Discussion:
CoolWebSearch trying to install
Roger K
2005-07-10 10:26:46 UTC
MS Giant AntiSpyware says that CoolWebSearch is trying to install on all my
other four users' (limited) accounts, though not on my admin account, every
time they log on. After clicking "Remove" I see "The browser modifier threat
CoolWebSearch has been successfully removed" and there doesn't seem to be a
problem. Doing a follow-up scan with AntiSpyware reveals nothing. Next time
they log on the same thing happens, and I'm worried that eventually they'll
slip up and click "Allow".

I've also run the latest version of CWShredder, which says I'm clear of
CoolWebSearch. Using Startup Control Panel there's nothing in the Startup
folders or Reg HKCU/Run or HKLM/Run keys that shouldn't be there.

I also run Spybot and Ad-Aware every so often but haven't seen any problems.

I guess it could be a false alarm, but why only on the Limited accounts?
Also it has only happened in the last few days and I've been using
AntiSpyware for some weeks.

Running XP HE +SP2 and using Firefox wherever possible - though have to use
IE on some sites.

I'd appreciate any advice.

Roger
Ian Cox
2005-07-10 10:47:27 UTC
Post by Roger K
MS Giant AntiSpyware says that CoolWebSearch is trying to install on all my
other four users' (limited) accounts, though not on my admin account, every
time they log on. After clicking "Remove" I see "The browser modifier threat
CoolWebSearch has been successfully removed" and there doesn't seem to be a
problem. Doing a follow-up scan with AntiSpyware reveals nothing. Next time
they log on the same thing happens, and I'm worried that eventually they'll
slip up and click "Allow".
I've also run the latest version of CWShredder, which says I'm clear of
CoolWebSearch. Using Startup Control Panel there's nothing in the Startup
folders or Reg HKCU/Run or HKLM/Run keys that shouldn't be there.
I also run Spybot and Ad-Aware every so often but haven't seen any problems.
I guess it could be a false alarm, but why only on the Limited accounts?
Also it has only happened in the last few days and I've been using
AntiSpyware for some weeks.
Running XP HE +SP2 and using Firefox wherever possible - though have to use
IE on some sites.
I'd appreciate any advice.
Roger
Hi Roger,

My sister had problems with this a while back; try running HijackThis:

http://www.majorgeeks.com/download3155.html

then post your log to a new thread at aumha forums:

http://forum.aumha.org/viewforum.php?f=30

Please read the Announcement topic before posting!
--
Ian Cox
Sutton-in-Ashfield
Remove my hat to email me.
Roger K
2005-07-10 17:50:54 UTC
Post by Ian Cox
Hi Roger,
http://www.majorgeeks.com/download3155.html
http://forum.aumha.org/viewforum.php?f=30
Please read the Announcement topic before posting!
--
Ian Cox
Sutton-in-Ashfield
Remove my hat to email me.
Thanks Ian, I've done as you suggested. It took me a while to go through all
the "precleaning" checks they spell out (which didn't reveal anything), but
I've finally done a scan with Hijack This and posted the log.

Roger
Ian Cox
2005-07-10 18:30:13 UTC
Post by Roger K
Post by Ian Cox
Hi Roger,
http://www.majorgeeks.com/download3155.html
http://forum.aumha.org/viewforum.php?f=30
Please read the Announcement topic before posting!
Thanks Ian, I've done as you suggested. It took me a while to go through all
the "precleaning" checks they spell out (which didn't reveal anything), but
I've finally done a scan with Hijack This and posted the log.
Good luck! :O)
--
Ian Cox
Sutton-in-Ashfield
Remove my hat to email me.
Bloke at the pennine puddle (Replace n.a.v.d with vodafone.net.)
2005-07-12 01:41:09 UTC
An easier solution . . .
http://www.intermute.com/spysubtract/cwshredder_download.html

This DOES work for the vast majority of CoolWebSearch malware.
Post by Roger K
MS Giant AntiSpyware says that CoolWebSearch is trying to install on all my
other four users' (limited) accounts, though not on my admin account, every
time they log on. After clicking "Remove" I see "The browser modifier threat
CoolWebSearch has been successfully removed" and there doesn't seem to be a
problem. Doing a follow-up scan with AntiSpyware reveals nothing. Next time
they log on the same thing happens, and I'm worried that eventually they'll
slip up and click "Allow".
I've also run the latest version of CWShredder, which says I'm clear of
CoolWebSearch. Using Startup Control Panel there's nothing in the Startup
folders or Reg HKCU/Run or HKLM/Run keys that shouldn't be there.
I also run Spybot and Ad-Aware every so often but haven't seen any problems.
I guess it could be a false alarm, but why only on the Limited accounts?
Also it has only happened in the last few days and I've been using
AntiSpyware for some weeks.
Running XP HE +SP2 and using Firefox wherever possible - though have to use
IE on some sites.
I'd appreciate any advice.
Roger
Roger K
2005-07-12 17:20:29 UTC
Thanks, but as I said in my original post I tried CW Shredder and still the
messages popped up at each log on - but only in the limited accounts. I now
think that MS AntiSpyware is giving a false positive.
Roger
Bloke at the pennine puddle (Replace n.a.v.d with vodafone.net.)
2005-07-12 19:35:21 UTC
Problem is that CWshredder needs low level access to the operating
system. In some cases there is a program or DLL that is stored in the
user's profile and an entry in the user's registry hive that can
trigger re-infection.

But, considering CWshredder, you may have a hernia on the next bit of
advice: you could make the limited account into an administrative account,
log in, run CWshredder as soon as the desktop appears, log out, log in
to a clean account and return `limited account` status to the user
account.
Post by Roger K
Thanks, but as I said in my original post I tried CW Shredder and still the
messages popped up at each log on - but only in the limited accounts. I now
think that MS AntiSpyware is giving a false positive.
Roger
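The point in the post above (a per-user DLL plus an entry in that user's own registry hive re-triggering at every logon) also explains why checking HKCU\...\Run from the admin account shows nothing: HKCU is only ever the hive of the account you are logged on as. The following PowerShell script is an added example, not part of this thread and not the logic of MS AntiSpyware or CWShredder; it walks the ProfileList to find every profile on the machine and lists the Run/RunOnce keys and Startup folder for each user, alongside the machine-wide HKLM keys. It assumes a modern Windows host, an elevated prompt, and that a user's hive is mounted under HKEY_USERS only while that profile is loaded (unloaded profiles are reported as skipped).

```powershell
# Added example (not from the thread): enumerate autostart locations for
# EVERY user profile, not just the currently logged-on account. Run elevated.

$RunSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Startup folder relative to the profile root: Vista+ layout, then XP layout
$StartupRelPaths = @(
    'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup',
    'Start Menu\Programs\Startup'
)

function Get-RunKeyValues {
    param([string]$KeyPath, [string]$Scope)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $props = Get-ItemProperty -LiteralPath $KeyPath
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds provider metadata properties; skip those
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        [pscustomobject]@{ Scope = $Scope; Location = $KeyPath; Name = $p.Name; Command = $p.Value }
    }
}

function Get-AllUserAutostarts {
    # Machine-wide entries apply to every account that logs on
    foreach ($sub in $RunSubKeys) { Get-RunKeyValues -KeyPath "HKLM:\$sub" -Scope 'HKLM' }

    # Expose HKEY_USERS as a drive so per-user hives can be read by SID
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    # ProfileList maps each account SID to its profile directory
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($prof in Get-ChildItem -LiteralPath $profileList) {
        $sid = $prof.PSChildName
        if ($sid -notmatch '^S-1-5-21-') { continue }   # skip system/service SIDs
        $profilePath = (Get-ItemProperty -LiteralPath $prof.PSPath).ProfileImagePath
        $profilePath = [Environment]::ExpandEnvironmentVariables($profilePath)
        try {
            $user = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $user = $sid }

        # Per-user Run keys live in that user's hive, mounted under HKEY_USERS
        # only while the profile is loaded. For an unloaded profile, load it
        # first, e.g.  reg load HKU\TempHive <profile>\NTUSER.DAT
        if (Test-Path -LiteralPath "HKU:\$sid") {
            foreach ($sub in $RunSubKeys) { Get-RunKeyValues -KeyPath "HKU:\$sid\$sub" -Scope $user }
        } else {
            [pscustomobject]@{ Scope = $user; Location = "HKU:\$sid"; Name = '(hive not loaded)'; Command = '' }
        }

        # Per-user Startup folder: anything here runs at that user's logon
        foreach ($rel in $StartupRelPaths) {
            $dir = Join-Path $profilePath $rel
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            Get-ChildItem -LiteralPath $dir -Force -File | ForEach-Object {
                [pscustomobject]@{ Scope = $user; Location = $dir; Name = $_.Name; Command = $_.FullName }
            }
        }
    }
}

Get-AllUserAutostarts | Sort-Object Scope, Location | Format-Table -AutoSize -Wrap
```

Compare the output for the limited accounts against the admin account: an entry that appears under one user's SID but not under HKLM or the admin's hive is exactly the kind of per-user persistence the post describes, and it will never surface in a check run from the admin's own HKCU.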
mikeFNB
2005-07-12 22:01:27 UTC
I seem to recall there was a thread about this somewhere before.
Loading SP2 caused the false positive to be displayed.
It was a known error, I think reported on the site as well.
Let me do a Google and I'll try and find it.
So maybe the MS software does it as well.

mike

"Bloke at the pennine puddle (Replace n.a.v.d with vodafone.net.)"
Post by Bloke at the pennine puddle (Replace n.a.v.d with vodafone.net.)
Problem is that CWshredder needs low level access to the operating
system. In some cases there is a program or DLL that is stored in the
user's profile and an entry in the user's registry hive that can
trigger re-infection.
But, considering CWshredder, you may have a hernia on the next bit of
advice: you could make the limited account into an administrative account,
log in, run CWshredder as soon as the desktop appears, log out, log in
to a clean account and return `limited account` status to the user
account.
Post by Roger K
Thanks, but as I said in my original post I tried CW Shredder and still the
messages popped up at each log on - but only in the limited accounts. I now
think that MS AntiSpyware is giving a false positive.
Roger