OT: Spyware Removal, CoolWebSearch
Part Pricer | Aug 8 2004, 05:43 AM | Post #1
Believe everything I post | Group: Benefactors | Posts: 1,825 | Joined: 28-December 02 | From: Danbury, CT | Member No.: 35
I'm a member of the Alliance of Security Analysis Professionals. We deal with all computer security, but lately we have mostly been dealing with malware and spyware. Well, for the last couple of months, we've been dealing with a variant of CWS. CWS is also referred to as CoolWebSearch, CoolWWW and other names. In all of its variants, CWS is one of the most insidious bastards I've run up against. I've seen it take on the attributes of a Hijacker, Backdoor, Dialer, Downloader, Dropper, Nuker and a Trojan. It can be a bitch to get rid of.

The latest variant has been giving everyone fits. All of the spyware removal and protection programs are (still) not able to remove it from your system. And, manual removal using all of the tools at our disposal has proven to be fruitless. The problem is that this variant uses a hidden file that constantly renames itself. I purposely infected a test PC here in my office over a month ago. This thing is truly a bastard. Although it has been fun explaining to my wife, "No dear. I'm not surfing porn sites. I'm working."

So, for the unfortunates that have been hit by this thing, here is the only known method of removing this prick from your systems. This method was discovered and crafted by another ASAP member. Warning! This process is not for the timid!

SUMMARY
=======
SUBJECT: CoolWWW spyware persistence and removal.

PROBLEM: Anti-spyware programs (e.g., Spysweeper, Ad-aware Pro, PestPatrol) do not remove the cause (a "super"-hidden .dll program) but only remove symptom files and registry settings. "This dll is loaded with very strange file permissions. It has all permissions but 'copy' denied to everyone, including administrators. This set of permissions makes the file completely invisible inside windows. You cannot see it using File explorer or DOS prompts like dir. It also can not have its attributes set so that you can see it."

SOLUTION: Manual removal by using a revealing xfind.com error message, then by using the Windows XP Recovery Console.

NOTE: the byte verifier patch does not protect against the latest variations (6/24/04-7/7/04) of CoolWWW.
===============

INSTRUCTIONS

Step 1
Download xfind.com (Note: at least a few programs are named xfind, so do not just search the web and download any one of these. I did this and wasted time with xfind.exe, which is not a bad program but not the one needed for our task.)
Download from here: http://home.mnet-online.de/horst.muc/int/find23.zip (direct download of zip file) or http://home.mnet-online.de/horst.muc/index.html (parent page of download; click the "Find" link then download [9k]).

Step 2
Install xfind.com (simply unzip it; I prefer running it from c:\, and so I dragged a copy of xfind.com to c:\, which is also called the "root" directory).

Step 3
(a) Run xfind.com in a command line window. Click Start, Run, type CMD (then click OK). A black window opens with a blinking white cursor. Type cd\ then press Enter. The cursor should now show "C:\" and not "C:\Windows."
(b) Type this: xfind "gibberishjdkfkd" c:\windows\system32\ *.dll (then press the "Enter" key on your keyboard). ("gibberishjdkfkd" can really be anything, but the results are clearer if you type something strange so it won't be found inside any legitimate files.) We're hoping for an error message, not actually finding a file containing the search text.
(c) Now wait.... If it comes back with a read error about a file, that's good! The file it complained about is the evil program (.dll file). WRITE the file name down EXACTLY as listed in the error message (for example, Mofohell.dll). "This dll is loaded with very strange file permissions. It has all permissions but copy denied to everyone, including administrators. This set of permissions makes the file completely invisible inside windows. You cannot see it using File explorer or DOS prompts like dir. It also can not have its attributes set so that you can see it."

Step 4
Prepare to remove the evil program. This can't be done in normal Windows nor in Safe Mode. Showing system and hidden files doesn't help. You must restart in a special mode called the "Recovery Console," which is not available until you install it separately.
(a) Find a Windows XP Home or Professional installation CD. While still in Windows, insert the CD then exit any automatic window that appears.
(b) Click Start, Run, type the following: d:\i386\winnt32.exe /cmdcons (then click OK) and follow the instructions to install the Recovery Console (click yes, ok, etc.). Restart the computer. (NOTE: if your CD drive is a different letter than "d" type your CD drive's letter instead of "d.")

Step 5
Rename or delete the evil program from within the Recovery Console.
(a) Restart the computer and press the F8 function key before Windows starts as if you're trying to get into Safe Mode. Choose "Return to OS Menu" where you will see at least two choices: "Windows XP Home" (or Professional) and "Recovery Console." Use the arrow keys and Enter key to highlight and select "Recovery Console."
(b) When prompted, select the choice listing the Windows directory your computer normally uses (usually "C:\Windows").
(c) When prompted, type the Administrator password (which might be blank on your system) and press the Enter key. You're now in the Recovery Console and can control the evil program file.
(d) Type cd\ then cd windows, then cd system32, then (to confirm that it's present) type dir MOFOHELL.dll (but substitute the name of the evil program you found on your system). If it doesn't find anything, type this: attrib -h MOFOHELL.dll (and press Enter), then type this: attrib -r MOFOHELL.dll (and press Enter).
(e) Rename or delete it. I renamed it to be really safe in case it was something good (doubtful). Type this: ren mofohell.dll harmless.btch (substituting the name of your evil program for mofohell.dll) (then press the Enter key).
(f) Type this: dir harmless.btch (then press Enter) to confirm it's there.

Step 6
Type this: EXIT (and press Enter) to reboot. Press F8 to enter SAFE MODE as Windows starts.

Step 7
Use the registry editor to find the evil reference to the evil program, both of which were hidden before renaming the latter.
(a) Click Start, Run, then type this: regedit (and click OK).
(b) Use the up-arrow and scroll to the top then click once on "My Computer" then click the EDIT menu and click FIND. Type the name of the evil program (e.g., mofohell.dll) and click find. Delete the entry on the RIGHT side of the window that contains the name of the evil program (e.g., mofohell.dll); click once on the evil name then tap the keyboard's DELETE key ONCE. Click the EDIT menu and click "FIND NEXT" and repeat. If it is not found, stop looking and exit the registry editor.

Step 8
Scan your entire computer using the anti-spyware programs you have (which you updated BEFORE all of this). I prefer running at least two (Spysweeper and Ad-aware Pro) -- one at a time, of course.

Step 9
Run HijackThis and delete any suspicious BHO entries and other known bad stuff.

Step 10
Empty every Temp folder, Temporary Internet folder and Cookie folder on your computer. Empty the Recycle Bin.

Step 11
Turn security up to high in the Internet Options control panel (HIGH for every category: Internet, Local Area Network, Trusted Sites [delete any trusted sites listed] and Restricted sites). Go to the Advanced tab and click the button "Restore Defaults" then modify individual check box items manually if you want; go to the Programs tab and click the button "Reset Web Settings" but uncheck the "reset home page" prompt unless you like MS's default page. Click OK.

Step 12
Utter the phrase, "Oooo Ahhhh, devilware, be GONE!" then spit out of the window over your LEFT shoulder.

Step 13
Restart your computer.

Step 14
Go online and download other browsers to use for everything but Windows Update. Download Firefox from mozilla.org and Opera from opera.com and install both. They're safer than Internet Explorer (a.k.a., the Devil's Helper). To run Windows Update, first go to the Internet Options control panel, Security tab, click the Internet category icon, then click the DEFAULT button, then OK. Then run Windows Update. Afterwards, go back to the Internet Options control panel and slide the security back up to HIGH for the Internet category, then click OK, and continue using Mozilla's Firefox and/or Opera for web browsing.

Step 15
Delete the renamed evil program (e.g., harmless.btch), which Spysweeper will identify as coolwww even with its different name.

It's as simple as that! As simple as 1,2,3ab,4abc,5abcdef,6,7abc,8,9,10,11,12,13,14,15!!!"

Total elapsed time: 45 minutes to 1.5 hr depending on the number of files your anti-spyware programs scan.

================
MICROSOFT CULPABILITY
(1) Microsoft allows by design or by flaw the creation of "super"-hidden files. FIX THIS MICROSOFT!!, then anti-spyware programs will be able to find and remove this stuff.
(2) Also...Hey Microsoft!! Fix the design flaws that allow anything to write to the registry and place files on the computer as users browse the web with IE. WHAT A JOKE!!! Guilty! Sentenced to 5 years of trying to remove Coolwww without xfind or a clean install.
================
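The two things the procedure above hinges on are a DLL in System32 that errors when read (what the xfind trick exposes) and registry values that still point at it (what the regedit FIND loop hunts for). The PowerShell below is an added defender-side check of both, not code from the post or from ASAP; SUSPECT-DLL-NAME.dll is a placeholder for whatever name xfind reports, and the Run and Browser Helper Objects keys are the locations assumed worth searching.

```powershell
# Added illustration, not the poster's xfind procedure. Part 1 mimics what the xfind
# read error exposes: enumerate System32 DLLs (hidden and system files included) and
# report any that cannot be opened for reading or that carry explicit Deny ACEs.
# Part 2 searches the autostart Run keys and the BHO list for a DLL name.
# Run from an elevated PowerShell. $SuspectDll is a placeholder; use the name xfind reported.
param([string]$SuspectDll = 'SUSPECT-DLL-NAME.dll')

$sys32 = Join-Path $env:SystemRoot 'System32'
Write-Host "== DLLs in $sys32 that fail to open or carry Deny ACEs =="
Get-ChildItem -Path $sys32 -Filter '*.dll' -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.FullName
    $reasons = @()
    try {
        $fs = [System.IO.File]::OpenRead($path)   # the read xfind performs on every match
        $fs.Close()
    } catch {
        $reasons += "read error: $($_.Exception.Message)"
    }
    try {
        $deny = (Get-Acl -Path $path).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
        if ($deny) {
            $who = ($deny | ForEach-Object { $_.IdentityReference }) -join ', '
            $reasons += "Deny ACE for: $who"
        }
    } catch {
        $reasons += "ACL unreadable: $($_.Exception.Message)"
    }
    if ($reasons.Count -gt 0) { "$path`n    " + ($reasons -join "`n    ") }
}

Write-Host "`n== Registry values referencing $SuspectDll =="
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata properties PowerShell adds
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -like "*$SuspectDll*") { "$k\$($p.Name) = $($p.Value)" }
    }
}
# BHO entries are CLSIDs; the DLL they load is named under CLSID\{guid}\InprocServer32
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bho) {
    Get-ChildItem -Path $bho | ForEach-Object {
        $clsid = $_.PSChildName
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
        if ($dll -and ($dll -like "*$SuspectDll*")) { "BHO $clsid -> $dll" }
    }
}
```

A hit in part 1 is only a lead, since a legitimately locked file can also fail to open; the Recovery Console rename in Step 5 is still where the file actually gets dealt with.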
sgomes | Aug 8 2004, 11:25 AM | Post #2
Electric Member | Group: Members | Posts: 815 | Joined: 6-May 04 | From: Campbell, CA | Member No.: 2,029
HOLY CRAP!!!!
A couple of weeks back I got a really bad trojan (just a home page grabber) that took me about four hours to get rid of. This one sounds ten times worse! Thanks for the instructions. Is there a symptom we should be aware of to know if we've been infected?
Part Pricer | Aug 8 2004, 11:48 AM | Post #3
Believe everything I post | Group: Benefactors | Posts: 1,825 | Joined: 28-December 02 | From: Danbury, CT | Member No.: 35
There are so many variants of this bugger that it is difficult to specify the symptoms. However, there are a couple of things that will let you know for sure that you have CWS.
1.) Your homepage has been reset to c o o l w e b s e a r c h . c o m (I spaced out the spelling so the BBS didn't create a link to it.)
2.) Your IE search feature now takes you to c o o l w e b s e a r c h . c o m
3.) If you run Spybot Search & Destroy or Ad-aware, they will detect that you have CWS. And, they will both tell you that they have removed it. But, they don't.
If you have this variant of CWS, right now it must be removed manually.
p914 | Aug 8 2004, 11:50 AM | Post #4
Senior Member | Group: Members | Posts: 518 | Joined: 7-September 03 | From: Sunny South Florida | Member No.: 1,117 | Region Association: None
I've been using Mozilla for quite some time now. Also have Opera. Started with Opera and now use mozilla. No hijacks, no pop ups/unders. What a nice way to surf the web. I have netcaptor on another system, it's good too but not as good as mozilla. Using netcaptor I also use POW and popupkiller. That combo after a while has pretty much eliminated any annoyance pops.
Great info on getting rid of coolweb. Took me a while to get rid of it and czjump. It may still be on that one system but has not yet resurfaced in about 1 1/2 months. Maybe it has a clock on it to reinject itself later.
sgomes | Aug 8 2004, 02:31 PM | Post #5
Electric Member | Group: Members | Posts: 815 | Joined: 6-May 04 | From: Campbell, CA | Member No.: 2,029
Yea! That was the name of the bugger I had:
C o o l W e b S e a r c h . m t w i r l 3 2
What a B'otch to get rid of. By the way I'm running Spybot Search and Destroy and it has a feature to lock out changes to your homepage. Will it block this new variant?
Part Pricer | Aug 8 2004, 03:00 PM | Post #6
Believe everything I post | Group: Benefactors | Posts: 1,825 | Joined: 28-December 02 | From: Danbury, CT | Member No.: 35
QUOTE(sgomes @ Aug 8 2004, 03:31 PM): Yea! That was the name of the bugger I had: C o o l W e b S e a r c h . m t w i r l 3 2 What a B'otch to get rid of. By the way I'm running Spybot Search and Destroy and it has a feature to lock out changes to your homepage. Will it block this new variant?

If your system is already clean and you want to try to prevent another infection, there are a couple of things you can do.
1.) Switch to Firefox
2.) If you are like a lot of my clients and must use IE, there is a neat utility called Bugoff. This was written by the same guy that wrote HijackThis. Run this once, set up the protection and you should be good until another variant is released. I'm mirroring this download because the author's site is under a DOS attack from someone who is upset that he is writing software that combats malware.
PAPERBOY | Aug 8 2004, 03:16 PM | Post #7
Newbie | Group: Members | Posts: 10 | Joined: 22-December 03 | From: MIL, WI | Member No.: 1,459
Is the CWS Shredder still being updated? It used to be the easy way.
Part Pricer | Aug 8 2004, 03:22 PM | Post #8
Believe everything I post | Group: Benefactors | Posts: 1,825 | Joined: 28-December 02 | From: Danbury, CT | Member No.: 35
Merijn last updated CWS Shredder at the end of June. He said that it would be the last update for a while. However, it does not handle this variant.
scottb | Aug 8 2004, 03:45 PM | Post #9
who wants a PEZ?! | Group: Members | Posts: 1,993 | Joined: 27-December 02 | From: south-(not north)-wick, MA | Member No.: 32 | Region Association: North East States
paul,
so I went through step 3 and the program found nothing. no error report was given. can I presume my system is clean? thanks, scott
scottb | Aug 8 2004, 06:21 PM | Post #10
who wants a PEZ?! | Group: Members | Posts: 1,993 | Joined: 27-December 02 | From: south-(not north)-wick, MA | Member No.: 32 | Region Association: North East States
hey! downloaded firefox and this is what the 914club home page looks like.....
any thoughts on what needs to be adjusted?
Part Pricer | Aug 9 2004, 07:10 AM | Post #11
Believe everything I post | Group: Benefactors | Posts: 1,825 | Joined: 28-December 02 | From: Danbury, CT | Member No.: 35
Scott,
It's not your problem, I've got it too. However, I've notified the authorities. (IMG: http://www.914world.com/bbs2/uploads/post-3-1092056848.jpg)
sgomes | Aug 9 2004, 08:45 AM | Post #12
Electric Member | Group: Members | Posts: 815 | Joined: 6-May 04 | From: Campbell, CA | Member No.: 2,029
I'll add a "me too" to that. I did notice that I could highlight with my mouse and it would reveal the text in the black boxes. I'm not all that surprised that Firefox has trouble. It's on release 0.9 after all! It also has problems with Flash player. It's a great start but not ready for primetime yet.
mike_the_man | Aug 9 2004, 10:51 AM | Post #13
I like stuff! | Group: Members | Posts: 1,338 | Joined: 11-June 03 | From: Regina, Saskatchewan, Canada | Member No.: 809
I use Mozilla at home, and I noticed when sending PM's, only about 3/4s of the message box was displayed on the screen, but there was no scroll bar at the bottom of the screen to be able to see the entire box. Anybody have this problem? Other than that, I really like Mozilla. No popups, and it's not a crappy Microsoft product.
J P Stein | Aug 9 2004, 10:52 AM | Post #14
Irrelevant old fart | Group: Members | Posts: 8,797 | Joined: 30-December 02 | From: Vancouver, WA | Member No.: 45 | Region Association: None
Paul:
I was down at the puter store looking to replace or update my anti virus software. The guy there recommended to download AVG Virus Protection rather than buy 2004 Norton from him! I could use a second opinion.
ArtechnikA | Aug 9 2004, 11:00 AM | Post #15
rich herzog | Group: Members | Posts: 7,390 | Joined: 4-April 03 | From: Salted Roads, PA | Member No.: 513 | Region Association: None
QUOTE(J P Stein @ Aug 9 2004, 08:52 AM): ...recommended to download AVG Virus Protection rather than buy 2004 Norton from him!

we use AVG on all the systems here at Ross-Tech -- 'course too we all use some flavor of Mozilla for browsers and Outlook is expressly banned from all company computers... it has been very good about automagically quarantining emails with suspicious attachments; i can't speak for everyone here, but on my system it's been 100% accurate with no false positives and no nasties slipping through...
Part Pricer | Aug 9 2004, 11:45 AM | Post #16
Believe everything I post | Group: Benefactors | Posts: 1,825 | Joined: 28-December 02 | From: Danbury, CT | Member No.: 35
AVG is very good.
When looking at anti-virus software, the most important thing is timely updates. IMO, Norton and McAfee are too slow in releasing updates. AVG, and my favorite avast!, get new virus definitions released very quickly. I've had times when I have received three new updates a day from avast!.
cooltimes | Aug 9 2004, 12:14 PM | Post #17
Advanced Member | Group: Members | Posts: 2,508 | Joined: 18-May 04 | Member No.: 2,081 | Region Association: None
As a consumer against popup ads, this is the latest break for John and Susie Public.
http://www.ftc.gov/opa/2004/08/dsquared.htm