914World.com - The fastest growing online 914 community!
 

> OT: Spyware Removal, CoolWebSearch
Part Pricer
post Aug 8 2004, 05:43 AM
Post #1


I'm a member of the Alliance of Security Analysis Professionals. We deal with all computer security, but lately we have mostly been dealing with malware and spyware. Well, for the last couple of months, we've been dealing with a variant of CWS. CWS is also referred to as CoolWebSearch, CoolWWW and other names. In all of its variants, CWS is one of the most insidious bastards I've run up against. I've seen it take on the attributes of a Hijacker, Backdoor, Dialer, Downloader, Dropper, Nuker and a Trojan. It can be a bitch to get rid of.

The latest variant has been giving everyone fits. All of the spyware removal and protection programs are (still) not able to remove it from your system. And, manual removal using all of the tools at our disposal has proven to be fruitless. The problem is that this variant uses a hidden file that constantly renames itself.

I purposely infected a test PC here in my office over a month ago. This thing is truly a bastard. Although it has been fun explaining to my wife, "No dear. I'm not surfing porn sites. I'm working."

So, for the unfortunates that have been hit by this thing, here is the only known method of removing this prick from your systems. This method was discovered and crafted by another ASAP member.

Warning! This process is not for the timid!


SUMMARY
=======

SUBJECT: CoolWWW spyware persistence and removal.


PROBLEM: Anti-spyware programs (e.g., Spysweeper, Ad-aware Pro, PestPatrol)
do not remove the cause (a "super"-hidden .dll program) but only remove
symptom files and registry settings.

"This dll is loaded with very strange file permissions. It has all permissions but ‘copy’ denied to everyone, including administrators. This set of permissions makes the file completely invisible inside windows. You cannot see it using File explorer or DOS
prompts like dir. It also can not have its attributes set so that you can see it."


SOLUTION: Manual removal by using a revealing xfind.com error message,
then by using the Windows XP Recovery Console.

NOTE: the byte verifier patch does not protect against the latest variations
(6/24/04-7/7/04) of CoolWWW.

===============


INSTRUCTIONS

Step 1
Download xfind.com
(Note: at least a few programs are named xfind, so do not just search the
web and download any one of these. I did this and wasted time with
xfind.exe, which is not a bad program but not the one needed for our task.)

Download from here:
http://home.mnet-online.de/horst.muc/int/find23.zip (direct download of zip file)
or
http://home.mnet-online.de/horst.muc/index.html (parent page of download;
click the "Find" link then download [9k])


Step 2
Install xfind.com (simply unzip it; I prefer running it from the c:\, and
so I dragged a copy of xfind.com to c:\, which is also called the "root"
directory).


Step 3
(a) Run xfind.com in a command line window. Click Start, Run, type CMD
(then click OK). A black window opens with a blinking white cursor. Type
cd\ then press Enter. The cursor should now show "C:\" and not "C:\Windows."

(b) Type this:
xfind "gibberishjdkfkd" c:\windows\system32\ *.dll
(then press the "Enter" key on your keyboard).

("gibberishjdkfkd" can really be anything, but the results are clearer
if
you type something strange so it won't be found inside any legitimate
files). We're hoping for an error message, not actually finding a file
containing the search text.

(c) Now wait.... If it comes back with a read error about a file, that's
good! The file it complained about is the evil program (.dll file). WRITE
the file name down EXACTLY as listed in the error message (for example,
Mofohell.dll).

"This dll is loaded with very strange file permissions. It has all permissions but copy denied to everyone, including administrators. This set of permissions makes the
file completely invisible inside windows. You cannot see it using File
explorer or DOS prompts like dir. It also can not have its attributes set so
that you can see it."


Step 4
Prepare to remove the evil program. This can't be done in normal Windows
nor in Safe Mode. Showing system and hidden files doesn't help. You must
restart in a special mode called the "Recovery Console," which is not
available until you install it separately.

(a) Find a Windows XP Home or Professional installation CD. While still in
Windows, insert the CD then exit any automatic window that appears.

(b) Click Start, Run, type the following:
d:\i386\winnt32.exe /cmdcons
(then click OK) and follow the instructions to install the Recovery Console
(click yes, ok, etc.). Restart the computer. (NOTE: if your CD drive is a
different letter than "d" type your CD drive’s letter instead of "d.")


Step 5
Rename or delete the evil program from within the Recovery Console.
(a) Restart the computer and press the F8 function key before Windows starts
as if you're trying to get into Safe Mode.

Choose "Return to OS Menu" where you will see at least two choices:
“Windows XP Home” (or Professional) and “Recovery Console.” Use the arrow
keys and Enter key to highlight and select "Recovery Console."

(b) When prompted, select the choice listing the Windows directory your
computer normally uses (usually "C:\Windows").

(c) When prompted, type the Administrator password (which might be blank on
your system) and press the Enter key.

You're now in the Recovery Console and can control the evil program file.

(d) Type cd\ then cd windows, then cd system32, then (to confirm that it's
present) type dir MOFOHELL.dll (but substitute the name of the evil program
you found on your system). If it doesn't find anything, type this:
attrib -h MOFOHELL.dll (and press Enter), then type this:
attrib -r MOFOHELL.dll (and press Enter).

(e) Rename or delete it. I renamed it to be really safe in case it was
something good (doubtful). Type this:
ren mofohell.dll harmless.btch (substituting the name of your evil
program for mofohell.dll)
(then press the Enter key).

(f) Type this:
dir harmless.btch
(then press Enter) to confirm it's there.


Step 6
Type this: EXIT (and press Enter) to reboot.
Press F8 to enter SAFE MODE as Windows starts.


Step 7
Use the registry editor to find the evil reference to the evil program, both
of which were hidden before renaming the latter.
(a) Click Start, Run, then type this: regedit (and click OK).
(b) Use the up-arrow and scroll to the top then click once on "My Computer"
then click the EDIT menu and click FIND. Type the name of the evil program
(e.g., mofohell.dll) and click find. Delete the entry on the RIGHT side
of the window that contains the name of the evil program (e.g.,
mofohell.dll); click once on the evil name then tap the keyboard's DELETE
key ONCE. Click the EDIT menu and click "FIND NEXT" and repeat. If it is
not found, stop looking and exit the registry editor.


Step 8
Scan your entire computer using the anti-spyware programs you have (which
you updated BEFORE all of this). I prefer running at least two (Spysweeper
and Ad-aware Pro) -- one at a time, of course.


Step 9
Run HijackThis and delete any suspicious BHO entries and other known bad
stuff.


Step 10
Empty every Temp folder, Temporary Internet folder and Cookie folder on your
computer. Empty the Recycle Bin.


Step 11
Turn security up to high in the Internet Options control panel (HIGH for
every category: Internet, Local Area Network, Trusted Sites [delete any
trusted sites listed] and Restricted sites). Go to the Advanced tab and
click the button "Restore Defaults" then modify individual check box items
manually if you want; go to the Programs tab and click the button "Reset Web
Settings" but uncheck the "reset home page" prompt unless you like MS's
default page. Click OK.


Step 12
Utter the phrase, "Oooo Ahhhh, devilware, be GONE!" then spit out of the
window over your LEFT shoulder.


Step 13
Restart your computer.


Step 14
Go online and download other browsers to use for everything but Windows
Update. Download Firefox from mozilla.org and Opera from opera.com and
install both. They're safer than Internet Explorer (a.k.a., the Devil's
Helper).

To run Windows Update, first go to the Internet Options control panel,
Security tab, click the Internet category icon, then click the DEFAULT
button, then OK. Then run Windows Update. Afterwards, go back to the
Internet Options control panel and slide the security back up to HIGH for
the Internet category, then click OK, and continue using Mozilla's Firefox
and/or Opera for web browsing.


Step 15
Delete the renamed evil program (e.g., harmless.btch), which Spysweeper will
identify as coolwww even with its different name.

It's as simple as that!
As simple as 1,2,3ab,4abc,5abcdef,6,7abc,8,9,10,11,12,13,14,15!!!

Total elapsed time: 45 minutes to 1.5 hr depending on the number of files
your anti-spyware programs scan.

================
================

MICROSOFT CULPABILITY


(1) Microsoft allows by design or by flaw the creation of "super"-hidden
files. FIX THIS MICROSOFT!!, then anti-spyware programs will be able to
find and remove this stuff.


(2) Also…Hey Microsoft!! Fix the design flaws that allow anything to write
to the registry and place files on the computer as users browse the web with
IE. WHAT A JOKE!!! Guilty! Sentenced to 5 years of trying to remove
Coolwww without xfind or a clean install.


================
================
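The two manual checks at the heart of the guide above, the xfind "read error" trick (Step 3) and the regedit Edit > Find search (Step 7), can be done in one script on a current Windows host. The following is an added example, not code from the 914World post or from ASAP; it assumes PowerShell 5.1 or later run from an elevated prompt, the standard System32, Run, Winlogon, AppInit_DLLs and Browser Helper Object registry locations, and the post's placeholder name MOFOHELL.dll. It only reports; renaming or deleting still belongs in the Recovery Console (or WinRE) as the post describes.

```powershell
# Added example (not from the 914World post or from ASAP). Reproduces two
# manual steps of the removal guide on a current Windows host and reports only:
#   1. the xfind "read error" trick: try to open every DLL in System32 for
#      reading and list the ones an elevated shell cannot read;
#   2. the regedit Edit > Find step: search autostart and Browser Helper Object
#      keys for any value that names a given file.
# Assumptions: run elevated; the key list below and the placeholder file name
# MOFOHELL.dll are this example's own choices, not values from the post.
param(
    [string]$Directory   = "$env:SystemRoot\System32",
    [string]$SuspectName = "MOFOHELL.dll"    # placeholder name used in the post
)

function Find-UnreadableDll {
    param([string]$Path)
    $hits = @()
    foreach ($file in Get-ChildItem -Path $Path -Filter *.dll -Force -ErrorAction SilentlyContinue) {
        try {
            $stream = [System.IO.File]::OpenRead($file.FullName)
            $stream.Close()
        }
        catch {
            # .NET method errors arrive wrapped; look at the inner exception.
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }
            if ($ex -is [System.UnauthorizedAccessException]) {
                # A DLL that even an administrator cannot open is the symptom the
                # post describes; record it together with its ACL text.
                $aclText = $null
                try { $aclText = (Get-Acl -Path $file.FullName).AccessToString } catch { }
                $hits += [pscustomobject]@{
                    File       = $file.FullName
                    Attributes = $file.Attributes
                    Acl        = $aclText
                }
            }
            # Sharing violations and other transient errors are not the signal here.
        }
    }
    return $hits
}

function Get-BhoDll {
    # Each BHO is a CLSID subkey; the DLL it loads is the default value of
    # HKLM:\SOFTWARE\Classes\CLSID\{clsid}\InprocServer32.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return @() }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$($sub.PSChildName)\InprocServer32"
        $dll = if (Test-Path $inproc) { (Get-ItemProperty -Path $inproc).'(default)' } else { $null }
        [pscustomobject]@{ Clsid = $sub.PSChildName; Dll = $dll }
    }
}

function Find-RegistryReference {
    param([string]$Name)
    # Keys where a load path is commonly registered (an assumption of this
    # example, not an exhaustive list).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',   # AppInit_DLLs
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $pattern = [regex]::Escape($Name)     # -match is case-insensitive by default
    $found = @()
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $items = @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($valueName in $item.GetValueNames()) {
                $data = [string]$item.GetValue($valueName)
                if ($data -match $pattern) {
                    $found += [pscustomobject]@{ Key = $item.Name; ValueName = $valueName; Data = $data }
                }
            }
        }
    }
    # BHO DLL paths live under HKLM\SOFTWARE\Classes, so check them separately.
    foreach ($bho in Get-BhoDll) {
        if ($bho.Dll -and $bho.Dll -match $pattern) {
            $found += [pscustomobject]@{ Key = "BHO $($bho.Clsid)"; ValueName = 'InprocServer32'; Data = $bho.Dll }
        }
    }
    return $found
}

Write-Host "DLLs in $Directory that an elevated shell cannot read:"
Find-UnreadableDll -Path $Directory | Format-Table -AutoSize
Write-Host "Registered Browser Helper Objects:"
Get-BhoDll | Format-Table -AutoSize
Write-Host "Registry values referencing ${SuspectName}:"
Find-RegistryReference -Name $SuspectName | Format-Table -AutoSize
```

Save it as a .ps1 and run it from an elevated prompt, passing -SuspectName with the file name the read error reported. Two limits match the caveats in the post: a file whose directory entry is hidden from enumeration altogether will not appear in the first list, so the Recovery Console route remains the fallback, and on 64-bit Windows a 32-bit BHO registers under Wow6432Node, which this key list does not cover.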