Full Version: OT: Spyware Removal
Part Pricer
I'm a member of the Alliance of Security Analysis Professionals. We deal with all computer security, but lately we have mostly been dealing with malware and spyware. Well, for the last couple of months, we've been dealing with a variant of CWS. CWS is also referred to as CoolWebSearch, CoolWWW and other names. In all of its variants, CWS is one of the most insidious bastards I've run up against. I've seen it take on the attributes of a Hijacker, Backdoor, Dialer, Downloader, Dropper, Nuker and a Trojan. It can be a bitch to get rid of.

The latest variant has been giving everyone fits. All of the spyware removal and protection programs are (still) not able to remove it from your system. And, manual removal using all of the tools at our disposal has proven to be fruitless. The problem is that this variant uses a hidden file that constantly renames itself.

I purposely infected a test PC here in my office over a month ago. This thing is truly a bastard. Although it has been fun explaining to my wife, "No dear. I'm not surfing porn sites. I'm working."

So, for the unfortunates that have been hit by this thing, here is the only known method of removing this prick from your systems. This method was discovered and crafted by another ASAP member.

Warning! This process is not for the timid!


SUMMARY
=======

SUBJECT: CoolWWW spyware persistence and removal.


PROBLEM: Anti-spyware programs (e.g., Spysweeper, Ad-aware Pro, PestPatrol)
do not remove the cause (a "super"-hidden .dll program) but only remove
symptom files and registry settings.

"This dll is loaded with very strange file permissions. It has all permissions but ‘copy’ denied to everyone, including administrators. This set of permissions makes the file completely invisible inside windows. You cannot see it using File explorer or DOS
prompts like dir. It also can not have its attributes set so that you can see it."


SOLUTION: Manual removal by using a revealing xfind.com error message,
then by using the Windows XP Recovery Console.

NOTE: the byte verifier patch does not protect against the latest variations
(6/24/04-7/7/04) of CoolWWW.

===============


INSTRUCTIONS

Step 1
Download xfind.com
(Note: at least a few programs are named xfind, so do not just search the
web and download any one of these. I did this and wasted time with
xfind.exe, which is not a bad program but not the one needed for our task.)

Download from here:
http://home.mnet-online.de/horst.muc/int/find23.zip (direct download of zip
file)
or
http://home.mnet-online.de/horst.muc/index.html (parent page of download;
click the "Find" link then download [9k])


Step 2
Install xfind.com (simply unzip it; I prefer running it from c:\, and
so I dragged a copy of xfind.com to c:\, which is also called the "root"
directory).


Step 3
(a) Run xfind.com in a command line window. Click Start, Run, type CMD
(then click OK). A black window opens with a blinking white cursor. Type
cd\ then press enter. The cursor should now show
"C:\" and not "C:\Windows."

(b) type this:
xfind "gibberishjdkfkd" c:\windows\system32\ *.dll
(then press the "Enter" key on your keyboard).

("gibberishjdkfkd" can really be anything, but the results are clearer if
you type something strange so it won't be found inside any legitimate
files). We're hoping for an error message, not actually finding a file
containing the search text.

(c) Now wait.... If it comes back with a read error about a file, that's
good! The file it complained about is the evil program (.dll file). WRITE
the file name down EXACTLY as listed in the error message (for example,
Mofohell.dll).

"This dll is loaded with very strange file permissions. It has all permissions but copy denied to everyone, including administrators. This set of permissions makes the
file completely invisible inside windows. You cannot see it using File
explorer or DOS prompts like dir. It also can not have its attributes set so
that you can see it."


Step 4
Prepare to remove the evil program. This can't be done in normal Windows
nor in Safe Mode. Showing system and hidden files doesn't help. You must
restart in a special mode called the "Recovery Console," which is not
available until you install it separately.

(a) Find a Windows XP Home or Professional installation CD. While still in
Windows, insert the CD then exit any automatic window that appears.

(b) Click Start, Run, type the following:
d:\i386\winnt32.exe /cmdcons
(then click OK) and follow the instructions to install the Recovery Console
(click yes, ok, etc.). Restart the computer. (NOTE: if your CD drive is a
different letter than "d" type your CD drive’s letter instead of "d.")


Step 5
Rename or delete the evil program from within the Recovery Console.
(a) Restart the computer and press the F8 function key before Windows starts
as if you're trying to get into Safe Mode.

Choose "Return to OS Menu" where you will see at least two choices:
“Windows XP Home” (or Professional) and “Recovery Console.” Use the arrow
keys and Enter key to highlight and select "Recovery Console."

(b) When prompted, select the choice listing the Windows directory your
computer normally uses (usually "C:\Windows").

(c) When prompted, type the Administrator password (which might be blank on
your system) and press the Enter key.

You're now in the Recovery Console and can control the evil program file.

(d) Type cd\ then cd windows , then
cd system32 , then (to confirm that it’s present) type dir
MOFOHELL.dll (but substitute the name of the evil program you found
on your system). If it doesn't find anything, type this: attrib -h
MOFOHELL.dll (and press Enter), then type this: attrib -r MOFOHELL.dll
(and press Enter).

(e) Rename or delete it. I renamed it to be really safe in case it was
something good (doubtful). Type this:
ren mofohell.dll harmless.btch (substituting the name of your evil
program for mofohell.dll)
(then press the Enter key).

(f) type this:
dir harmless.btch
(then press Enter) to confirm it's there.


Step 6
Type this: EXIT (and press Enter) to reboot.
Press F8 to enter SAFE MODE as Windows starts.


Step 7
Use the registry editor to find the evil reference to the evil program, both
of which were hidden before renaming the latter.
(a) Click Start, Run, then type this: regedit (and click OK).
(b) Use the up-arrow and scroll to the top then click once on "My Computer"
then click the EDIT menu and click FIND. Type the name of the evil program
(e.g., mofohell.dll ) and click find. Delete the entry on the RIGHT side
of the window that contains the name of the evil program (e.g.,
mofohell.dll); click once on the evil name then tap the keyboard's DELETE
key ONCE. Click the EDIT menu and click "FIND NEXT" and repeat. If it is
not found, stop looking and exit the registry editor.


Step 8
Scan your entire computer using the anti-spyware programs you have (which
you updated BEFORE all of this). I prefer running at least two (Spysweeper
and Ad-aware Pro) -- one at a time, of course.


Step 9
Run HijackThis and delete any suspicious BHO entries and other known bad
stuff.


Step 10
Empty every Temp folder, Temporary Internet folder and Cookie folder on your
computer. Empty the Recycle Bin.


Step 11
Turn security up to high in the Internet Options control panel (HIGH for
every category: Internet, Local Area Network, Trusted Sites [delete any
trusted sites listed] and Restricted sites). Go to the Advanced tab and
click the button "Restore Defaults" then modify individual check box items
manually if you want; go to the Programs tab and click the button "Reset Web
Settings" but uncheck the "reset home page" prompt unless you like MS's
default page. Click OK.


Step 12
Utter the phrase, "Oooo Ahhhh, devilware, be GONE!" then spit out of the
window over your LEFT shoulder.


Step 13
Restart your computer.


Step 14
Go online and download other browsers to use for everything but Windows
Update. Download Firefox from mozilla.org and Opera from opera.com and
install both. They're safer than Internet Explorer (a.k.a., the Devil's
Helper).

To run Windows Update, first go to the Internet Options control panel,
Security tab, click the Internet category icon, then click the DEFAULT
button, then OK. Then run Windows Update. Afterwards, go back to the
Internet Options control panel and slide the security back up to HIGH for
the Internet category, then click OK, and continue using Mozilla's Firefox
and/or Opera for web browsing.


Step 15
Delete the renamed evil program (e.g., harmless.btch), which Spysweeper will
identify as coolwww even with its different name.

It's as simple as that!
As simple as 1,2,3ab,4abc,5abcdef,6,7abc,8,9,10,11,12,13,14,15!!!

Total elapsed time: 45 minutes to 1.5 hr depending on the number of files
your anti-spyware programs scan.

================
================

MICROSOFT CULPABILITY


(1) Microsoft allows by design or by flaw the creation of "super"-hidden
files. FIX THIS MICROSOFT!!, then anti-spyware programs will be able to
find and remove this stuff.


(2) Also…Hey Microsoft!! Fix the design flaws that allow anything to write
to the registry and place files on the computer as users browse the web with
IE. WHAT A JOKE!!! Guilty! Sentenced to 5 years of trying to remove
Coolwww without xfind or a clean install.


================
================
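The Step 3 read-error check and the Step 7 registry search, as an added Python example that is not part of the original post and is not xfind: it tries to read every .dll in a directory and flags the ones that fail with an access-denied error, then lists every value in a .reg-style export that mentions the flagged name. The temporary directory, the `fake_open` stand-in for the ACL-locked file, and the `SAMPLE_REG` text are all constructed for the demo.

```python
import os
import tempfile

# Constructed .reg export; one value loads the post's example DLL name.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Loader"="rundll32.exe C:\\WINDOWS\\system32\\mofohell.dll,Start"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\WINDOWS\\system32\\user32.dll"
"""

def find_unreadable_dlls(directory, opener=open):
    # Step 3's trick: the ACL-locked DLL hides from listings, but reading every
    # .dll trips over it. `opener` is injectable for the constructed case below.
    flagged = []
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".dll"):
            continue
        try:
            with opener(os.path.join(directory, name), "rb") as fh:
                fh.read(1)
        except PermissionError:
            flagged.append(name)
    return flagged

def registry_refs(reg_export, filename):
    # Step 7 over an export: every (key, value line) naming the DLL, for review.
    hits, key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and filename.lower() in line.lower():
            hits.append((key, line))
    return hits

def demo():
    # Constructed scenario: three DLLs, one of which the fake opener denies.
    def fake_open(path, mode="rb"):
        if os.path.basename(path).lower() == "mofohell.dll":
            raise PermissionError(13, "Access is denied", path)
        return open(path, mode)
    with tempfile.TemporaryDirectory() as d:
        for name in ("kernel32.dll", "mofohell.dll", "user32.dll", "readme.txt"):
            open(os.path.join(d, name), "wb").close()
        suspects = find_unreadable_dlls(d, opener=fake_open)
    refs = [r for s in suspects for r in registry_refs(SAMPLE_REG, s)]
    return suspects, refs
```

On a real XP box the same read loop, run against C:\Windows\System32 without the fake opener, is what produces the error the post tells you to write down.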
sgomes
HOLY CRAP!!!!

A couple of weeks back I got a really bad trojan (just a home page grabber) that took me about four hours to get rid of. This one sounds ten times worse! Thanks for the instructions.

Is there a symptom we should be aware of to know if we've been infected?
Part Pricer
There are so many variants of this bugger that it is difficult to specify the symptoms. However, there are a couple of things that will let you know for sure that you have CWS.

1.) Your homepage has been reset to c o o l w e b s e a r c h . c o m (I spaced out the spelling so the BBS didn't create a link to it).

2.) Your IE search feature now takes you to c o o l w e b s e a r c h . c o m

3.) If you run Spybot Search & Destroy or Ad-aware, they will detect that you have CWS. And, they will both tell you that they have removed it. But, they don't. If you have this variant of CWS, right now it must be removed manually.
p914
I've been using Mozilla for quite some time now. Also have Opera. Started with Opera and now use Mozilla. No hijacks, no pop ups/unders. What a nice way to surf the web. I have NetCaptor on another system, it's good too but not as good as Mozilla. Using NetCaptor I also use POW and popupkiller. That combo after a while has pretty much eliminated any annoyance pops.

Great info on getting rid of coolweb. Took me a while to get rid of it and czjump. It may still be on that one system but has not yet resurfaced in about 1 1/2 months. Maybe it has a clock on it to reinject itself later.
sgomes
Yea! That was the name of the bugger I had:

C o o l W e b S e a r c h . m t w i r l 3 2

What a B'otch to get rid of. By the way I'm running Spybot Search and Destroy and it has a feature to lock out changes to your homepage. Will it block this new variant?
Part Pricer
QUOTE(sgomes @ Aug 8 2004, 03:31 PM)
Yea! That was the name of the bugger I had:

C o o l W e b S e a r c h . m t w i r l 3 2

What a B'otch to get rid of. By the way I'm running Spybot Search and Destroy and it has a feature to lock out changes to your homepage. Will it block this new variant?


If your system is already clean and you want to try to prevent another infection, there are a couple of things you can do.

1.) Switch to Firefox

2.) If you are like a lot of my clients and must use IE, there is a neat utility called Bugoff. This was written by the same guy that wrote HijackThis. Run this once, set up the protection and you should be good until another variant is released. I'm mirroring this download because the author's site is under a DOS attack from someone who is upset that he is writing software that combats malware.
PAPERBOY
Is the CWS Shredder still being updated? It used to be the easy way.
Part Pricer
Merijn last updated CWS Shredder at the end of June. He said that it would be the last update for a while. However, it does not handle this variant.
scottb
paul,

so i went through step 3 and the program found nothing. no error report was given. can i presume my system is clean?

thanks,

scott
scottb
hey! downloaded firefox and this is what the 914club home page looks like.....

any thoughts on what needs to be adjusted?
Part Pricer
Scott,

It's not your problem, I've got it too. However, I've notified the authorities.

sgomes
I'll add a "me too" to that. I did notice that I could highlight with my mouse and it would reveal the text in the black boxes. I'm not all that surprised that Firefox has trouble. It's on release 0.9 after all! It also has problems with Flash player. It's a great start but not ready for primetime yet.
mike_the_man
I use Mozilla at home, and I noticed when sending PMs, only about 3/4 of the message box was displayed on the screen, but there was no scroll bar at the bottom of the screen to be able to see the entire box. Anybody have this problem? Other than that, I really like Mozilla. No popups, and it's not a crappy Microsoft product.
J P Stein
Paul:

I was down at the 'puter store looking to replace or update my anti virus software. The guy there recommended to download AVG Virus Protection rather than buy 2004 Norton from him!

I could use a second opinion.
ArtechnikA
QUOTE(J P Stein @ Aug 9 2004, 08:52 AM)
...recommended to download AVG Virus Protection rather than buy 2004 Norton from him!

we use AVG on all the systems here at Ross-Tech -- 'course too we all use some flavor of Mozilla for browsers and Outlook is expressly banned from all company computers...

it has been very good about automagically quarantining emails with suspicious attachments; i can't speak for everyone here, but on my system it's been 100% accurate with no false positives and no nasties slipping through...
Part Pricer
AVG is very good.

When looking at anti-virus software, the most important thing is timely updates. IMO, Norton and McAfee are too slow in releasing updates.

AVG, and my favorite avast!, get new virus definitions released very quickly. I've had times when I have received three new updates a day from avast!.
cooltimes
As a consumer against popup ads, this is the latest break for John and Susie Public.

http://www.ftc.gov/opa/2004/08/dsquared.htm