Getting rid of the CoolWebSearch Trojan

ComputerBob
Guru
Posts: 278
Joined: Sat Jun 14, 2003 5:27 pm
Location: The Gulf Coast of the Sunshine State, USA
Post by ComputerBob » Sun May 02, 2004 1:38 am

My April 30, 2004 online Journal entry describes how I spent much of the past 4 days trying to get rid of the CoolWebSearch (CWS) trojan browser hijacker from the computer of one of my cousins.

CWS is now recognized as one of the most intelligent, most difficult to remove trojans ever created. Some of its many variants now have the capability to
  • Hide themselves from the Windows Task Manager.
  • Block you from visiting Web sites that contain information or tools that help you get rid of CWS.
  • Re-install themselves after you have removed them.
  • Other details as described in the articles to which my Journal entry links.
My Journal entry includes details of my adventures with CWS, as well as links to information and tools to help you get rid of it.
ComputerBob - Making Geek-Speak Chic™
http://www.computerbob.com
One Of The Largest One-Person Sites On The Web
With Tons of Information, Software, Help, and Fun

GaryGo
Enthusiast
Posts: 48
Joined: Mon Mar 29, 2004 7:37 pm
Location: Upstate NY, USA

Post by GaryGo » Sun May 02, 2004 2:55 am

The info I saw on your journal doesn't go into great detail. The good news is that once you learn how to kill something like CWS, you've pretty much mastered the art of cleaning up your Windows environment. My kids got CWS or something like it onto our PC, but fortunately I had a separate laptop on the Net, and found an obscure reference that pointed me to the hosts file that was redirecting all the major search engines.

Gary

Post by ComputerBob » Sun May 02, 2004 3:50 am

GaryGo wrote: The info I saw on your journal doesn't go into great detail.
That's because the articles to which I link provide much more detail.
GaryGo wrote: The good news is that once you learn how to kill something like CWS, you've pretty much mastered the art of cleaning up your Windows environment.
CWS is unlike anything I've ever dealt with, and having spent over 30 hours trying to get rid of it in the past 4 days, I can tell you from sad experience that, if you haven't dealt with its newest, most intelligent variants, you have no idea how pervasive it is, and how nearly impossible it is to eradicate. It anticipates everything that you do to try to kill it, while blocking you from getting any online help, and corrupting the tools that you try to use against it. Getting rid of the latest CWS variants feels like playing a game of chess with a mad genius. :wink:

Post by ComputerBob » Sun May 02, 2004 4:21 am

Here's more detail on the situation:

It appears that my cousin's computer has either the newest or second newest CWS variant, and unfortunately, none of the normal trojan removal methods work on this CWS variant.

For example, the HijackThis log doesn't display any of the signs of the MadFinder variant, yet CWShredder keeps finding that variant and removing it, only to have it return on the next reboot and immediately invite some "friends" to join it.

The Windows Task Manager doesn't show ANY of the CWS applications or processes running.

Regedit doesn't show ANY of the registry entries that are installed by ANY of the CWS variants, yet CWShredder keeps finding and removing 1-9 different CWS variants each time the computer is rebooted.

The ZoneAlarm Pro firewall is still running, but it doesn't show up in the Windows Task Manager. The only indication that it is running is that there are several ZoneAlarm dlls in the Windows System 32 folder that cannot be deleted because they're in use. It appears that CWS has corrupted ZoneAlarm Pro.

Norton AntiVirus recognizes that the computer is infected with CWS, but it cannot do anything to remove it, despite the fact that the Norton site says that NAV has been able to remove CWS since last March.

Any attempt to even visit an antivirus site or an online scan site or a CWShredder download site causes the browser to be redirected to a porn site.

When we ran CWShredder from a locked floppy disk, we got a message saying that CWS was attempting to corrupt CWShredder.

This thing is REALLY, REALLY evil.
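As an added defender-side example (not from this thread or from any of the tools it names): a small Python check for the two symptoms described above, GaryGo's hosts-file entries redirecting the major search engines and ComputerBob's blocked antivirus sites. The sample hosts content, the IP address in it and the watched-domain list are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of a Windows hosts file showing what a search-engine
# hijack and blocked security-vendor sites look like (not a real capture).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed hijack entries below
209.85.123.45   www.google.com
209.85.123.45   google.com
209.85.123.45   search.yahoo.com
209.85.123.45   www.altavista.com
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
"""

# Domains that should never be overridden by a hosts file: search engines and
# security-vendor sites. Assumed starter list; extend for your environment.
WATCHED_SUFFIXES = (
    "google.com", "yahoo.com", "altavista.com", "msn.com",
    "symantec.com", "mcafee.com", "trendmicro.com", "microsoft.com",
)

LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address; skip the line
        for host in parts[1:]:
            yield ip, host.lower()

def is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def find_hijacks(text):
    """Return (hostname, ip, reason) for every watched domain the file overrides.
    Loopback means the site is blocked; any other address means a silent redirect."""
    findings = []
    for ip, host in parse_hosts(text):
        if host != "localhost" and is_watched(host):
            reason = "blocked (loopback)" if ip in LOOPBACK else "redirected to %s" % ip
            findings.append((host, str(ip), reason))
    return findings
```

On a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` and pass its contents to `find_hijacks`; an empty result means no watched domain is overridden.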

Renier
Site Admin
Posts: 1957
Joined: Mon Oct 15, 2001 12:54 pm
Location: Cape Town, South-Africa

Post by Renier » Mon May 03, 2004 10:11 am

Nasty (and interesting).

This reminds me of the days I spent trying to remove EXEBUG in its early days. It changed your BIOS to disable the floppy drive, so even when you thought you had booted from a clean floppy, the virus was already loaded.

Post by ComputerBob » Tue May 11, 2004 7:56 am

Just to follow up on this thread, I was not able to rid my cousin's computer of the CWS trojan. :cry:

My cousin and her husband finally took the computer to a local guy who formatted the hard drive, reinstalled all of their software, restored all of their data, and organized their folders for them. All for only $60 US (about 40 pounds UK). 8)

Then they called me again, and we went through the steps of locking down their computer to prevent that sort of thing from getting on it again. :wink:

KY Dave
Not the Developer
Posts: 1599
Joined: Thu Mar 14, 2002 7:29 pm
Location: Burkesville, KY. U.S.A.

Post by KY Dave » Mon Jun 07, 2004 1:47 pm

This may help.
CoolWebShredder (CWShredder) will find and destroy all traces of CoolWebSearch on your system. This includes redirections or hijacking to www.coolwwwsearch.com and coolwebsearch.com, youfindall.net and white-pages.ws. If you find that your browser is sending you to these sites all of a sudden, this little program will take care of it.

CoolWebSearch removal program download.

I haven't tried it, due to the fact I don't have CWS on my computer.
KY Dave

Family Blog
You can STOP SPAM using PopFile and PopTray.

Post by ComputerBob » Mon Jun 07, 2004 1:55 pm

KY Dave wrote: This may help.
Thanks, Dave. That was the first thing we tried, but, at that time, the CWS trojan had evolved faster than CWShredder had evolved, so CWShredder was useless to remove the CWS trojan. :wink:
