CoolWebSearch (CWS)
See: http://www.spywareinfo.com/~merijn/cwschronicles.html

This usually gets installed just by visiting a web page, or by being redirected to one after mistyping a domain name, that exploits a security hole in Microsoft's Java VM. Make sure you run the security updates from Microsoft (select "Windows Update" from the Tools menu in IE) to prevent this in the future.

CoolWebSearch (CWS) variants:

CWS.Alfasearch.2: A mutation of this variant exists that hijacks IE to www.find-itnow.com, drops bookmarks in the IE Favorites, and causes error messages concerning 'Win Min' at system shutdown, as well as bogus runtime errors at system startup. IE will quit with the message "Error has occured... msiesh.dll". It drops a fake Winlogon.exe file in the 'All Users' Startup group of the Start Menu, or in the Startup group of the current user. The file is always running and hard to remove. If CWShredder repeatedly reports removing this variant, it cannot remove winlogon.exe. To remove this file manually, move it out of the Startup folder, restart, and then delete the file.

Solution posted by dvk01 at TechSupportForum.com worked for us:

First download CWShredder from http://www.thespykiller.co.uk then run it.
Close all browser windows, click on the cwshredder.exe, then click "FIX" (not "Scan only") and let it do its thing.
Now as CWS installs via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you've run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.


Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described.

Spybot - Search & Destroy from http://security.kolla.de
AdAware 6 from http://www.lavasoft.de/support/download


Run Spybot S&D

After installing, first press Online, press Search for updates, then tick the updates it finds, then press Download updates. Beside the download button is a little down-pointed arrow; select one of the servers listed. If it doesn't work or you get an error message, then try a different server.

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

Then reboot and

Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
The current ref file should read at least 01R291 14.04.2004 or a higher number/later date.

Then...

Make sure the following settings are made and on ("ON = GREEN"):
From the main window: click "Start", then "Activate in-depth scan".

Then...

click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

Then...

Go to Settings (the gear on top of AdAware) > Tweak > Scanning engine and tick "Unload recognized processes during scanning", then under "Cleaning engine" tick "Let Windows remove files in use at next reboot".

Then click "Proceed" to save your settings.

Now, to scan, just click the "Scan" button.

When the scan is finished, mark everything for removal and get rid of it (right-click the window and choose "Select all" from the drop-down menu), then press Next and say yes to the prompt "Do you want to remove all these entries".

Reboot again.

_____________________________________________________

Then search for and delete the file IEengine.exe

Then have HJT (HijackThis v1.97.7) fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe

___________________________________

Run HijackThis again and put a check by these. Close all windows except HijackThis and click "Fix checked".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

O4 - HKLM\..\Run: [ie] iexplore.exe

O4 - HKLM\..\Run: [update32] C:\windows\configs.exe

O4 - HKLM\..\Run: [cmd32] C:\configs.exe

O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhelp.exe

O13 - DefaultPrefix: http://www.microsoit.com/direct.php?url=

O13 - WWW Prefix: http://www.microsoit.com/direct.php?url=

O16 - DPF: {11111111-1111-1111-1111-111300000000} - mhtml:C:\\NO_SUCH_MHT.MHT!http://216.240.137.40/g1.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19056d45646a1e...ip/RdxIE601.cab

Restart to safe mode.

How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".

Click "Apply" then "OK"

Now find and delete:

The C:\configs.exe file

The C:\windows\configs.exe file

The c:\windows\dllhelp.exe file

Do a file search for iexplore.exe and let me know exactly what locations you find it in. It should only be in the C:\Program Files\Internet Explorer folder, but you are going to have a bogus one somewhere.

_____________________________________________________

CWShredder fixed it
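The HijackThis entries in dvk01's post all map to a handful of registry values (IE start and search pages, the Run keys, the URL prefixes IE prepends to addresses typed without a scheme, and the Code Store Database that records downloaded ActiveX packages) plus a few file locations (the Startup folders that CWS.Alfasearch.2 drops its fake winlogon.exe into, and the stray copies of configs.exe, dllhelp.exe, IEengine.exe and iexplore.exe). The following script is an added example, not code from dvk01's post, the CWS chronicles page or any of the tools mentioned. It is a read-only audit of exactly those locations on a current Windows with PowerShell 3 or later (the post's XP-era tools are not needed for it), and it changes nothing; the allow-list of expected hosts is a constructed placeholder to adjust locally.

```powershell
# Added example: read-only audit of the locations the HijackThis entries above point at.
# Nothing here deletes or modifies anything; it only reports what it finds.
# Assumes PowerShell 3 or later on a current Windows.

# Hosts you expect to see as start/search pages (constructed allow-list; adjust locally).
# about:blank and other non-URL values are reported too, so you can eyeball them.
$ExpectedHosts = @('www.microsoft.com', 'www.google.com')

# R0/R1 entries map to the IE keys; O13 entries map to the URL prefix keys.
$UrlValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';      Names = @('Start Page', 'Search Page', 'Search Bar') }
    @{ Key = 'HKLM:\Software\Microsoft\Internet Explorer\Search';    Names = @('SearchAssistant') }
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\SearchURL'; Names = @('(default)') }
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\URL';          Names = @('DefaultPrefix') }  # O13 DefaultPrefix
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes'; Names = @('www') }            # O13 WWW Prefix
)

function Get-RegistryValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name        # dynamic member access also works for '(default)'
}

function Test-UrlHost {
    # $true only when the value parses as a URL whose host is on the allow-list.
    param([string]$Value)
    try { return ($ExpectedHosts -contains ([uri]$Value).Host) } catch { return $false }
}

Write-Output '== R0/R1/O13: IE start, search and prefix values =='
foreach ($entry in $UrlValues) {
    foreach ($name in $entry.Names) {
        $value = Get-RegistryValue -Key $entry.Key -Name $name
        if ([string]::IsNullOrEmpty($value)) { continue }
        $note = if (Test-UrlHost $value) { '' } else { '  <-- host not on allow-list' }
        '{0},{1} = {2}{3}' -f $entry.Key, $name, $value, $note
    }
}

Write-Output '== O4: Run keys =='
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($runKey in @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                      'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')) {
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($ProviderProps -contains $p.Name) { continue }
        $cmd = [string]$p.Value
        # A bare name with no path ("iexplore.exe") or an .exe sitting directly in the root of the
        # drive or in the Windows folder itself (C:\configs.exe, C:\windows\dllhelp.exe) gets flagged.
        $suspect = ($cmd -notmatch '\\') -or ($cmd -match '^"?[a-z]:\\(windows\\)?[^\\]+\.exe')
        $note = if ($suspect) { '  <-- review' } else { '' }
        '{0}: [{1}] {2}{3}' -f $runKey, $p.Name, $cmd, $note
    }
}

Write-Output '== O16: downloaded program files (Code Store Database) =='
$dpf = 'HKLM:\Software\Microsoft\Code Store Database\Distribution Units'
Get-ChildItem -Path $dpf -ErrorAction SilentlyContinue | ForEach-Object {
    $codebase = Get-RegistryValue -Key (Join-Path $_.PSPath 'DownloadInformation') -Name 'CODEBASE'
    '{0} - {1}' -f $_.PSChildName, $codebase
}

Write-Output '== Startup folders and the dropped files named above =='
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue | ForEach-Object {
        # CWS.Alfasearch.2 drops a fake winlogon.exe here; the real one lives only in System32.
        $note = if ($_.Name -ieq 'winlogon.exe') { '  <-- fake winlogon.exe' } else { '' }
        '{0}{1}' -f $_.FullName, $note
    }
}
$knownDrops = @("$env:SystemDrive\configs.exe", "$env:WINDIR\configs.exe", "$env:WINDIR\dllhelp.exe",
                "$env:ProgramFiles\Internet Explorer\IEengine.exe")
foreach ($f in $knownDrops) { if (Test-Path -LiteralPath $f) { "$f  <-- present" } }

Write-Output '== iexplore.exe copies outside Internet Explorer''s own folders =='
$ieDirs = @("$env:ProgramFiles\Internet Explorer", "${env:ProgramFiles(x86)}\Internet Explorer")
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'iexplore.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.DirectoryName -notin $ieDirs -and $_.DirectoryName -notlike "$env:WINDIR\WinSxS\*" } |
    ForEach-Object { '{0}  <-- not in the normal IE folder' -f $_.FullName }
```

Run it from an elevated prompt so the HKLM values and the Windows folder are readable; the final recursive search of the system drive is the slow part and can be dropped if the earlier sections already show the hijack. Copies of iexplore.exe under WinSxS are component-store duplicates on current Windows and are excluded for that reason, which is why the exclusion list is longer than the single folder dvk01 names for XP.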