CoolWWWSearch.SmallIM - Is this Spyware?

simsun
Posts: 65 Forumite
in Techie Stuff
I need the collective brain power of all MSEs......
I think that my machine has been infected with some spyware that I can't seem to shift.
I am protected via Spybot Search & Destroy as well as NAV Corporate and XP firewall (SP2). All are up to date in terms of definitions and I haven't downloaded anything dodgy (as far as I can tell).
Upon running Spybot it finds entries for "CoolWWWSearch.SmallIM". I delete the entries usually numbering around 103 and carry on as normal until the next time that I run Spybot.
As a result of this spyware I have 6 extra icons on my desktop for different things like Poker, Travel etc and these are links to a search engine that I have never used and IE (which I use very rarely anyway) now has an extra search toolbar that again, I am assuming comes from the spyware.
It is really starting to annoy me now - has anyone come across this spyware before? A Google search doesn't help as it can't find any entries. How can I get rid of it?
Cheers
simsun
Snootch to the Nootch!
Comments
-
I had a similar problem on my work PC a while back - none of the spyware programs would remove this scum at all. A Google search for CoolWWWSearch or CoolWebSearch (they seem to be related) should help you. In my case it just involved changing a few registry settings, renaming a DLL, rebooting, deleting the DLL and a few other files, and it was gone.
-
I think it's more a browser hijacker than spyware, but you want to get rid of it.
Hug provider for depression thread :grouphug:
"I'm not crazy, I'm just a little unwell.." - Unwell by Matchbox Twenty
-
I've done a Google search and followed instructions but I still haven't been able to shift the damn thing. Which registry and Dll files did you have to sort D.A.?
Anyone else got any ideas?
cheers
simsun
Snootch to the Nootch!
-
If all else fails download HijackThis and run a scan. Save scan and ask for help on http://www.d-a-l.com/help/forumdisplay.php?f=8
or
http://forums.tomcoyote.org/index.php?showforum=27
These sites (and others) are experts at removing this and other malware/hijackers etc.
You will see they are very busy but will get to you as soon as possible. Unless you are very happy with editing Dll's and registry I would suggest it might be best to try them first.
Peter.
I'd rather be an Optimist and be proved wrong than a Pessimist and be proved right.
-
OK here we go - Log File anyone help?
Am I right in thinking that entries R1 & R0 could be the offending items?
cheers
simsun
Logfile of HijackThis v1.98.2
Scan saved at 13:14:41, on 26/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\runservice.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\CELCAT\CELCATMailer\CC32MAIL.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Simon\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.seuyjtbtysghpmxlqdbuc.com/PHv9Y1UOl4FBVXo5lBUrj0M2v30vZ98sw_mhq_Q/S5dKeT/P9ggjaPSjhc9mguYo.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jndqnmfyeblcaxvgajcvsk.biz/PHv9Y1UOl4EMngpYDZsvDhdHnQyEQ3IC47gxYWXMFEU.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {6A3031D2-90C6-EEE9-1BD7-D2E42D7FF17D} - C:\DOCUME~1\Simon\APPLIC~1\Soft32\64 Grey.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PSDrvCheck] "c:\program files\pinnacle\edition 5\program\PSDrvCheck.exe" -CheckReg
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Audio once kind body] C:\Documents and Settings\All Users\Application Data\Locks dvd audio once\rdrgrid.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [Flagsite] C:\DOCUME~1\Simon\APPLIC~1\WAYREG~1\holedashdoes.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: CELCAT Mailer.lnk = C:\Program Files\CELCAT\CELCATMailer\CC32MAIL.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17e125ca594405ac0d16/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69E01608-2D19-4AFC-8472-7CF5157E0E94}: NameServer = 157.228.12.1,157.228.13.65
Snootch to the Nootch!
-
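A first-pass triage of the log above, as an added example that is not part of the original thread or of HijackThis itself. It applies two assumed heuristics (IE page settings that point at random-looking hostnames, and BHO/autostart entries that load from Application Data); a flag marks an entry for closer inspection and is not a verdict.

```python
import re
from urllib.parse import urlparse

# Subset of the HijackThis log posted above, copied verbatim.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.seuyjtbtysghpmxlqdbuc.com/PHv9Y1UOl4FBVXo5lBUrj0M2v30vZ98sw_mhq_Q/S5dKeT/P9ggjaPSjhc9mguYo.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jndqnmfyeblcaxvgajcvsk.biz/PHv9Y1UOl4EMngpYDZsvDhdHnQyEQ3IC47gxYWXMFEU.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6A3031D2-90C6-EEE9-1BD7-D2E42D7FF17D} - C:\DOCUME~1\Simon\APPLIC~1\Soft32\64 Grey.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Audio once kind body] C:\Documents and Settings\All Users\Application Data\Locks dvd audio once\rdrgrid.exe
O4 - HKCU\..\Run: [Flagsite] C:\DOCUME~1\Simon\APPLIC~1\WAYREG~1\holedashdoes.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
"""

ENTRY = re.compile(r"^(R\d|O\d+) - (.+)$")
# Long and 8.3 short forms of the user-writable profile data folder on XP.
USER_WRITABLE = re.compile(r"\\(application data|applic~1)\\", re.I)

def random_looking(host):
    """Assumed heuristic: a long DNS label with very few vowels."""
    label = max(host.split("."), key=len)
    vowels = sum(ch in "aeiou" for ch in label.lower())
    return len(label) >= 12 and vowels / len(label) < 0.25

def triage(log_text):
    """Return (section, reason) pairs for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        if section in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1]).hostname or ""
            if random_looking(host):
                findings.append((section, "IE page set to random-looking host " + host))
        elif section in ("O2", "O4"):
            if USER_WRITABLE.search(body):
                findings.append((section, "loads from Application Data: " + body))
            elif section == "O2" and "(no name)" in body:
                findings.append((section, "unnamed BHO: " + body))
    return findings

if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(section, "-", reason)
```
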
CWS is one of the nastier infections to get rid of. Apparently the later versions are immune to the CWShredder program, which used to be the cure.
As p_t_p suggests, post your log file to one of the sites given - the guys there will take you through removal step-by-step.
-
How did you get on, did the sites help you?
I'd rather be an Optimist and be proved wrong than a Pessimist and be proved right.
-
Yes the problem has now been sorted.
Apparently, it was down to Messenger Plus!, an add on for MSN Messenger. Upon install it asks if you agree to install the programme *with* sponsorship. Upon closer inspection it can be installed without the sponsor bar.
So please beware any other MSEs who are going to install / have installed Messenger Plus!
Thanks for your help guys.
cheers
simsun
Snootch to the Nootch!
-
Always remember to check for updates with Adaware and Spybot before running them. I got rid of something similar recently.
-
Davey Winder's excellent column in the latest PC Pro covers this nasty piece of 'scumware'.
student100 hasn't been a student since 2007...
This discussion has been closed.