Coolwebsearch spyware and adware

    I consider myself a careful web user, and am extra cautious about any mail attachments, software installs etc, as my computers are invaluable tools that need to be functional at all times.
    However, yesterday I seem to have been invaded by some form of adware commonly known as coolwebsearch.
    Thankfully, it's on my home machine, not on one of our business machines that we use for Actinic.
    It effectively hijacks Internet Explorer and reroutes you to a dodgy search page, whilst bombarding you with messages about spyware and adware, and offering to remove them (at a cost). It's effectively blackmail - it creates the problem, then kindly 'offers' a solution if you pay up (which I doubt works, though I refuse to go there).
    It resets your homepage no matter what you do, and also blocks sites like Windows Update, by rerouting the URL to its own search page.
    Whatever I have tried so far, (CWshredder, adaware, spybot Search & Destroy, Norton AV) I can't rid this damn thing.
    Whilst it's not crippled the machine (just IE), it's really bugging me.
    I have switched to Firefox for web browsing, but don't like the idea of this 'thing' being on my home machine.
    My questions are - has anyone else had this problem? I have read that this has evolved into a very powerful and persistent force that's difficult to rid - any idea how widespread it is? Any tips on cleaning my system (see above for what I've tried already)?

    #2
    I use Spybot, I'm sure your one is up to date.

    Might be worth trying this...

    http://www.zonelabs.com/store/conten...d=sept_ps_news
    Football Heaven

    For all kinds of football souvenirs and memorabilia.



      #3
      Thanks George.
      Can't get that zonealarms prog to work, but will take another look later.
      It only runs under IE, not Firefox, and it's my IE that's been taken over.
      Have now spent the best part of the weekend trying to get rid of this pest, and I've had enough for now.
      Will take a fresh look in the new week.



        #4
        Martin

        We have suffered the Coolsearch thing and it took us a week to get rid of it.

        You will need a program called HiJackThis that will show you all the registry keys of programs that run on startup. From there you can delete these keys.

        Always run XP in Safe Mode and look for EliteToolbar in C:\windows\system and C:\windows\system32

        Delete these files/folders

        Use the list from HiJackThis to go through the registry and manually delete the keys. There are a lot of keys dropped, about a dozen I seem to remember.

        It infects/drops other files as well and these might have changed since we had problems. They look like Windows files, e.g. ieupdate

        We had to manually get rid of the scumware after Sophos (who we use for AV software) identified the files and provided a new AV definition file and also (I think) an executable to find all instances of it.

        To be honest taking a backup and formatting your system will probably be quicker. I am working at home today but will look out all the info I have on this beast and forward details to you

        Good Luck
        Owner of a broken heart

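The triage step described in post #4 (reading a HijackThis report for startup and browser entries), as an added example that is not part of the original thread. It assumes the usual HijackThis log layout of `CODE - detail` lines; the sample log, its URLs, CLSID and paths are constructed, and only the three file names come from the posts.

```python
import re

# Names mentioned by posters in this thread; matched case-insensitively.
THREAD_NAMES = re.compile(r"elite\s*toolbar|wintua32|ieupdate", re.IGNORECASE)

# HijackThis section codes relevant here (a subset of the full list).
SECTIONS = {
    "R0": "IE start/search page",
    "R1": "IE start/search page",
    "O2": "browser helper object",
    "O3": "IE toolbar",
    "O4": "startup entry",
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def triage(log_text):
    """Return (review, flagged): entries to check by hand, and those
    whose detail contains a name from the thread."""
    review, flagged = [], []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or m.group(1) not in SECTIONS:
            continue  # header lines and sections outside the subset
        item = (m.group(1), SECTIONS[m.group(1)], m.group(2))
        review.append(item)
        if THREAD_NAMES.search(m.group(2)):
            flagged.append(item)
    return review, flagged


# Constructed sample log: not taken from any real machine.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.invalid/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\EliteToolbar\example.dll
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\agent.exe
O4 - HKLM\..\Run: [wintua32] C:\WINDOWS\system32\wintua32.exe
O4 - HKCU\..\Run: [ieupdate] C:\WINDOWS\system\ieupdate.exe
O23 - Service: Example Service - Unknown - C:\example.exe
"""

if __name__ == "__main__":
    review, flagged = triage(SAMPLE_LOG)
    for item in review:
        mark = "!!" if item in flagged else "  "
        print(f"{mark} {item[0]:<3} {item[1]:<22} {item[2]}")
```

Entries marked `!!` match a name from the thread; every other listed entry still needs checking by hand, since the dropped file names may have changed.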


          #5
          Spysweeper got rid of this from our old PC when all others failed. You can get it on a 30 day free trial (Webroot software).

          Regards - Helen



            #6
            Thanks Gary

            Have run HijackThis, and am working my way through the report generated, but is very time consuming (something we all have too little of I fear).
            Will have a look for the Elite Toolbar.
            Have been into the registry many many times now, following various bits of advice I have picked up from the web, but the thing is still embedded somewhere.
            Am seriously contemplating a full reformat and reinstall, though I'm less confident of doing this than I was pre-XP (I have in the back of my mind some scaremongering when XP first came in whereby the need to re-register the software after hardware changes can create problems, but no idea if this actually is true). Have yet to attempt a full re-install of XP, have only used the XP repair route up until now.
            I also used to diligently record every upgrade and change I made to my machine(s), but have not kept this up lately. Whilst the thought of clean slate is appealing, I dread the time involved in reinstalling various pieces of software I have built up and upgraded over time.
            This sort of thing is so annoying and timewasting.
            I have a solid hardware firewall, and up to date Norton AV, yet have still been hit!
            Any and all advice gratefully accepted.



              #7
              Thanks Helen
              Will take a look at spysweeper.
              Spybot search & destroy picks up CoolWebSearch in the registry and deletes the various keys, but the damn thing just comes straight back. There is obviously something deeply rooted which is running in the background, but none of the checkers I have tried have zapped it, and my extensive manual searching has yet to find the problem.
              I march on...



                #8
                My sophos contact had me send a file called wintua32.exe and this was the offending file
                Owner of a broken heart



                  #9
                  Martin,

                  Have you tried Microsoft's AntiSpyware Beta? It's at http://www.microsoft.com/athome/secu...e/default.mspx - and may well (although it's probably curing a Microsoft created problem) do the trick.
                  Norman - www.drillpine.biz
                  Edinburgh, U K / Bitez, Turkey



                    #10
                    I recently purchased spyware eliminator, cost me about £16 and works really well. I searched the internet and read a number of reviews and it actually came out on top. It has weekly updates.

                    Have a look here, but it was a must for me: http://www.aluriasoftware.com/homeproducts/spyware/

                    I did try a couple of other freebies and they did not find half the stuff this did.

                    Cheers
                    Darren



                      #11
                      Here's a quote from The Register ( http://www.theregister.co.uk/2005/01...clean-up_tool/ ) today.
                      Microsoft debuts a malicious software removal tool today. It represents the first tangible fruits of Microsoft's June 2003 acquisition of Romanian anti-virus firm GeCAD Software.
                      This is a different bit of code from the Anti-Spyware beta. You get it via Windows Update from today.

                      Of course, if it works properly, its first job should be to remove Internet Explorer and drop Firefox in its place.
                      Norman - www.drillpine.biz
                      Edinburgh, U K / Bitez, Turkey



                        #12
                        You must disable system restore before cleaning the system as it hides itself in there.
                        Old Bald & Stupid, but more than compensated for by being born Welsh.
                        Umbrella Consultancy Search Engine Optimisation Reports: http://www.umbrella-consultancy.co.uk/search-engine-optimisation-reports.htm



                          #13
                          Download spybot S&D, adaware by lavasoft, Hijack this, and also IE restrictions (http://camtech2000.net/Pages/Restrictions.htm). IE restrictions is fantastic, it prevents any future hijacking from taking place.

                          I got bitten by LOP once and it is a bugger to get rid of. As I mentioned above though, it will hide itself in the system restore, so you need to turn it off before getting rid.
                          Old Bald & Stupid, but more than compensated for by being born Welsh.
                          Umbrella Consultancy Search Engine Optimisation Reports: http://www.umbrella-consultancy.co.uk/search-engine-optimisation-reports.htm



                            #14
                            Thanks for all the advice. Am working my way through the various suggestions.
                            Have System Restore switched off, and have already tried many of the above, but will keep at it.
                            Currently have Webroot Spy Sweeper running.
                            This identified 4 bits of scum (including CWS), and claims it eliminated them.
                            IE still redirects though.
                            I am getting the impression that many of these sweepers/cleaners can't actually rid the menace, but work instead by residing on your taskbar, fighting an ongoing battle, i.e. as the rogue program triggers, so the cleaner undoes its work. It fights it, but can't actually rid it.
                            I will persist for now, but a full reformat at some stage is looking more likely.
                            I think I may need a clean install THEN install one or more of the cleaners to run permanently, much like Norton AV does.
                            For now, Firefox is replacing IE.



                              #15
                              A layered approach to spy/adware

                              As someone else has mentioned, most of the spyware-killers don't seem to get everything. My brother and I run a consulting firm in Pennsylvania, USA and spyware is probably the #1 problem our individual clients have. We take a layered approach using the following products:

                              1. Ad-Aware www.lavasoftusa.com (free for personal use)
                              2. Spybot S&D (www.spybot.info) (free)
                              3. HijackThis! (http://www.spywareinfo.com/downloads.php - scroll down)
                              4. Spywareinfo free ActiveX scan: http://www.spywareinfo.com/xscan.php

                              The best CoolWeb killer is CoolWebShredder by the folks at spywareinfo.com - it's been purchased by someone else but is still available at
                              http://www.intermute.com/spysubtract..._download.html

                              And definitely turn system restore off. If your winxp machine is not showing system restore, you have a piece of spy/adware that is targeting it. (right click on my computer > properties)

                              Best,

                              Heidi
                              --
                              Heidi I. Jones
                              Ridgerunner Consulting
