CoolWebSearch nightmare.



nlinecomputers

I've got a laptop on my bench that has me stumped. It has some kind of new CoolWebSearch trojan on it, and it is a tough little SOB. I am unable to run or install HijackThis, Spybot S&D, SpywareBlaster, or CWShredder. AVG runs and crashes and can't be reinstalled. And GET THIS: directories that have the installer files on them don't display the programs. I put my USB drive on the laptop and my Spyware directory was blank. Rename the files to non-obvious names and they show up, but they still can't run.


Wow!! :w00t: Sounds like a good time to back up the data files and then FDISK the hard drive. If you can, back up the notebook's drivers too. I recommend WinDriversBackup for that.


If I remember correctly, Ad-Aware 6 should be able to get rid of it. I think one of my clients had it on their machine.


Guest LilBambi

Did you try the latest version of CWShredder in Safe Mode, Nathan? Haven't had to do that yet, but it might work. Or maybe this is a job for a Bart's PEBuilder specialized CWShredder disk. :w00t:


Can you boot a CD-based operating system, or temporarily boot from another hard drive, and clean the infected drive?


nlinecomputers
> Did you try the latest version of CWShredder in Safe Mode, Nathan? Haven't had to do that yet, but it might work. Or maybe this is a job for a Bart's PEBuilder specialized CWShredder disk. :w00t:

Fran, I couldn't at first run CWS. It runs and removes stuff, but it comes back. I was able to run HijackThis ONCE.
Logfile of HijackThis v1.97.7
Scan saved at 4:43:13 PM, on 5/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
E:\spyware\nathan\nathan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ScRunCdRomSetupExe] D:\USBDRV\..\setup.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

The nathan.exe file is HijackThis. Could only run it under a different name. Same story with CWS, and now Spybot. Just installed AVG and it found Backdoor.Hacdef.C. It killed it, but it reappears on reboot. The other odd item is that WToolsA.exe line. Have also killed that bast*rd, only to have it come back. I think I'm missing a third element. Sigh. I may just give up and fdisk this thing.


Guest LilBambi

I would suggest deleting this one with HijackThis!:

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

See this thread from SpywareInfo.com: http://www.spywareinfo.com/forums/index.ph...showtopic=41859

Wow, that malware you encountered is pretty bad ... both of you!

Nathan, I am sure you already did this, but I have to ask ... Did you turn off System Restore first thing?

Although, it sounds like Temmu has the best answer ... latest ref update (I suggest downloading the updated ref file from the Ad-aware website in zip format, then creating a CD-R with it unzipped so you can hand-place it in the Ad-aware directory) and run it after you get the latest update put there, while you are still in Safe Mode.

Might also be able to run the latest version of CWShredder in Safe Mode as well, just to be sure.

Thanks for the heads up, Temmu!

nlinecomputers

Fran, thanks for the link. I had just found it and was trying that now. I'm trying to run everything I can in Safe Mode before I reboot into Normal Mode. The services stuff is probably key to this dang thing. Did you see the LEGACY Services reference? This sucker hides as both a Windows NT service and as a 2000-based service!?! When one is killed, the other replaces it! Then, just for fun, they have a DLL-based virus that can spawn this stuff too. Maybe I have enough to kill the thing.


Guest LilBambi

Wouldn't you just know it .... sheesh! And all this after the Spyware Summit. Sure hope they make some inroads on these nasty pieces of code soon. This is ridiculous.

Great, Nathan :thumbsup:

Good luck ... I am sure I will be battling this particular one myself very soon! ;)


nlinecomputers

Only partial success so far: the backdoor isn't going away, but the WToolsA thing appears dead. Perhaps they are not related. I seem to have stable internet on this box, so I'm now scanning with Trend Micro's online scanner. Maybe it will pick up the other half of this D*** thing.


nlinecomputers

Fran, thanks for the links. I found out what the heck is going on with this box, and I think I've killed it. Backdoor.Hacdef.C stands for Hacker Defender, a stealth Trojan backdoor FTP client! I'm not certain whether it is related to the CoolWebSearch issue or not, but it was the item that was interfering with the loading of all the spyware tools. Note: AVG does NOT fully remove this. I was able to boot off of a BartPE disk and use McAfee to remove it. It was the only scan engine that appears to have fully ID'd it. AVG's lousy name for this virus made finding information difficult, but info on "Hacker Defender" is all over the place.

(Note to self: Stop mentally bashing McAfee. The Windows version sucks, but the DOS tools rock. Should have used it sooner....)

New link you guys should add to your armory of combat tools: hacker defender removal

It may be coincidence, but CoolWebSearch may now be using the Hacker Defender rootkit as a means to prevent removal of their trojan. The above link has a link to a Windows rootkit checker that I will now run on all systems that hit my bench. Look at it and you will see why.

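The behaviour nlinecomputers describes above (tools vanishing from a directory listing, then reappearing after a rename, and a backdoor that survives AVG but not an offline McAfee scan from BartPE) is the signature of a user-mode rootkit that hooks the Windows enumeration APIs and drops every entry whose name matches a pattern in its configuration. The reliable counter, and the thing the "rootkit checker" he links to automates, is a cross-view diff: list the same objects once through the live, hooked OS and once from an offline boot, and report whatever the live view omitted. The Python below is an added example written for this page, not code from the thread, from the rootkit checker, or from any antivirus vendor. It simulates both views offline on constructed data; the hide patterns, file names, process names and service names are assumptions chosen to mirror the thread, not Hacker Defender's real configuration.

```python
"""Cross-view detection for a name-filtering user-mode rootkit.

Added example, not code from the thread. The rootkit is modelled as a filter
over a truthful listing: anything whose name matches one of its glob rules is
removed from what the live OS reports. An offline boot (BartPE) reads the
same disk, process table snapshot and service list without the hook, so the
difference between the two views is exactly what the rootkit is hiding.
Everything runs offline on constructed data; names and rules are assumed.
"""
from fnmatch import fnmatchcase

# Constructed hide list in the one-glob-per-line style of a rootkit ini.
# These patterns are assumed for the demo, not the real configuration.
HIDE_RULES = """
# tools the rootkit does not want the technician to see
hijackthis*
cwshredder*
spybot*
# the rootkit's own files, process and service
hxdef*
hackerdefender*
# the companion adware dropper seen in the HijackThis log
wtoolsa*
"""

# Constructed offline snapshot, as a clean boot would see the USB drive,
# the process table and the service list. Names are illustrative only.
OFFLINE_SNAPSHOT = {
    "files E:\\spyware": ["HijackThis.exe", "CWShredder.exe", "spybotsd13.exe",
                          "nathan.exe", "readme.txt"],
    "processes": ["smss.exe", "winlogon.exe", "Explorer.EXE", "hxdef100.exe",
                  "WToolsA.exe", "WToolsS.exe"],
    "services": ["Spooler", "HackerDefender100", "WinTools"],
}


def parse_hide_rules(text):
    """Return the glob patterns from an ini-style hide list, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(line.lower())
    return rules


def is_hidden(name, rules):
    """True if the hooked API would filter this name out of a listing."""
    return any(fnmatchcase(name.lower(), rule) for rule in rules)


def live_view(offline_entries, rules):
    """Simulate the hooked listing: the truthful listing minus every match."""
    return [name for name in offline_entries if not is_hidden(name, rules)]


def cross_view_diff(live, offline):
    """Compare two listings of the same objects.

    hidden: present offline, absent from the live view, so the hook filtered it.
    ghosts: present in the live view only, which the offline scan did not find;
            a decoy or a stale snapshot, and worth a second look either way.
    """
    live_set, offline_set = set(live), set(offline)
    return {"hidden": sorted(offline_set - live_set),
            "ghosts": sorted(live_set - offline_set)}


def audit(offline_snapshot, rules):
    """Run the cross-view diff for every category and return the findings."""
    return {category: cross_view_diff(live_view(offline, rules), offline)
            for category, offline in offline_snapshot.items()}


def main():
    rules = parse_hide_rules(HIDE_RULES)
    for category, finding in audit(OFFLINE_SNAPSHOT, rules).items():
        for name in finding["hidden"]:
            print(f"[HIDDEN] {category}: {name}")
        for name in finding["ghosts"]:
            print(f"[GHOST]  {category}: {name}")
    # The rename trick from the thread: the filter is by name, so a copy of
    # HijackThis saved as nathan.exe passes straight through the hook.
    print("nathan.exe hidden?", is_hidden("nathan.exe", rules))


if __name__ == "__main__":
    main()
```

On a real machine the two inputs to cross_view_diff come from different boots: the live listing from the infected OS (Explorer, tasklist, the service control manager) and the offline one from BartPE or a mounted drive, so the hooked API never gets a chance to edit the second. Any name in the hidden list is a rootkit artefact or a file it is protecting, which is why the same scan that AVG could not complete from inside Windows succeeded once run from the boot CD.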

Guest LilBambi

Nathan, happy to help.

Glad you figured it out and think you got it all. :thumbsup:

My Bart PEBuilder disk also has the DOS tool for McAfee antivirus, as well as many other wonderful tools!

It really goes against the grain, but McAfee did a much better job on their DOS tool than they did on their Windows AV software. It's a shame too. McAfee used to be THE name in antivirus software in the early 90s, till their merger.

I have now also added that new HackerDefender tool to my arsenal of removal tools.

Thanks for helping us all understand it a little better.


nlinecomputers

Yep, I feel the same way about Norton. The scanning engine is one of the best out there, but the shell that runs it is so bloated that it makes it almost useless, especially as a DEFENSE tool at preventing infection in the first place. Once infected, it's one of the better tools to use to remove them. So is McAfee.

Bart's PE is great. I don't have to use it much, so you forget the usefulness of the tools on it. I need to update it to a newer version; I have 3.0.2. Normally I would have just blown this off after about 2 hours, but I wanted to KNOW what the heck was going on. Now that I understand what happened, I can fix it much faster. Can't bill the client 10 hours.... :thumbsdown:


Guest LilBambi

I hear ya on Norton too!

Yes, Bart's PE Builder is fantastic. I had an interesting time, cuz I had to slipstream SP1 after copying the files to the hard drive from the Windows XP Pro upgrade installation CD before I could build mine. But it was a very successful thing, and it has saved me on several occasions.

I hear ya on not being able to bill for 10 hrs to figure it out. Been there, done that. Got the T-shirt! But sometimes you just have to know, whether you are compensated on this one job or not. And as you say, you can do it much quicker the next time. :thumbsdown:


nlinecomputers

Yes, but I had what I think was a newer variant than this. The registry entries and files are similar but different, but the methods used are the same. AVG called it version C. I think it was modified to block more processes and items than the method listed here.


Guest LilBambi

Thanks Nathan ... that's what I thought too when I saw your posts and read up on it, but I wanted to check with you before making that assumption.


nlinecomputers

Just an update. I've been lurking in the SpywareInfo forums. It is official: CoolWebSearch IS using Hacker Defender to lock down and break into PCs to spread their software. Over 20 postings have hit describing the same problem. They are working on a tool to fix this. Not sure if this is possible without a separate boot disk, as even in Safe Mode this beast interferes with much of the functioning of the PC.

This is just my opinion, and I am not a lawyer, nor do I play one on TV. :) The only good thing about this is that a backdoor is enough of a pure hacker tool that it might finally land some CoolWeb scum in jail. Auto-installers are one thing, but a rootkit with a built-in backdoor may have crossed that line into computer wiretapping laws. I hope some Attorney General somewhere is being informed of this.

