coolwebsearch = headache

Soldato
Joined
19 Jan 2003
Posts
17,577
Location
Bristol, UK
Software:
Windows XP SP2
Norton AV
Adaware

Customer's computer had been infected by coolwebsearch.

After a lot of messing around I eventually removed it from the main user's profile.

Then ran Adaware and it finds it on just one of the user profiles but not the other 4.

This is odd as it seems to make a file called "guard.tmp" in Sys32.

From what I can gather it loads a DLL very early on and this remains present and un-terminatable (if that's even a word).

I have tried CWSweeper but it failed to find the problem.

Hijack This picks up the registry entry for the infection but is unable to remove it.

I find it odd that it is only acting on one of the user profiles yet is propagating from a system directory accessible by all users.

Would deleting the infected user profile and then creating a new one fully remove the virus?

I would appreciate any advice on this annoying problem.

Many thanks,

Chris
 
Tesla said:
Customer's computer had been infected by coolwebsearch.

I would give Microsoft Anti Spyware a go.
 
Have you checked all the run areas in the registry for all users when booted in safe mode?

i.e.:
HKCU/software/microsoft/windows/currentversion/run
HKLM/software/microsoft/windows/currentversion/run
see if HKLM/software/microsoft/windows nt/currentversion/run exists
check all the run keys in HK_Users etc etc

If it only loads in 1 user profile then removing that profile should remove the infection registry entries...
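The run-key sweep this reply describes, as an added example that is not from the thread: a PowerShell script that lists the Run entries under HKLM, HKCU and every hive currently loaded under HKEY_USERS, notes whether the "Windows NT\CurrentVersion\Run" key exists at all, and flags commands that point at a .tmp file or at a file that no longer exists (those two flag heuristics are my own, prompted by the guard.tmp observation in the first post).

```powershell
# Added example, not from the thread. Run from an elevated prompt.
# The HKU: drive is not mapped by default, so map HKEY_USERS first.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Relative Run key paths from the reply. The "Windows NT" one normally does
# not exist, so its mere presence is worth reporting.
$runSubkeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows NT\CurrentVersion\Run'
)

# Machine hive, current user, and every loaded per-user hive (skip *_Classes).
$roots = @('HKLM:', 'HKCU:') + (Get-ChildItem 'HKU:\' |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)" })

$report = foreach ($root in $roots) {
    foreach ($sub in $runSubkeys) {
        $path = Join-Path $root $sub
        if (-not (Test-Path $path)) {
            if ($sub -like '*Windows NT*') {
                Write-Verbose "$path absent (expected)"
            }
            continue
        }
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            # Crude path extraction: first quoted token, else first whitespace token.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $flags = @()
            if ($cmd -match '\.tmp(\b|$)')               { $flags += 'tmp-file' }
            if ($exe -and -not (Test-Path $exe))         { $flags += 'missing-file' }
            if ($sub -like '*Windows NT*')               { $flags += 'unusual-key' }
            [pscustomobject]@{
                Hive    = $root
                Key     = $sub
                Name    = $name
                Command = $cmd
                Flags   = ($flags -join ',')
            }
        }
    }
}

$report | Sort-Object Flags -Descending | Format-Table -AutoSize -Wrap
```

Only hives currently loaded under HKEY_USERS are visible, so a profile that is not logged in (the usual case in safe mode) has to have its NTUSER.DAT loaded with `reg load` before its Run keys show up here.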
 
Unfortunately, this is one hell of a thing to fully get rid of. A neighbor had it on his PC, I tried every remover there was to get rid of it and ended up formatting the PC and starting again. Newgenlook was another nasty hard to get rid of.
 
barnettgs said:
Sometimes it is quicker to do a clean format & re-install. It is a guaranteed way to get it fixed.

Yes, this is what I was originally going to do; however, the user has LOTS of data and, as the virus seemed account-limited, I think it will be easier to tackle than a clean install plus the back up/restore hassle.
 