Topic: CoolWebSearch/Trojan Downloader.XS

chameleon
CoolWebSearch/Trojan Downloader.XS
« on: June 05, 2008, 08:18:35 AM »
Hello! I am writing for a friend who is an avast! user; however, he is currently nearly speechless due to computer problems.

This morning he opened an emailed attachment from an ostensibly trusted source (his sister). It was supposed to be a video of something amusing, however before he could view the video a window popped up informing that an update of some video-viewing software would need to be installed. He clicked on the update and then the .exe file. The video was then able to be viewed (It was of an American woman complaining about Barack Obama at a Democrat Party meeting; quite naff. The original email was titled simply "Fwd: video", BTW. Beware of it!)

Soon a red window popped up, apparently from Windows Security Center, stating that CoolWebSearch was infecting computer. Then a yellow triangle with exclamation mark came up on bottom of screen stating that computer was infected with spyware. When triangle was clicked a browser window popped up (still in Windows Security Center style format) directing toward spyware scans named Spymaxx and AntiSpywareStorm2008 (these are actually fraudulent programmes).

The pop-ups are frequent, every 2 minutes or so. Also, there is a message on desktop saying "Warning: Spyware threat has beeen (sic) detected on your PC. Your computer has several fatal errors due to spyware activity. We strongly recommend to install an antispyware software to close all security vulnerabilities. Antispyware software helps protect your PC against spyware and other security threats. CLICK HERE TO SCAN YOUR PC FOR SPYWARE." (and the link leads back to Spymaxx etcetera.)

HELP!!!!! We have run avast! Cleaner & detected nothing. We ran avast! boot-time scan and nothing was detected. We also ran Spybot Search & Destroy and it detected the presence of CoolWebSearch and associated files. Spybot failed to eliminate the real problem however. We have read the forum instructions for virus/trojan removal but we wondered if there was a specific tool you recommend to get rid of this.

The only names of the condition we have so far are those generated by the pop-ups: CoolWebSearch & Trojan Downloader.XS

Computer runs Windows XP Home, avast! current, Windows Patches up to date.

Any advice would be greatly appreciated! Please keep in mind though that myself & my friend are computer dummies so we would need to be walked through with simple instructions.


FreewheelinFrank

  • Avast Evangelist
Re: CoolWebSearch/Trojan Downloader.XS
« Reply #1 on: June 05, 2008, 09:08:28 AM »
Hi chameleon,

The warnings in the pop-ups are a scam to get you to pay for a useless program, a program from the very people that sent you the Trojan horse in the first place, so don't pay too much attention to what they tell you.

You are right to look to a well known and respected anti-spyware product to remove the infection. I would also recommend trying the following.

Ad-Aware Free
SUPERAntiSpyware Free

Scamware/foistware removers:

RogueRemover FREE
SmitFraudFix

Download, install and update the programs. (Also update Spybot.) Disconnect from the internet (pull the plug) before running scans in Safe Mode if possible.

Always select the option to quarantine any malware found rather than delete it; then you will be able to restore files or registry entries wrongly identified as malware, a rare but not unknown event for any malware scanner.

If still having problems, post a HijackThis! log.

chameleon
Re: CoolWebSearch/Trojan Downloader.XS
« Reply #2 on: June 07, 2008, 03:45:55 AM »
Thanks FreewheelinFrank.

My friend ran Ad-Aware and SuperAntiSpyware (in safe mode, and these detected trojan, apparently quarantined, but didn't eliminate problem). Also ran Trend Micro Housecall (parasites detected but Housecall froze and computer froze). Then he called a computer tech. in and the tech. ran SmitFraudFix (as tech. believes the bug is SmitFraud variant) but that also did not get rid of it. The bogus message still takes over his wallpaper, and the pop-ups still persist... all leading back to "Spymaxx" product page and task manager is disabled too.

The computer tech. wants to now reformat his computer but if there is another tool he can try we'd prefer that option as my friend has already a hefty bill from the technician for time spent on problem. I will encourage my friend to post a HijackThis! log though he is already quite exhausted from hours & hours of various scans.
« Last Edit: June 07, 2008, 03:49:56 AM by chameleon »

Spiritsongs

  • Guest
Re: CoolWebSearch/Trojan Downloader.XS
« Reply #3 on: June 07, 2008, 05:01:19 AM »
:) Hi:

Your friend needs expert technical assistance; there are many experienced,
trained, certified, VOLUNTEER "Malware-Fighters" in the "Malware Removal"
sub-forum on the Spybot Support Forums at http://forums.spybot.info .
He should follow the "Guidelines" published on that Forum.

Dan Harmon

  • Guest
Re: CoolWebSearch/Trojan Downloader.XS
« Reply #4 on: June 07, 2008, 04:31:19 PM »
I've been browsing the internet since around 1995 and have never gotten hit with a virus...until now (I'm really paranoid). This stupid one.

I'm an IT professional and attempted to help a friend with the same virus and after a day finally gave up.  They didn't have a system restore point that was any good.  In my case I THINK I was able to remove it by using System Restore back a few days.

The only new website that I've visited a lot lately is watchtvsitcoms.com.  I clicked on Dexter Season 2, Left Turn Ahead episode when what you mentioned started happening.

I ran CWShredder and it showed clean, though the update failed (I think that may be normal).  I started running a standard scan using Avast and it came up with a problem in my temp folder (just one so far).  I'm doing a system cleanup (start >> programs >> Accessories >> System Tools) and just plain deleting everything they will delete.

After all that, I'm going to browse for a bit to see if I show any symptoms.  If not, I'm going back to watch that show (it's addicting).  If it fries my laptop again...I'll probably reformat.  But I'll let you all know.

Lisandro

  • Avast team
Re: CoolWebSearch/Trojan Downloader.XS
« Reply #5 on: June 07, 2008, 07:45:39 PM »
Quote from Dan Harmon: "I'm an IT professional"
Sorry if I sound obvious... but I suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.

Quote from Dan Harmon: "I'll probably reformat.  But I'll let you all know."
At least, try the steps above... they can help with troubleshooting and getting cleaner. Also, you'll have some experience to help others in the future ;)

Welcome to avast forums.

Dan Harmon

  • Guest
Re: CoolWebSearch/Trojan Downloader.XS
« Reply #6 on: June 08, 2008, 02:27:28 AM »
I find reformatting to be the fastest way to fix most problems. LOL

I went to watchtvsitcoms again, and got infected again as soon as I went to the Dexter page.  Since it looks like my computer is screwed again I'll try your steps (like you said, for the experience).

CharleyO

  • Guest
Re: CoolWebSearch/Trojan Downloader.XS
« Reply #7 on: June 08, 2008, 10:09:33 AM »
***

Reformatting should be a last chance effort after all other possibilities have been tried. You will learn much by using the correct methods to solve problems. In time, these methods will be less time consuming than reformatting. :)

Spybot - Search & Destroy is effective against known versions of CWS variants.


***