CoolWWWSearch.SmartSearch

[Kerim]

Hi,

A week ago, SpyBot S&D detected on my other PC (also running XP, SP2):
CoolWWWSearch.SmartSearch in C:\autorun.exe

So I scheduled a boot time scanning with avast Pro on that PC.
The result was... a clean one.

Yesterday, I presented the situation in the spybot forum. They were kind, as it is the case here, to offer their support to go with me step by step to clear up the problem (perhaps it is a false positive). So do you think it is good, since now, to email you that exe file from the Avast Chest... or it is too early for that 

Kerim

[Lisandro]

It's strange a file called C:\autorun.exe
You can submit it to virus (at) avast.com
To be sure, the better will be test the file against on-line scanners. Submit the file to:
Virustotal
Jotti

[avatar2005]

Hello Kerim
In addition to what have just said Tech, I also can advise you to install a program called   AVG AntiSpyware this is a good software if you need to clean up your PC from different kinds of malware.

[polonus]

Hi Kerim,

Here are the uninstall instructions for the removal of SmartSearch malware:
http://www.spywareremove.com/removeSmartSearch.html

polonus

[Kerim]

Hi Tech.
I will follow your advice and submit first the file to the on-line scanners you have recommended. I will write here the results.

======================

Hi Avatar2005,

Thank you for the link.

======================

Hi polonus,
I found out on the internet that CoolWWWSearch has relatively too many variants. And as you have already noticed, autorun.exe is not listed for the removal malware you have proposed. But maybe the name of the file is not important in some cases as the one here. What do you think?

[polonus]

Hi Kerim,

For a good identification of the type at hand, and the tools and measurements to take, go to this page and follow the instructions there:
http://www.wiktel.net/rojobo/tools.htm

polonus

[Kerim]

Thank you... polonus

For instance, before lunch time, I worked on the infected PC for more than an hour.
I tried the site:
http://www.virustotal.com/en/indexf.html
and uploaded "C:\autorun.exe" (though it was hidden as a system file). The result given by all AV engines was... Virus Not Found.

Then I gathered the suspicious files (about 10 and all named "autorun" on the C: root) with some notes in one zipped folder. And tried to email it to my clean PC for a deeper study. But the AV engine of Yahoo! email ended up to say that the file is indeed infected and cannot be cured. Of course the attachment was rejected.

Just before going to lunch, I re-emailed it to Avast (Alwil team) but via Chest.

Now you gave me something to try when back to my infected PC.

[mauserme]

Will CWShredder not handle this?   Its an older program but it does handle some forms of Smartsearch.

http://www.trendmicro.com/cwshredder/

Some variants of CWS will close CWShredder unexpectedly.  If this happens start CWShredder again and see if it works. 

Also note that it if you use a host file it may remove some entries you would have liked to keep, so you may need to restore these.

[Spiritsongs]

   Hi Kerim :

      CoolWebSearch is very bad SPYWARE, best dealt with by Malware
      Experts usually found on antiSPYWARE Support Forums, such as the
      Spybot ones. You MAY have more than just the SmartSearch "Species",
      which the experienced and trained Experts there are well able to guide
      you . A Spybot "detection" should be dealt with by Spybot Experts .

[DavidR]

Why do you continue to try to drive people away from the forums when people are prepared to help within these forums. Yes CoolWebSearch can be a pain, but there are tools specifically designed to tackle it such as CWShreader as has been suggested.

By driving people away neither they or others that follow with the same problem will have any advice or things to try. Not to mention those who regularly monitor and contribute to the forums also gain experience. As Spybot already detected it and Kerim had you checked his post you would have see he has already visited the Spybot forum http://forums.spybot.info/showthread.php?t=12433.

Why not devote your time to helping people on the forums that they have sought help rather than drive them away, it really is becoming tiresome.

[mauserme]

He's been there a couple days already, Spiritsongs.

http://forums.spybot.info/showthread.php?t=12433

http://forums.spybot.info/showthread.php?t=12477

@ Kerim

Its best not to combine advice given on different forums.  It leads to confusion and possibly bad results.  Now that you've posted the HijackThis log on the Spybot Forum give them some time with it.


EDIT: 

David - You know I completely agree with what you said but since Kerim started the process on the Spybot Forum maybe he should see it through there.  I would hope the Spybot helpers would suggest the same if the situation was reversed.

[polonus]

Hi Kerim,

It is recommendable that you go through the routines at the forums.spybot.info.
Whatever the conclusions there, come back here and report here as well.
Another recent good removal tool for this rather persistent malware can be found here:
http://www.spywareremove.com/SpywareScanner93736p2s2.exe

polonus

P.S. A glimpse of your HJT log file brought up Super Net Accelerator (sn.exe & sngui.exe). Have to investigate that. Upload these files to virustotal to check.

D

[Kerim]

Hi all,

First I like to say that I am a member in two forums; here and spybot. Why? because my PCs are protected by both Avast and SSD (and spywareBlaster).

Second, I don't look when I got an infection to just clean my PC but to let others be aware of it because it may be a new one. Sorry I couldn't realize that just presenting a problem in two forums only could be considered a big deal. Unless ALL members of one forum are also members in the second.

Third, I was surprised that Avast was able, a month ago, to detect a similar infection (duplicating at autorun) while this time it couldn't. That is why it was natural for me to write a note about it here without expecting a help. But polonus (and others here) were kind to give me some clues to follow. At least I knew that Avast group got an idea about the existence of that infection. For instance, it spreads very fast in our area.
   
Fourth, It was also natural to point out my problem in Spybot forum because SSD was the first in detecting it.

Fifth, I agree with you that in case one needs help he should choose just one helper and follow his/her instructions. Then if that helper will direct him to another, he might change him. By the way, the choice (mainly on the internet) could not be based on which helper is better. It is rather based most of the time on mere coincidences exactly as real friendships might happen.

Sixth, because the infected PC wasn't the one I work on, it wasn't easy for me to follow quickly any instruction. And if you will have time to read the today posts in my thread in Spybot forum you will surely get what I mean. Without my intention I think I hurt a nice person called Shaba. In real life, things may not run as we wish and this is the main reason for many misunderstandings. Fortunately that doesn't happen everyday.

Seventh... day of rest     My son 29 years (actually my spiritual son since I didn't know (closely) any woman in my 57 years... a rather long story... unless you like to hear it) has downloaded NOD32 form Eset without my knowldege. And it seems that NOD32 was able to paralyse the infection and let the files to be easily deleted. As you see, I didn't have the time to even know for sure what could be the real name of the infection!

Finally I would like to say.
To me, it doesn't matter where viruses attack me as long they don't attack my soul and be able to defeat the unconditional love in my heart.

Kerim

It becomes late here... see you later... polonus

[mauserme]

Hi Kerim,

I take it from your posts here and in the SpyBot forum that your problem is solved.  I think I speak for all of us in saying that is the goal for the members of both forums.  A problem solved is a good thing no matter how that comes about.  But I think you see from this how confusing it can get when many pepole are doing different things to solve the same problem.  That was the point I was making earlier.

There was another point being made that was not addressed to you at all.  That is the frustration some of us feel when, in the middle of rendering help, a member expresses the opinion that better help can be had elsewhere.  Its a slap in the face to some very talented people by a member who would seemingly rather give up than look a problem squarely in the face.  Most of us do not run from problems and, for myself at least, I would prefer the faint of heart to stay out of our way.

     CoolWebSearch is very bad SPYWARE, best dealt with by Malware
      Experts usually found on antiSPYWARE Support Forums, such as the
      Spybot ones. ...

@ Spiritsongs

We recommended CWShredder.  They recommended CWShredder.

Will you now explain how their link to the same tool is better than ours? 

[Kerim]

Hi polonus,

About an hour ago and to be in the safe side I uploaded the two files. The results were the same for both and by all engines; no virus found. But I like to also thank you for your care... and time.

By the way, the good thing a malware might bring with, is to let someone leave his daily routines to meet old/new friends while trying to cure the mess created by that malware.

So... may I hope that I will get soon... another malware to see you again... 
and the other friends here... 
and there      

Meanwhile I will miss you all because, we like it or not, some forums cannot be maintained to become a social one 

Cheers,
Kerim