Spyware, Viruses, & Security forum

General discussion

CoolWWWSearch.SmartSearch

by Harv / April 11, 2005 2:05 PM PDT

CoolWWWSearch.SmartSearch, MySoft and SpywareStormer were detected on my pc after a Spybot S&D scan in safe mode. I was able to delete everything except for three entries in CoolWWWSearch.SmartSearch, despite turning off System Restore: Zero Spyware.com, Enigma Software Group and www.Enigma Software Group. I had to go into Safe Mode in order to scan with Spybot S&D, because the screen would disappear midway through the process in normal mode.

After rebooting my pc, I was able to scan my pc in normal mode to completion, and this time only CoolWWWSearch.SmartSearch showed up with the three entries, which I was unable to delete by clicking fix selected problems.

BTW, when I updated Spybot S&D to the latest version, I was able to run a scan in normal mode and CoolWWWSearch.SmartSearch, MySoft and SpywareStormer were detected at that time. I was able to eliminate all of them at one point, but they all showed up again during my last scan in safe mode, even though I still have System Restore turned off. Confused

Discussion is locked
You are posting a reply to: CoolWWWSearch.SmartSearch
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: CoolWWWSearch.SmartSearch
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Harv, Have You Tried???
by Grif Thomas Forum moderator / April 11, 2005 2:33 PM PDT

..using CWShredder...It's designed to get rid of CoolWebSearch.

Download it from the link below, then run it in "normal" Windows and in "Safe Mode". No updating required, simply download and run it.:

CWShredder 2.1x Hijack Removal Tool

Hope this helps.

Grif

Collapse -
CWShredder does not detect SmartSearch
by Harv / April 12, 2005 11:16 AM PDT

in either normal or safe modes. I ran Spy Sweeper and Microsoft Antispyware (MSAS) in normal mode and neither one detected any spyware, but MSAS did detect a Possible Browser Hijack (Browser Modifier), Internet Explorer Start Pagein safe mode. I removed the entry and ran another scan (in safe mode) with Spybot S&D (SSD), which showed no spyware entries.

However, I am deeply concerned that I cannot run a scan with SSD in normal mode, as the screen disappears before the process terminates. Could this problem be caused by SpywareStormer which showed up again, when I ran a SSD scan in safe mode? There were three registry entries listed under it:

Class ID
HKEY_Classes_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}

Root class
HKEY_CLASSES_ROOT\InetCtls.Inet.1

Root class
HKEY_CLASSES_ROOT\IntCtls.Inet

This is the second time I removed the items listed above in SSD by clicking fix selected problems, but they reappear at some point, even though a subsequent scan with SSD after their removal no longer detects them.

BTW, I still have System Restore turned off and have removed my Hpguru hosts file for the time being.

Collapse -
Harv, Could It Be This??
by Grif Thomas Forum moderator / April 12, 2005 1:05 PM PDT
Collapse -
Don't think so.
by Harv / April 12, 2005 1:39 PM PDT

I could not find InetCtls.Inet.1, InetCtls.Inet or {48E59293-9880-11CF-9754-00AA00C00908} in HKEY_LOCAL_MACHINE or in HKEY_CLASSES_ROOT.

Collapse -
Just ran an SSD scan in NORMAL mode
by Harv / April 12, 2005 1:07 PM PDT

and 10 entries for CoolWWWSearch.SmartSearch were detected, but the screen disappeared just as scanning was ending for CoolWWWSearch. Confused

Collapse -
And Another From Symantec
by Grif Thomas Forum moderator / April 12, 2005 1:07 PM PDT

More manual removal instructions with registry entries and files to check for:

Spyware.SearchPounder

Hope this helps, too.

Grif

Collapse -
This one doesn't apply either.
by Harv / April 12, 2005 1:41 PM PDT

It also involves HKEY_LOCAL_MACHINE, which is not the case for my problem.

Collapse -
Is a False Positive in Spybot 1.4 RC
by Marianna Schmudlach / April 13, 2005 4:26 AM PDT
Collapse -
Thanks, Marianna---One down, one more to go
by Harv / April 13, 2005 5:30 AM PDT

Regarding CoolWWSearch.SmartSearch, it's keeps showing up when I run Spybot S&D (SSD), both in safe and normal mode, although in normal mode, SSD scan terminates just before scanning for CoolWWSearch items ends---it never finishes. I can only get a full scan in safe mode, but never in normal mode.

Last time, in safe mode, I found 9 entries and was only able to eliminate 6 of them with SSD. When I ran SSD again, 3 of them were detected. Then on a subsequent scan, 10 items were found. Confused

CWShredder does not find any traces SmartSearch in either safe or normal mode. What course of action do you suggest next?

BTW, I've had System Restores turned off since SSD detected CoolWWSearch.

Collapse -
Harv,
by Marianna Schmudlach / April 13, 2005 5:36 AM PDT
Collapse -
I already tried it with no success.
by Harv / April 13, 2005 5:43 AM PDT
In reply to: Harv,

It did not detect CoolWWWSearch, although it keeps showing up in SSD scans in safe mode. Confused

Collapse -
Update CoolWWSearch.SmartSearch
by Marianna Schmudlach / April 13, 2005 5:42 AM PDT

Harv,

seems to be also a False Positive -

have a look here

Collapse -
Here, I'll solve your problem
by Berimbau / April 23, 2005 6:07 AM PDT

Ok dude... This is a very simple situation! Don't worry about that! Wink

First of all, download this program: HOSTS Manager 1.4 at http://www.majorgeeks.com/download4568.html

Them, find for www.zerospyware.com/ After that, delete and save your new host files in your computer.

Try to use you SSD again and DONE! Hmmmmm, don't forget to upgrade your Spybot: SpyBot-Search & Destroy 1.4 RC1 at http://www.majorgeeks.com/downloadget.php?id=2471&file=11&evp=2470f9bfb0cc682334ff8c4459556118

Ok, if you use Windows XP, download the Microsoft Windows AntiSpyware 1.0.509 Beta 1 here: http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en

OK...?

Collapse -
Harv, By The Way...If You're Using a HOSTS File...
by Grif Thomas Forum moderator / April 11, 2005 2:36 PM PDT

..some of the new Spybot detections are the result of LEGITIMATE HOSTS file redirections...When it detects the malware, click on the + sign next to "MySoft" and you should see the redirection of 127.0.0.1 listing. That means it's in your HOSTS file and can probably ignore it..

Hope this helps.

Grif

Collapse -
...another SpyBot SD question
by Jmichaels / April 11, 2005 10:09 PM PDT

Grif:

I ran into the same problem Harv did recently, about the same time I updated my Hosts file. Spybot showed the CoolWWWSearch error as well as MySoft. I even saw an access violation to 0057CE5E and a few other errors, which are now gone because I installed an earlier 'Ghost' image.

I even got some other errors the first time I ran Spybot again, but it still indicated that I was 'clean' at the conclusion of the search. This was with the same 'Hosts' file in place. Subsequent searches indicate no problem whatsoever.

The new question is, when trying to locate the origin of my error messages, I opened regedit and typed in "CoolWWW" and ran a 'find' on it. It opened up to a folder titled Domain, which contains a long list of what appear to be undesireable websites. There is a domain file in the Spybot program folder which I can't open and I'm wondering if this is what the registry is picking up when I do the regedit search.

Win98SE, AVG, Spybot, Ad-Aware, etc.

btw, I also tried CWShredder, Stinger and a few other programs in attempting to fix the initial problem with no luck.

Collapse -
Here's some more info
by roddy32 / April 11, 2005 10:51 PM PDT

As Grif already mentioned, these new Spybot detections are detecting some of the things that are in your hosts file. This is just a little bit more of an explanation of how this works. The first link is from Net-Integration which is Spybot's forum and explains how Spybot protects.
http://forums.net-integration.net/index.php?showtopic=23797

These other links are for current discussions going on about these "127.0.0.1 localhost" detections that Spybot is picking up since these new detections were added. I would think and hope that this problem will be fixed soon.
http://forums.net-integration.net/index.php?showtopic=29814

http://www.dozleng.com/updates/index.php?act=calendar&code=showevent&eventid=12890

http://forums.net-integration.net/index.php?showtopic=29756

Collapse -
Jmichaels, I Find No Such Listing In My Registry...BUT....
by Grif Thomas Forum moderator / April 12, 2005 12:47 AM PDT

....there is a "Hosts.sbs" file within the "C\Program Files\Spybot Search and Destroy\Includes" folder that can be opened with "Notepad" and you'll find the redirected listing that Spybot uses. The "domains.sbs" file within that folder can be opened using "Notepad" but it's computer language and can't be read.

In my case, I haven't had any real "errors" but instead are getting false positives on the HOSTS file. I simply exclude them for now.

Hope this helps.

Grif

Collapse -
Harv, are you using the Spybot 1.4 Beta??
by roddy32 / April 13, 2005 4:08 AM PDT
Collapse -
Yes, I am.
by Harv / April 13, 2005 5:39 AM PDT

To be specific, version 1.4 B2. It's been pure hell, since downloading the latest SSD update. Up until then, I haven't had any spyware detected by SSD, except the first time I installed it years ago.

I noticed protection for Restricted Sites in SpywareBlaster was turned off. How that happened is a mystery to me. That's probably how CoolWWWSearch.SmartSearch infected my pc. Sad

Collapse -
See Marianna's last update post here Harv
by roddy32 / April 13, 2005 5:47 AM PDT
In reply to: Yes, I am.
Collapse -
New scan with SSD in safe mode detected these entries
by Harv / April 13, 2005 8:25 AM PDT

SpywareStormer, MySoft and CoolWWWSearch.SmartSearch.

Understand that SpywareStormer is a false positive.

MySoft and CoolWWWSearch entries were listed as Redirect Host. The entries in CoolWWWSearch were listed as follows:

Redirected host
ZeroSpyWare.com = 127.0.0.1

Redirected host
www.spycleaner.net = 127.0.0.1

Redirected host
spybot-spyware.com = 127.0.0.1

Redirected host
no-spybot.com = 127.0.0.1

Redirected host
EnigmaSoftwareGroup.com = 127.0.0.1

MySoft had different entries listed, but they also pointed to 127.0.0.1, so I tried an experiment by deleting my hpguru file and rescanned with SSD, which showed no detected items, even though 3 CoolWWWSearch items remained after I deleted found entries by clicking on Fix Selected Problems. However, SSD scan will not finish in normal mode---the screen disappears before the scan ends. I haven't seen anyone reporting this problem in this forum. What's causing this problem?

Collapse -
Harv, those are also false positives
by roddy32 / April 13, 2005 8:50 AM PDT
Collapse -
Just when you think everything is okay...
by Harv / April 13, 2005 9:50 AM PDT

Marianna and roddy32, I was ready to conclude that SSD's detection of CoolWWWSearch.SmartSearch was a false positive caused by the hpguru hosts files.

But, just now, while I was on the internet, several Microsoft Antispyware alerts popped up one after another warning me that there was an attempt to lower my Local Intranet security settings, change my WebBrowser, add a toolbar to Internet Explorer, and that CoolWebSearch was trying to install.

SSD's detection of CoolWWWSearch no longer appears to be a false positive after this event. I scanned my pc with both Microsoft Antispyware and Spy Sweep and neither one detected anything.

Collapse -
I think I remember in an earlier
by roddy32 / April 13, 2005 10:00 AM PDT

thread, cwshredder being mentioned. If you have not tried it yet, then try it and see if it detects anything. All you need to download is the Stand-Alone version. Make sure that once you are ready to use it, that ALL other windows are closed.

cwshredder (stand alone unit)( ALL other windows should be closed)
http://www.intermute.com/spysubtract/cwshredder_download.html

Collapse -
Grif provided the web site earlier.
by Harv / April 13, 2005 11:54 AM PDT

However, CWShredder does not detect any trace of CoolWWWSearch.SmartSearch either in normal or safe modes, although I am getting alert warnings now from Microsoft Antispyware about attempts to change my settings, as mentioned in my previous post. I haven't received any alerts from Spy Sweeper, though, which I find strange.

Is there a security risk with CoolWWWSearch.SmartSearch on my computer, if I log into my brokerage, bank account or bill pay account?

Collapse -
I had thought I read that earlier in
by roddy32 / April 13, 2005 12:09 PM PDT

this thread Harv. This is really wierd what you have going on, expecially since this all happened when you updated Spybot Beta and those definitions have KNOWN false positives. I'm going to see if I can find Marianna and see if she can look at this.

Collapse -
Harv, it seems Spybot seems to be detecting the URL
by Marianna Schmudlach / April 13, 2005 12:16 PM PDT
Collapse -
If the detection of CoolWWWSearch.SmartSearch by SSD is a
by Harv / April 13, 2005 1:16 PM PDT

false positive, why is MSAS suddenly alerting me that a program is attempting to change my WebBrowser and Local Intranet settings, add a new toolbar in Internet Explorer, and modify my browser by installing CoolWebSearch?

One other troubling event is the SSD screen disappearing, when the last CoolWWWSearch item is scanned---the SSD scan never goes beyond this point.

Doesn't this prove that CoolWWWSearch.SmartSearch is somehow involved in all this, and that this is not a false positive reading by SSD?

Collapse -
SSD 1.4RC does not detect CoolWWWSearch.SmartSearch or
by Harv / April 13, 2005 2:05 PM PDT

any of the spyware I reported in this thread. Thanks for your help. I'm sorry I did not see your link to the new SSD version in your post, until roddy32 directed me to it. But, I'm still concerned that some program is trying to make changes on my pc according to the recent alerts from Microsoft Antispyware and is also disabling protection for the Restricted Sites in SpywareBlaster. Refer to my posts after your last entry.

Collapse -
Take it easy, Harv........

Maybe you try tomorrow again after you got a good night's sleep and see IF everything STAYS clean without any alerts.

Did you run The Cleaner and it comes up clean too??

You're Welcome - no problem Happy

Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

The Samsung RF23M8090SG

One of the best French door fridges we've tested

A good-looking fridge with useful features like an auto-filling water pitcher and a temperature-adjustable "FlexZone" drawer. It was a near-flawless performer in our cooling tests.