CoolWWWSearch.SmartSearch



Kerim
2007-03-25, 13:49
Hi,

A few days ago, SSD detected, on my other PC running XP SP2, "CoolWWWSearch.SmartSearch" in C:\autorun.exe. So, I let SSD scan again at system startup to fix it more freely. After fixing and scanning again, that CoolWWWSearch seemed to be gone.

Today, after updating SSD, I tried another scan (as I used to do after each update) to find out that our dear autorun.exe has reappeared. For instance, the System Restore is off. Actually I am not sure how harmful that autorun.exe might be (I also noticed other autorun files at the C root having extensions other than exe), because apparently the PC is fine now. But in case it is not a false positive, I wish someone here will help me remove it completely. Thanks in advance for any support.

Kerim

Kerim
2007-03-26, 11:26
Hi...
Just to say that I still hope to know here anything on that "autorun.exe" ;)

While searching, I found out that "CoolWWWSearch" has relatively too many variants that are day after day harder to detect.

I take the opportunity to add that for many years I have depended on "SpyBot Search&Destroy" to protect my 2 PCs (a PC for the guests :) ) Now I have no doubt that SS&D is one of the most professional programs in its field... Cheers to its creator and developers.

Kerim

tashi
2007-03-26, 18:12
Hi there.

Please run SpyBot.
Check for problems; when finished, right-click and choose copy results (not the full report) to clipboard and post that back here please.

Or, we could take a different look at the system if you start a topic here: Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22)

Read the instructions "BEFORE you POST" -Preliminary Steps (http://forums.spybot.info/showthread.php?t=288) for producing a HJT log after running an on-line anti virus scan.

A helper would then advise you as soon as available.

Cheers. :)

Kerim
2007-03-26, 20:41
Thank you Tashi for your kind reply.

This time, as in the previous scan, I didn't fix it.
But I did it once, when SSD detected it for the first time.


CoolWWWSearch.SmartSearch: Executable (File, nothing done)
c:\autorun.exe

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-02-21 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-01-15 advcheck.dll (1.2.1.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-03-21 Includes\Cookies.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-03-21 Includes\DialerC.sbi (*)
2007-03-21 Includes\Hijackers.sbi (*)
2007-03-21 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-03-21 Includes\KeyloggersC.sbi (*)
2007-03-21 Includes\Malware.sbi (*)
2007-03-21 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-03-21 Includes\PUPSC.sbi (*)
2007-03-21 Includes\Revision.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-03-21 Includes\SecurityC.sbi (*)
2007-03-21 Includes\Spybots.sbi (*)
2007-03-21 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-03-21 Includes\Trojans.sbi (*)
2007-03-21 Includes\TrojansC.sbi (*)

tashi
2007-03-27, 05:06
Kerim,

Could you go ahead and start a topic in the malware forum so that a HJT log can be analysed?

Preliminary Steps (http://forums.spybot.info/showthread.php?t=288) Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22)

Thanks.

Kerim
2007-03-27, 11:02
After reading the links you have proposed, I will start the topic in the malware forum. Thank you... tashi.

tashi
2007-03-27, 18:06
Thanks, it may be an F/P but wouldn't hurt to take a closer look. :)

Kerim
2007-03-27, 18:08
Hi again tashi,

Before lunch time, I worked on the infected PC for more than an hour.

First I didn't know why nothing happened when I tried to scan on-line via:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

So I went to:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
At that site, only the scanning of disks and folders was possible but the supposed infected files are in the root of C:
I tried scanning C: but then I stopped it a few minutes later since it would take hours to scan the rather large hard disk.

Then I remembered from the Avast Forum a site that scans only one uploaded file:
http://www.virustotal.com/en/indexf.html
But unlike SSD, all AV engines said... Virus Not Found.

Meanwhile, I still believe that SSD's detection of malware is right this time. And to avoid any risk of spreading the infection, I copied/renamed the 10 'autorun' files into a folder then zipped that folder. The next step was to send it by email to my other PC. While uploading the zipped folder, the AV engine of Yahoo! email ended up saying that the file is indeed infected and cannot be cured. Of course the attachment was rejected.

After that, I had the idea, since I use Avast Pro, to send these infected files (zipped in one) to Avast by email via their Chest. I did it, though I am not sure if I will get a reply sooner or later. I always remember that I am not the only one who needs support :)

By the way, I also downloaded and ran HJT. I didn't find any trace of "autorun" in its log, though about 10 files still have the name, on the root of C:

Sorry for posting here once again since I am not sure how to write my first post in the Malware Removal Forum... I couldn't get more details than what I had at the beginning of this thread :red: