View Full Version : CoolWWWSearch or not?
I'm running Spybot SD V1.3. I updated today and ran a scan. It found a couple of tracking cookies, which were deleted, and also found CoolWWWSearch.hjg, which was one of the new items in the June 11 update. I selected to fix it, and the green checkmark appeared. But when I ran another scan, it was detected again. I fixed it again, then scanned, and it was found yet again. Then I downloaded and ran CWShredder, which didn't find any CoolWWSearch on my PC. Now I don't know whether I have a problem or not. Advice would be appreciated. One other thing, when I downloaded the new Spybot definitions, I wasn't logged on as an administrator. Do you have to be admin for the spyware updates to install?
Thanks for your help.
drragostea
2008-06-12, 03:54
Hello peggy.
You are using a VERY dated version of Spybot-SD ; ).
The latest version is 1.5.2.20. This version improves program stability and many other fixes.
I would suggest you upgrade to it ASAP.
Also as a note: Uninstall Spybot-SD 1.3 first. Disable SDHELPER and TEATIMER. Also, undo the immunization. You can immunize once you updated.
hi, I have added my post to this thread as it is the same subject. I found the same item yesterday, and it related to a particular registry key (I can post it if you wish but it is three lines long). I followed the advice given to the original poster and removed the older Spybot program and downloaded 1.5.2. A scan with that showed nothing wrong, and I also downloaded Malwarebytes and that scan came up with nothing. Firstly, does it seem as if my computer is actually free of CoolWWWSearch. Secondly, why did the older version find it - was it a false positive. I would be grateful for advice, because I ran Spybot yesterday prior to a disk image and naturally I am worried about imaging the disk now as I don't feel it is safe to do so. Any help/guidance gratefully received.
drragostea
2008-06-14, 00:07
m3a7t9:
MalwareByte's AntiMalware would be usually used on infected computers.
What was your Spybot version prior to installing the latest one (1.5.2.20)?
If you downloaded all the updates, immunized, and ran a full scan with the latest version of Spybot, I'm assuming Spybot will be running at it's full potential. Of course, you can tweak it but I would stay away from it for now.
If CoolWWWSearch does not show up in Spybot-SD, it is safe to assume it has been gone.
What I was thinking was to "SEARCH" with Windows Explorer for all Files and Folders related to CoolWWWSearch on your primary drive. The primary drive for me would be "C:\".
Also, you said that Spybot detected a registry key.
Can you tell me the results?
Hi, thanks for your reply. The following is the registry key:
HKey_Users\S-1-5-21-357895349-1559929237-3824168032-1006\software\
microsoft\windows\currentversion\internetsettings\privdiscuishown!=W-0.
I think the SpyBot previous version was 1.2 but I uninstalled and am not sure, but it was certainly old. I'll have a search via windows explorer to see if the file name that the old spybot found shows up.
just to add, I have searched via Windows Explore and nothing was found.
drragostea
2008-06-15, 01:39
Did you upgrade to v.1.5.2.20?
Uninstall version 1.2 from your computer first.
The download link for the latest version of Spybot-SD is:
http://www.safer-networking.org/en/mirrors/index.html
--
hi, as I said earlier I did uninstall the earlier version, and then installed 1.5.2.20. I ran a scan with that and the item the previous version found was not found in the 1.5.2.20 scan.
md usa spybot fan
2008-06-15, 14:39
m3a7t9:
Spybot is detecting that you (or something) set "Do Not Show This Message Again" on the "Privacy" Dialog Box in Interner Explorer. See:
The "Privacy" Dialog Box Is Not Displayed After You Select the "Do Not Show This Message Again" Option
http://support.microsoft.com/kb/298599
hi, thanks for your reply. I had a look at the MS article, and I actually have IE7 on the computer not ie 6, and tbh I use Firefox as my browser. There have been rare occasions when I have used IE7, but not many. Do you think I should still delete the key the article refers to - I don't want to jump in and do that if it should not be done re IE7. (Just to let you know that I have been in to the registry before under guidance so, if absolutely necessary, I am prepared to do this).
md usa spybot fan
2008-06-15, 17:44
m3a7t9:
I am using Internet Explorer 7 and my current setting for "PrivDiscUiShown" is:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"PrivDiscUiShown"=dword:00000001
The detection that you posted indicated "!=W-0" which means "not equal to dword zero". My registry entry is "not equal to dword zero" and I did not get a detection using Spybot 1.5.2.20. I changed the registry entry to dword:00000000 and still no detection.
It seems as of the old software reacts diferently than the current version using the same rule set.
I would just leave the registry entry as is.
md, many thanks for your reply, I will do as you recommend. If you think it is now ok for me to do a disk image I will be very relieved, it's overdue.
md usa spybot fan
2008-06-15, 18:26
m3a7t9:
If your system is clean, by all means back it up. Even if the system was not 100% clean, having a dirty backup is better than not having one at all.
many thanks for all help on this issue. Have a good week.
caterwaul
2008-07-14, 12:00
m3a7t9:
Spybot is detecting that you (or something) set "Do Not Show This Message Again" on the "Privacy" Dialog Box in Interner Explorer. See:
The "Privacy" Dialog Box Is Not Displayed After You Select the "Do Not Show This Message Again" Option
http://support.microsoft.com/kb/298599
That is interesting since I do use IE6 and I am using SB1.3 and am getting a CoolWWWSearch.hjg Spyware found at that exact location in my registry, in fact 3 different locations actually (one of which is this specific setting you mentioned here). Each time SB1.3 tells me it is "fixed" but each time the next scan tells me that the problem remains for all 3 registry settings.
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet\ Settings\PrivDiscUiShown!=W=0
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\HideFleExt!=W-1
HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\InternetExplorer\
Control Panel\Homepage!=W=0
There is speculation on this board as to what Spybot does to fix these registry settings.
What Spybot does is change each setting to "" after the first "=" sign in the registry for all three.
What is also interesting in regards to the registry setting related to the "do not show" I have been using IE6 for many years and long ago set that setting to "do not show" but I have been getting that message box again now asking me this same question again. I am sure this is because SB1.3 is setting the values to "" and because the registry is not set to the "W=0" any longer I then get the message again.
Scans take so long for me (over 2 hours) so I have always done subsequent scans after a boot and assumed that the boot was responsible for re-inserting the Spyware.
I am now running another scan to see what the settings are for each registry setting directly following the last scan (still another 1½ hours to go).
There has been suggestions that users like myself should upgrade to minimally 1.5.2.
I cannot successfully do this on my WIN98SE since no matter what I do the teatimer will not successfully close (exit) when I shut down thus my OS crashes with a blue screen error because teatimer has this problem that is somehow related to my system (link below). I have no problem closing (exiting) teatimer manually but for some reason teatimer cannot close (exit) when the OP system tries to close (exit) teatimer through my 98SE (see link below for details). It is possible this is a combination and/or regarding my 98SE or my limited (96 RAM) resources.
http://forums.spybot.info/showthread.php?t=29644
Thus since I have to stay with SB1.3 I have a question: Will this problem remain with SB1.3? or will newer updates on the database fix this?
wyrmrider
2008-07-14, 19:46
you do know not to FIX and REMOVE anything with 1.3
RIGHT
someone else will come along about the removal of 1.3
should this be a new thread???
and not in THIS forum
you may get more response
perhaps continue your other thread although I do not remember that the T-timer issue was addressed
did you try turning off t-timer in Mode>advanced?
caterwaul
2008-07-14, 19:55
EConsidering that older versions are now not supported I think the answer to my question (see prior post) is "this will not be fixed" (for older versions). (I take it this is the forum w/ the 15 min limit for editing).
To address the "false positive" CoolWWWSearch:
If the user doesn't "repair" using SB1.3 (in my case I "fixed" so many times I can't tell which one has the original setting since each subsequent time I "fixed" the settings just remained "") each of those settings will still be set back to the correct setting when the user "resets" the values using the specific application relative to the registry setting:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet\ Settings\PrivDiscUiShown!=W=0
Will be set back from the "" setting that SB1.3 set it at for "fix" to whatever whatever setting the user chooses after launching IE6 - either "W=0" if the user clicks on "do not show" or "W=1" if the user doesn't.
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\HideFleExt!=W-1
Will be set after the user "resets" the "hidden files" setting in Windows Explorer. The setting will show whatever it was last to get the registry setting correct the user can set the "radio button" to the another setting and then back to what they had originally (which will then have the correct registry setting that matches the "View>Folder Options>View tab setting" for Windows Explorer.
HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\InternetExplorer\
Control Panel\Homepage!=W=0
Same principle as above.
There are MANY other "false positives" in SB1.3 (I will post a separate entry on this in the "False Positives" forum).
caterwaul
2008-07-14, 20:08
you do know not to FIX and REMOVE anything with 1.3
RIGHT
someone else will come along about the removal of 1.3
should this be a new thread???
and not in THIS forum
you may get more response
perhaps continue your other thread although I do not remember that the T-timer issue was addressed
did you try turning off t-timer in Mode>advanced?
Thanks for asking. Yes all of this was covered (if you notice I had a link to the (old) topic thread that was in the correct forum in my post above). I removed everything possible in multiple ways. Yes as I posted (above and in the original thread) I can "turn off" t-timer with no problem it is when I "shutdown" that the 98SE OS has a problem "shutting down" teatimer) which causes the crash (every time). I could always have to "remember" to "turn off" teatimer when ever I did a reboot or shutdown to avoid the problem but that is a real nuisance and clearly should not be necessary anyway.
md usa spybot fan
2008-07-14, 20:55
caterwaul:
re: false positives in Spybot 1.3.
I trust that you are aware that false positives in Spybot 1.3 cause by resent detection rules designed for later releases, cause major problems for users running Spybot 1.3 under Windows XP. Fixing those false positives cause the users to no longer be able to log onto their systems.
I suggest that you attempt to update to Spybot 1.6 (or at lease Spybot 1.5.2) and if that does not work for you that you, I strongly recommend you consider just abandoning using Spybot on your Windows 98SE system.
Using Spybot 1.3 with resent detection rule update presents a risk that I believe that you should not subject yourself to.
Perhaps I missed something,but I wonder if,since your problems seem related to teatimer,if you could just update to Spybot 1.6 (or at least Spybot 1.5.2) and then just run Spybot as a scanner only,and not use teatimer at all?Not the best solution,I know,but better than nothing.
wyrmrider
2008-07-14, 21:52
I did see your link but am always concerned when others follow a thread
zenobias Idea could work
even if it does i'd remove- run small fix and reinstall
No duplicate entries in Add remove programs?
removing in safe mode might work
small fix may work
editing your start up programs to exclude t-timer might work
what other hacks are out there?
t-timer is designed to be robust from the bad guys :)
YOU BAD!
I have a 98 machine and had no problem with blue screens and t-timer toggle on/of or at shutdown when I was running earlier versions
something weird has happened
any other old timers remember this issue with 1.3 and t-timer?
and as I said you would get more hits in the other forum
caterwaul
2008-07-14, 23:13
caterwaul:
re: false positives in Spybot 1.3.
I trust that you are aware that false positives in Spybot 1.3 cause by resent detection rules designed for later releases, cause major problems for users running Spybot 1.3 under Windows XP. Fixing those false positives cause the users to no longer be able to log onto their systems.
I suggest that you attempt to update to Spybot 1.6 (or at lease Spybot 1.5.2) and if that does not work for you that you, I strongly recommend you consider just abandoning using Spybot on your Windows 98SE system.
Using Spybot 1.3 with resent detection rule update presents a risk that I believe that you should not subject yourself to.
Actually I'm using WIN98SE but I would presume some of the same issues apply. I also posted (see page 2 link) regarding how I have been unable to get SB1.5.2 to work with a "running" teatimer as far as shutdown in concerned.
I know I can either not run teatimer or I can try and remember to "exit" teatimer before I reboot or shutdown but none of these options are that great as I prefer to use the application and I don't want to always rely on my remembering to "exit" teatimer (besides anyone else using the computer wouldn't be aware of this requirement and would be having the computer crash with the "blue" screen error (mentioned in detail in the other thread link provided earlier in this thread).
It seems SB1.6 or bust. :sad:
caterwaul
2008-07-14, 23:26
I did see your link but am always concerned when others follow a thread
zenobias Idea could work
even if it does i'd remove- run small fix and reinstall
No duplicate entries in Add remove programs?
removing in safe mode might work
small fix may work
editing your start up programs to exclude t-timer might work
what other hacks are out there?
t-timer is designed to be robust from the bad guys :)
YOU BAD!
I have a 98 machine and had no problem with blue screens and t-timer toggle on/of or at shutdown when I was running earlier versions
something weird has happened
any other old timers remember this issue with 1.3 and t-timer?
and as I said you would get more hits in the other forum
This problem has nothing to do with "older versions". (issue not with 1.3 only 1.5.2).
BOTH SB1.2 and SB1.3 have both worked flawlessly for me for many many years with teatimer RUNNING! (no shutdown issues).
I have had NO ISSUES until SB1.5.2 - this is the only version that has given me any trouble at all (other than "false positives" of course recently*) - more specifically no problems running teatimer AT ALL until SB1.5.2.
*I have posted a detailed list of all of the "false positives" in link: http://forums.spybot.info/showthread.php?t=30970
I have tried about everything - installed it 3 times with very "clean" system.
I can shutdown without any problem if teatimer is NOT RUNNING.
The problem is ONLY shutting down the computer (reboots of course) when TEATIMER IS RUNNING.
As I've posted many times I can "exit" teatimer with no problem which tells me that SB1.5.2 is no problem with it's code as far as "exiting" teatimer it is only a problem with WIN98SE shutting down and for some reason with teatimer running there is some kind of problem "closing" teatimer.
The blue screen error has to do with teatimer "still running" thus SB1.5.2 isn't "exiting" teatimer correctly when the OS shutdown is closing programs. Clearly in my case there is some kind of combination of a coding issue and/or my OS between SB1.5.2, teatimer that causes teatimer to not "exit" properly with the OS closes SB1.5.2 since the application can "exit" teatimer without any problems (but does not when the OS is closing the program(s)).
All of this has been covered in the other thread (link provided on prior page).
Thanks for the interest however. :)
caterwaul
2008-07-15, 20:51
Perhaps I missed something,but I wonder if,since your problems seem related to teatimer,if you could just update to Spybot 1.6 (or at least Spybot 1.5.2) and then just run Spybot as a scanner only,and not use teatimer at all?Not the best solution,I know,but better than nothing.
I like the registry protection that teatimer supplies thus if I can't use it w/ Spybot then I'd have to try and get this protection somewhere else and as far as using Spybot just as a scanner I can do this with an on-line scanner with far less overhead on my machine.
Better yet I can use teatimer but just remember to "exit" the teatimer process prior to shutdown....
My problem with that is that I'll forget or someone else won't know to do this if they need to reboot for example.... a blue screen crash is very troubling for anyone when they get it as you know.
Yes,I can understand that,since I use Teatimer.
And I understand your dilemma.However,with all due respect,I think you really ought to consider some suggestions other than keeping Spybot 1.3.
It was announced support for earlier versions was soon ending:
http://forums.spybot.info/announcement.php?f=4
And in the false positives forum,issues involving Spybot 1.3 are listed as Unsupported outdated version in the title already:
http://forums.spybot.info/showthread.php?t=30132
And:
http://forums.spybot.info/showthread.php?t=29855
I see it was suggested by Yodama that you could move to Spybot 1.4 if Spybot 1.5.2 or Spybot 1.6 will not run properly on your Windows 98 machine.
http://forums.spybot.info/showthread.php?t=30970
If you did not want to apply the fix for teatimer with reshacker if you upgrade to Spybot 1.4,then on English language computers you can press A for Allow or D for Deny on the keyboard to answer the prompts from Teatimer.
If others were using the computer,you could just tell them to do that,also. :)
caterwaul
2008-07-17, 19:54
I see it was suggested by Yodama that you could move to Spybot 1.4 if Spybot 1.5.2 or Spybot 1.6 will not run properly on your Windows 98 machine.
http://forums.spybot.info/showthread.php?t=30970
If you did not want to apply the fix for teatimer with reshacker if you upgrade to Spybot 1.4,then on English language computers you can press A for Allow or D for Deny on the keyboard to answer the prompts from Teatimer.
If others were using the computer,you could just tell them to do that,also. :)
I have considered SB1.4 but one question remains considering that the "announcement" did not really make it very clear as to what will be supported. :scratch:
Will SB1.4 continue to be supported?
Hi. :)
Yodama answered your clarification on support question.That thread is located here:
http://forums.spybot.info/showthread.php?t=31019