CoolTooBar/Adssite - "adssite" reg key

[hockeykong]

Hi,

I have a problem with some malware that SpyBot detects as "CoolTooBar" and which is linked to the following Registry key:

HKEY_CURRENT_USER\Software\Microsoft\adssite.

I have made SpyBot delete it several times and I have deleted it manually many times also using Regedit, but it keeps on coming back. It comes back specifically when I start my browser (FireFox).

This key is huge (1,2 Mb). It includes one subsection which is a WEB PAGE ! Another subsection called "related_sites" is also quite large.

SYMPTOMS:

Pop-up page with title "Ads served by Adssite". The page
in question is advertizing for mainstream products, well known companies.

Once this page took the form of a form to fill out with my name, city, zip code, my age, etc. and it poped-up just when I loaded this forum's page. "Spybot" was displayed quite large on the pop-up page in question.

I have been getting help from another forum (one person)
for the last four days, downloaded and used about a dozen progs, in addition to my security programs already installed (ZoneAlarm, SpyBot, AVG Antivirus, SpywareGuard, SpywareBlaster) but no success.

I need help please.

Marc

[tashi]

Hello.

Sorry to hear of the problem you are experiencing.

I have been getting help from another forum (one person)
for the last four days, downloaded and used about a dozen progs, in addition to my security programs already installed (ZoneAlarm, SpyBot, AVG Antivirus, SpywareGuard, SpywareBlaster) but no success.

Please give a link to the topic in question.

Best regards.

[hockeykong]

It's a French forum:

http://forum.pcastuces.com/forum.asp...ID=25&SSCAT=77

If you ask me questions about it (the thread) I can answer them. At least you'll be able to see all the programs he had me install and use on my machine.

There is the content of that Registry key also you might want. It's in the thread also, towards the end of it.

Thanks.

Marc

[tashi]

Hello Marc,

A lot of tools were used on that machine, including one for hard core cases, which can make it difficult for another helper; especially as the dialogue is in French. http://forum.pcastuces.com/sujet.asp?f=25&s=37122

Did he ask you to look in Add/Remove Programs for Search Assistant Adssite?

Which version of Spybot-S&D are you using.
Open Spybot Search & Destroy > Help > About.

Regards.

[hockeykong]

Hello Marc,

Did he ask you to look in Add/Remove Programs for Search Assistant Adssite?

He did not and did not need to because I had done that already. I did most of the obvious stuff, unistalling via uninstall prog, via control panel if necessary, doing searches in the Registry and System files for certain names: CoolToolBar, adssite, rightonadz. Deleting what I could.

The main problem is the Adssite Registry Key:

[HKEY_CURRENT_USER\Software\Microsoft\adssite]

I have deleted it several times with SpyBot and manually via Regedit but it keeps on reappearing. It's when I launch my browser (FireFox) that the key is created.
===========================================

Which version of Spybot-S&D are you using ?

ANSWER: 1.5.1.18
===========================================
I dont need to follow a specific procedure. Not yet anyway. The person helping me in the PCastuce forum
seems out of ideas. I've been working at this problem for two weeks and he's been helping me for three or four days.

If someone from a forum or another comes along and says "Hey, I've dealt with this bug before, I'll tell you how to get rid of it, then I would simply inform the other forums and let them know when it is solved and inform them on how it was done, and with whose help for credit.

In fact I just did something that was suggested by tetonboy on the SUPPORT TECH FORUMS
(http://www.techsupportforum.com/secu...te-spybot.html)
and it looks like it may have done the trick ! Not certain yet. I'll have to make some tests.

He suggested I delete the following file:

E:\COMMUNICATIONS\Mozilla\FireFox\components\rsBrowserOpt.dll

I did. Now I can tell you and Fill in PCastuces, and maybe later come back to say that it worked, or not.

Thank you for you understanding.

Marc

[tetonbob]

Actually, it was me, tetonbob, and this file:

C:\Program Files\Mozilla Firefox\components\nsBrowserOpt.dll

%ProgramFiles% is different per language though, and there are always %systemdrive% considerations.

Looks like you did the work though.

[tashi]

tetonbob, didn't know that was you.

[tetonbob]

Hi tashi!

[hockeykong]

Hi tashi,

So I guess you guys know each other. Thanks a lot ! The Reg key seems gone for good and no pop-ups. Yep, removing the rsBrowserOpt.dll from the FireFox folder was the key.

I must thank Fill at the PCASTUCES forum also. Although he did not find the final cure he did spent quite a bit of time helping me. He's probably a bit less experienced than you guys.

Thanks again.

Marc

[tashi]

Cheers Marc.

As tetonbob said, "Looks like you did the work though."

Well done.