CoolWWWSearch or not?

P

peggy08

New member
I'm running Spybot SD V1.3. I updated today and ran a scan. It found a couple of tracking cookies, which were deleted, and also found CoolWWWSearch.hjg, which was one of the new items in the June 11 update. I selected to fix it, and the green checkmark appeared. But when I ran another scan, it was detected again. I fixed it again, then scanned, and it was found yet again. Then I downloaded and ran CWShredder, which didn't find any CoolWWSearch on my PC. Now I don't know whether I have a problem or not. Advice would be appreciated. One other thing, when I downloaded the new Spybot definitions, I wasn't logged on as an administrator. Do you have to be admin for the spyware updates to install?

Thanks for your help.
 
Hello peggy.

You are using a VERY dated version of Spybot-SD ; ).

The latest version is 1.5.2.20. This version improves program stability and many other fixes.

I would suggest you upgrade to it ASAP.

Also as a note: Uninstall Spybot-SD 1.3 first. Disable SDHELPER and TEATIMER. Also, undo the immunization. You can immunize once you updated.
 
hi, I have added my post to this thread as it is the same subject. I found the same item yesterday, and it related to a particular registry key (I can post it if you wish but it is three lines long). I followed the advice given to the original poster and removed the older Spybot program and downloaded 1.5.2. A scan with that showed nothing wrong, and I also downloaded Malwarebytes and that scan came up with nothing. Firstly, does it seem as if my computer is actually free of CoolWWWSearch. Secondly, why did the older version find it - was it a false positive. I would be grateful for advice, because I ran Spybot yesterday prior to a disk image and naturally I am worried about imaging the disk now as I don't feel it is safe to do so. Any help/guidance gratefully received.
 
m3a7t9:

MalwareByte's AntiMalware would be usually used on infected computers.

What was your Spybot version prior to installing the latest one (1.5.2.20)?

If you downloaded all the updates, immunized, and ran a full scan with the latest version of Spybot, I'm assuming Spybot will be running at it's full potential. Of course, you can tweak it but I would stay away from it for now.

If CoolWWWSearch does not show up in Spybot-SD, it is safe to assume it has been gone.
What I was thinking was to "SEARCH" with Windows Explorer for all Files and Folders related to CoolWWWSearch on your primary drive. The primary drive for me would be "C:\".

Also, you said that Spybot detected a registry key.

Can you tell me the results?
 
Hi, thanks for your reply. The following is the registry key:
HKey_Users\S-1-5-21-357895349-1559929237-3824168032-1006\software\
microsoft\windows\currentversion\internetsettings\privdiscuishown!=W-0.

I think the SpyBot previous version was 1.2 but I uninstalled and am not sure, but it was certainly old. I'll have a search via windows explorer to see if the file name that the old spybot found shows up.
 
hi, as I said earlier I did uninstall the earlier version, and then installed 1.5.2.20. I ran a scan with that and the item the previous version found was not found in the 1.5.2.20 scan.
 
hi, thanks for your reply. I had a look at the MS article, and I actually have IE7 on the computer not ie 6, and tbh I use Firefox as my browser. There have been rare occasions when I have used IE7, but not many. Do you think I should still delete the key the article refers to - I don't want to jump in and do that if it should not be done re IE7. (Just to let you know that I have been in to the registry before under guidance so, if absolutely necessary, I am prepared to do this).
 
m3a7t9:

I am using Internet Explorer 7 and my current setting for "PrivDiscUiShown" is:

Code: 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"PrivDiscUiShown"=dword:00000001
The detection that you posted indicated "!=W-0" which means "not equal to dword zero". My registry entry is "not equal to dword zero" and I did not get a detection using Spybot 1.5.2.20. I changed the registry entry to dword:00000000 and still no detection.

It seems as of the old software reacts diferently than the current version using the same rule set.

I would just leave the registry entry as is.
 
md, many thanks for your reply, I will do as you recommend. If you think it is now ok for me to do a disk image I will be very relieved, it's overdue.
 
m3a7t9:

If your system is clean, by all means back it up. Even if the system was not 100% clean, having a dirty backup is better than not having one at all.
 
False Positive? - really causing confusion.

md usa spybot fan said:
m3a7t9:

Spybot is detecting that you (or something) set "Do Not Show This Message Again" on the "Privacy" Dialog Box in Interner Explorer. See:
Click to expand...

That is interesting since I do use IE6 and I am using SB1.3 and am getting a CoolWWWSearch.hjg Spyware found at that exact location in my registry, in fact 3 different locations actually (one of which is this specific setting you mentioned here). Each time SB1.3 tells me it is "fixed" but each time the next scan tells me that the problem remains for all 3 registry settings.

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet\ Settings\PrivDiscUiShown!=W=0

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\HideFleExt!=W-1

HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\InternetExplorer\
Control Panel\Homepage!=W=0

There is speculation on this board as to what Spybot does to fix these registry settings.

What Spybot does is change each setting to "" after the first "=" sign in the registry for all three.

What is also interesting in regards to the registry setting related to the "do not show" I have been using IE6 for many years and long ago set that setting to "do not show" but I have been getting that message box again now asking me this same question again. I am sure this is because SB1.3 is setting the values to "" and because the registry is not set to the "W=0" any longer I then get the message again.

Scans take so long for me (over 2 hours) so I have always done subsequent scans after a boot and assumed that the boot was responsible for re-inserting the Spyware.

I am now running another scan to see what the settings are for each registry setting directly following the last scan (still another 1½ hours to go).

There has been suggestions that users like myself should upgrade to minimally 1.5.2.

I cannot successfully do this on my WIN98SE since no matter what I do the teatimer will not successfully close (exit) when I shut down thus my OS crashes with a blue screen error because teatimer has this problem that is somehow related to my system (link below). I have no problem closing (exiting) teatimer manually but for some reason teatimer cannot close (exit) when the OP system tries to close (exit) teatimer through my 98SE (see link below for details). It is possible this is a combination and/or regarding my 98SE or my limited (96 RAM) resources.

http://forums.spybot.info/showthread.php?t=29644

Thus since I have to stay with SB1.3 I have a question: Will this problem remain with SB1.3? or will newer updates on the database fix this?
 
Last edited:
you do know not to FIX and REMOVE anything with 1.3
RIGHT
someone else will come along about the removal of 1.3

should this be a new thread???
and not in THIS forum
you may get more response
perhaps continue your other thread although I do not remember that the T-timer issue was addressed
did you try turning off t-timer in Mode>advanced?
 
Last edited:
Addendum (edit) to last post above

EConsidering that older versions are now not supported I think the answer to my question (see prior post) is "this will not be fixed" (for older versions). (I take it this is the forum w/ the 15 min limit for editing).

To address the "false positive" CoolWWWSearch:

If the user doesn't "repair" using SB1.3 (in my case I "fixed" so many times I can't tell which one has the original setting since each subsequent time I "fixed" the settings just remained "") each of those settings will still be set back to the correct setting when the user "resets" the values using the specific application relative to the registry setting:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet\ Settings\PrivDiscUiShown!=W=0

Will be set back from the "" setting that SB1.3 set it at for "fix" to whatever whatever setting the user chooses after launching IE6 - either "W=0" if the user clicks on "do not show" or "W=1" if the user doesn't.

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\HideFleExt!=W-1

Will be set after the user "resets" the "hidden files" setting in Windows Explorer. The setting will show whatever it was last to get the registry setting correct the user can set the "radio button" to the another setting and then back to what they had originally (which will then have the correct registry setting that matches the "View>Folder Options>View tab setting" for Windows Explorer.

HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\InternetExplorer\
Control Panel\Homepage!=W=0

Same principle as above.

There are MANY other "false positives" in SB1.3 (I will post a separate entry on this in the "False Positives" forum).
 
Last edited:
wyrmrider said:
you do know not to FIX and REMOVE anything with 1.3
RIGHT
someone else will come along about the removal of 1.3

should this be a new thread???
and not in THIS forum
you may get more response
perhaps continue your other thread although I do not remember that the T-timer issue was addressed
did you try turning off t-timer in Mode>advanced?
Click to expand...

Thanks for asking. Yes all of this was covered (if you notice I had a link to the (old) topic thread that was in the correct forum in my post above). I removed everything possible in multiple ways. Yes as I posted (above and in the original thread) I can "turn off" t-timer with no problem it is when I "shutdown" that the 98SE OS has a problem "shutting down" teatimer) which causes the crash (every time). I could always have to "remember" to "turn off" teatimer when ever I did a reboot or shutdown to avoid the problem but that is a real nuisance and clearly should not be necessary anyway.
 
caterwaul:

re: false positives in Spybot 1.3.

I trust that you are aware that false positives in Spybot 1.3 cause by resent detection rules designed for later releases, cause major problems for users running Spybot 1.3 under Windows XP. Fixing those false positives cause the users to no longer be able to log onto their systems.

I suggest that you attempt to update to Spybot 1.6 (or at lease Spybot 1.5.2) and if that does not work for you that you, I strongly recommend you consider just abandoning using Spybot on your Windows 98SE system.

Using Spybot 1.3 with resent detection rule update presents a risk that I believe that you should not subject yourself to.
 
Last edited:
Perhaps I missed something,but I wonder if,since your problems seem related to teatimer,if you could just update to Spybot 1.6 (or at least Spybot 1.5.2) and then just run Spybot as a scanner only,and not use teatimer at all?Not the best solution,I know,but better than nothing.
 
You must log in or register to reply here.
Back
Top