
Spybot Hangs

Hi,
I have run Spybot with my system in safe mode, it still hangs when the search bar gets to CoolWWWSearch. At the moment will stop trying Spybot. Why doesn't it complete the scan, then come up with a can't be deleted message, unless Spybot has been compromised?
Tried Secunia, have got 4 versions of Macromedia, none of them the latest. Apparently none are deleted as you update.
Told me I have old version of Adobe. Uninstalled Adobe last year when it stopped working, have run Foxit ever since. Must be Adobe still there somewhere.
Have started backing up all I can, just done over 2000 family photos, irreplaceable if something crashes.
Might think about rebuild one day. Have thought it would be better to go to 1G RAM and a separate hard drive for my share and charting stuff.
Don't look at pr0n sites and download all Windows updates. One of the reasons I am a bit doubtful of Google is the fact that I searched for something a few weeks ago, nothing to do with sex or pr0n, and the 1st entry must have been hijacked or a form of trojan because it led straight to a pr0n site. All the Google searches under the 1st one were fine.
Had 3 grand kids over the hols and they were all on chat rooms. The oldest boy is 15 so say no more.
Leo Laporte on the Call for Help show also says if a computer is compromised you can never tell for sure if it is completely clean again.
Brian
 

I have Norton and this is what they say about `coolsearch`......



Trojan.Norio
Risk Level 1: Very Low

Discovered: September 4, 2003
Updated: May 24, 2004 10:36:24 AM PDT
Also Known As: TrojanDownloader.Win32.Small.be [Kaspersky], Downloader-EA [McAfee]
Type: Trojan Horse
Infection Length: 5632, 9216 (multiple files)
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

When Trojan.Norio is executed, it does the following:

Adds at least one of the following values:

"Windows Update"="<file name>"
"service"="<file name> delete"
"service_ls"="<file name> delete"
"Network Service"="<file name> -sr -0"

to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


Creates the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\WinUpdate

which is used to store a unique identification number.


Adds entries to one of the files, %Windir%\Hosts or %Windir%\System32\drivers\etc\Hosts.
These entries may redirect the following URLs to point to the local computer, which may result in error messages when you try to access them:



Modifies the value for:

"SearchURL"

in the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer


Modifies the values for:

"Search Page"
"Search Bar"

in the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main


Modifies the values for:

"Default_Search_URL"
"Search Page"

in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main


Modifies the values for:

"SearchAssistant"

in the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search


Modifies the values for:

"SearchAssistant"
"CustomizeSearch"

in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search


Monitors open Web browser windows. If the title of an open Web page contains strings that the Trojan determines are characteristic of a pr0n site, it will open another pr0n site in a new browser window.


Periodically contacts a Web server for instructions. The response contains the URL for a file, which the Trojan will download and execute. This functionality may be used to update the Trojan or run any other code on a compromised system.


The Trojan may delete itself when the computer restarts.



Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

Writeup By: Heather Shannon
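
A way to check a machine for the traces the quoted writeup describes, added here as an example and not part of either post or of Symantec's text: it flags hosts-file entries that point names at the local computer and Run-key values whose names match the writeup. The function names, the sample hosts file, the sample `reg query` output and the `example.exe` paths are constructed for illustration, and a hit is a lead to investigate rather than proof of infection.

```python
import ipaddress
import re

# Run-key value names listed in the Trojan.Norio writeup quoted above.
NORIO_RUN_VALUES = {"windows update", "service", "service_ls", "network service"}
# Names that normally resolve to the local computer (assumed allow-list).
BENIGN_LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def loopback_redirects(hosts_text):
    """Return hostnames a hosts file pins to loopback or 0.0.0.0."""
    flagged = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed address column
        if addr.is_loopback or addr.is_unspecified:
            flagged += [n.lower() for n in fields[1:]
                        if n.lower() not in BENIGN_LOCAL_NAMES]
    return flagged

# reg.exe separates name, type and data with four spaces (tabs on older builds).
REG_LINE = re.compile(r"^\s+(.+?)(?:\t| {4})(REG_\w+)(?:\t| {4})(.*)$")

def suspicious_run_values(reg_query_text):
    """Return (name, data) pairs whose value name matches the writeup."""
    hits = []
    for line in reg_query_text.splitlines():
        m = REG_LINE.match(line)
        if m and m.group(1).strip().lower() in NORIO_RUN_VALUES:
            hits.append((m.group(1).strip(), m.group(3).strip()))
    return hits

# Constructed sample inputs, not taken from a real machine.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.coolwebsearch.org   # redirected to this PC
127.0.0.1 searchcomplete.com
192.168.1.10    fileserver
"""
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Update    REG_SZ    C:\WINDOWS\system32\example.exe
    Network Service    REG_SZ    C:\WINDOWS\example2.exe -sr -0
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    print(loopback_redirects(SAMPLE_HOSTS))
    print(suspicious_run_values(SAMPLE_REG))
```

On a live system, feed the first function the contents of the hosts file and the second the output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`.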