
Thread: Allneedsearch Coolsearch etc.

  1. #1
    Junior Member
    Join Date
    Oct 2003
    Posts
    6

    Allneedsearch Coolsearch etc.

    I have a real problem that started out as fairly trivial (I thought!) and has progressed to the point that overnight my laptop (when left online to its own devices) becomes a virtual porn machine!
    It all started out as something called coolsearch which decided it should be explorer's home page.
    I was able to take it out with ad-aware which deleted its registry entries.
    Well it came back! As of Dec 5/6 Symantec identifies it as a trojan.digit virus. I did all the specified removal tips to the registry plus found another entry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\search.URL\www.allneedsearch.com.
    At present Symantec shows no virus, specified registry entries aren't there (until somehow a porn page pops up!), I can't set up a custom search engine in explorer so I set it to lycos in the registry.
    As a final solution I'll probably have to reload everything, but for curiosity and future knowledge I'd like to know if anyone has any other non-lethal solutions?? This thing brings up some really nasty crap!

  2. #2
    Junior Member
    Join Date
    Oct 2003
    Posts
    6

    Allneedsearch Coolsearch

    Forgot to mention I picked this up from my son's network over Thanksgiving and presently my laptop is on my local network. It seems that if the network host has it you'll pick it up. So far if the infected computer isn't a host or gateway it doesn't spread it. Symantec recognizes and quarantines the virus but it always returns. Also the windows firewall is active on the internet gateway.

  3. #3
    Senior Member Narasinha's Avatar
    Join Date
    Aug 2003
    Posts
    230

    Spyware/Scumware

    I found some info about this one at SpywareInfo.com. It may be a variant of CoolWebSearch (see The CoolWebSearch Chronicles).

    There was a post in the forum there about an attempt to remove Coolsearch. They used CWShredder, a tool specifically for the CWS variants, available from the first link above. Here's what they say about the origins of this thing:
    Epilogue - The Origin

    We are pretty sure now CoolWebSearch is part of a new strain of trojans that have recently been identified that all have one thing in common: they install through the ByteVerify exploit in the MS Java VM and change the IE homepage, search page, search bar, etc.
    Good luck in getting rid of this beast.

    Narasinha
    - Relatively Unrelated (http://unrelated.dexterityunlimited.com/)
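
A defensive check for the settings this post describes (home page, search page, search bar), as an added example that is not part of the original thread: it scans a registry export, already decoded to text (regedit writes UTF-16), for the names mentioned in the thread and for page values pointing at hosts outside an allowlist. The allowlist, the sample export and the `.example` hosts are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Names taken from the thread; matched as case-insensitive substrings.
THREAD_INDICATORS = ("coolsearch", "coolwebsearch", "allneedsearch", "alfa-search")
# Internet Explorer values that hold the home page, search page and search bar.
PAGE_VALUES = {"start page", "search page", "search bar",
               "default_page_url", "default_search_url"}
# Assumption: hosts the machine's owner considers legitimate for those values.
ALLOWED_HOSTS = {"www.lycos.com", "www.microsoft.com"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)="(?P<data>(?:[^"\\]|\\.)*)"$')

def audit_reg_export(text):
    """Return a sorted list of (reason, key, value_name, data) findings."""
    findings, key = set(), None
    for line in map(str.strip, text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            if any(i in key.lower() for i in THREAD_INDICATORS):
                findings.add(("indicator-in-key", key, "", ""))
            continue
        m = VAL_RE.match(line)
        if not (m and key and "internet explorer" in key.lower()):
            continue  # only string values under Internet Explorer keys
        name = m.group("name") or "(Default)"
        data = m.group("data").replace("\\\\", "\\")  # .reg doubles backslashes
        if any(i in data.lower() for i in THREAD_INDICATORS):
            findings.add(("indicator-in-value", key, name, data))
        elif name.lower() in PAGE_VALUES:
            host = urlparse(data).hostname
            if host and host not in ALLOWED_HOSTS:
                findings.add(("unexpected-host", key, name, data))
    return sorted(findings)

# Constructed sample export (not captured from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.coolsearch.example/"
"Search Page"="http://www.lycos.com/"
"Search Bar"="http://search.example.net/bar.html"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\search.URL\www.allneedsearch.com]
@="http://www.allneedsearch.com/"
'''
if __name__ == "__main__": print(*audit_reg_export(SAMPLE), sep="\n")
```

Running the audit again after each cleanup pass shows whether the entries have returned.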

  4. #4
    Junior Member
    Join Date
    Oct 2003
    Posts
    6

    Allneedsearch Coolsearch

    Thanks, I'll look that up! Last night's fiasco had Symantec working overtime and did identify a trojan.byteverify... But as I said, a complete reload does get rid of it.... That was my son's remedy!

  5. #5
    Junior Member
    Join Date
    Oct 2003
    Posts
    6

    Allneedsearch Coolsearch

    I just went to that page you linked and downloaded cwshredder, also there were 2 links for Microsoft Security Updates. I downloaded and installed the patches then ran shredder. Shredder found 5 total entries in the registry and fixed them!
    So far, Knock on Wood!, I have the normal MS search stuff on explorer and things look promising!
    So thanks very much for the info!

  6. #6
    WebProWorld MVP mikmik's Avatar
    Join Date
    Aug 2003
    Posts
    1,557

    Got Some Good NEWS!

    I went out checking up on the trojan.byteverify, which looks like a BHO - Browser Hijack Object, at least anyway.
    I really like 'Spybot Search and Destroy', mostly 'cause I 'think' it is better than LavaSoft AdAware (they seem about evenly rated amongst techies), and I really respect the programmer's philosophy.

    So, I found out that it has been updated to include the ability to monitor system files, and you can also create/edit a list and include specific files that will be 'locked' against any attempted modifications.
    It is also available as an addition to browser toolbars, but I haven't installed it yet.
    Lastly, it also can be set to 'lock' against changes to the home page setting being changed from inside IE. Not sure if that would've helped in this case though.
    I very highly recommend this baby! Find it here:

    http://www.safer-networking.org/inde...&page=resident
    Babies don't need a vacation, but I still see them at the beach... it pisses me off! I'll go over to a little baby and say 'What are you doing here? You haven't worked a day in your life!'
    Steven Wright

  7. #7
    Junior Member
    Join Date
    Oct 2003
    Posts
    6

    Allneedsearch Coolsearch etc.

    Thanks, after I did the stuff with shredder yesterday this thing morphed into alfa-search. So options are getting slim!

  8. #8
    WebProWorld MVP mikmik's Avatar
    Join Date
    Aug 2003
    Posts
    1,557
    Yes, let us know how it goes. I think that Spybot may just alert you to the Blackbox.dll being modified, but there are some more steps to take if that happens.
    One is a great little app, 'Process Viewer' that shows the running processes like Task manager does, only you can view all the modules, process tree, loaded dll's, the source of the command, and it is freeware, very tiny, and once extracted, it is a stand alone app - you can move the folder around and it still runs, I guess that it doesn't integrate with Windows OS.
    http://www.prcview.com

    No special installation is required. Simply unzip archive to a new, empty folder.

    What’s new in 3.0
    - Displays complete task tree
    - DLL usage summary
    - Displays Task list like the standard task manager
    - Display process start-up parameters
    - PrcView distribution now includes PV.EXE - a new utility that provides PrcView functionality from the command-line. Use pv -h for more information about available options.


    What's new in 2.0
    · Get the full list of DLL’s for each running process including FULL PATH for each loaded module - discover what DLL’s your process really uses and where they are located.
    · Double click on any module or process to get the full version information
    · Save any view as a tab-separated text file by just pressing F2
    · Process Finder Tool - just drag the finder icon and drop it to the process Window to select the desired process
    · Smooth update - you don’t need to press the refresh button to get the updated list of all processes, PrcView will periodically update the process list for you
    · Resize window, change settings, PrcView saves configuration information and appears on the screen the same next time you start it.
    · New look and nice icons

  9. #9
    Senior Member Narasinha's Avatar
    Join Date
    Aug 2003
    Posts
    230
    I did a google search on +"alfa-search" +virus and found others with similar problems. There are varied results in getting rid of it.

    Symantec has detailed removal instructions for the trojan.digits virus, if this indeed is the culprit. This is quite recent:
    Trojan.Digits
    Discovered on: December 05, 2003
    Last Updated on: December 06, 2003 12:47:43 PM
    All this makes me glad I rarely use Internet Explorer, and that I use Sun's Java instead of Microsoft's.

  10. #10
    WebProWorld MVP mikmik's Avatar
    Join Date
    Aug 2003
    Posts
    1,557
    Narasinha said this:
    All this makes me glad I rarely use Internet Explorer, and that I use Sun's Java instead of Microsoft's.
    I wondered if that made a difference, they did refer to "MS" JVM.
