I thought that my question above was not so hard.
Anyway, now I'm going to tell you the whole story about our friend called "CoolWebSearch or about:blank".
First, I have this new version "res://<random>.dll/<random>.html" and you should know that Symantec, Kaspersky and Panda online scan, PestPatrol, Spybot Search&Destroy and CWShredder don't recognize it at all. Lavasoft Ad-aware has recognized a couple of files, but the biggest thanks goes to my Trend Micro PC-cillin 2002 and their knowledge base. HijackThis also couldn't help, and even its author says that this new version of the trojan is hell.
I was using some file sharing programs (Warez P2P, iMesh 5, BearShare 5) and at the same time surfing suspicious pages when I got that warning: "Do you want to install and run ... blah blah ... ...that is safe." and my antivirus immediately showed the warning "JAVA_BYTEVER.A virus". Well, I know those warnings, I saw them a lot of times and normally I don't want to install that crap, but instead of clicking the No button I clicked Yes in a hurry. "So what", I thought, that's just some stupid dialer or something else and my antivirus will take care of that; if not, then Task Manager -> End Process, Regedit -> delete run entry and delete the new file. But ...
Suddenly, I got a warning TROJ_EMT.A virus for C:\WINDOWS\syssr.exe and TROJ_WINSHOW.G for C:\WINDOWS\system32\qporv.dll. After that I got numerous (59 exactly) warnings for TROJ_AGENT.Z2 viruses found in the WINDOWS and system32 folders. And that's not all, I was constantly getting new processes which my antivirus didn't recognize. That day and the next I killed and deleted 26 such files. I have also removed some .dat files from the WINDOWS folder. Summary; I found these files:
- .exe files, 29 Kbytes in size, all packed with UPX, all with random names
- .dat files, 7 of them, 29 Kbytes in size, all packed with UPX, all with random names
- .dat files, 7 of them, 89 Kbytes in size, UPX packed, random names
I also used Ad-aware which found this <random>.dll file in the WINDOWS folder along with some .dat file, and some .dat file in the system32 folder. But these files always came back when I removed them. Ad-aware and HijackThis also found the change of home page in the registry, but after removing it, it always came back.
First, I packed all the files that I found into a 1 MB zip archive and sent them to Trend Micro and Lavasoft.
Then I went to Trend Micro and read everything about the above mentioned viruses. After that I removed all HKCU_CLSID subkeys related to those files I had removed.
After removing those keys from the registry I had no more problems with downloading more viruses from the internet. But my home page was still changing. I scanned the WINDOWS folder and subfolders and I found a couple of UPX packed files. One of them was some <xxxxxx>.dll. I ran Ad-aware to remove registry entries from the Internet Explorer\main subkey and then I removed those two files which always came back in the WINDOWS folder (.dat and .dll). Then. Miracle!
Those files and registry entries never returned again! But my home page was still hijacked. Then I read somewhere that on the Symantec pages one file can be found that reverses some registry entries to their original state. I downloaded that file, ran it, rebooted and finally - Google is back.
More good news, today's Trend Micro update recognizes those 29 KB files (.exe and .dat) as TROJ_AGENT.Z1 and those <random>.dll as TROJ_WINSHOW.AB.
But like in all bad horror movies, the dead man is not dead yet.
I can freely use IE to surf the net, there are no new viruses and no new popups, but if I open Mozilla's or Opera's home page I'm being redirected to the same old page "Buy this stupid product..." and I get those popups.
Any comment? Advice? Help?
Do you want my logs?
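The clean-up described in this post was done by hand: hunting for small UPX-packed files with random names under WINDOWS and system32, and checking whether the Internet Explorer start page still points at a res://<dll>/<html> resource. The script below is an added example, not code from the original post or from any of the tools it names. It automates those two triage checks over a constructed sample directory (the file names, sizes and bytes are made up for the demo; the UPX section-name markers and the 29 KB / 89 KB size profile are taken from the post). It does not touch the registry; pass the Start Page value you read from HKCU\Software\Microsoft\Internet Explorer\Main into classify_start_page yourself.

```python
"""Triage helpers for a CoolWebSearch-style infection (added example).

Two checks the poster performed manually:
  1. find small, UPX-packed .exe/.dll/.dat files with random-looking
     names under a directory tree;
  2. classify an Internet Explorer Start Page value (res:// resource
     URLs were what this variant used; about:blank is worth confirming).
All sample files below are constructed for the demo.
"""
import os
import tempfile

# UPX writes these section names / signature into the packed PE header.
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")
VOWELS = set("aeiou")


def is_upx_packed(head: bytes) -> bool:
    """Heuristic: any UPX marker inside the first few KB of the file."""
    return any(marker in head[:4096] for marker in UPX_MARKERS)


def name_looks_random(filename: str) -> bool:
    """Flag short all-letter stems with few vowels, e.g. 'qporv', 'syssr'.

    A triage heuristic only: some legitimate system files trip it, so
    treat a hit as 'look at this', not 'delete this'."""
    stem = os.path.splitext(filename)[0].lower()
    if not (4 <= len(stem) <= 8) or not stem.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    return vowel_ratio <= 0.25


def scan_dir(root, size_kb=(29, 89), tolerance_kb=2,
             exts=(".exe", ".dll", ".dat")):
    """Return [(path, size, upx_packed, random_name)] for files that are
    UPX-packed and close to one of the sizes reported in the post."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in exts:
                continue
            path = os.path.join(dirpath, fn)
            size = os.path.getsize(path)
            if not any(abs(size - s * 1024) <= tolerance_kb * 1024
                       for s in size_kb):
                continue
            with open(path, "rb") as fh:
                packed = is_upx_packed(fh.read(4096))
            if packed:
                hits.append((path, size, packed, name_looks_random(fn)))
    return hits


def classify_start_page(value: str) -> str:
    """'hijacked' for the res:// DLL-resource scheme this variant used,
    'suspicious' for about:blank (confirm with the user), else 'ok'."""
    v = value.strip().lower()
    if v.startswith("res://"):
        return "hijacked"
    if v == "about:blank":
        return "suspicious"
    return "ok"


def build_demo_tree() -> str:
    """Constructed sample tree resembling what the poster found."""
    root = tempfile.mkdtemp(prefix="cws_demo_")
    sys32 = os.path.join(root, "system32")
    os.makedirs(sys32)
    # fake 'packed' header: MZ stub followed by UPX section names
    packed = b"MZ" + b"\0" * 200 + b"UPX0" + b"\0" * 40 + b"UPX1"
    # random-named, UPX-packed, 29 KB: matches the profile (constructed)
    with open(os.path.join(sys32, "qporv.dll"), "wb") as fh:
        fh.write(packed.ljust(29 * 1024, b"\0"))
    with open(os.path.join(root, "syssr.exe"), "wb") as fh:
        fh.write(packed.ljust(29 * 1024, b"\0"))
    # readable name, not packed, same size: must not be reported
    with open(os.path.join(sys32, "notepad.exe"), "wb") as fh:
        fh.write(b"MZ".ljust(29 * 1024, b"\0"))
    # packed but far from the size profile: ignored by the size filter
    with open(os.path.join(root, "wxyzab.dat"), "wb") as fh:
        fh.write(packed.ljust(200 * 1024, b"\0"))
    return root


def demo():
    """Build the constructed tree, scan it, return flagged base names."""
    root = build_demo_tree()
    return sorted(os.path.basename(p) for p, _, _, _ in scan_dir(root))


if __name__ == "__main__":
    print(demo())
    for page in ("res://abcdef.dll/ghijkl.html", "about:blank",
                 "http://www.google.com/"):
        print(page, "->", classify_start_page(page))
```

Run it against C:\WINDOWS on a real machine by calling scan_dir with that path; the size filter and the UPX marker are what keep the output short, and the random-name flag only orders the list for review. Anything flagged should be submitted to the vendor, as the poster did, rather than deleted on the strength of a heuristic.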