

After removing this new version of CWS(random.dll)


#1 JCDenton




Posted 26 June 2004 - 03:49 PM


I had this new version of CWS/about:blank, which CWS Shredder doesn't recognize, and I have managed to remove it (I hope so). I don't have problems with IE and I can surf the net freely, but if I open Mozilla Firefox's home page (Google) it opens some spybouncer.com page. OK, that's not a hard problem 'cause I can just uninstall Mozilla and continue to use IE, but I have another question:

Is it normal that when I delete these files:

C:\Program Files\Windows Media Player\wmplayer.exe

that they immediately come back after one second???

Btw, Ad-aware, Spybot, CWS Shredder, HijackThis, Pc-cillin, Norton and Panda couldn't remove it.

Edited by JCDenton, 26 June 2004 - 03:59 PM.

#2 JCDenton




Posted 28 June 2004 - 03:03 PM

I thought that my question above was not so hard.

Anyway, now I'm going to tell you the whole story about our friend called "CoolWebSearch or about:blank".

First, I have this new version "res://<random>.dll/<random>.html" and you should know that Symantec, Kaspersky and Panda online scan, PestPatrol, Spybot Search&Destroy and CWS Shredder don't recognize it at all. Lavasoft Ad-aware has recognized a couple of files, but the biggest thanks go to my Trend Micro Pc-cillin 2002 and their knowledge base. HijackThis also couldn't help, and even its author says that this new version of the trojan is hell.


I was using some file sharing programs (Warez P2P, iMesh 5, BearShare 5) and at the same time surfing suspicious pages when I got that warning: "Do you want to install and run ... blah blah ... ...that is safe." and my antivirus immediately showed the warning "JAVA_BYTEVER.A virus". Well, I know those warnings, I have seen them a lot of times, and normally I don't want to install that crap, but instead of clicking the No button I clicked Yes in a hurry. "So what", I thought, that's just some stupid dialer or something else and my antivirus will take care of that; if not, then: Task Manager -> End Process, Regedit -> delete run entry and delete the new file. But ...

Suddenly, I got the warning TROJ_EMT.A virus for C:\WINDOWS\syssr.exe and TROJ_WINSHOW.G for C:\WINDOWS\system32\qporv.dll. After that I got numerous (59 exactly) warnings for TROJ_AGENT.Z2 viruses found in the WINDOWS and system32 folders. And that's not all: I was constantly getting new processes which my antivirus didn't recognize. That day and the next I killed and deleted 26 such files. I also removed some .dat files from the WINDOWS folder. Summary: I found these files:

- .exe files, 29 Kbytes in size, all packed with UPX, all with random names
- .dat files, 7 of them, 29 Kbytes in size, all packed with UPX, all with random names
- .dat files, 7 of them, 89 Kbytes in size, UPX packed, random names

I also used Ad-aware, which found this <random>.dll file in the WINDOWS folder along with some .dat file, and some .dat file in the system32 folder. But these files always came back when I removed them. Ad-aware and HijackThis also found the home page change in the registry, but after removing it, it always came back.
Btw, I had this changing of the home page, blocking of some pages (PestPatrol, Panda antivirus), popups and one message box whose MessageBoxTitle was JavaScript and MessageBoxText was "You get lot of popups so by this popup killer...".

First, I packed all the files that I found into a 1MB zip archive and sent them to Trend Micro and Lavasoft.
Then I went to Trend Micro and read everything about the above-mentioned viruses. After that I removed all HKCU_CLSID subkeys related to the files I had removed.


After removing those keys from the registry I had no more problems with downloading more viruses from the internet. But my home page was still changing. I scanned the WINDOWS folder and subfolders and found a couple of UPX packed files. One of them was some <xxxxxx>.dll. I ran Ad-aware to remove registry entries from the Internet Explorer\main subkey and then I removed those two files which were always coming back in the WINDOWS folder (.dat and .dll). Then: miracle!
Those files and registry entries never returned again :) ! But my home page was still hijacked :( . Then I read somewhere that on Symantec's pages there is a file that reverts some registry entries to their original state. I downloaded that file, ran it, rebooted and finally - Google is back :) !!!

More good news: today's Trend Micro update recognizes those 29 KB files (.exe and .dat) as TROJ_AGENT.Z1 and the <random>.dll as TROJ_WINSHOW.AB.

But like in all bad horror movies, the dead man is not dead yet.

I can freely use IE to surf the net, there are no new viruses and no new popups, but if I open Mozilla's or Opera's home page I'm redirected to the same old page "Buy this stupid product..." and I get those popups.

Any comment? Advice? Help?

Do you want my logs?
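
Added example, not part of the original posts: the files described above were small, UPX-packed and randomly named, and some carried a .dat extension, so a triage scan has to look at file content, not extensions. The sketch below reads PE section headers and flags files that still carry UPX's default section names; `scan`, `make_pe`, `demo` and the sample file names are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

UPX_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # default section names left by the UPX packer

def pe_section_names(data):
    """Return the section names of a PE image, or [] if data is not a usable PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)    # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size                       # first 40-byte section header
    if table + 40 * n_sections > len(data):                # truncated section table
        return []
    return [data[o:o + 8].rstrip(b"\0") for o in range(table, table + 40 * n_sections, 40)]

def is_upx_packed(data):
    return any(name in UPX_NAMES for name in pe_section_names(data))

def scan(root, max_size=128 * 1024):
    """List (file name, size) for small UPX-packed PE files under root, any extension."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.stat().st_size <= max_size:
            data = path.read_bytes()
            if is_upx_packed(data):
                hits.append((path.name, len(data)))
    return hits

def make_pe(names):  # constructed sample: header-only PE image, no code
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    return dos + b"PE\0\0" + coff + b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"qwxz.exe": [b"UPX0", b"UPX1", b".rsrc"], "abcd.dat": [b"UPX0", b"UPX1"],
                   "clean.exe": [b".text", b".data"]}
        for name, sections in samples.items():
            Path(tmp, name).write_bytes(make_pe(sections))
        Path(tmp, "notes.txt").write_text("plain text, not a PE file")
        return scan(tmp)

if __name__ == "__main__":
    print(demo())
```

A hit is a lead for closer inspection, not a verdict: legitimate software also ships UPX-packed, and the section names can be changed after packing.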
