Coolweb fix


3 replies to this topic

#1 dmforst (Member, 7 posts)

Posted 20 June 2004 - 01:04 PM

This one cost me nearly a week, too bad so much effort is expended trying to free ourselves from these jerks.

Before removing the hidden stage of the infection, run the latest file of adaware at least twice to clean out the primary infection. This is a very clever infection and the hidden dll waits a while before reinfecting you with the 2nd stage. It is important to have all of the 2nd stage of the infection gone before working on the 1st or hidden stage.

Coolweb is a 2-stage infection. The current version of Adaware does not deal with the initial or 1st stage of the infection. The software installs a completely hidden DLL with a registry entry that controls it. This hook is not new. I do not know how I got it as I had the ByteVerifier patch, so they are using some other approach.

The dll file is placed in %systemroot%\system32, which in my W2K install was \winnt\system32. It cannot be seen as they set the permission off for all functions except copy to everyone, including administrators. I found the file using "find-all", a small utility you can easily find on the web. "Find-all" uses another utility called "xfind" to actually locate the file. "xfind" is a utility that searches for text within files. It turns out that the text you search for is irrelevant. The file is located because it is locked by security and cannot be read. "xfind" posts a list of all of the files it finds in the directory that it cannot open to read. Once you have the name of the dll, the rest is easy.

The only way to remove this little devil, since no other program including "killbox" can find it is to start up the system in recovery console for W2K/XP or from a clean boot floppy for W98. Now you can see it with a simple dir command. I renamed it so I could take a look at it.

Once it is no longer loaded on startup, you can search the registry for it and find the hook. It somehow makes the registry value invisible while it is running. The hook is to:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

This is a hook that runs this dll when most applications start. The data area for this entry is usually blank. It will now have the rogue dll's name in it. Just delete the data field, not the AppInit_DLLs value itself.

I am not a support expert, just a determined user and programmer. Please ask others for help in using the information provided here.

Thank you to Adaware and all those who wrote the tools I have used to solve this one. Good luck to all.
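The two artifacts dmforst describes, a non-empty AppInit_DLLs value and a DLL in System32 that denies read access to everyone, can both be audited from an administrative PowerShell prompt. The script below is an added example written for this thread, not code from dmforst or from any of the tools named in the post. It only reports; it changes nothing. It assumes the standard key and folder paths and an NTFS system volume; the -Key parameter exists so the same check can be pointed at an offline SOFTWARE hive loaded with reg.exe, which matters because the post notes the value is hidden while the DLL is running.

```powershell
# Added example (not from the thread): report AppInit_DLLs and any System32
# DLL that denies read access or cannot be opened for reading.
# Assumptions: run as Administrator on NTFS; default paths are the usual ones.
param(
    [string]$Key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    [string]$System32 = (Join-Path $env:SystemRoot 'System32')
)

# 1. Report the AppInit_DLLs value. On a clean system it is normally empty.
$win     = Get-ItemProperty -Path $Key -ErrorAction Stop
$appInit = [string]$win.AppInit_DLLs
$load    = $win.LoadAppInit_DLLs          # not present on Windows 2000/XP

if ([string]::IsNullOrWhiteSpace($appInit)) {
    Write-Output 'AppInit_DLLs is empty (expected on a clean system).'
} else {
    Write-Warning "AppInit_DLLs = '$appInit'"
    # The value may list several DLLs separated by commas or spaces.
    foreach ($entry in ($appInit -split '[,\s]+' | Where-Object { $_ })) {
        $full = if ([IO.Path]::IsPathRooted($entry)) { $entry } else { Join-Path $System32 $entry }
        Write-Output ('  {0} -> exists={1}' -f $full, (Test-Path -LiteralPath $full))
    }
}
if ($null -ne $load) { Write-Output "LoadAppInit_DLLs = $load" }

# 2. Flag DLLs whose ACL denies ReadData, or that cannot be opened for read
#    at all (Get-Acl itself fails when READ_CONTROL is denied).
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$suspects = foreach ($f in Get-ChildItem -LiteralPath $System32 -Filter *.dll -File -Force -ErrorAction SilentlyContinue) {
    $reason = $null
    try {
        $deny = (Get-Acl -LiteralPath $f.FullName).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            (([int]$_.FileSystemRights -band $readData) -ne 0)
        }
        if ($deny) {
            $reason = 'Deny-read ACE for: ' + (($deny | ForEach-Object { $_.IdentityReference }) -join ', ')
        }
    } catch {
        $reason = "Get-Acl failed: $($_.Exception.Message)"
    }
    if (-not $reason) {
        try {
            $fs = [IO.File]::Open($f.FullName, 'Open', 'Read', 'ReadWrite')
            $fs.Close()
        } catch [System.UnauthorizedAccessException] {
            $reason = 'Cannot open for read'
        } catch { }
    }
    if ($reason) { [pscustomobject]@{ File = $f.FullName; Reason = $reason } }
}

if ($suspects) { $suspects | Format-Table -AutoSize } else { Write-Output 'No read-denied DLLs found in System32.' }
```

Run it once from the live system and once from a recovery environment or against the offline hive; a value that appears only in the second run matches the "invisible while running" behaviour the post describes. The file check is deliberately broader than dmforst's trick with xfind: it reports the denying principal rather than just the failed open, which is what you want to keep alongside the filename when submitting a sample.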

#2 BCGovtMartyr (Bug Hunter, 29 posts)

Posted 20 June 2004 - 03:03 PM

dmforst,
You were absolutely correct in the hidden locked .dll file (mine was sqloo.dll). This process is definitely not for the inexperienced or the timid. I had to reset the attributes and rename the file, and when I got back into Windows I moved the file to the recycling bin in case Adaware or some antispyware company wants it. Usually Adaware would show the CWS OldHomeSP as fast as I could delete it, but this time it came up with no problems. Time will tell. I wasn't too worried about hurting my system and have been messing with computers since 286's were the latest craze.
If your theory proves sound (which I don't mind being a lab rat for), then the cure for this thing has been found once and for all; now all they would need to do is automate the process.

*NOTE: as dmforst said, please don't try this unless you're absolutely positive what you're doing. Deleting files from a command prompt can render your computer inoperative if you delete the wrong file.

#3 dmforst (Member, 7 posts)

Posted 20 June 2004 - 03:06 PM

I am relatively sure this is the final cure. My system was clean for hours after. I am on holiday this week and working from my laptop. I posted this because it took so long to find and I was determined to beat the absolute idiots who did this to my system. No one should have to spend the time it took me!

#4 BCGovtMartyr (Bug Hunter, 29 posts)

Posted 20 June 2004 - 03:43 PM

Yeah, I'm thinking so too. I submitted the dll to Lavasoft. Hopefully they can automate the process.
My mistake was going after the symptoms and not heading for the root of the problem. I have countless Filemon logs watching every little process my system was doing. Now I'm going to go back through them and look for the dll file I dumped and see if I can find references to that.
And to think those morons are getting paid for our misery. Every time one of us gets redirected to the site a large cash register goes "cha-ching!"
I appreciate your hard work and I sincerely hope that it puts an end to this parasite once and for all for everyone infected. Many will have to wait till the process is automated, but this is a start.

Thanks again