CoolWebSearch not removed


Adam Landefeld

I ran a full scan on my system which
detected "CoolWebSearch Browser Hijacker". I told it to
remove the spyware. After about 30 minutes I ran the scan
again and it detected CoolWebSearch again.

Is the software not removing the spyware properly, is
there a detection bug, or did I just get infected again?
 
Looks like this is probably the issue posted by Rick
in "other false positives":

"App showed tapicfg.exe as CoolWebSearch and remote.exe
(support tool under W2K3 server) as Cyanure. Both
legitimate files from MS."
 
|I ran a full scan on my system which
| detected "CoolWebSearch Browser Hijacker". I told it to
| remove the spyware. After about 30 minutes I ran the scan
| again and it detected CoolWebSearch again.
|
| Is the software not removing the spyware properly, is
| there a detection bug, or did I just get infected again?

Check what file it is exactly - expand the node - and make sure it is not
one of the false positives, e.g. tapicfg.exe
 
I tried that in the past, and it temporarily fixed it
until I got it again :/. I heard that the author was
giving up on it though because the removal procedures were
getting insanely complex. I'll have to check what version
I tried last.

Thanks!
 
I ran into this, and I believe it's a legit file. If the
file is reappearing it's probably because Windows File
Protection is enabled. Open event viewer and check your
system log. If WFP restores the file, then it's further
confirmation it's legit.

--jeff
 
If you are running on Windows Server 2003, then there is currently a FALSE
POSITIVE about coolwebsearch.

If the file name it identified is called TAPICFG.EXE in the Windows\System32
folder, then this is the false positive. (The date should be March 25, 2003,
6:00 AM)

It is a protected windows file, therefore if deleted, windows file
protection kicks in and re-extracts it from the .cab file holding all the
important windows files.

This has been reported by a few others.
 

jeff anderson wrote:
| I ran into this, and I believe it's a legit file. If the
| file is reappearing it's probably because Windows File
| Protection is enabled. Open event viewer and check your
| system log. If WFP restores the file, then it's further
| confirmation it's legit.

If unsure about a file, make sure you've scanned it with at least an
up-to-date anti-virus product, Ad-Aware SE, Spybot S&D (and AntiSpyware!),
as well as submitting it to www.virustotal.com.

Also with something as virulent as C.W.S., I would do ALL scanning in Safe
Mode in an effort to stop it executing and hiding itself.

Some Microsoft-issue files have an integrated digital signature to verify
their authenticity. If present this will be found in the file's Properties
page, "Digital Signatures" tab.


Adam Piggott,
Proprietor,
Proactive Services (Computing)

 
I have tried several anti-spyware programs to get rid of
CoolWebSearch and none of them did the job. The MS program
finally got rid of mine. I did some searches on Google and
it said that CoolWebSearch is very hard to remove because
in some instances it can move from one location to
another. I am just glad that MS got rid of mine.

Dave
 
You can submit the file in question from the tools menu (Suspected Spyware
Report) for further analysis by our research team.

There has been speculation in this thread about it being a false positive
but I would caution not to take that advice without *first* verifying that
the file name is indeed tapicfg.exe *and* the OS is Windows Server 2003. If
this is not the case, it is possible that CoolWebSearch *is* present and
there is something which is causing re-infection after removal.

Jeff Williams
PSS Security
 
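The posts above add up to a triage procedure for a file the scanner flags as "CoolWebSearch": expand the detection node to get the exact file name, confirm it really is tapicfg.exe in System32 and that the OS is Windows Server 2003, look at the file's digital signature, and check the System log to see whether Windows File Protection is the thing putting the file back. The script below runs those checks in one place. It is an added example written for this page, not code from the thread or from Microsoft's tool. It assumes Windows PowerShell 4.0 or later on the scanned host (Windows Server 2003 did not ship with it), uses the tapicfg.exe path from the thread as its default, assumes WFP writes to the System log under the source name "Windows File Protection", and relies on Get-AuthenticodeSignature being able to see catalog signatures, which covers Microsoft files that have no signature embedded in the binary itself.

```powershell
# Added example, not from the thread: triage a file flagged as "CoolWebSearch"
# before deleting it. Assumes Windows PowerShell 4.0+ (Get-FileHash, Get-EventLog);
# the default path and the Server 2003 condition come from the thread.
param(
    [string]$Path = (Join-Path $env:SystemRoot 'System32\tapicfg.exe')
)

function Test-FlaggedFile {
    param([string]$Path)
    $result = [ordered]@{ Path = $Path; Exists = (Test-Path -LiteralPath $Path) }
    if (-not $result.Exists) { return [pscustomobject]$result }

    $item = Get-Item -LiteralPath $Path
    $result.Name          = $item.Name
    $result.LastWriteTime = $item.LastWriteTime     # thread says March 25, 2003 for the real file
    # SHA-256 can be searched on virustotal.com without uploading the file.
    $result.SHA256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Equivalent of the Properties > Digital Signatures tab; checks catalog
    # signatures too on supported Windows versions (assumption, see lead-in).
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result.SignatureStatus = $sig.Status
    $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    $os = Get-WmiObject -Class Win32_OperatingSystem
    $result.OSCaption = $os.Caption

    # The false positive reported in the thread applies only when ALL of these hold.
    $result.MatchesKnownFalsePositive =
        ($item.Name -ieq 'tapicfg.exe') -and
        ($item.DirectoryName -ieq (Join-Path $env:SystemRoot 'System32')) -and
        ($os.Caption -like '*Server 2003*')

    [pscustomobject]$result
}

function Get-WfpRestoreEvents {
    param([string]$FileName, [int]$Newest = 50)
    # WFP (XP/2003) logs to the System log when it restores a protected file;
    # the source name is an assumption. Vista and later use WRP instead.
    Get-EventLog -LogName System -Source 'Windows File Protection' -Newest $Newest -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($FileName) } |
        Select-Object TimeGenerated, EventID, Message
}

$info = Test-FlaggedFile -Path $Path
$info | Format-List
if ($info.Exists) {
    "--- System-log entries where WFP touched $($info.Name) ---"
    Get-WfpRestoreEvents -FileName $info.Name | Format-Table -AutoSize -Wrap
}
```

Run it with the path the scanner shows when you expand the detection node (`.\Test-FlaggedFile.ps1 -Path 'C:\Windows\System32\tapicfg.exe'`). A valid Microsoft signature plus WFP restore entries in the System log is the combination the thread treats as confirmation of the false positive; a different file name, an unsigned or differently signed binary, or no WFP entries means the reappearance is not explained by WFP and, as Jeff Williams says, reinfection should be assumed instead. Submit the hash or the file through the tool's Suspected Spyware Report in that case rather than deleting it by hand.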