Frankly, I'm stumped: CoolWebSearch
GHoosdum
Icrontian
I've been rebuilding my soon to be mother-in-law's PC for the past three days. You should have seen the dirt that was caked inside - I'll post pics in the Cases/Cooling forum later on. Anyway, here's the issue: I just freshly formatted the HDD and installed XP Home, SP2, Via 4-in-1s, Video Driver, Sound Driver, Avast Antivirus, (then plugged in the network cable), updated AV defs, then Windows Update (in that order). I then used the Files and Settings Transfer Wizard to import her old profile from the prior PC build. That's when the fun began. 
I have Microsoft AntiSpyware, Adaware SE 1.06, and Spybot S&D all installed and fully updated. This profile that I imported with the F&STW is set to a Limited account by default. Scans with Avast, MS AntiSpyware, and Adaware all come up clean, even with a deep search. However, in this imported profile ONLY, Spybot finds 7 variants of CoolWebSearch, with 12 entries in total. Spybot cannot remove them, even with a boot-time search. (//edit: On the last boot-time search, these entries showed up under the Admin account as well). I temporarily granted the transferred account Admin privileges to see if it could remove them then. No dice. I turned off System Restore temporarily, thinking maybe that one of the restore points had the CWS infection, and the same results came up in Spybot. I've run CoolWebShredder, and it finds nothing. I am truly and thoroughly stumped. I have attached an HJT log just for grins, but even that looks clean to me. Any ideas, folks?
(BEGIN HJT LOG)
Logfile of HijackThis v1.99.1
Scan saved at 7:30:48 PM, on 7/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Folding\fah502-console.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Folding\FahCore_82.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT-SS\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: FAH@C:+Folding+fah502-console - Stanford University - C:\Folding\fah502-console.exe
(END HJT LOG)

Comments
Also, does SpywareShooter make its registry entries on a per-logon-ID basis? If so, that would explain why I saw those results in the Admin account later: I didn't add the SpywareShooter reg entries on that account until later.
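
For readers triaging a HijackThis log like the one in the post above, here is an added example (not part of the original thread) that parses the log into running processes and O-entries, then flags entries for a manual look. The three triage rules and the function names are illustrative assumptions, and the sample is a handful of lines copied from the posted log.

```python
import re

# Constructed sample: a few lines copied from the HJT log in the post above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: FAH@C:+Folding+fah502-console - Stanford University - C:\Folding\fah502-console.exe
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")                      # e.g. "O4 - HKLM\..\Run: ..."
EXE_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)

def parse_hjt(text):
    """Split a HijackThis log into running-process paths and (code, detail) entries."""
    processes, entries, in_procs = set(), [], False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.add(line.lower())
    return processes, entries

def triage(text):
    """Return (code, note, detail) tuples for entries worth a manual look (assumed rules)."""
    processes, entries = parse_hjt(text)
    findings = []
    for code, detail in entries:
        path = EXE_PATH.search(detail)
        if "(file missing)" in detail:
            # Cross-check against the process list before trusting the marker.
            running = path is not None and path.group(0).lower() in processes
            note = "file missing" + (", yet the same path is a running process" if running else "")
            findings.append((code, note, detail))
        elif code == "O4" and path is None:
            findings.append((code, "autostart without a full path", detail))
        elif code == "O2" and "(no name)" in detail:
            findings.append((code, "unnamed BHO", detail))
    return findings

if __name__ == "__main__":
    for code, note, detail in triage(SAMPLE_LOG):
        print(f"{code}: {note}: {detail}")
```

A flag here only means "check by hand": in the posted log the unnamed BHO resolves to Spybot's own SDHelper.dll, and the avast! services marked "(file missing)" appear in the running-process list.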