A CoolWebSearch Sunday
So I arrive at around 4:00pm Sunday afternoon and am shown the patient, a Dell system running XP. The symptom that was keeping him from accessing the internet was that IE kept crashing as it loaded. I verified that his connection was in fact good, and it was, so I figured he must have a corrupt copy of IE. Time for a reinstall, I thought. I fired up the control panel and removed IE, rebooted, went back to the control panel and added IE again and rebooted. Same problem.
I started asking my friend what he had installed lately and he mentioned his son who was home from college had been using the computer a lot and may have installed some stuff. This sounded like an infection scenario, so I fired up the control panel and started to look through the installed programs, looking for something that a teenager might install. I noticed a few odd things and on a whim pressed the link that directed me to the product's home page. Surprise, IE loaded and took me to the page. I now clicked on the desktop IE icon and it too loaded. The home page it took me to was a local file on the C: drive. I asked my friend why he had this as his home page. He said he didn't and it had just started to appear recently. I opened Internet Options, changed the home page to Google and rebooted the system.
Feeling less than totally confident, I clicked on the desktop IE icon again and it crashed just as before. I had already spent about 45 minutes getting to this point, so I decided to install a back door to the internet. I used the trick I had discovered earlier of opening IE through the control panel to download Mozilla 1.6 and installed it on the machine. If I couldn't get IE to work, at least I would be able to get him set up on Mozilla.
Now that I was back online, I figured I should be able to google around and find some more info on the problem. I couldn't find anything that exactly described what I was seeing, but I saw enough info on the CoolWebSearch trojan that I figured it was the root cause of the problem. I downloaded two pieces of software:
HijackThis and CWShredder, both from Merijn.org. The instructions called for running CWShredder first from a Safe Mode prompt, rebooting, running HijackThis to remove the registry crap, and rebooting again. Thankfully it worked: IE loaded and went to the about:blank page. I reset it to Google, rebooted, and all was well.
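The cleanup described above is the manual version of what HijackThis automates: walk the registry locations a browser hijacker touches and list them for review. As an added example (not from the original post and not code from Merijn's tools), here is a small Python triage script that applies the same three checks to a registry export taken from the suspect machine (for instance with `reg export` from Safe Mode) and read offline: IE start/search pages redirected to a local file (the symptom seen on the Dell), Browser Helper Objects and the DLLs their CLSIDs resolve to, and Run-key autostarts. The sample `.reg` text, the GUID and the file names in it are constructed for illustration only.

```python
"""Offline triage of an exported Windows registry (.reg) file for the
browser-hijack indicators HijackThis reports:
  R0/R1  IE Start/Search pages pointing at a local file
  O2     Browser Helper Objects and the DLL behind each CLSID
  O4     Run-key autostarts
Added example; SAMPLE_REG is constructed, not captured from a real machine."""
import re
import sys

# Constructed export: a hijacked start page, one BHO and one Run entry.
# Backslashes are doubled because that is how regedit escapes them.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="C:\\WINDOWS\\sp.htm"
"Search Page"="http://www.google.com/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10000000-0000-0000-0000-000000000001}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\system32\\example_bho.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\WINDOWS\\system32\\example_updater.exe"
'''

VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
IE_MAIN_KEYS = (r'HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main',
                r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main')
PAGE_VALUES = {'start page', 'search page', 'default_page_url', 'default_search_url'}
BHO_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
RUN_KEYS = (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run')
# file: URLs, drive-letter paths and UNC paths all count as "local" targets.
LOCAL_TARGET = re.compile(r'^(file:|[a-z]:[\\/]|\\\\)', re.I)


def _unescape(s):
    """Strip regedit quoting: "a\\b\"c" -> a\b"c."""
    return re.sub(r'\\(.)', r'\1', s[1:-1])


def parse_reg(text):
    """Parse a Regedit 5.00 export into {lowercased key path: {value name: data}}.
    REG_SZ data is unescaped; dword/hex data is kept as its raw right-hand side.
    Hex continuation lines (trailing backslash) are joined first."""
    reg, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            reg.setdefault(current, {})          # keep keys that carry no values
            continue
        while line.endswith('\\') and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = '@' if m.group(1) == '@' else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data)
        reg[current][name] = data
    return reg


def get_values(reg, key):
    return reg.get(key.lower(), {})


def subkeys(reg, parent):
    prefix = parent.lower() + '\\'
    return sorted({k[len(prefix):].split('\\')[0] for k in reg if k.startswith(prefix)})


def is_local_target(url):
    return bool(LOCAL_TARGET.match(url.strip()))


def clsid_server(reg, clsid):
    """Resolve a CLSID to its in-process DLL under either spelling of the Classes hive."""
    for root in (r'HKEY_CLASSES_ROOT\CLSID', r'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID'):
        vals = get_values(reg, root + '\\' + clsid + r'\InprocServer32')
        if '@' in vals:
            return vals['@']
    return None


def triage(text):
    """Return (category, detail) findings in HijackThis order."""
    reg, findings = parse_reg(text), []
    for key in IE_MAIN_KEYS:                     # R0/R1: only flag local targets
        for name, data in get_values(reg, key).items():
            if name.lower() in PAGE_VALUES and is_local_target(data):
                findings.append(('R0/R1', f'{key} :: {name} -> {data}'))
    for clsid in subkeys(reg, BHO_KEY):          # O2: every BHO is worth a look
        dll = clsid_server(reg, clsid)
        findings.append(('O2', f'BHO {clsid} -> {dll or "<no InprocServer32: orphaned CLSID>"}'))
    for key in RUN_KEYS:                         # O4: every autostart, for review
        for name, data in get_values(reg, key).items():
            findings.append(('O4', f'{key} :: {name} = {data}'))
    return findings


if __name__ == '__main__':
    # Real `reg export` output is UTF-16LE with a BOM; the sample is plain text.
    text = open(sys.argv[1], encoding='utf-16').read() if len(sys.argv) > 1 else SAMPLE_REG
    for cat, detail in triage(text):
        print(f'{cat:6} {detail}')
```

Run it against `reg export HKCU hkcu.reg` and `reg export HKLM hklm.reg` taken from the suspect box (concatenate or run twice). Only the R0/R1 items are flagged outright; O2 and O4 entries are listed for a human to judge, exactly as HijackThis leaves the decision to the operator, because a legitimate toolbar or updater looks the same in the registry as a hijacker does.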
In the end it took about an hour and a half to diagnose and clean the machine. The initial lack of access to the internet was probably the most frustrating part. In the end, I learned a lot about the current state of trojans and have a new respect for how heinous they can be.