  1. #1
    Lounger
    Join Date
    Feb 2002
    Location
    Ottawa, Ontario, Canada
    Posts
    43
    Thanks
    0
    Thanked 0 Times in 0 Posts

    CWS:HomeSearchAssistant

    G'day:
    This morning both my laptop (XP Home - SP2 and fully patched to 9 August) and my desktop - W2K SP4 - fully patched - opened with a warning from MS AntiSpyware that it had blocked CWS HomeSearchAssistant from changing my browser default page. I ran the latest version of CWS Shredder and it found nothing. An updated AdAware found nothing. Running the free scans from SpySubtract and Aluria Spyware Eliminator didn't find it, although they did find some spyware not detected by the other programs.

    The reason I find this odd is that I seldom use the laptop for web browsing, so I can't think of how the CWS HomeSearchAssistant got on there. Is it possible that the latest definitions for MS AntiSpyware are issuing a false positive? Whatever MS blocked hasn't resurfaced, and I don't see any difference in the computers' running speeds, etc.

    Should I just add this to the long list of mysterious and inscrutable events that plague computers or is there really something there?

    Ed

  2. #2
    Plutonium Lounger
    Join Date
    Dec 2000
    Location
    Sacramento, California, USA
    Posts
    16,775
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: CWS:HomeSearchAssistant

    This item seems to be a topic of conversation in a number of places and the general consensus is that it's a browser hijacker and yes there is something out there. Personally, I would be somewhat leery of trusting CWS to remove their own hooks from your machine, but then I'm paranoid.

    Try Sunbelt's CounterSpy. It finds and removes some nasties that other very good products miss.
    Charlotte

  3. #3
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: CWS:HomeSearchAssistant

    I think he meant CW Shredder, which found a home at Intermute after its developer became exhausted keeping up with its variations, and which now is available from Trend Micro's web site here: Trend Micro CWShredder. Yeah, clearly the people behind Cool Web Search are not going to help remove their own adware!

  4. #4
    Lounger
    Join Date
    Feb 2002
    Location
    Ottawa, Ontario, Canada
    Posts
    43
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: CWS:HomeSearchAssistant

    Charlotte and JSCher:
    Thanks for the advice.
    I downloaded and ran CounterSpy on both computers. It didn't find the CWS nasty (maybe the MS Antispyware had removed it).
    However, it did find Tiny Spy Agent Commercial Key Logger on both computers in the C:ATIsupportMMC_7_2_noDVD file. This seems to suggest that someone at ATI is following up on their customers. I removed the Key Logger.
    Counter Spy also found 11 instances of TracePlus Ethernet 3.05.00. I allowed it to remove these from the registry.

    Thanks again,
    Ed

  5. #5
    Lounger
    Join Date
    Feb 2002
    Location
    Ottawa, Ontario, Canada
    Posts
    43
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: CWS:HomeSearchAssistant

    Charlotte & JSCher:

    A slight correction to the previous post. The address of the keylogger is correct, except that I forgot to add that it was a "setup.exe" file.

    This morning Counter Spy found another keylogger - Win Spy Software Pro 8.3 in a Kodak Software Updater.

    These don't sound too ominous, except I wonder why Kodak and ATI need to monitor keystrokes.

    Cheers,

    Ed

  6. #6
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts

    Re: CWS:HomeSearchAssistant

    I'd suspect that those might be false positives based on the outfits that the software in question is issued by. Often the update function of a program is mistaken for a keylogger or other tracking software because of the similarity to that type of nasty. Hold the items in quarantine for a few weeks and if you don't have any problems then they should be safe to delete. I'd also try to run that Kodak Software updater to see if it still works and if it doesn't I'd contact Kodak or CounterSpy and find out what's up. HTH

  7. #7
    Plutonium Lounger
    Join Date
    Dec 2000
    Location
    Sacramento, California, USA
    Posts
    16,775
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: CWS:HomeSearchAssistant

    Interesting, because my PC has an ATI video card and CounterSpy didn't find any such animal on it. I would also question why you would have an ATIsupport folder in the root directory anyhow.
    Charlotte

  8. #8
    Lounger
    Join Date
    Feb 2002
    Location
    Ottawa, Ontario, Canada
    Posts
    43
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: CWS:HomeSearchAssistant

    Charlotte/Doc:

    You may be right about the false positives. My two sons, quite knowledgeable in these matters, have downloaded Counter Spy and not had the same results with ATI. They don't have Kodak on their systems.

    As another factor in favour of false positives, I understand that Counter Spy uses the same definition files as MS AntiSpyware, which I have and which has never detected these two key loggers.

    Unfortunate that Counter Spy is so highly rated. Perhaps I should just pitch it in favour of remaining with MS AntiSpyware, Ad-Aware, Spybot, etc., which I was running happily up until now.

    I guess that I should let the trial period on Counter Spy run out, unless someone thinks that this would be unwise. I will contact them and let them try to work this out.

    Cheers,

    Ed

  9. #9
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: CWS:HomeSearchAssistant

    Strange folder name, strange location. Possibly an updated firmware or utilities for an ATI graphics card? I know that when I unpack updates from Dell, they usually go into cell. Just a thought. Probably that folder isn't needed any more after the update, but if you are expecting a response from ATI support, I'd find out from them.

  10. #10
    Lounger
    Join Date
    Feb 2002
    Location
    Ottawa, Ontario, Canada
    Posts
    43
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: CWS:HomeSearchAssistant

    jscher2000:

    Well, I am assuming that the Kodak "key logger" is a false positive.

    Incidentally, my Panda Titanium Firewall just announced proudly that it had stopped and deleted the CWS: HomeSearchAssistant. I think that this one is a genuine "baddie".

    I have updated Counter Spy to the latest definition file 218, and re-run it. No new "key loggers" and I told it to ignore the Kodak instance. Not too happy with the "work around" needed to update Counter Spy.

    Thanks for the help,

    Ed

  11. #11
    Plutonium Lounger
    Join Date
    Dec 2000
    Location
    Sacramento, California, USA
    Posts
    16,775
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: CWS:HomeSearchAssistant

    You can do what you like, but ALL antispyware products sometimes produce false positives. None of them permits you to just set and forget and be protected. I use a variety of products but only CounterSpy found a keylogger on my machine (the real thing, not a false positive) that was missed by PestPatrol, AdAware and SpyBot S&D. I run all those, plus CounterSpy, plus TrojanHunter, plus ZoneAlarm Pro. Personally, I like CounterSpy and do not use the MS antispyware product at all. I do not know if they use the same definition files, but if they do, they handle the definitions differently, since CounterSpy definitely recognizes and recommends the removal of Claria.
    Charlotte

  12. #12
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: CWS:HomeSearchAssistant

    Any idea what your computer was doing when the firewall intercepted CWS: HomeSearchAssistant? There are only so many vectors that you would be allowing through your firewall that I think Panda would bother to scan and intercept. These include, of course, web browsing and email traffic, instant messaging programs, peer-to-peer networking, and multiplayer games, but possibly also others. If you can correlate the timing back to a particular application, it might help track down the source of your difficulties.

  13. #13
    Lounger
    Join Date
    Feb 2002
    Location
    Ottawa, Ontario, Canada
    Posts
    43
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: CWS:HomeSearchAssistant

    jscher2000:
    In all instances so far, it has occurred at startup as various applications are being automatically loaded. It doesn't happen at every startup.
    AFAIK, there were no program additions or deletions or changes just before this all started, and it has happened on two computers. They are on a WiFi home network, if that is of any help. I don't do any peer-to-peer networking or instant messaging. Well, I guess that I do use Yahoo Messenger from time to time but that is only on the laptop.
    I think that all I can do is follow Charlotte's advice and accept that false positives happen to the best of families (this covers the two keyloggers).
    As for Panda, I'll keep an eye on things and see if there is any pattern to the detection of CWS: HomeSearchAssistant.
    I appreciate all the help, folks.

    Ed

  14. #14
    Plutonium Lounger
    Join Date
    Dec 2000
    Location
    Sacramento, California, USA
    Posts
    16,775
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: CWS:HomeSearchAssistant

    Firewalls will sometimes spit up on applications that automatically check for updates when they load. When the update check happens as the machine is starting up and the startup apps are being loaded, you may get a rash of "blocks", so it pays you to determine what is loading and sometimes to turn off the automatic updates and check for yourself after everything is loaded.
    Charlotte
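
Added example, not part of the thread: one way to do the correlation suggested in posts #12 and #14, ranking programs that started shortly before each alert and that rarely start without one. The log layout, process names and timestamps are constructed for illustration; real firewall and startup logs would need their own parsers.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data: process start times over three boots, and the
# times at which the firewall/antispyware alert fired (two of the three boots).
STARTS = """\
2005-08-10 08:01:05 updater_a.exe
2005-08-10 08:01:20 messenger.exe
2005-08-10 08:01:22 helper_b.exe
2005-08-11 08:03:10 updater_a.exe
2005-08-11 08:03:31 messenger.exe
2005-08-12 07:58:40 updater_a.exe
2005-08-12 07:58:55 messenger.exe
2005-08-12 07:58:58 helper_b.exe
"""
ALERTS = """\
2005-08-10 08:01:27
2005-08-12 07:59:03
"""

def parse_ts(text):
    return datetime.strptime(text.strip(), "%Y-%m-%d %H:%M:%S")

def parse_starts(text):
    """Return [(timestamp, process_name)] from 'date time name' lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            date, time, name = line.split(None, 2)
            events.append((parse_ts(f"{date} {time}"), name.strip().lower()))
    return events

def parse_alerts(text):
    return [parse_ts(line) for line in text.splitlines() if line.strip()]

def rank_suspects(starts, alerts, window_s=10):
    """Rank processes by how many alerts they started shortly before.

    Ties are broken by the share of a process's starts that were followed
    by an alert, so a program that loads at every boot ranks below one
    that only loads on the boots where the alert fired.
    """
    window = timedelta(seconds=window_s)
    totals = Counter(name for _, name in starts)
    hits = Counter()
    for alert in alerts:
        # Count each process at most once per alert.
        hits.update({n for ts, n in starts if alert - window <= ts <= alert})
    ranked = [(n, h, totals[n]) for n, h in hits.items()]
    ranked.sort(key=lambda r: (-r[1], -r[1] / r[2], r[0]))
    return ranked  # [(process, alerts_preceded, total_starts)]

if __name__ == "__main__":
    for row in rank_suspects(parse_starts(STARTS), parse_alerts(ALERTS)):
        print(row)
```
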
