XP File System, CoolWebSearch Adware and hidden file

Guest
Archived from groups: microsoft.public.win2000.file_system

I somehow got the CoolWebSearch adware/spyware on my fully patched WinXP Professional install. I have tried all of the removal tools (i.e. Ad-aware, CWShredder, Spybot, etc.), all detect it and remove most of its components, but the single hidden loader DLL (c:\windows\system32\comlnm.dll) remains and since it is hidden, I can't delete it. It is hidden even if you attempt to view all hidden files and the attrib command can't locate the file; however, in viewing running processes and the disk's partition table, I see the file there, I just can't delete it using standard methods. I know I could run the Windows Recovery Console; however, I have a preloaded IBM computer, which IBM loads in mass quantities and sets a random initial Administrator password, so even if I reset the Administrator password, I can't run Recovery Console as I don't know the initial Administrator password. IBM has suggested that I delete my partition and reinstall everything from scratch.

HELP!! How can I delete this file?

Thanks,
Dave
 
Guest

The recovery console administrator password is the current local
administrator password.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect


"DBADave" wrote:
|I somehow got the CoolWebSearch adware/spyware on my fully patched WinXP
Professional install. I have tried all of the removal tools (i.e. Ad-aware,
CWShredder, Spybot, etc.), all detect it and remove most of its components,
but the single hidden loader DLL (c:\windows\system32\comlnm.dll) remains
and since it is hidden, I can't delete it. It is hidden even if you attempt
to view all hidden files and the attrib command can't locate the file;
however, in viewing running processes and the disk's partition table, I see
the file there, I just can't delete it using standard methods. I know I
could run the Windows Recovery Console; however, I have a preloaded IBM
computer, which IBM loads in mass quantities and sets a random initial
Administrator password, so even if I reset the Administrator password, I
can't run Recovery Console as I don't know the initial Administrator
password. IBM has suggested that I delete my partition and reinstall
everything from scratch.
|
| HELP!! How can I delete this file?
|
| Thanks,
| Dave
 
Guest

Unfortunately, in this case it is not. I can reset the Administrator password and log in interactively with it in XP, but when I reboot and run Recovery Console, it indicates that the password is incorrect. In checking with IBM tech support, they said that Recovery Console does not work with imaged PCs as the RC Admin password is the original pw used when installing Windows.

I can fix my problem if I can unhide this comlnm.dll file in windows\system32, but I can't figure out how (again, the file is even hidden to attrib/etc., even though it appears in the registry, taskman and in the disk's FAT table).

If anyone knows how I can delete this file, without having to completely wipe out my hard drive and reinstall the OS, please let me know.

Thanks,
Dave

"Dave Patrick" wrote:

> The recovery console administrator password is the current local
> administrator password.
>
> --
> Regards,
>
> Dave Patrick ....Please no email replies - reply in newsgroup.
> Microsoft Certified Professional
> Microsoft MVP [Windows]
> http://www.microsoft.com/protect
>
>
> "DBADave" wrote:
> |I somehow got the CoolWebSearch adware/spyware on my fully patched WinXP
> Professional install. I have tried all of the removal tools (i.e. Ad-aware,
> CWShredder, Spybot, etc.), all detect it and remove most of its components,
> but the single hidden loader DLL (c:\windows\system32\comlnm.dll) remains
> and since it is hidden, I can't delete it. It is hidden even if you attempt
> to view all hidden files and the attrib command can't locate the file;
> however, in viewing running processes and the disk's partition table, I see
> the file there, I just can't delete it using standard methods. I know I
> could run the Windows Recovery Console; however, I have a preloaded IBM
> computer, which IBM loads in mass quantities and sets a random initial
> Administrator password, so even if I reset the Administrator password, I
> can't run Recovery Console as I don't know the initial Administrator
> password. IBM has suggested that I delete my partition and reinstall
> everything from scratch.
> |
> | HELP!! How can I delete this file?
> |
> | Thanks,
> | Dave
>
>
>
 
Guest

You'll need to first stop the process that loads the DLL. This tool may
help.
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect


"DBADave" wrote:
| Unfortunately, in this case it is not. I can reset the Administrator
password and log in interactively with it in XP, but when I reboot and run
Recovery Console, it indicates that the password is incorrect. In checking
with IBM tech support, they said that Recovery Console does not work with
imaged PCs as the RC Admin password is the original pw used when installing
Windows.
|
| I can fix my problem if I can unhide this comlnm.dll file in
windows\system32, but I can't figure out how (again, the file is even hidden
to attrib/etc., even though it appears in the registry, taskman and in the
disk's FAT table).
|
| If anyone knows how I can delete this file, without having to completely
wipe out my hard drive and reinstall the OS, please let me know.
|
| Thanks,
| Dave
 
Guest

I have used this utility. It shows the comlnm.dll as a process of svchost and sometimes of iexplore. I am able to kill the processes (svchost or Internet Explorer) but still can't do anything with the actual file. With nothing referencing the file at the time, I can try and delete it, but since Windows Explorer (or even using DOS commands) can't see the file (since it's hidden) all I get is 'file does not exist' type errors. But the file does actually exist; it just uses some internal Windows proprietary method of being hidden where common Windows/DOS commands can't see the file. All I have to do is restart IE and the comlnm.dll will come back up in Task Manager. Using tools like Ad-aware, SpyBot and CWShredder will pick up registry entries for this file and the cookies that it and IE create, but the only way that I can disable this adware/spyware is to delete conlnm.dll and I can't get to the file.

With no processes accessing the file, is there any way that I can either unhide this file and/or delete it seeing that Recovery Console is not an option for me?

"Dave Patrick" wrote:

> You'll need to first stop the process that loads the DLL. This tool may
> help.
> http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
>
> --
> Regards,
>
> Dave Patrick ....Please no email replies - reply in newsgroup.
> Microsoft Certified Professional
> Microsoft MVP [Windows]
> http://www.microsoft.com/protect
>
>
> "DBADave" wrote:
> | Unfortunately, in this case it is not. I can reset the Administrator
> password and log in interactively with it in XP, but when I reboot and run
> Recovery Console, it indicates that the password is incorrect. In checking
> with IBM tech support, they said that Recovery Console does not work with
> imaged PCs as the RC Admin password is the original pw used when installing
> Windows.
> |
> | I can fix my problem if I can unhide this comlnm.dll file in
> windows\system32, but I can't figure out how (again, the file is even hidden
> to attrib/etc., even though it appears in the registry, taskman and in the
> disk's FAT table).
> |
> | If anyone knows how I can delete this file, without having to completely
> wipe out my hard drive and reinstall the OS, please let me know.
> |
> | Thanks,
> | Dave
>
>
>
 
Guest

I think you're after the wrong culprit. You'll want to search out and stop
the service and or application that loads it.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect


"DBADave" wrote:
|I have used this utility. It shows the comlnm.dll as a process of svchost
and sometimes of iexplore. I am able to kill the processes (svchost or
Internet Explorer) but still can't do anything with the actual file. With
nothing referencing the file at the time, I can try and delete it, but since
Windows Explorer (or even using DOS commands) can't see the file (since it's
hidden) all I get is 'file does not exist' type errors. But the file does
actually exist; it just uses some internal Windows proprietary method of
being hidden where common Windows/DOS commands can't see the file. All I
have to do is restart IE and the comlnm.dll will come back up in Task
Manager. Using tools like Ad-aware, SpyBot and CWShredder will pick up
registry entries for this file and the cookies that it and IE create, but
the only way that I can disable this adware/spyware is to delete conlnm.dll
and I can't get to the file.
|
| With no processes accessing the file, is there any way that I can either
unhide this file and/or delete it seeing that Recovery Console is not an
option for me?
 
Guest

This variant of CoolWebSearch uses two DLLs, one hidden dll (in this case conlnm.dll) and a viewable dll. The hidden dll is activated upon startup of IE. When IE starts, if your default web page is not the hijacker page, the viewable DLL changes your IE settings to set its own page as the default page, and also changes other components of IE. If the viewable DLL is deleted, the hidden DLL recreates the viewable dll; the hidden dll then reloads and resets the IE settings. If you use a tool such as Registrar Lite you can locate the Cool Web Search entry that includes the hidden dll name/path, but if you try to delete the reg key/value, the hidden DLL will promptly re-add the entry to the registry. The only way to delete the hidden DLL is to use Windows Recovery (but do this after you have deleted the viewable DLL and reset your IE settings). There are several tools (CWShredder, Ad-aware, Spybot) that will delete the viewable dll and reset your IE properties, but with this variant of CoolWebSearch, removal of the hidden DLL is a separate manual process.

In my case, because I am running on an imaged PC set up by my hardware vendor (IBM), I can't run Windows Recovery Console as I don't have the original Admin password used during installation (the current Administrator password will not work). What I ended up doing was using a disk editor *, opening up the conlnm.dll file and changing certain byte values in the file to corrupt it. Once I rebooted, I was then able to remove the file's reference from the registry (using Registrar Lite) and then delete the now corrupted file.

This was the most annoying spyware/adware/trojan that I have ever had to deal with.

* Unless you know what you are doing and you have a full backup of your hard drive, I do not advise using a disk editor. Writing changes to disk from a disk editor can very easily corrupt/destroy your disk's MFT or FAT tables, which would cause you to lose data on your hard disk and would require reformatting the drive.

To this date, I can't figure out how the CoolWebSearch trojan got installed on my machine, as my XP machine is current with Windows Update, IE patches, and is running ZoneAlarms v5 firewall. I also have my IE settings set to Medium security and privacy settings.

Anyway, that's a bit off topic, but in summary, I was able to disable the trojan and delete the file using a disk editor.

Thanks for the assistance and suggestions that you offered.

Dave

"Dave Patrick" wrote:

> I think you're after the wrong culprit. You'll want to search out and stop
> the service and or application that loads it.
>
> --
> Regards,
>
> Dave Patrick ....Please no email replies - reply in newsgroup.
> Microsoft Certified Professional
> Microsoft MVP [Windows]
> http://www.microsoft.com/protect
>
>
> "DBADave" wrote:
> |I have used this utility. It shows the comlnm.dll as a process of svchost
> and sometimes of iexplore. I am able to kill the processes (svchost or
> Internet Explorer) but still can't do anything with the actual file. With
> nothing referencing the file at the time, I can try and delete it, but since
> Windows Explorer (or even using DOS commands) can't see the file (since it's
> hidden) all I get is 'file does not exist' type errors. But the file does
> actually exist; it just uses some internal Windows proprietary method of
> being hidden where common Windows/DOS commands can't see the file. All I
> have to do is restart IE and the comlnm.dll will come back up in Task
> Manager. Using tools like Ad-aware, SpyBot and CWShredder will pick up
> registry entries for this file and the cookies that it and IE create, but
> the only way that I can disable this adware/spyware is to delete conlnm.dll
> and I can't get to the file.
> |
> | With no processes accessing the file, is there any way that I can either
> unhide this file and/or delete it seeing that Recovery Console is not an
> option for me?
>
>
>
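Added example, not code from the thread or from any tool named in it. The situation Dave describes is a classic cross-view discrepancy: the file is filtered out of the directory listing that Explorer, dir and attrib rely on, yet the process module list and the registry still name it. Comparing those views against each other is a standard way to spot such a file without touching the disk. The script below does that comparison in Python over constructed data; the module export format, the placeholder CLSIDs and all paths are assumptions made for the example.

```python
"""Cross-view check for a DLL hidden from the file system API.

Added example; not code from the thread. All data below is constructed to
mirror the case discussed (a module loaded into svchost and iexplore and
referenced from the registry, but absent from every directory listing).
"""
import csv
import io
from collections import defaultdict

# Constructed: file names a normal directory listing (dir / FindFirstFile)
# returned for system32. A hiding driver filters exactly this view, so the
# loader DLL is missing here.
VISIBLE_LISTING = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\ntdll.dll",
    r"C:\WINDOWS\system32\shdocvw.dll",
    r"C:\WINDOWS\system32\browselc.dll",
]

# Constructed: loaded-module records as a process viewer would export them.
# The hidden path appears once in different case to show case-insensitive matching.
LOADED_MODULES_CSV = r"""process,pid,module
svchost.exe,884,C:\WINDOWS\system32\ntdll.dll
svchost.exe,884,C:\WINDOWS\system32\kernel32.dll
svchost.exe,884,C:\WINDOWS\system32\comlnm.dll
iexplore.exe,1240,C:\WINDOWS\system32\shdocvw.dll
iexplore.exe,1240,C:\WINDOWS\System32\COMLNM.DLL
"""

# Constructed: registry values that point at DLL paths (for example a Browser
# Helper Object's InprocServer32 value). The CLSIDs are placeholders, not real ones.
REGISTRY_DLL_REFERENCES = {
    r"HKCR\CLSID\{PLACEHOLDER-CLSID-1}\InprocServer32": r"C:\WINDOWS\system32\comlnm.dll",
    r"HKCR\CLSID\{PLACEHOLDER-CLSID-2}\InprocServer32": r"C:\WINDOWS\system32\browselc.dll",
}


def normalize(path):
    """Windows paths compare case-insensitively; fold case and strip whitespace."""
    return path.strip().lower()


def parse_loaded_modules(csv_text):
    """Return {normalized module path: [(process, pid), ...]}."""
    by_module = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_module[normalize(row["module"])].append((row["process"], int(row["pid"])))
    return dict(by_module)


def find_hidden_modules(visible_listing, loaded_modules, registry_refs):
    """Cross-view diff: paths that processes or the registry reference but the
    directory listing does not show.
    Returns {path: {"loaded_by": [(process, pid), ...], "registry": [key, ...]}}."""
    visible = {normalize(p) for p in visible_listing}
    findings = {}

    def entry(path):
        return findings.setdefault(path, {"loaded_by": [], "registry": []})

    for path, users in loaded_modules.items():
        if path not in visible:
            entry(path)["loaded_by"].extend(users)
    for key, value in registry_refs.items():
        path = normalize(value)
        if path not in visible:
            entry(path)["registry"].append(key)
    return findings


def report(findings):
    """Render findings as text lines: one per hidden path, then its evidence."""
    lines = []
    for path in sorted(findings):
        ev = findings[path]
        lines.append(f"HIDDEN FROM LISTING: {path}")
        for proc, pid in ev["loaded_by"]:
            lines.append(f"  loaded by {proc} (PID {pid})")
        for key in ev["registry"]:
            lines.append(f"  referenced from {key}")
    return lines


if __name__ == "__main__":
    modules = parse_loaded_modules(LOADED_MODULES_CSV)
    hidden = find_hidden_modules(VISIBLE_LISTING, modules, REGISTRY_DLL_REFERENCES)
    print("\n".join(report(hidden)))
```

On a real machine the three inputs would come from a directory walk, a process viewer's module export and a registry search for DLL paths; the comparison logic stays the same. A path that is loaded or registered but never listed is exactly the signal worth escalating, and because the check only reads those views it carries none of the risk Dave's footnote attaches to writing through a disk editor.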