Re: [Full-Disclosure] Cool Web Search

From: Gregh (chows_at_ozemail.com.au)
Date: 07/30/04

    To: "Disclosure Full" <full-disclosure@lists.netsys.com>
    Date: Fri, 30 Jul 2004 23:36:49 +1000

    ----- Original Message -----
    From: "Andrew Clover" <and-bugtraq@doxdesk.com>
    To: <full-disclosure@lists.netsys.com>
    Sent: Friday, July 30, 2004 9:44 PM
    Subject: Re: [Full-Disclosure] Cool Web Search

    > Gregh <chows@ozemail.com.au> wrote:
    >
    > > It was used by me to list various entries in registry which, when lumped
    > > together like that, show off CWS quite easily. Once they are there,
    > > removing them and the progs started by some of them is easy.
    >
    > This is not the case for all variants of CWS. The newer, sneakier
    > variants can rebuild themselves if they detect a program like HijackThis
    > removing their registry entries.

    Sorry but totally and utterly incorrect. You just do NOT understand what I
    have typed. I said that I used HiJackThis to list the entries in a group
    then ticked them manually and then removed them. Along with that, it allowed
    you to identify the exe files that went with it.

    If you don't understand that then I can understand that you don't know how to
    get rid of it, but the truth is that this way DOES get rid of it. There are
    at LEAST 5 variants of CWS. I have met them all and beat them all.

    >
    > This is part of a strong trend in unsolicited commercial software,
    > copying survival techniques learned from virus authors. The use of
    > constantly-loaded multiple DLLs and/or processes and/or services that
    > all restart and repair each other if tampering is detected, is becoming
    > widespread (see also CommonName, ClearSearch, TVMedia etc.).

    All easily beaten by using HiJackThis in the way I described. If I can do
    it, anyone with just a small amount of registry knowledge also can.

    >
    > Where there are not short-cut workarounds this means removing the
    > software manually is simply impossible. Currently a trip into Safe Mode

    Absolute and utter rot! I understand YOU may not be able to do it but it CAN
    be done. It is simple logic if you want to look at it another way - whatever
    can be DONE can be UNdone. The way I described works perfectly every time and
    takes 10 minutes or less to get rid of it though admittedly the first time
    you use HiJackThis it can take longer.

    > can do the trick, by stopping any of the software running, but I'm sure
    > that'll be worked around too eventually. (Rootkit-like spyware?)
    >

    No, you are utterly wrong there, too. I have run Spybot and Adaware in safe
    mode. Spybot sees and removes CWS but it comes back on next boot anyway. You
    have to use HiJackThis to list the registry entries which stand out like a
    sore thumb at that point. If you can't identify incorrect registry entries,
    though, naturally it will elude you!

    Greg.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
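The listing step Greg describes (pull the autostart registry entries together and work out which program each one launches) done in PowerShell, as an added example that is not from the post and is not HijackThis: it walks the Run/RunOnce keys, the Winlogon Shell and Userinit values and the Browser Helper Object CLSIDs, resolves each entry to an on-disk file and groups the entries by that file, so a cluster of entries all serving one EXE or DLL stands out the way the post says CWS does. The key paths are the standard Windows locations, the function names are mine, and the script only lists; it removes nothing.

```powershell
# Added example, not from the post or from HijackThis. Run from an elevated
# prompt. Lists autostart registry entries and groups them by the file they
# launch; it does not change the registry.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = New-Object System.Collections.Generic.List[object]

# Pull the image path out of a command line such as
#   "C:\Program Files\foo\bar.exe" /s    or    %SystemRoot%\foo.exe -x
# Bare names like "Explorer.exe" are returned as-is (they will not resolve
# with Test-Path, which is itself worth a look).
function Get-ImagePath([string]$cmd) {
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+\.(exe|dll|com|scr|bat))') { return $Matches[1] }
    return $cmd.Trim()
}

function Add-Finding([string]$location, [string]$name, [string]$target) {
    $path = Get-ImagePath $target
    $findings.Add([pscustomobject]@{
        Location = $location
        Name     = $name
        Target   = $target
        Image    = $path
        OnDisk   = [bool]($path -and (Test-Path -LiteralPath $path -PathType Leaf))
    })
}

# 1. Run / RunOnce values (the "O4" lines in a HijackThis log)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
        Add-Finding $key $p.Name ([string]$p.Value)
    }
}

# 2. Winlogon Shell / Userinit, a common place to wedge a loader in front of
#    explorer.exe or userinit.exe
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($v in 'Shell', 'Userinit') {
    $val = (Get-ItemProperty -Path $winlogon -Name $v -ErrorAction SilentlyContinue).$v
    if ($val) { Add-Finding $winlogon $v $val }
}

# 3. Browser Helper Objects (the "O2" lines): each CLSID under the BHO key
#    maps to a DLL through HKCR\CLSID\{...}\InprocServer32
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($clsid in (Get-ChildItem $bhoKey).PSChildName) {
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
        if ($dll) { Add-Finding $bhoKey $clsid $dll }
    }
}

# Group by image file: several entries pointing at one file, or at a file
# that is missing, is the "lumped together" view the post relies on.
$findings | Group-Object Image | Sort-Object Count -Descending | ForEach-Object {
    "`n== $($_.Name)  ($($_.Count) entries, on disk: $($_.Group[0].OnDisk))"
    $_.Group | Format-Table Location, Name, Target -AutoSize | Out-String
}
```

Removing an entry you have identified is `Remove-ItemProperty -Path <key> -Name <value>` once the process or DLL host that owns it has been stopped. Re-running the listing afterwards is a cheap check for the behaviour Andrew describes: if a value you deleted is back, something still running recreated it, and that process has to be found and killed (or the machine taken into Safe Mode) before the registry clean-up will stick.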

