Re: [Full-Disclosure] Cool Web Search

From: Gregh (
Date: 07/30/04

    To: "Disclosure Full" <>
    Date: Fri, 30 Jul 2004 23:36:49 +1000

    ----- Original Message -----
    From: "Andrew Clover" <>
    To: <>
    Sent: Friday, July 30, 2004 9:44 PM
    Subject: Re: [Full-Disclosure] Cool Web Search

    > Gregh <> wrote:
    > > It was used by me to list various entries in registry which, when lumped
    > > together like that, show off CWS quite easily. Once they are there,
    > > them and the progs started by some of them is easy.
    > This is not the case for all variants of CWS. The newer, sneakier
    > variants can rebuild themselves if they detect a program like HijackThis
    > removing their registry entries.

    Sorry but totally and utterly incorrect. You just do NOT understand what I
    have typed. I said that I used HiJackThis to list the entries in a group
    then ticked them manually and then removed them. Along with that, it allowed
    you to identify the exe files that went with it.

    If you don't understand that then I can understand that you don't know how to
    get rid of it but the truth is that this way DOES get rid of it. There are
    at LEAST 5 variants of CWS. I have met them all and beat them all.

    > This is part of a strong trend in unsolicited commercial software,
    > copying survival techniques learned from virus authors. The use of
    > constantly-loaded multiple DLLs and/or processes and/or services that
    > all restart and repair each other if tampering is detected, is becoming
    > widespread (see also CommonName, ClearSearch, TVMedia etc.).

    All easily beaten by using HiJackThis in the way I described. If I can do
    it, anyone with just a small amount of registry knowledge also can.

    > Where there are not short-cut workarounds this means removing the
    > software manually is simply impossible. Currently a trip into Safe Mode

    Absolute and utter rot! I understand YOU may not be able to do it but it CAN
    be done. It is simple logic if you want to look at it another way - whatever
    can be DONE can be UNdone. The way I described works perfectly every time and
    takes 10 minutes or less to get rid of it though admittedly the first time
    you use HiJackThis it can take longer.

    > can do the trick, by stopping any of the software running, but I'm sure
    > that'll be worked around too eventually. (Rootkit-like spyware?)

    No, you are utterly wrong there, too. I have run Spybot and Adaware in safe
    mode. Spybot sees and removes CWS but it comes back on next boot anyway. You
    have to use HiJackThis to list the registry entries which stand out like a
    sore thumb at that point. If you can't identify incorrect registry entries,
    though, naturally it will elude you!


    Full-Disclosure - We believe in it.
