RE: IE default Page

From: Hagen, Eric (ehagen_at_DenverNewspaperAgency.com)
Date: 07/16/04

    To: wnorth <wnorth@verizon.net>, incidents@securityfocus.com
    Date: Fri, 16 Jul 2004 09:21:54 -0600
    
    

    I use "HijackThis" and have had success beating it. For most of my
    intensive adware removal, I copy HijackThis and CWShredder to the hard disk
    and then reboot the machine in safe mode. Then I manually kill all of the
    processes that it will allow me to kill... then run HijackThis and
    CWShredder and take note of where the files are. I then go in and manually
    delete those files. CoolWebSearch hasn't been nearly as much of a problem for
    us as "TVMedia" and "WinTools" or a few of the other ones that have multiple
    threads and/or system services that watch the system processes and restart
    each other when one of them is killed. WinTools is an amazingly resilient
    program that uses this method with 2 processes PLUS a system service all
    watching each other.

    Interestingly enough, aren't they one of the companies who sued Symantec
    when they tried to add CWS as a "virus" to their definitions? After all,
    it's an "advertising engine" not a "virus" and they (like GMT and Gator)
    have been aggressive in pressing legal action against anyone who tries to
    "automatically" remove their "program".

    Eric

    -----Original Message-----
    From: wnorth [mailto:wnorth@verizon.net]
    Sent: Thursday, July 15, 2004 6:46 PM
    To: incidents@securityfocus.com
    Subject: IE default Page

    Interesting bug going around, CoolWebSearch. Has anyone been successful in
    removing this virus from a system? It looks like it recreates the DLL under
    c:\windows\system32 and renames it after a few reboots. It's pretty annoying
    and I haven't been able to fully contain it.

    Thoughts? Suggestions? I've used HijackThis, CWShredder and a few spyware
    detectors, but nothing is really fixing the problem.

    Thanks,

    -Wes
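
The mutual-restart behaviour described in the reply above (two processes plus a service bringing each other back when killed) can be spotted from process start/exit records. The following is an added example, not part of the original messages: the event tuple format, the image names and the 5-second window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events (hypothetical names): (time_s, kind, pid, image, parent_pid)
EVENTS = [
    (0,   "start", 100, "svc_watch.exe",  4),
    (1,   "start", 200, "adhelper_a.exe", 100),
    (2,   "start", 300, "adhelper_b.exe", 200),
    (3,   "start", 400, "notepad.exe",    50),
    (60,  "exit",  200, "adhelper_a.exe", 100),  # analyst kills A
    (61,  "start", 210, "adhelper_a.exe", 300),  # B brings A back
    (90,  "exit",  300, "adhelper_b.exe", 200),  # analyst kills B
    (91,  "start", 310, "adhelper_b.exe", 210),  # A brings B back
    (120, "exit",  210, "adhelper_a.exe", 300),  # both killed together...
    (120, "exit",  310, "adhelper_b.exe", 210),
    (122, "start", 220, "adhelper_a.exe", 100),  # ...and the service restarts A
    (150, "exit",  400, "notepad.exe",    50),   # ordinary program: stays gone
]

def respawn_edges(events, window=5):
    """Map restarter image -> images it relaunched within `window` s of their exit."""
    image_of = {}   # pid -> image for every process seen (PID reuse is ignored here)
    last_exit = {}  # image -> time of its most recent exit
    edges = defaultdict(set)
    for t, kind, pid, image, ppid in sorted(events, key=lambda e: e[0]):
        if kind == "exit":
            last_exit[image] = t
            continue
        image_of[pid] = image
        parent = image_of.get(ppid)
        recently_killed = image in last_exit and t - last_exit[image] <= window
        if parent and parent != image and recently_killed:
            edges[parent].add(image)
    return edges

def watchdog_group(edges):
    """Images in a mutual-restart pair, plus anything else that restarts them."""
    mutual = {a for a, kids in edges.items() for b in kids if a in edges.get(b, ())}
    helpers = {a for a, kids in edges.items() if kids & mutual}
    return sorted(mutual | helpers)

if __name__ == "__main__":
    print(watchdog_group(respawn_edges(EVENTS)))
```

Every image in the returned group has to be stopped or prevented from loading before the files are deleted, which is what the safe-mode step in the reply achieves.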

