Re: spyware removal in win 2000

From: Kevin D. Quitt (KQuittUNMUNG_at_IEEIncUNMUNG.com)
Date: 10/04/04

  • Next message: Karl Levinson [x y], mvp: "RE: adjusting firewall in windows2000"
    Date: Mon, 04 Oct 2004 12:56:26 -0700
    
    

    From the NTBugTraq mailing list:

    Fri, 1 Oct 2004 10:26:28 -0400
    Received: from LISTSERV.NTBUGTRAQ.COM by LISTSERV.NTBUGTRAQ.COM
              (LISTSERV-TCP/IP release 1.8e) with spool id 4553548 for
              NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM; Fri, 1 Oct 2004 10:26:22 -0400
    Message-ID: <555451230.20040930163536@aya.yale.edu>
    Date: Thu, 30 Sep 2004 16:35:36 +0200
    Subject: CWS = Crummy Windows Security

    Hello,

    CWS, CoolWebSearch, is a particularly nasty incarnation of ad-ware.
    Rossano Ferraris (rossano.ferrarisNOSPAM@libero.it) and I have
    collaborated to develop a simple procedure to remove it from an
    NT4-W2K-WXP box.

    CWS is widely discussed on the web, but it's poorly understood and
    procedures to remove it are often lengthy, cumbersome and ineffective.
    Users are sometimes forced to reformat the hard disk to remove it. CWS
    comes in a variety of flavors. This post will only consider the most
    insidious, which involves two components: a shield-DLL and a BHO
    (Browser Helper Object).

    Shield-DLL
    ----------

    The shield-DLL installs itself to the following registry value in
    NT4-type systems:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls

    Per MSKB 197571, a .DLL listed there is "loaded by each Windows-based
    application running within the current logon session." IOW, any
    ad-ware found here runs concurrently with _every_ program launched. It
    is truly astonishing that such a registry location exists.

    Here's what the CWS shield-DLL manages to do:

    1. It prevents almost all registry editors from displaying it as an
       AppInit_Dlls value. This list includes, but is not limited to:
       Regedit.exe (even if renamed), Regedt32.exe, Reg.exe, Autoruns,
       HijackThis, and, my favorite (because I wrote it), the "Silent
       Runners.vbs" script. The _only_ program known to display it, for
       unknown reasons, is the freeware Registrar Lite 2.0, available
       here: http://www.resplendence.com/reglite/

    2. It prevents all GUI and command line tools from listing it or
       deleting it. This list includes, but is not limited to: Windows
       Explorer, DIR, ATTRIB, CACLS, and DEL.

    3. The .DLL file has eccentric security permissions (SYNCHRONIZE
       and FILE_EXECUTE) and is READ-ONLY. Once the shield-DLL is removed
       from memory, an Admin must reset security to delete the file.

    4. It has a unique name on every system it infects.

    5. It ensures that a BHO starts up with IE at every boot.

    6. If the BHO is deleted, it restores the BHO under a new name at
       the next boot.

    This combination of features makes it a formidable adversary.

    BHO
    ---

    This is a .DLL that installs itself as a subkey of the following key:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
    Objects\

    The BHO is responsible for the ad-ware symptoms: change of home page,
    profusion of popups, and anything else that foments the users' wrath.
    The BHO registry key and the file are not protected; both can be
    deleted. The BHO will simply be reloaded under a new name at the next
    boot.

    To eliminate CWS, we have developed a relatively simple procedure
    (compared to everything else that's out there) that involves using
    Registrar Lite 2.0 to record the name of the shield-DLL, a VBS script
    to remove it from AppInit_Dlls, the "Silent Runners" script to
    identify the BHO, and, after reboot, a second VBS script to delete the
    shield-DLL and BHO files. The procedure and scripts can be found here:
    http://www.silentrunners.org/sr_cwsremoval.html

    MS please take note:
    AppInit_Dlls is a gaping security hole. Unfettered access to this
    value should be removed ASAP from NT4/W2K/WXP.

    regards, Andrew Aronoff & Rossano Ferraris
                                    *****
     Want to know every program (well, almost every program -- CWS being
                 the exception) that starts up with Windows?
                        Download "Silent Runners.vbs":
                        http://www.silentrunners.org/
                                    *****
    -- 
    #include <standard.disclaimer>
     _
    Kevin D Quitt  USA 91387-4454         96.37% of all statistics are made up
      Per the FCA, this address may not be added to any commercial mail list
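An added audit script illustrating the two persistence points the forwarded post describes (AppInit_DLLs and the Browser Helper Objects key); it is not part of the original post, the NTBugTraq thread, or the Silent Runners project. Because the post states that the loaded shield-DLL hides its AppInit_DLLs entry from most tools on the live system, the script takes a `-HiveRoot` parameter (an assumption of this example) so it can be pointed at a SOFTWARE hive loaded offline with `reg load`; the function name `Show-DllInfo` is likewise the example's own.

```powershell
# Added example, not the post's own VBS scripts. Audits AppInit_DLLs and BHO
# registrations and reports file attributes/ACLs of the DLLs they reference.
# For an offline hive: reg load HKLM\OfflineSW D:\Windows\System32\config\SOFTWARE
# then run with -HiveRoot 'HKLM:\OfflineSW'.
param(
    [string]$HiveRoot = 'HKLM:\SOFTWARE'   # live system by default (assumption of this example)
)

function Show-DllInfo([string]$Path) {
    # Report the traits the post calls out: READ-ONLY attribute and unusual ACEs.
    # A referenced DLL that "does not exist" on a live system is itself a red flag,
    # since the post says the shield-DLL hides its file from DIR/ATTRIB/CACLS/DEL.
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $full)) { "    file not found or hidden: $full"; return }
    $item = Get-Item -LiteralPath $full -Force
    "    attributes: {0}" -f $item.Attributes
    $acl = Get-Acl -LiteralPath $full
    foreach ($ace in $acl.Access) {
        "    ace: {0} {1} {2}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.FileSystemRights
    }
}

# 1. AppInit_DLLs (native and, on 64-bit systems, the Wow6432Node copy)
$appInitKeys = @(
    "$HiveRoot\Microsoft\Windows NT\CurrentVersion\Windows",
    "$HiveRoot\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"
)
foreach ($key in $appInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # LoadAppInit_DLLs only exists on Vista and later; on NT4/W2K/WXP any
    # non-empty AppInit_DLLs value is loaded into every GUI process.
    $load = if ($null -ne $props.LoadAppInit_DLLs) { $props.LoadAppInit_DLLs } else { 'n/a (pre-Vista: always loaded)' }
    "{0}`n  AppInit_DLLs = '{1}'  LoadAppInit_DLLs = {2}" -f $key, $props.AppInit_DLLs, $load
    # The value is space- or comma-separated; bare names resolve from the system directory.
    foreach ($dll in ($props.AppInit_DLLs -split '[ ,]' | Where-Object { $_ })) { Show-DllInfo $dll }
}

# 2. Browser Helper Objects: each subkey is a CLSID; resolve it to its in-process DLL.
$bhoKey = "$HiveRoot\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
if (Test-Path $bhoKey) {
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid  = $sub.PSChildName
        $server = "$HiveRoot\Classes\CLSID\$clsid\InprocServer32"
        $path   = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { '<no InprocServer32>' }
        "BHO {0} -> {1}" -f $clsid, $path
        if ($path -and -not $path.StartsWith('<')) { Show-DllInfo $path }
    }
}
```

Run it once from the live session and once against the offline hive; a DLL that appears only in the offline pass matches the hiding behaviour the post describes.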
    
