Re: spyware removal in win 2000
From: andy_frahmster (anonymous_at_discussions.microsoft.com)
Date: Mon, 4 Oct 2004 22:35:04 -0700
Thank you for this wonderful advice. But can you state any
sure fire method to prevent this particular adware CWS
from infecting in the first place? I mean something aimed
at this particular one?
>From the NTBugTraq mailing list:
>Fri, 1 Oct 2004 10:26:28 -0400
>Received: from LISTSERV.NTBUGTRAQ.COM by
> (LISTSERV-TCP/IP release 1.8e) with spool id
> NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM; Fri, 1 Oct 2004 10:26:22 -0400
>Date: Thu, 30 Sep 2004 16:35:36 +0200
>Subject: CWS = Crummy Windows Security
>CWS, CoolWebSearch, is a particularly nasty incarnation
>Rossano Ferraris (rossano.ferrarisNOSPAM@libero.it) and I
>collaborated to develop a simple procedure to remove it
>CWS is widely discussed on the web, but it's poorly
>procedures to remove it are often lengthy, cumbersome and
>Users are sometimes forced to reformat the hard disk to remove it. CWS
>comes in a variety of flavors. This post will only consider the most
>insidious, which involves two components: a shield-DLL and a BHO
>(Browser Helper Object).
>The shield-DLL installs itself to the following registry
>Per MSKB 197571, a .DLL listed there is "loaded by each
>application running within the current logon session."
>ad-ware found here runs concurrently with _every_ program
>is truly astonishing that such a registry location exists.
>Here's what the CWS shield-DLL manages to do:
>1. It prevents almost all registry editors from displaying it as an
>   AppInit_Dlls value. This list includes, but is not
>   Regedit.exe (even if renamed), Regedt32.exe, Reg.exe,
>   HijackThis, and, my favorite (because I wrote it),
>   Runners.vbs" script. The _only_ program known to display it, for
>   unknown reasons, is the freeware Registrar Lite 2.0,
>   here: http://www.resplendence.com/reglite/
>2. It prevents all GUI and command line tools from listing it or
>   deleting it. This list includes, but is not limited
>   Explorer, DIR, ATTRIB, CACLS, and DEL.
>3. The .DLL file has eccentric security permissions
>   and FILE_EXECUTE) and is READ-ONLY. Once the shield-DLL is removed
>   from memory, an Admin must reset security to delete
>4. It has a unique name on every system it infects.
>5. It ensures that a BHO starts up with IE at every boot.
>6. If the BHO is deleted, it restores the BHO under a new
> the next boot.
>This combination of features makes it a formidable
>This is a .DLL that installs itself as a subkey of the
>The BHO is responsible for the ad-ware symptoms: change of home page,
>profusion of popups, and anything else that foments the
>The BHO registry key and the file are not protected; both
>deleted. The BHO will simply be reloaded under a new name at the next
>To eliminate CWS, we have developed a relatively simple
>(compared to everything else that's out there) that
>Registrar Lite 2.0 to record the name of the shield-DLL, a VBS script
>to remove it from AppInit_Dlls, the "Silent Runners"
>identify the BHO, and, after reboot, a second VBS script to delete the
>shield-DLL and BHO files. The procedure and scripts can be found here:
>MS please take note:
>AppInit_Dlls is a gaping security hole. Unfettered access
>value should be removed ASAP from NT4/W2K/WXP.
>regards, Andrew Aronoff & Rossano Ferraris
> Want to know every program (well, almost every program --
> the exception) that starts up with Windows?
> Download "Silent Runners.vbs":
>Kevin D Quitt USA 91387-4454 96.37% of all statistics are made up
> Per the FCA, this address may not be added to any commercial mail list
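The quoted post describes two registry artifacts to look for: a DLL named in AppInit_DLLs and a Browser Helper Object that is re-registered under a new name after a reboot. The script below is an added example, not code from the post or from Aronoff and Ferraris, and it is not their VBS procedure. It parses a .reg export offline and reports both artifacts, then compares two exports so a BHO that came back under a different CLSID or file name stands out. Because the post says the shield-DLL hides the AppInit_DLLs value from regedit on the live system, the example assumes the export was produced where that DLL is not in control, for instance from the SOFTWARE hive copied off the disk and loaded on a clean machine with regedit's Load Hive and then exported; that assumption is why key paths are matched by suffix rather than by a fixed HKEY_LOCAL_MACHINE prefix. The sample exports, the CLSIDs and the DLL names in them are constructed for illustration.

```python
"""Offline triage of a .reg export for the two CWS components the post
describes: an AppInit_DLLs entry and a Browser Helper Object (BHO).
Added example; the sample exports below are constructed and every DLL
name and CLSID in them is made up."""
import re

# Matched against lowercased key paths by suffix, so a hive loaded under a
# temporary name (HKLM\tmp\Microsoft\...) is handled like a live export.
APPINIT_SUFFIX = r"\microsoft\windows nt\currentversion\windows"
BHO_RE = re.compile(r"\\explorer\\browser helper objects\\(\{[0-9a-f-]{36}\})$")
INPROC_RE = re.compile(r"\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32$")
# "Name"="data"  or  @="data"  (@ is the key's (Default) value)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} with keys and value names
    lowercased (the registry is case-insensitive). String data is
    unescaped; dword:/hex: data is kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            if current.startswith("-"):      # [-HKEY...] deletes a key; nothing to record
                current = None
            else:
                keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "" if m.group(2) else _unescape(m.group(1)).lower()
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def appinit_dlls(keys):
    """DLLs named in AppInit_DLLs (space- or comma-separated). The value is
    empty on a clean Windows 2000 install, so any entry deserves a look."""
    for key, values in keys.items():
        if key.endswith(APPINIT_SUFFIX):
            return [d for d in re.split(r"[ ,]+", values.get("appinit_dlls", "")) if d]
    return []


def bhos(keys):
    """Map each registered BHO CLSID to the DLL its InprocServer32 names
    (None when the export carries no InprocServer32 for that CLSID)."""
    servers = {m.group(1): v.get("") for k, v in keys.items() for m in [INPROC_RE.search(k)] if m}
    return {m.group(1).upper(): servers.get(m.group(1))
            for k in keys for m in [BHO_RE.search(k)] if m}


def triage(text):
    keys = parse_reg(text)
    return {"appinit_dlls": appinit_dlls(keys), "bhos": bhos(keys)}


def new_bhos(before_text, after_text):
    """BHOs whose CLSID or DLL differs between two exports; the post says the
    BHO comes back under a new name at the next boot, so this is the diff to watch."""
    earlier = bhos(parse_reg(before_text))
    return {c: d for c, d in bhos(parse_reg(after_text)).items() if earlier.get(c) != d}


# Constructed sample: export before the BHO was deleted and the box rebooted.
BEFORE_REBOOT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINNT\\system32\\qwvxlp.dll"
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}\InprocServer32]
@="C:\\WINNT\\system32\\mlkjhg.dll"
"ThreadingModel"="Apartment"
"""

# Constructed sample: same machine after reboot, BHO back under a new CLSID and file.
AFTER_REBOOT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINNT\\system32\\qwvxlp.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E8D7C6-B5A4-9382-7160-5F4E3D2C1B0A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9E8D7C6-B5A4-9382-7160-5F4E3D2C1B0A}\InprocServer32]
@="C:\\WINNT\\system32\\ztrewq.dll"
"""

if __name__ == "__main__":
    print("before:", triage(BEFORE_REBOOT))
    print("after: ", triage(AFTER_REBOOT))
    print("BHOs new or changed after reboot:", new_bhos(BEFORE_REBOOT, AFTER_REBOOT))
```

Feed it exports taken before the reboot and after it; the AppInit_DLLs entry that stays constant while the BHO's CLSID and file name change is the pattern the post attributes to CWS. Real .reg exports are UTF-16LE, so open them with the matching encoding before passing the text in.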