Re: spyware removal in win 2000

From: andy_frahmster (anonymous_at_discussions.microsoft.com)
Date: 10/05/04


Date: Mon, 4 Oct 2004 22:35:04 -0700

Kevin,

Thank you for this wonderful advice. But can you state any
sure-fire method to prevent this particular adware, CWS,
from infecting in the first place? I mean something aimed
at this particular one?

Thanks

Andy
>-----Original Message-----
>>From the NTBugTraq mailing list:
>
>Fri, 1 Oct 2004 10:26:28 -0400
>Received: from LISTSERV.NTBUGTRAQ.COM by LISTSERV.NTBUGTRAQ.COM
> (LISTSERV-TCP/IP release 1.8e) with spool id 4553548 for
> NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM; Fri, 1 Oct 2004 10:26:22 -0400
>Message-ID: <555451230.20040930163536@aya.yale.edu>
>Date: Thu, 30 Sep 2004 16:35:36 +0200
>Subject: CWS = Crummy Windows Security
>
>Hello,
>
>CWS, CoolWebSearch, is a particularly nasty incarnation of ad-ware.
>Rossano Ferraris (rossano.ferrarisNOSPAM@libero.it) and I have
>collaborated to develop a simple procedure to remove it from an
>NT4-W2K-WXP box.
>
>CWS is widely discussed on the web, but it's poorly understood and
>procedures to remove it are often lengthy, cumbersome and ineffective.
>Users are sometimes forced to reformat the hard disk to remove it. CWS
>comes in a variety of flavors. This post will only consider the most
>insidious, which involves two components: a shield-DLL and a BHO
>(Browser Helper Object).
>
>Shield-DLL
>----------
>
>The shield-DLL installs itself to the following registry value in
>NT4-type systems:
>HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
>
>Per MSKB 197571, a .DLL listed there is "loaded by each Windows-based
>application running within the current logon session." IOW, any
>ad-ware found here runs concurrently with _every_ program launched. It
>is truly astonishing that such a registry location exists.
>
>Here's what the CWS shield-DLL manages to do:
>
>1. It prevents almost all registry editors from displaying it as an
>   AppInit_Dlls value. This list includes, but is not limited to:
>   Regedit.exe (even if renamed), Regedt32.exe, Reg.exe, Autoruns,
>   HijackThis, and, my favorite (because I wrote it), the "Silent
>   Runners.vbs" script. The _only_ program known to display it, for
>   unknown reasons, is the freeware Registrar Lite 2.0, available
>   here: http://www.resplendence.com/reglite/
>
>2. It prevents all GUI and command line tools from listing it or
>   deleting it. This list includes, but is not limited to: Windows
>   Explorer, DIR, ATTRIB, CACLS, and DEL.
>
>3. The .DLL file has eccentric security permissions (SYNCHRONIZE
>   and FILE_EXECUTE) and is READ-ONLY. Once the shield-DLL is removed
>   from memory, an Admin must reset security to delete the file.
>
>4. It has a unique name on every system it infects.
>
>5. It ensures that a BHO starts up with IE at every boot.
>
>6. If the BHO is deleted, it restores the BHO under a new name at
>   the next boot.
>
>This combination of features makes it a formidable adversary.
>
>BHO
>---
>
>This is a .DLL that installs itself as a subkey of the following key:
>HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
>
>The BHO is responsible for the ad-ware symptoms: change of home page,
>profusion of popups, and anything else that foments the users' wrath.
>The BHO registry key and the file are not protected; both can be
>deleted. The BHO will simply be reloaded under a new name at the next
>boot.
>
>To eliminate CWS, we have developed a relatively simple procedure
>(compared to everything else that's out there) that involves using
>Registrar Lite 2.0 to record the name of the shield-DLL, a VBS script
>to remove it from AppInit_Dlls, the "Silent Runners" script to
>identify the BHO, and, after reboot, a second VBS script to delete the
>shield-DLL and BHO files. The procedure and scripts can be found here:
>http://www.silentrunners.org/sr_cwsremoval.html
>
>MS please take note:
>
>AppInit_Dlls is a gaping security hole. Unfettered access to this
>value should be removed ASAP from NT4/W2K/WXP.
>
>regards, Andrew Aronoff & Rossano Ferraris
>
> *****
> Want to know every program (well, almost every program -- CWS being
> the exception) that starts up with Windows?
> Download "Silent Runners.vbs":
> http://www.silentrunners.org/
> *****
>
>--
>#include <standard.disclaimer>
> _
>Kevin D Quitt  USA 91387-4454  96.37% of all statistics are made up
> Per the FCA, this address may not be added to any commercial mail list
>.
>
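Added example (not the authors' removal scripts and not part of the original thread): a small offline audit of the two persistence points the quoted post names, AppInit_Dlls and the Browser Helper Objects key. It assumes you export those keys plus HKCR\CLSID with `regedit /e` and feed the concatenated text to `audit()`, which lists every AppInit DLL and resolves each BHO CLSID to its InprocServer32 path. The sample export, the CLSID and the file names are constructed placeholders. Caveat straight from the post: the shield-DLL hides its AppInit_Dlls entry from regedit and reg.exe, so on an infected box the exported value may read as empty; the BHO side is not hidden, and a clean machine should produce no findings at all.

```python
"""Offline audit of a regedit export for AppInit_DLLs entries and registered
Browser Helper Objects.  Illustrative code, not the Silent Runners scripts."""
import re

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"

# "name"=value or @=value; the name may contain escaped quotes/backslashes.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _decode_value(raw):
    """Decode one .reg value literal: quoted string, dword, or hex(...) blob."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])      # unescape \\ and \"
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("2", "7"):                    # REG_EXPAND_SZ / REG_MULTI_SZ (UTF-16LE)
            text = data.decode("utf-16-le", errors="replace").rstrip("\0")
            return text.split("\0") if m.group(1) == "7" else text
        return data
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; the default value "@" is stored as "(Default)"."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):                         # long hex blobs wrap with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] == ";" or line.startswith(("REGEDIT", "Windows Registry")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(1)[1:-1])
        keys[current][name] = _decode_value(m.group(2))
    return keys


def _lookup(mapping, wanted):
    """Case-insensitive lookup: registry key and value names are case-insensitive."""
    for name, value in mapping.items():
        if name.lower() == wanted.lower():
            return value
    return None


def audit(keys):
    """Return (where, dll_path) for every AppInit_DLLs entry and every registered BHO."""
    findings = []
    appinit = _lookup(_lookup(keys, APPINIT_KEY) or {}, "AppInit_DLLs") or ""
    if isinstance(appinit, list):                       # tolerate a REG_MULTI_SZ variant
        appinit = " ".join(appinit)
    if isinstance(appinit, str):
        for dll in re.split(r"[ ,]+", appinit.strip()):  # the value is space- or comma-separated
            if dll:
                findings.append(("AppInit_DLLs", dll))
    for key in keys:
        if key.lower().startswith(BHO_KEY.lower() + "\\"):
            clsid = key.rsplit("\\", 1)[1]
            server = _lookup(keys, f"{CLSID_ROOT}\\{clsid}\\InprocServer32") or {}
            path = _lookup(server, "(Default)") or "<InprocServer32 not in export>"
            findings.append((f"BHO {clsid}", path))
    return findings


# Constructed sample export: placeholder CLSID and file names, not real CWS artefacts.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINNT\\system32\\shield.dll"
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01234567-89AB-CDEF-0123-456789ABCDEF}]

[HKEY_CLASSES_ROOT\CLSID\{01234567-89AB-CDEF-0123-456789ABCDEF}\InprocServer32]
@="C:\\WINNT\\system32\\bho.dll"
"ThreadingModel"="Apartment"
'''

# Constructed export of a clean machine: empty AppInit_DLLs and no BHO subkeys.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
'''

if __name__ == "__main__":
    for where, path in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{where}: {path}")
```

A non-empty AppInit_DLLs value is worth a look on any workstation, since legitimate software rarely uses it; the BHO list is noisier, so compare each resolved path against a known-good export from the same build rather than treating every entry as hostile.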


