Re: spyware removal in win 2000
From: mojohotmail (mojo7676_at_hotmail.com)
Date: Tue, 05 Oct 2004 21:58:41 GMT
Andrew & Rossano,
Thanks for the detailed and very informative post. Will check out the links
and take note of your advice.
"Kevin D. Quitt" <KQuittUNMUNG@IEEIncUNMUNG.com> wrote in message
> From the NTBugTraq mailing list:
> Fri, 1 Oct 2004 10:26:28 -0400
> Date: Thu, 30 Sep 2004 16:35:36 +0200
> Subject: CWS = Crummy Windows Security
> CWS, CoolWebSearch, is a particularly nasty incarnation of ad-ware.
> Rossano Ferraris (rossano.ferrarisNOSPAM@libero.it) and I have
> collaborated to develop a simple procedure to remove it from an
> NT4-W2K-WXP box.
> CWS is widely discussed on the web, but it's poorly understood and
> procedures to remove it are often lengthy, cumbersome and ineffective.
> Users are sometimes forced to reformat the hard disk to remove it. CWS
> comes in a variety of flavors. This post will only consider the most
> insidious, which involves two components: a shield-DLL and a BHO
> (Browser Helper Object).
> The shield-DLL installs itself to the following registry value in
> NT4-type systems:
> HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
> Per MSKB 197571, a .DLL listed there is "loaded by each Windows-based
> application running within the current logon session." IOW, any
> ad-ware found here runs concurrently with _every_ program launched. It
> is truly astonishing that such a registry location exists.
> Here's what the CWS shield-DLL manages to do:
> 1. It prevents almost all registry editors from displaying it as an
> AppInit_Dlls value. This list includes, but is not limited to:
> Regedit.exe (even if renamed), Regedt32.exe, Reg.exe, Autoruns,
> HijackThis, and, my favorite (because I wrote it), the "Silent
> Runners.vbs" script. The _only_ program known to display it, for
> unknown reasons, is the freeware Registrar Lite 2.0, available
> here: http://www.resplendence.com/reglite/
> 2. It prevents all GUI and command line tools from listing it or
> deleting it. This list includes, but is not limited to: Windows
> Explorer, DIR, ATTRIB, CACLS, and DEL.
> 3. The .DLL file has eccentric security permissions (SYNCHRONIZE
> and FILE_EXECUTE) and is READ-ONLY. Once the shield-DLL is removed
> from memory, an Admin must reset security to delete the file.
> 4. It has a unique name on every system it infects.
> 5. It ensures that a BHO starts up with IE at every boot.
> 6. If the BHO is deleted, it restores the BHO under a new name at
> the next boot.
> This combination of features makes it a formidable adversary.
> This is a .DLL that installs itself as a subkey of the following key:
> HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
> The BHO is responsible for the ad-ware symptoms: change of home page,
> profusion of popups, and anything else that foments the users' wrath.
> The BHO registry key and the file are not protected; both can be
> deleted. The BHO will simply be reloaded under a new name at the next
> To eliminate CWS, we have developed a relatively simple procedure
> (compared to everything else that's out there) that involves using
> Registrar Lite 2.0 to record the name of the shield-DLL, a VBS script
> to remove it from AppInit_Dlls, the "Silent Runners" script to
> identify the BHO, and, after reboot, a second VBS script to delete the
> shield-DLL and BHO files. The procedure and scripts can be found here:
> MS please take note:
> AppInit_Dlls is a gaping security hole. Unfettered access to this
> value should be removed ASAP from NT4/W2K/WXP.
> regards, Andrew Aronoff & Rossano Ferraris
> Want to know every program (well, almost every program -- CWS being
> the exception) that starts up with Windows?
> Download "Silent Runners.vbs":
> #include <standard.disclaimer>
> Kevin D Quitt USA 91387-4454 96.37% of all statistics are made up
> Per the FCA, this address may not be added to any commercial mail list
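
An added example, not part of the original post and not the authors' VBS scripts: a Python audit of the two registry locations the post names, run over a regedit text export. Since the post says the shield-DLL hides the value from tools running on the infected system, it assumes the export was made from the hive loaded offline on a clean machine. The sample export, DLL name and CLSID are constructed, and the BHO key is written with its full Windows name, "Browser Helper Objects".

```python
import re

# Registry locations named in the post, lowercased for case-insensitive matching.
APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
BHO_KEY = (r"hkey_local_machine\software\microsoft\windows\currentversion"
           r"\explorer\browser helper objects")

# Constructed sample export; the DLL name and the CLSID are placeholders.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINNT\\system32\\example1.dll"
"Spooler"="yes"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-00000000C0DE}]
'''

def parse_reg(text):
    """Parse regedit export text into {lowercased key path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # string (REG_SZ) values only; other value types are skipped
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name.lower()] = data
    return keys

def audit(text):
    """Return the DLLs listed in AppInit_DLLs and the CLSIDs registered as BHOs."""
    keys = parse_reg(text)
    appinit = keys.get(APPINIT_KEY, {}).get("appinit_dlls", "")
    # Entries in the value are separated by spaces or commas.
    dlls = [d for d in re.split(r"[ ,]+", appinit) if d]
    bhos = sorted(k[len(BHO_KEY) + 1:] for k in keys if k.startswith(BHO_KEY + "\\"))
    return {"appinit_dlls": dlls, "bho_clsids": bhos}

if __name__ == "__main__":
    report = audit(SAMPLE)
    for dll in report["appinit_dlls"]:
        print("AppInit_DLLs entry (loaded into every Windows-based application):", dll)
    for clsid in report["bho_clsids"]:
        print("Browser Helper Object registered:", clsid)
```

Any entry reported under AppInit_DLLs deserves review, since a clean Windows 2000 install normally leaves that value empty.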