Re: spyware removal in win 2000

From: mojohotmail (mojo7676_at_hotmail.com)
Date: 10/05/04


Date: Tue, 05 Oct 2004 21:58:41 GMT

Andrew & Rossano

Thanks for the detailed and very informative post. Will check out the links
and take note of your advice.

mojo

"Kevin D. Quitt" <KQuittUNMUNG@IEEIncUNMUNG.com> wrote in message
news:vka3m0pmkgrpj1oeaeb0vdsvkn7qv0650r@4ax.com...
> From the NTBugTraq mailing list:
>
> Fri, 1 Oct 2004 10:26:28 -0400
> Received: from LISTSERV.NTBUGTRAQ.COM by LISTSERV.NTBUGTRAQ.COM
> (LISTSERV-TCP/IP release 1.8e) with spool id 4553548 for
> NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM; Fri, 1 Oct 2004 10:26:22 -0400
> Message-ID: <555451230.20040930163536@aya.yale.edu>
> Date: Thu, 30 Sep 2004 16:35:36 +0200
> Subject: CWS = Crummy Windows Security
>
> Hello,
>
> CWS, CoolWebSearch, is a particularly nasty incarnation of ad-ware.
> Rossano Ferraris (rossano.ferrarisNOSPAM@libero.it) and I have
> collaborated to develop a simple procedure to remove it from an
> NT4-W2K-WXP box.
>
> CWS is widely discussed on the web, but it's poorly understood and
> procedures to remove it are often lengthy, cumbersome and ineffective.
> Users are sometimes forced to reformat the hard disk to remove it. CWS
> comes in a variety of flavors. This post will only consider the most
> insidious, which involves two components: a shield-DLL and a BHO
> (Browser Helper Object).
>
> Shield-DLL
> ----------
>
> The shield-DLL installs itself to the following registry value in
> NT4-type systems:
> HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
>
> Per MSKB 197571, a .DLL listed there is "loaded by each Windows-based
> application running within the current logon session." IOW, any
> ad-ware found here runs concurrently with _every_ program launched. It
> is truly astonishing that such a registry location exists.
>
> Here's what the CWS shield-DLL manages to do:
>
> 1. It prevents almost all registry editors from displaying it as an
> AppInit_Dlls value. This list includes, but is not limited to:
> Regedit.exe (even if renamed), Regedt32.exe, Reg.exe, Autoruns,
> HijackThis, and, my favorite (because I wrote it), the "Silent
> Runners.vbs" script. The _only_ program known to display it, for
> unknown reasons, is the freeware Registrar Lite 2.0, available
> here: http://www.resplendence.com/reglite/
>
> 2. It prevents all GUI and command line tools from listing it or
> deleting it. This list includes, but is not limited to: Windows
> Explorer, DIR, ATTRIB, CACLS, and DEL.
>
> 3. The .DLL file has eccentric security permissions (SYNCHRONIZE
> and FILE_EXECUTE) and is READ-ONLY. Once the shield-DLL is removed
> from memory, an Admin must reset security to delete the file.
>
> 4. It has a unique name on every system it infects.
>
> 5. It ensures that a BHO starts up with IE at every boot.
>
> 6. If the BHO is deleted, it restores the BHO under a new name at
> the next boot.
>
> This combination of features makes it a formidable adversary.
>
> BHO
> ---
>
> This is a .DLL that installs itself as a subkey of the following key:
> HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
> Objects\
>
> The BHO is responsible for the ad-ware symptoms: change of home page,
> profusion of popups, and anything else that foments the users' wrath.
> The BHO registry key and the file are not protected; both can be
> deleted. The BHO will simply be reloaded under a new name at the next
> boot.
>
> To eliminate CWS, we have developed a relatively simple procedure
> (compared to everything else that's out there) that involves using
> Registrar Lite 2.0 to record the name of the shield-DLL, a VBS script
> to remove it from AppInit_Dlls, the "Silent Runners" script to
> identify the BHO, and, after reboot, a second VBS script to delete the
> shield-DLL and BHO files. The procedure and scripts can be found here:
> http://www.silentrunners.org/sr_cwsremoval.html
>
> MS please take note:
>
> AppInit_Dlls is a gaping security hole. Unfettered access to this
> value should be removed ASAP from NT4/W2K/WXP.
>
> regards, Andrew Aronoff & Rossano Ferraris
>
> *****
> Want to know every program (well, almost every program -- CWS being
> the exception) that starts up with Windows?
> Download "Silent Runners.vbs":
> http://www.silentrunners.org/
> *****
>
> --
> #include <standard.disclaimer>
> _
> Kevin D Quitt USA 91387-4454 96.37% of all statistics are made up
> Per the FCA, this address may not be added to any commercial mail list
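As an added defender's example (not part of the original post, nor one of the Silent Runners scripts it links to), here is a Python script that audits a regedit export for the two locations the post names: the AppInit_DLLs value and the Browser Helper Objects subkeys. The post explains that an export taken in a live session on an infected box may omit the hidden value, so this is meant for an export you already trust; the .reg text below is constructed, and the DLL name and CLSID in it are made-up placeholders.

```python
import re

# Constructed sample of a regedit export (.reg); the DLL name and the
# CLSID are made-up placeholders, not real indicators.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINNT\\system32\\xq7kd.dll"
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@=""
"""

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def parse_reg(text):
    """Return {key_path: {value_name: value}} from .reg text (string values unescaped)."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
            if not m:
                continue  # blank line, comment, or a continuation we do not handle
            name = "" if m.group(1) == "@" else m.group(2)
            raw = m.group(3)
            if raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = raw  # hex:/dword: values are kept as-is
    return keys


def audit(keys):
    """List every AppInit_DLLs entry and every BHO CLSID found in the export."""
    findings = []
    lowered = {path.lower(): vals for path, vals in keys.items()}
    for name, val in lowered.get(APPINIT_KEY.lower(), {}).items():
        if name.lower() == "appinit_dlls" and val.strip():
            # AppInit_DLLs is space- or comma-separated; every DLL here loads into
            # every process that loads user32.dll, which is the post's whole point.
            findings += [("AppInit_DLLs", d) for d in re.split(r"[ ,]+", val.strip())]
    prefix = BHO_KEY.lower() + "\\"
    for path in keys:
        if path.lower().startswith(prefix):
            findings.append(("BHO", path[len(prefix):]))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(parse_reg(SAMPLE_REG)):
        print(f"{kind}: {detail}")
```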
