Re: IE default Page

Justin.Rosssignalsolutionsinc.com
Date: Fri Jul 16 2004 - 13:14:18 CDT


My experience was that the fix (CWShredder) would not "take" until the
machine was restarted after applying it. Applying the fix and then opening
the browser just led to reinfection, possibly because of a cached
registry value/hive/key.

Justin Ross
MCP+I, MCSE, CCNA, CCSA, CCSE, CCSI
Senior Network Security Engineer
Signal Solutions Inc. - http://www.signalcorp.com
101 Wilcox Dr.
Sierra Vista, AZ 85635
Phone: (520) 459-1354 x3095
Cell: (520) 234-4080
Fax: (520) 459-1428
Email: Justin.Rosssignalsolutionsinc.com

Try this out, I had one that was doing that and used the technique
described by LoPhatPhuud in the web-forum topic linked below to remove it.
The only difference was that my .dll and .cpy.dll files had a different
base name. But it's easy enough to find as it's mentioned in the Guardian
branch and should be the only .cpy.dll file in the system32 directory. It
is set to hidden, system, and read-only, so you'll need to tell Windows to
show it to you.

http://forums.net-integration.net/index.php?showtopic=13744

>Interesting bug going around, coolwebsearch, has anyone been successful in
>removing this virus from a system? It looks like it recreates the DLL under
>c:\windows\system32 and renames it after a few reboots. It's pretty annoying
>and I haven't been able to fully contain it.
>
>Thoughts? Suggestions? I've used HijackThis, cwshredder and a few spyware
>detectors, but nothing is really fixing the problem.
>
>Thanks,
>
>-Wes

--

Steven Bairstow
Computer and Network Services - Abington College - Penn State University
http://www.personal.psu.edu/~sab139 PGP Key ID = 0x0C81E13C

"No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced."
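
The file search described in the reply above, as an added example that is not part of the original thread or of any tool named in it: a read-only PowerShell listing of `.cpy.dll` files in system32, including ones marked hidden, system and read-only. It assumes the companion DLL shares the same base name (`<base>.dll` next to `<base>.cpy.dll`), which is an inference from the post, not something the thread states outright.

```powershell
# Added example (not from the thread): locate *.cpy.dll files in system32
# even when they are flagged Hidden + System + ReadOnly, and report on each.
$dir   = Join-Path $env:windir 'System32'
$flags = [IO.FileAttributes]'Hidden, System, ReadOnly'

# -Force makes Get-ChildItem return hidden and system files,
# which the default listing (and Explorer's default view) leaves out.
Get-ChildItem -LiteralPath $dir -Filter '*.cpy.dll' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Assumption: the paired DLL is "<base>.dll" for "<base>.cpy.dll".
        $base    = $_.Name -replace '\.cpy\.dll$', ''
        $sibling = Join-Path $dir "$base.dll"

        [pscustomobject]@{
            Name          = $_.Name
            Attributes    = $_.Attributes
            # True only when all three attributes from the post are set.
            AllThreeSet   = (($_.Attributes -band $flags) -eq $flags)
            LastWriteTime = $_.LastWriteTime
            # Hash recorded so the file can be identified again later.
            SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            SiblingDll    = $sibling
            SiblingExists = Test-Path -LiteralPath $sibling
        }
    } | Format-List
```

The script only reads and reports; it changes no attributes and deletes nothing. On 64-bit Windows, run it from a 64-bit PowerShell session so that the System32 path is not redirected to SysWOW64.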