RE: IE default Page

From: Ed Wittmann (wittmannsae.org)
Date: Fri Jul 16 2004 - 11:48:38 CDT


I work at a major retailer's tech bench part time - we see boatloads of
this stupid thing, usually accompanied by what is defined as a backdoor
trojan, per housecall.antivirus.com's virus scanner.

1 - 2 services (usually Network Security Service, and/or Security
Agent) followed by the viral infection noted above.

This is how I got rid of it:

boot into safe mode with networking as the user account (not the Administrator account)
kill off those services (regedit and delete the references after you stop the services)
run hijackthis and kill whatever you see that doesn't belong
run virus scanning (Trendmicro's housecall works real well for this)
delete (not clean) the affected files
run hijackthis and kill whatever you see that doesn't belong
run a good spyware checker (we've been using Spy Sweeper) and delete everything else you see
remove the spyware-installing apps (usually wintools or p2p networking)
done.

it's almost not worth it in terms of time to fix. re-format is a surer,
and quicker, fix.

>>> "Hagen, Eric" <ehagenDenverNewspaperAgency.com> 16-Jul-04 11:21:54 AM >>>
I use "HijackThis" and have had success beating it. For most of my
intensive Adware removal, I copy HiJackThis and CWShredder to the hard disk
and then reboot the machine in safe mode. Then I manually kill all of the
processes that it will allow me to kill... then run Hijackthis and
cwshredder and take note of where the files are. I then go in and manually
delete those files. CoolWebSearch hasn't been nearly as much of a problem
for us as "TVMedia" and "WinTools" or a few of the other ones that have
multiple threads and/or system services that watch the system processes and
restart each other when one of them is killed. WinTools is an amazingly
resilient program that uses this method with 2 processes PLUS a system
service all watching each other.

Interestingly enough, aren't they one of the companies who sued Symantec
when they tried to add CWS as a "virus" to their definitions? After all,
it's an "advertising engine" not a "virus" and they (like GMT and Gator)
have been aggressive in pressing legal action against anyone who tries to
"automatically" remove their "program".

Eric

-----Original Message-----
From: wnorth [mailto:wnorthverizon.net]
Sent: Thursday, July 15, 2004 6:46 PM
To: incidentssecurityfocus.com
Subject: IE default Page

Interesting bug going around, coolwebsearch, has anyone been successful in
removing this virus from a system? It looks like it recreates the DLL under
c:\windows\system32 and renames it after a few reboots. It's pretty annoying
and I haven't been able to fully contain it.

Thoughts? Suggestions? I've used HijackThis, cwshredder and a few spyware
detectors, but nothing is really fixing the problem.

Thanks,

-Wes
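The "stop the services, then delete their registry references" step from the replies above, written out as an added PowerShell example (not code from any of the posters). The two display names come from the thread; every other name, the Microsoft-signature check and the dry-run behaviour are assumptions. Run it elevated from Safe Mode; it only reports unless -Remove is given.

```powershell
# Added example: triage Windows services and remove the rogue ones the thread
# describes. Display names 'Network Security Service' and 'Security Agent' come
# from the thread; all other names and logic are assumed. Dry run unless -Remove.
param(
    [string[]]$SuspectNames = @('Network Security Service', 'Security Agent'),
    [switch]$Remove
)

$services = Get-CimInstance -ClassName Win32_Service

# 1. Report every service whose executable is not Microsoft-signed: rogue
#    services pick official-sounding names, so judge them by their binary.
foreach ($svc in $services) {
    # Pull the executable out of the quoted-or-unquoted ImagePath, dropping arguments.
    if ($svc.PathName -notmatch '^"?(.+?\.exe)') { continue }
    $exe = $Matches[1]
    $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($signer -notmatch 'Microsoft') {
        [pscustomobject]@{
            Name = $svc.Name; DisplayName = $svc.DisplayName
            Path = $exe; Signer = $signer; State = $svc.State
        }
    }
}

# 2. Stop, disable and (with -Remove) delete the named services and their
#    registry keys, so nothing is left to restart them after the reboot.
foreach ($display in $SuspectNames) {
    $svc = $services | Where-Object { $_.DisplayName -eq $display }
    if (-not $svc) { Write-Host "not present: '$display'"; continue }
    Write-Host "found '$display' as service '$($svc.Name)' -> $($svc.PathName)"
    if (-not $Remove) { continue }
    Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    Set-Service -Name $svc.Name -StartupType Disabled
    # Equivalent to the manual regedit step: remove the service's own key.
    Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" -Recurse -Force
    Write-Host "removed service '$($svc.Name)'; delete $($svc.PathName) after the next reboot"
}
```

The first loop is the check worth doing before deleting anything: a service whose binary carries no Microsoft signature and lives under system32 with an official-sounding name is the pattern the thread describes, while a signed one should be left alone.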