UGN Security
Posted By: §intå× Cool Web Search(CWS) - 08/19/04 09:50 PM
Anyone have this nasty piece of malware/trojan? I can't kill it. I ran Lavasoft's Ad-Aware, Spybot Search and Destroy, and CWS shredder (an app made to kill it).

Someone with success in killing this evil evil evil program please advise me.

This thing has completely taken control of IE6.0. I can change the homepage but it just changes right back. The URL?

res://some_random_string.htm

Now I have located the web page on my system. It is buried in these DLLs this progy creates. I have opened them in Notepad and wiped them clean, only to have the progy download an update and make that a worthless effort.

I have found some of the registry entries but no doubt there are more. I have found 8 in various hives and places.

I have read I will need to boot into DOS and find the deeply hidden files to wipe them out.

This freaking thing downloads its own updates without my knowing. It is in depth.
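
An added example, not part of any post in this thread: a Python script that scans a regedit text export for Internet Explorer homepage and search values set to a `res://` URL, the symptom described in the post above, and reports which DLL each one loads from. The sample export, the DLL name and the list of watched value names are constructed for illustration.

```python
import re

# Constructed sample: fragment of a regedit text export, not taken from the thread.
# Real regedit exports are UTF-16; decode the file before passing it in.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="res://C:\\WINDOWS\\system32\\qxkzp.dll/index.html#37049"
"Search Page"="http://www.example.com/search"
"Local Page"="C:\\WINDOWS\\system32\\blank.htm"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="res://C:\\WINDOWS\\qxkzp.dll/sp.html"
"Start Page"="about:blank"
'''

# IE homepage/search values to inspect (assumed watch list for this example).
WATCHED = {"start page", "search page", "search bar",
           "default_page_url", "default_search_url"}
IE_MAIN = r'\internet explorer\main'
KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RES_RE = re.compile(r'^res://(.+?\.dll)', re.IGNORECASE)

def unescape(s):
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def find_res_hijacks(reg_text):
    """Return (key, value name, DLL path) for watched values set to res:// URLs."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)  # string values only; dword/hex lines are skipped
        if not m or key is None or not key.lower().endswith(IE_MAIN):
            continue
        name, value = unescape(m.group(1)), unescape(m.group(2))
        r = RES_RE.match(value) if name.lower() in WATCHED else None
        if r:
            findings.append((key, name, r.group(1)))
    return findings

if __name__ == "__main__":
    for key, name, dll in find_res_hijacks(SAMPLE_REG):
        print(f"{key}\n  {name} -> loads page from {dll}")
```

The DLL paths it reports are the files to examine or quarantine offline; the same value names should be re-checked after cleanup, since the thread describes the setting being rewritten.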
Posted By: Gremelin Re: Cool Web Search(CWS) - 08/20/04 06:32 AM
for the homepage thing, use my homepage locking script in windows; just set it to what you want, hit ok then lock it.

most likely the homepage thing is re-installing it, also nuke registry entries after you update and any processes associated.
Posted By: Rican Havock Re: Cool Web Search(CWS) - 08/20/04 06:47 AM
i had the same issue u are having now, until i Switched to Opera....(IE6 sucks in so many ways)
but what u can do is run Hijack This, Ad aware, and Spybot.. if those fail u can do it manually by searching the registry, but be careful
Posted By: §intå× Re: Cool Web Search(CWS) - 08/20/04 09:09 AM
Quote:
Originally posted by Rican Havock:
i had the same issue u are having now, until i Switched to Opera....(IE6 sucks in so many ways)
but what u can do is run Hijack This, Ad aware, and Spybot.. if those fail u can do it manually by searching the registry, but be careful

I ran Ad aware, Spybot, never heard of hijack this.. I have the new ad aware too. Ad aware SE.

You still have the problem Rican Havock!!! This is no regular ad-ware scum. It is actually classified as a trojan. Updates for it are made weekly. It is thought to belong to some ad company in Russia. Do a search in google groups and you can see the power this thing has.

Giz I did lock the home page. It was unlocked and re-set. How is that for evil.
Posted By: dashocker Re: Cool Web Search(CWS) - 08/20/04 02:40 PM
Spanky, I had the same one man. It's the biggest pain in the [censored] ever. Your version appears to be slightly different, tho. The site you need is: http://www.spywareinfo.com/~merijn/
It appears Murphy's law is in full effect...the site is down at the moment. If it's not up by the time you see this, message me. I'll try and help as much as I can.

EDIT: There are tons of different versions of CWS. HijackThis is a program that lists all the registry/system/etc. settings that spyware normally affects. CWShredder is the one you really need. If your version has been identified, this baby will wipe it out. I also have the tool for removing the so-called "deeply hidden files," although you really need the tutorial to use it. You probably won't even need it.
Posted By: Shinobi Re: Cool Web Search(CWS) - 08/20/04 07:26 PM
Spanky for real dude. I got so tired of the adware and browser hijackers for IE. I switched to mozilla firefox. It works much much better, and I don't have half the problems I had with IE. Of course you still wanna get rid of what you already have, but Firefox man...It's something to think about, or check out at least!
Posted By: §intå× Re: Cool Web Search(CWS) - 08/20/04 07:55 PM
I have been using Fox fire since it was called phoenix fire bird.

I have Opera, Fox Fire, Netscape, Mozilla, Lynx, IE, and a few more lesser-known browsers. I need IE for work related sites designed for it. I need IE because the idea of a trojan dancing around in a browser so interwoven into my OS creeps me out.
Posted By: Gremelin Re: Cool Web Search(CWS) - 08/21/04 04:41 AM
I hate firefox, but I love mozilla... I still have issues with firefox (firebird, phoenix, etc).
Posted By: dashocker Re: Cool Web Search(CWS) - 08/21/04 05:41 AM
Spanky, did my post help? Did you get rid of it?
Posted By: §intå× Re: Cool Web Search(CWS) - 08/21/04 07:02 PM
Quote:
Originally posted by dashocker:
Spanky, I had the same one man. It's the biggest pain in the [censored] ever. Your version appears to be slightly different, tho. The site you need is: http://www.spywareinfo.com/~merijn/
It appears Murphy's law is in full effect...the site is down at the moment. If it's not up by the time you see this, message me. I'll try and help as much as I can.

EDIT: There are tons of different versions of CWS. HijackThis is a program that lists all the registry/system/etc. settings that spyware normally affects. CWShredder is the one you really need. If your version has been identified, this baby will wipe it out. I also have the tool for removing the so-called "deeply hidden files," although you really need the tutorial to use it. You probably won't even need it.
http://www.spywareinfo.com
will be ready soon!

I ran CWS shredder. Nothing! Whatever [censored] child/version I have, it didn't wipe it out. It is kinda smart really.

It auto-updates, right? It also attacks the CWS shredder site. So it has the ability to stay 1 step ahead of the game. The file names are random numbers and letters. They change where they are placed from week to week. This thing is just wild.

I see the developer for CWS shredder has stopped making new versions. He says that with the depth CWS has now reached, he cannot keep up with it.


Check out this article on The Register
http://www.theregister.co.uk/2004/06/29/cws_shredder/
Posted By: Erik Re: Cool Web Search(CWS) - 11/10/04 11:06 PM
I have run into this nice little program many times. The best piece of software I have found that deletes most of it is NOD32; it has CWShredder packaged with it. It is updated often and is very helpful for other virus/trojan removal.
http://www.nod32.com