Chick
Cartwheel RIGHT
Finally! Someone has figured out how toremove this particularly 3vil piece of spyware. The only way i ahve found in the past is to reformat my hard drive.
For the imaptient: The procedure and scripts can be found here:
http://www.silentrunners.org/sr_cwsremoval.html
For the bored: read on !
>>>>>> From ntBugTraq <<<<<<
CWS, CoolWebSearch, is a particularly nasty incarnation of ad-ware.
Rossano Ferraris ([email protected]) and I have collaborated to develop a simple procedure to remove it from an NT4-W2K-WXP box.
CWS is widely discussed on the web, but it's poorly understood and procedures to remove it are often lengthy, cumbersome and ineffective.
Users are sometimes forced to reformat the hard disk to remove it. CWS comes in a variety of flavors. This post will only consider the most insidious, which involves two components: a shield-DLL and a BHO (Browser Helper Object).
Shield-DLL
----------
The shield-DLL installs itself to the following registry value in NT4-type systems:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
Per MSKB 197571, a .DLL listed there is "loaded by each Windows-based application running within the current logon session." IOW, any ad-ware found here runs concurrently with _every_ program launched. It is truly astonishing that such a registry location exists.
Here's what the CWS shield-DLL manages to do:
1. It prevents almost all registry editors from displaying it as an
AppInit_Dlls value. This list includes, but is not limited to:
Regedit.exe (even if renamed), Regedt32.exe, Reg.exe, Autoruns,
HijackThis, and, my favorite (because I wrote it), the "Silent
Runners.vbs" script. The _only_ program known to display it, for
unknown reasons, is the freeware Registrar Lite 2.0, available
here: http://www.resplendence.com/reglite/
2. It prevents all GUI and command line tools from listing it or
deleting it. This list includes, but is not limited to: Windows
Explorer, DIR, ATTRIB, CACLS, and DEL.
3. The .DLL file has eccentric security permissions (SYNCHRONIZE
and FILE_EXECUTE) and is READ-ONLY. Once the shield-DLL is removed
from memory, an Admin must reset security to delete the file.
4. It has a unique name on every system it infects.
5. It ensures that a BHO starts up with IE at every boot.
6. If the BHO is deleted, it restores the BHO under a new name at
the next boot.
This combination of features makes it a formidable adversary.
BHO
---
This is a .DLL that installs itself as a subkey of the following key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
The BHO is responsible for the ad-ware symptoms: change of home page, profusion of popups, and anything else that foments the users' wrath.
The BHO registry key and the file are not protected; both can be deleted. The BHO will simply be reloaded under a new name at the next boot.
To eliminate CWS, we have developed a relatively simple procedure (compared to everything else that's out there) that involves using Registrar Lite 2.0 to record the name of the shield-DLL, a VBS script to remove it from AppInit_Dlls, the "Silent Runners" script to identify the BHO, and, after reboot, a second VBS script to delete the shield-DLL and BHO files. The procedure and scripts can be found here:
http://www.silentrunners.org/sr_cwsremoval.html
MS please take note:
AppInit_Dlls is a gaping security hole. Unfettered access to this value should be removed ASAP from NT4/W2K/WXP.
regards, Andrew Aronoff & Rossano Ferraris
For the imaptient: The procedure and scripts can be found here:
http://www.silentrunners.org/sr_cwsremoval.html
For the bored: read on !
>>>>>> From ntBugTraq <<<<<<
CWS, CoolWebSearch, is a particularly nasty incarnation of ad-ware.
Rossano Ferraris ([email protected]) and I have collaborated to develop a simple procedure to remove it from an NT4-W2K-WXP box.
CWS is widely discussed on the web, but it's poorly understood and procedures to remove it are often lengthy, cumbersome and ineffective.
Users are sometimes forced to reformat the hard disk to remove it. CWS comes in a variety of flavors. This post will only consider the most insidious, which involves two components: a shield-DLL and a BHO (Browser Helper Object).
Shield-DLL
----------
The shield-DLL installs itself to the following registry value in NT4-type systems:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
Per MSKB 197571, a .DLL listed there is "loaded by each Windows-based application running within the current logon session." IOW, any ad-ware found here runs concurrently with _every_ program launched. It is truly astonishing that such a registry location exists.
Here's what the CWS shield-DLL manages to do:
1. It prevents almost all registry editors from displaying it as an
AppInit_Dlls value. This list includes, but is not limited to:
Regedit.exe (even if renamed), Regedt32.exe, Reg.exe, Autoruns,
HijackThis, and, my favorite (because I wrote it), the "Silent
Runners.vbs" script. The _only_ program known to display it, for
unknown reasons, is the freeware Registrar Lite 2.0, available
here: http://www.resplendence.com/reglite/
2. It prevents all GUI and command line tools from listing it or
deleting it. This list includes, but is not limited to: Windows
Explorer, DIR, ATTRIB, CACLS, and DEL.
3. The .DLL file has eccentric security permissions (SYNCHRONIZE
and FILE_EXECUTE) and is READ-ONLY. Once the shield-DLL is removed
from memory, an Admin must reset security to delete the file.
4. It has a unique name on every system it infects.
5. It ensures that a BHO starts up with IE at every boot.
6. If the BHO is deleted, it restores the BHO under a new name at
the next boot.
This combination of features makes it a formidable adversary.
BHO
---
This is a .DLL that installs itself as a subkey of the following key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
The BHO is responsible for the ad-ware symptoms: change of home page, profusion of popups, and anything else that foments the users' wrath.
The BHO registry key and the file are not protected; both can be deleted. The BHO will simply be reloaded under a new name at the next boot.
To eliminate CWS, we have developed a relatively simple procedure (compared to everything else that's out there) that involves using Registrar Lite 2.0 to record the name of the shield-DLL, a VBS script to remove it from AppInit_Dlls, the "Silent Runners" script to identify the BHO, and, after reboot, a second VBS script to delete the shield-DLL and BHO files. The procedure and scripts can be found here:
http://www.silentrunners.org/sr_cwsremoval.html
MS please take note:
AppInit_Dlls is a gaping security hole. Unfettered access to this value should be removed ASAP from NT4/W2K/WXP.
regards, Andrew Aronoff & Rossano Ferraris
Last edited:
I'll find this very usefull for those computers at the university that we don't want to trash (mainly the staff ones).