Full Disclosure mailing list archives
Re: Cool Web Search
From: "Gregh" <chows () ozemail com au>
Date: Fri, 30 Jul 2004 23:36:49 +1000
----- Original Message -----
From: "Andrew Clover" <and-bugtraq () doxdesk com>
To: <full-disclosure () lists netsys com>
Sent: Friday, July 30, 2004 9:44 PM
Subject: Re: [Full-disclosure] Cool Web Search
> Gregh <chows () ozemail com au> wrote:
> > It was used by me to list various entries in registry which, when lumped
> > together like that, show off CWS quite easily. Once they are there, removing
> > them and the progs started by some of them is easy.
>
> This is not the case for all variants of CWS. The newer, sneakier variants can rebuild themselves if they detect a program like HijackThis removing their registry entries.
Sorry but totally and utterly incorrect. You just do NOT understand what I have typed. I said that I used HiJackThis to list the entries in a group, then ticked them manually and then removed them. Along with that, it allowed you to identify the exe files that went with it. If you don't understand that then I can understand that you don't know how to get rid of it, but the truth is that this way DOES get rid of it. There are at LEAST 5 variants of CWS. I have met them all and beat them all.
> This is part of a strong trend in unsolicited commercial software, copying survival techniques learned from virus authors. The use of constantly-loaded multiple DLLs and/or processes and/or services that all restart and repair each other if tampering is detected, is becoming widespread (see also CommonName, ClearSearch, TVMedia etc.).
All easily beaten by using HiJackThis in the way I described. If I can do it, anyone with just a small amount of registry knowledge also can.
> Where there are not short-cut workarounds this means removing the software manually is simply impossible. Currently a trip into Safe Mode
Absolute and utter rot! I understand YOU may not be able to do it but it CAN be done. It is simple logic if you want to look at it another way - whatever can be DONE can be UNdone. The way I described works perfectly every time and takes 10 minutes or less to get rid of it, though admittedly the first time you use HiJackThis it can take longer.
> can do the trick, by stopping any of the software running, but I'm sure that'll be worked around too eventually. (Rootkit-like spyware?)
No, you are utterly wrong there, too. I have run Spybot and Adaware in safe mode. Spybot sees and removes CWS but it comes back on next boot anyway. You have to use HiJackThis to list the registry entries, which stand out like a sore thumb at that point. If you can't identify incorrect registry entries, though, naturally it will elude you!

Greg.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html