Security Incidents mailing list archives
RE: IE default Page
From: "Micro Kluge" <microkluge () hotmail com>
Date: Fri, 16 Jul 2004 19:28:44 +0000
Early versions of CoolwebSearch were trivial to defeat (ie adaware). The later versions are becoming increasingly annoying. The latest versions of CoolWeb laugh at most of the spy-ware removal tools. Use About Buster (google) and HiJackThis. About Buster will do most of your heavy lifting, then use HJT to scrap the rest of the leftover debris. The usual "safe mode" and "restore point" steps apply.
From: "Hagen, Eric" <ehagen () DenverNewspaperAgency com>
To: wnorth <wnorth () verizon net>, incidents () securityfocus com
Subject: RE: IE default Page
Date: Fri, 16 Jul 2004 09:21:54 -0600

I use "HijackThis" and have had success beating it. For most of my intensive Adware removal, I copy HiJackThis and CWShredder to the hard disk and then reboot the machine in safe mode. Then I manually kill all of the processes that it will allow me to kill... then run Hijackthis and cwshredder and take note of where the files are. I then go in and manually delete those files.

CoolWebSearch hasn't been nearly as much problem for us as "TVMedia" and "WinTools" or a few of the other ones that have multiple threads and/or system services that watch the system processes and restart each other when one of them is killed. WinTools is an amazingly resilient program that uses this method with 2 processes PLUS a system service all watching each other.

Interestingly enough, aren't they one of the companies who sued Symantec when they tried to add CWS as a "virus" to their definitions. After all, it's an "advertising engine" not a "virus" and they (like GMT and Gator) have been aggressive in pressing legal action against anyone who tries to "automatically" remove their "program".

Eric

-----Original Message-----
From: wnorth [mailto:wnorth () verizon net]
Sent: Thursday, July 15, 2004 6:46 PM
To: incidents () securityfocus com
Subject: IE default Page

Interesting bug going around, coolwebsearch, has anyone been successful in removing this virus from a system? It looks like it recreates the DLL under c:\windows\system32 and renames it after a few reboots. It's pretty annoying and I haven't been able to fully contain it.

Thoughts? Suggestions? I've used highjackthis, cwshredder and a few spyware detectors, but nothing is really fixing the problem.

Thanks,
-Wes