Full Disclosure mailing list archives
Re: Re: Cool Web Search
From: "JacK" <jack () websecurite org>
Date: Fri, 30 Jul 2004 18:56:26 +0200
I don't know if you fully understand HiJackThis or maybe I was just unclear.
HiJackThis wasn't used by me to get rid of CWS as, for example, running Adaware gets rid of tracking cookies and some installed spyware progs. It was used by me to list various entries in registry which, when lumpedtogether like that, show off CWS quite easily. Once they are there, removingthem and the progs started by some of them is easy.
That is all you have to do. Don't expect HiJackThis to magically get rid ofit all at the flick of a button. You DO have to have a small amount ofregistry knowledge in order to ID which entries are seriously bull and whichare honest BHOs etc. I am not a registry "expert" but claim a small amount of registry knowledge so even to ME it was obvious what was what.
It 's obvious you did not get the variants I am speaking about and you are no Registry "expert" ;)
For those variants :HijackThis let you see the entry HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Windows\AppInit_DLLs (and in most case with no value) BUT when you delete it and click refresh, it comes immediately back for the trojan is still running. If you kill the associated running random name dll (for instance c:\windows\system32\logb.dll) it comes back at next reboot and adds the value AppInit_DLLs again in the registry.
To get rid of it, you have to rename the key HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows in Windows2 , then delete the entry AppInit_DLLs which seems not having any value. When done, rename the key with its regular name and AppInit_DLLs will not appear anymore when refreshing ; only when it's done you will be able to kill and delete the random name.dll for good which is the Backdoor.Agent.ba used to install this tricky variant of CoolWebSearch.
That's why I said HijackThis has its limits : suppressing the entries its log gives directly from the registry does not help.
That's just an exemple, the are other variants which add in the registry the entry AppInit_Dlls somewhere else with the same result and the same way to get rid of it.
Hoping it's clearer now, so sorry for my poor English. Regards, -- http://www.optimix.be.tf /MVP WindowsXP/ http://websecurite.orghttp://www.msmvps.com/XPditif/ http://experts.microsoft.fr/longhorn4u/
*Helping you void your warranty since 2000* @(*0*)@ JacK _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Re: Cool Web Search, (continued)
- Re: Re: Cool Web Search Jon (Jul 30)
- Re: Cool Web Search Denis McMahon (Jul 30)
- Re: Re: Cool Web Search Brendan Dolan-Gavitt (Jul 30)
- Re: Cool Web Search Valdis . Kletnieks (Jul 30)
- Re: Re: Cool Web Search Aaron Horst (Jul 30)
- RE: Re: Cool Web Search KUIJPERS Jimmy (Jul 30)
- RE: Re: Cool Web Search Dean Porter (Jul 30)
- RE: Re: Cool Web Search Goudie, Derek (Jul 30)
- RE: Re: Cool Web Search kquest (Jul 30)
- Re: Cool Web Search JacK (Jul 30)
- Re: Re: Cool Web Search JacK (Jul 30)
- RE: Re: Cool Web Search Todd Towles (Jul 30)
- RE: Re: Cool Web Search Ron DuFresne (Jul 30)
- RE: Re: Cool Web Search Todd Towles (Jul 30)
- RE: Cool Web Search Schmidt, Michael R. (Jul 30)
- FW: Cool Web Search Simmons, Thomas (Jul 30)
- RE: Cool Web Search Dean Porter (Jul 30)
- Re: Cool Web Search Denis McMahon (Jul 31)