Security Incidents mailing list archives

RE: IE default Page


From: "Hagen, Eric" <ehagen () DenverNewspaperAgency com>
Date: Fri, 16 Jul 2004 09:21:54 -0600

I use "HijackThis" and have had success beating it.  For most of my
intensive Adware removal, I copy HijackThis and CWShredder to the hard disk
and then reboot the machine in safe mode.  Then I manually kill all of the
processes that it will allow me to kill...  then run HijackThis and
CWShredder and take note of where the files are.  I then go in and manually
delete those files.   CoolWebSearch hasn't been nearly as much of a problem for
us as "TVMedia" and "WinTools" or a few of the other ones that have multiple
threads and/or system services that watch the system processes and restart
each other when one of them is killed.  WinTools is an amazingly resilient
program that uses this method with 2 processes PLUS a system service all
watching each other.

Interestingly enough, aren't they one of the companies who sued Symantec
when they tried to add CWS as a "virus" to their definitions? After all,
it's an "advertising engine" not a "virus" and they (like GMT and Gator)
have been aggressive in pressing legal action against anyone who tries to
"automatically" remove their "program".

Eric

-----Original Message-----
From: wnorth [mailto:wnorth () verizon net] 
Sent: Thursday, July 15, 2004 6:46 PM
To: incidents () securityfocus com
Subject: IE default Page

Interesting bug going around, CoolWebSearch. Has anyone been successful in
removing this virus from a system? It looks like it recreates the DLL under
c:\windows\system32 and renames it after a few reboots. It's pretty annoying
and I haven't been able to fully contain it. 

Thoughts? Suggestions? I've used HijackThis, CWShredder and a few spyware
detectors, but nothing is really fixing the problem.

Thanks,

-Wes

