RE: IE default Page

["Micro Kluge" <microkluge () hotmail com>]

Early versions of CoolwebSearch were trivial to defeat (ie adaware).  The 
later versions are becoming increasingly annoying.  The latest versions of 
CoolWeb laugh at most of the spy-ware removal tools.  Use About Buster 
(google) and HiJackThis.  About Buster will do most of your heavy lifting, 
then use HJT to scrap the rest of the leftover debris.  The usual "safe 
mode" and "restore point" steps apply.


> From: "Hagen, Eric" <ehagen () DenverNewspaperAgency com>
> To: wnorth <wnorth () verizon net>, incidents () securityfocus com
> Subject: RE: IE default Page
> Date: Fri, 16 Jul 2004 09:21:54 -0600
>
> I use "HijackThis" and have had success beating it.  For most of my
> intensive Adware removal, I copy HiJackThis and CWShredder to the hard disk
> and then reboot the machine in safe mode.  Then I manually kill all of the
> processes that it will allow me to kill...  then run Hijackthis and
> cwshredder and take note of where the files are.  I then go in and manually
> delete those files.   CoolWebSearch hasn't been nearly as much problem for
> us as "TVMedia" and "WinTools" or a few of the other ones that have 
> multiple
> threads and/or system services that watch the system processes and restart
> each other when one of them is killed.  WinTools is an amazingly resilient
> program that uses this method with 2 processes PLUS a system service all
> watching each other.
>
> Interestingly enough, aren't they one of the companies who sued Symantec
> when they tried to add CWS as a "virus" to their definitions. After all,
> it's an "advertising engine" not a "virus" and they (like GMT and Gator)
> have been aggressive in pressing legal action against anyone who tries to
> "automatically" remove their "program".
>
> Eric
>
> -----Original Message-----
> From: wnorth [mailto:wnorth () verizon net]
> Sent: Thursday, July 15, 2004 6:46 PM
> To: incidents () securityfocus com
> Subject: IE default Page
>
> Interesting bug going around, coolwebsearch, has anyone been successful in
> removing this virus from a system? It looks like it recreates the DLL under
> c:\windows\system32 and renames it after a few reboots. It's pretty 
> annoying
> and I haven't been able to fully contain it.
>
> Thoughts? Suggestions? I've used highjackthis, cwshredder and a few spyware
> detectors, but nothing is really fixing the problem.
>
> Thanks,
>
> -Wes

_________________________________________________________________
MSN Toolbar provides one-click access to Hotmail from any Web page – FREE 
download! http://toolbar.msn.click-url.com/go/onm00200413ave/direct/01/