20 replies to this topic

[Muriel]

Hey everyone,

Is anyone here familiar with CWS.GoogleMS.3? I'm entertaining it here at my place and PestPatrol's list of Pests has no information available on it. If you'd like to have it to study, let me know how to bundle it up for you and it's yours (it's a rude guest, really)

Any thoughts?
Muriel

[Tuxedo Jack]

Find the files, zip them (preferably Winzip), then mail the archive to Shadowwar or metallica. They're the resident analysts around here. Of course, if it's already listed in Merijn's list, just get rid of it.

http://www.spywarein...chronicles.html

[Muriel]

Yup,
It's listed there. Interesting, it's the first CWS variant that not only fiddles with files on your system, but the regenerating is linked to Windows Media Player, so the player has to be replaced, too. <_<

Now I just need to track down all those WMplayer bits that Microsoft arranged in such an organized manner.

[Tuxedo Jack]

Actually, Merijn and OldVersion have the WMP files.

Merijn has the executable; OldVersion has the installer.

http://www.oldversion.com

http://www.spywarein...n/winfiles.html

Edited by Tuxedo Jack, 17 May 2004 - 04:32 AM.

[Muriel]

Alright,
I've deleted all the loose traces of Media Player except for the last folder C:\Program Files\Windows Media Player.
It tells me "Cannot delete, Access denied, The source file may be in use."
This should be the last step to eliminate this CWS.GoogleMS.3, according to the details Merijn gave on the variant list. Could someone please give me a tip to override and delete this.
Afterwords, would it be appropriate to reenable the system restore and reboot, or should I check something else first.
I need to learn how to do this correctly.

Thanks in advance,

And Thanks Tuxedo Jack for the above links, I've added them to my own list of useful tools!

[Tuxedo Jack]

Put the file on a USB keychain/CD and reboot into Safe Mode. Copy over it.

[Muriel]

Yet another specific phrase. Could you clarify please?:

"Put the file on a USB keychain/CD "

Exactly what are the steps to do this and afterwards, you said copy over it in Safe Mode. Will there be a problem trying to copy the new WMPlayer9 exe over the other---it's a folder with the corrupt version of WMplayer and the import responsible, not just a file.

Will this make a difference?
Laugh at me all you like, I know I have a lot to learn here.

Thanks,
Muriel

[Tuxedo Jack]

You won't have a problem copying over it at all.

If you have a USB keychain drive, download the WMPlayer.exe executable from Merijn straight to it, then copy it to C:\wmplayer.exe. Reboot to Safe Mode, and overwrite the hacked one with the real one.

Or you can burn it to a CD, though I don't know if ME's Safe Mode can read CDs. I know 2K and XP can, but I'm not sure on ME. The steps are the same - reboot to Safe Mode, then copy the new one over the old.

[Muriel]

I'm not sure if this is correct, but I'm going to download and extract another copy of the new mediaplayer exe to this drive:

C:\Windows\Options\Cabs

Then I'll reboot into Safe Mode and try to load it over the Windows Media Player.

Wish me luck! (or good riddance)

[Tuxedo Jack]

C:\windows\options\cabs is great. I wouldn't put it there, though - it's got the legit mplayer2.exe inside a CAB in there, and that's a sacrosanct WinDIR for reinstallation of components.

[luci2a]

Muriel - not sure if this is your situation, but if your CWSGoogle.MS3 is only being picked up by PestPatrol, and not by any other progs such as Spybot S&D, it could be one of PP's many false positives. PP reads the entry in the restricted sites list of Spyware Blaster, and flags that as a pest. I have contacted PP, asking them for comment - needless to say had no reply as yet!

There are lots of people in many forums discussing this problem right now. Aplogies if it is not relevant to your situation though.
Maybe one of the experts here will comment.

Luci2a

[raven26]

I also have my supicision about Pest Patrol. I had them scan my system and supposedly found three things that SB & AD6 didn't find and immediately started telling that Pest Patrol recognized them. Kinda sounds like a sales pitch. Could not find any of the stuff they found on my computer.

[blueegyptian]

Cool web search also found on my machine today by pp and not by spybot or adaware. Also same from cws shredder so wondering if this is same false positive. Have deleted the file from the registry without any problem. I had the same problem with media player and am using me but reinstalled from an installation I had saved previously.

[Swami]

Bummer about the old board ... :o

I had a cool web search variant last week that the latest CW Shredder, Spybot, or Ad Aware didnt even detect ... luckily i have layered protection and Spysweeper found it and deleted it.

Now i have a version of V4 spyware that nothing detects or can get rid of ... I had to do it manually.

Registry entry's:
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/


Some of the files to be on the lookout for for those who are interested:
C:\Documents and Settings\Tom\Application Data\Opera\Opera7\profile
*cookies4.dat*
*cookies4.dat.sbsd.bak*
*global.dat*
*opera.dir*
*vlink4.dat*
*wand.dat*

C:\Documents and Settings\Tom\Application Data\Opera\Opera7\profile\sessions
*autosave.win*

Also there is an internet shortcut .lnk
C:\Documents and Settings\Tom\Application Data\Opera\Opera7\profile\dcache4
dcache4.url

It looks like the spy pukes are going after Opera pretty hard here lately ... BAH!

Edited by Swami, 20 May 2004 - 08:34 AM.

[Muriel]

Thanks for the info so far everyone.

As it stands at the moment, it seems I haven't eliminated CWSGoogleMS.3 after all <_< , as a rogue copy of MPLAYER.EXE keeps regenerating in random places in the C:\Windows folder. I'm also curious about a Wininit.ini file in the same folder that appeared at the top of the list, but off to the right by itself. FileAlyzer's text preview states:
[rename] NUL=C:\Windows\Temp\GLB1A2B.EXE
Is this normal, and could it be connected with this variant in any way?

According to Merjin's list of variants, this version modifies and deletes system files. Also it can load a fake notebook icon in Windows system folder. There's one in mine called wmpscheme.xml that has mplayer scattered in Filealyzer's hexdump, but I don't know much about code. You also have to delete and replace Mplayer, which I thought I'd done, but apparently not completely. I have the zip tucked away so I can easily do it again, but need to track the connecting files down.

Does anyone have any other ideas on specific files to look for, registry fixes or anything else?

Thanks in advance!

[Tuxedo Jack]

You can search for wmplayer.exe using the find command and kill them all, then reinstall WMP.

Delete everything in the Temp folder on a daily basis.

[Muriel]

Thanks for responding Tux,
I've emptied the temp folder and done the seek and destroy tactic with wmplayer.exe, except the rogue version is named slightly different mplayer.exe, and even has the old media player 2 name and icon in the properties.

I've used FileAlyzer to look it over and it's been disguised very well as genuine Microsoft material (not surprising, as they've simply rewritten part of it to serve their purpose).
Problem, as with most of these, is that I delete and watch it instantly reappear towards the bottom of the list in the C:\Windows folder, so I'm thinking it has to be linked to something else in my system. The question is: What?

I don't know if any of these have any thing to do with it but, they're from the notepad list I exported from FileAlyzer on the mplayer.exe. Could you tell me your thoughts on these or if there's anything specific you'd like me to look for in the list (the remainder is various code commands I'm not familiar with, but maybe one has a clue to the whereabouts to this thing's friends?):
Export table
Import table (libraries: 7)
KERNEL32.dll (imports: 69)
USER32.dll (imports: 133)
GDI32.dll (imports: 47)
COMCTL32.dll (imports: 3)
SHELL32.dll (imports: 6)
WINMM.dll (imports: 6)
ADVAPI32.dll (imports: 7)

How about any of the other files listed above or the registry fixes, Merijn's variant list states that some registry editing is needed along with replacing wmplayer?

[Muriel]

Did an advanced search looking for text having to do with this problem and ran across 48 objects, mostly legit, but some questionable.

In the C:\Windows\System folder, there's a file sfplog.txt that shows this rogue version when it was installed (back when I picked up HDefender and others earlier in the month) and it shows my many attempts to delete it, stating the following:

File C:\WINDOWS\MPLAYER.EXE has been deleted

immediately followed by:

SFP restored file C:\WINDOWS\MPLAYER.EXE to version 4.90.0.3000

There's another file similiar to this in the same folder called sfpdb.sfp (SFP file) which File Alyzer only gives a (big) hex dump for

Also, There are eight copies of this mplayer version (A0000029.CPY and similiar names) sitting in the C:\_Restore\Temp folder. I disabled system restore weeks ago, but I guess that has nothing to do with these as there are creation dates from today ).

Classes.dat was mentioned in the list, but I don't know that that's an issue here.

This is really annoying. <_<

Edited by Muriel, 21 May 2004 - 12:45 PM.

[Muriel]

Alright,
Finally was able to get rid of the rogue MPlayer.exe in Safe mode without it being able to respawn, but PestPatrol is still spotting something to do with it.

FileAlyzer's scan of PestPatrol's Masterlog shows this:

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\domains\xxxtoolbar.com","CWS.GoogleMS.3"

My question is this: Is this a false reading of Pest Patrol's, or is it reading something having to do with the restricted sites that SpywareBlaster &IEspyad added, or something in the Registry that needs editing?

Looking up the location above in Regedit ends in xxxtoolbar.com, there's nothing mentioned regarding CWS.GoogleMS.3

Any thoughts?
Thanks in advance!

[Tuxedo Jack]

If it's in the Restricted Sites zone, it'll show up in CWShredder and (maybe) PP as a false positive. Don't worry about it.

[Muriel]

Very cool!

Thanks for all your help, Tux!