Anyone know CWS.GoogleMS.3??
Posted 17 May 2004 - 01:00 AM
Is anyone here familiar with CWS.GoogleMS.3? I'm entertaining it here at my place and PestPatrol's list of Pests has no information available on it. If you'd like to have it to study, let me know how to bundle it up for you and it's yours (it's a rude guest, really)
Posted 17 May 2004 - 02:35 AM
Posted 17 May 2004 - 04:25 AM
It's listed there. Interesting, it's the first CWS variant that not only fiddles with files on your system, but the regenerating is linked to Windows Media Player, so the player has to be replaced, too. <_<
Now I just need to track down all those WMplayer bits that Microsoft arranged in such an organized manner.
Posted 17 May 2004 - 04:30 AM
Merijn has the executable; OldVersion has the installer.
Edited by Tuxedo Jack, 17 May 2004 - 04:32 AM.
Posted 17 May 2004 - 11:20 AM
I've deleted all the loose traces of Media Player except for the last folder C:\Program Files\Windows Media Player.
It tells me "Cannot delete, Access denied, The source file may be in use."
This should be the last step to eliminate this CWS.GoogleMS.3, according to the details Merijn gave on the variant list. Could someone please give me a tip to override and delete this.
Afterwords, would it be appropriate to reenable the system restore and reboot, or should I check something else first.
I need to learn how to do this correctly.
Thanks in advance,
And Thanks Tuxedo Jack for the above links, I've added them to my own list of useful tools!
Posted 17 May 2004 - 12:20 PM
Posted 17 May 2004 - 01:12 PM
"Put the file on a USB keychain/CD "
Exactly what are the steps to do this and afterwards, you said copy over it in Safe Mode. Will there be a problem trying to copy the new WMPlayer9 exe over the other---it's a folder with the corrupt version of WMplayer and the import responsible, not just a file.
Will this make a difference?
Laugh at me all you like, I know I have a lot to learn here.
Posted 17 May 2004 - 01:31 PM
If you have a USB keychain drive, download the WMPlayer.exe executable from Merijn straight to it, then copy it to C:\wmplayer.exe. Reboot to Safe Mode, and overwrite the hacked one with the real one.
Or you can burn it to a CD, though I don't know if ME's Safe Mode can read CDs. I know 2K and XP can, but I'm not sure on ME. The steps are the same - reboot to Safe Mode, then copy the new one over the old.
Posted 17 May 2004 - 01:46 PM
Then I'll reboot into Safe Mode and try to load it over the Windows Media Player.
Wish me luck! (or good riddance)
Posted 17 May 2004 - 02:09 PM
Posted 18 May 2004 - 12:54 PM
There are lots of people in many forums discussing this problem right now. Aplogies if it is not relevant to your situation though.
Maybe one of the experts here will comment.
Posted 19 May 2004 - 11:39 AM
Posted 19 May 2004 - 03:32 PM
Posted 20 May 2004 - 08:18 AM
I had a cool web search variant last week that the latest CW Shredder, Spybot, or Ad Aware didnt even detect ... luckily i have layered protection and Spysweeper found it and deleted it.
Now i have a version of V4 spyware that nothing detects or can get rid of ... I had to do it manually.
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
Some of the files to be on the lookout for for those who are interested:
C:\Documents and Settings\Tom\Application Data\Opera\Opera7\profile
C:\Documents and Settings\Tom\Application Data\Opera\Opera7\profile\sessions
Also there is an internet shortcut .lnk
C:\Documents and Settings\Tom\Application Data\Opera\Opera7\profile\dcache4
It looks like the spy pukes are going after Opera pretty hard here lately ... BAH!
Edited by Swami, 20 May 2004 - 08:34 AM.
Posted 20 May 2004 - 11:11 AM
As it stands at the moment, it seems I haven't eliminated CWSGoogleMS.3 after all <_< , as a rogue copy of MPLAYER.EXE keeps regenerating in random places in the C:\Windows folder. I'm also curious about a Wininit.ini file in the same folder that appeared at the top of the list, but off to the right by itself. FileAlyzer's text preview states:
Is this normal, and could it be connected with this variant in any way?
According to Merjin's list of variants, this version modifies and deletes system files. Also it can load a fake notebook icon in Windows system folder. There's one in mine called wmpscheme.xml that has mplayer scattered in Filealyzer's hexdump, but I don't know much about code. You also have to delete and replace Mplayer, which I thought I'd done, but apparently not completely. I have the zip tucked away so I can easily do it again, but need to track the connecting files down.
Does anyone have any other ideas on specific files to look for, registry fixes or anything else?
Thanks in advance!
Posted 20 May 2004 - 12:10 PM
Delete everything in the Temp folder on a daily basis.
Posted 21 May 2004 - 10:08 AM
I've emptied the temp folder and done the seek and destroy tactic with wmplayer.exe, except the rogue version is named slightly different mplayer.exe, and even has the old media player 2 name and icon in the properties.
I've used FileAlyzer to look it over and it's been disguised very well as genuine Microsoft material (not surprising, as they've simply rewritten part of it to serve their purpose).
Problem, as with most of these, is that I delete and watch it instantly reappear towards the bottom of the list in the C:\Windows folder, so I'm thinking it has to be linked to something else in my system. The question is: What?
I don't know if any of these have any thing to do with it but, they're from the notepad list I exported from FileAlyzer on the mplayer.exe. Could you tell me your thoughts on these or if there's anything specific you'd like me to look for in the list (the remainder is various code commands I'm not familiar with, but maybe one has a clue to the whereabouts to this thing's friends?):
Import table (libraries: 7)
KERNEL32.dll (imports: 69)
USER32.dll (imports: 133)
GDI32.dll (imports: 47)
COMCTL32.dll (imports: 3)
SHELL32.dll (imports: 6)
WINMM.dll (imports: 6)
ADVAPI32.dll (imports: 7)
How about any of the other files listed above or the registry fixes, Merijn's variant list states that some registry editing is needed along with replacing wmplayer?
Posted 21 May 2004 - 12:44 PM
In the C:\Windows\System folder, there's a file sfplog.txt that shows this rogue version when it was installed (back when I picked up HDefender and others earlier in the month) and it shows my many attempts to delete it, stating the following:
File C:\WINDOWS\MPLAYER.EXE has been deleted
immediately followed by:
SFP restored file C:\WINDOWS\MPLAYER.EXE to version 184.108.40.20600
There's another file similiar to this in the same folder called sfpdb.sfp (SFP file) which File Alyzer only gives a (big) hex dump for
Also, There are eight copies of this mplayer version (A0000029.CPY and similiar names) sitting in the C:\_Restore\Temp folder. I disabled system restore weeks ago, but I guess that has nothing to do with these as there are creation dates from today ).
Classes.dat was mentioned in the list, but I don't know that that's an issue here.
This is really annoying. <_<
Edited by Muriel, 21 May 2004 - 12:45 PM.
Posted 24 May 2004 - 12:44 PM
Finally was able to get rid of the rogue MPlayer.exe in Safe mode without it being able to respawn, but PestPatrol is still spotting something to do with it.
FileAlyzer's scan of PestPatrol's Masterlog shows this:
My question is this: Is this a false reading of Pest Patrol's, or is it reading something having to do with the restricted sites that SpywareBlaster &IEspyad added, or something in the Registry that needs editing?
Looking up the location above in Regedit ends in xxxtoolbar.com, there's nothing mentioned regarding CWS.GoogleMS.3
Thanks in advance!
Posted 26 May 2004 - 03:35 PM
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users