Jump to content


Photo

CWS update (I think)


  • Please log in to reply
1 reply to this topic

#1 Evil Trigun

Evil Trigun

    Member

  • New Member
  • Pip
  • 3 posts

Posted 12 June 2004 - 09:15 PM

Ok I have been battling CoolWebSearch for a while now and have been using CWShredder the whole time. My system happens to be infected with the SearchX varient of this "virus". Currently I am using a program that not only Removes BHO's (something that CWS is connected to and I dont know how) but tells me when CWS has made changes and helps remove them. (not the actual files or keys, JUST THE CHANGES). This piece of software is called MRU Blaster (found it on the same site as SpywareGuard). Well I found something reoccurring with the CWS "virus". Some of which may be known and another I noticed this morning. The first of which was that CWS uses a dll file that has a randomly generated name and places it in the System32 directory. But the peculiar thing that I found was that it made a html file in my temp directory: IE

F:\Documents and Settings\Evil Trigun\Local Data\Temp\sp.html

I did remove this along with running CWShredder. And thought that if it did come back that it would be another randomly generated name. However it came back and has the same name. If you wish i will post the source of this html file, but I figured you wouldn't want me to seeing as it is just the coding behind the CWS page and you probably have that lying around somewhere. Just wanted to let you know. I have no idea how new the "sp.html" case is but if you didnt know then now you do. I will be checking back for your response! THANKS!

#2 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 14 June 2004 - 09:44 AM

Thanks - We're familiar with the sp.html variant.
See http://www.spywarein...chronicles.html variant 38.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button