

CWS Re-infection executables


#1 zxladie




Posted 21 June 2004 - 01:15 PM

I'm not sure if this is the right place to post this, but I have what might sound like a stupid question that I'm wondering about and I haven't been able to find any documentation. I am repairing a system that had quite a bit of spyware on it, and when I was checking something in the owner\Documents & Settings folder\Application data\ I happened to see a folder named 'iefeatsl' which I know is CWS. The folder contained the files: msiesh.new and submit2.exe. I looked in the msiesh.new with my viewer and it's the {FD9BC004} .dll that I'm assuming is not yet executed.

When a CWS infection is executed, does it also install pre-defined setup files or folders like this that would install a new infection based on a trigger from a given infection that is removed? Also, do they always use a [filename]2.exe pattern or is it random? Because I found another lone executable named TestManager2.exe that was in the same Docs & Settings\ owner\App Data folder but was in Microsoft\Installer\{E47EA4D...}. I've followed all the CWS information links and read everything by Merijn but I may have missed it and it sure would help me. Thanks.

Member of UNITE