Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Cool Web Search
From: "Gregh" <chows () ozemail com au>
Date: Fri, 30 Jul 2004 23:36:49 +1000

----- Original Message ----- 
From: "Andrew Clover" <and-bugtraq () doxdesk com>
To: <full-disclosure () lists netsys com>
Sent: Friday, July 30, 2004 9:44 PM
Subject: Re: [Full-disclosure] Cool Web Search

Gregh <chows () ozemail com au> wrote:

It was used by me to list various entries in registry which, when lumped
together like that, show off CWS quite easily. Once they are there,
them and the progs started by some of them is easy.

This is not the case for all variants of CWS. The newer, sneakier
variants can rebuild themselves if they detect a program like HijackThis
removing their registry entries.

Sorry but totally and utterly incorrect. You just do NOT understand what I
have typed. I said that I used HiJackThis to list the entries in a group
then ticked them manually and then removed them. Along with that, it allowed
you to identify the exe files that went with it.

If you dont understand that then I can understand that you dont know how to
get rid of it but the truth is that this way DOES get rid of it. There are
at LEAST 5 variants of CWS. I have met them all and beat them all.

This is part of a strong trend in unsolicited commercial software,
copying survival techniques learned from virus authors. The use of
constantly-loaded multiple DLLs and/or processes and/or services that
all restart and repair each other if tampering is detected, is becoming
widespread (see also CommonName, ClearSearch, TVMedia etc.).

All easily beaten by using HiJackThis in the way I described. If I can do
it, anyone with just a small amount of registry knowledge also can.

Where there are not short-cut workarounds this means removing the
software manually is simply impossible. Currently a trip into Safe Mode

Absolute and utter rot! I understand YOU may not be able to do it but it CAN
be done. It is simple logic if you want to look at it another way - whatever
can be DONE can be UNdone. The way I described works perfectly every time an
d takes 10 minutes or less to get rid of it though admittedly the first time
you use HiJackThis it can take longer.

can do the trick, by stopping any of the software running, but I'm sure
that'll be worked around too eventually. (Rootkit-like spyware?)

No, you are utterly wrong there, too. I have run Spybot and Adaware in safe
mode. Spybot sees and removes CWS but it comes back on next boot anyway. You
have to use HiJackThis to list the registry entries which stand out like a
sore thumb at that point. If you cant identify incorrect registry entries,
though, naturally it will elude you!


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]