Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: Re: Cool Web Search
From: "Todd Towles" <toddtowles () brookshires com>
Date: Fri, 30 Jul 2004 14:13:02 -0500

Jack, the new variants are not so obvious to detect. They contain hidden
processes or rootkits. Sooner or later they will start to use ADS (alternate
data stream) points to hide. 

Anyone can track down anything with a registry snapshot. Do a registry
snapshot and then install your "spyware" and then you will see every key.
But what good is that if you have to clean more than one computer. 

We are all computer people - fixing one computer is easy but could take 4
hours - not very helpful on a mass scale. We pay for point and click, why
shouldn't we get it?  ;)

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of JacK
Sent: Friday, July 30, 2004 11:56 AM
To: full-disclosure () lists netsys com
Subject: Re: Re: [Full-disclosure] Cool Web Search

I don't know if you fully understand HiJackThis or maybe I was just 

HiJackThis wasn't used by me to get rid of CWS as, for example, running
Adaware gets rid of tracking cookies and some installed spyware progs. It
was used by me to list various entries in registry which, when lumped
together like that, show off CWS quite easily. Once they are there, 
them and the progs started by some of them is easy.

That is all you have to do. Don't expect HiJackThis to magically get rid 
it all at the flick of a button. You DO have to have a small amount of
registry knowledge in order to ID which entries are seriously bull and 
are honest BHOs etc. I am not a registry "expert" but claim a small amount
of registry knowledge so even to ME it was obvious what was what.

It 's obvious you did not get the variants I am speaking about and you are 
no Registry "expert" ;)

For those variants :

HijackThis let you see the entry 
(and in most case with no value)  BUT when you delete it and click refresh, 
it comes immediately back for the trojan is still running.
If you kill the associated running random name dll (for instance 
c:\windows\system32\logb.dll) it comes back  at next reboot and adds the 
value AppInit_DLLs again in the registry.

To get rid of it, you have to rename the key 
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows in Windows2   , 
then delete the entry AppInit_DLLs which seems not having any value.  When 
done, rename the key with its regular name and AppInit_DLLs will not appear 
anymore when refreshing ; only when it's done you will be able to kill and 
delete the random name.dll for good which is the  Backdoor.Agent.ba used to 
install this tricky variant of CoolWebSearch.

That's why I said HijackThis has its limits : suppressing the entries its 
log gives directly from the registry does not help.

That's just an exemple, the are other variants which add in the registry the

entry AppInit_Dlls somewhere else with the same result and the same way to 
get rid of it.

Hoping it's clearer now, so sorry for my poor English.

http://www.optimix.be.tf   /MVP WindowsXP/   http://websecurite.org
                         *Helping you void your warranty since 2000*

@(*0*)@      JacK

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]