OT: CWS hijacker, can't get rid of it



CB_3D
08-24-2004, 05:25 PM
Spysweeper and Window washer don't seem to be able to clear it from my XP Pro system. They simply re-appear after seemingly successful elimination.

If anyone has a solution please let me know.

Thx

MikeMD
08-24-2004, 05:49 PM
http://www1.spywareinfo.com/

They seem to have some trouble and are switching servers (or something like that), but do a search on a program called
CWShredder.exe

It's specifically designed to remove different variants of CWS.
Hopefully you don't have a version they can't cure.

Big Jay
08-24-2004, 07:45 PM
www.download.com

look for adaware and
spybot search and destroy

both are free and remove quite a few spy and ad programs

CB_3D
08-24-2004, 09:19 PM
THANK YOU THANK YOU THANK YOU

The shredder tool did its job!! Spyware, yukkkk, really annoying!
You can't imagine the trouble I had just to get to a download page of it because of constant hijacking, LOL.

thx again!!

mjanson
08-25-2004, 02:22 AM
It might come back... The Shredder does the job for the moment but in my case the nasty little program had a backup that masked itself as a 16-bit legacy file... the file is invisible to windows (I mean really invisible... doesn't friggin' exist) and it requires hacking into the registry to make it visible... once it's visible, the only task left is to delete it and that wasn't easy...
It's a real nasty piece of software but I admire their ingenuity... I would have them killed though if I could just find out where they live...

If you search the web I'm sure you'll find info that is a little more precise than my drunken ramblings...

MiniFireDragon
08-25-2004, 07:47 AM
I am often called out of my office (I do a lot of computer service work) to fix spyware infestations (often appear to be virus activity) and have found the following three programs used together help eliminate 99% of the mess.

www.lavasoftusa.com --- Adware Personal SE (new version)

http://www.safer-networking.org/en/download/ --- Spybot search and destroy

http://www.spychecker.com/program/hijackthis.html --- HijackThis!


Hijack This is very useful (and can be very harmful) to check out what is tying into your browser and startup.

The only thing I have seen that Adaware or Spybot hasn't been able to fully kill is wintools. To kill this, boot into safe mode. Go to Program Files>Common Files>WinTools and rename all the exe and dll files in the folder. Then create FOLDERS with the names of the old files.

For example, if you have a file called WinToolsB.exe make a folder called WinToolsB.exe. This is a nice trick to help keep the file from coming back. I haven't yet seen one overwrite the folder back into a file. Plus, it lets you know when something tried to get into your system as at start up, it will open the folder.


Oohh, and for the best clean, boot into safemode and run your cleaning tools.
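
The folder-placeholder trick described in the post above, as an added example that is not part of the original thread: it renames the `.exe`/`.dll` files aside, creates directories under the old names, shows that a plain file write to those names then fails, and audits whether each placeholder is still a directory. The temporary `WinTools` folder, `WinToolsA.dll`, the `.quarantined` suffix and all function names are assumptions made for the illustration.

```python
import tempfile
from pathlib import Path

BLOCKED_SUFFIXES = {".exe", ".dll"}  # file types the post says to rename


def plant_placeholders(folder):
    """Rename each .exe/.dll aside and create a directory under the old name."""
    planted = []
    for item in sorted(folder.iterdir()):
        if item.is_file() and item.suffix.lower() in BLOCKED_SUFFIXES:
            item.rename(item.with_name(item.name + ".quarantined"))
            item.mkdir()  # 'item' still holds the original path
            planted.append(item)
    return planted


def write_is_blocked(path):
    """Try to create a file at 'path'; True when the placeholder stops it."""
    try:
        with open(path, "wb") as fh:
            fh.write(b"constructed test bytes")
        return False
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return True


def audit(planted):
    """Return placeholders that are no longer directories (removed or replaced)."""
    return [p.name for p in planted if not p.is_dir()]


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "WinTools"  # constructed stand-in for the real folder
        folder.mkdir()
        for name in ("WinToolsA.dll", "WinToolsB.exe", "readme.txt"):
            (folder / name).write_bytes(b"constructed sample")
        planted = plant_placeholders(folder)
        blocked = [write_is_blocked(p) for p in planted]
        before = audit(planted)
        # Simulate a placeholder having been swapped back for a file.
        planted[0].rmdir()
        planted[0].write_bytes(b"constructed sample")
        return [p.name for p in planted], blocked, before, audit(planted)


if __name__ == "__main__":
    print(demo())
```

Running `audit` at each logon against the list of planted names gives the "something tried to come back" signal without relying on the folder popping open at startup.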

art
08-25-2004, 10:58 AM
There is one more useful piece of software which was actually recommended from within spybot:

http://www.javacoolsoftware.com/spywareblaster.html

It blocks all recognized bad ActiveX-based components from running. It does not run in the background so no resources are wasted. There is also a program called spywareguard, from the same people/website. I do not use it personally. It runs in the background and checks in real time for possible hijacks. I usually install it for people (some of my friends, etc.) who do not know how to behave on the net and usually end up with spyware.

Big Jay
08-26-2004, 03:31 PM
Never thought of the folder naming trick. I just copied notepad.exe into those locations and just renamed it into the name of the adware. Would have saved me some time closing notepad windows.

art
08-26-2004, 04:00 PM
So, if you delete the folder it reappears after next windows reboot etc?

MiniFireDragon
08-27-2004, 07:24 AM
art: Putting folders in place of the files just lets you know that the program you had eradicated from your PC has come back, or tried to come back. And it also helps prevent future infestations (works for most viruses also).

art
08-27-2004, 07:42 AM
I was cleaning someone's computer once and they had something very nasty installed (I don't recall the name) and although spybot and adaware were detecting it, they could not remove it because the files were in use. The during-reboot scans could not remove it either for some reason. I used the free Process Explorer from sysinternals.com to see what was going on. Apparently the rogue program was somehow running under the winlogon process. In order to delete the rogue exe I would have to kill the winlogon process, but as soon as I did that windows was going down. (btw. Process Explorer allows you to kill some processes that the regular task manager does not allow you to touch).
What I did might be useful for you guys in the future should a similar situation occur. I found the rogue exe and opened the security properties for it (I guess you need win 2000 or xp pro for that). I revoked all access for everyone including admin. Obviously, after restart the file did not execute. As admin, I was able to take the ownership again, so I did and since the exe was not running, I was able to delete it.

MiniFireDragon
08-27-2004, 08:39 AM
When that happens, Safemode usually works.

art
08-27-2004, 09:44 AM
Yeah, I'm aware of the safe mode which I always use to scan for viruses. For spyware I usually search in normal mode, but in the case I described, I certainly tried safemode before looking for different solutions.

btw. that person had well over 1000 objects detected by adaware, majority of which were not cookies. I'm still waiting to see a machine that beats that record. :)