CWS.hiddendll blocks drivers
#1
Guest
Posts: n/a

Trend's CWShredder finds CWS.hiddendll and can remove it in a safe mode boot. I have searched the web for info. There is a lot of writing about it, and a lot of people have posted HijackThis logs... but I have not found any serious description of the virus (malware?).

Does it come from mail, websites, other?

Morgan O.
#2
Guest
Posts: n/a

On Fri, 16 Mar 2007 14:18:28 GMT, in <3fecrcppizwy.1we3s91c1wssp$.dlg@40tude.net> Morgan Ohlson <morgan.ohlson@comhem.se> wrote:

> Trend's CWShredder finds CWS.hiddendll and can remove it in a safe mode boot.
>
> I have searched the web for info. There is a lot of writing about it, and a lot of people have posted HijackThis logs... but I have not found any serious description of the virus (malware?).

More specifically, adware/spyware. This CWS variant replaces the machine's about:Blank, then changes the Internet Explorer startup page (and others) to about:Blank. Additionally, a file is set to run when the computer is booted up that reinstalls it each time. It appears there's also a BHO, and a file that keeps checking to be sure all the other files are there wouldn't surprise me. If it keeps coming back, then chances are very high that it isn't being completely removed, as opposed to reinfection.

If you're looking for a description of other files and reg entries installed, normally this can be gleaned from what is removed in the answers on the web forums. This seems to be fairly complete, at least for Windows 98SE: http://www.thetechguide.com/forum/i...showtopic=17006

If you're having further problems as indicated in your subject, it could be that CWShredder missed something, or deleted something you need to replace with a fresh file copy. There are other fix instructions in those replies, like using LSPFix and AboutBuster and other fix programs. If you have Windows XP, another post might be better, but they are usually equally complete. Just do a Google search for "CWS.hiddendll XP" (without the quotation marks).

> Does it come from mail, websites, other?

Yes. :-)

Like other spyware, CWS has been shown to be loaded by websites, free programs, P2P downloads pretending to be something else, and even other spyware. Email attachments don't seem to be a large vector, but of course spamvertised websites might contain anything, and often spyware of all kinds. It all depends on the choices of the person trying to spread the spyware.

If the computer user basically practices safe hex [no P2P executables, free programs, or spamvertised websites], eliminating most of those possibilities, then these can be assumed to have sneaked in from a web page via Internet Explorer, either simply because JavaScript is enabled, or because an unpatched exploit was used to load the file on the site visitor. Occasionally the user will have purposely opened a hole, like enabling executables to run in an iframe, something that is sometimes needed for web games, but can be very dangerous for general surfing.

Carol
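The three traits Carol lists above (a start page reset to about:blank, a file set to run at boot, and a BHO) map directly onto the R0/R1, O4 and O2 lines of the HijackThis logs Morgan mentions. The following Python triage script is an added example, not code from the thread: the log lines, file names and CLSIDs in it are constructed placeholders, and the heuristic that the boot-time loader shares a name with the flagged BHO is my assumption for the sample, not a CWS indicator.

```python
"""Triage HijackThis-style log lines for the CWS traits described in the thread:
a start page reset to about:blank (R0/R1), a BHO (O2) and a Run entry that
reinstalls it at boot (O4).  Added example, not the thread's or any tool's code."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity kind detail")
# Line shapes as HijackThis prints them; the IE key and value names are the real ones.
RE_START = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>Start Page|Search Page|Default_Page_URL) = (?P<url>.*)$")
RE_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RE_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Constructed sample log: file names and CLSIDs are placeholders, not indicators.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:Blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.org/
O2 - BHO: (no name) - {AAAAAAAA-0000-0000-0000-000000000001} - C:\WINDOWS\system32\cwsdemo.dll
O2 - BHO: Vendor Helper - {AAAAAAAA-0000-0000-0000-000000000002} - C:\Program Files\Vendor\helper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [cwsdemo] C:\WINDOWS\system32\cwsdemo.exe /boot
"""

def stem(path):
    """Last path component without its extension, splitting on Windows separators."""
    name = re.split(r"[\\/]", path.strip().strip('"'))[-1]
    return name.rsplit(".", 1)[0].lower()

def triage(log_text):
    """Return Findings; 'high' marks the hijack, an unnamed BHO and its boot loader."""
    findings, bho_stems, runs = [], set(), []
    for line in log_text.splitlines():
        if m := RE_START.match(line.strip()):
            if m["url"].strip().lower() == "about:blank":
                findings.append(Finding("high", "startpage", f"{m['value']} = about:blank in {m['key']}"))
        elif m := RE_BHO.match(line.strip()):
            if m["name"].strip() in ("", "(no name)"):  # unnamed BHOs deserve a look
                findings.append(Finding("high", "bho", f"unnamed BHO {m['clsid']} -> {m['path']}"))
                bho_stems.add(stem(m["path"]))
        elif m := RE_RUN.match(line.strip()):
            runs.append(m)
    # Second pass: a Run entry launching a file named like a flagged BHO is treated
    # as the "reinstalls it every boot" component (assumed heuristic for this sample).
    for m in runs:
        exe = re.match(r'"?(?P<exe>[^"]*?\.exe)', m["cmd"], re.I)
        sev = "high" if stem(exe["exe"] if exe else m["cmd"]) in bho_stems else "info"
        findings.append(Finding(sev, "run", f"{m['hive']}\\..\\{m['key']} [{m['name']}] {m['cmd']}"))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the two "high" persistence hits plus the BHO, with the legitimate sound-driver Run entry listed as "info" for manual review.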
#3
Guest
Posts: n/a

On Fri, 16 Mar 2007 22:13:05 GMT, Carol wrote:

> On Fri, 16 Mar 2007 14:18:28 GMT, in <3fecrcppizwy.1we3s91c1wssp$.dlg@40tude.net> Morgan Ohlson <morgan.ohlson@comhem.se> wrote:
>
>> Trend's CWShredder finds CWS.hiddendll and can remove it in a safe mode boot.
>>
>> I have searched the web for info. There is a lot of writing about it, and a lot of people have posted HijackThis logs... but I have not found any serious description of the virus (malware?).
>
> More specifically, adware/spyware. This CWS variant replaces the machine's about:Blank, then changes the Internet Explorer startup page (and others) to about:Blank. Additionally, a file is set to run when the computer is booted up that reinstalls it each time. It appears there's also a BHO, and a file that keeps checking to be sure all the other files are there wouldn't surprise me. If it keeps coming back, then chances are very high that it isn't being completely removed, as opposed to reinfection.

For me the CWS.hiddendll occurred simultaneously (I think), first with a blocked audio card. That I solved with a complete reinstall (formatted all HDDs). (No sound via the sound card.) The second time it occurred in combination with a network card block (no connection to the Ethernet card). In both cases everything seemed okay, drivers, installation etc... but it wasn't. It may have been some kind of redirected addresses.

First, I'm no pro on this, and there could have been some other malware that infected at the same time, or almost at the same time... Secondly, I only removed the CWS.h..dll and that solved it.

> If you're looking for a description of other files and reg entries installed, normally this can be gleaned from what is removed in the answers on the web forums. This seems to be fairly complete, at least for Windows 98SE: http://www.thetechguide.com/forum/i...showtopic=17006
>
> If you're having further problems as indicated in your subject, it could be that CWShredder missed something, or deleted something you need to replace with a fresh file copy. There are other fix instructions in those replies, like using LSPFix and AboutBuster and other fix programs. If you have Windows XP, another post might be better, but they are usually equally complete. Just do a Google search for "CWS.hiddendll XP" (without the quotation marks).

I have read some postings, and the file names that have been mentioned seem to be different every time... could that be so?

>> Does it come from mail, websites, other?
>
> Yes. :-)
>
> Like other spyware, CWS has been shown to be loaded by websites, free programs, P2P downloads pretending to be something else, and even other spyware.

Very versatile then.

> Email attachments don't seem to be a large vector, but of course spamvertised websites might contain anything, and often spyware of all kinds. It all depends on the choices of the person trying to spread the spyware.
>
> If the computer user basically practices safe hex [no P2P executables, free programs,

No free programs !!! ??? You must be joking... ;o)

> or spamvertised websites], eliminating most of those possibilities, then these can be assumed to have sneaked in from a web page via Internet Explorer, either simply because JavaScript is enabled, or because an unpatched exploit was used to load the file on the site visitor.

Can HTML exploits be a problem while in quarantine? Recently an active virus shield (heuristic rules) alarmed on a file in another well-known antivirus pack while downloading. Unfortunately I downloaded a couple of updated applications that day, so I could mix them up... so I'd better not point anyone out.

It was a .asf file that was identified as an HTML exploit, and the software has worked very well also with that file removed.

> Occasionally the user will have purposely opened a hole, like enabling executables to run in an iframe, something that is sometimes needed for web games, but can be very dangerous for general surfing.

The CWS.hiddendll infection occurred while using:
# hardware NAT firewall
# software firewall
# active application shield
# 2 real-time antivirus guards
# autostart, BHO and change watch
# mail Bayes filter

Morgan O.
#4
Guest
Posts: n/a

On this special day, Morgan Ohlson wrote:

> No free programs !!! ??? You must be joking... ;o)

The real free programs are discussed in alt.comp.freewarer, and if someone spams for a "free" program with adware thrown in, you'll be sure that someone will give a warning, nearly in real time. I think acf is a good resource of information on this topic.

Seeing your description, I am afraid that your specimen came in via an IE exploit, although I can't say which, as officially there are no known ones to this day. Still, I would recommend that you change to another browser, which might not be a much safer one, yet a less frequently attacked target. Most hackers concentrate on IE, as they will reach about 90 percent of their intended "audience", which is enough for them, while the other ten percent would require more coding, and of course learning the intricacies of special Firefox or Opera commands firsthand.

Gabriele Neukam
Gabriele.Spamfighter.Neukam@t-online.de
--
Ah, Information. A property, too valuable these days, to give it away, just so, at no cost.
#5
Guest
Posts: n/a

On this special day, Gabriele Neukam wrote:

> The real free programs are discussed in alt.comp.freewarer,

uh, sory, make that "alt.comp.freeware"

Gabriele "can't keep my fingers still" Neukam
Gabriele.Spamfighter.Neukam@t-online.de
--
the difference is in the eye of the beholder... even history is not an impartial judge, as it is written by the victors... - Kurt Wismer in alt.comp-anti-virus
#6
Guest
Posts: n/a

Gabriele Neukam wrote:

> On this special day, Gabriele Neukam wrote:
>
>> The real free programs are discussed in alt.comp.freewarer,
>
> uh, sory, make that "alt.comp.freeware"

<G>

They are really on the ball. Also energetic, knowledgeable, and curious about what programs are around. Good crowd.
#7
Guest
Posts: n/a

On Sat, 17 Mar 2007 20:31:12 -0800, Offbreed wrote:

> Gabriele Neukam wrote:
>> On this special day, Gabriele Neukam wrote:
>>
>>> The real free programs are discussed in alt.comp.freewarer,
>>
>> uh, sory, make that "alt.comp.freeware"
>
> <G>
>
> They are really on the ball. Also energetic, knowledgeable, and curious about what programs are around. Good crowd.

Yes, and the Q was really whether freeware in general raises security issues. It was not a debate on freeware as a general topic.

Morgan O.
#8
Guest
Posts: n/a

On Sat, 17 Mar 2007 07:47:17 GMT, Morgan Ohlson <morgan.ohlson@comhem.se> wrote:

> I have read some postings, and the file names that have been mentioned seem to be different every time... could that be so?

Yes. With CWS, these are changed by the writer according to the current buyer. The last I was aware, they are not random with CWS, but could be.

>>> Does it come from mail, websites, other?
>>
>> Yes. :-)
>
>> Like other spyware, CWS has been shown to be loaded by websites, free programs, P2P downloads pretending to be something else, and even other spyware.
>
> Very versatile then.

It's common now. They're going to spread their crap any way they can.

>> Email attachments don't seem to be a large vector, but of course spamvertised websites might contain anything, and often spyware of all kinds. It all depends on the choices of the person trying to spread the spyware.
>>
>> If the computer user basically practices safe hex [no P2P executables, free programs,
>
> No free programs !!! ??? You must be joking... ;o)

Oh, some of the best are free for personal use, but this would be in terms of the average computer user who may have a hard time determining what's trusted. Free screensavers and wallpaper and anything else with an "aw, isn't that pretty" factor and an installer are a particular problem, along with the P2P programs themselves, not just the downloads.

>> or spamvertised websites], eliminating most of those possibilities, then these can be assumed to have sneaked in from a web page via Internet Explorer, either simply because JavaScript is enabled, or because an unpatched exploit was used to load the file on the site visitor.
>
> Can HTML exploits be a problem while in quarantine?

I've never heard of anything escaping quarantine. However, when it comes to HTML, it's possible for your browser to run it before the AV can quarantine it, even if your AV is scanning in real time -- *particularly* if you have more than one trying to scan it at the same time.

> Recently an active virus shield (heuristic rules) alarmed on a file in another well-known antivirus pack while downloading. Unfortunately I downloaded a couple of updated applications that day, so I could mix them up... so I'd better not point anyone out.
>
> It was a .asf file that was identified as an HTML exploit, and the software has worked very well also with that file removed.

Normally this sort of thing is a false positive, I suspect because the definition is hitting on some string the writer ass-u-med was unique to the malware. Your ASF file was probably MS "Advanced Streaming Format", so not necessary to the operation of the program; part of the Help system maybe? In any case it would have to contact the outside to "stream" anything.

> The CWS.hiddendll infection occurred while using:
> # hardware NAT firewall
> # software firewall

No consumer-grade firewall is going to help you with an HTML exploit because the files are requested by the browser, and your browser has to be enabled to contact the outside.

> # active application shield
> # 2 real-time antivirus guards

This can set up a situation where none of the programs detect certain incoming malware, and don't produce any errors when that's happening. You can normally get away with AV + anti-spyware, for instance, but if you really have two AV, pick one and uninstall the other.

> # autostart, BHO and change watch
> # mail Bayes filter

Carol
#9
Guest
Posts: n/a

Morgan Ohlson wrote:

> On Sat, 17 Mar 2007 20:31:12 -0800, Offbreed wrote:
>
>> Gabriele Neukam wrote:
>>> uh, sory, make that "alt.comp.freeware"
>> <G>
>>
>> They are really on the ball. Also energetic, knowledgeable, and curious about what programs are around. Good crowd.
>
> Yes, and the Q was really whether freeware in general raises security issues.

Depends on where you get it. People have been putting bad stuff in freeware for years, and the acf crowd has become very adept at finding it. This is a website they have where they list the recommended programs: <http://www.pricelesswarehome.org/>

Some other sites also have good, clean programs, but use acf and Pricelessware as starting points.