Scumware - a significant threat?

David

I've spent a good few hours over the past week ridding 2 Windows XP PCs of
a browser hijacker. None of the available spyware detectors was able to
remove all traces of "coolwebsearch" and a lot of manual reg editing and
searching for default settings was involved in cleaning the machines.

Reading through the IE6 newsgroup it looks like about a quarter of the posts
are related to similar problems which equates to a lot of hours being wasted
dealing with this menace.

Over the years in which I have been using PCs both at work and at home I
have only twice had to remove a virus from machines and found it a lot
easier to deal with than this latest attack.

Both PCs are up to date with virus protection and sit behind a firewall yet
they were both infected - in both cases my children downloaded and installed
what claimed to be an MSN Messenger "Add-On". So why do I continue to pay
Symantec for "virus definition updates" when it doesn't protect my machine?

I realise that they don't fall into the strict definition of a virus - they
don't replicate and didn't spread across my network. But they do re-infect a
cleaned machine each time it boots and they re-infect a browser each time it
is launched. The content being offered was highly inappropriate and the
ability to circumvent browser security settings was very worrying.
These redirections are to commercial pages - surely as a first step these
sites should be shut down and their host ISP fined heavily to discourage
anyone else from putting them up.

I consider myself to be fairly well informed in IT matters yet this was the
first time I was aware of how prevalent these "scumware" infections were.

This looks like a much more serious problem than even the "Blaster" outbreak
(which caused problems on my network at work - although most of the problems
were due to some knee-jerk "Blaster-proofing" being carried out by our IT
dept. and not due to any virus activity as such) and should be taken
more seriously than it is.

David
 
Frank Saunders, MS-MVP IE/OE

David said:
I've spent a good few hours over the past week ridding 2 Windows XP
PCs of a browser hijacker. None of the available spyware detectors
was able to remove all traces of "coolwebsearch" and a lot of manual
reg editing and searching for default settings was involved in
cleaning the machines.

Reading through the IE6 newsgroup it looks like about a quarter of
the posts are related to similar problems which equates to a lot of
hours being wasted dealing with this menace.

Over the years in which I have been using PCs both at work and at
home I have only twice had to remove a virus from machines and found
it a lot easier to deal with than this latest attack.

Both PCs are up to date with virus protection and sit behind a
firewall yet they were both infected - in both cases my children
downloaded and installed what claimed to be an MSN Messenger "Add-On".
So why do I continue to pay Symantec for "virus definition updates"
when it doesn't protect my machine?

I realise that they don't fall into the strict definition of a virus
- they don't replicate and didn't spread across my network. But they
do re-infect a cleaned machine each time it boots and they re-infect
a browser each time it is launched. The content being offered was
highly inappropriate and the ability to circumvent browser security
settings was very worrying.
These redirections are to commercial pages - surely as a first step
these sites should be shut down and their host ISP fined heavily to
discourage anyone else from putting them up.

I consider myself to be fairly well informed in IT matters yet this
was the first time I was aware of how prevalent these "scumware"
infections were.

This looks like a much more serious problem than even the "Blaster"
outbreak (which caused problems on my network at work - although most
of the problems were due to some knee-jerk "Blaster-proofing" being
carried out by our IT dept. and not due to any virus activity as such)
and should be taken more seriously than it is.

David

CWS CoolWSearch
http://www.spywareinfo.com/articles/cws/
Download the file below, unzip it and run it:
http://www.spywareinfo.com/~merijn/files/cwshredder.zip
See also:
http://forums.spywareinfo.com/index.php?showtopic=11139

--
Frank Saunders, MS-MVP IE/OE
http://www.fjsmjs.com
Reply to Newsgroup. I won't answer email
Protect Your PC
http://www.microsoft.com/security/protect/
 
David

Thanks Frank...


Did all that and a whole lot more - still had to get down and dirty with
the registry!!

Not my point though - I've run them off for the moment. I'm fairly PC
literate but it took me a couple of days to eradicate all traces of the
scumware - how would an ordinary punter who only wants to let his kids do
their homework cope?
This is a significant threat to everyone's PC yet it is not being shouted
about in the press, it hasn't made national news and the people responsible
are still in business! Why? They should be a lot easier to catch than the
authors of "Blaster" ever were.
Time to shut them down. Maybe we should start a campaign?

David
 
briansixt

Got the same hijacked IE browser problem: this one
defaults to a very tacky search engine when I click on the IE
icon. It only goes away when I re-assign the home page I
want, and then re-boot. It comes right back again when I
turn off and do it again. This one inserts a nkvd.us site
on all my "File / Open Web Site" instructions. I searched
and installed a Guard-IE software package which also stops
pop-up ads, but does not get rid of the deeply embedded IE
home designation. Still suffering. Looking for a solution.
 
David

briansixt said:
Got the same hijacked IE browser problem: this one
defaults to a very tacky search engine when I click on the IE
icon. It only goes away when I re-assign the home page I
want, and then re-boot. It comes right back again when I
turn off and do it again. This one inserts a nkvd.us site
on all my "File / Open Web Site" instructions. I searched
and installed a Guard-IE software package which also stops
pop-up ads, but does not get rid of the deeply embedded IE
home designation. Still suffering. Looking for a solution.

Hi Brian

Don't know whether your symptoms match or not but this is more or less what
I did.

Downloaded a new copy of IE6. Searched for scumware with Spybot, Ad-aware
and NoAdware - all found different things. Re-booted and removed IE6 from
Windows set-up, and an IE update from Add/Remove Programs. Re-booted and ran
the scumware stuff again. My browser had a toolbar which I couldn't remove
named something along the lines of "afndjrtsd" (different set of letters on
both machines) so I did a reg trawl for all occurrences of the string and
deleted each key which contained it (about 6 I think); checked win.ini etc. at
the same time.
Re-booted again!
Re-installed IE6 from the download and on 1 machine all was well. I must
have missed something on the other machine 'cause I had to do it all again!
Second time around the machine was clean.

Hope some of this helps!

David
 
Mehdi KARROUCHA

Forget HijackThis and CoolWebShredder: it is actually two DLLs
(mtwirl32.dll and mtwcnl32.dll) that have been hijacked and are making
a mess. Here is the method to follow to get rid of this famous
nkvd.us!!! Warning: the exact key names are the ones on my PC;
they may differ slightly on yours, but that doesn't matter, you still
have to follow the process in order!!! Here we go:
Start > Run > Regedit, go to
HKEY_USERS\S-1-5-21-1343024091-1123561945-839522115-500\Software\Classes\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}

Delete the key "{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"

Now go to HKEY_USERS\S-1-5-21-1343024091-1123561945-839522115-500_Classes\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}
and delete the key "{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"

Finally, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
Click on the "SharedTaskScheduler" key to show its contents and delete
the value "{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"

Restart your PC, and delete mtwirl32.dll and mtwcnl32.dll
Clean now? And who do you thank?
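The post above (CLSID keys under HKEY_USERS\...\Classes\CLSID, the SharedTaskScheduler value, and the two DLLs) and David's "reg trawl" for a random toolbar name both describe hunting this persistence by hand in regedit. The script below is an added example, not code from the thread or from any of its posters: it parses a regedit 5.00 export offline (a `reg export` or regedit Export file, decoded from UTF-16 to text first), lists every SharedTaskScheduler entry together with the DLL its CLSID resolves to in whichever hive it is registered, flags entries outside an assumed baseline, and performs the string trawl. The export text is constructed sample data modelled on the thread: the CLSID, DLL name, SID and toolbar name are the ones the posters mention; the two baseline CLSIDs and their descriptions are my assumption of what a stock Windows XP machine carries, and the file paths are invented.

```python
import re
from typing import Dict, List, Optional

KEY_RE = re.compile(r'^\[(?P<path>[^\]]+)\]$')
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

SHARED_TASK_KEY = (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows'
                   r'\CurrentVersion\Explorer\SharedTaskScheduler')

# Assumed baseline (my assumption, not from the thread): the two entries a stock
# Windows XP machine carries under SharedTaskScheduler. Anything else gets flagged.
BASELINE_CLSIDS = {
    '{438755c2-a8ba-11d1-b96b-00a0c90312e1}',  # "Browseui preloader"
    '{8c7461ef-2b13-11d2-be35-3078302c2030}',  # "Component Categories cache daemon"
}


def _unescape(s: str) -> str:
    # .reg string syntax escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a 'Windows Registry Editor Version 5.00' export already decoded to text.
    Returns {key path: {value name: data}}; the default value is stored under '@'.
    Quoted string data is unescaped; other types (dword:..., hex(2):...) are kept raw,
    so a REG_EXPAND_SZ path exported as hex(2) shows up as a hex string, not a path."""
    reg: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = reg.setdefault(m.group('path'), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '@' if m.group('default') else _unescape(m.group('name'))
            data = m.group('data')
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            current[name] = data
    return reg


def _get_key(reg: Dict[str, Dict[str, str]], path: str) -> Dict[str, str]:
    """Case-insensitive key lookup (registry paths are case-insensitive)."""
    wanted = path.lower()
    for key, values in reg.items():
        if key.lower() == wanted:
            return values
    return {}


def inproc_server(reg: Dict[str, Dict[str, str]], clsid: str) -> Optional[str]:
    r"""DLL registered as InProcServer32 for a CLSID, whichever hive it lives in:
    HKCR\CLSID, HKLM\SOFTWARE\Classes\CLSID or a per-user HKEY_USERS\...\Classes\CLSID."""
    suffix = f'\\clsid\\{clsid.lower()}\\inprocserver32'
    for key, values in reg.items():
        if key.lower().endswith(suffix):
            return values.get('@')
    return None


def audit_shared_task_scheduler(reg: Dict[str, Dict[str, str]]) -> List[dict]:
    """One record per SharedTaskScheduler entry: the DLL it resolves to and why it
    is (or is not) suspicious. Reports only; removal stays a separate, manual step."""
    findings = []
    for clsid, description in _get_key(reg, SHARED_TASK_KEY).items():
        dll = inproc_server(reg, clsid)
        reasons = []
        if clsid.lower() not in BASELINE_CLSIDS:
            reasons.append('CLSID not in baseline')
        if dll is None:
            reasons.append('no InProcServer32 registered')
        findings.append({'clsid': clsid, 'description': description, 'dll': dll,
                         'suspicious': bool(reasons), 'reasons': reasons})
    return findings


def find_string(reg: Dict[str, Dict[str, str]], needle: str) -> List[str]:
    """The 'reg trawl': every key whose path, value names or string data contain
    the needle (case-insensitive), e.g. a randomly named toolbar."""
    n = needle.lower()
    hits = set()
    for key, values in reg.items():
        if n in key.lower() or any(n in name.lower() or n in data.lower()
                                   for name, data in values.items()):
            hits.add(key)
    return sorted(hits)


# Constructed sample export modelled on the thread (see lead-in for what is assumed).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="mtwirl32"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="C:\\WINDOWS\\System32\\browseui.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="C:\\WINDOWS\\System32\\browseui.dll"

[HKEY_USERS\S-1-5-21-1343024091-1123561945-839522115-500\Software\Classes\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\\WINDOWS\\System32\\mtwirl32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="afndjrtsd"

[HKEY_CURRENT_USER\Software\afndjrtsd]
"Installed"=dword:00000001
'''

if __name__ == '__main__':
    reg = parse_reg(SAMPLE_EXPORT)
    for f in audit_shared_task_scheduler(reg):
        flag = 'SUSPICIOUS' if f['suspicious'] else 'ok'
        print(f"{flag:10} {f['clsid']} {f['description']!r} -> {f['dll']} {f['reasons']}")
    print('keys mentioning afndjrtsd:', find_string(reg, 'afndjrtsd'))
```

The script only reports, so the DLL each entry resolves to can be checked (timestamp, signer, hash) before the value and the file are removed, which is the order the post above follows: value first, reboot, then the DLL. Real exports store REG_EXPAND_SZ data as hex(2) byte lists; those are kept raw here rather than decoded, so a path stored that way would appear as hex and needs decoding before it is compared.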
 
