CWShredder not infallible?

sam

I've had (still got?) a CoolWebSearch Hijacker. I'm using
Win XP Pro, IE 6, & ZoneLabs5.5 (free edition). Certain
pages on certain websites (including a government site)
displayed porn links above and below the main content
below the toolbars (or in the case of a pdf page the link
appears twice above the Acrobat Reader window). The links
didn't figure in the source code for the 'infected' page.
It didn't happen if I used IE within my AOL software, or
on another computer, or if I used Firefox. I also
experienced my IE homepage being changed from 'about
blank' to a search engine site (websearchnetwork.com).

An initial scan with SpyBot Search & Destroy and AdAware
uncovered Crackspider, a Trojan horse downloader
(85ABSTEV\exploit[1].exe), something called Alexa and
some tracking cookies, all of which I eliminated. But the
problem recurred. I scanned again with AVG7 and also
Microsoft's AntiSpyware program and CWShredder. All
reported 0 problems. However, HijackThis did reveal some
dodgy entries.

The next day I was about to submit a log to a forum so I
did another set of scans. This revealed that Crackspider
etc had returned. I deleted them again. Then AntiSpyware
reported the CoolWebSearch infection (citing a .dll file
in my windows folder). I immediately ran CWShredder
again - and it reported no infection. I quarantined the
CWS hijacker in AntiSpyware and it cured the porn links
and homepage hijack problems. But I'm left with some
questions:

1 - Why did the offending links only appear on certain
web pages and never on others?

2 - Why didn't ZoneAlarm block the CWS infection?

3 - Why didn't AntiSpyware pick up the CWS infection
first time around, and why didn't CWShredder detect it at
all?

I eventually managed to view the source code of the
offending porn links and identified 2 files in the
Windows folder which AntiSpyware did not report - a .js
file and an .xml file. The .xml file contains web links
to the source of the .js file and 2 .reg files. I did a
Google search for the 2 websites hosting these files: one
is associated with CWS; the other returned no result
(ambush-script.com).

4 - As AntiSpyware didn't deal with the 2 files in my
Windows folder should I delete them manually or will
there be registry changes that need to be addressed?

Any thoughts gratefully received.
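Added example for question 4 above; this is not code from sam's post or from any of the tools mentioned. Before deleting the two files by hand it helps to know what the referenced .reg files would have written, so this script enumerates every key/value a .reg file sets or deletes and flags the ones that touch Internet Explorer start/search settings or autostart keys. SAMPLE_REG is a constructed .reg file (the hostname and file names are placeholders, not indicators from the thread), and IE_SENSITIVE_KEYS is an illustrative list, not an exhaustive one.

```python
"""Enumerate the changes a .reg file would make and flag the ones that
touch IE start/search settings or autostart keys (added example; the
sample data below is constructed, not taken from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Registry paths (hive stripped, lower-case) that browser hijackers of the
# CoolWebSearch family are known to rewrite. Assumption: illustrative list.
IE_SENSITIVE_KEYS = (
    r"software\microsoft\internet explorer\main",
    r"software\microsoft\internet explorer\search",   # also matches \searchurl
    r"software\microsoft\windows\currentversion\run",  # also matches \runonce
)

# '"name"=value' or '@=value' (the @ is the key's default value)
NAME_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')


@dataclass
class RegChange:
    key: str
    name: str                      # "(Default)" for the @ value
    value: Union[str, int, None]   # None when the entry deletes the value
    action: str                    # "set", "delete_value" or "delete_key"
    sensitive: bool


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _is_sensitive(key: str) -> bool:
    # drop the HKEY_... hive so HKCU and HKLM variants match the same patterns
    path = key.lower().split("\\", 1)[-1]
    return any(p in path for p in IE_SENSITIVE_KEYS)


def _parse_value(raw: str):
    if raw == "-":
        return None, "delete_value"
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1]), "set"
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16), "set"
    return raw, "set"          # hex(...) blobs and other types kept verbatim


def parse_reg(text: str) -> List[RegChange]:
    changes: List[RegChange] = []
    current_key: Optional[str] = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):            # [-HKEY...] deletes the whole key
                changes.append(RegChange(key[1:], "", None, "delete_key", _is_sensitive(key[1:])))
                current_key = None
            else:
                current_key = key
            continue
        m = NAME_VALUE_RE.match(line)
        if m and current_key is not None:
            name_tok, raw_value = m.groups()
            name = "(Default)" if name_tok == "@" else _unescape(name_tok[1:-1])
            value, action = _parse_value(raw_value)
            changes.append(RegChange(current_key, name, value, action, _is_sensitive(current_key)))
    return changes


def sensitive_changes(text: str) -> List[RegChange]:
    """Only the entries that would alter IE settings or autostart keys."""
    return [c for c in parse_reg(text) if c.sensitive]


def report(text: str) -> str:
    lines = []
    for c in parse_reg(text):
        flag = "!!" if c.sensitive else "  "
        lines.append(f"{flag} {c.action:<12} {c.key}\\{c.name} = {c.value!r}")
    return "\n".join(lines)


# Constructed sample of what a hijacker's .reg file could look like.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; start page and search page redirected, Search Assistant disabled
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://hijack-placeholder.invalid/"
"Search Page"="http://hijack-placeholder.invalid/search"
"Use Search Asst"="no"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
@="http://hijack-placeholder.invalid/q?%s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"loader"="C:\\WINDOWS\\loader-placeholder.exe"

[HKEY_CURRENT_USER\Software\Unrelated\App]
"Counter"=dword:0000002a
"OldValue"=-
"""

if __name__ == "__main__":
    print(report(SAMPLE_REG))
```

Lines marked `!!` in the report are the ones to compare against the current registry (regedit or a HijackThis R0/R1/O4 listing) after removal; anything still matching the .reg file's values has not been cleaned up by the quarantine.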
 
Alan

Sounds like some of these programs might have
surreptitiously placed some files in your prefetch
folder, located at c:\windows\prefetch. I don't think
that most antispyware programs detect these files. If
you find that this is the culprit, you can go to the
following site and download these programs:

http://andymanchesta.com/Downloads/prefetch.bat

http://andymanchesta.com/Downloads/del_temp.bat

Andy Manchesta posted these as a reply to a reply that I
made to another person who kept getting reinfected.

The reason that some pages might have appeared on certain
pages and not on others is that most of these types of
spyware insert links based upon keywords, such as
education, stocks, etc.

Make certain that Zone Alarm is properly configured. Pay
close attention to make absolutely certain that you keep
the bottom 3 check boxes in the "Mobile Code" tab found
under "Options" for each site you visit checked, unless
you need to download something from them; in which case,
uncheck those boxes.

As for why it wasn't detected by MSAS, make certain that
real-time protection is turned on. If it's not turned
on, then you will get infected and not even know about
it. As for the problem with CWShredder, this might have
been due to the fact that only a .dll file was left on
the system by Spybot. Since the program file was no
longer there, there really was "no" infection.

Also, if you haven't figured out how to change your IE
settings back to the way they were before infection, do
the following:

1. Select the 'Tools' drop-down menu, select 'Advanced
Tools', and finally select 'Browser Hijack Settings
Restore.'

2. Click the 'Change restore setting to a new URL...'
link and type in the correct URL, and click on
the 'Restore this setting now' link.

3. Make certain to look at all the settings. I'm
willing to bet that you might have been infected with a
variant of ABetterInternet, which usually changes more
than just your start page. One thing to do is look
closely at a page; if it is full of oddly placed
hyperlinks, then you might still be infected. Pay close
attention to the 'Search Page' and 'Search Assistant'
settings, as these are likely to have been modified.

I have to commend Microsoft for not changing the
functionality that Giant Company, the company Microsoft
bought to acquire Giant AntiSpyware, put into these easy
to use steps to restore one's web browser to what they
were before infection. I'd like to ask Microsoft not to
change the functionality, but a redesign on the GUI for
this feature would make it much easier to use (i.e. the
links to change the setting and restore the setting are
out in never-never land if the program is enlarged to fill
the screen).

On a parting note I'd like to see a big change to MSAS.
I feel it would be a big improvement to both the program
and to our privacy and security if MSAS detects and
deletes files that a spyware/malware program has created
and stored in the prefetch folder. There's nothing worse
than deleting the offending program only to have it rear
its ugly head when the file in the prefetch folder is
accessed by your web browser or some other program.

Hope this helps

Alan
 
Andre Da Costa

From Chuck:
CoolWebSearch is a constantly mutating major nuisance. The best tool to
diagnose it is HijackThis, and expert advice. HijackThis shows all possible
traces of software, anything that MIGHT be malware, and lets an expert
identify the bad stuff manually.

HijackThis http://www.tomcoyote.com/hjt/

Create a separate folder for HijackThis, such as C:\HijackThis - copy the
downloaded file there.

Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save
the HJT Log.

http://forums.spywareinfo.com/index.php?showtopic=227

Finally, have your HJT log interpreted by experts at one or more of the
following security forums (and please post a link to your forum posts,
here):

Aumha: http://forum.aumha.org/index.php

Net-Integration: http://forums.net-integration.net/

Spyware Info: http://forums.spywareinfo.com/

Spyware Warrior: http://spywarewarrior.com/index.php

Tom Coyote: http://forums.tomcoyote.org/
--

Andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm


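Added example for Andre's HijackThis advice above and for Alan's point about checking the 'Search Page' and 'Search Assistant' settings; it is not code from either reply, from Chuck, or from the HijackThis project. It reads the R0/R1 (IE start and search pages), O2 (browser helper objects), O4 (autostart entries) and O16 (ActiveX downloads) lines of an HJT log and lists the ones that point outside an allowlist of hosts the user recognises, load a DLL straight out of the Windows folder (as the CWS .dll in the thread did), or launch from a transient folder such as prefetch. SAMPLE_LOG is constructed (hostnames, CLSIDs and file names are placeholders), EXPECTED_HOSTS is an assumed allowlist the log's owner would fill in, and the folder and path checks are heuristics, not HijackThis's own rules.

```python
"""Triage helper for a HijackThis (HJT) log (added example; the sample log
is constructed and the heuristics are this script's, not HJT's)."""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Hosts the user knows as their own home/search pages (assumption: supplied
# by the person reading the log). IE's default 'about:blank' is always fine.
EXPECTED_HOSTS = {"www.google.com", "www.msn.com"}

# Folders a legitimate autostart entry should not launch from. Heuristic.
SUSPECT_DIRS = ("\\prefetch\\", "\\temp\\", "\\temporary internet files\\")

# HJT lines look like 'R0 - ...', 'O2 - ...'; header text has no such prefix.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# A .dll sitting directly in the Windows folder, as in the thread. Heuristic.
WINDOWS_ROOT_DLL_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$")


def parse_hjt(log: str) -> List[Tuple[str, str]]:
    """Split the log into (entry code, body) pairs, ignoring header text."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def host_of(url: str) -> str:
    url = url.strip()
    if url.lower().startswith("about:"):
        return url.lower()
    return (urlsplit(url).hostname or "").lower()


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (code, reason) for every entry worth a closer look."""
    findings = []
    for code, body in parse_hjt(log):
        if code in ("R0", "R1"):
            # R0/R1 - <hive\key>,<value name> = <url>
            key, _, url = body.partition(" = ")
            h = host_of(url)
            if h != "about:blank" and h not in EXPECTED_HOSTS:
                findings.append((code, f"{key} set to unexpected host {h!r}"))
        elif code == "O2":
            # O2 - BHO: <name> - {CLSID} - <dll path>
            parts = body[len("BHO: "):].split(" - ")
            name, path = parts[0], parts[-1]
            if name == "(no name)" or WINDOWS_ROOT_DLL_RE.match(path.lower()):
                findings.append((code, f"BHO {name!r} loads {path}"))
        elif code == "O4":
            # O4 - <hive\..\Run>: [<entry name>] <command line>
            command = body.split("] ", 1)[-1].lower()
            if any(d in command for d in SUSPECT_DIRS):
                findings.append((code, f"autostart runs from a transient folder: {command}"))
        elif code == "O16":
            # O16 - DPF: {CLSID} (<name>) - <download url>
            url = body.rsplit(" - ", 1)[-1]
            h = host_of(url)
            if h not in EXPECTED_HOSTS:
                findings.append((code, f"ActiveX control downloaded from {h!r}"))
    return findings


# Constructed log excerpt in HJT's line format; not a real log.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hijack-placeholder.invalid/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\placeholder.dll
O2 - BHO: Example PDF Link Helper - {11111111-1111-1111-1111-111111111111} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [loader] C:\WINDOWS\Prefetch\placeholder.exe
O16 - DPF: {22222222-2222-2222-2222-222222222222} (Placeholder Control) - http://hijack-placeholder.invalid/ctl.cab
"""

if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(f"{code}: {reason}")
```

The output is a shortlist for the forum helpers Andre names, not a verdict: an entry it flags still needs a human to confirm it, and an entry it does not flag (a BHO with a plausible name under Program Files, say) can still be malicious, which is why the thread's advice to have the full log read by experts stands.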
 
