From: Thane Sherrington <[EMAIL PROTECTED]>
Reply-To: The Hardware List <hardware@hardwaregroup.com>
To: The Hardware List <hardware@hardwaregroup.com>
Subject: Re: [H] Spyware Woes
Date: Tue, 10 May 2005 13:00:25 -0300

At 12:50 PM 10/05/2005, Hayes Elkins wrote:
I've never met a system infected that could not be fixed. CWS slaying has been my specialty. Eliminating it has gone from over 4 hours (my own first infection) to a matter of minutes.

Care to give us a rundown of your method of attack on a CWS infection?

- You can use adaware to remove most of the dynamically created startup garbage.
- Then use Spybot S&D to identify the DSO exploit locations in the registry (1004's). You have to manually change (or delete) the keys.

- Regarding the appinitdlls in the Windows NT section of the registry, the malicious (and mf'ing dynamically named) .dll is a hidden value. Even when deleting the value with reglite or whatever, it automatically comes back. You need to rename the parent folder, say to "wind0ws" instead of windows to fool the .dll. Then go ahead and change/delete the key. Be sure to rename the folder back to windows

- You can use a program called DSOstop2 http://www.nsclean.com/dsostop.html
to prevent future infection.

- Spyware Blaster is only useful because it's a great way to know if the CWS crap is off. The exploit, when active, will PREVENT the program from running - it will have some stupid "corrupt file, virus infection" error when trying to run. If you run this program, and it loads, good, it served its purpose, uninstall it.

- Hijackthis should be used to make sure all is well after the fact. There is also a program called "About:Buster" specifically made to scan for "about:blank" home page hijackings from a particular CWS variant.

- CWShredder is utterly worthless.
Reformatting is always a cop out.
There are times when there is no other option - at least, when one operates under time constraints.

That I'll agree with.
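The AppInit_DLLs step above is the hardest part of the cleanup to verify by hand, because the DLL name changes and the value can be hidden from the usual registry editors. The following PowerShell script is an added example, not code from this thread or from any of the tools it names: it audits the real `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows` key, lists every value name with its raw bytes (so an oddly named or hidden value still shows up), reads `AppInit_DLLs` without expanding environment variables, and flags each listed DLL that is missing, hidden on disk, or not validly signed. It assumes Windows PowerShell run with administrative rights; `Get-AppInitDllReport` and the `Suspect` column are my own naming.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell with admin rights.
# $keyPath is the real AppInit_DLLs load point the message above refers to.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-AppInitDllReport {
    param([string]$Path = $keyPath)

    $key = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Enumerate every value name under the key, not only the expected ones, and show
    # the raw characters so a value that regedit displays oddly is still visible.
    Write-Host "Values under $Path :"
    foreach ($n in $key.GetValueNames()) {
        $display = if ($n -eq '') { '(Default)' } else { $n }
        $hex = ($n.ToCharArray() | ForEach-Object { '{0:x2}' -f [int]$_ }) -join ' '
        Write-Host ("  {0,-20} [{1}]" -f $display, $hex)
    }

    # Read AppInit_DLLs as stored, without expanding %vars%, to report exactly what is there.
    $raw = [string]$key.GetValue('AppInit_DLLs', '', 'DoNotExpandEnvironmentNames')
    # LoadAppInit_DLLs (Vista and later) gates the mechanism; absent on XP-era systems.
    $loadFlag = $key.GetValue('LoadAppInit_DLLs', 'absent')

    # The value is a space- or comma-separated list; bare names load from System32.
    $entries = $raw -split '[ ,]+' | Where-Object { $_ -ne '' }
    $report = foreach ($entry in $entries) {
        $resolved = [Environment]::ExpandEnvironmentVariables($entry)
        if (-not [IO.Path]::IsPathRooted($resolved)) {
            $resolved = Join-Path (Join-Path $env:SystemRoot 'System32') $resolved
        }
        $exists    = Test-Path -LiteralPath $resolved -PathType Leaf
        $hidden    = $false
        $sigStatus = 'n/a'
        if ($exists) {
            $file      = Get-Item -LiteralPath $resolved -Force   # -Force includes hidden/system files
            $hidden    = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
            $sigStatus = (Get-AuthenticodeSignature -FilePath $resolved).Status
        }
        [pscustomobject]@{
            Entry     = $entry
            Resolved  = $resolved
            Exists    = $exists
            Hidden    = $hidden
            Signature = $sigStatus
            # Missing, hidden, or unsigned entries are the ones to examine by hand.
            Suspect   = (-not $exists) -or $hidden -or ($sigStatus -ne 'Valid')
        }
    }

    [pscustomobject]@{
        LoadAppInit_DLLs = $loadFlag
        RawValue         = $raw
        Entries          = @($report)
    }
}

$result = Get-AppInitDllReport
"LoadAppInit_DLLs = $($result.LoadAppInit_DLLs); AppInit_DLLs = '$($result.RawValue)'"
$result.Entries | Format-Table -AutoSize
```

Run it before and after the cleanup: a clean machine of that era normally shows an empty `AppInit_DLLs` value and no `Suspect` rows. A row that reappears after you delete the value is the behaviour the message describes, and the raw byte dump of the value names is what tells you whether the entry you are deleting is really the one being reloaded.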