spyware removal in win 2000


mojo

Apologies for x posting.

Any advice on the following situation greatly appreciated. Running Win
2000. Somehow got some nasty spyware/pop-up crap (from zestyfind and
some other crap made by nictech). Adaware can see the files and
deletes them on a reboot. However, the files replicate themselves
(with another name) upon startup. File names change but they're all
.dlls - agfiveds.dll, aactres.dll, awlui.dll, afledit.dll and whatever
else are some that I've got rid of so far. The root problem still
persists. I've tried getting rid manually (through cmd/DOS emulation)
by changing the file attributes to read, not hidden and not system, but
it still won't let me delete because 'some other process is using the
file' (or words to that effect). Tried to close down everything in the
task manager and was left with critical files only, but still not
allowing me to delete. Tried the same in safe mode but again, can't
delete. Did try to find some way of booting into the hard drive with a
Win98 startup disk but nothing happening there either (I think it
doesn't see/recognise the NTFS or whatever the file system is on the
Win2k hard drive).

Any ideas greatly appreciated.

tia

mojo
 
There is some nasty stuff out there. Make sure you are using the latest
definitions when you scan with AdAware. Also try to use safe mode to run
AdAware. If that does not help try to go into IE tools/internet
options/advanced and uncheck use third-party browser extensions. This will
disable BHOs, even good ones you may be using, but they can be reinstalled.
After unchecking that reboot, run AdAware again, then boot right into safe
mode and run AdAware again. That worked on one of my computers but can't
guarantee it will help yours. After that you will have to use something like
BHODemon to clean up BHOs and then re-enable them if you want to use any
legitimate ones. See the link below on how to deal with parasites and
recommended IE minimum security settings that can help prevent future
problems. It also contains advice on how to deal with hard to get rid of
parasites which may include the use of advanced tools like HiJack This. ---
Steve

http://mvps.org/winhelp2002/unwanted.htm
http://www.snapfiles.com/freeware/security/fwantispy.html -- other tools.
http://www.snapfiles.com/freeware/security/fwcookie.html -- some tools
here target specific kinds of hijacks. You have nothing to lose by trying
some.
 
Hi Steve

I think I managed to sort the problem using some of your advice as well as
that of others, in conjunction with software such as vxfinder, AdAware and
HijackThis.

Once again, thanks for taking the time out to advise.

mojo
 
From the NTBugTraq mailing list:

Fri, 1 Oct 2004 10:26:28 -0400
Date: Thu, 30 Sep 2004 16:35:36 +0200
Subject: CWS = Crummy Windows Security

Hello,

CWS, CoolWebSearch, is a particularly nasty incarnation of ad-ware.
Rossano Ferraris and I have collaborated to develop a simple procedure
to remove it from an NT4-W2K-WXP box.

CWS is widely discussed on the web, but it's poorly understood and
procedures to remove it are often lengthy, cumbersome and ineffective.
Users are sometimes forced to reformat the hard disk to remove it. CWS
comes in a variety of flavors. This post will only consider the most
insidious, which involves two components: a shield-DLL and a BHO
(Browser Helper Object).

Shield-DLL
----------

The shield-DLL installs itself to the following registry value in
NT4-type systems:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls

Per MSKB 197571, a .DLL listed there is "loaded by each Windows-based
application running within the current logon session." IOW, any
ad-ware found here runs concurrently with _every_ program launched. It
is truly astonishing that such a registry location exists.

Here's what the CWS shield-DLL manages to do:

1. It prevents almost all registry editors from displaying it as an
AppInit_Dlls value. This list includes, but is not limited to:
Regedit.exe (even if renamed), Regedt32.exe, Reg.exe, Autoruns,
HijackThis, and, my favorite (because I wrote it), the "Silent
Runners.vbs" script. The _only_ program known to display it, for
unknown reasons, is the freeware Registrar Lite 2.0, available
here: http://www.resplendence.com/reglite/

2. It prevents all GUI and command line tools from listing it or
deleting it. This list includes, but is not limited to: Windows
Explorer, DIR, ATTRIB, CACLS, and DEL.

3. The .DLL file has eccentric security permissions (SYNCHRONIZE
and FILE_EXECUTE) and is READ-ONLY. Once the shield-DLL is removed
from memory, an Admin must reset security to delete the file.

4. It has a unique name on every system it infects.

5. It ensures that a BHO starts up with IE at every boot.

6. If the BHO is deleted, it restores the BHO under a new name at
the next boot.

This combination of features makes it a formidable adversary.

BHO
---

This is a .DLL that installs itself as a subkey of the following key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

The BHO is responsible for the ad-ware symptoms: change of home page,
profusion of popups, and anything else that foments the users' wrath.
The BHO registry key and the file are not protected; both can be
deleted. The BHO will simply be reloaded under a new name at the next
boot.

To eliminate CWS, we have developed a relatively simple procedure
(compared to everything else that's out there) that involves using
Registrar Lite 2.0 to record the name of the shield-DLL, a VBS script
to remove it from AppInit_Dlls, the "Silent Runners" script to
identify the BHO, and, after reboot, a second VBS script to delete the
shield-DLL and BHO files. The procedure and scripts can be found here:
http://www.silentrunners.org/sr_cwsremoval.html

MS please take note:

AppInit_Dlls is a gaping security hole. Unfettered access to this
value should be removed ASAP from NT4/W2K/WXP.

regards, Andrew Aronoff & Rossano Ferraris

*****
Want to know every program (well, almost every program -- CWS being
the exception) that starts up with Windows?
Download "Silent Runners.vbs":
http://www.silentrunners.org/
*****
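An added example, not part of the NTBugTraq post or the silentrunners.org scripts: a PowerShell baseline check, for a modern Windows host, of the two persistence points the post describes, the AppInit_DLLs value and the Browser Helper Objects key, resolving each BHO CLSID through its InprocServer32 entry and showing each DLL's path, signature status and ACL. The registry locations are the standard ones named above (unchanged since NT4); the post's own caveat applies, since the CWS shield-DLL hides from in-session registry reads, so an empty AppInit_DLLs result is not proof of a clean machine.

```powershell
# Added example (not from the NTBugTraq post): list the two persistence points
# described above. Caveat from the post: the CWS shield-DLL hides its entry from
# normal registry reads, so an empty AppInit_DLLs here does not prove a clean box.
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$bhoKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# 1. AppInit_DLLs: every DLL named here is loaded into every process that loads user32.dll,
#    which is why such a file is always "in use" and cannot be deleted from a running session.
$appInit = (Get-ItemProperty -Path $appInitKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ([string]::IsNullOrWhiteSpace($appInit)) {
    Write-Output 'AppInit_DLLs: (empty)'
} else {
    # The value is a space- or comma-separated list; bare file names resolve to System32.
    foreach ($dll in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
        $path = if (Test-Path $dll) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
        Write-Output ("AppInit_DLLs entry: {0} -> {1} (exists={2})" -f $dll, $path, (Test-Path $path))
        if (Test-Path $path) {
            # An unsigned DLL with unusual rights (the post mentions SYNCHRONIZE/FILE_EXECUTE
            # only, read-only) is the pattern to look for.
            Get-AuthenticodeSignature $path | Select-Object Status, @{n='Signer';e={$_.SignerCertificate.Subject}}
            (Get-Acl $path).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
        }
    }
}

# 2. BHOs: each subkey is a CLSID; the DLL it loads is the default value of
#    HKCR\CLSID\{clsid}\InprocServer32. Both key and file are unprotected per the post,
#    but deleting them alone is futile while the shield-DLL is still in AppInit_DLLs.
Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid   = $_.PSChildName
    $clsKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    $dll     = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
    $present = [bool]($dllPath -and (Test-Path $dllPath))
    [pscustomobject]@{
        CLSID  = $clsid
        Name   = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
        Dll    = $dllPath
        Exists = $present
        Signed = if ($present) { (Get-AuthenticodeSignature $dllPath).Status } else { 'n/a' }
    }
} | Format-Table -AutoSize
```

Run it elevated so the ACL and signature lookups succeed on files under System32; a BHO whose DLL name changes between reboots, as the post describes, shows up here as a new CLSID each time the table is compared against a saved baseline.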
 
Kevin,

Thank you for this wonderful advice. But can you state any
sure-fire method to prevent this particular adware CWS
from infecting in the first place? I mean something aimed
at this particular one?

Thanks

Andy
 
Andrew & Rossano

thanks for the detailed and very informative post. will check out the links
and take note of your advice.

mojo
 
Thank you for this wonderful advice. But can you state any
sure-fire method to prevent this particular adware CWS
from infecting in the first place? I mean something aimed
at this particular one?

I don't think you can defend just against this particular one. Further
discussions are on the NTBUGTRAQ mailing list, which probably everybody
here should be subscribed to in any case. LISTSERV.NTBUGTRAQ.COM
 