Cexx forums

Topic: New CoolWebSearch variants
« on: October 13, 2003, 01:45:46 »
Unzy
Guest

Great summation by Merijn of known CWS variants so far:

CoolWebSearch Chronicles


The last couple of days CWS has been really busy; new variants have been identified, some of them still under investigation:

1. sys.reg/winshow
as seen HERE <- sys.reg

as seen HERE <- winshow.dll

2. searchv/msupdater
as seen HERE

3. dreplace.dll (BHO)
as seen HERE and HERE

NOTE: If you have Dreplace.dll, with svcinit in running processes, there is a special registry fix written by Mosaic (thanks Mo!):

Check the item below in HijackThis, close all windows except HijackThis and click Fix checked:
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
Then go to this site http://www.mjc1.com/files/mo/ and click the svcinit link and download userinit.zip
Unzip and double-click that file. (Thanks Pieter)

4. searchdot.net/C:\WINDOWS\Fonts\msoffice.hta (CWS?)
as seen HERE

5. searchv/mupdate
F0 - system.ini: Shell=Explorer.exe mupdate.exe
F1 - win.ini: run=mupdate.exe
F2 - REG:system.ini: Shell=Explorer.exe mupdate.exe
as seen HERE

6. Luckysearch.net variant, hijack keeps returning
as seen HERE

Merijn seems to be really busy IRL; hope he hurries back soon, he will have a lot of work. Hope Tony and Pieter still have a lot of free time on their hands for doing great investigational work.

(Thanks to mjc and boOch for the help with this summation!)

Cheers,
« Reply #1 on: October 15, 2003, 01:55:39 »
Merijn
Newbie

Thanks Unzy!
I'm writing all this down to update CWShredder offline.

I'm offline for about a week more, since I've just moved - the phone company didn't move our line over yet. Just hopped online in our old house (which is rented out so I can't be here all the time) to give a quick update.

-----

A link to a new CWShredder beta (the last variant known to it is CWS.Svcinit, so it's about 5 variants behind) that might help some people:
http://www.spywareinfo.com/~merijn/files/beta/CWShredder.exe
« Reply #2 on: October 15, 2003, 02:13:55 »
Unzy
Guest

Good job Merijn!

Thanks

Cheers,
« Reply #3 on: October 30, 2003, 02:42:00 »
Unzy
Guest

One new variant to add:

WinLink.dll

It's a WinShow lookalike and they appear to pop up side by side as BHOs.

Creates a WinLink folder in the Application Data directory, just as there was a WinShow folder.

as seen HERE

Cheers,
« Reply #4 on: October 30, 2003, 02:53:41 »
Metallica
Global Moderator

Thanks Unzy,

Which reminds me, there is one more line to look out for that is CWS:

O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --

As seen here: http://forums.spywareinfo.com/index.php?showtopic=15219

Not sure what exactly it does, but fixing it in HijackThis is enough to make it go away.

Pieter
« Reply #5 on: October 30, 2003, 07:35:40 »
Unzy
Guest

Thanks Pieter
« Reply #6 on: November 03, 2003, 06:53:59 »
Unzy
Guest

Possible new CWS variant:

Hacks the URLSearchHook of Internet Explorer (MailTo type) so that any mistyped URLs, or URLs entered without www, typed into the IE address bar are redirected.

R3 - URLSearchHook: MailTo Class - {01A9EB7D-69BC-11D2-AB2F-204C4F4F5020} - C:\WINDOWS\System32\astctl32.ocx

as seen HERE


After further investigation, it is definitely a CWS variant:

The CLSID is the same as that of the DNSRelay hijack:

R3 - URLSearchHook: MailTo Class - {01A9EB7D-69BC-11D2-AB2F-204C4F4F5020} - C:\WINDOWS\System32\astctl32.ocx

R3 - URLSearchHook: MailTo Class - {01A9EB7D-69BC-11D2-AB2F-204C4F4F5020} - C:\WINDOWS\System32\dnsrelay.dll

Cheers,
« Reply #7 on: November 07, 2003, 00:32:10 »
Metallica
Global Moderator

Another CWS variant:

O4 - HKCU\..\Run: [ld] C:\WINDOWS\ld.exe

As found here: http://forums.spywareinfo.com/index.php?showtopic=16004&st=15&

And a warning:

On some systems removing the DReplace BHO with CWShredder has caused the systems to become unbootable.
For now we assume the built-in unregister of the .dll has been corrupted.

Please use BHODemon to disable the BHO until we learn more about this issue.
« Reply #8 on: November 09, 2003, 07:45:40 »
Jackb
Full Member

Here is the fix for the DReplace.dll BHO (thanks freeatlast)

First do this please.
Download this: http://TomCoyote.org/downloads/DreplaceFix.reg
Double-click DreplaceFix.reg and answer Yes.

Then close all IE windows and delete the file C:\WINDOWS\SYSTEM\DREPLACE.DLL

Failure to do this first can have very bad results on Win ME or Win98 systems!
« Reply #9 on: November 09, 2003, 07:48:16 »
Unzy
Guest

Thanks so much for stepping in Jackb

fal! you own

Cheers,
« Reply #10 on: November 09, 2003, 08:58:45 »
Metallica
Global Moderator

Another CWS variant:

O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe

Hijacking to rightfinder.net
« Reply #11 on: November 09, 2003, 16:14:59 »
Unzy
Guest

Updated version of CWShredder:

http://www.spywareinfo.com/~merijn/files/cwshredder.zip

This corrects a major problem with fixing DReplace.dll in Windows98 Gold, Windows98 SE, and Windows ME.

Cheers,
« Reply #12 on: November 11, 2003, 00:53:11 »
Metallica
Global Moderator

More CWS news:

O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\MSEJDB.DLL
as found here: http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=32;t=6972;st=0;r=1;&
and here:
http://forums.spywareinfo.com/index.php?showtopic=16535

filename ms(+4 random letters).dll

Very similar (maybe even the same) CLSID is used by ToolbarCC, but these are normally found in a Temp folder.

Regards,

Pieter
« Reply #13 on: November 17, 2003, 00:18:54 »
Metallica
Global Moderator

New CWS variants:

O2 - BHO: Microsoft SearchWord - {79369D5C-2903-4b7a-ADE2-D5E0DEE14D24} - C:\Documents and Settings\Corey\Application Data\SearchWord.dll

O4 - HKLM\..\Run: [Win64 Compatibility Check] load win64.drv /c /set -- by windows setup --

Both have been added to CWShredder in the meantime.
« Reply #14 on: November 19, 2003, 02:27:11 »
Metallica
Global Moderator

And another one:
O2 - BHO: Microsoft SearchWord - {79369D5C-2903-4b7a-ADE2-D5E0DEE14D24} - C:\DOCUME~1\Danny\APPLIC~1\MICROS~1\Office\Word10.dll

Example: http://forums.spywareinfo.com/index.php?showtopic=17627

Removal seems to be a problem, will keep you posted.
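The HijackThis lines quoted throughout this thread (the O2 BHO entries with their CLSIDs, the R3 URLSearchHook, the O4 Run keys, the F0/F1/F2 Shell= and run= lines) follow a fixed format, so they can be parsed and matched against the indicators the posters collected. The Python below is an added example written for this page; it is not code from the thread, from HijackThis or from CWShredder. It parses a constructed sample log, flags every indicator listed in the posts above (matching BHOs on CLSID first, so the SearchWord copy hiding as Word10.dll is still caught), and writes a .reg fragment in the spirit of the DReplace fix from the first post and Jackb's reply: it deletes the flagged BHO's entry under the Browser Helper Objects key and its CLSID key, which are the standard BHO registration locations. The indicator labels, the sample log and the Acrobat BHO used as a benign control are my additions, not from the thread.

```python
"""Flag the CoolWebSearch indicators collected in this thread in a HijackThis log,
then emit a .reg fragment that unregisters any flagged BHO.
Added example (not from the thread, HijackThis or CWShredder): the CLSIDs, file
names and Run-key names come from the posts above; the sample log is constructed."""
import re
from typing import List, Optional, Tuple

# BHO CLSIDs from the O2 lines in the thread (DReplace, ms????.dll, SearchWord).
CWS_BHO_CLSIDS = {
    "{086AE192-23A6-48D6-96EC-715F53797E85}": "DReplace BHO",
    "{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1}": "ms????.dll BHO",
    "{79369D5C-2903-4B7A-ADE2-D5E0DEE14D24}": "SearchWord BHO",
}
# "MailTo Class" URLSearchHook CLSID shared by astctl32.ocx and dnsrelay.dll (R3 lines).
CWS_SEARCHHOOK_CLSID = "{01A9EB7D-69BC-11D2-AB2F-204C4F4F5020}"
# Run-key value names from the O4 lines, and file names from all posts; both are
# compared lower-cased, files on the basename only so 8.3 short paths still match.
CWS_RUN_NAMES = {"windows shell library loader", "win64 compatibility check", "ld", "addclass"}
CWS_FILES = {"winshow.dll", "winlink.dll", "dreplace.dll", "astctl32.ocx", "dnsrelay.dll",
             "searchword.dll", "msoffice.hta", "mupdate.exe", "ld.exe", "addclass.exe"}

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")  # O4 body

def _basename(path: str) -> str:
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(line: str) -> Optional[str]:
    """Reason string if the HijackThis line matches a CWS indicator, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    found = CLSID_RE.search(body)
    clsid = found.group(0).upper() if found else None  # thread shows both 4b7a and 4B7A
    tail = _basename(body.rsplit(" - ", 1)[-1])  # last field of "name - {CLSID} - path"
    if kind == "O2":  # BHO: CLSID first (catches the Word10.dll masquerade), file name second
        if clsid in CWS_BHO_CLSIDS:
            return f"CWS {CWS_BHO_CLSIDS[clsid]} (CLSID match)"
        if tail in CWS_FILES:
            return f"CWS BHO file {tail}"
    elif kind == "R3" and clsid == CWS_SEARCHHOOK_CLSID:  # one CLSID, two different DLLs
        return f"CWS URLSearchHook hijack (MailTo Class CLSID) via {tail}"
    elif kind == "O4":  # Run key: value name first, then any file on the command line
        r = RUN_RE.match(body)
        if r and r.group("name").lower() in CWS_RUN_NAMES:
            return f"CWS Run entry [{r.group('name')}]"
        for token in (r.group("cmd").split() if r else []):
            if _basename(token) in CWS_FILES:
                return f"CWS Run entry launching {_basename(token)}"
    elif kind in ("F0", "F2"):  # Shell= must be exactly Explorer.exe; extras run at every logon
        extra = [t for t in body.partition("Shell=")[2].split() if t.lower() != "explorer.exe"]
        if extra:
            return f"extra program in Shell= ({', '.join(extra)})"
    elif kind == "F1":  # win.ini run= or load=
        prog = _basename(body.split("=", 1)[-1])
        if prog in CWS_FILES:
            return f"CWS win.ini entry {prog}"
    return None

def scan(log_text: str) -> List[Tuple[str, str]]:
    """All (line, reason) pairs in the log that match a CWS indicator."""
    pairs = ((ln.strip(), classify(ln)) for ln in log_text.splitlines())
    return [(ln, why) for ln, why in pairs if why]

def bho_removal_reg(log_text: str) -> str:
    """.reg text deleting each flagged O2 BHO's registration (its Browser Helper
    Objects entry and its CLSID key); the DLL itself is deleted by hand after IE
    is closed. REGEDIT4 is the header Win9x/ME regedit needs; NT regedit takes it too."""
    clsids: List[str] = []
    for line, _ in scan(log_text):
        found = CLSID_RE.search(line)
        if line.startswith("O2 - ") and found and found.group(0).upper() not in clsids:
            clsids.append(found.group(0).upper())
    out = ["REGEDIT4", ""]
    for c in clsids:
        out += ["[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                "\\Explorer\\Browser Helper Objects\\" + c + "]",
                "[-HKEY_CLASSES_ROOT\\CLSID\\" + c + "]", ""]
    return "\n".join(out)

# Constructed sample log: thread indicators plus the Acrobat BHO as a benign control.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
R3 - URLSearchHook: MailTo Class - {01A9EB7D-69BC-11D2-AB2F-204C4F4F5020} - C:\WINDOWS\System32\astctl32.ocx
F0 - system.ini: Shell=Explorer.exe mupdate.exe
F1 - win.ini: run=mupdate.exe
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
O2 - BHO: Microsoft SearchWord - {79369D5C-2903-4b7a-ADE2-D5E0DEE14D24} - C:\DOCUME~1\Danny\APPLIC~1\MICROS~1\Office\Word10.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe
"""

if __name__ == "__main__":
    for line, reason in scan(SAMPLE_LOG):
        print(f"{reason:<52} {line}")
    print(bho_removal_reg(SAMPLE_LOG))
```

Run as a script it lists the seven flagged lines of the sample (the clean F2 line and the Acrobat BHO are left alone) and prints the REGEDIT4 fragment for the two CWS BHOs. The fragment only removes the registration; as Jackb's post above stresses, the file is deleted afterwards with all IE windows closed, and the thread's reports of unbootable Win98/ME systems after a DReplace removal are the reason to keep that order rather than deleting the DLL first.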