News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
Pages: 1 ... 3 4 [5] 6 7   Go Down
Topic: New CoolWebSearch variants  (Read 78003 times)
« Reply #60 on: February 22, 2004, 07:13:10 »
Metallica (Global Moderator)

Quote from: Merijn
Added it as CWS.Winres to CWShredder 1.50.

I'm emailing it to phoenix22 of Computercops.biz for his mirror. If anyone else wants to mirror it, send me your email addy and I'll notify you when a new ver is out.


You still have my addy, don't you?

Pieter

« Reply #61 on: February 23, 2004, 02:22:38 »
Merijn

Nope. I think I lost the list a while ago.
« Reply #62 on: February 23, 2004, 02:38:56 »
Metallica (Global Moderator)

Quote from: Merijn
Nope. I think I lost the list a while ago.


I copied CWShredder in the meantime. Please mail future updates to pieterATwilderssecurity.org (AT= @)

I could use some help on the new drxcount infection, if you have some time to spare or any ideas where to look, I'm running out of them. Sad

Pieter

« Reply #63 on: February 24, 2004, 17:56:45 »
Unzy (Guest)

I'm pleased to announce FreeAtLast has stepped in and is doing a great job analysing that particular hijack Smile

Thumbs Up

Cheers,
« Reply #64 on: February 26, 2004, 09:54:33 »
Merijn

I wrote it down Pieter. The current CWShredder is 1.51 - latest addition: CWS.Control.4 (random random random) plus a routine that kills the random autoruns based on user input ('is this file random? [yes/no]' etc).
« Reply #65 on: March 01, 2004, 06:55:32 »
Metallica (Global Moderator)

O1 - Hosts: 213.159.117.235 auto.search.msn.com

O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://209.8.161.56/buka.chm::/hz.exe

As seen here: http://www.spywareinfo.com/forums/index.php?showtopic=32936

Added in version 1.52.0

« Reply #66 on: March 03, 2004, 10:28:32 »
Unzy (Guest)

And another one, as spotted by TonyKlein :

O4 - HKLM\..\Run: [setupuser] regedit.exe /s C:\WINDOWS\setupuser.log

Log Example

Contents of the reg hack showed :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.terra.es/personal7/crabby-search"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Bar"="http://www.terra.es/personal7/crabby-search"

Cheers,
« Reply #67 on: March 08, 2004, 10:29:04 »
Dew7 (Guest)

I just wanted to let you know that the old version of CWShredder affected my Windows 98SE with the false about:blank reading.  It was not only XP/2000 systems.  I do not know if it affected any other versions.  I am glad it is now fixed.
« Reply #68 on: March 15, 2004, 07:25:09 »
Unzy (Guest)

drxcount.biz / real-yellow-page.com UPDATE

After much analyzing, headaches and sleepless nights I am glad to say that the experts who worked on this did a tremendous job and we are getting near a manual removal solution. Please follow instructions on Merijn's page :

NOTE* : because Merijn's site still is up and down these days, I'll copy his post in this thread :

**Taken from Merijn's site! :

Quote

If your browser has been hijacked to drxcount.biz, real-yellow-page.com or list2004.com:
We are working on a fix for this one and drawing near to a solution. This is by far the most sophisticated CWS variant seen to date, and it will take some time before CWShredder will be able to remove it automatically.

So far, the following manual fix should work:
First download FAR explorer from here:

http://www.rarlab.com/far/Far1705.exe

Install it, then start FAR.
Hit Alt-F1 and drive list should come up, go to '0 process list'.

Scroll to Iexplore.exe in the left panel, highlight it and hit F5.
Now go to the right pane of FAR and double click 'iexplore.exe.txt', it should open in notepad.

Look for a file with this size and beginning to it. The filename will always be different:
61C00000 F000 c:\windows\system32\wingn.dll

This part indicates the bad file:
61C00000 F000
It will always start with that header.
Write down the filename behind it.

Now download KillBox:
http://download.broadbandmedic.com/
Unzip and run it.
Paste the filename you wrote down into the white kill line, then hit the bottom green arrow button to move the file to the bottom of killbox. Hit the 'remove on reboot' button and reboot. Once it reboots, make sure the file is gone.


If this doesn't work, search for more help on one of these following forums, the experts will assist you further :

-> this forum of course
WildersSecurity
SpywareInfo
ComputerCops
TechSupportGuy

It will take some time before the shredder will be updated including this fix.

Thnx all and very good job ! Thumbs Up
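The manual fix quoted above boils down to two mechanical steps: scan the module list FAR dumps for iexplore.exe for the one entry whose base/size header is 61C00000 F000 (the file name changes per infection, so the header is the only stable indicator), then schedule that file for deletion at next boot. The script below is an added example, not Merijn's or CWShredder's code. It assumes the iexplore.exe.txt dump has one module per line laid out as `<base> <size> <path>`, as in the fragment quoted in the post; the sample dump is constructed, with wingn.dll standing in for whatever random name a real infection uses. The delete-on-reboot helper builds the PendingFileRenameOperations pairs that Windows' own MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) writes; the thread does not say whether KillBox uses that exact mechanism.

```python
"""Find the CWS.drxcount DLL in a FAR process-list module dump (added example, not Merijn's code).
Assumption: the iexplore.exe.txt dump has one module per line as '<base> <size> <path>', as in
the fragment quoted above ('61C00000 F000 c:\\windows\\system32\\wingn.dll')."""
import re
from typing import Dict, List, Optional

# The fix above says the bad module always carries this header; only the file name changes.
CWS_BASE = 0x61C00000
CWS_SIZE = 0xF000

MODULE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{1,8})\s+(\S.*?)\s*$")


def parse_modules(dump: str) -> List[Dict[str, object]]:
    """Parse '<base> <size> <path>' lines; anything else (headers, blank lines) is skipped."""
    modules = []
    for line in dump.splitlines():
        m = MODULE_RE.match(line)
        if m:
            modules.append({"base": int(m.group(1), 16),
                            "size": int(m.group(2), 16),
                            "path": m.group(3)})
    return modules


def find_cws_module(dump: str) -> Optional[str]:
    """Return the path of the module carrying the 61C00000/F000 signature, or None."""
    for mod in parse_modules(dump):
        if mod["base"] == CWS_BASE and mod["size"] == CWS_SIZE:
            return str(mod["path"])
    return None


def pending_delete_entries(paths: List[str]) -> List[str]:
    """Build the PendingFileRenameOperations REG_MULTI_SZ pairs that delete each file at boot.
    This is the layout MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) writes: a '\\??\\<source>'
    entry followed by an empty target means 'delete'. Whether KillBox uses exactly this route
    is not stated in the thread (assumption); it is the documented OS mechanism for the job."""
    entries = []
    for p in paths:
        entries.append("\\??\\" + p)
        entries.append("")
    return entries


# Constructed sample dump; every module except wingn.dll is an ordinary IE/system module.
SAMPLE_DUMP = """\
Modules of iexplore.exe
00400000 19000 c:\\program files\\internet explorer\\iexplore.exe
77F50000 A7000 c:\\windows\\system32\\ntdll.dll
61C00000 F000 c:\\windows\\system32\\wingn.dll
71AB0000 17000 c:\\windows\\system32\\ws2_32.dll
"""

if __name__ == "__main__":
    bad = find_cws_module(SAMPLE_DUMP)
    print("suspect module:", bad)
    if bad:
        print("PendingFileRenameOperations:", pending_delete_entries([bad]))
```

Matching on base and size rather than on the file name is the whole point: a name-based blacklist is exactly what this variant defeats. After the reboot, re-run the dump and confirm no module with that header is loaded any more, because a second copy under another name would mean the dropper is still running.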
« Reply #69 on: March 22, 2004, 01:25:39 »
Unzy (Guest)

Another CWS variant has been spotted by Pieter (Metallica) :

O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe

Redirecting browser to your-search.info, style sheets present

Usually accompanied with startup 'sytem32.exe' , spelled like that!

Log examples :

HERE

HERE

Cheers,
« Reply #70 on: April 02, 2004, 05:31:30 »
Unzy (Guest)

Merijn did an excellent job again, a new version of CWShredder is out, dealing with the latest plague, your-search.info

*Added removal for new CWS.Systeminit variant -
(hijacks to your-search.info)
*Added a lot of files to CWS.Control whitelist.
*Blacklist keeps growing, now at 1290 domains.

CWShredder 1.54.0

CWSdomains

Thnx Merijn Thumbs Up

Cheers,
« Reply #71 on: April 02, 2004, 09:48:10 »
Dew7 (Guest)

Thank you, Merijn.  Your CWShredder program has helped keep my 98SE system with Office XP Pro and IE 6 SP1 secure.  Also, have found the HOSTS program by an MVP of the 98 Microsoft newsgroup useful.  Also, use Spy Sweeper, Ad-Aware, SpywareBlaster, HijackThis, ZoneAlarm, hardware firewall, AntiVir virus program, Spybot - Search and Destroy, PestPatrol, etc. to help protect my system.  This discussion board is a great source of news and information for me as a consumer and business user.   Very Happy
« Reply #72 on: April 04, 2004, 10:35:17 »
Unzy (Guest)

A new variant spotted By TonyKlein :

O4 - HKCU\..\RunOnce: [sounddrv] C:\WINDOWS\system32\sndbdrv3104.exe

redirecting browser to :

http://defaultsearching.com

As seen HERE

Quote from: Merijn
Added as CWS.Sounddrv to CWShredder 1.55.


Thumbs Up

Cheers,
« Reply #73 on: April 07, 2004, 03:59:02 »
Metallica (Global Moderator)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kfiokk.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kfiokk.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kfiokk.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kfiokk.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kfiokk.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kfiokk.dll/sp.html (obfuscated)

O2 - BHO: (no name) - {54DDBEA0-AAE2-43A1-9076-3F064D0DEA55} - C:\WINDOWS\System32\kfiokk.dll

Using different filenames (also have seen edpf.dll )
Got some samples from flrmn1 of TSG

Example log
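The HijackThis lines posted in Replies #65, #66, #69, #72 and #73 each show one CWS trick: a hosts-file override of auto.search.msn.com, a search page served out of a DLL via res://, a DPF object pulled through the ms-its:/CHM handler, an autorun that silently re-imports a .reg hack, an unnamed BHO under a random System32 name, and autoruns whose names vary per infection. The script below is an added example, not CWShredder's logic or its blacklist: it runs a handful of rules read off those posts over a constructed sample log (the indicator lines are the ones quoted in the thread, plus one benign R0 line), and parses the setupuser.log .reg hack from Reply #66 to check its IE search values against the few domains named in this thread. The two rules marked heuristic (4+ digits in an autorun exe name, a `.dll` label that launches an `.exe`) will produce false positives on a real log and are there to show how the "random random random" variants can still be caught by shape.

```python
"""Triage of HijackThis-style log lines and a .reg hack for the CWS indicators in this thread.
Added example: the rules are heuristics read off the posts above, not CWShredder's own logic."""
import re
from typing import Dict, List, Tuple

# Hijack destinations named in the thread (illustrative, not the 1290-domain CWS blacklist).
CWS_DOMAINS = ("drxcount.biz", "real-yellow-page.com", "list2004.com",
               "your-search.info", "defaultsearching.com", "terra.es/personal7/crabby-search")
DOMAIN_RE = re.compile("|".join(map(re.escape, CWS_DOMAINS)), re.I)

# IE search hosts a hosts-file entry should never redirect (assumption: no legitimate home
# setup overrides these; CWS pointed them at its own server, 213.159.117.235 in Reply #65).
PROTECTED_HOSTS = ("auto.search.msn.com", "search.msn.com")
HOSTS_RE = re.compile(r"^O1 - Hosts: \S+ (?:%s)\s*$" % "|".join(map(re.escape, PROTECTED_HOSTS)), re.I)

RULES = [
    ("hosts override of IE search host", HOSTS_RE),
    # Search Bar / Search Page / SearchAssistant served out of a DLL resource (Reply #73).
    ("search page served from res:// inside a DLL", re.compile(r"^R[01] - .*= res://.*\.dll/", re.I)),
    # Downloaded Program File fetched through the ms-its:/CHM handler (buka.chm -> hz.exe).
    ("DPF object loaded via ms-its:/CHM", re.compile(r"^O16 - DPF: .*(?:ms-its:|\.chm)", re.I)),
    # Autorun that silently re-imports a .reg hack at every logon (Reply #66).
    ("silent registry import at logon (regedit /s)", re.compile(r"^O4 - .*regedit(?:\.exe)? /s ", re.I)),
    # Unnamed BHO living in System32 under a per-infection random file name (Reply #73).
    ("unnamed BHO DLL in System32", re.compile(r"^O2 - BHO: \(no name\) - \{[0-9A-F-]+\} - .*\\System32\\[^\\]+\.dll$", re.I)),
    # Heuristic from CWS.Sounddrv (sndbdrv3104.exe): autorun exe with 4+ digits in its name.
    ("autorun exe with numeric suffix (heuristic)", re.compile(r"^O4 - .*\d{4,}\.exe", re.I)),
    # Heuristic from CWS.Systeminit: autorun label pretends to be a .dll but launches an .exe.
    ("autorun label '.dll' launching an .exe (heuristic)", re.compile(r"^O4 - .*\[[^\]]*\.dll\] .*\.exe", re.I)),
    ("known CWS domain", DOMAIN_RE),
]


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return every log line that trips at least one rule, with the names of the rules that fired."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = [name for name, rx in RULES if rx.search(line)]
        if reasons:
            hits.append({"line": line, "reasons": reasons})
    return hits


def reg_ie_values(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for string values under Internet Explorer keys in a .reg file."""
    key, out = None, []
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "\\Internet Explorer\\" in key and line.startswith('"'):
            name, _, data = line.partition("=")
            out.append((key, name.strip('"'), data.strip('"')))
    return out


def triage_reg(reg_text: str) -> List[Tuple[str, str, str]]:
    """IE search/start values in a .reg file that point at a known CWS domain."""
    return [t for t in reg_ie_values(reg_text) if DOMAIN_RE.search(t[2])]


# Constructed sample log: indicator lines quoted in this thread plus one benign R0 line.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kfiokk.dll/sp.html (obfuscated)
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: (no name) - {54DDBEA0-AAE2-43A1-9076-3F064D0DEA55} - C:\WINDOWS\System32\kfiokk.dll
O4 - HKLM\..\Run: [setupuser] regedit.exe /s C:\WINDOWS\setupuser.log
O4 - HKCU\..\RunOnce: [sounddrv] C:\WINDOWS\system32\sndbdrv3104.exe
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://209.8.161.56/buka.chm::/hz.exe
"""

# Constructed sample of the setupuser.log reg hack quoted in Reply #66.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.terra.es/personal7/crabby-search"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Bar"="http://www.terra.es/personal7/crabby-search"
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["line"][:70], "->", ", ".join(hit["reasons"]))
    for key, name, data in triage_reg(SAMPLE_REG):
        print(key, name, "->", data)
```

Note which rules never depend on a file or domain name: the res:// rule, the ms-its: rule, the regedit /s rule and the two shape heuristics all fire on the random-name variants that the thread says give the shredder "a tough time". The domain rule only catches what is already on the list, which is why the list grows with every variant.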

« Reply #74 on: April 07, 2004, 07:52:07 »
Unzy (Guest)

Yep that seems to be a brand new one

Each time a different dll, corresponding with a BHO

Every infection = new dll Sad man the shredder will have a tough time dealing with this

Cheers,