Fucking spyware...
May. 24th, 2004 11:47 am
Do you have any idea how hard it is to get CoolWebSearch *spit* to go away for good?
Ad-aware won't do it,
Spybot won't do it,
SpywareBlaster will block it but it already got in, so forget it.
CWShredder will get rid of it but it just keeps coming back with every reboot.
Why won't you die???
FIXED: My train of thought wasn't evil enough to think on their level. A little research turned up the sordid truth: a rare variant of VX2 was hooking into explorer, which launched a NicTech/Look2Me .dll hidden behind Rundll32, which a) hijacked the homepage, b) generated the popups, and c) dropped CWS.
And this was on a customer's machine that came in for NAV not working right. I wonder why? Ad-aware hit 1033 on the first run.
Gah. Smoke Break NOW.
no subject
Date: 2004-05-24 09:28 am (UTC)
no subject
Date: 2004-05-24 09:37 am (UTC)
The people I support must not be as bad as I thought.
Yup.
Date: 2004-05-24 09:44 am (UTC)
This wasn't a browserjacking, BHO, running process, ActiveX, or anything that simple. This was a .dll loaded by Rundll32 at startup due to a CLSID entry created in HKLM/Software/Microsoft/Shell Extensions/Approved (approved by who exactly...). Because of this it's impossible to get rid of once explorer.exe and rundll32.exe have loaded. I needed PV to find it.
It usually shows up as msg11*.dll or a .dll that's almost the same name as a system file, e.g. idfrared.dll. The guilty file will show in properties... to be digitally signed by NicTech Networks.
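The comment above describes the persistence mechanism: a CLSID listed under the shell's "Approved" extensions key, whose InprocServer32 DLL gets loaded by explorer.exe and rundll32.exe at logon. Below is a PowerShell audit for that key, added here as an example; it is not the post author's procedure and not a tool from the thread (the author used PV on a 2004-era machine, where PowerShell did not exist). It assumes the full key path `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved` (the comment abbreviates it) and that the script runs from an elevated prompt. For each approved CLSID it resolves the DLL, checks its Authenticode signer, and flags entries that are unsigned, not Microsoft-signed, or living outside the Windows directory, which is exactly the "signed by NicTech Networks, named like a system file" pattern the comment points at.

```powershell
# Added example (not from the original post): list the shell-extension CLSIDs that
# explorer.exe is allowed to load, resolve each one to its DLL, and report signer.
# Assumed key path: the well-known Windows location, abbreviated in the post.

$approvedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'

# Each value name under Approved is a CLSID; the value data is a free-text description.
$approved = Get-ItemProperty -Path $approvedKey
$clsids = $approved.PSObject.Properties |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' }

$report = foreach ($entry in $clsids) {
    $clsid  = $entry.Name
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $dll    = $null

    if (Test-Path -LiteralPath $inproc) {
        # The default value of InprocServer32 is the DLL path, often containing %SystemRoot%.
        $raw = (Get-ItemProperty -LiteralPath $inproc).'(default)'
        if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"') }
    }

    $signer = 'n/a'; $status = 'NoServerRegistered'; $exists = $false
    if ($dll) {
        $exists = Test-Path -LiteralPath $dll
        if ($exists) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        } else {
            $status = 'FileMissing'
        }
    }

    # Triage heuristic: a DLL that is not validly signed, not signed by Microsoft,
    # or not under the Windows directory deserves a manual look. This is a hint,
    # not a verdict; legitimate third-party extensions will trip it too.
    $suspicious = $exists -and (
        $status -ne 'Valid' -or
        $signer -notmatch 'O=Microsoft Corporation' -or
        $dll -notlike "$env:SystemRoot\*"
    )

    [pscustomobject]@{
        CLSID       = $clsid
        Description = $entry.Value
        Dll         = $dll
        SigStatus   = $status
        Signer      = $signer
        Suspicious  = $suspicious
    }
}

# Flagged entries first; compare each Dll path and Signer against what you expect on the box.
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Because the DLL is already mapped into explorer.exe once you are logged on, the useful output of this audit is the path and signer of the flagged file, not an attempt to delete it in place; the removal itself has to happen with the shell not running (safe mode or an offline boot), which is the point the comment makes about explorer.exe and rundll32.exe having loaded. On older Windows builds, catalog-signed system DLLs may report NotSigned rather than Valid, so treat the flag as a starting point for inspection rather than proof of infection.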
no subject
Date: 2004-05-24 06:32 pm (UTC)
Compared to the stuff you can get for free, that is.
Re: Yup.
Date: 2004-05-24 07:16 pm (UTC)
As for keeping it from returning, I have been informed this will work. I haven't tried it yet, but from what I hear it's pretty decent.
Spyware Blaster
http://www.javacoolsoftware.com/spywareblaster.html
And Spyware Guard
http://www.javacoolsoftware.com/spywareguard.html
Re: Yup.
Date: 2004-05-24 07:29 pm (UTC)
I don't think it has an official site, but I found it here: http://www.zerosrealm.com/downloads.php
no subject
Date: 2004-05-25 10:31 am (UTC)
no subject
Date: 2004-05-27 03:42 pm (UTC)
Now we've got worms and spyware up the wahoo, but when was the last time we had a *real* V I R U S virus?
Nobody's h@x0r3d my @$$ in forever =(
no subject
Date: 2004-05-31 01:37 pm (UTC)