CWS Strikes again.
May. 25th, 2004 02:55 pm
Our little friend CoolWebSearch is leaving computers stuck in a bluescreen loop due to Winlogon.exe terminating.
That's right, spyware now trojans the Windows Logon Process. That's scary.
no subject
Date: 2004-05-25 12:36 pm (UTC)
Must...find...script...kiddy...to...pummel...
no subject
Date: 2004-05-25 10:04 pm (UTC)
no subject
Date: 2004-05-25 07:44 pm (UTC)
That's why my family computer wouldn't turn on.
And 3 kids called my house asking me to fix their computers that were stuck in the loop. "They just keep rebooting!"
Any known fix or solution?
Yeah.
Date: 2004-05-25 10:24 pm (UTC)
If you keep removing CWS with CWShredder and it's coming back, you have winlogon trojaned. The bad thing about this infection is that you cannot get rid of it once Windows boots. Not even in safe mode. Nothing can touch winlogon.exe, not even antivirus. CWS has a similar way of trojaning Win9x, but if you kill explorer you can remove it.
If your computer is rebooting and you think you have CWS, boot into safe mode, go to system CP, advanced, Startup and Recovery settings, and uncheck system failure - auto restart. This will let you read the BSOD. Reboot and if the BSOD reads something like "STOP... Windows Logon Process terminated with code 0x00000005" you got the CWS Winlogon trojan.
Boot into safe mode again. Log in as administrator, or if you don't know the administrator password, as another privileged account. Remove the administrator password, you're going to be using the XP recovery console and it tends to not let you log on if there is a password, even one you know.
Open regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. Look for any keys under here starting with "Guardian". If you find one, delete it, then hit F5 to refresh. If it came right back, you KNOW you have CWS.
Go into the key and find the DllName value. It will be something very similar to a Windows system file (I've seen acd.dll, idfrared.dll, 6xo4svc.dll, etc.).
With hidden files shown you should be able to locate the file in \Windows\system32\, but you won't be able to delete it. You can unhide and un-read-only it, though. You may find several hidden .dlls named this way; they are previous versions of CWS. Delete all of them you can, but you won't be able to kill the real trojan yet.
Once you know the .dll name, shut down the computer and boot from the XP CD. Go into the recovery console, log on, and type the following. Substitute the name of the dll for cws.dll where appropriate.
cd \windows\system32
attrib -r cws.dll
del cws.dll
Type "exit" to reboot and it should come up OK. Use regedit to delete the "Guardian" key from the place noted above. Immediately run CWShredder to get the rest of CWS off the machine.
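As an added example (not part of the thread or any commenter's code), here is a read-only PowerShell audit of the Winlogon\Notify key described above: it lists every notification package, flags a "Guardian*" key name, a DllName whose file in System32 is hidden or read-only, and a DLL that is not validly signed. It assumes a modern Windows PowerShell run from an elevated prompt; the Notify mechanism was dropped after XP, so on current systems the key is normally absent or empty, but a stale entry is still worth a look.

```powershell
# Added example, not from the original post: audit Winlogon notification
# packages for the symptoms described in the thread. Reports only; deletes nothing.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32  = Join-Path $env:SystemRoot 'System32'

if (-not (Test-Path $notifyKey)) {
    Write-Output "No Winlogon\Notify key present (expected on Vista and later)."
    return
}

Get-ChildItem $notifyKey | ForEach-Object {
    $subkey  = $_
    $dllName = (Get-ItemProperty -Path $subkey.PSPath -ErrorAction SilentlyContinue).DllName
    $reasons = @()

    # Symptom 1 from the thread: a package key whose name starts with "Guardian"
    if ($subkey.PSChildName -like 'Guardian*') { $reasons += 'key name starts with "Guardian"' }

    if ($dllName) {
        # DllName may be a bare file name (loaded from System32) or a full path
        $path = if ([System.IO.Path]::IsPathRooted($dllName)) { $dllName } else { Join-Path $system32 $dllName }
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue   # -Force shows hidden files
        if ($file) {
            # Symptom 2: the DLL sits in System32 with hidden and/or read-only attributes
            if ($file.Attributes.HasFlag([IO.FileAttributes]::Hidden))   { $reasons += 'DLL is hidden' }
            if ($file.Attributes.HasFlag([IO.FileAttributes]::ReadOnly)) { $reasons += 'DLL is read-only' }
            # Legitimate notification packages carry a valid Authenticode signature
            $sig = Get-AuthenticodeSignature -FilePath $file.FullName
            if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
        } else {
            $reasons += 'DLL referenced by DllName not found on disk'
        }
    } else {
        $reasons += 'no DllName value'
    }

    [pscustomobject]@{
        Key     = $subkey.PSChildName
        DllName = $dllName
        Suspect = ($reasons.Count -gt 0)
        Reasons = ($reasons -join '; ')
    }
} | Format-Table -AutoSize
```

Anything reported as Suspect should be checked against the file's hash and signer before it is removed, since the thread's own procedure deletes only after the DLL name has been confirmed from the registry.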
no subject
Date: 2004-05-26 08:01 am (UTC)
no subject
Date: 2004-05-26 08:57 pm (UTC)
Korvo or something like that.
Right, Korgo
http://securityresponse.symantec.com/avcenter/venc/data/w32.korgo.c.html
At least that's what one of the virus specialists at work is talking about.
Doesn't seem related.
Date: 2004-05-26 09:16 pm (UTC)
This deep-system CWS infestation is like nothing I've seen since Funlove came around.
Re: Doesn't seem related.
Date: 2004-05-27 03:37 pm (UTC)
I even left an urgent (hard-copy, no less) note on my boss's desk to let him know about this.
When I leave him hard-copy notes, he knows it's important =/