[identity profile] coyoteden.livejournal.com posting in [community profile] techrecovery
OK, so this evening I was helping out my former employer with a couple of tricky jobs, one of which was cleaning up his own computer. We're all careful about security, but it got hijacked by CoolWebSearch. Don't ask.

Now, this was one of the nastier variants that loads from HKLM/.../Run like most stuff, but then hides itself from the process list, spawns copies, hides the files on disk, puts all the copies in startup, and deletes the original file. If you remove any of the registry keys, it puts them right back. You can't kill it with the usual tools because you just can't see the fnords. The files change every time you reboot, and if you don't get EVERY file from safe mode, it will come right back.

Well, I thought I killed it. I KNOW I killed it. The files had been deleted and the system had been scanned from safe mode... but the registry keys just kept coming back. Uh-oh. I loaded up Regmon and took a look at what was writing that key in the registry.

"Ad-watch.exe"

Fucking Ad-Aware. Goat-fucking Ad-Aware Pro to be precise. The real-time protection was restoring the damn CoolWebSearch keys (including the browser hijacks!) every time I removed them! And giving no warning. At all.
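The step that cracked this case was attributing the Run-key write to a process instead of assuming the malware did it. Below is an added example (not from the original post, and not the behaviour of CoolWebSearch, Ad-Aware or Regmon themselves) that does the same thing in a scriptable way: it reads Sysmon Event ID 13 ("Registry value set") records and groups writes to autorun keys by the image that made them. It assumes Sysmon is installed with registry logging enabled; the sample events at the bottom are constructed, and every file and value name in them is hypothetical.

```powershell
# Added example, not the original author's code. Attributes writes to autorun
# registry keys to the writing process via Sysmon Event ID 13 (RegistryEvent,
# value set). ASSUMPTION: Sysmon is installed and logging registry value sets.

# Autorun locations most commonly abused. Matched against Sysmon's TargetObject
# field, which uses HKLM\... and HKU\... style paths.
$AutorunPattern = '\\(Run|RunOnce|RunServices|RunServicesOnce)\\[^\\]+$'

function Get-RegistryValueSetEvents {
    # Pull "Registry value set" events from the live Sysmon log and flatten
    # the EventData fields into plain objects.
    param([int]$MaxEvents = 2000)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13
    } -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time         = $_.TimeCreated
            Image        = $d['Image']
            ProcessId    = $d['ProcessId']
            TargetObject = $d['TargetObject']
            Details      = $d['Details']
        }
    }
}

function Find-AutorunWriters {
    # Keep only writes to autorun keys and summarise which image wrote which
    # values, so a key that "keeps coming back" is tied to a process, not
    # guessed at. Accepts live events or constructed ones of the same shape.
    param([Parameter(ValueFromPipeline)] $Event)
    begin { $hits = @() }
    process {
        if ($Event.TargetObject -match $AutorunPattern) { $hits += $Event }
    }
    end {
        $hits | Group-Object Image | ForEach-Object {
            [pscustomobject]@{
                Image  = $_.Name
                Writes = $_.Count
                Values = ($_.Group.TargetObject | Sort-Object -Unique) -join '; '
                Data   = ($_.Group.Details      | Sort-Object -Unique) -join '; '
            }
        } | Sort-Object Writes -Descending
    }
}

# CONSTRUCTED sample events (not real log data, file and value names are
# hypothetical) shaped like the output of Get-RegistryValueSetEvents, so the
# summary can be exercised on a box without Sysmon. Two writes come from a
# security product's real-time component, one from the hijacker itself.
$RunKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$SampleEvents = @(
    [pscustomobject]@{ Time = '2005-07-07 01:02:03'; ProcessId = '1234'
        Image = 'C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe'
        TargetObject = "$RunKey\hypothetical_entry"; Details = 'C:\WINDOWS\hypothetical.exe' }
    [pscustomobject]@{ Time = '2005-07-07 01:05:10'; ProcessId = '1234'
        Image = 'C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe'
        TargetObject = "$RunKey\hypothetical_entry"; Details = 'C:\WINDOWS\hypothetical.exe' }
    [pscustomobject]@{ Time = '2005-07-07 01:06:42'; ProcessId = '2048'
        Image = 'C:\WINDOWS\System32\hypothetical_hijacker.exe'
        TargetObject = "$RunKey\hypothetical_other"; Details = 'C:\WINDOWS\hypothetical_other.exe' }
    [pscustomobject]@{ Time = '2005-07-07 01:07:00'; ProcessId = '900'
        Image = 'C:\WINDOWS\explorer.exe'
        TargetObject = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop'
        Details = 'C:\Documents and Settings\user\Desktop' }
)

# Offline run on the constructed data; the Explorer write is filtered out
# because it does not touch an autorun key.
$SampleEvents | Find-AutorunWriters | Format-Table -AutoSize

# Live run (requires Sysmon); uncomment on a box where it is installed:
# Get-RegistryValueSetEvents | Find-AutorunWriters | Format-Table -AutoSize
```

On the constructed data the summary lists Ad-Watch.exe with two writes to one Run value and the hypothetical hijacker with one, which is the distinction the post turned on: before deleting a value again, look at who restored it. Regmon itself has since been folded into Sysinternals Process Monitor, whose registry trace gives the same per-process attribution interactively if Sysmon is not available.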

Date: 2005-07-07 12:05 pm (UTC)
From: [identity profile] xdownfornowx.livejournal.com
I've found that using multiple A/S apps works the best, and never keep the restore points from them. I will also concur with twitchfetish that the MS app is really good at actively preventing that bullshit in the first place.
