Posted by Morgan Ohlson on March 17, 2007, 3:47 am
On Fri, 16 Mar 2007 22:13:05 GMT, Carol wrote:
> On Fri, 16 Mar 2007 14:18:28 GMT, n
>
>>Trends CWShredder finds CWS.hiddendll and can remove it in safe mode boot.
>>
>>I have searched the web for info. There are a lot of writing about it, and a
>>lot of people have posted Hijackthis-logs... but I have not found any
>>serious description of the virus (malware?).
>
> More specifically, adware/spyware. This CWS variant replaces the
> machine's About:Blank then changes the Internet Explorer startup page
> (and others) to About:Blank. Additionally, a file is set to run when
> the computer is booted up that reinstalls it each time. It appears
> there's also a BHO, and a file that keeps checking to be sure all the
> other files are there wouldn't surprise me. If it keeps coming back,
> then chances are very high that it isn't being completely removed, as
> opposed to reinfection.
For me the CWS.hiddendll occurred simultaneously (I think), the first time with
a blocked audio card. That I solved with a complete reinstall (formatted all
HDDs). (No sound via the sound card.)
The second time it occurred in combination with a blocked network card. (No
connection via the Ethernet card.)
In both cases everything seemed okay, drivers, installation etc... but it
wasn't. It may have been some kind of redirected addresses.
First, I'm no pro on this and there could have been some other malware that
infected at the same time, or almost at the same time... Secondly, I only
removed the CWS.h..dll and that solved it.
>
> If you're looking for a description of other files and reg entries
> installed, normally this can be gleaned from what is removed in the
> answers on the web forums. This seems to be fairly complete, at least
> for Windows 98SE:
> http://www.thetechguide.com/forum/index.php?showtopic=17006
> If you're having further problems as indicated in your subject, it
> could be CWShredder missed something, or deleted something you need to
> replace with a fresh file copy. There are other fix instructions in
> those replies, like using LSPFix and AboutBuster and other fix
> programs. If you have Windows XP, another post might be better, but
> they are usually equally complete. Just do a Google search for
> "CWS.hiddendll XP" (without the quotation marks).
I have read some postings and the file names that have been mentioned seem
to be different every time... could that be so?
>
>>Does it come from mail, websites, other?
>
> Yes. :-)
:(
> Like other spyware, CWS has been shown to be loaded by websites, free
> programs, P2P downloads pretending to be something else, and even
> other spyware.
Very versatile then.
> Email attachments don't seem to be a large vector, but
> of course spamvertised websites might contain anything, and often
> spyware of all kinds. It all depends on the choices of the person
> trying to spread the spyware.
>
> If the computer user basically practices safe hex [no P2P executables,
> free programs,
No free programs !!! ??? You must be joking... ;o)
> or spamvertised websites], eliminating most of those
> possibilities, then these can be assumed to have sneaked in from a web
> page via Internet Explorer, either simply because javascript is
> enabled, or because an unpatched exploit was used to load the file on
> the site visitor.
Can HTML exploits be a problem while in quarantine?
Recently an active virus shield (heuristic rules) raised an alarm on a file in
another well-known antivirus package while downloading. Unfortunately I
downloaded a couple of updated applications that day, so I could be mixing them
up... so I had better not point anyone out.
It was an .asf file that was identified as an HTML exploit, and the software
has worked very well with that file removed too.
> Occasionally the user will have purposely opened a
> hole, like enabling executables to run in an I-frame, something that
> is sometimes needed for web games, but can be very dangerous for
> general surfing.
The CWS.hiddendll infection happened while using
# hardware NAT firewall
# software firewall
# active application shield
# 2 real-time antivirus guards
# autostart, BHO and change watch
# mail Bayes filter
Morgan O.
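Carol's description above (the About:Blank start page hijack, a run-at-boot entry that reinstalls the files, and a BHO) together with Morgan's observation that the file names differ from report to report suggest triaging a HijackThis log on behaviour rather than on names. The script below is an added example and is not code from this thread, from HijackThis, or from CWShredder. The log excerpt is constructed, the file names, paths and CLSIDs in it are made up, and the R0/R1, O2 and O4 line layouts are my assumptions about the HijackThis log format.

```python
import re
from collections import defaultdict

# Constructed HijackThis-style log excerpt (assumption about the format; the
# paths, names and CLSIDs are invented and are not indicators from any sample).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://www.example.com/
O2 - BHO: (no name) - {00000000-1111-2222-3333-444444444444} - C:\\WINDOWS\\system32\\xyzw.dll
O2 - BHO: Example Toolbar Helper - {55555555-6666-7777-8888-999999999999} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [xyzw] rundll32.exe C:\\WINDOWS\\system32\\xyzw.dll,DllRegisterServer
"""

# R0/R1: IE start/search page values; O2: Browser Helper Objects; O4: Run keys.
RE_R = re.compile(r"^(R[01]) - (.+?),(.+?) = (.*)$")
RE_O2 = re.compile(r"^O2 - BHO: (.+?) - (\{[^}]+\}) - (.*)$")
RE_O4 = re.compile(r"^O4 - (.+?): \[(.+?)\] (.*)$")
# A drive-rooted path up to the first .dll/.exe (tolerates spaces in the path).
RE_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)", re.IGNORECASE)


def triage(log_text):
    """Return sorted (indicator, detail) tuples for entries worth a second look.

    The checks are behavioural, so a renamed DLL still trips them:
      - start page set to about:blank (the hijack Carol describes; a user can
        set this legitimately, so it is a prompt to check, not a verdict)
      - a BHO registered with no name
      - a Run entry that loads a DLL at boot (the 'reinstalls it each time' file)
      - the same file both registered as a BHO and relaunched from a Run key
    """
    findings = []
    owners = defaultdict(set)  # lower-cased file path -> entry kinds using it
    for line in (ln.strip() for ln in log_text.splitlines()):
        if not line:
            continue
        m = RE_R.match(line)
        if m:
            key, value = m.group(3).strip(), m.group(4).strip()
            if "start page" in key.lower() and value.lower() == "about:blank":
                findings.append(("ie-startpage-about-blank", line))
            continue
        m = RE_O2.match(line)
        if m:
            name, path = m.group(1).strip(), m.group(3).strip()
            owners[path.lower()].add("O2")
            if name.lower() == "(no name)":
                findings.append(("bho-no-name", line))
            continue
        m = RE_O4.match(line)
        if m:
            for path in RE_PATH.findall(m.group(3)):
                owners[path.lower()].add("O4")
                if path.lower().endswith(".dll"):
                    findings.append(("run-key-loads-dll", line))
            continue
    # Cross-reference: a BHO that is also re-registered at boot is the
    # persistence pair Carol describes, whatever the file happens to be called.
    for path, kinds in owners.items():
        if {"O2", "O4"} <= kinds:
            findings.append(("bho-also-relaunched-at-boot", path))
    return sorted(findings)


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator:32} {detail}")
```

The entries that survive the filter are the ones to compare against a clean system before deleting anything, which is also where Carol's warning applies: removing a file without replacing the legitimate one it displaced can leave the machine in a worse state than the infection did.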