August 17th, 2004, 09:47 PM
cws.smartsearch and microsoft-ds
A friend rang me after getting ADSL at his home. Whenever he connected he got masses of pop-ups and his laptop went crazy. I managed to remove over 15 trojans and mostly w32.spybot and bobax.c viri. After I thought I had cleaned everything down we reconnected to the internet and a few seconds later three windows popped up showing porn and they were titled "pwnage clan and hack". I later identified this to be CWS.smartsearch using CWShredder. While trying to remove CWS.smartsearch, Shredder said that the hijack was trying to block its process and its name would change to a random name? Should this have happened? I have used everything to clear cws.smartsearch, but nothing seems to work. Any suggestions? I even took the laptop home with me and found that when you connect to the internet ports 4226 to 4428 are listening and then there are over 200 syn_sent to microsoft-ds. Is this a DOS attack? Is there something that I can't find? I have used the following tools.
1 Spybot S&D
2 Adaware 6.0
3 Pest patrol
5 NAV corporate
All have been updated
Hope you can help
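The netstat observation in the post above (listening ports plus hundreds of SYN_SENT entries to microsoft-ds, which is TCP 445) can be triaged by checking whether the half-open connections fan out to many distinct hosts on one port or pile up on a single host. This is an added example, not part of the thread; the sample output, the `summarize` helper and the threshold of 20 are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of Windows `netstat -an` (not taken from the post).
SAMPLE = "\n".join(
    ["  Proto  Local Address          Foreign Address        State",
     "  TCP    0.0.0.0:4226           0.0.0.0:0              LISTENING",
     "  TCP    0.0.0.0:4227           0.0.0.0:0              LISTENING",
     "  TCP    192.168.0.5:3010       192.0.2.80:80          ESTABLISHED"]
    + [f"  TCP    192.168.0.5:{4300 + i}       198.51.100.{i + 1}:445       SYN_SENT"
       for i in range(30)]
)

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def summarize(netstat_text, min_targets=20):
    """Return listening ports and flagged SYN_SENT patterns (min_targets is an assumed threshold)."""
    listening = set()
    targets = defaultdict(set)   # remote port -> distinct remote hosts
    attempts = Counter()         # remote port -> half-open connection count
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP rows, blank lines
        _, lport, rhost, rport, state = m.groups()
        if state == "LISTENING":
            listening.add(int(lport))
        elif state == "SYN_SENT":
            attempts[int(rport)] += 1
            targets[int(rport)].add(rhost)
    findings = []
    for port, count in attempts.items():
        hosts = len(targets[port])
        if hosts >= min_targets:
            kind = "fan-out"        # many hosts, one port: outbound scanning pattern
        elif count >= min_targets:
            kind = "single-target"  # many attempts aimed at few hosts
        else:
            continue
        findings.append({"port": port, "attempts": count, "hosts": hosts, "kind": kind})
    return {"listening": sorted(listening), "findings": findings}
```

Feed it the saved output of `netstat -an` from the affected machine; a "fan-out" finding on port 445 means the host itself is probing other machines and should stay off the network until it is clean.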
August 17th, 2004, 10:34 PM
Did you disable System Restore (if present) before you made the scans?
August 17th, 2004, 10:36 PM
First, you need to run all these tools in safe mode at this point.
Secondly, before you run them open task manager and stop every process that you don't recognize as valid. Google them if you don't know what they are. When you are done the only thing you should have left is Microsoft products. Then run your tools. Then restart the computer. Then rerun the tools in normal mode. If anything has returned then you still have a dropper process running. Identifying it is a little hard in a post. The final "solution" is to stop every process that isn't essential for the basic function of the machine and then run the tools.
It isn't easy to get rid of some of this stuff.... It's often try and try again.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
August 17th, 2004, 10:40 PM
Groov had a post in the Spyware/Adware forum about removing a new version of CWS. One of his warnings was that using CWShredder incorrectly will lead to the CWS executables changing their names.
Check out his thread Here
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr