CWS.hiddendll blockes drivers

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View


Trends CWShredder finds CWS.hiddendll and can remove it in safe mode boot.

I have searched the web for info. There are a lot of writing about it, and a
lot of people have posted Hijackthis-logs... but I have not found any
serious description of the virus (malware?).

Does it come from mail, websites, other?


Morgan O.

Re: CWS.hiddendll blockes drivers

On Fri, 16 Mar 2007 14:18:28 GMT, n

Quoted text here. Click to load it

More specifically, adware/spyware.  This CWS variant replaces the
machine's About:Blank then changes the Internet Explorer startup page
(and others) to About:Blank.  Additionally, a file is set to run when
the computer is booted up that reinstalls it each time.  It appears
there's also a BHO, and a file that keeps checking to be sure all the
other files are there wouldn't surprise me.  If it keeps coming back,
then chances are very high that it isn't being completely removed, as
opposed to reinfection.

If you're looking for a description of other files and reg entries
installed, normally this can be gleaned from what is removed in the
answers on the web forums.  This seems to be fairly complete, at least
for Windows 98SE:
http://www.thetechguide.com/forum/index.php?showtopic=17006
If you're having further problems as indicated in your subject, it
could be CWShredder missed something, or deleted something you need to
replace with a fresh file copy.  There are other fix instructions in
those replies, like using LSPFix and AboutBuster and other fix
programs.  If you have Windows XP, another post might be better, but
they are usually equally complete.  Just do a Google search for
"CWS.hiddendll XP" (without the quotation marks).

Quoted text here. Click to load it

Yes.  :-)  

Like other spyware, CWS has been shown to be loaded by websites, free
programs, P2P downloads pretending to be something else, and even
other spyware.  Email attachments don't seem to be a large vector, but
of course spamvertised websites might contain anything, and often
spyware of all kinds.  It all depends on the choices of the person
trying to spread the spyware.

If the computer user basically practices safe hex [no P2P executables,
free programs, or spamvertised websites], eliminating most of those
possibilities, then these can be assumed to have sneaked in from a web
page via Internet Explorer, either simply because javascript is
enabled, or because an unpatched exploit was used to load the file on
the site visitor.  Occasionally the user will have purposely opened a
hole, like enabling executables to run in an I-frame, something that
is sometimes needed for web games, but can be very dangerous for
general surfing.  

Carol


Re: CWS.hiddendll blockes drivers

On Fri, 16 Mar 2007 22:13:05 GMT, Carol wrote:

Quoted text here. Click to load it

For me the CWS.hiddendll has occured at simultaneously (I think) first with
a blocked audio-card. That I solved with a complete reinstall (formate all
hdd's). (no sounds via sound card)

The second time it occured in combination with a netcard block. (no
connection to the ethernet card)

In both cases everything seemed okey, drivers, installation etc... but it
wasn't. It may have been some kind of redirected adresses.

First, I'm no pro on this and there could have been some other malware that
infected at the same time, or almost at the same time... Secondly I only
removed the CWS.h..dll and that solved it.

Quoted text here. Click to load it

I have read some postings and the files names that have been mentioned seem
to be different every time... could that be so?

Quoted text here. Click to load it

:(


Quoted text here. Click to load it

Very versatile then.

Quoted text here. Click to load it

No free programs !!!   ???    You must be joking...   ;o)


Quoted text here. Click to load it

Can HTML exploits be a problem being in quarantenes?

Reasently an active virus shield (hermeneutic rules) alarmed a file in
another well known antivirus pak while downloading. Unfortunately I
downloaded a couple of updated applications that day so I could mix them
up... so I better not point anyone out.

It was a .asf file that was identified as an HTML-exploit and the softwares
have worked very well also with that file removed.


Quoted text here. Click to load it

The CWS.hiddendll was infected while using
# hardware nat.firewall
# software firwall
# active application shield
# 2 real time antivirus guards
# autostart, BHO and change watch
# mail bayez filter


Morgan O.

Re: CWS.hiddendll blockes drivers

On this special day, Morgan Ohlson wrote :

Quoted text here. Click to load it

The real free programs are discussed in alt.comp.freewarer, and if
someone spams for a "free" program with adware thrown in, you'll be
sure that someone will give a warning, nearly in real time. I think acf
is a good resource of information on this topic.

Seeing your description, I am afraid that your specimen came in via an
IE exploit, although I can't say which, as officially there are none
known ones to this day.

Still I would recommend that you change to another browser, which might
not be a much safer one, yet a less frequently attacked target. Most
hackers concentrate on the IE, as they will reach about 90 percent of
their intended "audience", which is enough for them, while the other
ten percent would require more coding, and of course learning the
intricacies of special firefox or Opera commands firsthand.


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de





--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.



Re: CWS.hiddendll blockes drivers

On this special day, Gabriele Neukam wrote :

Quoted text here. Click to load it

uh, sory, make that "alt.comp.freeware"


Gabriele "can't keep my fingers still" Neukam

Gabriele.Spamfighter.Neukam@t-online.de

--
the difference is in the eye of the beholder... even history is not an
impartial judge, as it is written by the victors...
-
Kurt Wismer in alt.comp-anti-virus



Re: CWS.hiddendll blockes drivers

Gabriele Neukam wrote:
Quoted text here. Click to load it

<G>

They are really on the ball. Also energetic, knowledgeable, and curious
about what programs are around. Good crowd.

Re: CWS.hiddendll blockes drivers

On Sat, 17 Mar 2007 20:31:12 -0800, Offbreed wrote:

Quoted text here. Click to load it


Yes, and Q was realy if freeware in general rais security issues?  

It was not a debate on freeware as a general topic.


Morgan O.

Re: CWS.hiddendll blockes drivers

Morgan Ohlson wrote:
Quoted text here. Click to load it


Depends on where you get it. People have been putting bad stuff in
freeware for years, and the acf crowd has become very adept at finding it.

This is a website they have where they list the recommended programs:

<http://www.pricelesswarehome.org/

Some other sites also have good, clean programs, but use acf and
Pricelessware as starting points.

Re: CWS.hiddendll blockes drivers

On Sat, 17 Mar 2007 07:47:17 GMT, Morgan Ohlson

Quoted text here. Click to load it

Yes.  With CWS, these are changed by the writer according to the
current buyer.  The last I was aware, they are not random with CWS,
but could be.

Quoted text here. Click to load it

It's common now.  They're going spread their crap any way they can.

Quoted text here. Click to load it

Oh, some of the best are free for personal use, but this would be in
terms of the average computer user who may have a hard time
determining what's trusted.  Free screensavers and wallpaper and
anything else with an "aw, isn't that pretty" factor and an installer
are a particular problem, along with the P2P programs themselves, not
just the downloads.

Quoted text here. Click to load it

I've never heard of anything escaping quarantine.  However, when it
comes to HTML, it's possible for your browser to run it before the AV
can quarantine it, even if your AV is scanning in real time --
*particularly* if you have more than one trying to scan it at the same
time.

Quoted text here. Click to load it

Normally this sort of thing is a false positive, I suspect because the
definition is hitting on some string the writer ass-u-med was unique
to the malware.  Your ASF file was probably MS "Advanced Streaming
Format" so not necessary to the operation of the program; part of the
Help system maybe?  In any case it would have to contact the outside
to "stream" anything.

Quoted text here. Click to load it

No consumer-grade firewall is going to help you with a HTML exploit
because the files are requested by the browser, and your browser has
to be enabled to contact the outside.

Quoted text here. Click to load it

This can set up a situation where none of the programs detect certain
incoming malware, and don't produce any errors when that's happening.
You can normally get away with AV + anti-spyware, for instance, but if
you really have two AV, pick one and uninstall the other.

Quoted text here. Click to load it

Carol


Site Timeline