When a CWS infection is executed does it also install pre-defined setup files or folders like this that would install a new infection based on a trigger from a given infection that is removed? Also, do they always use a [filename]2.exe pattern or is it random ? Because I found another lone executable named TestManager2.exe that was in the the same Docs & Settings\ owner\App Data folder but was in Microsoft\Installer\{E47EA4D...}. I've followed all the CWS information links and read everything by Merijn but I may have missed it and it sure would help me. Thanks.
WE'RE SURE THAT YOU'LL LOVE US!
Hey there! 
Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. 
Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.
Try What the Tech -- It's free!
Cws Re-infection Executables
Started by
zxladie
, Jun 22 2004 01:03 PM
2 replies to this topic
#1
zxladie
-
- New Member
-
- 2 posts
New Member
Posted 22 June 2004 - 01:03 PM
When a CWS infection is executed does it also install pre-defined setup files or folders like this that would install a new infection based on a trigger from a given infection that is removed? Also, do they always use a [filename]2.exe pattern or is it random ? Because I found another lone executable named TestManager2.exe that was in the the same Docs & Settings\ owner\App Data folder but was in Microsoft\Installer\{E47EA4D...}. I've followed all the CWS information links and read everything by Merijn but I may have missed it and it sure would help me. Thanks.
Register to Remove
#2
Micah_6:8
-
- Authentic Member
-
- 10,060 posts
Evilware Emancipator
- Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!
Posted 22 June 2004 - 02:27 PM
Greeting and welcome to TomCoyote.com!
Although many infections do generate random file names, this one looks pretty stable:
http://www.trendmicr...FEATS.A&VSect=T
May your day be blessed by those you love and those you love be blessed by HIM - Coyote
Although many infections do generate random file names, this one looks pretty stable:
http://www.trendmicr...FEATS.A&VSect=T
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?
The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.
Want to help others? Join the ClassRoom and learn how.
Download Hijack This! My Website: UnSpyMe!
The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.
Want to help others? Join the ClassRoom and learn how.
Download Hijack This! My Website: UnSpyMe!
#3
zxladie
-
- New Member
-
- 2 posts
New Member
Posted 22 June 2004 - 09:58 PM
Thanks. I'll check it out. This is might be a stupid question, but I'm wondering if anyone has seen or heard that there could be uninstalled CWS hidden files ready to stealth execute that can be triggered by an active variant if it is removed. The reason is because there are folders in several places on this kid's machine that contain [filename]2.exe and a [filename].new. And if you look inside the .new file, it looks to be the inf for a CWS BHO. And right out the gate I took 4 trojan droppers out of this thing. I've worked 5 hijacked machines this week all from the same family, I'm probably getting paranoid, but was just wondering. Thanks.
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
