Cws Re-infection Executables

2 replies to this topic

#1 zxladie
New Member, 2 posts

Posted 22 June 2004 - 01:03 PM

I'm not sure if this is the right place to post this, but I have what might sound like a stupid question that I'm wondering about and I haven't been able to find any documentation. I am repairing a system that had quite a bit of spyware on it, and when I was checking something in the owner\Documents & Settings folder\Application data\ I happened to see a folder named 'iefeatsl' which I know is a CoolWebSearch variant. The folder contained the files: msiesh.new and submit2.exe. I looked in the msiesh.new with my viewer and it's the {FD9BC004} .dll that I'm assuming is not yet executed.

When a CWS infection is executed does it also install pre-defined setup files or folders like this that would install a new infection based on a trigger from a given infection that is removed? Also, do they always use a [filename]2.exe pattern or is it random? Because I found another lone executable named TestManager2.exe that was in the same Docs & Settings\ owner\App Data folder but was in Microsoft\Installer\{E47EA4D...}. I've followed all the CWS information links and read everything by Merijn but I may have missed it and it sure would help me. Thanks.



#2 Micah_6:8
Evilware Emancipator, Authentic Member, 10,060 posts
Interests: Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 22 June 2004 - 02:27 PM

Greetings and welcome to TomCoyote.com!

Although many infections do generate random file names, this one looks pretty stable:


#3 zxladie
New Member, 2 posts

Posted 22 June 2004 - 09:58 PM

Thanks. I'll check it out. This might be a stupid question, but I'm wondering if anyone has seen or heard that there could be uninstalled CWS hidden files ready to stealth execute that can be triggered by an active variant if it is removed. The reason is because there are folders in several places on this kid's machine that contain [filename]2.exe and a [filename].new. And if you look inside the .new file, it looks to be the inf for a CWS BHO. And right out the gate I took 4 trojan droppers out of this thing. I've worked 5 hijacked machines this week all from the same family, I'm probably getting paranoid, but was just wondering. Thanks.
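A small scanner for the pattern both of zxladie's posts describe, added here as an example; it is not code from either poster or from any of the tools mentioned in the thread. It walks a directory tree and flags every folder that holds a *2.exe next to a *.new file, then checks whether the .new file begins with the "MZ" signature that every Windows PE image (DLL or EXE) carries, which separates a staged binary from an ordinary text or INF leftover. The Application Data tree it scans is constructed inside the script, and the {PLACEHOLDER-GUID} folder name stands in for the truncated installer GUID in the original post; on a real machine you would point find_staged_pairs at the profile's Application Data folder instead.

```python
import os
import re
import tempfile
from pathlib import Path

# The thread describes folders under Application Data holding an executable named
# "<something>2.exe" next to a "<something>.new" whose contents are really a DLL.
# A Windows DLL/EXE is a PE image and starts with the two bytes "MZ"; a ".new" file
# that begins that way is a binary waiting to be renamed and run, not a text file.
PE_MAGIC = b"MZ"
TWO_EXE_RE = re.compile(r"2\.exe$", re.IGNORECASE)
NEW_RE = re.compile(r"\.new$", re.IGNORECASE)


def looks_like_pe(path):
    """True when the file starts with the PE/MZ signature (reads only two bytes)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def find_staged_pairs(root):
    """Walk root and report every folder holding both a *2.exe and a *.new file.

    Each finding records the folder, the executables, the .new files, and which of
    the .new files carry a PE header (the "not yet executed" payload from the thread).
    """
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        exes = sorted(f for f in files if TWO_EXE_RE.search(f))
        news = sorted(f for f in files if NEW_RE.search(f))
        if not exes or not news:
            continue  # a lone *2.exe (like TestManager2.exe) is not the paired pattern
        pe_news = [f for f in news if looks_like_pe(os.path.join(dirpath, f))]
        findings.append({
            "folder": os.path.relpath(dirpath, root),
            "installers": exes,
            "new_files": news,
            "pe_payloads": pe_news,
        })
    return sorted(findings, key=lambda f: f["folder"])


def _write(path, data):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def build_sample_tree():
    """Create a constructed Application Data tree mirroring the thread's description.

    All contents are fabricated for this example; the GUID folder name is a
    placeholder, not the truncated one the poster saw.
    """
    root = Path(tempfile.mkdtemp(prefix="appdata_sample_"))
    fake_pe = PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00"  # constructed stand-in for a DLL image
    # 1) the iefeatsl folder: staged DLL in msiesh.new plus its installer submit2.exe
    _write(root / "iefeatsl" / "msiesh.new", fake_pe)
    _write(root / "iefeatsl" / "submit2.exe", fake_pe)
    # 2) a lone *2.exe under an installer GUID folder: no .new beside it, so not flagged
    _write(root / "Microsoft" / "Installer" / "{PLACEHOLDER-GUID}" / "TestManager2.exe", fake_pe)
    # 3) a *2.exe beside a .new that is plain text: flagged, but with no PE payload
    _write(root / "SomeTool" / "tool2.exe", fake_pe)
    _write(root / "SomeTool" / "config.new", b"[settings]\nupdated=1\n")
    # 4) a .new file on its own: ordinary update leftover, not flagged
    _write(root / "Updater" / "readme.new", b"nothing to see here\n")
    return root


def scan_sample():
    """Build the constructed tree, scan it, and return the findings."""
    return find_staged_pairs(build_sample_tree())


if __name__ == "__main__":
    for hit in scan_sample():
        flag = "PE payload staged" if hit["pe_payloads"] else "no PE payload"
        print(f"{hit['folder']}: {hit['installers']} + {hit['new_files']} ({flag})")
```

The scan only confirms the naming pattern; a hit with a PE-headed .new file beside an installer stub is the case worth preserving and submitting for analysis (hashes, HijackThis log, the files themselves) rather than deleting in place, because the question in the thread, whether removing the active variant triggers the staged copy, can only be answered by looking at what the stub does.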
