Posted 17 November 2004 - 08:24 PM
I first got interested in coolwebsearch (CWS) when it took over my PC, I guess, about 6 months ago. Unfortunately, I did not know of this forum though I did utilize spywareguideinfo and spywarrior. It appeared at the time that no piece of spyware removal tool could help: CWS 1.59, Spybot S&D 1.3r, Spysweeper and Adware version 6. All I knew was that whenever a device on my machine connected to the internet (IE6, Firefox 0.90, Spysweeper, Black Ice firewall plus MS core services) a connection was made to an IP address that fell within the range of a www.coolwebsearch.com site. Only for a few seconds and 3-5 instances each time, and it appeared to leave a port listening. No unusual processes were directly associated with each connection (I used MS's Port Reporter to obtain IP addresses, port numbers, protocol, processes and a time stamp). The actual file that I think was corrupted was ntoskrnl.exe. This was always present when a connection was made and, I believe, should only run during the boot process. In between this there was a month of solid hell as I chased stacks and threads like a drunken spider. Apart from the IP addresses one constant (and an undoubted weakness) was that it had to use the TCP protocol and on every other communication it had to use port number 31595. This enabled me to shut down access in or out to that port and of course the full IP range was blocked. This stopped it communicating but not trying; and did it try!! As to removal, it took several reformats and reinstalls (temporarily lost the use of all my Adobe and MS Reader e-books as I had used up my entitlement) until I discovered which group of software products may have contained the spyware.
Ever since I have been reading all I can, including programming forums where they openly share the code and how to achieve stealth hijacking of MS core files. user32, kernel32 seem to be the preferred favourites, the latter being the best because it has global access. Step by step guides of what pitfalls to avoid when setting Windows Hooks with the CreateRemoteThread & LoadLibrary technique. Instead of writing a separate DLL, copy your code to the remote process directly - via WriteProcessMemory - and start its execution with CreateRemoteThread. These methods mean there are no easily obtainable suspicious processes or slowdowns.
The previous call for assistance interests me. Namely, how it was identified and how it will be removed. I suppose most of us have read the post and have our list of favourite/suspicious processes. I guess this is not a Windows DLL 'corruption' or only one but a few others as well. Spyware seems to be like bills: they come in bunches (not so daft if you use the "port is like a letter box" analogy).
Has anyone else any thoughts on CWS or spyware in general? 'Manual' methods of prevention, detection and good practices or strange quirks with a CWS infection. Will the valiant few win against the thousands of dollars being poured into spyware development? Anick Jesdanun of Associated Press in a recent article for the Boston Globe (I think; sorry, kept the text and author but lost the web address) is not sure.
Are Intrusion Detection Systems and Process Guards the answer? From what I have seen of most they help the user make an informed choice - for some cases this will work well but for others some will be allowed on the system.
Just some thoughts and great respect to you all for how you handled the CWS incident. Though I would enjoy knowing the outcome and process(es) involved.
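The network pattern the post describes (short bursts of TCP connections to port 31595 inside one address range, always with the same process present) can be checked mechanically against a connection log. The script below is an added example, not code from the post or from Port Reporter: the comma-separated field order is an assumption rather than the tool's real format, the log lines are constructed, and 203.0.113.0/24 is a placeholder for the address range the poster blocked, which the post does not give.

```python
import ipaddress
from collections import defaultdict

# Constructed Port Reporter-style lines. Field order is an assumption, not the
# tool's real format: timestamp,protocol,local_port,remote_ip,remote_port,pid,process
SAMPLE_LOG = """\
2004-11-17 20:01:03,TCP,1034,203.0.113.17,31595,4,ntoskrnl.exe
2004-11-17 20:01:03,TCP,1035,203.0.113.17,31595,4,ntoskrnl.exe
2004-11-17 20:01:04,TCP,1036,198.51.100.8,80,1788,iexplore.exe
2004-11-17 20:01:05,UDP,1037,192.0.2.53,53,1100,svchost.exe
2004-11-17 20:01:07,TCP,1038,203.0.113.40,443,1788,firefox.exe
"""

# Placeholder block standing in for the hijacker's range; the post gives no real one.
BLOCKED_RANGE = ipaddress.ip_network("203.0.113.0/24")
SUSPECT_PORT = 31595  # the fixed TCP port the post identified


def parse_line(line):
    """Split one log line into typed fields."""
    ts, proto, lport, rip, rport, pid, proc = line.strip().split(",")
    return {"ts": ts, "proto": proto, "lport": int(lport),
            "rip": ipaddress.ip_address(rip), "rport": int(rport),
            "pid": int(pid), "proc": proc}


def flag_connection(rec):
    """Return the reasons a record matches the pattern from the post (empty if none)."""
    reasons = []
    if rec["proto"] == "TCP" and rec["rport"] == SUSPECT_PORT:
        reasons.append("tcp/31595")
    if rec["rip"] in BLOCKED_RANGE:
        reasons.append("blocked-range")
    return reasons


def analyse(log_text):
    """Group flagged connections by process so a burst of hits from one process stands out."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = flag_connection(rec)
        if reasons:
            hits[rec["proc"]].append((rec["ts"], str(rec["rip"]), rec["rport"], reasons))
    return dict(hits)


if __name__ == "__main__":
    for proc, conns in analyse(SAMPLE_LOG).items():
        print(proc, len(conns), conns)
```

A DNS lookup over UDP and an ordinary HTTP request are left alone; the two port-31595 connections from the same process within one second are what the poster would have blocked.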