# Curing CWS, dreplace.dll Hijacks



## dvk01 (Dec 14, 2002)

We are all quite good at recognising & curing a CWS hijack by advising CWShredder, which works; what we keep forgetting to do is advise the infected party to update Windows and download the patches to prevent re-infection.

Please point out that CWS installs via the byte verifier exploit in M$ JavaVM, so just surfing a page with an infected applet can install it with no user participation.

The only full cure is as advised by Merijn:
http://www.spywareinfo.com/~merijn/cwschronicles.html
and make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection.


----------



## e-liam (Jun 19, 2003)

Good point Derek,

And as I've linked two threads to CWS in the last half hour, without your recommendations, I know I'm as guilty as anyone.. 

I've changed my C&P for future times.. :up:

Cheers

Liam


----------



## dvk01 (Dec 14, 2002)

Also, it is a good idea to advise people to run CWShredder in safe mode when dealing with the dreplace.dll version of CWS; otherwise CWShredder hangs and cannot remove dreplace.


----------



## dvk01 (Dec 14, 2002)

If you have the dreplace.dll form of CWS, then here is the fix to use, thanks to freeatlast:

First do this please.
Download this: http://TomCoyote.org/downloads/DreplaceFix.reg
Double-click DreplaceFix.reg and answer Yes.

Then close all IE windows and delete the file C:\WINDOWS\SYSTEM\DREPLACE.DLL

Failure to do this first can have very bad results on Win ME or Win98 systems!

Then run CWShredder to clear the rest of the infection.


----------



## Flrman1 (Jul 26, 2002)

I just posted this same info last night here:

http://forums.techguy.org/showthread.php?s=&postid=1241642#post1241642

Maybe these two sticky threads should be combined.


----------



## dvk01 (Dec 14, 2002)

For info, a current list of all known CWS hijacks and affiliates is maintained by Tony Klein here:
http://www.wilderssecurity.com/index.php?board=20;action=display;threadid=14086


----------



## e-liam (Jun 19, 2003)

Cheers for that Derek,

My own list was about 2 months old and obviously out of date.

EDIT: I've just had a quick look at the list, and rightfinder isn't on it. Do you know if this is an official affiliate yet, as it seems to pop up every time this...

*O13 - DefaultPrefix: http://ehttp.cc/?*
*O13 - WWW Prefix: http://ehttp.cc/?*

...appears. Of course the *O13* is the giveaway, but do you think it may be prudent to suggest the scan when rightfinder shows up even without those entries being present?

Liam


----------
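The two O13 lines quoted in the post above are the HijackThis view of Internet Explorer's URL prefix settings (the `DefaultPrefix` and `Prefixes` values under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL`): IE prepends that prefix to any address typed without a scheme, so a prefix pointing at a third-party host routes every such request through it. The following is an added example, not code from any post in this thread or from the CWShredder/HijackThis projects, that scans HijackThis-style log lines for O13 entries and flags any prefix that is not the bare scheme Windows ships with. The sample log is constructed; only the two `ehttp.cc` lines come from the thread. The table of default prefixes for names other than `DefaultPrefix` and `WWW Prefix` is an assumption, and unknown prefix names are judged only by whether they name a host.

```python
import re
from urllib.parse import urlsplit

# Stock Windows/IE URL prefixes (assumption: these are the shipped defaults).
# A clean machine has bare schemes here; HijackThis only reports O13 when
# the registry value differs from them.
DEFAULT_PREFIXES = {
    "DefaultPrefix": "http://",
    "WWW Prefix": "http://",
    "Home Prefix": "http://",
    "Mosaic Prefix": "http://",
    "FTP Prefix": "ftp://",
    "Gopher Prefix": "gopher://",
}

# "O13 - <prefix name>: <value>"
O13_LINE = re.compile(r"^O13 - (?P<name>[A-Za-z ]+?): (?P<value>\S+)\s*$")

# Constructed sample log; the two O13 lines mirror the ones quoted in the thread.
SAMPLE_LOG = [
    "Logfile of HijackThis (constructed sample, not a real capture)",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/",
    "O13 - DefaultPrefix: http://ehttp.cc/?",
    "O13 - WWW Prefix: http://ehttp.cc/?",
    "O13 - FTP Prefix: ftp://",
]


def parse_o13(line):
    """Return (prefix name, value) for an O13 line, or None for anything else."""
    m = O13_LINE.match(line.strip())
    if m is None:
        return None
    return m.group("name"), m.group("value")


def is_hijacked_prefix(name, value):
    """A prefix is suspicious when it is not the bare scheme expected for it."""
    expected = DEFAULT_PREFIXES.get(name)
    if expected is not None:
        return value.lower() != expected
    # Unknown prefix name: a benign prefix is scheme-only ("http://");
    # anything carrying a host or path is treated as a redirect.
    return re.fullmatch(r"[a-z]+://", value.lower()) is None


def scan_hijackthis_log(lines):
    """Walk log lines and collect O13 entries whose prefix points at a host."""
    findings = []
    for line in lines:
        parsed = parse_o13(line)
        if parsed is None:
            continue
        name, value = parsed
        if is_hijacked_prefix(name, value):
            # The host embedded in the prefix is where every scheme-less
            # address the user types would be sent.
            host = urlsplit(value).hostname or "?"
            findings.append({"entry": name, "value": value, "host": host})
    return findings


def redirect_hosts(findings):
    """Distinct hosts the flagged prefixes redirect through, for a quick triage line."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    hits = scan_hijackthis_log(SAMPLE_LOG)
    for hit in hits:
        print(f"O13 {hit['entry']!r} redirects through {hit['host']} ({hit['value']})")
    print("hosts to check against the CWS affiliate list:", redirect_hosts(hits))
```

On the sample log the `FTP Prefix` line is left alone because it still holds the bare `ftp://` scheme, while both `ehttp.cc` entries are reported; the host list is what you would compare against Tony Klein's affiliate list linked earlier in the thread.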



## Byteman (Jan 24, 2002)

Hi, if anyone does go to the Winnetmag help sites to use that method to remove MS Java VM and replace it with the SUN program, the command line that you must type into the Run box is somewhat obscured by a Flash ad, at least in my IE 6.0 browser window it is..... They have a "Printer Friendly" link at the top of the page, however, that shows all the proper text and no ads, so you can get the whole command line; otherwise the command of course won't work.
Compare the command text that shows in these two pages to see what I mean:

This first is with the ad showing: http://www.winnetmag.com/Article/ArticleID/38206/38206.html

And the printer friendly page:

http://www.winnetmag.com/Articles/Print.cfm?ArticleID=38206

EDIT:
Those ads are weird....sometimes they display narrow, so the text for the command line shows in full; some ads are square and cover the text....even on the printer friendly page! Hopefully you folks with good/better popup controls will skip them....


----------



## dvk01 (Dec 14, 2002)

> _Originally posted by e-liam:_
> *Cheers for that Derek,
> 
> My own list was about 2 months old and obviously out of date.
> ...


According to TK, they know about rightfinder and the loader, which is the addclass entries, and it should be in the next CWShredder update.


----------



## Stephen47 (Oct 4, 2002)

Where do I get CWS?


----------



## Flrman1 (Jul 26, 2002)

At the link in post #1


----------



## Stephen47 (Oct 4, 2002)

I found a file in the Windows system folder named icwscript.exe. Does this have anything to do with CWS?


----------



## $teve (Oct 9, 2001)

No....that's the Windows dialup scripting tool.


----------



## $teve (Oct 9, 2001)

These are the MS sites for the relevant security patches.
1. http://www.microsoft.com/security/s...ns/ms03-011.asp

2. http://www.microsoft.com/technet/tr...in/MS00-075.asp


----------



## $teve (Oct 9, 2001)

Edit: It seems MS have changed the links once again.

Here are the latest links for the MS patches.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-075.asp


----------



## bassetman (Jun 7, 2001)

I just did the MSIE "critical update" a bit ago, and lost my internet connection!
I had to do a scanreg /restore to get the connection back. Anyone know why this happened?


----------



## ~Candy~ (Jan 27, 2001)

One reason not to do critical updates 

Which one did you do?


----------



## bassetman (Jun 7, 2001)

To MSIE6 (I think); it was to correct the Vjava (?) security problem.
I rarely do those updates, but I had a moment of bad judgement!


----------



## ~Candy~ (Jan 27, 2001)

I usually give them a week or two IF I even bother


----------



## bassetman (Jun 7, 2001)

Thanks, I take that as advice! 
Gotta go have a good one!


----------



## iaavagent (Jan 11, 2004)

Are you two saying "don't bother to do updates?" This thread has been saying to be sure and do so. What gives?


----------



## ~Candy~ (Jan 27, 2001)

I, personally, never allow my computers to 'auto' update, meaning allow MS updater to decide what I need installed on my computers. And even if it's critical, I give it time to be sure that something else didn't get broken in the process, as sometimes has happened. And I NEVER allow MS updater to do hardware updates. I've been messed up more than a time or two with hardware updates to fix something that is obviously already working.

Your mileage may vary, please don't take this as a recommendation not to do updates (that's my fine print).


----------



## iaavagent (Jan 11, 2004)

Gotcha, now I understand! Thanks


----------



## Flrman1 (Jul 26, 2002)

Hi guys. These sticky threads are getting a bit cluttered so I think it's time we un-stick this one. Don't you think?


----------



## winchester73 (Aug 18, 2003)

I agree ...


----------



## ~Candy~ (Jan 27, 2001)

Yep, unstick 'em all, let God sort them out


----------



## Flrman1 (Jul 26, 2002)

*smack*

Gotcha!


----------



## bassetman (Jun 7, 2001)

When I grow up can I be a Moderator too!  LOL


----------

