cws.feads using a new dll? or new variant
kramer8u
Hello fellows,

I have a little problem: one of my customers has infected himself with a CWS variant that I could not find any reference to anywhere...

It behaves like a hijack, yet there are some worm characteristics that I have found peculiar: it will replicate a random exe name in the windows or windows/system32 folder...

This is usually done when IE is run. It has a homepage hijack to CWS, and in the address bar it loads the following DLL: "fiamm.dll". This file name never changes. If unloaded and deleted, it will return once I run IE again, say after a reboot. I suspect it is recopied when one of the random exes is run.

Pest Patrol detected it as cws.feads, but I suspect that that is the source for this variant and will not remove the hijack...

I think that a legitimate service or process has been hooked or replaced, but I cannot find any clear information on this CWS anywhere...

I would run the log tool for you but I can't, as the infection is at my customer's...

He has Norton AV and it found a trojan and removed it. CWShredder found nothing.

Any help would be greatly appreciated.

Anything to avoid the lameness of a re-install.

Aussie Kramer :thumb:
CalamityJane
Try updating CWShredder to version 1.59.1, just out today. Scan and see if it removes it. It has a new update for the sp.html about:blank version.

Another version, which is possibly the feads version you are describing, I submitted to Trojan Remover, and they have added detection for that one. If you go to Start > Run and type services.msc, look for a service running called *Network Security Services*. If so, that is the variant they have.

Trojan Remover has a fully functional 30-day free trial. You could try that.

http://www.simplysup.com/tremover/download.html