

New Browser Hijacker


  • This topic is locked
29 replies to this topic

#1 Guest_Guest_*

  • Guests

Posted 03 December 2003 - 08:40 AM

There is a new browser hijacker directing the browser to http://www.search2004.net/ and www.windowws.cc. Does anybody know how to fix it? These domains belong to the following people:


http://www.search2004.net/
Registrant:
Robert Stark
Wiesliacher 14
Zürich, CH-8053
Switzerland

Registered through: Vadim Fedorov
Domain Name: SEARCH2004.NET
Created on: 12-Nov-03
Expires on: 12-Nov-04
Last Updated on: 13-Nov-03

Administrative Contact:
Stark, Robert greg1@mail333.com
Wiesliacher 14
Zürich, CH-8053
Switzerland
+41 1 632 44 78 Fax --
Technical Contact:
Stark, Robert greg1@mail333.com
Wiesliacher 14
Zürich, CH-8053
Switzerland
+41 1 632 44 78 Fax --

Domain servers in listed order:
PL0.GREG-SEARCH.COM
PL1.GREG-SEARCH.COM


Domain Name:
windowws.cc
Registrant:
Stas Bekman (greg1@mail333.com)

Aba Silver 12/29
Haifa, NONE 32694
IL
972-(0)4-828-2274
Administrative, Technical, Billing Contact:
Stas Bekman (greg1@mail333.com)

Aba Silver 12/29
Haifa, NONE 32694
IL
972-(0)4-828-2274
Record expires on: Nov 14 2004
Record created on: Nov 14 2003
Domain Name Servers:
ns1-hosts.srsplus.com
ns2-hosts.srsplus.com



#2 TonyKlein

    Forum God

  • Malware Expert
  • 188 posts

Posted 03 December 2003 - 01:02 PM

Unless we get to see more of the configuration, it will be very hard to offer any kind of meaningful advice.

Please go to http://tomcoyote.org/hjt/ , and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

#3 Guest_John_*

  • Guests

Posted 04 December 2003 - 02:39 PM

Tony,
Thanks for the feedback. HT log is as follows:

Logfile of HijackThis v1.97.7
Scan saved at 12:35:42 PM, on 12/4/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\DANTZ\RETROSPECT\RETRORUN.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\DANTZ\RETROSPECT\COMBOBUTTON.EXE
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SBC\CONNECTION MANAGER\CMANAGER.EXE
C:\WINDOWS\SEIKO\SLPCAP.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\DLLCMD32.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\HOTTRAY.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\TEMP DOWNLOADS\WINZIP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.windowws.cc/sp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,8,0.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,8,0.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\DANTZ\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [Retrospect Launcher] C:\PROGRAM FILES\DANTZ\RETROSPECT\RETRORUN.EXE
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Windows Control] C:\WINDOWS\CONTROL.EXE
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: SmartCapture.lnk = C:\WINDOWS\Seiko\slpcap.exe
O4 - Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Startup: j2Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7874.8817592593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 4.2.2.2
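Added example, not part of the thread or of HijackThis itself: a small Python triage pass over log lines like the ones above. It flags R0/R1 entries whose URL host is one of the hijack destinations named in this thread, and O4 (autostart) entries that launch a Windows shell utility such as Control.exe, which Windows never registers under a Run key by itself. The SAMPLE_LOG lines are copied from the log above; the SHELL_UTILITIES list is an illustrative assumption, not a published indicator list.

```python
# Added example: triage HijackThis R0/R1 and O4 lines.  Not from the thread.
import re
from urllib.parse import urlparse

# Hijack destinations named in this thread (first post and post #12).
HIJACK_HOSTS = {"windowws.cc", "search2004.net", "super-spider.com"}

# Assumption: shell utilities that have no business being launched from a Run key.
SHELL_UTILITIES = {"control.exe", "explorer.exe", "regedit.exe"}

R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>\S+)")
O4_LINE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Lines copied from the log in post #3 (Startup .lnk entries use a different
# shape and are deliberately left alone by O4_LINE).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.windowws.cc/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Windows Control] C:\WINDOWS\CONTROL.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""


def host_of(url):
    """Host part of a URL with any leading 'www.' removed; '' for non-URLs."""
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def executable_of(cmd):
    """Lower-case base name of the program an O4 command line launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly followed by arguments
        end = cmd.find('"', 1)
        program = cmd[1:end] if end > 0 else cmd[1:]
    else:                                        # unquoted: the first token is the program
        program = cmd.split()[0]
    return program.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return (line, reason) pairs for the lines that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = R_LINE.match(line)
        if m:
            host = host_of(m.group("value"))
            if host in HIJACK_HOSTS:
                findings.append((line, "IE setting points at hijacker host " + host))
            continue
        m = O4_LINE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if exe in SHELL_UTILITIES:
                findings.append((line, "Run key launches shell utility " + exe + "; verify the file"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(reason)
        print("   ", line)
```

Run against the sample it reports the two windowws.cc search entries and the Control.exe Run entry, and nothing for the legitimate ScanRegistry, QuickTime and NVIDIA lines. The O4 heuristic only says "verify", which is exactly how the thread proceeds: the file name alone does not tell you whether it is the genuine Win98SE Control.exe or something dropped in its place.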

#4 TonyKlein

    Forum God

  • Malware Expert
  • 188 posts

Posted 04 December 2003 - 02:46 PM

This item looks very dubious:

O4 - HKCU\..\Run: [Windows Control] C:\WINDOWS\CONTROL.EXE

Unless you KNOW what it is, would you mind sending a copy of that Control.exe file to this e-mail addy for analysis, please?


Much appreciated! :)

We may just be dealing with another new CoolWebSearch parasite variant

#5 Trpm

    Expert

  • Authentic Member
  • 82 posts

Posted 04 December 2003 - 03:03 PM

Tony, there is a Control.exe file in the Win98SE C:\windows folder; when executed, it brings up the Control Panel. I have never seen it in a HijackThis log before, though. Have a nice day. :) Trpm

#6 TonyKlein

    Forum God

  • Malware Expert
  • 188 posts

Posted 04 December 2003 - 03:24 PM

Absolutely right on both counts. I seem to have forgotten all about Windows 98. Control.exe is in the System32 folder in WinXP... HOWEVER, as you rightly say, it's highly unusual in startup, and I'd still like to see a copy of that file. Does Control Panel actually open when doubleclicking that Control.exe file? I wonder...

#7 mjc

  • New Member
  • 145 posts

Posted 04 December 2003 - 05:57 PM

Yes, it does. I imagine that since it is in a Run key it would open the Control Panel at bootup... (give me ten minutes and I'll find out.... ;))
I hope it wasn't my turn to refill the coffee pot...

#8 TonyKlein

    Forum God

  • Malware Expert
  • 188 posts

Posted 04 December 2003 - 06:05 PM

Of course it will, providing it's the legitimate Control.exe. What I'm wondering is whether that's indeed the case.

#9 Galadriel

    CEO - Chief Elvish Officer

  • Visiting Fellow
  • 528 posts

Posted 04 December 2003 - 06:19 PM

I doubt it, Tony.... If I could find the thread where I saw it was indeed a problem....... I saw this and already asked for the file to be submitted; don't know if it ever came in or not....
This is the thread where I asked for a copy....
http://forums.tomcoy...findpost&p=5962

And I found it....
http://forums.spywar...ndpost&p=118379
That is where it appears to have fixed someone's problem.
I amar prestar aen. Han mathon ne nen. Han mathon ne chae. A han noston ne 'wilith. - Galadriel

'The world is changed; I can feel it in the water, I can feel it in the earth, I can smell it in the air.'

#10 mjc

  • New Member
  • 145 posts

Posted 04 December 2003 - 06:21 PM

And yes, tested and it does exactly as advertised, if it is the legit control.exe.



#11 Trpm

    Expert

  • Authentic Member
  • 82 posts

Posted 04 December 2003 - 07:38 PM

Have them do a properties check; the correct file size should be 2.06 KB, or 2,112 bytes. Trpm :)

#12 TonyKlein

    Forum God

  • Malware Expert
  • 188 posts

Posted 05 December 2003 - 02:43 AM

Well, my suspicion is right: It's a new CoolWebSearch variant, hijacking to http://super-spider.com

The file is 30 times bigger than the legitimate Control.exe.

I guess you'll need to extract a fresh copy of Control.exe from your Windows setup cabs, and get rid of this one!
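Added example, not from the thread: a Python check that puts the size test from post #11 and the "30 times bigger" observation from post #12 into one routine, and also compares the suspect file's SHA-256 against a known-clean copy (the fresh Control.exe extracted from the setup cabs that post #12 recommends) when one is available. The 2,112-byte figure is the one stated in post #11; the two byte blobs at the bottom are constructed stand-ins sized like the genuine and the bloated file, not real executables.

```python
# Added example: size and hash comparison for a suspect Control.exe.  Not from the thread.
import hashlib
from pathlib import Path

GENUINE_SIZE = 2112  # bytes, the Win98SE Control.exe size given in post #11


def assess(suspect, reference=None):
    """Describe how a suspect file compares with the expected size and, when
    given, with a known-clean reference copy of the same file."""
    size = len(suspect)
    ratio = size / GENUINE_SIZE
    report = {
        "size": size,
        "ratio_to_genuine": round(ratio, 2),
        "is_pe_like": suspect[:2] == b"MZ",     # DOS/PE stub signature; absent means not an executable at all
        "sha256": hashlib.sha256(suspect).hexdigest(),
    }
    if reference is not None:
        # Hash equality with a clean copy is the real test; size alone can be padded to match.
        report["matches_reference"] = hashlib.sha256(reference).digest() == hashlib.sha256(suspect).digest()
    if size == GENUINE_SIZE:
        report["verdict"] = "size matches the genuine file"
    else:
        report["verdict"] = "size mismatch: %.0fx the genuine file, treat as replaced" % ratio
    return report


def assess_path(suspect_path, reference_path=None):
    """Same check for files on disk, e.g. C:\\WINDOWS\\CONTROL.EXE against a
    fresh copy extracted from the Windows setup cabs."""
    ref = Path(reference_path).read_bytes() if reference_path else None
    return assess(Path(suspect_path).read_bytes(), ref)


# Constructed stand-ins (not real executables): one sized like the genuine
# file, one 30 times larger as described in post #12.
CLEAN_SIZED = b"MZ" + bytes(GENUINE_SIZE - 2)
BLOATED = b"MZ" + bytes(GENUINE_SIZE * 30 - 2)

if __name__ == "__main__":
    print(assess(CLEAN_SIZED, reference=CLEAN_SIZED))
    print(assess(BLOATED, reference=CLEAN_SIZED))
```

The size ratio reproduces the thread's quick triage; the hash comparison is what to rely on once a clean copy is in hand, since a size match on its own does not prove the file is untouched.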

#13 Trpm

    Expert

  • Authentic Member
  • 82 posts

Posted 05 December 2003 - 04:24 AM

Tony, Do you happen to know if he still had access to the control panel? Trpm

#14 TonyKlein

    Forum God

  • Malware Expert
  • 188 posts

Posted 05 December 2003 - 04:47 AM

It would surprise me, but I haven't actually installed the file myself. Seems unlikely though. It may have been a goofup by the programmer; maybe they forgot to make a distinction between Win 9x and Win NT based systems.

Edited by TonyKlein, 05 December 2003 - 04:47 AM.


#15 mjc

  • New Member
  • 145 posts

Posted 05 December 2003 - 11:58 AM

Well, that wouldn't be a first from those guys...of course we all know what their beta testing program is..
