Cexx forums, with volunteers dedicated to helping you remove malware and stay protected

Topic: New CoolWebSearch variants
« Reply #15 on: November 22, 2003, 08:40:37 »
Metallica (Global Moderator)

FreeAtLast made a regfile to get rid of most of the "notepad" hijack.

REGEDIT4

; COM registration of the SearchWord BHO (class, interface, ProgIDs, type library)
[-HKEY_CLASSES_ROOT\CLSID\{79369D5C-2903-4b7a-ADE2-D5E0DEE14D24}]

[-HKEY_CLASSES_ROOT\Interface\{84F2D0D3-79DE-42CD-B8BB-F7DBAEBDDD4E}]

[-HKEY_CLASSES_ROOT\SearchWord.SearchHelp]

[-HKEY_CLASSES_ROOT\SearchWord.SearchHelp.1]

[-HKEY_CLASSES_ROOT\TypeLib\{355F8396-C845-4966-A103-8A05D0004248}]

; values the hijack drops under the IEAK key
[HKEY_CURRENT_USER\Software\Microsoft\IEAK]
"chk"=-
"chkcln"=-
"chkrpl"=-
"chksrc"=-
"chktbl"=-
"user"=-

; per-user autostart entries
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"iedll"=-
"loader"=-
"svc"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page_bak"=-

; ZoneMap entry added for xxxtoolbar.com
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com]

; machine-wide autostart entries
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AddClass"=-
"CTFMON32.EXE"=-
"Internat Conf"=-
"Msoffice"=-
"mssys"=-
"svchost.exe"=-
"sys"=-
"sysPnP"=-
"Tapicfg.exe"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nvstart"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Search Page_bak"=-

; the BHO's registration with Internet Explorer
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{79369D5C-2903-4b7a-ADE2-D5E0DEE14D24}]


Additionally, you need to replace the fake notepad.exe with a copy of the real one.
The fake is about 139 KB in size, has "Microsft (R) Mediaload" under the filename, and its icon is a HD.
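The .reg file above is merged blind by regedit, and a helper who hands it out usually wants to see exactly which keys and values it will delete before running it on someone's machine. The script below is an added example and not FreeAtLast's or the forum's code: it reads the REGEDIT4 subset such cleanup files use (key headers, `[-KEY]` key deletions, `"name"=-` value deletions) into a list of actions, and picks out the ones that touch autostart locations or the Browser Helper Objects list. SAMPLE_REG is a constructed excerpt of the posted file.

```python
"""Dry-run reader for a REGEDIT4 cleanup file (added example, not FreeAtLast's tool)."""
import re

# Constructed excerpt of the cleanup file in the post above; the stray
# leading space before "user"=- mirrors the one in the posted file.
SAMPLE_REG = r"""REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{79369D5C-2903-4b7a-ADE2-D5E0DEE14D24}]

[HKEY_CURRENT_USER\Software\Microsoft\IEAK]
"chk"=-
 "user"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe"=-
"Tapicfg.exe"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{79369D5C-2903-4b7a-ADE2-D5E0DEE14D24}]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                  # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')     # "name"=data
DEFAULT_RE = re.compile(r'^@=(.*)$')                     # (Default) value

# Keys whose values start programs or load into IE: worth a second look before merging.
AUTOSTART_MARKERS = ("\\currentversion\\run", "\\browser helper objects")


def parse_reg(text):
    """Return [(action, key, value_name)] without touching the registry.

    action is 'delete_key' for a [-KEY] header, 'delete_value' for
    "name"=- and 'set_value' for anything else.  Only the subset that
    cleanup files use is handled; unknown lines raise ValueError.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 header")
    actions = []
    current_key = None
    deleting = False          # inside a [-KEY] block its value lines are irrelevant
    for raw in lines[1:]:
        line = raw.strip()    # tolerate stray leading whitespace
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            minus, current_key = m.groups()
            deleting = bool(minus)
            if deleting:
                actions.append(("delete_key", current_key, None))
            continue
        if current_key is None:
            raise ValueError("value line before any [KEY] header: %r" % line)
        if deleting:
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = m.groups()
        else:
            m = DEFAULT_RE.match(line)
            if not m:
                raise ValueError("unrecognised line: %r" % line)
            name, data = "", m.group(1)
        action = "delete_value" if data.strip() == "-" else "set_value"
        actions.append((action, current_key, name))
    return actions


def autostart_actions(actions):
    """Subset of actions that touch Run/RunOnce/RunServices keys or the BHO list."""
    return [a for a in actions if any(mark in a[1].lower() for mark in AUTOSTART_MARKERS)]


if __name__ == "__main__":
    for action, key, name in parse_reg(SAMPLE_REG):
        print(action, key, name or "")
```

Run it as-is to list the actions in the excerpt, or pass the whole posted file to parse_reg(); autostart_actions() then shows which of them remove Run entries or the BHO registration, which is where an unrelated legitimate entry would do the most damage if it were deleted by mistake.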

« Reply #16 on: November 22, 2003, 08:47:16 »
Unzy (Guest)

thanks Pieter Thumbs Up

Good job fal!  :-*

Cheers,
« Reply #17 on: November 22, 2003, 14:58:52 »
Metallica (Global Moderator)

Very likely a new CWS variant.

Entries in HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?oaoca (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.webcounter.cc/---/?oaoca (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?oaoca (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?oaoca about:blank (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?oaoca (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?oaoca (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?oaoca (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?oaoca (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?oaoca about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?oaoca (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?oaoca (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?oaoca (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?oaoca (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?oaoca (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?oaoca (obfuscated)
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)

Example

Waiting for a sample to be completely sure.

Regards,

Pieter

« Reply #18 on: November 23, 2003, 04:03:34 »
Unzy (Guest)

Good job Pieter, that is indeed a new variant Thumbs Up

One user with the soundmx.exe variant was constantly redirected to luckysearch or globefinder. Log also showed the exact same stylesheet hacks.

as shown HERE

Cheers,
« Reply #19 on: November 23, 2003, 04:38:04 »
Metallica (Global Moderator)

Confirmed. I received the file in the meantime and forwarded it to the developers of anti-spyware software.
This is a rather harmless variant. That's nice for a change. Wink

Pieter

« Reply #20 on: November 24, 2003, 03:57:31 »
Merijn

Whoa, it's been a while since I posted here Smile

WinLink.dll
Added as CWS.Aff.Winshow.3.

O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
O4 - HKLM\..\Run: [Win64 Compatibility Check] load win64.drv /c /set -- by windows setup --

Added as CWS.Loadbat.

R3 - URLSearchHook: MailTo Class - {01A9EB7D-69BC-11D2-AB2F-204C4F4F5020} - C:\WINDOWS\System32\astctl32.ocx
Pretty old, it's been in CWShredder as CWS.Dnsrelay.2 for awhile now. Smile

O4 - HKCU\..\Run: [ld] C:\WINDOWS\ld.exe
Part of CWS.Aff.Tooncomics.2.

Quote

On some systems removing the DReplace BHO with CWShredder has caused the systems to become unbootable.
For now we assume the built-in unregister of the .dll has been corrupted.


Yup, I took out the routine of unregging a dll before deleting it because of dreplace.dll and dnse.dll doing this.

O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddClass.exe

Added as CWS.Addclass.

O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\MSEJDB.DLL

Haven't quite figured this out; it does practically nothing on my test system. The BHO gets deleted in the cleanup sub though.

O2 - BHO: Microsoft SearchWord - {79369D5C-2903-4b7a-ADE2-D5E0DEE14D24} - C:\Documents and Settings\Corey\Application Data\SearchWord.dll

Added as CWS.Googlems.2.

O2 - BHO: Microsoft SearchWord - {79369D5C-2903-4b7a-ADE2-D5E0DEE14D24} - C:\DOCUME~1\Danny\APPLIC~1\MICROS~1\Office\Word10.dll

Added as CWS.Googlems.3

The Notepad hijack:
Part of CWS.Googlems.3; CWShredder checks the file properties of the file in Win2k/XP and deletes it if it's not the real Notepad.exe. WinXP seems to have a copy of Notepad.exe in both %windir% and %winsysdir%. IEAK regvalues are deleted as well as part of this one.

O4 - HKLM\..\Run: [Soundmx] \soundmx.exe

Added as CWS.Tapicfg.2 along with the in.webcounter.cc hijacks, tips.ini and hh.htt stylesheets.
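Merijn's note that CWShredder checks the file properties of notepad.exe, together with Pieter's description of the fake earlier in the thread (about 139 KB, "Microsft (R) Mediaload" in its properties), suggests a local check a helper can run before telling a user to copy the real file back. The script below is an added example, not CWShredder's code: it looks for the fake's version strings (stored UTF-16LE, as strings in a PE version resource are) and compares the SHA-256 of the candidate with the extra copies Win2k/XP keep in %windir%\system32 and its dllcache. The file contents written by build_demo_dir() are constructed stand-ins, not real binaries, and default_reference_copies() assumes the usual XP locations.

```python
"""Sanity-check a notepad.exe against sibling copies (added example; not CWShredder's code)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Strings the thread reports in the fake's version info, and the vendor
# string a genuine Microsoft binary carries; both are UTF-16LE in a PE
# VS_VERSION_INFO resource, so the raw bytes can be searched directly.
SUSPECT_STRINGS = ["Mediaload", "Microsft"]
GENUINE_STRING = "Microsoft Corporation"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def default_reference_copies():
    """Where Win2k/XP keep further copies of notepad.exe (assumed paths)."""
    windir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    return [os.path.join(windir, "system32", "notepad.exe"),
            os.path.join(windir, "system32", "dllcache", "notepad.exe")]


def assess_notepad(candidate, reference_copies):
    """Return (verdict, reasons); verdict is 'genuine', 'suspect' or 'unknown'.

    A copy is 'suspect' if its version strings look like the fake's or if it
    hashes differently from every reference copy that exists on disk.
    """
    data = Path(candidate).read_bytes()
    reasons = []
    for s in SUSPECT_STRINGS:
        if s.encode("utf-16-le") in data:
            reasons.append("version info contains %r" % s)
    if GENUINE_STRING.encode("utf-16-le") not in data:
        reasons.append("no %r string in version info" % GENUINE_STRING)
    refs = [p for p in reference_copies if os.path.isfile(p)]
    digest = sha256_of(candidate)
    matching = [p for p in refs if sha256_of(p) == digest]
    if refs and not matching:
        reasons.append("hash differs from all %d reference copies" % len(refs))
    if reasons:
        return "suspect", reasons
    if matching:
        return "genuine", ["hash matches %s" % matching[0]]
    return "unknown", ["no reference copy found"]


def build_demo_dir():
    """Constructed stand-in files (not real binaries) so the check runs anywhere."""
    root = Path(tempfile.mkdtemp())
    genuine = b"MZ" + GENUINE_STRING.encode("utf-16-le") + b"\x00" * 64
    fake = b"MZ" + "Microsft (R) Mediaload".encode("utf-16-le") + b"\x00" * 64
    (root / "system32").mkdir()
    (root / "system32" / "notepad.exe").write_bytes(genuine)   # reference copy
    (root / "notepad_good.exe").write_bytes(genuine)           # identical candidate
    (root / "notepad_fake.exe").write_bytes(fake)              # hijacker's candidate
    return root


def demo():
    """Assess both constructed candidates against the constructed reference copy."""
    root = build_demo_dir()
    refs = [str(root / "system32" / "notepad.exe")]
    return {name: assess_notepad(str(root / name), refs)[0]
            for name in ("notepad_good.exe", "notepad_fake.exe")}


if __name__ == "__main__":
    print(demo())
    # On a real XP box: assess_notepad(r"C:\WINDOWS\notepad.exe", default_reference_copies())
```

The hash comparison is the stronger of the two signals: the string check only catches this particular fake, while a mismatch against the dllcache copy catches any replacement of the file.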
« Reply #21 on: November 24, 2003, 04:09:54 »
Metallica (Global Moderator)

Looks like you are up to date Merijn. Good job. Smile

Time to find some new ones.

What's with the fntldr.exe? Part of CWS.Tapicfg.2?

Pieter

« Reply #22 on: November 24, 2003, 04:16:02 »
Unzy (Guest)

Thanks Merijn !! :-* Smile

good job indeed Thumbs Up

Take care,

Cheers,
« Reply #23 on: November 24, 2003, 06:00:22 »
Metallica (Global Moderator)

OK. You wanted new ones? Wink

Found by Tony here

O4 - HKLM\..\Run: [MsFind] C:\WINDOWS\msfind.exe

« Reply #24 on: November 24, 2003, 11:26:46 »
Merijn

Quote from: Metallica
Looks like you are up to date Merijn. Good job. Smile

Time to find some new ones.

What's with the fntldr.exe? Part of CWS.Tapicfg.2?

Pieter


Yup. It's more like CWS.Tapicfg(.1) than you think; fntldr.exe and soundmx.exe are (almost) the same file. It wasn't added when I ran a copy of soundmx.exe though.
« Reply #25 on: November 24, 2003, 11:29:52 »
Merijn

Quote from: Metallica
OK. You wanted new ones? Wink

Found by Tony here

O4 - HKLM\..\Run: [MsFind] C:\WINDOWS\msfind.exe


Found the thread, downloaded a copy, film at 11. Smile
« Reply #26 on: November 28, 2003, 00:41:37 »
Metallica (Global Moderator)

And more:
O4 - HKLM\..\RunServices: [Desktop] rundll32.exe msconfd,Restore ControlPanel
As seen here: http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?act=ST&f=32&t=7675&st=

Found and examined by TonyKlein.

« Reply #27 on: November 28, 2003, 01:31:21 »
Metallica (Global Moderator)

Oh fun, oh joy.  Evil or Very Mad

O4 - HKCU\..\Run: [QuickTime Task] c:\windows\qttasks.exe

As seen here:
http://www.wilderssecurity.com/index.php?board=17;action=display;threadid=16938

« Reply #28 on: November 29, 2003, 12:41:06 »
Metallica (Global Moderator)

Keep them coming:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.therealsearch.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.therealsearch.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.therealsearch.com/sp.php
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\QUICKEN.EXE
O4 - HKCU\..\Run: [editpad] C:\WINDOWS\editpad.exe

As found here http://www.computercops.biz/postt8456.html

« Reply #29 on: December 01, 2003, 12:13:45 »
Metallica (Global Moderator)

New, yet familiar:

O2 - BHO: Microsoft Excel - {17DA0C9E-4A27-4ac5-BB75-5D24B8CDB972} - C:\DOCUME~1\Fisto\APPLIC~1\MICROS~1\Office\Excel10.dll

As seen here: http://forums.spywareinfo.com/index.php?showtopic=19526
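Every variant in this thread was reported as a handful of HijackThis log lines, and the same lines keep turning up in user logs. The script below is an added example, not part of HijackThis or CWShredder: it parses the R0/R1/R3/O2/O4/O19 line formats shown in the replies and matches them against the hosts, CLSIDs, autostart file names and stylesheet names collected across the thread, labelling each hit with the CWShredder name given there (or the reply number where none was given). SAMPLE_LOG is constructed from lines in the thread plus two benign entries (a Google start page and an NVIDIA control-panel autostart) for contrast.

```python
"""Triage a HijackThis log against the indicators collected in this thread (added example)."""
import re

# Indicators taken from the posts above; labels are the CWShredder names given
# there, or the reply number where no name was given.
HOSTS = {
    "in.webcounter.cc": "CWS.Tapicfg.2",
    "webcoolsearch.com": "CWS (HomeOldSP, reply #17)",
    "therealsearch.com": "CWS (reply #28)",
}
CLSIDS = {
    "{79369D5C-2903-4B7A-ADE2-D5E0DEE14D24}": "CWS.Googlems.2/3",
    "{01A9EB7D-69BC-11D2-AB2F-204C4F4F5020}": "CWS.Dnsrelay.2",
    "{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1}": "MSEJDB.DLL BHO (reply #20)",
    "{17DA0C9E-4A27-4AC5-BB75-5D24B8CDB972}": "Excel10.dll BHO (reply #29)",
}
FILES = {   # file names seen in O4 autostart entries
    "soundmx.exe": "CWS.Tapicfg.2", "fntldr.exe": "CWS.Tapicfg",
    "shell.dll": "CWS.Loadbat", "win64.drv": "CWS.Loadbat",
    "ld.exe": "CWS.Aff.Tooncomics.2", "addclass.exe": "CWS.Addclass",
    "msfind.exe": "reply #23", "msconfd": "reply #26", "qttasks.exe": "reply #27",
    "quicken.exe": "reply #28", "editpad.exe": "reply #28",
}
STYLESHEETS = {"tips.ini": "CWS.Tapicfg.2", "hh.htt": "CWS.Tapicfg.2"}

R_RE = re.compile(r'^R[013] - (.+?),(.+?) = (.*)$')                       # IE URL settings
HOOK_RE = re.compile(r'^(?:R3 - URLSearchHook|O2 - BHO): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$')
O4_RE = re.compile(r'^O4 - (.+?): \[(.*?)\] (.*)$')                         # autostart entries
O19_RE = re.compile(r'^O19 - User stylesheet: (.*?)(?: \(HKLM\))?$')

# Constructed sample log: lines from the thread plus two benign entries for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?oaoca (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: Microsoft SearchWord - {79369D5C-2903-4b7a-ADE2-D5E0DEE14D24} - C:\Documents and Settings\Corey\Application Data\SearchWord.dll
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\RunServices: [Desktop] rundll32.exe msconfd,Restore ControlPanel
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)
"""


def check_line(line):
    """Return the reasons one HijackThis line matches the thread's indicators ([] if none)."""
    line = line.strip()
    reasons = []
    m = R_RE.match(line)
    if m:
        host = re.search(r'https?://([^/\s]+)', m.group(3))
        host = host.group(1).lower() if host else None
        if host in HOSTS:
            reasons.append("%s points at %s (%s)" % (m.group(2), host, HOSTS[host]))
        return reasons
    m = HOOK_RE.match(line)
    if m:
        name, clsid, path = m.groups()
        if clsid.upper() in CLSIDS:
            reasons.append("CLSID %s (%s)" % (clsid, CLSIDS[clsid.upper()]))
        if "application data" in path.lower():   # heuristic: the Googlems DLLs live in a user profile
            reasons.append("browser extension DLL loaded from a user profile directory")
        return reasons
    m = O4_RE.match(line)
    if m:
        # split the command line into file-name-like tokens so "rundll32.exe msconfd,Restore" yields "msconfd"
        tokens = set(re.findall(r'[\w.\-]+', m.group(3).lower()))
        for fname, label in FILES.items():
            if fname in tokens:
                reasons.append("autostart %r runs %s (%s)" % (m.group(2), fname, label))
        return reasons
    m = O19_RE.match(line)
    if m:
        base = re.split(r'[\\/]', m.group(1))[-1].lower()
        if base in STYLESHEETS:
            reasons.append("user stylesheet %s (%s)" % (base, STYLESHEETS[base]))
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every line that matched at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        reasons = check_line(line)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

The indicator tables are only as current as this page of the thread; the value of the script is that each new reply adds one dictionary entry rather than a new parser, and the "Application Data" heuristic on BHO paths catches renamed copies of the Googlems DLL that a fixed file-name list would miss.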
