News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
Topic: New CoolWebSearch variants  (Read 77979 times)
« Reply #30 on: December 05, 2003, 06:35:02 »
Metallica, Global Moderator
How far will they go?

O4 - HKCU\..\Run: [Windows Control] C:\WINDOWS\CONTROL.EXE

On Win9x systems this will replace the original control.exe that opens the Control Panel.
On WinNT systems the original will be in the System32 folder.

« Reply #31 on: December 06, 2003, 04:23:31 »
Unzy (Guest)

Thanks Pietz

And this one as well:

F1 - win.ini: run=c:\windows\fonts\{F6783180-AB16-11D5-866D-F1833B88AD64}\Quicker.exe

as seen HERE

Cheers,
« Reply #32 on: December 08, 2003, 01:30:51 »
Metallica, Global Moderator
And another:

O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINDOWS\NavExt.dll

As spotted here: http://www.wilderssecurity.com/index.php?board=17;action=display;threadid=17402

Already included in CWShredder 1.39.1

« Reply #33 on: December 09, 2003, 02:23:42 »
Metallica, Global Moderator
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search-click.com/search.html?p=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search-click.com/?p=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search-click.com/?p=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search-click.com/search.html?p=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search-click.com/?p=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search-click.com/search.html?p=0
R3 - URLSearchHook: SearchHookObject Class - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\DESKTOP\XTRASH\IEFEATSL\IEFEATSL\MSIESH.DLL
O2 - BHO: iefeatsl module - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\DESKTOP\XTRASH\IEFEATSL\IEFEATSL\2NDIEFEATS\IEFEATSL.DLL
O4 - HKCU\..\RunOnce: [iefeatslUpdate] rundll32 C:\WINDOWS\DESKTOP\XTRASH\IEFEATSL\IEFEATSL\2NDIEF~1\iefeatsl.new,UpdateDll

As found by FreeAtLast here: http://forums.spywareinfo.com/index.php?showtopic=20634

Added in CWShredder 1.39.2

« Reply #34 on: December 10, 2003, 05:55:50 »
Metallica, Global Moderator
As found here:
http://forums.spywareinfo.com/index.php?showtopic=20942

O4 - HKLM\..\RunOnce: [tlc] C:\WINDOWS\update911.js

« Reply #35 on: December 10, 2003, 05:57:50 »
Metallica, Global Moderator
As spotted by Unzy here: http://forums.spywareinfo.com/index.php?showtopic=20759

O4 - HKLM\..\RunServices: [SVC Socks] C:\WINDOWS\SYSTEM\mstaskm.exe

« Reply #36 on: December 10, 2003, 09:51:16 »
Merijn
Quote from: Metallica
As spotted by Unzy here: http://forums.spywareinfo.com/index.php?showtopic=20759

O4 - HKLM\..\RunServices: [SVC Socks] C:\WINDOWS\SYSTEM\mstaskm.exe


Worse yet.

F1 - win.ini: run=C:\WINDOWS\SYSTEM\mstaskm.exe

Also, it's resident.

Added to CWShredder 1.39.3 as unknown.
« Reply #37 on: December 10, 2003, 13:02:27 »
Metallica, Global Moderator
I stand corrected. Thanks Merijn.

And another (spotted by Tony):
O4 - HKLM\..\Run: [Updates] C:\WINNT\system32\msupdate.exe

As seen here: http://forums.tomcoyote.org/index.php?showtopic=1417

Added in version 1.39.4

« Reply #38 on: December 16, 2003, 01:58:53 »
Metallica, Global Moderator
R3 - URLSearchHook: MailTo Class - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\mswsc20.dll

Found by Tony here: http://forums.spywareinfo.com/index.php?act=ST&f=4&t=22424&st=0#entry126849

« Reply #39 on: December 16, 2003, 03:47:37 »
Unzy (Guest)

Wow, 5 days since a new variant was discovered, they can't keep up?

=DD:DD=DD

Good job Tony, and thanks for the update Pietz

Cheers,
« Reply #40 on: January 05, 2004, 05:19:25 »
Metallica, Global Moderator
I'm afraid I'm the one that is way behind, Unzy.

O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe
as spotted here http://computercops.biz/postt11398.html

O4 - HKLM\..\Run: [IEsar] C:\Program Files\Internet Explorer\Iesar.exe
as spotted here: http://forums.spywareinfo.com/index.php?act=ST&f=11&t=25570&st=0#entry141617

O4 - HKLM\..\Run: [UPSUtl] C:\WINDOWS\web.exe
as spotted here: http://board.protecus.de/showtopic.php?threadid=7473

O4 - HKLM\..\RunOnce: [delsubmit] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Documents and Settings\james\Application Data\iefeatsl\submit.exe
as spotted here: http://forums.spywareinfo.com/index.php?showtopic=25205&st=0%EF%BF%BDentry139913

O4 - HKLM\..\Run: [nvidia32] C:\WINDOWS\System32\nvidia32.exe
as spotted here: http://forums.spywareinfo.com/index.php?showtopic=25458

Sorry to disappoint you, but they have not given up (yet)

Regards,

Pieter

« Reply #41 on: January 08, 2004, 04:18:52 »
Unzy (Guest)

Thanks Pieter

Another one spotted by Pieter:

SystemEmergency = directx.exe

(waiting for a link that shows it in a log)

And another SystemEmergency variant, explore.exe:

O4 - HKCU\..\Run: [SystemEmergency] C:\Windows\explore.exe

as seen HERE

Cheers,
« Reply #42 on: January 08, 2004, 14:16:09 »
Metallica, Global Moderator
Hi Unzy,

There will be more with that [SystemEmergency]

Already seen internet.exe as the executable as well.

This is the one where I found directx.exe: http://www.computercops.biz/postt11847.html

« Reply #43 on: January 08, 2004, 14:20:16 »
Unzy (Guest)

Ouch, looks like the holiday breaks are over

Well , so far all SystemEmergency variants are redirected to smartsearch

lazy bastards :p

Cheers,
« Reply #44 on: January 13, 2004, 12:57:46 »
Unzy (Guest)

And another one, spotted I think by TonyKlein:

rundll32.exe %path%\ctrlpan.dll

O4 - HKLM\..\Run: [Control] rundll32.exe C:\WINDOWS\SYSTEM\ctrlpan.dll,Restore ControlPanel

As seen HERE

Already built into the latest version of CWShredder

Cheers,
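The entries collected in this thread all land in a handful of HijackThis sections: R0/R1 start and search page values, R3 URLSearchHooks, O2 BHOs, O4 Run/RunOnce/RunServices values and F1 win.ini run= lines. The script below is an added example, not code from the thread, from HijackThis or from CWShredder: it parses those line types, pulls out the host, CLSID, file name or Run value name each one loads, and flags it against an indicator list copied verbatim from the posts above. The sample log is constructed from the quoted entries plus two benign lines (an example.com start page and ctfmon.exe) that are my own additions, and the control.exe rule is my heuristic, not something the thread states.

```python
"""Triage HijackThis log lines for the CoolWebSearch entries quoted in this
thread. Added example: not code from the thread, HijackThis or CWShredder."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators copied from the log lines quoted in this thread (lower-cased file
# names, CLSIDs, redirect host, Run value names). Nothing from other sources.
KNOWN_FILES = {
    "quicker.exe", "navext.dll", "msiesh.dll", "iefeatsl.dll", "iefeatsl.new",
    "update911.js", "mstaskm.exe", "msupdate.exe", "mswsc20.dll", "olehelp.exe",
    "iesar.exe", "web.exe", "submit.exe", "nvidia32.exe", "directx.exe",
    "explore.exe", "internet.exe", "ctrlpan.dll",
}
KNOWN_CLSIDS = {
    "{00110011-4B0B-44D5-9718-90C88817369B}",  # NavExt.dll BHO
    "{FD9BC004-8331-4457-B830-4759FF704C22}",  # MSIESH.DLL URLSearchHook
    "{587DBF2D-9145-4C9E-92C2-1F953DA73773}",  # iefeatsl BHO
    "{0FA33B6C-71BC-69D3-DB7A-472A4D6F3452}",  # mswsc20.dll URLSearchHook
}
KNOWN_HOSTS = {"search-click.com"}
KNOWN_RUN_NAMES = {"windows control", "svc socks", "systememergency", "control"}

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d)\s*-\s*(?P<body>.+)$")
R_RE = re.compile(r"^(?P<hive>HK\w+)\\(?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<url>\S+)$")
HOOK_RE = re.compile(r"^(?P<kind>URLSearchHook|BHO):\s*(?P<name>.*?)\s*-\s*"
                     r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<path>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
F1_RE = re.compile(r"^win\.ini:\s*run=(?P<cmd>.+)$")
# A path component ending in an extension; stops at backslash, space, quote or
# comma so rundll32 forms like 'rundll32 C:\x\y.dll,Entry' yield y.dll.
FILE_RE = re.compile(r'[^\\/\s",]+\.[A-Za-z0-9]{1,4}(?=[\s",]|$)')
HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.I)


@dataclass
class Finding:
    code: str       # HijackThis section code (R0, R3, O2, O4, F1)
    mechanism: str  # where the entry gets loaded from
    subject: str    # host, CLSID, file or Run value name that matched
    reason: str


def files_in(cmd: str) -> List[str]:
    """Lower-cased file-name tokens in a command line, rundll32 forms included."""
    return [m.group(0).lower() for m in FILE_RE.finditer(cmd)]


def _match_files(code: str, mech: str, cmd: str) -> Optional[Finding]:
    for name in files_in(cmd):
        if name in KNOWN_FILES:
            return Finding(code, mech, name, "known CWS file name")
        if name == "control.exe":
            # Heuristic (my assumption, not stated in the thread): no normal
            # autostart launches the Control Panel binary. The thread notes the
            # variant overwrote C:\WINDOWS\CONTROL.EXE on Win9x; on NT the real
            # one lives in System32.
            return Finding(code, mech, name, "autostart launching control.exe")
    return None


def classify(line: str) -> Optional[Finding]:
    """Parse one HijackThis line; return a Finding if it matches an indicator
    from the thread, else None. Line types not handled here are ignored."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1") and (r := R_RE.match(body)):
        host = HOST_RE.match(r.group("url"))
        if host and host.group(1).lower() in KNOWN_HOSTS:
            mech = f"IE {r.group('value').strip()} ({r.group('hive')})"
            return Finding(code, mech, host.group(1).lower(), "known CWS redirect host")
    elif code in ("R3", "O2") and (h := HOOK_RE.match(body)):
        mech = "URLSearchHook" if h.group("kind") == "URLSearchHook" else "Browser Helper Object"
        clsid = h.group("clsid").upper()
        if clsid in KNOWN_CLSIDS:
            return Finding(code, mech, clsid, "known CWS CLSID")
        return _match_files(code, mech, h.group("path"))
    elif code == "O4" and (o := O4_RE.match(body)):
        mech = f"{o.group('hive')} {o.group('key')} autostart"
        if o.group("name").lower() in KNOWN_RUN_NAMES:
            return Finding(code, mech, o.group("name"), "known CWS Run value name")
        return _match_files(code, mech, o.group("cmd"))
    elif code == "F1" and (f1 := F1_RE.match(body)):
        return _match_files(code, "win.ini run= autostart", f1.group("cmd"))
    return None


def scan(log: str) -> List[Finding]:
    """All findings for a whole HijackThis log, in log order."""
    return [f for f in (classify(line) for line in log.splitlines()) if f]


# Constructed sample: entries quoted in this thread plus two benign lines
# (the example.com start page and ctfmon.exe) that must not be flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search-click.com/?p=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R3 - URLSearchHook: MailTo Class - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\mswsc20.dll
O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINDOWS\NavExt.dll
O4 - HKCU\..\Run: [Windows Control] C:\WINDOWS\CONTROL.EXE
O4 - HKLM\..\RunServices: [SVC Socks] C:\WINDOWS\SYSTEM\mstaskm.exe
O4 - HKLM\..\RunOnce: [tlc] C:\WINDOWS\update911.js
O4- HKLM\..\Run: [Updates] C:\WINNT\system32\msupdate.exe
O4 - HKLM\..\Run: [Control] rundll32.exe C:\WINDOWS\SYSTEM\ctrlpan.dll,Restore ControlPanel
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
F1 - win.ini: run=c:\windows\fonts\{F6783180-AB16-11D5-866D-F1833B88AD64}\Quicker.exe
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.code:2} {f.mechanism:28} {f.subject:45} {f.reason}")
```

The indicator sets are only what this page lists, so the script is a triage aid for logs like the ones quoted here, not a replacement for CWShredder. The file-name matcher deliberately walks every path-looking token, which is what catches the rundll32 and advpack.dll DelNodeRunDLL32 forms where the malicious file is not the first word of the command.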
 