
Hijacked By Cool Web Search & Rightfinder

The primary difference is that the HOSTS file was scanned, removing all but two of the CWS HOSTS entries. Users started reporting that when they went to Google, Yahoo or Altavista to search for something, popups appeared that (most of the time) advertised bogus 'enhanced results'.

CWS.Xplugin Variant 18: CWS.Xplugin - 'Helping' you search the web
Approx date first sighted: November 11, 2003
Log reference: Not visible in HijackThis log!

I am not sure if the ffinder problem is related to the REGSVR32 problem, but they both started on Monday.

That makes at least three top anti-spyware programs that can be run from BartPE and clean both the remote registry and file system, with no possibility of the bad guys loading

Cleverness: 1/10
Manual removal difficulty: Involves a little Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alfa-search.com/home.html
R0 -

Their exact purpose is unknown.

https://forums.techguy.org/threads/hijacked-by-cool-web-search-rightfinder.180824/

Identifying lines in HijackThis log:
Running processes:
C:\Program Files\directx\directx.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
R0 -

To remove this manually, killing the autostarts and removing hp.htm, load.bat and srch.reg from the Windows folder along with resetting the IE homepage/search page is enough. The new log is listed at the end.

Music Engine\ymetray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regmod.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ffinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ffinder.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://icasualties.org/oif/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon]

CWS.Dnsrelay.3: A mutation of this variant exists which uses the filename mswsc10.dll instead, located in C:\Program Files\Common Files\Web Folders. It changed dreplace.dll, so fixing it with either HijackThis or CWShredder will cause your entire system to fail on Windows 98, 98SE and ME! I rebooted again and reran CWS again with the same results.

http://www.pieter-arntz.info/cwschronicles.html

I was reading from the email, and it did not say to reboot.

It also changes the DefaultPrefix, WWW Prefix and a non-functional 'www.' prefix, which makes each URL you type without 'http://' in front of it redirect through ehttp.cc before reaching the correct

This file reinstalled the hijack when run. Luckily these two processes didn't behave like that. Fixing this variant involves resetting all the Registry values changed for IE, editing the autorun values in win.ini and the Registry, and deleting the two files.

The activity log lists mainly three different types of messages:
Blocked incoming ICMP
Blocked incoming UDP
Blocked incoming TCP
I don’t know what all this is, but it goes on constantly.

It also installs a BHO that reinstalls the hijack on reboot. Even though it says it is removed, it finds it again on reboot every time. Thank you!

Approx date first sighted: October 12, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=13497
Symptoms: Redirections to xwebsearch.biz and 213.159.117.233, hijack returning on reboot
Cleverness: 3/10, 10/10 on second version
Manual removal difficulty: Involves

In normal English, this means it reads most of the web pages downloaded to your browser. If you keep it minimal you can boot in 64 meg of RAM, and I've heard tell of someone who got a really stripped down version to boot in 32 meg. The hijack involves AddClass.exe installing the hijack and reinstalling it on reboot.

Since it had two running processes, it looked like the Peper virus, which was very hard to remove. It also redirects any mistyped domains to runsearch.com.
Cleverness: 7/10
Manual removal difficulty: Involves some Registry editing, and reinstalling Windows Media Player
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.idgsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page

The code in the file was encrypted, and spawned a popup off-screen that did the redirecting.

Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdot.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net

IOW, they log everywhere you go. Some of the variants even used methods of hiding and running themselves that had never been used before in any other spyware strains.

CWS.Datanotary Variant 1: CWS.Datanotary - Introduction to Destruction
Approx date first sighted: May 27, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=8661
Symptoms: Massive IE slowdown, especially when typing text into forms
Cleverness: 9/10
Manual

I also downloaded Netscape Navigator to have an alternate browser. Plus, in some of my tests, the combination of HJT and runscanner resulted in slight corruptions and garbage left in the target registry. After scanning the target system Spybot found and fixed the following problems:
HotSearch Bar 15 entries
CoolWWWSearch 3 entries
EffectiveBrandToolbar 1 entry
Here is the log after rebooting back into the

It works invisibly, changing links from Google search results to other pages.

What are the countermeasures? I run an anti-virus scan every Friday.

Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: America Online 8.0

It then lists several things to try.

Variant 15: Mupdate - Turning up everywhere
Approx date first sighted: October 13, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=13613
Symptoms: Homepage changing to searchv.com, redirections to runsearch when mistyping URLs, *.masspass.com in the

It took a while to find out how this variant works, since it doesn't use any of the standard locations. I have a hit at a rate of 2 or 3 per minute.

CWS.Googlems.4: A mutation of this variant exists that hijacks IE to idgsearch.com, 2020search.com and possibly coundnotfind.com. What’s up?

CWS.Oemsyspnp.2: A mutation of this variant exists that uses the filename keymgr3.inf, and the Registry value keymgrldr instead.

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37928.2623726852
O16

Copyright: Dr.

I have 3 questions: 1.

Approx date first sighted: November 1, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=16643
Symptoms: IE pages changed to http://www.idgsearch.com/, hijack reinstalled on reboot and when running Windows Media Player.

Trend Micro More CWS variants, a write-up by Unzy, dvk01 and myself.

The hijack involves AddClass.exe installing the hijack and reinstalling it on reboot. A file xplugin.dll is installed, which creates a new protocol filter for text/html. Though a file determining its actions depending on the filename is very bad programming, it surprised me somewhat because it works so well.

Thank you for all your assistance. Here is the log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:52 AM, on 10/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: