IE hijacked to s1di.d8t.biz (Cool Search)


7 replies to this topic

#1 nikosdimitrakas

Posted 28 June 2004 - 12:09 PM

For the past few days I have been trying to free my IE from this site that has taken over. My default page and search page keep on changing to http://s1di.d8t.biz/...x.php?aid=20038 (the number is different every time). I have read the FAQ and the entire CoolWebSearch Chronicles, I have run Ad-Aware and several antivirus programs (McAfee and RAV AntiVirus), and every time I think that it's over, it comes back. I have cleaned everything several times, rebooted, scanned again, and everything is completely clean according to Ad-Aware and the rest, but then after a random amount of time it all comes back. The site address that I am being forwarded to is not on the list of known addresses for Cool Search, and since CWShredder also says that my system is completely clean, I am starting to think that this may be a new strain!? After having cleaned my system several times, now all the programs say that it is clean, but when I try to search from the address bar I end up at the same annoying site. I have scanned the registry and the URL does not appear anywhere but in the Restricted zone of Internet Explorer (zone 4), where I put it to block it from running JavaScript and who knows what else.
There are no updates at Windows Update that I haven't installed, and I have double-checked with all the antivirus/anti-spyware programs that they are up to date.

I have scanned my system with HijackThis and here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 18:35:31, on 2004-06-28
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mnmsrvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\CloneCD4\CloneCDTray.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Seti3\SETI@home.exe
C:\Program Files\TrueTime\WinSync\WinSync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\cidaemon.exe
C:\eudora\Eudora.exe
T:\Install Files\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {92086BFD-6646-40CB-BD11-57B13A0B47D7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\CloneCD4\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\CloneCD4\CloneCDTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: SETI@home.exe.lnk = C:\Seti3\SETI@home.exe
O4 - Startup: WinSync.exe.lnk = C:\Program Files\TrueTime\WinSync\WinSync.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.dagenstv.com
O15 - Trusted Zone: daisy.dsv.su.se
O15 - Trusted Zone: dis.dsv.su.se
O15 - Trusted Zone: www.eurovision.tv
O15 - Trusted Zone: http://*.imdb.com
O15 - Trusted Zone: www.lovesearch-sverige.com
O15 - Trusted Zone: *.megastar.co.uk
O15 - Trusted Zone: *.nikosdimitrakas.com
O15 - Trusted Zone: http://*.webhallen.com
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at0_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.game...ts/y/cct0_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://ravantivirus....n/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft...nloads/outc.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...370/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FE0C1F7-3601-42FF-922E-C92021691D35}: NameServer = 130.237.161.5,212.112.166.18


Some things in this log that are suspicious to me are the following (they may of course be harmless system stuff):
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O9 - Extra button: Research (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

I appreciate any help and any ideas of how to take back my computer. If there is any other information that is useful to understanding and hopefully solving the problem, just ask!

Regards
/nikos
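The log above is the raw material for every reply in this thread, so here is a small triage script for it. It is an added example, not part of the original post and not part of HijackThis: it parses the `Onn - ...` lines and applies a few conservative review rules (a BHO whose file is missing, an O4 entry with a bare executable name that Windows resolves by search order, every Trusted Zone host, and any O17 NameServer outside an allowlist the operator supplies). The sample lines are copied from the posted log; the DNS allowlist is an assumption for the demo, not a statement about those servers, and a hit is a reason to look closer, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample: a subset of the O-lines from the HijackThis 1.97.7 log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {92086BFD-6646-40CB-BD11-57B13A0B47D7} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\CloneCD4\CloneCDTray.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O15 - Trusted Zone: *.dagenstv.com
O15 - Trusted Zone: http://*.imdb.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FE0C1F7-3601-42FF-922E-C92021691D35}: NameServer = 130.237.161.5,212.112.166.18
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = com,org,se,nu,net
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Entry:
    section: str  # HijackThis section id, e.g. "O2"
    body: str     # everything after "Onn - "


def parse_log(text: str) -> List[Entry]:
    """Keep only the Onn lines; headers and the 'Running processes' block are ignored."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def triage(entries: List[Entry], dns_allowlist: Set[str]) -> List[Tuple[str, str]]:
    """Return (section, note) pairs for a human to review. Most hits are benign;
    the point is to shorten the list a reviewer has to read by hand."""
    findings = []
    for e in entries:
        if e.section == "O2" and e.body.endswith("(no file)"):
            m = CLSID_RE.search(e.body)
            clsid = m.group(0) if m else "?"
            findings.append(("O2", f"BHO {clsid} is registered but its file is missing (orphan)"))
        elif e.section == "O4" and "] " in e.body:
            cmd = e.body.split("] ", 1)[1]
            exe = cmd.split(" ", 1)[0]
            if not cmd.startswith('"') and "\\" not in exe:
                # Bare name: CreateProcess resolves it by search order, so confirm
                # which file on disk actually runs under that name.
                findings.append(("O4", f"{exe} has no path; confirm which file runs"))
        elif e.section == "O15":
            host = e.body.split("Trusted Zone: ", 1)[1]
            findings.append(("O15", f"{host} gets Trusted-sites settings; drop unless needed"))
        elif e.section == "O17" and "NameServer" in e.body:
            for server in e.body.split("=", 1)[1].split(","):
                server = server.strip()
                if server not in dns_allowlist:
                    findings.append(("O17", f"DNS server {server} is not in the allowlist"))
    return findings


if __name__ == "__main__":
    # Demo allowlist (assumption): the two servers from the posted log are expected.
    for section, note in triage(parse_log(SAMPLE_LOG), {"130.237.161.5", "212.112.166.18"}):
        print(section, note)
```

The O17 rule is the one worth keeping around: a hijacker that swaps the resolver can redirect every search regardless of what the start-page keys say, and the allowlist is what makes an unexpected server stand out.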

#2 nikosdimitrakas

Posted 29 June 2004 - 01:20 AM

OK, so I left my computer in the state described previously and went to bed, only to find it totally hijacked in the morning. I didn't even log off or anything, and according to Ad-Aware and the rest, there was nothing active. When I saw that it had been taken over again, I ran Ad-Aware again, which identified 8 registry keys and a couple of files as belonging to CoolWebSearch. I asked it to remove them and it said it did all but one DLL, which would be removed on next startup. I rebooted and Ad-Aware ran its scan again, only to find the 8 registry keys back in the registry. Removed them again and rebooted again. Now Ad-Aware says once again that the system is clean, but my browser has a different opinion. The Cool Search site is still in control. CWShredder can find nothing, and neither can the antivirus programs. I even ran this Panda ActiveScan that someone recommended in another thread, but it also says I'm clean.

I don't think anything essential has changed, but here is a new log from HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 08:18:00, on 2004-06-29
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mnmsrvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\CloneCD4\CloneCDTray.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Seti3\SETI@home.exe
C:\Program Files\TrueTime\WinSync\WinSync.exe
C:\WINNT\System32\cidaemon.exe
T:\Install Files\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {92086BFD-6646-40CB-BD11-57B13A0B47D7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\CloneCD4\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\CloneCD4\CloneCDTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: SETI@home.exe.lnk = C:\Seti3\SETI@home.exe
O4 - Startup: WinSync.exe.lnk = C:\Program Files\TrueTime\WinSync\WinSync.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.dagenstv.com
O15 - Trusted Zone: daisy.dsv.su.se
O15 - Trusted Zone: dis.dsv.su.se
O15 - Trusted Zone: www.eurovision.tv
O15 - Trusted Zone: http://*.imdb.com
O15 - Trusted Zone: www.lovesearch-sverige.com
O15 - Trusted Zone: *.megastar.co.uk
O15 - Trusted Zone: *.nikosdimitrakas.com
O15 - Trusted Zone: http://*.webhallen.com
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at0_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.game...ts/y/cct0_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://ravantivirus....n/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft...nloads/outc.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...370/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FE0C1F7-3601-42FF-922E-C92021691D35}: NameServer = 130.237.161.5,212.112.166.18
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = com,org,se,nu,net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = com,org,se,nu,net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = com,org,se,nu,net

#3 nikosdimitrakas

Posted 30 June 2004 - 05:47 AM

Once again it is back, but this time I decided not to run Ad-Aware first and to run CWShredder first. This gave me some extra feedback that may be useful. CWShredder identified and removed (temporarily anyway) the version called CWS.Searchx. After removing it I rebooted immediately and then ran CWShredder again, only to find that CWS.Searchx was back. So this seems to me like there is a new variant that disguises itself as CWS.Searchx.

/nikos

#4 Harshaw

Posted 02 July 2004 - 04:36 AM

I had the same problem, and after about 5 days it's finally solved. It looks like the about:blank thing. Take a look at this http://www.spywarein...topic=10746&hl=
There's a solution for Windows 98.

Some tips that I think may be useful to you:

In Win 2K we can't use MS-DOS, but you can boot in safe mode with networking and rename the file from another computer.
I found this DLL through the network because it has the same date as notepad.tmp, and it's invisible on the infected machine even with Windows Explorer configured to show hidden and system files.
If you can use another machine to rename it, try using Knoppix or some Linux live CD with captive-ntfs support to write NTFS.
After the name change you'll be able to see it in Windows Explorer and use something like MoveOnBoot ( http://www.gibinsoft...bin/moveonb.exe ) to move it.

I will be happy to help you if you need, but I will be out until Monday, and as you can see I don't write English very well, hehehe.

good luck.
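Harshaw's trick above, finding the DLL because its timestamp matches notepad.tmp while the file itself is hidden from Explorer on the infected box, generalises to a simple offline check. The script below is an added example, not part of his post or of any tool named in the thread: it walks a directory tree and lists every file whose modification time lies within a window of a reference file's. The `WINNT\system32` tree, the file names (`xyzw.dll` as the suspect) and the timestamps are all constructed for the demo. Two caveats the post implies but does not spell out: run it against the disk mounted from a clean system (a live CD, or another machine over the network), because whatever hides the file from Explorer can hide it from this script too, and treat timestamps as a lead only, since they are trivial to forge.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Tuple


def files_modified_near(reference: Path, root: Path, window_seconds: int = 120) -> List[Tuple[Path, float]]:
    """Return (path, seconds_from_reference) for every regular file under root whose
    mtime is within window_seconds of the reference file's mtime, nearest first.
    os.walk does not honour hidden/system attributes, so it lists everything the
    mounted filesystem exposes to the OS doing the walk."""
    ref = reference.resolve()
    ref_mtime = ref.stat().st_mtime
    hits: List[Tuple[Path, float]] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                st = p.stat()
            except OSError:
                continue  # unreadable or vanished; not fatal for a triage sweep
            if p.resolve() == ref:
                continue
            delta = st.st_mtime - ref_mtime
            if abs(delta) <= window_seconds:
                hits.append((p, delta))
    hits.sort(key=lambda h: abs(h[1]))
    return hits


def build_demo_tree(base: Path) -> Path:
    """Constructed fake system32: a reference notepad.tmp, one file written moments
    later (the suspect), and two older files that must not match."""
    sys32 = base / "WINNT" / "system32"
    sys32.mkdir(parents=True)
    t0 = 1088000000  # constructed epoch, late June 2004
    files = {
        "notepad.tmp": t0,
        "xyzw.dll": t0 + 5,               # constructed suspect, same moment as reference
        "kernel32.dll": t0 - 86400 * 400,  # old system file
        "oldhelper.dll": t0 - 86400 * 60,  # installed two months earlier
    }
    for name, mtime in files.items():
        f = sys32 / name
        f.write_bytes(b"x")
        os.utime(f, (mtime, mtime))
    return sys32


def run_demo() -> List[str]:
    """Build the constructed tree in a temp dir and return the matching file names."""
    with tempfile.TemporaryDirectory() as d:
        sys32 = build_demo_tree(Path(d))
        hits = files_modified_near(sys32 / "notepad.tmp", sys32, window_seconds=120)
        return [p.name for p, _ in hits]


if __name__ == "__main__":
    print(run_demo())
```

On a real mounted disk, point `files_modified_near` at the mount point rather than one directory; the variant discussed in the thread keeps its pieces in more than one place, and the reference file's timestamp is the only thing tying them together.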

#5 nikosdimitrakas

Posted 02 July 2004 - 05:02 AM

I read through the instructions in the above topic, but I cannot identify the DLL in the system information. Actually, a DLL is detected by Ad-Aware and it is removed (the same happens with CWShredder), but the thing comes back. There are no DLLs that are recent enough. There is one from the beginning of May and the rest are from April. The one from May is from WinRAR, which I installed, so it can't be that one. Plus, the problem first showed up in June, around the 25th.

If you have some other suggestion, please help!

#6 rschoenrank

Posted 02 July 2004 - 09:58 PM

You have a new version of CWS that installs a new service in the Control Panel that starts running when you start the computer. From the list of running processes, I believe the process that is causing you problems is:

C:\WINNT\system32\nvsvc32.exe

This is the file that is executed by the service in the Control Panel. On my Control Panel it was called

Network Security Services

It ran automatically. It places a virus in the RunOnce section of the registry. This ensures that Ad-Aware can't get rid of it.

#7 nikosdimitrakas

Posted 02 July 2004 - 10:05 PM

According to what I can see, this is just part of the NVIDIA driver for my graphics adapter.

#8 nikosdimitrakas

Posted 03 July 2004 - 06:58 PM

The good people at Lavasoft (Ad-Aware) have now helped me out and I believe that the problem is solved. If you have the same problem and want to see how we managed it, take a look at my topic on Lavasoft's forum: http://www.lavasofts...showtopic=34772

It's still only been a few hours, but I am quite convinced that I'm clean of that nasty CWS!



