Search42.com Popup
21 replies to this topic

#1 mark_y


Posted 26 April 2005 - 02:19 PM

Hi guys,

A couple days ago, I noticed that when my wife turns the ad blocker off, sometimes we get popups for Search42.com when she runs searches on Google. I noticed today a mysterious EXE files (1.exe) in my root directory, with a creation date that somewhat jibes with the Search42.com referral. Ad-Aware found no spyware, Hijackthis showed me nothing suspicious. I deleted 1.exe and it hasn't come back. Before deleting it, I ran Housecall on it and it came up clean.

A Google search for Search42.com turned up very little -- one mention on a random forum of a similar redirect problem, but nothing else. The site seems to be registered to TUCOWS (according to Internic), which I guess argues in favor of fairly benign spyware if that's what it is.

The symptoms are so mild that I'm hesitant to do anything extraordinary, but I hate the thought of crap on my system. Advice?

#2 macdan88


Posted 28 April 2005 - 01:57 PM

Hi Mark_y,

I have been experiencing this search42 popup for several days. After reading your post, I browsed to my root directory and just as I saw that I also had 1.exe listed, Symantec realtime protection popped up and quarantined it. It was identified as "download.trojan". My virus definition file is version 2005/04/27 rev 8. Here is a link to the write-up on download.trojan: download.trojan

Personal Opinion: Symantec's download.trojan is a VERY general and unspecific virus definition that is very vague about its properties. For this reason, I think that Symantec may not recognize Search42 yet and by its heuristics is putting it into the category "download.trojan". Information will emerge in the days to come that will be far more specific. The only question is: Is it a virus or spyware?

For the moment, you can choose to follow Symantec's instructions, or simply delete 1.exe as you have done. Has it shown up again, Mark?

#3 jnevius


Posted 29 April 2005 - 06:57 AM

I am having the same problem. (It not only launches the Search42 window when I do a Google Search, but if I search for terms such as "anti virus" it launches a separate window with an ad.)

Panda Antivirus and Ad-Aware find nothing on the system, and when I checked I couldn't find 1.exe on my root directory. BUT, I am a bit of a newbie when it comes to these things, so maybe I'm not looking for 1.exe the right way.

Any thoughts would be kindly appreciated.

-James

#4 singularity


Posted 29 April 2005 - 01:22 PM

I had this problem too. I'm running XPSP2, Zone Alarm, and AVG. For a few days, AVG didn't recognize this as a virus. I deleted the 1.exe file, and I still had the search42.com site coming up. AVG began recognizing the virus and reporting that it cleaned/healed the problem files, but the search42 crap continued to pop up. Trend Micro's online virus scan wasn't fixing anything. Updated definitions from Spybot and Microsoft Antispyware weren't catching it either. I turned off system restore, rescanned (nothing found), and uninstalled/reinstalled the Google toolbar program, and finally my system seems to be fixed. :D

#5 jami


Posted 29 April 2005 - 01:36 PM

Hey! I had (past tense!) search42 popups, slowing up the works. It showed up in hijackthis as c:\windows\config\wfcps.dll, and there were various tmp and ini files in the same directory. Symantec found it, called trojan.vundo.b, but couldn't delete it.

The general things recommended here (Spybot, AdAware and virus software) didn't work to get rid of it. Don't waste a day like I did.

Norton's got it figured out here:
http://www.symantec....an.vundo.b.html

I wouldn't waste your time on the virus scanning. Just disable system backup and do regedit. Now, I can't emphasize enough NOT to edit your registry (regedit) if you are in any way stupid. If you have any trouble with directions, just shut off your computer and wait until all the virus software can do this for you. But if you're smart and need your computer more than water, this regedit works like a charm.

#6 jnevius


Posted 29 April 2005 - 06:24 PM

[quote name='jami' date='Apr 29 2005, 02:36 PM']
Norton's got it figured out here:
http://www.symantec....an.vundo.b.html
[/quote]

Jami -

I went to Norton's site and was prepared to do the RegEdit deletions, but was stymied at step 1:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[Trojan file name]

When I follow the tree out to that branch, I see nothing in the "Notify" folder that has anything to do with Trojan.Vundo.B.

Any thoughts as to what I might be missing?

-James

#7 DrSpottyFish


Posted 29 April 2005 - 08:25 PM

I've had the same problem with Search42 popups!

I went to the Norton URL, but when I clicked on the link to download the fix, it told me the page I was looking for didn't exist.....any other ideas? I'm anxious to get rid of this thing!!

:scratchhead:

#8 mark_y


Posted 30 April 2005 - 11:19 AM

I wound up just running the Symantec removal software. I also sent an irate and threatening email to InnovativeMarketing, the company that runs Search42.com, asking them to explain why I should believe they weren't behind the trojan and warning that I intend to contact US authorities. Maybe the Eliot Spitzer business has put the fear of God into them. Hopefully my @law.harvard.edu can borrow a bit of that thunder.

I still wonder how I got infected.

#9 swexan


Posted 30 April 2005 - 06:07 PM

I tried to run the trojan.vundo.b removal tool also. It ran but said there was one file it could not remove until reboot. This file is msvcun.dll and is located in winnt\inf. After reboot it was still unable to remove it because it is "in use by another program". I am pulling my hair out - what's left of it - trying to get rid of this dll file. Any suggestions would really be appreciated.

#10 DrSpottyFish


Posted 30 April 2005 - 06:11 PM

I was finally able to download the correct file at the Symantec website. I ran it, but it said I didn't have the virus on my computer?

#11 macdan88


Posted 02 May 2005 - 01:52 PM

Hi all,

For you "Vundo" people, XP + ME users must disable system restore, then go into safe mode, then run the removal tool. Reboot and run it again (still safe mode!) until it finds no file. Then you are clean. Instructions on how to do all of this can be found by following the Symantec link posted by Jami.

QUESTION FOR ALL: Does everyone experiencing the Search42 popup have the google toolbar installed? Singularity might be on to something here. I don't think search42 and Vundo are related.

macdan

#12 swexan


Posted 03 May 2005 - 10:26 PM

I have run the removal tool in safe mode to no avail. The offending file identified by norton - msvcun.dll - gets loaded too early in the boot process to be cleaned out in safe mode. It is associated with the explorer.exe process and is possibly threaded somewhere else. I have tried all the file removal tools mentioned here for removing locked files. They also try to remove it on boot-up but fail every time.

I am in agreement that the search42 may not be associated with this vundo trojan I am trying to get rid of. I am also still hoping for an answer before giving up and wiping the machine. :techsupport:

Thanks for the input so far - any more ideas will be appreciated.

G

#13 Dizzee


Posted 04 May 2005 - 07:05 AM

Would like to know more about this spy/ad-ware-virus thingy..
Anyway, try here:
http://www.help2go.com/forum5.html
Also feel free to post their admin/sales whatever addresses to me and I'll 'contribute' them to every junk-mail, spam, hoax mailer I can.

#14 racooper


Posted 05 May 2005 - 06:56 AM

For those of you who have Vundo and can't get rid of it, please post a HijackThis log in the Malware Removal forum. SWI Helpers have a routine that can clean this problem manually, but we need to see a log file first to find the right files/registry entries to remove.

Please download 'Hijack This!' from http://www.spywarein.../HijackThis.exe.
Save it in a convenient permanent folder such as C:\HJT\, and double click HijackThis.exe.
Next, click the button "Do a system scan and save a logfile".
Press "Save" in the file dialog that comes up, save the log, Ctrl-A to Select All, and copy its contents to a new post in Malware Removal. Most of what it lists will be harmless or even essential, don't fix anything yet.

#15 cnm


Posted 05 May 2005 - 09:06 AM

Follow racooper's advice, and each post your own topic.
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE

#16 nor3aga


Posted 06 May 2005 - 08:32 PM

[quote name='cnm']
Follow racooper's advice, and each post your own topic.
[/quote]

I JUST fixed this. I did a search on hijackthis, and I normally only have two BHOs (Google's toolbar, and spybot) but I saw a new one, and deleted it. I think it had the name inform or notify or something in it, but the popup IS caused by a BHO which IS picked up by Hijackthis.

#17 nor3aga


Posted 07 May 2005 - 10:41 AM

Another thing: 'MSE event' as a BHO in Hijackthis is an ad program.

#18 coolsmurf


Posted 10 May 2005 - 07:10 PM

I uninstalled Google toolbar and then proceeded to use the removal tool from Symantec; the following are the results:

Symantec Trojan.Vundo.B Removal Tool 1.0.0
process: winlogon.exe, thread: 0000031C (terminated)
process: winlogon.exe, thread: 000003F8 (terminated)
process: winlogon.exe, thread: 000003FC (terminated)
process: explorer.exe, thread: 00000408 (terminated)
process: explorer.exe, thread: 00000424 (terminated)
process: explorer.exe, thread: 00000428 (terminated)
process: explorer.exe, thread: 0000042C (terminated)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\odbcdos (key deleted)


registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} (key deleted)
registry: HKEY_CLASSES_ROOT\MSEvents.MSEvents (key deleted)
registry: HKEY_CLASSES_ROOT\MSEvents.MSEvents.1 (key deleted)

C:\WINDOWS\sodcbdo.ini: (deleted)
C:\WINDOWS\odbcdos.dll: (will be deleted on next reboot)
The Trojan.Vundo.B removal was successful.
The system will delete 1 Trojan.Vundo.B files from your PC on next reboot.

Here is the report:

1 file(s) could not be deleted.
They will be deleted on next reboot.

The total number of the scanned files: 85175
The number of deleted threat files: 1
The number of threat processes terminated: 0
The number of registry entries fixed: 4

The tool initiated a system reboot.

What the spyware does is that it opens several instances of explorer when you open up My Computer and Explorer... How I got this spyware I don't know; might it be related to Google toolbar?

#19 cnm


Posted 11 May 2005 - 02:07 PM

It wouldn't be related to the very useful Google toolbar. The only possible objection to Google toolbar is that if the Advanced features are enabled, your surfing will be tracked.

You were evidently inflicted with the MSevents BHO pest.

#20 skeddan


Posted 11 May 2005 - 04:57 PM

Just removed this adware generator - a very pernicious pop-up generator that isn't recognised by Spybot, Spyware Doctor, Pest Patrol or the Microsoft Anti-Spyware tool. Annoyed the hell out of me for a few days.

Symptoms : Redirections of Web Sites and missing ad-related HTML content.

Similar symptoms to the older "Virtumonde" variants, but Symantec's Virtumonde removal tool won't find any infection.

Websites will be automatically redirected, based on URL and on content. Some typical ones :

MSN Search (www.msnsearch.com) is popped up with Search42.com
Symantec (www.symantec.com) is popped up with www.winantivirus.com
Travel sites such as Expedia are popped up with one.vipfares.com

This is pretty annoying & I've heard of people who've been fooled into buying the winantivirus product instead of Symantec's, since the pop-up window takes focus.

The spyware seems to modify the system's HOSTS file to add entries for common pop-up providers in a similar way to Spybot. For example, the MSN home page may be missing adverts & displaying a "page not found" message instead.

PINGing view.atdmt.com (Microsoft Ad Server) reported the IP address as 127.0.0.1 - the loopback address of the local PC

Diagnostics : In Internet Explorer, click on the Tools menu, Manage Add-ons

This particular variant seems to generate an Add-on called MSEvents (or similar) pointing to a DLL file in C:\WINDOWS\CONFIG - my instance was pointing at CATBIN.DLL, but naming may be dynamic.

The Add-on can't be deleted by the Explorer tool in Microsoft Anti-Spyware & registry entries will be regenerated at boot time.

The DLL can't be removed when Windows is started & even in Safe Mode, Command Prompt, the DLL is active.

I removed it by :

1) Booting from the Windows XP CD, selecting recovery console & logging on to my instance of XP

2) CD C:\WINDOWS\CONFIG

3) Checking what's in here - there may be a load of TMP, INF, INF1 and INF2 files along with a .DLL file with the name listed with the MSEvents object.

4) Changing the DLL file's attributes so that the DEL command could find it :

ATTRIB catbin.dll -H

(replace the catbin.dll line with whatever DLL is being referred to by the MSEvents object)

DEL CATBIN.DLL

Then deleting all the TMP, INF, INF1, INF2 files individually (the recovery console's DEL command doesn't accept wildcards).

5) Restarting the system & using REGEDIT to remove any registry classes/entries referring to the rogue DLL. I used Microsoft Anti-Spyware's Explorer tool to remove the Browser Helper Object for the rogue MSEvents object.

6) Removed the rogue entries in C:\Windows\System32\drivers\etc\hosts which pointed to 127.0.0.1

Please be careful if you're going to follow the procedure above - I don't recommend you try it unless you know what you're doing.
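Added example, not code from the thread, from HijackThis or from Symantec: a small triage script for the HijackThis log racooper asks for above, flagging the three indicators skeddan's post and coolsmurf's removal report converge on: a BHO named MSEvents or loaded from %WINDIR%\CONFIG (O2 lines), a Winlogon Notify DLL outside system32 (O20 lines), and HOSTS entries that send real domains to 127.0.0.1 (O1 lines). The sample log is constructed, the O-line layout is assumed from HijackThis's usual output, and the heuristics are assumptions for review, not a detection signature.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis's "O<n> - ..." line style (not a real log
# from the thread). The MSEvents name, its CLSID and the odbcdos entry are the
# ones posters reported; the Google Toolbar CLSID is a made-up placeholder.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 view.atdmt.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: Google Toolbar Helper - {00000000-0000-0000-0000-000000000001} - c:\\program files\\google\\googletoolbar1.dll
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\\WINDOWS\\config\\catbin.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: odbcdos - C:\\WINDOWS\\odbcdos.dll
"""

O1 = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O2 = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O20 = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")


def _parent(path):
    """Lower-cased name of the directory that holds a Windows path."""
    return PureWindowsPath(path).parent.name.lower()


def triage(log_text):
    """Return (line, reason) pairs for entries that match the Vundo/MSEvents
    pattern the thread describes. The checks are assumptions, not a signature."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O1.match(line):
            ip, host = m.groups()
            # Domains forced to loopback lose their content ("page not found"
            # on ad slots) and can also hide security vendors' sites.
            if ip in ("127.0.0.1", "0.0.0.0") and host.lower() != "localhost":
                findings.append((line, f"HOSTS maps {host} to loopback"))
        elif m := O2.match(line):
            name, clsid, path = m.groups()
            if "msevents" in name.lower():
                findings.append((line, f"BHO named MSEvents ({clsid})"))
            elif _parent(path) == "config":
                findings.append((line, "BHO DLL loaded from %WINDIR%\\CONFIG"))
        elif m := O20.match(line):
            name, path = m.groups()
            # Assumption: genuine Notify packages are listed by bare file name
            # and live in system32; a full path elsewhere (C:\WINDOWS\odbcdos.dll
            # in coolsmurf's report) deserves a look.
            if "\\" in path and _parent(path) != "system32":
                findings.append((line, f"Winlogon Notify '{name}' outside system32"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```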

#21 Claudius


Posted 17 May 2005 - 09:54 PM

Hey guys!....just new to this forum!....cuz you helped me fix my prob. :thumbsup:

I was having CPU usage spikes every 10 sec. It was slowing my web surfing and making me lag for about half a sec every 10 sec. while I was playing Counter-Strike.
and else..... :blush:

AVG anti-virus, AD-AWARE_SE, Microsoft anti-spyware, Spybot Search and Destroy......found nothin'!!!!!!!!!.....only HIJACK-THIS showed them, but I didn't know yet they were harmful. :evilgrin:

I got here cuz I made a Google search about ''search42'' popups I was having!
and I recognized some stuff that ''coolsmurf'' had with Vundo.B that I saw in HIJACK THIS. :gasp:

So I ran that Norton utility about Vundo.B and it fixed my problem. :thumbsup:

This one is very bad for your comp speed. You might have it and you don't know!
Get the Norton utility and scan your comp, it's worth the try! :cool:

Thx to all! :wub:

#22 princead


Posted 03 June 2005 - 11:26 PM

I had this problem - the fix on the help2go site worked for me. Took quite a while though.



