perculier kinda hijack


john smith

lookout express stopped responding on 1st execution monday or tuesday, i ran
it again and it worked fine, i checked the dll's it was using in process
explorer and found a random named one in system32 created during the night,
installed as a browser helper object..

renamed it, deleted reg key.. all was fine, but the dll was back the next
day, with a new random name, appeared overnight again while pc was on and i
was sleeping

repeat until today :-) ran filemon , monitoring writes, for around 6hrs, and
caught the culprit! ypager.exe (yahoo messenger 5.6.0.1358) wrote some stuff
in temporary internet files, spacer[1].gif, m[1].bin (which it deleted after
writing random named dll) and sp.html in the local settings temp folder

ad-aware reports it as coolwebsearch, trend housecall as troj_strtpage.ix

but yahoo shouldnt have installed it, its supposed to come from malicious
websites ??

its installed every night between 1-4am while i wasnt using pc (and idle on
yahoo messenger), and today 930am (while not idle but not using it (but it
was running :-) while i was monitoring file i/o ..

is something exploiting yahoo messenger or have i had the wool pulled over
my eyes? :-/
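The Filemon sequence described in the post (a process writes into the IE cache, then drops a .dll into system32 and deletes the cache file) can be flagged automatically from a saved log. This is an added example, not code from the thread; the log lines, the process names and the path layout are constructed, and the pipe-separated field order is an assumption about how the log was exported.

```python
"""Flag a process that writes into the IE cache and, shortly afterwards, drops a
.dll into system32. Added example, not from the thread; all log data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

CACHE_DIR = r"C:\Documents and Settings\john\Local Settings\Temporary Internet Files\Content.IE5\A1B2C3D4"
SYSTEM32 = r"C:\WINDOWS\system32"
# Constructed, pipe-separated Filemon-style lines: seq | time | process:pid | request | path | result.
SAMPLE_LOG = [
    rf"101 | 09:30:01 | ypager.exe:1520 | WRITE | {CACHE_DIR}\spacer[1].gif | SUCCESS",
    rf"102 | 09:30:02 | ypager.exe:1520 | WRITE | {CACHE_DIR}\m[1].bin | SUCCESS",
    rf"103 | 09:30:03 | ypager.exe:1520 | CREATE | {SYSTEM32}\kdfhs.dll | SUCCESS",
    rf"104 | 09:30:03 | ypager.exe:1520 | WRITE | {SYSTEM32}\kdfhs.dll | SUCCESS",
    rf"105 | 09:30:04 | ypager.exe:1520 | DELETE | {CACHE_DIR}\m[1].bin | SUCCESS",
    r"106 | 09:30:05 | notepad.exe:2000 | WRITE | C:\Documents and Settings\john\notes.txt | SUCCESS",
    rf"107 | 09:31:10 | setup.exe:2100 | WRITE | {SYSTEM32}\msvcr71.dll | SUCCESS",
]
WINDOW = timedelta(seconds=30)  # how long after a cache write a system32 drop still counts


def parse(line):
    """Split one log line into (time, process, request, path, result)."""
    seq, ts, proc, op, path, result = (f.strip() for f in line.split(" | "))
    return datetime.strptime(ts, "%H:%M:%S"), proc, op.upper(), path, result.upper()


def find_drops(lines, window=WINDOW):
    """Return (process, cache file, dropped dll, cache file later deleted) tuples."""
    cache_writes = defaultdict(list)  # process -> [(time, path written into the IE cache)]
    deleted = set()                   # (process, path) pairs the process removed afterwards
    hits = {}                         # insertion-ordered; CREATE followed by WRITE collapses to one hit
    for t, proc, op, path, result in map(parse, lines):
        if result != "SUCCESS":
            continue
        low = path.lower()
        if op == "DELETE":
            deleted.add((proc, path))
        elif op == "WRITE" and "temporary internet files" in low:
            cache_writes[proc].append((t, path))
        elif op in ("WRITE", "CREATE") and low.startswith(SYSTEM32.lower()) and low.endswith(".dll"):
            # Same process wrote into the cache within the window: that is the drop pattern.
            for t0, cache_path in cache_writes[proc]:
                if timedelta(0) <= t - t0 <= window:
                    hits[(proc, cache_path, path)] = None
    return [(p, c, d, (p, c) in deleted) for p, c, d in hits]


if __name__ == "__main__":
    for proc, cache_path, dll, gone in find_drops(SAMPLE_LOG):
        print(f"{proc} wrote {cache_path} then dropped {dll}" + (" (cache file deleted after)" if gone else ""))
```

A legitimate installer writing a .dll into system32 without a preceding cache write (setup.exe above) is not reported, so the pattern is the cache-to-system32 sequence, not the dll write alone.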
 
Coolwebsearch is a bloody nuisance! It seems to get into a lot of computers
and one of the things it does is to hijack homepages to about:blank. You may
well find that you've got a folder in your folder list that you don't
recognise (I can't remember its name) and which contains everything to put
the hijacker back again when you've deleted it.

Rob graham
 
"john smith" <[email protected]> squirted these wordjisms deep
inside the bumtube of the newstwat in
lookout express stopped responding on 1st execution monday or tuesday,
i ran it again and it worked fine, i checked the dll's it was using in
process explorer and found a random named one in system32 created
during the night, installed as a browser helper object..

renamed it, deleted reg key.. all was fine, but the dll was back the
next day, with a new random name, appeared overnight again while pc
was on and i was sleeping

repeat until today :-) ran filemon , monitoring writes, for around
6hrs, and caught the culprit! ypager.exe (yahoo messenger 5.6.0.1358)
wrote some stuff in temporary internet files, spacer[1].gif, m[1].bin
(which it deleted after writing random named dll) and sp.html in the
local settings temp folder

ad-aware reports it as coolwebsearch, trend housecall as
troj_strtpage.ix

but yahoo shouldnt have installed it, its supposed to come from
malicious websites ??

its installed every night between 1-4am while i wasnt using pc (and
idle on yahoo messenger), and today 930am (while not idle but not
using it (but it was running :-) while i was monitoring file i/o ..

is something exploiting yahoo messenger or have i had the wool pulled
over my eyes? :-/

Download, install and run CWShredder.

Then download, install and run Spybot S&D, and use the immunise feature
and choose to 'block all bad pages silently'.

Also download, install and run Spywareblaster, and turn on all
protection.

If you remember to keep these applications updated regularly with the
latest signatures, you should not be infected.

These apps, plus AdAware, an anti-trojan application like The Cleaner,
and obviously a good firewall and anti-virus program will make your
computing safer and less frustrating. It will certainly save you manually
trawling through lists on Process Explorer and the like to catch a rogue
dll and deleting it, which is usually only a temporary fix because this
sort of shite is generally coded to thwart the sort of solution you
tried.

--
David Qunt
 
my systems clean!

if it does, another program to try is about:blank

a computer I was fixing had ypager as well and I took it off. but i didnt
look for the other files you mentioned. there is still something on it...
a dialup trojan I think that I cant find.
 
these kinda things are easy to spot, and remove, usually.. (when im really
bored i go hunting with unpatched internet exploder to all sorts of dodgy
sites :p ) (and i win the fight against them!) whats perplexing is its
apparent integration/exploitation into/of yahoo messenger, i keep a close
eye on my pc.. i have no rogue processes installed or running, and no other
browser helper objects injected into explorer, or loaded by shelldelayload,
or dodgy new services.. since i witnessed it being installed by ypager.exe
today, i tried two online virus scans (McAfee and trend(and ad-aware)) to
check ypagers integrity, and i scanned the dll i quarantined to get an ID
for it

my systems clean!

i have a good firewall built into my router, cept for the odd ports i
forwarded (i cant survive on http alone) .. and my isp blocks all the fun
ports on my behalf :(

waiting for it to appear again with regmon/filemon monitoring & ethereal
capturing all network data, to try and figure it all out.. (might be 6-18hrs
waiting, or it might never appear again)

i dont mind in the slightest bit being infected when i got monitoring sw
running, and i go hunting for rogue websites, or run sth i got emailed,
but, this being infected while im asleep, in the middle of the night, not
physically using my pc, not clicking links or checking email, no microsoft
port vulnerabilities being exploited as all those are blocked by isp and
router (netbios, lsass, rpc dcom, upnp, whatever else`)
These apps, plus AdAware, an anti-trojan application like The Cleaner,
and obviously a good firewall and anti-virus program will make your
computing safer and less frustrating. It will certainly save you manually
trawling through lists on Process Explorer and the like to catch a rogue
dll and deleting it, which is usually only a temporary fix because this
sort of shite is generally coded to thwart the sort of solution you
tried.

been on the net 6yrs, its been fun, never frustrating, without any
av/malware/trojan software ever needed (until today when i saw ypager was
infecting me with cws), just need to figure this one out, or quit using
yahoo 5.x , its either an exploit in yahoo, or my yahoo's been 0wned and
online scans dont detect, or, only time will tell


you can run, but you cant hide :d (add some fake echo on that)
 
if it does, another program to try is about:blank

a computer I was fixing had ypager as well and I took it off. but i didnt
look for the other files you mentioned. there is still something on it...
a dialup trojan I think that I cant find.

Try the Escan AV Toolkit Utility from my web site.


Art
http://www.epix.net/~artnpeg
 
john said:
been on the net 6yrs, its been fun, never frustrating, without any
av/malware/trojan software ever needed (until today when i saw ypager was
infecting me with cws), just need to figure this one out, or quit using
yahoo 5.x , its either an exploit in yahoo, or my yahoo's been 0wned and
online scans dont detect, or, only time will tell

Things that help are patching, GAIM, and SPI firewall.

michael
 
Try the Escan AV Toolkit Utility from my web site.

Thanks I will try this next time Im in front of that computer.

On another AV related note, Im rapidly losing faith in NAV. Ive used it for
several years and thought it worked well. But now I think it had more to do
with me following safe computer practices. I sent a trojan I got to
symantec on monday because their product didnt pick it up. On tuesday they
sent an autoresponse back identifying it and that it would be included in
the daily updates. I kept the file (renamed extension so it wouldnt
execute) to see how long it would take for NAV to catch up and find it. It
still doesnt. Yet this morning the online bitdefender scan did. If it
werent for these free online scans I think I would dump symantec today and
get something else. At least these free ones will afford me some time to
get opinions on what the best is.

bitdefender identified it as 'Backdoor.SDBot.JT' btw
 
i tried escan with the updates detected a startpage.mf in some java file,
not the culprit, i tried cwshredder, found cws.searchx and removed (no
details about it, what it removed or where it was removed from) (those two
wernt working anyway )

was monitoring my pc whole weekend 36hrs worth of logs and it didnt surface,
back from work today and it appeared when i was using lookout express, i
removed it and went through the same steps i did with lookout it didnt come
back, i put date forwards and went through same steps it re-appeared, i
filtered through the steps with my date 1 more day forwards each time, it
appeared when i tried to read some chinese spam (up pops a internet exploder
message box "you need to download chinese font to view this!")

seems it wont install twice on the same day, and it will install through any
program that uses internet exploder dll's (yahoo messenger does , thus why i
1st thought that was the culprit)

opening internet exploder doesnt get me infected, but as soon as i goto any
webpage it suddenly appears, the 30kb searchpage.is or searchpage.ix dll (as
long my date is 1 day ahead of my last infection (currently on august 31st
:-)

well housecall, f-secure, McAfee, ad-aware, escan, cwshredder, dont detect
anything except the dll, without the dll present im effectively clean, but
without it present, put my clock forwards one day, use anything that uses
internet exploder for html/htm/installation of language pack message/etc,
blam! im re-infected!


arrrrrrrrrrrrrrrrgh!!!11
 
if i'd clicked next id have seen this ->

Done!
Removed from your system:
- CWS.Searchx
- 6 infected IE registry values

...

thats probably the 6 values this one is putting in there, cant be arsed to
remove those all the time, just remove the dll i do, sp.html what those
values refer to never opens up anyway :-/
 
grrr, pc dns's xml.zork.tv , then downloads space.gif from 81.211.105.37
(popular site on google for cws/online.exe), then downloads m.bin from
66.98.144.29/m.bin , and that installs itself as the dll (if you dont have a
folder view open in explorer.exe)

66.98.144.29 opens up a nasty site if u visit it with all the links
referring to coolwebsearch for searching :/

google turns up this page searching for that ip that asks to download some
other dodgy exe, http://66.98.144.29/mtree2.html . istinstall_netscape.exe
:p **** knows that that is.. (ignore it , nothing to do with this issue atm)

but whys my pc doing this! !! !

hosts is clean, 3 virus scanners and ad-aware say im clean.. filemon show no
weird activity b4 the "program" suddenly downloads space.gif and m.bin, i
dunno what space.gif is i tried opening it directly in iexplore and it didnt
display, and nothing else happened, and it isnt executable

spose i should search my registry for those ip's or that dns request

dont panic :d
 