
Hijacked By Cool Web Search & Rightfinder

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

It is similar to the previous scan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:09 PM, on 10/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common

Deleting the file and resetting the IE home and search pages fixes the hijack.

CWS.Msoffice.2: A mutation of this variant exists that hijacks IE to sexpatriot.net and royalsearch.net, installs a hosts file

What's up? In the last few weeks, the people behind this name have succeeded in becoming (IMHO) an even bigger nuisance than the now infamous Lop.
Cleverness: 5/10, second variant 8/10
Manual removal difficulty: Involves lots and lots of Registry editing, a bit of hosts file editing and deleting one file.

All virus definitions are up-to-date.

https://forums.techguy.org/threads/hijacked-by-cool-web-search-rightfinder.180824/

Here is the report...

SmitFraudFix v2.237
Scan done at 15:52:17.59, Thu 10/04/2007
Run from C:\Documents and Settings\KATHY\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before

By the way, both IE and NN browsers work through the dial-up.

Or perhaps more likely Dell - how new is this box?

I downloaded the newest version of Ad-Aware 2007.

CWS.Alfasearch.2: A mutation of this variant exists, that hijacks IE to www.find-itnow.com, drops 7 porn bookmarks in the IE Favorites, and causes error messages concerning 'Win Min' at system shutdown, as

Thank you!

Variant 19: CWS.Alfasearch - Child's Play
Approx date first sighted: November 5, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=16730
Symptoms: IE pages changed to alfa-search.com, possibly porn sites being redirected to (alfa-search.com), error

The new log is listed at the end.

It changed the dreplace.dll, so fixing it with either HijackThis or CWShredder will cause your entire system to fail on Windows 98, 98SE and ME!

http://www.pieter-arntz.info/cwschronicles.html
The chronological order in which the CWS variants appeared is detailed here, along with the approximate dates when they appeared online.

It is run from win.ini, a method rarely used by programs nowadays.

Probably the most active is at The CD Forum.

Reboot and run the scan again to make sure they are gone.

When Spybot was run from Windows PE, the iwantsearch.com hijack and corresponding intbar toolbar were removed, as were the two CWS service startup entries.

How do I prevent it from happening again?

The filename of the user stylesheet changed into one that didn't even look like a stylesheet on the outside, but got accepted by IE anyway.

Trilobite (Malware Hunter, Trusted Advisor), posted June 2, 2005 (edited): Quoted from an

It's classified as the JS.Exception.Exploit, and a patch can be downloaded from this MS security bulletin.

It is unknown whether deleting the file has side-effects, but using CWShredder or running regsvr32 /u c:\windows\system32\xplugin.dll (the path may vary depending on Windows version) fixes the hijack completely.

The site names are obfuscated using URL-encoding (%XX) to make them difficult to read.

Killing the three BHOs and restoring the IE pages fixed this hijack.

Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon]

It took a while to find out how this variant works, since it doesn't use any of the standard locations.

It redirects the Verisign Sitefinder, so all mistyped domains are redirected to

CWS.Aff.Winshow.3: A third version of this variant exists, that uses the filename winlink.dll for the BHO.

It appears that the HOSTS file wasn't even scanned, leaving all of the CWS HOSTS entries intact. When Spybot was run from the infected system, the iwantsearch.com hijack and corresponding

It combined several hijacking methods, along with random redirections to porn pages, portals and even adult dialers.

The hijack covered most of IE, and a user was left to sit helplessly and

Music Engine\ymetray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regmod.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ffinder.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ffinder.com/
R0 - HKCU\Software\Microsoft\Internet

Plus, in some of my tests, the combination of HJT and runscanner resulted in slight corruptions and garbage left in the target registry.

The variants of this trojan that we have seen in the wild have been functionally diverse; the common factor amongst them has been the use of the ByteVerify exploit to achieve

Two domains were added to the Trusted Zone to ensure CWS could do its dirty work and install any updates if they ever became available.

But most of all, IE start

However, once the hijack was identified, it was easy to stop: only the autostarting oemsyspnp.inf file had to be disabled using MSConfig, and then it could be safely deleted.

After about the 3rd CWS variant, I realized this particular spyware company moved faster than any other I'd seen before, and that the anti-spyware programs wouldn't be able to keep up

A hosts file redirection of auto.search.msn.com to globe-finder is installed.
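The checks described on this page (IE start and search pages pointing at a hijacker domain, site names hidden behind %XX URL-encoding, a hosts-file redirection of auto.search.msn.com, and known CWS filenames in BHO or autostart entries) can be applied mechanically to a HijackThis log. The script below is an added example written for this page; it is not code from the forum thread, from HijackThis, or from the CWS Chronicles. The domain and filename lists are assumptions assembled only from the variants named on this page, not a complete CoolWebSearch signature set, and the sample log is constructed: its ffinder.com lines mirror the R1 entries shown above, the Start Page line is the same host %XX-encoded, the O1 address is a documentation IP and the O2 CLSID is a placeholder.

```python
import re
from urllib.parse import unquote, urlsplit

# Watch-list assembled from the hijacker domains named on this page.
# Assumption: illustrative only, not a complete CoolWebSearch signature set.
CWS_DOMAINS = {
    "ffinder.com", "alfa-search.com", "find-itnow.com", "therealsearch.com",
    "iwantsearch.com", "sexpatriot.net", "royalsearch.net",
}
# Hostnames whose presence in the hosts file is a classic CWS sign
# (auto.search.msn.com is what IE queries for mistyped addresses).
HOSTS_TARGETS = {"auto.search.msn.com"}
# Filenames that the variant descriptions on this page attribute to CWS.
CWS_FILES = {
    "xplugin.dll", "winlink.dll", "mtwirl32.dll", "oemsyspnp.inf",
    "drvupd.inf", "quicken.exe", "editpad.exe",
}

# HijackThis lines look like "R1 - <key> = <value>" or "O4 - <entry>".
LINE_RE = re.compile(r"^(?P<sect>[RO]\d+)\s+-\s+(?P<body>.*)$")


def decode_host(url):
    """Hostname of a URL, after undoing %XX obfuscation, lower-cased."""
    url = unquote(url.strip())
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_cws_host(host):
    return any(host == d or host.endswith("." + d) for d in CWS_DOMAINS)


def triage_line(line):
    """Return (section, finding) for a suspicious line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sect, body = m.group("sect"), m.group("body")
    if sect in ("R0", "R1") and " = " in body:
        # IE start/search page settings: decode and check the target host.
        key, _, value = body.partition(" = ")
        host = decode_host(value)
        if is_cws_host(host):
            return (sect, f"IE '{key.split(',')[-1]}' hijacked to {host}")
    elif sect == "O1":
        # "O1 - Hosts: <ip> <hostname>": a redirect of a search host.
        parts = body.split()
        if len(parts) >= 3 and parts[-1].lower() in HOSTS_TARGETS:
            return (sect, f"hosts file redirects {parts[-1]} to {parts[-2]}")
    elif sect in ("O2", "O4"):
        # BHO and autostart entries: look for a known CWS filename.
        lowered = body.lower()
        for fname in sorted(CWS_FILES):
            if fname in lowered:
                return (sect, f"known CWS file loaded: {fname}")
    return None


def triage_log(text):
    """Run triage_line over every line of a HijackThis log."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample log (not a real scan): the ffinder.com lines mirror the
# R1 entries shown on this page, the Start Page is the same host %XX-encoded,
# the O1 IP is a documentation address and the O2 CLSID is a placeholder.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ffinder.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://%66%66%69%6e%64%65%72%2e%63%6f%6d/
O1 - Hosts: 192.0.2.1 auto.search.msn.com
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\xplugin.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
"""

if __name__ == "__main__":
    for sect, finding in triage_log(SAMPLE_LOG):
        print(f"{sect}: {finding}")
```

Paste a real log into SAMPLE_LOG (or read it from a file) to triage it; the decoding step is what makes the %XX-obfuscated Start Page line match the same host as the plain ffinder.com entries, and matching on a suffix (host == d or host.endswith("." + d)) catches subdomains of a listed hijacker domain without matching unrelated hosts that merely contain the string.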

Here is my resulting log from HijackThis after running the second time.

The smallest one, quicken.exe, downloaded and ran the second one, editpad.exe (like CWS.Aff.Iedll does), and hijacked IE to therealsearch.com, as well as setting themselves to run at startup.

CWS.Oemsyspnp.3: A mutation of this variant exists that uses the filename drvupd.inf, and the Registry value drvupd instead.

It loads from win.ini as well as system.ini in a weird way that shouldn't even work, and installs a BHO with seemingly the purpose of reacting to certain keywords on webpages.

The responsible file is mtwirl32.dll, and to delete it manually you need to rename it (deleting is impossible since it is in use), restart the system, and then delete the file.

CWS.Oslogo
Variant 3: CWS.OSLogo.bmp - Send in the affiliates
Approx date first sighted: July 10, 2003
Log reference: http://forums.spywareinfo.com/index.php?showtopic=8210
Symptoms: Massive IE slowdowns
Cleverness: 2/10
Manual removal difficulty: Involves some Registry

I use Registry Editor PE (The Triton Revision) because it lets you specify which registry editor to load.

Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: America Online 8.0

It found 1 update for Windows Genuine Advantage.

It can also create pop-up ads that redirect to other websites including pornography sites, collect private information about users and slow the speed of infected computers.

I had already checked with my cable ISP and found out they don't do any filtering on their end. I'm running McAfee Firewall and don't think that is the problem because I still have connection through the dial-up service. It works on just about any O.S. When I do that, I get a dialog box stating that Windows cannot detect an Internet connection.