SearchV?
  1. #1
    Senior Member
    Join Date
    May 2002
    Posts
    256

    SearchV?

    Anyone have any programs that offer quick removal of this spyware/trojan? I have looked at PestPatrol, used it, but it doesn't delete the file, simply claims it was but doesn't. Next, I tried Spybot S&D, that didn't find it or remove it. I know I can use HijackThis, and remove the entries, but does anyone know of a simple tool used to remove it? Does CWShredder remove it?
    Sex is like "Social Security". You get a little each month, but it's not enough to live on.

  2. #2
    Banned
    Join Date
    Jun 2002
    Posts
    289
    Yep, CWShredder should do it... it's a CoolWebSearch variant.

    http://www.spywareinfo.com/~merijn/cwschronicles.html

    CWS.Bootconf
    Variant 2: CWS.Bootconf - Evolution
    Approx date first sighted: July 6, 2003
    Log reference: http://forums.spywareinfo.com/index.php?showtopic=7821
    Symptoms: Massive IE slowdown, illegible URLs ie IE Options, redirections when mistyping URLs, startpage & search page changed on reboot
    Cleverness: 8/10
    Manual removal difficulty: Involves some Registry editing
    Identifying lines in HijackThis log:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%63/%78%31%2e%63%67%69?%36%35%36%33%38%37
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%36%35%36%33%38%37 about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://yourbookmarks.ws/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://www.searchxp.com/search.php?qq=%s
    O1 - Hosts: 1123694712 auto.search.msn.com
    O4 - HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe
    O19 - User stylesheet: C:\WINNT\default.css


    After HijackThis had built-in support for decrypting the URLs:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.coolwwwsearch.com/z/b/x1.cgi?100 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jetseeker.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.coolwwwsearch.com/z/c/x1.cgi?100 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.coolwwwsearch.com/z/a/x1.cgi?100 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.jetseeker.com/ffeed.php?term=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://search.xrenoder.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://search.xrenoder.com



    The second variant seemed like the first one in only one way: it used the exact same .css stylesheet file. But it took the hijack one step further by not only changing the IE startpage and search pages, but changing them to illegible hexcode garbage.

    Only when this code was deciphered did it become clear that CoolWebSearch was behind this all. It almost seemed as if they let Datanotary take the stylesheet exploit hijack for a test ride before using it themselves.

    The hijack further involved redirecting the default 'server not found' page to the CoolWebSearch portal homepage by editing the Hosts file, and reloading the entire hijack when the machine was rebooted using a bootconf.exe file that was started with Windows. We also started to see some pages which seemed to be affiliates of CWS, since almost all their links led to www.coolwebsearch.com.
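The chronicle quoted above shows why the hijack was hard to read in an early HijackThis log: the start/search page values are ordinary URLs with every character percent-encoded, so the CoolWebSearch hostname only appears once the escapes are undone. The script below is an added example, not part of the thread or of HijackThis/CWShredder; it decodes R0/R1 values the way a later HijackThis did, checks the resulting host against the domains named in the chronicle, turns the bare decimal address in the O1 Hosts line into dotted-quad form (the assumption being that it is a dword-form IPv4 address, which inet_addr() accepts), and lists the O4 autostart and O19 user-stylesheet entries the chronicle points at. The sample log, the domain list and the binary name list are constructed from the lines quoted on this page; nothing else is assumed.

```python
import re
from urllib.parse import unquote, urlsplit

# Domains named in the CWS chronicle quoted above (list constructed from this page).
CWS_DOMAINS = {
    "coolwwwsearch.com", "coolwebsearch.com", "searchv.com", "jetseeker.com",
    "xrenoder.com", "yourbookmarks.ws", "searchxp.com",
}

# Autostart binaries the chronicle associates with this variant (from this page).
CWS_BINARIES = {"bootconf.exe"}

# Constructed sample: HijackThis lines quoted above, with the wrapped
# hex-encoded URLs re-joined onto single lines.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%36%35%36%33%38%37 about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://yourbookmarks.ws/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://www.searchxp.com/search.php?qq=%s
O1 - Hosts: 1123694712 auto.search.msn.com
O4 - HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe
O19 - User stylesheet: C:\WINNT\default.css
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")


def decode_url(value):
    """Undo percent-encoding until the string stops changing, so a doubly
    encoded URL is unwrapped too. A stray '%s' (not valid hex) is left alone."""
    while True:
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded


def registrable_domain(url):
    """Last two labels of the URL's host ('www.searchv.com' -> 'searchv.com').
    Sufficient for the chronicle's domains; not a public-suffix-aware check."""
    host = urlsplit(url.split()[0]).hostname or ""
    return ".".join(host.split(".")[-2:])


def dword_to_ip(n):
    """Render a 32-bit integer as dotted-quad IPv4 (1123694712 -> 66.250.56.120)."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def analyze(log):
    """Walk a HijackThis-style log and return one finding per suspicious line."""
    findings = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            # "<registry key>,<value name>=<url>": decode, then look at the host.
            key, _, raw = body.partition("=")
            raw = raw.strip()
            decoded = decode_url(raw)
            domain = registrable_domain(decoded)
            obfuscated = decoded != raw  # percent-escapes hid the hostname
            if obfuscated or domain in CWS_DOMAINS:
                findings.append({"kind": kind, "key": key.strip(),
                                 "url": decoded.split()[0], "domain": domain,
                                 "obfuscated": obfuscated})
        elif kind == "O1":
            # "Hosts: <address> <name>": a bare integer is assumed to be a dword IPv4.
            addr, name = body.split(":", 1)[1].split()[:2]
            if addr.isdigit():
                addr = dword_to_ip(int(addr))
            findings.append({"kind": kind, "host": name, "redirected_to": addr})
        elif kind == "O4":
            # "HKLM\..\Run: [name] <path>": flag binaries the chronicle names.
            exe = body.rsplit("\\", 1)[-1].lower()
            if exe in CWS_BINARIES:
                findings.append({"kind": kind, "autostart": exe})
        elif kind == "O19":
            # A user stylesheet is the vehicle the chronicle describes; always list it.
            findings.append({"kind": kind, "stylesheet": body.split(":", 1)[1].strip()})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample it reports seven entries: the two hex-encoded CoolWebSearch URLs decoded to www.coolwwwsearch.com, the two plain-text start/search pages on domains the chronicle lists, the Hosts entry for auto.search.msn.com with its address in dotted form, the bootconf.exe Run entry and the default.css user stylesheet. Decoding on its own is not evidence of a hijack (browsers tolerate escaped URLs), which is why the check pairs "was percent-encoded" with "resolves to a known CWS domain" rather than relying on either alone.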
