Home | Community | Message Board


Marijuana Demystified
Please support our sponsors.

General Interest >> Science and Technology

Welcome to the Shroomery Message Board! You are experiencing a small sample of what the site has to offer. Please login or register to post messages and view our exclusive members-only content. You'll gain access to additional forums, file attachments, board customizations, encrypted private messages, and much more!

Jump to first unread post. Pages: 1
OfflineBrAiN
Art Fag
 User Gallery
Registered: 03/01/01
Posts: 6,870
Loc: Chocolate City
Last seen: 7 years, 4 months
killing a particular piece of spyware
    #3635087 - 01/16/05 03:35 PM (12 years, 1 month ago)

(2/4/05: This post has been updated. At the bottom of this thread should be the information on how to remove. All the other info in this thread if pretty helpful too, however.)

So I've got one of those evil pieces of spyware on my puter. The kind that reset your homepage to a search engine, and then give you 2352502 popups telling you that you're infected with (their) spyware.

The domain for the popups is: http://vv2.s13.tempx.cc

Question (1)
ANyone seen this one before? I've updates/run ad-aware, spypot, norton... NONE of these can find what's causing this. I've run and run these three a few times EACH this weekend to the point where they say my system is SCOTT FREE and it still keeps fucking with me. I tried seeing what processes were running, and sorting by CPU usage to see what rose up to the top when this thing hit me, but it doesn't seem to use much CPU power.. even for a second... and there's way too many processing running for me to figure out what should/shouldn't be there.

Q (2) Anyone know anything about DOS attacks? I'm getting sick of these 'companies' that load this kind of spyware. I'm at the piint where I'm ready to get all their DNS info, figure out where their HQ is physically located and set fire to the offiec building that their software is located in. Anyone else out there want to start a vigilante group to take these mother fuckers out?


Edited by BrAiN (02/06/05 04:32 AM)


Post Extras: Print Post  Remind Me! Notify Moderator
Offlineummikko
sika joka eilenn? on pelkk?sika

Registered: 04/02/03
Posts: 1,222
Loc: Finland
Last seen: 6 years, 9 months
Re: killing a particular piece of spyware [Re: BrAiN]
    #3635179 - 01/16/05 04:12 PM (12 years, 1 month ago)

(1)Maybe you can't see the process because it's "glued" to your browser? Does this happen with other browsers, too? Have you checked msconfig? just a thought.

(2)I'm SO in. :evil: :cool:


--------------------
"All substances are poisons; there is none which is not a poison. The right dose differentiates a poison and a remedy." -Paracelsius


Post Extras: Print Post  Remind Me! Notify Moderator
Offlineummikko
sika joka eilenn? on pelkk?sika

Registered: 04/02/03
Posts: 1,222
Loc: Finland
Last seen: 6 years, 9 months
Re: killing a particular piece of spyware [Re: BrAiN]
    #3635267 - 01/16/05 04:44 PM (12 years, 1 month ago)



--------------------
"All substances are poisons; there is none which is not a poison. The right dose differentiates a poison and a remedy." -Paracelsius


Post Extras: Print Post  Remind Me! Notify Moderator
OfflineBrAiN
Art Fag
 User Gallery
Registered: 03/01/01
Posts: 6,870
Loc: Chocolate City
Last seen: 7 years, 4 months
Re: killing a particular piece of spyware [Re: ummikko]
    #3635631 - 01/16/05 06:28 PM (12 years, 1 month ago)

I figured it out. Yea, it *WAS* something 'attached' to my browser. I had to dig through the registry to find all the little helper plugins. I found a couple that didn't look right. TWO of these mofo's in the IE part of the registry were registering a couple of dll files. I deleted the registry keys but they recreated themselves. I looked in all the startup/ini files, but didn't see any references. I renamed the dll files and that finally worked.

The ads that popped up to remove this spyware (the same crap THEY put on there in the fisrt place) came from that domain menioned above.

My question is... how do yuo find out who that domain name is registered to, because they're probably the ones behind it. If not, they probably host the ones that do. How can you get the name/address/etc of people behind the domain. I'd like to pay a little visit to their office.


Post Extras: Print Post  Remind Me! Notify Moderator
Offlineummikko
sika joka eilenn? on pelkk?sika

Registered: 04/02/03
Posts: 1,222
Loc: Finland
Last seen: 6 years, 9 months
Re: killing a particular piece of spyware [Re: BrAiN]
    #3635994 - 01/16/05 08:19 PM (12 years, 1 month ago)

You'd have to contact their web hosting company to get the names I guess. The IP address for the domain you gave is 69.50.191.147, which is an Esthost Networks address. Esthost servers are located at 200 Paul Avenue, San Francisco, CA, UnitedStates. Maybe ask them?


--------------------
"All substances are poisons; there is none which is not a poison. The right dose differentiates a poison and a remedy." -Paracelsius


Post Extras: Print Post  Remind Me! Notify Moderator
OfflineBrAiN
Art Fag
 User Gallery
Registered: 03/01/01
Posts: 6,870
Loc: Chocolate City
Last seen: 7 years, 4 months
Re: killing a particular piece of spyware [Re: ummikko]
    #3636173 - 01/16/05 09:09 PM (12 years, 1 month ago)

I got their IP address, PHYSICAL ADDRESS, email address, phone number, contact info. ANyone want it? They're in Prague. *splat* Anyone down?

Edit: We don't need that kind of attention.  :smile: -Seuss


Post Extras: Print Post  Remind Me! Notify Moderator
Offlineummikko
sika joka eilenn? on pelkk?sika

Registered: 04/02/03
Posts: 1,222
Loc: Finland
Last seen: 6 years, 9 months
Re: killing a particular piece of spyware [Re: BrAiN]
    #3638281 - 01/17/05 12:06 PM (12 years, 1 month ago)

Well done! What do you plan on doing first? *splat* :tongue:

Edit: we don't need that kind of attention.  :smile:  -Seuss


Post Extras: Print Post  Remind Me! Notify Moderator
OfflineBrAiN
Art Fag
 User Gallery
Registered: 03/01/01
Posts: 6,870
Loc: Chocolate City
Last seen: 7 years, 4 months
Re: killing a particular piece of spyware [Re: BrAiN]
    #3739063 - 02/06/05 03:25 AM (12 years, 25 days ago)

I'm getting a lot of people AIM'ing me about this hijacker. Guys... do a search for "mmnb.dll" on your machine. If you find it.. rename it and it should work... try to find this file in your registry too and delete the key that loads this file. It should be a registry key that loads an IE helper tool... I'm helping some kid get rid of it right now. If this works, I';ll post the results.

I totally forgot to write down the name of the dll file a couple weeks ago when I found this.


Post Extras: Print Post  Remind Me! Notify Moderator
OfflineBrAiN
Art Fag
 User Gallery
Registered: 03/01/01
Posts: 6,870
Loc: Chocolate City
Last seen: 7 years, 4 months
Re: killing a particular piece of spyware [Re: ummikko]
    #3739067 - 02/06/05 03:26 AM (12 years, 25 days ago)

BTW that HIJACK this program crashes everytime I try to run it. Anyone else have this problem?


Post Extras: Print Post  Remind Me! Notify Moderator
OfflineBrAiN
Art Fag
 User Gallery
Registered: 03/01/01
Posts: 6,870
Loc: Chocolate City
Last seen: 7 years, 4 months
Re: killing a particular piece of spyware [Re: BrAiN]
    #3739270 - 02/06/05 04:31 AM (12 years, 25 days ago)

Aight here's the deal. For all your non forum members that are googling this page... Here's how to get rid of the "CoolWebSearch" hijacker which keeps forcing IE back to tempx.cc. Read this whole thing to understand how it works:

The mmnb.dll file runs and creates the sp.dll file which is located in your "c:\documents and settings\username\local settings\temp" folder. This sp.dll hijacks Internet Explorer. If you rename or delete sp.dll, mmnb.dll will create sp.dll again. So you have to rename mmnb.dll. Well.. at least that's all I had to do, right? Sounds simple enough, right?

The problem is... When I caught this hijacking program... the file that it put on my machine was called MMNB.DLL. The reason Adaware and SPybot and the like can't protect from this file... is that it seems every once in a while... the creator of this hijacker CHANGES the name of MMNB.DLL... or something else... It creates a random name for the .dll file and slaps it somewhere in your computer. c:\windows\system32 or one of it's subdirectories.  Let's call this .dll file the "Phantom File". Adaware can find the registry keys that this phantom file creates, but not the phantom file itself. However, ONE of he registry keys it creates had the name of this phantom file in it. It's usually referred to in a "c:\" or "http://whatever.com" pathname with an argument at the end.

I had someone with this hijacker run adaware and over a dozen registry keys were found. Here are the keys that it created on his machine:


CoolWebSearch Object Recognized!
    Type              : RegValue
    Data              :
    Category          : Malware
    Comment            : "HOMEOldSP"
    Rootkey            : HKEY_USERS
    Object            : S-1-5-21-343818398-1303643608-682003330-1003\software\microsoft\internet explorer\main
    Value              : HOMEOldSP

CoolWebSearch Object Recognized!
    Type              : RegValue
    Data              :
    Category          : Malware
    Comment            : "HOMEOldSP"
    Rootkey            : HKEY_LOCAL_MACHINE
    Object            : software\microsoft\internet explorer\main
    Value              : HOMEOldSP


CoolWebSearch Object Recognized!
    Type              : Regkey
    Data              :
    Category          : Malware
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object            : protocols\filter\text/plain

CoolWebSearch Object Recognized!
    Type              : RegValue
    Data              :
    Category          : Malware
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object            : protocols\filter\text/plain
    Value              : CLSID

CoolWebSearch Object Recognized!
    Type              : Regkey
    Data              :
    Category          : Malware
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object            : protocols\filter\text/html

CoolWebSearch Object Recognized!
    Type              : RegValue
    Data              :
    Category          : Malware
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object            : protocols\filter\text/html
    Value              : CLSID

CoolWebSearch Object Recognized!
    Type              : Regkey
    Data              :
    Category          : Malware
    Comment            : CWS.About:Blank
    Rootkey            : HKEY_LOCAL_MACHINE
    Object            : software\microsoft\windows\currentversion\uninstall\searchassistant uninstall

CoolWebSearch Object Recognized!
    Type              : RegValue
    Data              :
    Category          : Malware
    Comment            : CWS.About:Blank
    Rootkey            : HKEY_LOCAL_MACHINE
    Object            : software\microsoft\windows\currentversion\uninstall\searchassistant uninstall
    Value              : DisplayName

CoolWebSearch Object Recognized!
    Type              : RegValue
    Data              :
    Category          : Malware
    Comment            : CWS.About:Blank
    Rootkey            : HKEY_LOCAL_MACHINE
    Object            : software\microsoft\windows\currentversion\uninstall\searchassistant uninstall
    Value              : UninstallString

CoolWebSearch Object Recognized!
    Type              : RegValue
    Data              :
    Category          : Malware
    Comment            :
    Rootkey            : HKEY_CURRENT_USER
    Object            : software\microsoft\internet explorer\search
    Value              : SearchAssistant

CoolWebSearch Object Recognized!
    Type              : RegValue
    Data              :
    Category          : Malware
    Comment            :
    Rootkey            : HKEY_CURRENT_USER
    Object            : software\microsoft\internet explorer\main
    Value              : Search Bar

CoolWebSearch Object Recognized!
    Type              : RegValue
    Data              :
    Category          : Malware
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object            : software\microsoft\internet explorer\main
    Value              : Use Custom Search URL

CoolWebSearch Object Recognized!
    Type              : RegValue
    Data              :
    Category          : Malware
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object            : software\microsoft\internet explorer\main
    Value              : Use Search Asst

CoolWebSearch Object Recognized!
    Type              : RegValue
    Data              :
    Category          : Malware
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object            : software\classes\protocols\filter\text/html
    Value              : CLSID

The location of the regitry key is in the "OBJECT" fields above.

IMPORTANT NOTE: Some of these keys won't be the same from computer to computer. Some keys such as "software\microsoft\internet explorer\main" are universal.... however keys that start with a string of letters and numbers such as "S-1-5-21-343818398-1303643608-682003330-1003\software\microsoft\internet explorer\main" are going to be different from computer to computer. You are going to have to run AdAware on your computer and do a deep system scan. Don't rely on the list of object I gave you above. Run Adaware on your own machine as the regitry paths will differ.

ALSO: Make sure you can see all hidden/system files and folders. Open up MY COMPUTER, click on TOOLS, click on FOLDER OPTIONS. When the folder options window pops up, click on the view tab. Make sure the "Show contens to system folders" is checked. Also, under 'hidden files and folders', Make sure "Show hidden files and folders" is selected.

Anyways... Here's how to find your phantom file:

Go to each of these registry keys listen in the object fields. Then.... double click on the VALUE/NAME field (i.e. Searchassistant, Search bar, Homeoldsp" and make note of the paths that these keys refer to. It Like I said, these paths should look like a windows or internet path name with some arguments at the very end like such:"

"c:\windows\system32\phantomfile.dll /argument1 /argument2"

or

"http://.somethingwhatever.com/bla/panphantomfile.dll /argument1 / argument2"

or

"res://c:\windows\system32\phantomfile.dll /argument1 /argument2"

So make a list of all the .dll files referred to in these registry keys. Find and rename all the .dll files. If you rename the sp.dll file first, you'll notice it popping up again. Don't worry.. eventually one of these .dll files is the Phantom File that is the master file that creates this sp.dll file. Eventually if you rename them all, you'll get to the original vampire.

Once you've done this, open IE. It'll probably still be hijacked. Go to your Internet Options and change your homepage to www.google.com, www.cnn.com, or whatever and click ok. Then... ***DON'T*** navigate anywhere. Immediately close your broswer after reseting your homepage.

Reboot your computer. Once rebooted DON'T open IT just yet. Just to be safe... go back in the registry and delete all the keys found above.

Then IE should be back to normal.

I believe the company that registered the tempx.cc domain (some company overseas) is responsible for this hijacking program. I have all their contact info, IP addresses, etc. If anyone wants this info, I can give it to you, for informational purposees only of course :wink: wink wink nudge nudge.

-BrAiN
b@bulala.com


Edited by BrAiN (02/06/05 04:35 AM)


Post Extras: Print Post  Remind Me! Notify Moderator
InvisibleVvellum
Stranger

Registered: 05/24/04
Posts: 10,920
Re: killing a particular piece of spyware [Re: BrAiN]
    #3740826 - 02/06/05 03:36 PM (12 years, 24 days ago)

so, its a coolwebsearch?
use cwshredder

http://www.intermute.com/spysubtract/cwshredder_download.html

and stop the madness - ditch the IE man.


Post Extras: Print Post  Remind Me! Notify Moderator
OfflineBrAiN
Art Fag
 User Gallery
Registered: 03/01/01
Posts: 6,870
Loc: Chocolate City
Last seen: 7 years, 4 months
Re: killing a particular piece of spyware [Re: Vvellum]
    #3740947 - 02/06/05 04:11 PM (12 years, 24 days ago)

Well sometimes, bio, you don't have a choice. A lotta websites will only let you use IE to view.

Also.. Flash for IE sychs up a little better the audio/video than Flash for mozilla. Also.. there's a lotta bugs in mozilla's CSS.


Post Extras: Print Post  Remind Me! Notify Moderator
Invisibleblacksabbathrulz
 User Gallery
Registered: 05/22/02
Posts: 2,511
Re: killing a particular piece of spyware [Re: BrAiN]
    #3741193 - 02/06/05 05:13 PM (12 years, 24 days ago)

Quote:

BrAiN said:
BTW that HIJACK this program crashes everytime I try to run it. Anyone else have this problem?




No, you have spyware that detects it, and then shuts it down. I bet the virus is in your system 32 folder, look for it when you are in safe mode.


--------------------
.


Post Extras: Print Post  Remind Me! Notify Moderator
InvisibleVvellum
Stranger

Registered: 05/24/04
Posts: 10,920
Re: killing a particular piece of spyware [Re: BrAiN]
    #3741677 - 02/06/05 07:20 PM (12 years, 24 days ago)

Quote:

Well sometimes, bio, you don't have a choice. A lotta websites will only let you use IE to view.




...and a user agent switcher will fool 99% of these bogus sites.

Quote:

Also.. Flash for IE sychs up a little better the audio/video than Flash for mozilla.




havent noticed. seems just fine for me.

Quote:

Also.. there's a lotta bugs in mozilla's CSS.




yeah, lots of bugs
here's the biggest one: http://www.w3.org
heh

IE has terrible css support.
firefox uses standards.
not sure what you are talking about.


Post Extras: Print Post  Remind Me! Notify Moderator
OfflineBrAiN
Art Fag
 User Gallery
Registered: 03/01/01
Posts: 6,870
Loc: Chocolate City
Last seen: 7 years, 4 months
Re: killing a particular piece of spyware [Re: Vvellum]
    #3741711 - 02/06/05 07:28 PM (12 years, 24 days ago)

I can't tell you how many times Ive used CSS to tell an object to be placed at x100 and y 100 and mozilla fucks it up and sticks it at 0,100

There are assloads of CSS bugs with Mozilla. Mozilla can't handle css positioning with tables for shit. Do a search for "mozilla css bug" and see how many hundreds of sites pull up.


Post Extras: Print Post  Remind Me! Notify Moderator
InvisibleVvellum
Stranger

Registered: 05/24/04
Posts: 10,920
Re: killing a particular piece of spyware [Re: BrAiN]
    #3741906 - 02/06/05 08:17 PM (12 years, 24 days ago)

Results 1 - 10 of about 309,000 for mozilla css bugs. (0.19 seconds)

and

Results 1 - 10 of about 783,000 for internet explorer css bugs. (0.21 seconds)


Post Extras: Print Post  Remind Me! Notify Moderator
OfflineBrAiN
Art Fag
 User Gallery
Registered: 03/01/01
Posts: 6,870
Loc: Chocolate City
Last seen: 7 years, 4 months
Re: killing a particular piece of spyware [Re: Vvellum]
    #3741965 - 02/06/05 08:30 PM (12 years, 24 days ago)

bah... mozilla's bugs are major... As a programmer I have to bend over backwards to handle CSS and tables for Mozilla browsers.


Post Extras: Print Post  Remind Me! Notify Moderator
InvisibleVvellum
Stranger

Registered: 05/24/04
Posts: 10,920
Re: killing a particular piece of spyware [Re: BrAiN]
    #3742082 - 02/06/05 08:59 PM (12 years, 24 days ago)

why not follow standards?


Post Extras: Print Post  Remind Me! Notify Moderator
OfflineBrAiN
Art Fag
 User Gallery
Registered: 03/01/01
Posts: 6,870
Loc: Chocolate City
Last seen: 7 years, 4 months
Re: killing a particular piece of spyware [Re: Vvellum]
    #3742173 - 02/06/05 09:20 PM (12 years, 24 days ago)

I do... the bugs specific to Mozilla are a major pain in the ass though... plus with flash it gets a bit buggy sometimes... Although I like Mozilla's web develpoper tools more than IE...

Still.. I gotta use em both. I'm a web programmer/designer... so I try to force myself to use both IE and mozilla equally.


Post Extras: Print Post  Remind Me! Notify Moderator
OfflineBrAiN
Art Fag
 User Gallery
Registered: 03/01/01
Posts: 6,870
Loc: Chocolate City
Last seen: 7 years, 4 months
Re: killing a particular piece of spyware [Re: BrAiN]
    #3742183 - 02/06/05 09:22 PM (12 years, 24 days ago)

I think a lot of the hatred for IE comes not from inferiority to Mozzilla, but:

a) general hatred for Microsoft

and

b) The fact that there's so much spayware out there that can fuck with IE. The thing is though... that's just because IE has a huge corner on the market. If all the hackers out there devoted just as much energy to fucking with Netscape as they do with IE... You'd have a lot more people talking smack about NS/FireFox/Mozilla...

I thik both products are equal to be honest... both have a shitload of bugs and a lotta great proprietary features as well.


Post Extras: Print Post  Remind Me! Notify Moderator
Jump to top. Pages: 1

General Interest >> Science and Technology

Similar ThreadsPosterViewsRepliesLast post
* Got spyware? popups? hidden files? annoying programs?
ShroomismM
2,001 9 04/13/04 06:39 PM
by SkorpivoMusterion
* Hijack this flip3084 445 3 01/15/09 07:51 PM
by supra
* Infuriating piece of malware Viveka 2,035 18 05/01/06 06:01 PM
by ALHOFF177A17
* all my url links are hijacked by a search engine psilocyben 738 5 06/29/05 07:13 PM
by CptnGarden
* Homepage Hijacker Help ToTheSummit 2,001 10 12/14/03 07:30 PM
by AlienPrimate
* please help with spyware/virus protection programs Edge 1,640 19 04/06/05 11:26 AM
by trendal
* Stupid spyware. How the fuck to remove? SteinM 1,159 9 11/22/04 11:09 PM
by AhronZombi
* what's the best spyware killer these days? stefan 1,138 15 09/09/06 06:15 PM
by OJK

Extra information
You cannot start new topics / You cannot reply to topics
HTML is disabled / BBCode is enabled
Moderator: Lana, trendal, Diploid, automan
2,425 topic views. 0 members, 5 guests and 0 web crawlers are browsing this forum.
[ Toggle Favorite | Print Topic | Stats ]
Search this thread:
SoulSpeciosa Kratom
Please support our sponsors.

Copyright 1997-2017 Mind Media. Some rights reserved.

Generated in 0.137 seconds spending 0.003 seconds on 14 queries.