BrAiN
Art Fag
Registered: 03/01/01
Posts: 6,875
Loc: Chocolate City
Last seen: 2 years, 7 months
killing a particular piece of spyware
#3635087 - 01/16/05 01:35 PM (19 years, 2 months ago)
(2/4/05: This post has been updated. At the bottom of this thread should be the information on how to remove. All the other info in this thread is pretty helpful too, however.)
So I've got one of those evil pieces of spyware on my puter. The kind that reset your homepage to a search engine, and then give you 2352502 popups telling you that you're infected with (their) spyware.
The domain for the popups is: http://vv2.s13.tempx.cc
Question (1) Anyone seen this one before? I've updated/run Ad-Aware, Spybot, Norton... NONE of these can find what's causing this. I've run and run these three a few times EACH this weekend to the point where they say my system is SCOT-FREE and it still keeps fucking with me. I tried seeing what processes were running, and sorting by CPU usage to see what rose up to the top when this thing hit me, but it doesn't seem to use much CPU power.. even for a second... and there's way too many processes running for me to figure out what should/shouldn't be there.
Q (2) Anyone know anything about DOS attacks? I'm getting sick of these 'companies' that load this kind of spyware. I'm at the point where I'm ready to get all their DNS info, figure out where their HQ is physically located and set fire to the office building that their software is located in. Anyone else out there want to start a vigilante group to take these mother fuckers out?
Edited by BrAiN (02/06/05 02:32 AM)
ummikko
a pig that yesterday was just a pig
Registered: 04/02/03
Posts: 1,222
Loc: Finland
Last seen: 13 years, 10 months
Re: killing a particular piece of spyware [Re: BrAiN]
#3635179 - 01/16/05 02:12 PM (19 years, 2 months ago)
(1) Maybe you can't see the process because it's "glued" to your browser? Does this happen with other browsers, too? Have you checked msconfig? Just a thought.
(2) I'm SO in.
-------------------- "All substances are poisons; there is none which is not a poison. The right dose differentiates a poison and a remedy." -Paracelsus
ummikko
Re: killing a particular piece of spyware [Re: BrAiN]
#3635267 - 01/16/05 02:44 PM (19 years, 2 months ago)
BrAiN
Re: killing a particular piece of spyware [Re: ummikko]
#3635631 - 01/16/05 04:28 PM (19 years, 2 months ago)
I figured it out. Yea, it *WAS* something 'attached' to my browser. I had to dig through the registry to find all the little helper plugins. I found a couple that didn't look right. TWO of these mofos in the IE part of the registry were registering a couple of dll files. I deleted the registry keys but they recreated themselves. I looked in all the startup/ini files, but didn't see any references. I renamed the dll files and that finally worked.
The ads that popped up to remove this spyware (the same crap THEY put on there in the first place) came from that domain mentioned above.
My question is... how do you find out who that domain name is registered to, because they're probably the ones behind it. If not, they probably host the ones that do. How can you get the name/address/etc of people behind the domain. I'd like to pay a little visit to their office.
ummikko
Re: killing a particular piece of spyware [Re: BrAiN]
#3635994 - 01/16/05 06:19 PM (19 years, 2 months ago)
You'd have to contact their web hosting company to get the names I guess. The IP address for the domain you gave is 69.50.191.147, which is an Esthost Networks address. Esthost servers are located at 200 Paul Avenue, San Francisco, CA, United States. Maybe ask them?
BrAiN
Re: killing a particular piece of spyware [Re: ummikko]
#3636173 - 01/16/05 07:09 PM (19 years, 2 months ago)
I got their IP address, PHYSICAL ADDRESS, email address, phone number, contact info. Anyone want it? They're in Prague. *splat* Anyone down? Edit: We don't need that kind of attention. -Seuss
ummikko
Re: killing a particular piece of spyware [Re: BrAiN]
#3638281 - 01/17/05 10:06 AM (19 years, 2 months ago)
Well done! What do you plan on doing first? *splat* Edit: we don't need that kind of attention. -Seuss
BrAiN
Re: killing a particular piece of spyware [Re: BrAiN]
#3739063 - 02/06/05 01:25 AM (19 years, 1 month ago)
I'm getting a lot of people AIMing me about this hijacker. Guys... do a search for "mmnb.dll" on your machine. If you find it.. rename it and it should work... try to find this file in your registry too and delete the key that loads this file. It should be a registry key that loads an IE helper tool... I'm helping some kid get rid of it right now. If this works, I'll post the results.
I totally forgot to write down the name of the dll file a couple weeks ago when I found this.
BrAiN
Re: killing a particular piece of spyware [Re: ummikko]
#3739067 - 02/06/05 01:26 AM (19 years, 1 month ago)
BTW that HijackThis program crashes every time I try to run it. Anyone else have this problem?
BrAiN
Re: killing a particular piece of spyware [Re: BrAiN]
#3739270 - 02/06/05 02:31 AM (19 years, 1 month ago)
Aight here's the deal. For all you non-forum members that are googling this page... Here's how to get rid of the "CoolWebSearch" hijacker which keeps forcing IE back to tempx.cc. Read this whole thing to understand how it works:
The mmnb.dll file runs and creates the sp.dll file which is located in your "c:\documents and settings\username\local settings\temp" folder. This sp.dll hijacks Internet Explorer. If you rename or delete sp.dll, mmnb.dll will create sp.dll again. So you have to rename mmnb.dll. Well.. at least that's all I had to do, right? Sounds simple enough, right?
The problem is... When I caught this hijacking program... the file that it put on my machine was called MMNB.DLL. The reason Ad-Aware and Spybot and the like can't protect from this file... is that it seems every once in a while... the creator of this hijacker CHANGES the name of MMNB.DLL... or something else... It creates a random name for the .dll file and slaps it somewhere in your computer. c:\windows\system32 or one of its subdirectories. Let's call this .dll file the "Phantom File". Ad-Aware can find the registry keys that this phantom file creates, but not the phantom file itself. However, ONE of the registry keys it creates had the name of this phantom file in it. It's usually referred to in a "c:\" or "http://whatever.com" pathname with an argument at the end.
I had someone with this hijacker run adaware and over a dozen registry keys were found. Here are the keys that it created on his machine:
CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : "HOMEOldSP" Rootkey : HKEY_USERS Object : S-1-5-21-343818398-1303643608-682003330-1003\software\microsoft\internet explorer\main Value : HOMEOldSP
CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : "HOMEOldSP" Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\main Value : HOMEOldSP
CoolWebSearch Object Recognized! Type : Regkey Data : Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : protocols\filter\text/plain
CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : protocols\filter\text/plain Value : CLSID
CoolWebSearch Object Recognized! Type : Regkey Data : Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : protocols\filter\text/html
CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : protocols\filter\text/html Value : CLSID
CoolWebSearch Object Recognized! Type : Regkey Data : Category : Malware Comment : CWS.About:Blank Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\uninstall\searchassistant uninstall
CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : CWS.About:Blank Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\uninstall\searchassistant uninstall Value : DisplayName
CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : CWS.About:Blank Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\uninstall\searchassistant uninstall Value : UninstallString
CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_CURRENT_USER Object : software\microsoft\internet explorer\search Value : SearchAssistant
CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_CURRENT_USER Object : software\microsoft\internet explorer\main Value : Search Bar
CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\main Value : Use Custom Search URL
CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\main Value : Use Search Asst
CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\classes\protocols\filter\text/html Value : CLSID
The location of the registry key is in the "OBJECT" fields above.
IMPORTANT NOTE: Some of these keys won't be the same from computer to computer. Some keys such as "software\microsoft\internet explorer\main" are universal.... however keys that start with a string of letters and numbers such as "S-1-5-21-343818398-1303643608-682003330-1003\software\microsoft\internet explorer\main" are going to be different from computer to computer. You are going to have to run Ad-Aware on your computer and do a deep system scan. Don't rely on the list of objects I gave you above. Run Ad-Aware on your own machine as the registry paths will differ.
ALSO: Make sure you can see all hidden/system files and folders. Open up MY COMPUTER, click on TOOLS, click on FOLDER OPTIONS. When the folder options window pops up, click on the view tab. Make sure the "Show contents of system folders" is checked. Also, under 'hidden files and folders', make sure "Show hidden files and folders" is selected.
Anyways... Here's how to find your phantom file:
Go to each of these registry keys listed in the object fields. Then.... double click on the VALUE/NAME field (i.e. Searchassistant, Search bar, Homeoldsp) and make note of the paths that these keys refer to. Like I said, these paths should look like a windows or internet path name with some arguments at the very end, like so:
"c:\windows\system32\phantomfile.dll /argument1 /argument2"
or
"http://.somethingwhatever.com/bla/panphantomfile.dll /argument1 / argument2"
or
"res://c:\windows\system32\phantomfile.dll /argument1 /argument2"
So make a list of all the .dll files referred to in these registry keys. Find and rename all the .dll files. If you rename the sp.dll file first, you'll notice it popping up again. Don't worry.. eventually one of these .dll files is the Phantom File that is the master file that creates this sp.dll file. Eventually if you rename them all, you'll get to the original vampire.
Once you've done this, open IE. It'll probably still be hijacked. Go to your Internet Options and change your homepage to www.google.com, www.cnn.com, or whatever and click ok. Then... ***DON'T*** navigate anywhere. Immediately close your browser after resetting your homepage.
Reboot your computer. Once rebooted DON'T open IE just yet. Just to be safe... go back in the registry and delete all the keys found above.
Then IE should be back to normal.
I believe the company that registered the tempx.cc domain (some company overseas) is responsible for this hijacking program. I have all their contact info, IP addresses, etc. If anyone wants this info, I can give it to you, for informational purposes only of course wink wink nudge nudge.
-BrAiN b@bulala.com
Edited by BrAiN (02/06/05 02:35 AM)
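As an added example (not the poster's code), a small Python triage helper for the steps above: it parses the Ad-Aware "Object Recognized!" lines quoted in the post into their Rootkey/Object/Value fields and pulls the DLL path out of value data of the three shapes the post shows, tolerating surrounding quotes, a res:// wrapper and mixed case; the sample report lines and DLL names are constructed, and nothing touches a live registry.

```python
"""Parse flattened Ad-Aware "Object Recognized!" lines into Rootkey/Object/Value
and pull the DLL path (the post's "Phantom File") out of registry value data.
Added example, not the poster's code; all sample data below is constructed."""
import re
from typing import Iterable, NamedTuple, Optional

class RegHit(NamedTuple):
    rootkey: str          # e.g. HKEY_LOCAL_MACHINE
    path: str             # the report's "Object" field: where the key lives
    value: Optional[str]  # value name, or None when the hit is a whole key

# Ad-Aware emits fields in this order separated by " : "; splitting on the names
# recovers them even when a field (Data, Comment) is empty.
_FIELD_RE = re.compile(r"(Type|Data|Category|Comment|Rootkey|Object|Value) : ")

def parse_adaware_line(line: str) -> RegHit:
    """Split one flattened 'CoolWebSearch Object Recognized!' line."""
    parts = _FIELD_RE.split(line)  # [prefix, name1, text1, name2, text2, ...]
    fields = {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}
    return RegHit(fields["Rootkey"], fields["Object"], fields.get("Value") or None)

# Optional res:// wrapper, then a drive path or http(s) URL ending in .dll, then
# zero or more "/switch" arguments (a space after the slash is tolerated).
_DLL_RE = re.compile(
    r"^(?:res://)?(?P<path>(?:[a-z]:\\|https?://)\S*?\.dll)(?:\s+/\s*\S+)*\s*$",
    re.IGNORECASE)

def phantom_from_value(data: str) -> Optional[str]:
    """DLL a value points at, or None for ordinary data such as a homepage URL."""
    m = _DLL_RE.match(data.strip().strip('"'))
    return m.group("path") if m else None

def candidate_dlls(values: Iterable[str]) -> list:
    """Unique DLLs (case-insensitive, first-seen order): the post's rename list."""
    seen = []
    for data in values:
        dll = phantom_from_value(data)
        if dll and dll.lower() not in (s.lower() for s in seen):
            seen.append(dll)
    return seen

# Constructed samples in the shape of the thread's output (file names hypothetical).
SAMPLE_REPORT = [
    'CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware '
    'Comment : "HOMEOldSP" Rootkey : HKEY_LOCAL_MACHINE '
    'Object : software\\microsoft\\internet explorer\\main Value : HOMEOldSP',
    'CoolWebSearch Object Recognized! Type : Regkey Data : Category : Malware '
    'Comment : Rootkey : HKEY_CLASSES_ROOT Object : protocols\\filter\\text/plain',
]
SAMPLE_VALUES = [
    r"c:\windows\system32\phantomfile.dll /argument1 /argument2",
    r"res://C:\WINDOWS\system32\PHANTOMFILE.DLL /argument1",
    "http://.somethingwhatever.com/bla/panphantomfile.dll /argument1 / argument2",
    "http://www.google.com",  # a legitimate homepage, not a phantom file
]
```

Run `candidate_dlls(SAMPLE_VALUES)` to get the two distinct DLL paths; the Google homepage yields nothing, which is the result you want to see once the hijack is gone.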
Vvellum
Stranger
Registered: 05/24/04
Posts: 10,920
Re: killing a particular piece of spyware [Re: BrAiN]
#3740826 - 02/06/05 01:36 PM (19 years, 1 month ago)
So, it's a CoolWebSearch? Use CWShredder:
http://www.intermute.com/spysubtract/cwshredder_download.html
and stop the madness - ditch the IE man.
BrAiN
Re: killing a particular piece of spyware [Re: Vvellum]
#3740947 - 02/06/05 02:11 PM (19 years, 1 month ago)
Well sometimes, bio, you don't have a choice. A lotta websites will only let you use IE to view.
Also.. Flash for IE syncs up the audio/video a little better than Flash for Mozilla. Also.. there's a lotta bugs in Mozilla's CSS.
blacksabbathrulz
Registered: 05/22/02
Posts: 2,511
Re: killing a particular piece of spyware [Re: BrAiN]
#3741193 - 02/06/05 03:13 PM (19 years, 1 month ago)
Quote:
BrAiN said: BTW that HijackThis program crashes every time I try to run it. Anyone else have this problem?
No, you have spyware that detects it, and then shuts it down. I bet the virus is in your system 32 folder, look for it when you are in safe mode.
Vvellum
Re: killing a particular piece of spyware [Re: BrAiN]
#3741677 - 02/06/05 05:20 PM (19 years, 1 month ago)
Quote:
Well sometimes, bio, you don't have a choice. A lotta websites will only let you use IE to view.
...and a user agent switcher will fool 99% of these bogus sites.
Quote:
Also.. Flash for IE sychs up a little better the audio/video than Flash for mozilla.
Haven't noticed. Seems just fine for me.
Quote:
Also.. there's a lotta bugs in mozilla's CSS.
yeah, lots of bugs here's the biggest one: http://www.w3.org heh
IE has terrible css support. firefox uses standards. not sure what you are talking about.
BrAiN
Re: killing a particular piece of spyware [Re: Vvellum]
#3741711 - 02/06/05 05:28 PM (19 years, 1 month ago)
I can't tell you how many times I've used CSS to tell an object to be placed at x100 and y100 and Mozilla fucks it up and sticks it at 0,100.
There are assloads of CSS bugs with Mozilla. Mozilla can't handle css positioning with tables for shit. Do a search for "mozilla css bug" and see how many hundreds of sites pull up.
Vvellum
Re: killing a particular piece of spyware [Re: BrAiN]
#3741906 - 02/06/05 06:17 PM (19 years, 1 month ago)
Results 1 - 10 of about 309,000 for mozilla css bugs. (0.19 seconds)
and
Results 1 - 10 of about 783,000 for internet explorer css bugs. (0.21 seconds)
BrAiN
Re: killing a particular piece of spyware [Re: Vvellum]
#3741965 - 02/06/05 06:30 PM (19 years, 1 month ago)
bah... mozilla's bugs are major... As a programmer I have to bend over backwards to handle CSS and tables for Mozilla browsers.
Vvellum
Re: killing a particular piece of spyware [Re: BrAiN]
#3742082 - 02/06/05 06:59 PM (19 years, 1 month ago)
why not follow standards?
BrAiN
Re: killing a particular piece of spyware [Re: Vvellum]
#3742173 - 02/06/05 07:20 PM (19 years, 1 month ago)
I do... the bugs specific to Mozilla are a major pain in the ass though... plus with Flash it gets a bit buggy sometimes... Although I like Mozilla's web developer tools more than IE...
Still.. I gotta use em both. I'm a web programmer/designer... so I try to force myself to use both IE and mozilla equally.
BrAiN
Re: killing a particular piece of spyware [Re: BrAiN]
#3742183 - 02/06/05 07:22 PM (19 years, 1 month ago)
I think a lot of the hatred for IE comes not from inferiority to Mozilla, but:
a) general hatred for Microsoft
and
b) The fact that there's so much spyware out there that can fuck with IE. The thing is though... that's just because IE has a huge corner on the market. If all the hackers out there devoted just as much energy to fucking with Netscape as they do with IE... You'd have a lot more people talking smack about NS/FireFox/Mozilla...
I think both products are equal to be honest... both have a shitload of bugs and a lotta great proprietary features as well.