CoolWebSearch & Umaxsearch.com


NOISEY

Oct 31, 2003, 4:58:53 PM
Hi,

Every now and then when I click on one of Google's replies I am sent
to a CoolWebSearch or Umaxsearch website.

I am still having this problem after running CWShredder.

Does anyone know of a fix? I am afraid this is a new CWS variant.

Thanks,


NZ

YK

Oct 31, 2003, 5:37:44 PM

You don't have to be afraid of CWS, just on the watch. It's in the HOSTS
file I use and IE-SPYAD, so their presence is known. They breed faster than
cockroaches, or mutate more than Chernobyl rats. They are after the
"pay-for-click" market and are ruthless in their methods.

HijackThis is the best tool to identify this mutant rodent.

NOISEY

Oct 31, 2003, 10:28:02 PM
Here is my Hijack log. I hope this helps.

Logfile of HijackThis v1.97.3
Scan saved at 9:27:55 PM, on 10/31/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Documents and Settings\Administrator\Desktop\p rollz\WinKill.exe
C:\Program Files\Babylon\Babylon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\p rollz\mIRC\mirc.exe
C:\Program Files\Netscape\Communicator\Winamp\winamp.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ms.bermudian.org:80
O1 - Hosts: 213.159.117.51 clicktraq.mtree.com
O1 - Hosts: 213.159.117.51 download.globaldialer.net
O1 - Hosts: 213.159.117.51 dyntraq.mtree.com
O1 - Hosts: 213.159.117.51 network.nocreditcard.com
O1 - Hosts: 213.159.117.51 network.nocreditcard.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - Startup: WinKill.lnk = C:\Documents and Settings\Administrator\Desktop\p rollz\WinKill.exe
O4 - Startup: Things to Do.txt.lnk = C:\Documents and Settings\Administrator\Desktop\Things to Do.txt
O4 - Startup: Babylon.lnk = C:\Program Files\Babylon\Babylon.exe
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for i: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: ChatSpace Java Client 2.1.0.88L - http://216.65.197.84:8080/Java/cs4msl088.cab
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://streamp.babenet.com/cabs/videox.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} (IMCv1 Control) - http://207.142.8.119:1995/talk.cab
O16 - DPF: {73020B72-CDD6-4F80-8098-1B2ECD9CA4CA} (VoiceCafe Inc) - http://lao2000.com/dekunban.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {76D31A21-9402-11D6-97B6-0010DC2A6243} (SecureLogin.SecureControl) - https://secure2.comned.com/signuptemplates/ActiveSecurity.CAB
O16 - DPF: {79BB2CA8-6079-462B-B68A-C7AAA588FD8A} (WebDeployerUtil.ctlUtil) - http://voicecafe.optecs.net/installables/WebDeployerUtil.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://142.163.191.17/activex/AxisCamControl.ocx
O16 - DPF: {9C4A08D4-0F64-4D51-9422-B01EA9E217F0} (WebDeployer2.ctlLoader) - http://voicecafe.optecs.net/installables/WebDeployer2.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37773.9630092593
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/webregtest/RegDload.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

Thanks,


NZ

YK

Nov 1, 2003, 1:43:56 PM
NOISEY wrote:
> Here is my Hijack log. I hope this helps.
<snip>

With all Internet Explorer windows closed delete these:

> O1 - Hosts: 213.159.117.51 clicktraq.mtree.com
> O1 - Hosts: 213.159.117.51 download.globaldialer.net
> O1 - Hosts: 213.159.117.51 dyntraq.mtree.com
> O1 - Hosts: 213.159.117.51 network.nocreditcard.com
> O1 - Hosts: 213.159.117.51 network.nocreditcard.net

These direct to xwebsearch.biz, a CWS parasite mutant.

I do not see any other evidence of CWS, but it is best to consult the experts
at http://forums.spywareinfo.com/index.php?showforum=11 (read the FAQ
first: http://forums.spywareinfo.com/index.php?act=ST&f=24&t=5187).
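The HOSTS check YK describes above, as an added example that is not code from this thread or from HijackThis. A protective HOSTS file (the kind YK uses) maps unwanted names to 127.0.0.1 or 0.0.0.0 so they resolve nowhere; the CWS entries in the log instead map names to a public address, 213.159.117.51, so the browser is silently sent to that host. The script parses HijackThis "O1 - Hosts:" lines (or a raw HOSTS file), groups names by target address, and flags only targets that are public IPs; loopback and 0.0.0.0 targets are treated as benign sinkholes, and private addresses are reported separately for a manual look. The sample log text is constructed: it takes the five O1 lines above and adds two made-up blocking entries under .invalid names.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: the O1 lines from the HijackThis log in this
# thread, plus two made-up blocking-style entries (loopback / 0.0.0.0 under
# .invalid names) of the kind a protective HOSTS file contains.
SAMPLE_LOG = """\
Logfile of HijackThis v1.97.3
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
O1 - Hosts: 213.159.117.51 clicktraq.mtree.com
O1 - Hosts: 213.159.117.51 download.globaldialer.net
O1 - Hosts: 213.159.117.51 dyntraq.mtree.com
O1 - Hosts: 213.159.117.51 network.nocreditcard.com
O1 - Hosts: 213.159.117.51 network.nocreditcard.net
O1 - Hosts: 127.0.0.1 ads.example.invalid
O1 - Hosts: 0.0.0.0 tracker.example.invalid
O9 - Extra button: Related (HKLM)
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")


def parse_o1_lines(log_text):
    """Return (ip, hostname) pairs from HijackThis 'O1 - Hosts:' lines.
    Every other log line is ignored."""
    pairs = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            pairs.append((m.group("ip"), m.group("host").lower()))
    return pairs


def parse_hosts_file(hosts_text):
    """Return (ip, hostname) pairs from a raw HOSTS file body:
    '#' comments are stripped, and one IP may be followed by several names."""
    pairs = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def classify(pairs):
    """Group hostnames by target address and give each address a verdict:
    'sinkhole'  loopback or 0.0.0.0: a blocking entry, benign
    'lan'       private or link-local: the user's own machines, check by hand
    'redirect'  any public address: the CWS-style hijack seen in the thread
    'malformed' not a parseable IP address at all"""
    by_ip = defaultdict(list)
    for ip, host in pairs:
        by_ip[ip].append(host)
    findings = []
    for ip, hosts in by_ip.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            verdict = "malformed"
        else:
            if addr.is_loopback or addr.is_unspecified:
                verdict = "sinkhole"
            elif addr.is_private or addr.is_link_local:
                verdict = "lan"
            else:
                verdict = "redirect"
        findings.append({"ip": ip, "hosts": sorted(hosts), "verdict": verdict})
    return findings


def suspicious_entries(text, fmt="hijackthis"):
    """Return only the findings whose target is a public address."""
    pairs = parse_o1_lines(text) if fmt == "hijackthis" else parse_hosts_file(text)
    return [f for f in classify(pairs) if f["verdict"] == "redirect"]


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_LOG):
        print(f"{f['ip']} hijacks: {', '.join(f['hosts'])}")
```

Run against the log above it reports the single address 213.159.117.51 with all five hijacked names and stays silent on the two blocking entries. To check a live machine, pass the contents of %SystemRoot%\system32\drivers\etc\hosts with fmt="hosts". Anything it reports that you did not add yourself is the entry to delete; anything under "lan" deserves a look but is usually your own intranet names.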

NOISEY

Nov 1, 2003, 10:49:06 PM
Thanks for the reply, YK.

I deleted xlplugin.dll from c:\winnt\system32 and those hosts.

xlplugin.dll was doing most of the redirecting. There has been no
redirection on Google to coolwebsearch.com or umaxsearch.com yet.

This may be a new variant, since there was no search reply for it.

Thanks again,


NZ

"YK" <YK...@home.invalid> wrote in message news:<M9Tob.144222$3f.1...@twister01.bloor.is.net.cable.rogers.com>...

YK

Nov 2, 2003, 2:19:48 AM
NOISEY wrote:
> Thanks for the reply, YK.
>
> I deleted xlplugin.dll from c:\winnt\system32 and those hosts.
>
> xlplugin.dll was doing most of the redirecting. There has been no
> redirection on Google to coolwebsearch.com or umaxsearch.com yet.

Glad you found the problem.

> This may be a new variant, since there was no search reply for it.

Yes, it is. Google now has this thread, so others can find this new variant.
Both IE-SPYAD and the HOSTS file I use have this site listed now.

> Thanks again,

YAW. :)
