Sep 28 2004, 04:03 PM - Post #1
Group: Admin | Posts: 29,367 | Joined: 24-January 04 | From: USA | Member No.: 3
Note: This has now morphed to redirect you to a-search.biz.

An example log can be found here: http://www.bleepingcomputer.com/forums/ind...1973&hl=ssearch

You can recognize this infection if they get redirected to ssearch.biz and they have this in their log:

QUOTE
O4 - HKLM\..\Run: [Cache] C:\Documents and Settings\Edited Name\qcache.exe
O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\KNQTWZ]`.dll

It installs a service that has the name of pnpsvc. The service cannot be shut down by conventional means such as through the Services control panel. This service also loads in both forms of Safe Mode (networking and standard). It uses a randomly named file which I have found to be in c:\windows\system32. It also creates a file called pnpservice.inf in the c:\windows\system32 directory. I am unsure what that is for.

An example file is KNQTWZ]`.dll with an MD5 of 2613F9159CF2AF041BA9B04282E601F4. It downloads the file and saves the info file in c:\winnt\system32\ as pnpsvc.inf with the read-only attribute set. pnpsvc.inf has an MD5 of B8AA580284B94670D5B020929837575D.

It creates the following registry keys (where the malware writes a value rather than a subkey, the value name is given in parentheses):

QUOTE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost (value: netsvcs)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application (value: Sources)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application (value: Sources)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application (value: Sources)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\EventLog\Application\PNPSVC

It also adds a bunch of domains and IP addresses to the ZoneMap entries. The service monitors itself and recreates the registry entries if you remove them. The LEGACY keys will need a permission change in order to delete them.

It downloads a UPX-packed version of MYIE that has been altered to open to a porn site located at 206.161.124.180. It saves this file in your profile root as qcache.exe and creates a run entry in the registry like this: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (value: Cache). This file also adds itself to HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache. Qcache.exe has an MD5 of 6186B3CEC1D8BE225D3B41E690D6E205.

To remove it I have the user follow these steps if they are complaining about ssearch.biz redirects:

1. Get a list of their services. If you see a service name of pnpsvc with a display name of Plug and Play svc service, then they have this hijacker. Also have them fix and delete the qcache.exe entry. It won't come back on its own.

2. Find out the name of the DLL by having them check the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pnpsvc\Parameters (value: ServiceDll)

3. Have them add the filename found in step 2 to the HijackThis delete-on-reboot tool and let HijackThis reboot the computer.

4. If the file is gone once that completes, have them run a reg file to remove the various entries for the service. Regedit/Rlite for the LEGACY keys.

Then they should be clean.

BleepingComputer.com cannot be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum. If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.

This post has been edited by Grinler: Nov 3 2004, 10:21 AM
--------------------
Lawrence
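As an added example (not part of the original post, and not code from BleepingComputer or HijackThis), the following PowerShell script automates the detection side of steps 1 and 2 above: it looks for the pnpsvc service, reads the DLL name out of Parameters\ServiceDll, hashes that DLL, pnpsvc.inf and the Run\Cache target against the MD5s given in the post, and checks which of the listed persistence keys are present. It assumes Windows PowerShell 4 or later (for Get-FileHash) run from an elevated prompt; the service name, value names, paths and hashes are the ones the post lists, and a later build of the hijacker would carry different hashes. It only reports; removal stays with the delete-on-reboot step.

```powershell
# Added example, not code from the original post: a read-only triage of the indicators
# the post lists for the pnpsvc / ssearch.biz hijacker. It reports and deletes nothing.
# Assumptions: Windows PowerShell 4 or later (for Get-FileHash), run from an elevated
# prompt, and the hashes/paths below are exactly those given in the post; a newer build
# of the hijacker would carry different hashes, so an unknown hash is not a clean bill.

$KnownMd5 = @{
    '2613F9159CF2AF041BA9B04282E601F4' = 'service DLL (sample named KNQTWZ]`.dll)'
    'B8AA580284B94670D5B020929837575D' = 'pnpsvc.inf'
    '6186B3CEC1D8BE225D3B41E690D6E205' = 'qcache.exe'
}

function Get-Md5IfPresent([string]$Path) {
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToUpper()
    }
}

function Get-HashLabel([string]$Md5) {
    if ($Md5 -and $KnownMd5.ContainsKey($Md5)) { "matches the post's $($KnownMd5[$Md5])" }
    elseif ($Md5) { 'present, hash not listed in the post' }
    else { 'file not found' }
}

function New-Finding([string]$Check, [bool]$Hit, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Hit = $Hit; Detail = $Detail }
}

$findings = @()

# Step 1 of the guide: a service named pnpsvc ("Plug and Play svc service").
$svc = Get-CimInstance Win32_Service -Filter "Name='pnpsvc'"
$findings += New-Finding 'service pnpsvc' ([bool]$svc) $(if ($svc) { "$($svc.DisplayName) [$($svc.State)] $($svc.PathName)" } else { 'absent' })

# A svchost-hosted service only starts if its name is in the netsvcs group.
$netsvcs = @((Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost' -ErrorAction SilentlyContinue).netsvcs)
$findings += New-Finding 'pnpsvc in netsvcs group' ($netsvcs -contains 'pnpsvc') ($netsvcs -join ', ')

# Step 2: the randomly named DLL is recorded in Parameters\ServiceDll. Hash it.
$dll = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\pnpsvc\Parameters' -ErrorAction SilentlyContinue).ServiceDll
if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
$dllMd5 = Get-Md5IfPresent $dll
$findings += New-Finding 'ServiceDll' ([bool]$dll) "$dll md5=$dllMd5 ($(Get-HashLabel $dllMd5))"

# Companion files: pnpsvc.inf in system32 and qcache.exe (the Run\Cache entry).
$inf = Join-Path $env:SystemRoot 'system32\pnpsvc.inf'
$infMd5 = Get-Md5IfPresent $inf
$findings += New-Finding 'pnpsvc.inf' ([bool]$infMd5) "$inf md5=$infMd5 ($(Get-HashLabel $infMd5))"

$run = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue).Cache
$runMd5 = Get-Md5IfPresent $run
$findings += New-Finding 'Run\Cache (qcache.exe)' ([bool]$run) "$run md5=$runMd5 ($(Get-HashLabel $runMd5))"

# Persistence keys the post lists. They survive Safe Mode, the running service recreates
# them, and the LEGACY_* keys need their ACL changed before they can be deleted, so they
# are only cleaned after the DLL has been removed on reboot (steps 3 and 4 of the guide).
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pnpsvc',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pnpsvc',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PNPSVC',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\PNPSVC'
)
foreach ($k in $keys) { $findings += New-Finding $k (Test-Path -LiteralPath $k) '' }

$findings | Format-Table -AutoSize -Wrap
if ($findings | Where-Object Hit) {
    'Indicators present: follow the removal steps in the post (delete the DLL on reboot first).'
}
```

The script deliberately stops at reporting. Because the post says the service recreates its registry entries while it is running and cannot be stopped through the Services console, deleting keys before the DLL is gone just gets them rewritten; the order in the guide (delete-on-reboot for the ServiceDll file, then the reg file and the LEGACY keys) is the one to keep.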