Ssearch.biz and a-search.biz Analysis



#1 Grinler (Lawrence Abrams), Admin

Posted 28 September 2004 - 04:03 PM

The info below applies to Windows XP/2000/2003 only.

Note: This has now morphed to redirect you to a-search.biz

An example log can be found here: http://www.bleepingcomputer.com/forums/ind...1973&hl=ssearch

You can recognize this infection if they get redirected to ssearch.biz and they have this in their log:

O4 - HKLM\..\Run: [Cache] C:\Documents and Settings\Edited Name\qcache.exe
O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\KNQTWZ]`.dll


It installs a service that has the name of pnpsvc. The service cannot be shut down by conventional means such as through the services control panel. This service also loads in both forms of safe mode (network and standard).

It uses a random named file which I have found to be in c:\windows\system32. It also creates a file called pnpservice.inf in the c:\windows\system32 directory. I am unsure what that is for.

An example file is:

KNQTWZ]`.dll with an MD5 of 2613F9159CF2AF041BA9B04282E601F4.

It downloads the file and saves the info file in c:\winnt\system32\ as pnpsvc.inf with the readonly attribute set.

pnpsvc.inf has an MD5 of: B8AA580284B94670D5B020929837575D

It creates the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\\netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\SafeBoot\Minimal\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\SafeBoot\Network\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\\Sources
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Services\Eventlog\Application\\Sources
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Services\EventLog\Application\PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\pnpsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet002\Services\Eventlog\Application\\Sources
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet002\Services\EventLog\Application\PNPSVC


It also adds a bunch of domains and ip addresses to the ZoneMap entries.

The service monitors itself and recreates the registry entries if you remove them.
The legacy keys will need a permission change in order to delete them.

It downloads a UPX packed version of MYIE that has been altered to open to a porn site located at 206.161.124.180. It saves this file in your profile root as qcache.exe and creates a run entry in the registry like this:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Cache

This file also adds itself to HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache

Qcache.exe has an MD5 of 6186B3CEC1D8BE225D3B41E690D6E205.

To remove it I have the user follow these steps if they are complaining about ssearch.biz redirects:

1. Get a list of their services. If you see a service name of pnpsvc with a display name of Plug and Play svc service, then they have this hijacker. Also have them fix and delete the qcache.exe entry. It won't come back on its own.

2. Find out the name of the dll by having them check the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pnpsvc\Parameters\\ServiceDll

3. Have them add the filename found from step 2 to hijackthis delete on reboot tool and let hijackthis reboot your computer.

4. If the file is gone once it completes, have them run a regfile to remove the various entries for the service. Regedit/Rlite for the LEGACIES.

Then they should be clean :thumbsup: Hope this helps some of you as it was driving me nuts.



This is a self-help guide. Use at your own risk.


BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.

Edited by Grinler, 03 November 2004 - 10:21 AM.
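The detection and removal procedure above, as an added example that is not part of Grinler's post: a Python helper that scans HijackThis log text for the two indicators the post lists (the [Cache] Run entry for qcache.exe and the O18 "start" protocol handler pointing at a DLL), compares file contents against the MD5s quoted in the post, and generates the .reg file that step 4 calls for from the key list in the post. The sample log lines are constructed for the example, the function names are mine, and the note about the netsvcs and Sources multi-string values is my own caveat, not something the post states.

```python
"""Triage helpers for the ssearch.biz / a-search.biz hijacker described in the post.

Added example, not code from the post. Log lines in SAMPLE_LOG are constructed.
"""
import hashlib
import re

# MD5s quoted in the post for the files it describes.
KNOWN_MD5 = {
    "2613F9159CF2AF041BA9B04282E601F4": "pnpsvc service DLL (random name in System32)",
    "B8AA580284B94670D5B020929837575D": "pnpsvc.inf",
    "6186B3CEC1D8BE225D3B41E690D6E205": "qcache.exe (altered MYIE)",
}

# "O4 - HKLM\..\Run: [Cache] <profile root>\qcache.exe"
O4_CACHE = re.compile(
    r"^O4 - HKLM\\\.\.\\Run: \[Cache\] (?P<path>.+?qcache\.exe)\s*$", re.IGNORECASE
)
# "O18 - Protocol: start - {CLSID} - <path to dll>"
O18_START = re.compile(
    r"^O18 - Protocol: start - \{[0-9A-F-]{36}\} - (?P<path>.+\.dll)\s*$", re.IGNORECASE
)

# Per-control-set keys the post lists. The service recreates them while it is
# running, so the .reg file is only useful after the DLL is gone (step 3).
SERVICE_KEYS = (
    r"Services\PNPSVC",
    r"Services\EventLog\Application\PNPSVC",
    r"Control\SafeBoot\Minimal\pnpsvc",
    r"Control\SafeBoot\Network\pnpsvc",
    r"Enum\Root\LEGACY_PNPSVC",  # needs a permission change first (step 4)
)
CONTROL_SETS = ("CurrentControlSet", "ControlSet001", "ControlSet002")


def scan_hijackthis_log(text):
    """Return (indicator, path) pairs for log lines matching the post's signatures."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_CACHE.match(line)
        if m:
            hits.append(("qcache_run_entry", m.group("path")))
            continue
        m = O18_START.match(line)
        if m:
            hits.append(("start_protocol_dll", m.group("path")))
    return hits


def identify_by_md5(data):
    """Name the file if its MD5 is one the post quotes, else None."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest().upper())


def removal_regfile():
    """Build the .reg text for step 4: delete the service keys and the Run\\Cache value.

    The netsvcs and EventLog\\Application\\Sources entries the post mentions are
    REG_MULTI_SZ values that list pnpsvc among other names; a .reg file can only
    replace such a value whole, so those are left for a manual edit in regedit.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for cs in CONTROL_SETS:
        for key in SERVICE_KEYS:
            # "[-KEY]" in a .reg file deletes the key and everything under it.
            lines.append("[-HKEY_LOCAL_MACHINE\\SYSTEM\\%s\\%s]" % (cs, key))
    lines += [
        "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
        '"Cache"=-',  # "name"=- deletes a single value
        "",
    ]
    return "\r\n".join(lines)


# Constructed HijackThis excerpt (not a real log) carrying the post's two indicators.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Cache] C:\Documents and Settings\Edited Name\qcache.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\KNQTWZ]`.dll
"""

if __name__ == "__main__":
    for indicator, path in scan_hijackthis_log(SAMPLE_LOG):
        print("%s: %s" % (indicator, path))
    print(removal_regfile())
```

The O18 match is the file to feed HijackThis's delete-on-reboot tool in step 3; the ServiceDll value under the pnpsvc Parameters key should name the same file, and only once it is gone should the generated .reg file be imported.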

