• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 963
  • Last Modified:

have not been able to remove exploit eXactSearch

hello...have tried for several days to remove exactsearch apparently in the registry...as i understand it, it came to me either via email or a download nd attaches itself to the ie toolbar...have run spybot, adaware, and others and they do not detect it...panda active scan does...have tried to remove manually from info at various sites but can not find registry entries or files listed to remove...when i run panda, the problem pops up while scanning the registry...i have scanned the registry many times with different cleaners to no avail...the info i have says this is not a big problem but i use the panda regularly and the change from green to red bothers me...even removed ie 6.0 and the exploit still showed on the panda scan...thought as a last resort i could uninstall, run a registry cleaner and start over...did not work or i did not do it correctly...i have mozilla and thunderbird installed...glad to do without ie but i have several utilities and programs that will not operate with mozilla...any help would be greatly appreciated as i come to experts after i have reached the point of frustration...thanks in advance...
0
ecedwards
Asked:
ecedwards
  • 9
  • 8
  • 2
1 Solution
 
rossfingalCommented:
Hi!

Make sure "Show all Files and Folders", including hidden and system, is enabled.

Download HijackThis (ver. 1.99.1) from:
http://www.gatesofdelirium.com/ee/tools/
Place it into a folder of it's own - something like:
C:\HJT\hijackthis.exe or C:\Program Files\HJT\hijackthis.exe
Do not run it directly from the "Zip" file, a "temp" folder, or the Desktop.
HijackThis makes "backups" and it's good to have them in a centralized location.

With all browser windows closed - run HijackThis and
copy and paste the log file into the Analysis site here:
http://www.hijackthis.de/en

Click on the "Analyze" button; and when the analysis is done -
Click on the "Save Analysis" button -
A page will be generated with your saved analysis -
Post a LINK to that page back here.

Please, do not post your log file here!

We'll take a look at it!  :)

Good luck!
RF
0
 
ecedwardsAuthor Commented:
already had hijack but did not know about the analysis url or how to identify bad entries...


http://www.hijackthis.de/index.php#anl
0
 
rossfingalCommented:
Hi!

That link is not to your log file - it's to the Analysis page.
Copy and paste your log into that page - then hit the "Analyze" button.
After the analysis is done - hit the "Save Analysis" button -
Post a LINK to the page that is generated containing your saved analysis.

RF
0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
ecedwardsAuthor Commented:
0
 
rossfingalCommented:
Hi!

Download and run "Getservices" (free):
http://www.bleepingcomputer.com/files/spyware/getservices.zip

To use this script, download Getservices.zip from the link above and extract the zip file to your C: drive.
Once it is extracted there will be a directory on your C: drive called getservice.
Inside the C:\getservice directory will be a file called getservice.bat
Simply double-click on the getservice.bat file and when it is completed a notepad will open.
Copy and paste the contents of that notepad file back here.

I'm looking at your log right now.

RF
0
 
rossfingalCommented:
Hi!

Never mind using "getservices" - for some reason I was thinking XP, not 98
Ooops!

RF
0
 
rossfingalCommented:

There have been various problems with this patch:
C:\WINDOWS.000\SYSTEM\KB891711\KB891711.EXE
Although, most have been reported with XP - it might cause them in Win 98.
You should think about uninstalling it through Add/Remove Programs - your call.

Did you set (or an anti-spyware program) these restrictions:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Nothing in your log stands out as being "bad".
Did you go through the removal process here:
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453072519

RF
0
 
ecedwardsAuthor Commented:
had removed the win patch previously but went back to startup with the reinstall of ie 6.0 and updates... have removed again from startup...the restrictions i probably did with whichever utility to regain control of ie toolbar...have fixed those also...redid panda and exactsearch  still there...what really bothers me here is that pc world just did an article praising counterspy over all others including webroot...counterspy did not pick this exploit up...had i not been using panda daily i would and probably should have a few doubts with panda...the real frustration with all of this is that you do a download free or trial before pay and you get rid of one spyware and inherit another picked up by yet another utility....feel like i am fighting a losing battle but the war rages on....will deal with you other suggestion now...thanks....
0
 
ecedwardsAuthor Commented:
will have to leave town shortly but will reply to all on friday...

still do not understand why a complete uninstall of ie 6 and registry clean and reinstall will or will not solve my problem...or...is this exploit attached elsewhere also...panda shows only one file infected...
0
 
caza13Commented:
0
 
rossfingalCommented:
Did you go through the removal process here:
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453072519

From above  :)
(I miss stuff, too)
0
 
ecedwardsAuthor Commented:
have been thru the manual list from the site given and i have not been able to find any of the running processes, dll's, or files...i have had meaner bugs but this one has been the most time consuming and difficult to locate and cure...either great stealth or i am missing something...just about out of gas here
0
 
caza13Commented:
I had never tried Panda ActiveScan before, so I thought that I would try it and see what it finds on my computer.  It is indicating that I have Spyware/SurfSideKick and gives the location as ssk.log in my Temporary Internet Files folder.  I couldn't find it, so I just deleted all of the files in that folder.  Another scan shows the same problem.  I suppose that if Panda is the only scanner that can find the problem, you could buy their anti-virus program and see if it will solve the problem.
0
 
ecedwardsAuthor Commented:
got another story...i have used the panda many many times and with  this intrusion i am ready to buy...but...trying to decided between the platinum or the titanium...so i decide on the trial for the platinum to see what the extra features are versus the titanium...downloaded both to disk and could get neither to install... emailed panda saying i am ready to buy with explanation of problem....no response ...[my pc is a 4 plus year old hp pavilion 6683 with a much maligned celeron 2   533 processor...on broadband ...travelling light and moves faster than most would believe, relatively speaking of course ]...i have dclean.exe installed and i clean my disk repeatedly to the point of paranoia when online...when not on ie, i have mozilla set to text only when i want to "feel" more secure...back to task >>> i would still like to hear from someone with the knowledge that...if this thing is attached to the ie6 toolbar and is lodged in the registry...if i uninstall ie and clean the registry, should it not go away??? then reinstall ie6
0
 
rossfingalCommented:
Hi!

You could try running this - "Silent Runners" from -
Download:
http://www.silentrunners.org/Silent%20Runners.vbs
Home page:
http://www.silentrunners.org/index.html
Sometimes, it shows things that HijackThis does not.
While you're at their "Homepage" - check under "Launch Points" -
it shows the places that it checks - informative.

RF
0
 
ecedwardsAuthor Commented:
"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"kmw_run.exe" = "kmw_run.exe" ["Kensington Technology Group"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"PersFw" = "C:\Program Files\Tiny Personal Firewall\persfw.exe" ["Tiny Software"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_Calc_Inis\(Default) = "Windows Setup - Calculator"
                  \StubPath   = "rundll.exe C:\WINDOWS.000\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis_remove 64 C:\WINDOWS.000\INF\applets.inf" [MS]
PerUser_MSWordPad_Inis\(Default) = "Windows Setup - Wordpad"
                       \StubPath   = "rundll.exe C:\WINDOWS.000\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis_remove 64 C:\WINDOWS.000\INF\wordpad.inf" [MS]
PerUser_Dialer_Inis\(Default) = "Windows Setup - Phone Dialer"
                    \StubPath   = "rundll.exe C:\WINDOWS.000\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis_remove 64 C:\WINDOWS.000\INF\appletpp.inf" [MS]
OlsAolPerUser\(Default) = "Windows Setup - America Online"
              \StubPath   = "rundll.exe C:\WINDOWS.000\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 C:\WINDOWS.000\INF\ols.inf" [MS]
OlsAttPerUser\(Default) = "Windows Setup - AT&T WorldNet Service"
              \StubPath   = "rundll.exe C:\WINDOWS.000\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 C:\WINDOWS.000\INF\ols.inf" [MS]
OlsCompuservePerUser\(Default) = "Windows Setup - CompuServe"
                     \StubPath   = "rundll.exe C:\WINDOWS.000\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUserRemove 64 C:\WINDOWS.000\INF\ols.inf" [MS]
OlsProdigyPerUser\(Default) = "Windows Setup - Prodigy Internet"
                  \StubPath   = "rundll.exe C:\WINDOWS.000\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 C:\WINDOWS.000\INF\ols.inf" [MS]
PerUser_Onlinelnks_Inis\(Default) = "Windows Setup - HyperTerminal"
                        \StubPath   = "rundll.exe C:\WINDOWS.000\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis_remove 64 C:\WINDOWS.000\INF\appletpp.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{992CFFA0-F557-101A-88EC-00DD010CCC48}" = "Dial-Up Networking"
  -> {CLSID}\InProcServer32\(Default) = "rnaui.dll" [MS]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "My Digital Camera"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PhotoDeluxe HE 3.1\FotoNation Explorer\camview.dll" ["FotoNation Inc."]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is enabled.

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\My Documents\My Pictures\spring yard 04\Dcp01581.jpg"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS.000\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS.000\SYSTEM\mswsosp.dll [MS], 1 - 4
C:\WINDOWS.000\SYSTEM\msafd.dll [MS], 5 - 7
C:\WINDOWS.000\SYSTEM\rsvpsp.dll [MS], 8 - 9


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS.000\SYSTEM\MSJAVA.DLL" [MS]

{17A27031-71FC-11D4-815C-005004D0F1FA}\
"ButtonText" = "MktBrowser"
"MenuText" = "MarketBrowser"
"Exec" = "C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy" [null data]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
0
 
ecedwardsAuthor Commented:
restored a registry thru dos from 11 / 2004...then the work began deleting remnants and reinstalling...and cleaning and updating and backing up the new registry by increments along the way...still had to be done manually and hijack and silent runner info helped...many thanks to rossfingal and caza13 and experts exchange
0
 
rossfingalCommented:
Hi!

I'm glad someone here could give you some help!

Here are some tips, to reduce the potential for spyware infection in the future,
It's strongly recommended to install the following applications:

    * Spywareblaster <= SpywareBlaster will prevent spyware from being installed -
      http://www.javacoolsoftware.com/spywareblaster.html
    * Spywareguard <= SpywareGuard offers realtime protection
      from spyware installation attempts.
      http://www.wilderssecurity.net/spywareguard.html
    * How to use Ad-Aware to remove Spyware
      <= If you suspect that you have spyware installed on your computer,
      here are instructions on how to download, install and then use Ad-Aware.
      http://www.bleepingcomputer.com/forums/index.php?showtutorial=48
    * How to use Spybot to remove Spyware
      <= If you suspect that you have spyware installed on your computer,
      here are instructions on how to download, install and then use Spybot.
      Similar to Ad-Aware, I strongly recommend both to catch most spyware.
      http://www.bleepingcomputer.com/forums/index.php?showtutorial=43
    * Run CWShredder - to remove numerous variants of {KoolWebSearch}
        {CWShredder - "stand-alone"} - http://cwshredder.net/bin/CWShredder.exe

To protect yourself further:

    * IE/Spyad <= IE/Spyad places over 4000 websites and domains
      in the IE Restricted list
      which will severely impair attempts to infect your system.
      It basically prevents any downloads (Cookies etc) from the sites listed,
      although you will still be able to connect to the sites.
      https://netfiles.uiuc.edu/ehowes/www/resource.htm
    * MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file
      with one containing well know ad sites etc.
      Basically, this prevents your computer from connecting to those sites
      by redirecting them to 127.0.0.1 which is your local computer
      http://mvps.org/winhelp2002/hosts.htm
    * Google Toolbar <= Get the free google toolbar to help stop pop up windows.
      http://toolbar.google.com/

I also suggest that you delete any files from "temp", "tmp" folders.
In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files"
and select the box that says "Delete All Offline Content" and click on "OK" twice.
Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin".
These steps should be done on a regular basis.

And also see TonyKlein's good advice
So how did I get infected in the first place?
http://forums.net-integration.net/index.php?showtopic=3051

Thanks and good luck!
RF
0
 
ecedwardsAuthor Commented:
many thanks for the tips and links...main lesson learned here is to keep a fresh backup registry...would have saved a lot of work...have had cop 2.2 by plato all along but got complacent since i had gone several months without any problems...ain't real sharp with dos but still got this one done...experts exchange is a great site with quality folks...found that out with my very first problem/question...so glad i have 1900 points to spend for future ills...once again, many thanks to you and everyone who makes this site possible!!

                                           e c edwards
0

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

  • 9
  • 8
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now