Free Republic
Browse · Search
News/Activism
Topics · Post Article


WARNING - Intelligent Explorer Virus
12/7/03 | TC

Posted on 12/07/2003 7:20:55 PM PST by Tumbleweed_Connection

I sat down at my station over an hour ago and responded to an Explorer upgrade option without thinking.

This ISN'T a normal option, it was simply a pop-up. Without thinking I responded to upgrade and downloaded a nightmare.

I have yet to break this.

It consists of an additional bar which creates a new home page, http://find.intelius.com with files I've deleted in addition to wwd.ieplugin[1] - and proceeds to initiate infinite pop-ups of EVERY type out of http://www.n-case.com.

ANYTHING internet related will be tattooed with the new bar. "View - Toolbars - Intelligent Explorer" will eliminate the bar from your current page but each new one you bring up will require you to go through the process of removing it again.


TOPICS: News/Current Events
KEYWORDS: antivirus; computervirus; ie; intelligentexplorer; internetexplorer; lowqualitycrap; microsoft; newbar; popups; virus; windows
To: Kenny Bunk
MY ISP (knology Cable) has never given me any problem with my router.

I love having the router. I have it configured to only allow in and out on ports I specify, have it firewalled, and then have Norton AV and Zone Alarm running on all my machines.

Takes a little work to get everything running in Sync, but never have any problems browsing or with online gaming. Now if I could just do something about the FRIGGIN SPAM!!!!!! LOL! I have Spamnet, and it catches about 85-90% of the crap, but I still then have to go in and verify that nothing "Real" got snagged, and then manually delete the hundreds of bad ones.

101 posted on 12/08/2003 6:01:09 AM PST by commish (Freedom Tastes Sweetest to Those Who Have Fought to Preserve It)
[ Post Reply | Private Reply | To 99 | View Replies]

To: ChadGore
Mozilla loads FR a lot faster than IE does on a dialup connection.

-Eric

102 posted on 12/08/2003 6:08:05 AM PST by E Rocc (You might be a liberal if.....a proctologist helps you figure out where your head is at.)
[ Post Reply | Private Reply | To 22 | View Replies]

To: steplock
Thanks for the concern, but I didn't hit NO on the popup ad. My firewall program "asked me" if it was okay to receive a popup supposedly from MS. I clicked NO to that. I know better. :o)
103 posted on 12/08/2003 6:13:27 AM PST by arasina (What will YOU do when Howard Dean or Hillary Clinton is president?)
[ Post Reply | Private Reply | To 39 | View Replies]

To: Free Trapper

>>Besides running the scandisk and defragmenter are there any other basic practices or cleanups for keeping a computer healthy? (for the computer illiterate-me)<<

One of the main reasons people have trouble these days is due to helper applets. Once you've gotten rid of the spyware (i.e. the bad ones), you need to get rid of the "good ones" that you don't use. If you've got more than 4 or 5 icons down in the lower right system tray, you've probably got junk running in the background that doesn't need to be running, you didn't know you had loaded and is of dubious value in the first place.

MSconfig is the best tool for turning this stuff off. Just do START-->Run-->type in MSCONFIG, click ok. Go to the startup tab and start unchecking things. You can turn off everything found there and your computer will still boot. Special keyboards may not have the special functions and other things may stop working that you use. This is your clue to run msconfig again and just recheck the box that appears to apply to whatever thing stopped working.

Furthermore, there is also a very good site that explains what those taskmanager processes are. CTRL-ALT-Delete to open the task manager and then you can decipher what those items are by viewing the following site:

http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

Generally you can link something listed in MSCONFIG with the process name in the taskmanager. By viewing the above site, you can make an informed judgement as to which you should pull and which should remain. If you're lazy, uncheck them all in msconfig and sort out the problems as they come. Heh.

If you have windows 2000 and msconfig is not installed, you can do a google search "windows 2000 msconfig" and find a link where you can download it. The version that runs under XP works fine on 2000. If you still can't find it, freepmail me and I'll put it on my FTP site.

Scandisk and defragment are very good, but not something you need to run more than perhaps once every few months unless you are experiencing a problem.

One final suggestion, delete all the temporary files and cookies you don't use in IE frequently. Tools-->Internet Options-->Delete files. If you don't want to kill all your cookies, open settings-->View files(after you've deleted files, cookies will still be there) and delete all the cookies that don't apply to sites you wish to stay logged into.

Good luck,

-Mal


104 posted on 12/08/2003 6:17:10 AM PST by Malsua
[ Post Reply | Private Reply | To 97 | View Replies]

To: EUPHORIC

Ah, the poor knuckle-dragger got spanked a while ago and is back, lashing out blindly.

105 posted on 12/08/2003 6:25:11 AM PST by Cultural Jihad
[ Post Reply | Private Reply | To 73 | View Replies]

To: Jeff Gordon
Any suggestions? Switch to Mozilla Firebird.

I've been using this for about a week and love it. The only problem I've had so far is a little difficulty with Java. Ameritrade stock streamer, specifically.

I use Eudora for mail and Agent for usenet, so I don't need the full version of Mozilla. This is a great alternative.

106 posted on 12/08/2003 6:26:14 AM PST by Tree of Liberty (I can get you a toe by 3 o'clock this afternoon... WITH nail polish)
[ Post Reply | Private Reply | To 10 | View Replies]

To: Stop Legal Plunder
I'm already in a LAN, as I said, this was my mistake.

Before changing browsers my question still remains, how does the virus support itself if the browser is not IE based?

107 posted on 12/08/2003 6:34:54 AM PST by Tumbleweed_Connection
[ Post Reply | Private Reply | To 65 | View Replies]

To: Malsua
Thanks a million. :)

This is the kind of info I was looking for. I'm not thinking straight enough (flu) right now to tackle this but I'll sure give it a shot. I've got W98 on an older computer and I'm beginning to learn a few things.

Getting Martin's downloads was my first puter class and this will be next. Thanks again. :O)

108 posted on 12/08/2003 6:45:08 AM PST by Free Trapper (One with courage is often a majority)
[ Post Reply | Private Reply | To 104 | View Replies]

To: Tumbleweed_Connection
bttt for later read
109 posted on 12/08/2003 6:50:03 AM PST by clueless idiot
[ Post Reply | Private Reply | To 1 | View Replies]

To: Tree of Liberty
I like "the Bat" for windows email.
110 posted on 12/08/2003 6:51:03 AM PST by bvw
[ Post Reply | Private Reply | To 106 | View Replies]

To: Wacka
Give it a rest.
111 posted on 12/08/2003 6:59:59 AM PST by Publius6961 (40% of Californians are as dumb as a sack of rocks.)
[ Post Reply | Private Reply | To 52 | View Replies]

To: martin_fierro
Quick question, another poster had said that one of the recent Windows updates had disabled his Mozilla which was cleared up after he deleted that latest update. I was going to give the update a shot and back it out (if I could figure out how ;-) if need be. Well, you know how it goes, I've been too lazy to take the shot and get frustrated trying to fix it. So, have you heard of that problem and/or have you done a Windows update in say the last two weeks that has been 'Mozilla compatible'?
112 posted on 12/08/2003 7:01:08 AM PST by StriperSniper (The "mainstream" media is a left bank oxbow lake.)
[ Post Reply | Private Reply | To 9 | View Replies]

To: Tumbleweed_Connection
mark for helpful thread
113 posted on 12/08/2003 7:09:49 AM PST by FourtySeven (47)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Chad Fairbanks; DaughterOfAnIwoJimaVet; EUPHORIC
Get a load of this trollish rant.
114 posted on 12/08/2003 7:41:10 AM PST by Cultural Jihad
[ Post Reply | Private Reply | To 73 | View Replies]

To: Tumbleweed_Connection
I did a search for Gator on my computer. I have a GatorRes.dll and Gator.log that won't delete. It says "Cannot delete Gator. Access denied. The source file may be use."


I had downloaded "No Gator" to rid my computer of Gator (from Bayden Systems-PopupPopper):

"To help prevent the sneaky or accidental installation of GATOR on your PC, simply click this link.

Warning: GATOR continually makes changes to your registry which are incompatible with PopupPopper. If you wish to use PopupPopper, please uninstall the ad/spyware first."


Are those two files that won't delete part of the "No Gator" delete program I downloaded OR are they leftovers from the original Gator?

Are you dizzy yet?



115 posted on 12/08/2003 7:45:09 AM PST by Danette (Bush 2004)
[ Post Reply | Private Reply | To 1 | View Replies]

To: All
I have written a letter in detail reporting this to MSN.

I'll post their response.

116 posted on 12/08/2003 7:45:39 AM PST by Tumbleweed_Connection
[ Post Reply | Private Reply | To 114 | View Replies]

To: Tumbleweed_Connection
Tumbleweed Connection laments:
I sat down at my station over an hour ago and responded to an Explorer upgrade option without thinking.
This ISN'T a normal option, it was simply a pop-up. Without thinking I responded to upgrade and downloaded a nightmare.
I have yet to break this.

I've been using a Macintosh for the last 16 years. Never touched Windows.

I've been on the Internet since 1995.

I use _NO_ "live" virus protection. Nothing at all.

I download freely and _NEVER_ check the downloaded files for viruses, worms, etc.

Having said that...

I've NEVER had a virus infection on any of my computers. Not one.

I've NEVER had a worm infection on any of my computers. Not one.

I've NEVER had a trojan on any of my computers. Not one.

Macintosh: the thinking man's computer (big laugh)!

Cheers!
- John

117 posted on 12/08/2003 8:04:26 AM PST by Fishrrman
[ Post Reply | Private Reply | To 1 | View Replies]

To: Tumbleweed_Connection
Were you able to fix the problem yet? I had a similar problem recently. I know someone else already posted the info about Hijack This and CWShredder as options to correct the problem, but this describes what the process of the spyguerillas and I thought it might be helpful to post it.

By: Mike Healan July 9, 2003

CWS is a trojan that hijacks Internet Explorer start and search settings to one of several different web sites (see below). Most of these web sites appear to have an affiliate relationship with coolwebsearch.com in which coolwebsearch pays them for every visitor they refer. There could be other domains involved in the future.

This hijack is similar to the datanotary.com hijack discovered last month. As with datanotary, the CWS hijack sets Internet Explorer to use a custom style sheet containing javascript that opens a pop up window. In fact, we believe the trojan involved with CWS is an updated version of the same malware involved with datanotary.

In the original variant, the start and search settings were changed to an address in which the letters are converted into an unreadable mess of numbers and % symbols to hide the domain name from the user. It also made it difficult to blacklist the domain. Internet Explorer is able to translate the symbols and load the hijacker's web site.

An executable file named bootconf.exe is copied to the \windows\system32\ folder and set to load at startup. Even if you fix the hijack, this file will reinstall it the next time it is loaded.

More current variants also install a small web server, contained in a file named svchost32.exe. It adds several google addresses (google.de, google.ch, google.ca, etc.), search.yahoo.com, and search.msn.com to the HOSTS file, telling windows that the IP address for those sites is 127.0.0.1, and that's where its webserver is listening.

Yet another variant hijacks Internet Explorer's SearchHook setting with a file named dnsrelay.dll. This redirects all search and start page settings to allhyperlinks.com.

Finally, the trojan lists the hijacker's web site in Internet Explorer's trusted security zone. Domains listed in the trusted security zone have no restrictions on what they can do. This allows that web site to have virtually unlimited access to the infected computer's file system.

We believe the source of the infections might be activex drive by installers located on pornographic web sites, or possibly trojan programs pretending to be illegal serial number generators. Unfortunately, this is just speculation for now.

This trojan is detected by Computer Associates antivirus products under the following names:
Win32.Startpage.C
JS.CSSPopup.B
JScript/IEstart.Trojan
Win32/IEstart.Trojan

Removal Instructions
Merijn, author of HijackThis and StartupList, has created CWShredder specifically to remove this parasite. Please make certain that all browser and folder windows are closed before using CWShredder. If any symptom of the problem remains afterward, then follow these directions below. If you have any problem with CWShredder, please ask for help in our support forums.

This article is located at http://www.spywareinfo.com/articles/cws/

Hijacker Web Sites
The following web sites have been found in log files of people infected with this trojan. To our best knowledge, they are all affiliated with coolwebsearch.com


118 posted on 12/08/2003 8:08:09 AM PST by arasina (What will YOU do when Howard Dean or Hillary Clinton is president?)
[ Post Reply | Private Reply | To 116 | View Replies]
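
The article quoted in post 118 describes two things a user can check directly: search sites pinned to 127.0.0.1 in the HOSTS file, and a start page address hidden behind % codes. The sketch below is an added example, not part of any post or of CWShredder; the function names and the sample HOSTS text are constructed for illustration, and the `google.` prefix match is a simple heuristic.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Names the quoted article says get redirected through the HOSTS file.
WATCHED = ("search.yahoo.com", "search.msn.com")
WATCHED_PREFIX = "google."  # google.de, google.ch, google.ca, ...


def is_watched(host):
    host = host.lower().rstrip(".")
    return host in WATCHED or host.startswith(WATCHED_PREFIX)


def suspicious_hosts_entries(hosts_text):
    """Return (line_no, ip, hostname) for search sites pinned to loopback."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not an address
        if not addr.is_loopback:
            continue
        for name in fields[1:]:
            if is_watched(name):
                findings.append((line_no, fields[0], name.lower()))
    return findings


def decoded_host(url):
    """Undo %XX obfuscation of a start/search page URL and return its host."""
    return urlsplit(unquote(url)).hostname


# Constructed sample, not taken from an infected machine.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   google.de google.ch
127.0.0.1   search.yahoo.com   # added
192.0.2.10  intranet.example
127.0.0.1   search.msn.com
"""

if __name__ == "__main__":
    for hit in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("HOSTS line %d: %s -> %s" % hit)
    print(decoded_host("http://%65%78%61%6d%70%6c%65.test/"))
```

On Windows 2000/XP the HOSTS file normally lives under \windows\system32\drivers\etc\; read it into a string and pass it to `suspicious_hosts_entries`.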

To: Holly_P
I just use the free Zone Alarm version also. The newest one I just upgraded to is v 1.2. As I understand it, Zone Alarm Pro is designed for business use or for server systems - IOW, for folks with a more complicated hookup than one PC with a modem.

Restarted my PC twice since then and got the right homepage. By the end of the week, I should know if this is the solution.
119 posted on 12/08/2003 9:14:02 AM PST by Tall_Texan ("Is Rush a Hypocrite?" http://righteverytime2.blogspot.com)
[ Post Reply | Private Reply | To 88 | View Replies]

To: hmmmmm
The key being to actually read and pay attention.
120 posted on 12/08/2003 9:27:44 AM PST by visualops (Dean: "One revolver and a beer hall short of a good Putsch.")
[ Post Reply | Private Reply | To 94 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson