Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: Cool Web Search
From: Dean Porter <dean () centerpartners com>
Date: Fri, 30 Jul 2004 20:07:06 -0600

Has any one dealt with a similar thing called "searchweb2.com"? 

This installed itself into two folders: "C:\Program Files\htm acid soap",
and "C:\Documents and Settings\All Users\Application Data\spam wipe that
audio" and then integrated itself into Internet Explorer as a "Search Bar",
that you can't turn off or on via the Right-Click (over the toolbars)
toolbars menu. It also sets the home page to point to
"http://searchweb2.com"; and then sets the "page can't be found" to a page
with directory it - which reloads it self. 

Neither Adware nor Spybot did anything about this. BHODemon doesn't see it
either (though I loaded BHODemon after I was hit by this). 

It seems to have a "hidden" process that runs an executable from one of
these folders ("2 LOAD SETUP.exe" or "Once Grid.exe") which loads up two
hidden copies IExplore, if you kill the IExplore processes, they relaunch. 

I cleaned it off my system by booting in safe mode, removing the links from
HLM\Software\Microsoft\Windows\CurrentVersion\Run, cleaning with HiJackThis,
and then deleting the files in these folders.

Anyway, I was wondering if anyone else has dealt with this, what it actually
does (besides create a search bar and pop ads), and if I got it all.  


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]