worldnetsearch?

Discussion in 'Malware Help (A Specialist Will Reply)' started by mcedata, Sep 10, 2004.

  1. mcedata

    mcedata Private E-2

    Hi, I've just run across a new (to me, at least) hijacker. When it infects, it puts three icons on my desktop... http:// links to 5sec.biz, forbiddenconversations.com, and worldnetsearch.org. Spybot and Adaware do not find or remove it. Registry entries are altered to make worldnetsearch.org the default home and search page; when all related registry entries are removed, they regenerate. When the three icons on the desktop are removed, they simply pop back up, practically immediately. I've removed them manually, and with hijackthis, no joy. I have a hijackthis log available, if anyone would like to see it. I've searched the net for info on this for two days, and have found nothing. Example registry entry:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnetsearch.org/

    Anyone have any thoughts...or a cure? Thanks for any input.
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Not finding a lot on it. If you can take the time to do the tutorial:

    http://forums.majorgeeks.com/showthread.php?t=35407

    Then let us know if the problem continues, at which point we will want you to attach your Hijack This log file, but please do all steps, people tend to skip some for some reason.
     
  3. mcedata

    mcedata Private E-2

    Found nothing specifically on this thing, but did some research. It appears to be a variation of the trojan.bookmarker.c; instead of using files named mtwirl32.dll and mtwcnl32.dll, this one uses mtwirl.dll and mtwcnl.dll. I was looking through the hijackthis log and noticed that mtwirl.dll was loading at startup. It looked so much like the mtwirl32.dll that bookmarker uses, I figured I was on to something. I nuked that entry from the registry, removed the file; found also that mtwcnl.dll was the file from which the trojan gets its instructions, and the file from which it re-establishes the registry entries that relate to worldnetsearch should they be removed. Nuked mtwcnl.dll, had hijackthis remove all registry entries that relate to worldnetsearch, booted, and the little bugger is now history.
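
The triage described in the post above, as an added example that is not part of the original thread: it scans HijackThis log text for startup entries that load the DLLs named in the thread and for browser-setting entries that point at the thread's domains, and reports when the loader has to go before the registry values or they will be rewritten. The function names are hypothetical, and the `O4` startup line in the sample is constructed, since the thread does not show how the DLL was registered.

```python
import re
from urllib.parse import urlparse

# Indicators named in the thread above.
WATCH_DOMAINS = {"worldnetsearch.org", "5sec.biz", "forbiddenconversations.com"}
WATCH_DLLS = {"mtwirl.dll", "mtwcnl.dll", "mtwirl32.dll", "mtwcnl32.dll"}

ENTRY = re.compile(r"^\s*([A-Z]\d+)\s+-\s+(.*\S)\s*$")      # e.g. "R1 - ...", "O4 - ..."
DLL = re.compile(r"(?<![\w.])([\w-]+\.dll)\b", re.IGNORECASE)  # bare DLL file names

def host_matches(url, domains):
    """True if the URL's host is a watched domain or a subdomain of one."""
    parsed = urlparse(url if "://" in url else "//" + url)  # tolerate scheme-less values
    host = (parsed.hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(log_text, domains=WATCH_DOMAINS, dlls=WATCH_DLLS):
    """Split log entries into loaders (watched DLLs) and hijacked browser settings."""
    loaders, hijacks = [], []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        if {name.lower() for name in DLL.findall(body)} & dlls:
            loaders.append(line.strip())
        elif section.startswith("R") and " = " in body:
            if host_matches(body.split(" = ", 1)[1], domains):
                hijacks.append(line.strip())
    # While a loader is present, removed R entries are rewritten, as the thread reports.
    return {"loaders": loaders, "hijacks": hijacks,
            "remove_loader_first": bool(loaders and hijacks)}

# Sample log: the R1 line is from the thread; the other lines are constructed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnetsearch.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [mtwirl] rundll32.exe C:\WINDOWS\System32\mtwirl.dll,Run
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

if __name__ == "__main__":
    for kind, found in triage(SAMPLE_LOG).items():
        print(kind, found)
```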
     
  4. Quest2005

    Quest2005 Private E-2

    I received a very similar problem to this where 4 new web addresses kept getting added to my favourites in Internet Explorer and defaulting my home page to the same site as yours. I took your advice and searched on the web for the Trojan Horse and found out how to remove the virus from my computer/registry. Everything appeared fine.

    However, I currently use Adaware and have the latest version and definitions. Although, every time I try and run Adaware it hangs or locks up shortly after starting the memory test .dll file in the System32 directory. The file is called Batmeter.dll which I have looked at and am sure has not been affected by the Trojan Virus. Adaware used to run fine before I encountered the virus and perhaps it is still in the computer's memory and that is why Adaware continues to lock up.

    Can anyone advise? I am planning to download some further Spyware and run these.

    Thanks in advance

    Q
     
