ATTN: TROJAN HIJACK GURUS...
I have a little problem. I've Been Hijacked by a Stealth Trojan and Nobody seems to have ever heard of it?!!
My web browser has been hijacked for the past 2 days and is now permanently being redirected to this crappy search engine called "Magic Search," and my system is being plagued with porn popup ads and popup ads that advertise "Stop Popups!"
The offending URL is this:
http://www.magicsearch.ws
THERE ARE NO KNOWN REMOVAL METHODS AND NOBODY SEEMS TO BE AWARE SUCH A TROJAN-HIJACK EVEN EXISTS! I NEED HELP!!!
I've run the following spyware/Trojan/virus scanner programs with absolutely zero success in getting rid of this nightmare (every single program I ran has been updated with the latest definition, pattern and update files of Feb 11, 2004, and every single program FAILED TO DETECT OR REMOVE the www.MagicSearch.ws Trojan):
Webroot Spy Sweeper v2.2 – FAILED
HijackThis! v1.97.7 - FAILED
Spybot Search & Destroy v1.2.0.8 - FAILED
Spyware Blaster v2.06.0001 - FAILED
Spy Agent v5.1 - FAILED
Lockdown SwatIt! Trojan Squasher v1.07 - FAILED
CWS.Killer (Latest version) - FAILED
Lavasoft Ad-aware v6.01.81 - FAILED
Guidescope v9.994 – FAILED
Norton Tools VirusScan - FAILED
Ad-Zapp v2.206 - FAILED
SmartKiller CWS Variant Remover (latest ver) - FAILED
NGB Cleaner (latest ver) - FAILED
Tauscan's The Cleaner! (latest def)- FAILED
Reg Cleaner v4.2 – N/A
Spybot S&D FileAlyzer v1.0 – N/A
Foundstone’s Vision WinService Mapper v1.001 – N/A
Spy Sweeper fails to find the root cause of this Trojan hijack, nor do any other spyware removers such as "Spyware Blaster," "Spybot Search & Destroy," "Lavasoft Ad-aware (registered version)."
My real internet home page/search page should be www.Google.com and was as of 2 days ago, but MagicSearch has utterly taken over this computer and prevents me from going to Google.com or any other search engine including Yahoo.com, Lycos.com, DogPile.com, WebCrawler.com, MSN.com and countless others, all of which only redirect back to itself: www.magicsearch.ws
MagicSearch.ws is the worst search engine I've ever seen, and only contains links to Viagra and XXX An*al Sex sites and for any search I perform on any subject other than Magic Search’s forced-search results. Let me tell you, I am not looking for Porn nor Viagra nor Pre Teen Sex, I'm looking for a cure to my Basset Hound's issue he’s got which is bad breath! WTF? This trojan has ruined Windows XP. I don’t want to F-DISK because of this crap!
MagicSearch has turned the use of the internet on this system into an utterly useless endeavor; it prevents any other website from loading, and prevents anything but porn and Viagra in the results display windows it forces on me. I am typing this on another system not infected by the MagicSearch.ws parasite. I performed a WHOIS search to see who owns the site, and it's bogus information as to who the owner is.
And I even used the best WHOIS engine on the planet, the one that gets through any NetSol or GoDaddy privacy bots: http://www.cybersyndrome.net/whois.html
Unfortunately, it appears even CyberSyndrome can’t decipher the REAL REGISTRANT of this scourge that has ruined my new system.
I never clicked any popups anywhere in the last few days. The MagicSearch.ws hijack appeared instantly (from what I can tell) as an auto-downloading popunder that was hidden behind a JavaScript PORN AD that Google's Popup Blocker Toolbar failed to kill. This system is connected to a T1 line. The MagicSearch.ws hijack downloaded itself in 2 seconds flat and I have been able to do nothing on my internet connection ever since early this morning, I have been working to find a solution for the past 5 hours to no avail whatsoever.
Even my multiplayer gaming is now severely affected when the stupid MagicSearch throws a pop-under porn or insurance ad onto my screen; it seems to demand 100% of my resources, which interferes with my Medal of Honor, BF1942 and Quake 3 gaming sessions. Whoever heard of SPYWARE that demands your full attention, so much so that they kill whatever application you're running in the foreground so you are forced to look at their unwanted ADVERTISEMENTS! As if this kind of marketing makes me want to buy whatever crap these idiots are selling. If anything, I want to kill somebody, NOT buy what they're so desperate to sell.
Even Norton's Antivirus with the latest pattern file tells me I have no Trojans, no viruses and no spyware of any kind. This is simply not the case, and obviously proves the majority of software on the market designed to rid this type of junk is virtually worthless.
Typing "Google.com" in my Internet Explorer browser results in a failed page load error, then MagicSearch.ws redirects my browser to itself and gives me the following link every single time I try to go to any of my own web pages, URLs or IE Favorites:
http://www.magicsearch.ws/Viagra+Erection.html
I am not looking for Viagra!!!!!!!!!!!! I am looking for a cure to my dog’s bad breath!!!
I'm sick to death of this b---tardized hijack that has killed my day off just trying to figure out how to get my internet back. I can't even log into my email account at www.mail.com to check if there are any replies to this spyware report because MagicSearch forces me back to one of its many Penile Erection sites to further demand my attention and abuse my time!
These companies need to be found and burned to the ground! Their CEOs need to be put in jail or shot on sight. This is an outrageous abuse of people's time and energy, and there must be some laws enacted to end this brazen corruption; otherwise this may be the end of the internet as we know it. Certainly it's the end of my PC, and the end of my productivity this week.
No other website can be browsed except MagicSearch.ws.
No other ‘results’ can be found except MagicSearch.ws's sleazy smut, which it appears they think I am actually going to pay them money to buy from them!
No other website can be loaded nor logged into except MagicSearch.ws
eBay cannot be found nor loaded. All I get is MagicSearch.ws
Searching for eBay.com through MagicSearch.ws, results in 100 Viagra and 100 Pre Teen Porn and 100 Multilevel Marketing sites, but eBay appears to never have existed since MagicSearch cannot find nor will it let me load it. I have lost all of the bids I was planning on bidding on.
Oh, you say use a Sniping Service like BidNapper or AuctionStealer? I would if I could surf on over to those sites, unfortunately, MagicSearch.ws won’t let me do that. It’s too selfish to let me ever see a single website other than itself again.
My so-called "search results" for "Basset Hound" +"remedy" +"Bad breath" should have resulted in various websites and veterinary pages for a cure to my dog Rocky’s foul breath issue, but all I end up getting is XXX Russian Porn sites, intermixed with Viagra rip-offs and insurance offers from Russia! I do not live in Russia. What use is Russian life insurance if I don’t live in Russia?!
What the hell is going on here?! The use of the internet on that new system has become a useless waste of time. I have permanently disconnected my router from that system and pulled out my F-DISK floppy and industrial magnet, which it looks like I am now doomed to using since none of this software seems to be of much use. All because of this crappy little Trojan that nobody on earth seems to know about.
By the way, I have rebooted into safe mode, I've done all the registry searches and did come up with some little treats hanging around deep inside my Windows directories. I would have mentioned this sooner, and provided my HijackThis log, but what's the use when, after deleting the 'suspected files' with HijackThis, every single MagicSearch.ws file is back with a vengeance once I've rebooted.
The file folders of most interest are these:
1) C:\Program Files\Common Files\Services
2) C:\Windows\system32
I have found and “tried to delete” the following suspicious items, which are also active services in my Task Manager. They cannot be turned off. The message is that System Files while “in use” cannot be turned off nor deleted.
C:\Program Files\Common Files\Services\systeem.exe
C:\Program Files\Common Files\Services\exploreer.exe
C:\Program Files\Common Files\Services\tksrv98.exe
Note the extra "e" in the first 2 filez? These service apps, both "systeem.exe" and "exploreer.exe," seem very suspicious and somehow tied to the MagicSearch.ws hijack I've been contaminated with. The TKSRV98.EXE is bizarre and I have no idea what it is, but what I DO know is that 100% of all the spyware apps I have running (each with its latest updates) all failed to catch those 3 files, and they are the only three files I cannot find a Windows Startup List Description for at: http://www.answersthatwork.com/Tasklist_pages/tasklist.htm in their "Windows Background Task List Dictionary" lookup service, which usually has everything a person can imagine, including Trojans, Worms and Spyware. The 3 Trojans above that have somehow taken over my system are NOT LISTED.
Even in command-line mode by booting into "safe mode" without logging onto WinXP (I use a modified boot disk from www.bootdisk.com) I cannot delete the three suspicious files from my HDD. And in my experience, safe-mode command line always works when trying to "del" or "deltree" a dir or sub. My attempt to rid myself of this scourge is harder than trying to delete the system kernel would be, if I were ever stupid enough to try. These three files simply will not let me delete nor modify them, and I know they are part of the MagicSearch.ws that has cruelly stolen time away from my life and resources in trying to rid them from an otherwise perfectly functioning system.
This is a sadistic and vicious hoax and I am sick to death of being abused by these criminals who seek to ravage the internet and ruin its usefulness to peddle their crap nobody wants. The idiots behind these programs need to get a life. If they get a kick out of blowing people's time and energy or some sick-headed ego trip from ruining the internet or its usefulness as we know it, then I have only one thing to say to them: KARMA. I would hate to be in their shoes right now. Karma tends to fu*ck people like this and criminalize everything they do, good or bad. It's one thing to earn an honest living, it's another to spoil other people's ability to do the same.
Any suggestions on this www.MagicSearch.ws thing or should I go ahead and F-DISK everything and start over…
HERE ARE MY VARIOUS LOGS (HIJACKTHIS, FILE ANALYZER, ETC.) IF YOU CAN DEDUCE WHAT’S GOING ON, LET ME KNOW. EVERY LINE IN HIJACKTHIS THAT CONTAINS “MAGICSEARCH.WS” HAS BEEN DELETED. THEY ALL REAPPEAR ON NEXT REBOOT. FYI, ALSO I AM USING “IE WATCHGUARD” AND MUR-BLASTER, THEY BOTH FAIL TO PREVENT THIS TOTAL SYSTEM HIJACK.
ALSO, IN CASE ANYONE WANTS TO KNOW, I AM LOGGED IN WITH ADMINISTRATIVE PRIVILEGES, CANNOT DELETE "SUSPECT" TROJAN .EXE FILES. CAN ANYONE HELP ME??! I GIVE UP!!!
************************
FileAlyzer © 2003 Patrick M. Kolla. All Rights Reserved.
************************
Created: 2/11/2004 5:47:38 PM
Suspect File: C:\Program Files\Common Files\Services\exploreer.exe
***** General ***
Object Name: EXPLOREER.EXE
Location: C:\Program Files\Common Files\Services\
Size: 21568
Version: Null Value
CRC-32: 3F34958F
MD5: 5BC7AB58452686206E9E1BE5561BDBBD
Read only: YES
Hidden: YES
System file: YES
Directory: NO
Archive: NO
Symbolic link: NO
Time stamp: Wednesday, February 11, 2004 3:09:22 PM
File Created: Wednesday, February 10, 2004 4:00:34 PM
Last access: Wednesday, February 11, 2004 5:47:20 PM
Last write: Wednesday, February 11, 2004 3:09:22 PM
***** PE Header ***
Signature: 00004550
Number of sections: 000B
Time/Date stamp: 2A425E19
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 818E
Magic: 010B
Linker version (major): 02
Linker version (minor): 18
Size of code: 00007000
Size of initialized data: 00001600
Size of uninitialized data: 00000000
Address of entry point: 00011000
Base of code: 00001000
Base of data: 00008000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00012040
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00004000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010
*** PE Sections ************************
Section VirtSize VirtAddr PhysSize PhysAddr Flags
00007000 00001000 00003200 00000400 C0000040
00001000 00008000 00000200 00003600 C0000040
00001000 00009000 00000000 00003800 C0000040
00001000 0000A000 00000400 00003800 C0000040
00001000 0000B000 00000000 00003C00 C0000040
00001000 0000C000 00000200 00003C00 C0000040
00001000 0000D000 00000000 00003E00 C0000040
00001000 0000E000 00000200 00003E00 C0000040
00002000 0000F000 00001200 00004000 C0000040
00000040 00011000 00000040 00005200 C0000040
00000040 00012000 00000040 00005400 C0000040
***** Import table: SYSTEEM.EXE ***************
(libraries: 7)
kernel32.dll (imports: 3)
GetProcAddress
GetModuleHandleA
LoadLibraryA
user32.dll (imports: 1)
GetKeyboardType
advapi32.dll (imports: 1)
RegQueryValueExA
advapi32.dll (imports: 1)
RegSetValueExA
user32.dll (imports: 1)
SystemParametersInfoA
shell32.dll (imports: 1)
ShellExecuteExA
wininet.dll (imports: 1)
InternetGetConnectedState
DownLdTrackCookieRAS
******************
FileAlyzer © 2003 Patrick M. Kolla. All Rights Reserved.
******************
Created: 2/11/2004 5:40:52 PM
Suspect File: C:\Program Files\Common Files\Services\systeem.exe
***** General Properties ******************
Object Name: SYSTEEM.EXE
Location: C:\Program Files\Common Files\Services\
Size: 21568
Version: Null Value
CRC-32: 3F34958F
MD5: 5BC7AB58452686206E9E1BE5561BDBBD
Read only: YES
Hidden: YES
System file: YES
Directory: NO
Archive: NO
Symbolic link: NO
Time stamp: Wednesday, February 11, 2004 3:09:22 PM
File Created: Wednesday, February 09, 2004 12:23:52 PM
Last access: Wednesday, February 11, 2004 5:40:12 PM
Last write: Wednesday, February 11, 2004 3:09:22 PM
***** PE Header ***************************
Signature: 00004550
Number of sections: 000B
Time/Date stamp: 2A425E19
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 818E
Magic: 010B
Linker version (major): 02
Linker version (minor): 18
Size of code: 00007000
Size of initialized data: 00001600
Size of uninitialized data: 00000000
Address of entry point: 00011000
Base of code: 00001000
Base of data: 00008000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00012040
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002-Windows (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00004000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010
**** PE Sections ******************
Section VirtSize VirtAddr PhysSize PhysAddr Flags
00007000 00001000 00003200 00000400 C0000040
00001000 00008000 00000200 00003600 C0000040
00001000 00009000 00000000 00003800 C0000040
00001000 0000A000 00000400 00003800 C0000040
00001000 0000B000 00000000 00003C00 C0000040
00001000 0000C000 00000200 00003C00 C0000040
00001000 0000D000 00000000 00003E00 C0000040
00001000 0000E000 00000200 00003E00 C0000040
00002000 0000F000 00001200 00004000 C0000040
00000040 00011000 00000040 00005200 C0000040
00000040 00012000 00000040 00005400 C0000040
***** Import table: SYSTEEM.EXE ***************
(libraries: 7)
kernel32.dll (imports: 3)
GetProcAddress
GetModuleHandleA
LoadLibraryA
user32.dll (imports: 1)
GetKeyboardType
advapi32.dll (imports: 1)
RegQueryValueExA
advapi32.dll (imports: 1)
RegSetValueExA
user32.dll (imports: 1)
SystemParametersInfoA
shell32.dll (imports: 1)
ShellExecuteExA
wininet.dll (imports: 1)
InternetGetConnectedState
DownLdTrackCookieRAS
Logfile of HijackThis v1.97.7
Scan saved at 4:02:16 PM, on 2/11/2004
Platform: Windows XP SP1a
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Progra~1\Common Files\Services\tksrv98.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Progra~1\Common Files\Services\Systeem.exe
C:\Progra~1\Common Files\Services\Exploreer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\Progra~1\AtomicClock\Atomic.exe
C:\Progra~1\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Progra~1\Common Files\Services\exploreer.exe
C:\Progra~1\Internet Explorer\iexplore.exe
C:\Progra~1\RegCleaner\RegCleanr.exe
C:\Progra~1\Foundstone\Vision\Vision.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.magicsearch.ws/?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Magic Search.ws
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.magicsearch.ws/?q=
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRA~1\Adobe\Acrobat 5.0\Reader\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\PROGRA~1\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad Aware Six\Ad-aware.exe"
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\AtomicClock\Atomic.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MicrosoftWindows] C:\Program Files\Common Files\Services\exploreer.exe
O4 - Global Startup: Guidescope.lnk = C:\Program Files\Guidescope\guide.exe
O4 - HKLM\..\Run: [MicrosoftWindows] C:\PROGRA~1\Common Files\Services\exploreer.exe
O8 - WWW Prefix: http://www.magicsearch.ws/?q=Null.html
O8 - DefaultPrefix01: http://www.magicsearch.ws/?q=PreTeen+Sex.html
O8 - DefaultPrefix02: http://www.magicsearch.ws/?q=Online+Loan.html
O8 - DefaultPrefix03: http://www.magicsearch.ws/?q=Arizona+Health+Insurance.html
O8 - DefaultPrefix04: http://www.magicsearch.ws/?q=Sex+p--sy+Anal.html
O8 - DefaultPrefix05: http://www.magicsearch.ws/?q=Viagra+Erection+Porn.html
O8 - DefaultPrefix06: http://www.magicsearch.ws/?q=Personal+Loan.html
O8 - DefaultPrefix07: http://www.magicsearch.ws/?q=Toys+Anal+Teen.html
O8 - DefaultPrefix08: http://www.magicsearch.ws/?q=Payday+Loan+Online.html
O8 - DefaultPrefix09: http://www.magicsearch.ws/?q=Bill+Consolidation.html
O8 - DefaultPrefix10: http://www.magicsearch.ws/?q=Payday+Viagra+Sex.html
O9 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O9 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O9 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
******* EOF ********
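The HijackThis log above can be triaged mechanically rather than line by line. The following is an added example (not code from the post, from HijackThis, or from any tool the poster names): it parses the R0/R1, O4 and O8 line shapes visible in the log, flags every entry whose URL points at a chosen domain, groups the O4 autorun entries by the binary they launch (the posted log starts the same exploreer.exe from both HKLM and HKCU under the name "MicrosoftWindows", which is one reason deleting one line at a time does not stick), and checks each launched file name for one-character lookalikes of Windows core process names, the systeem/exploreer pattern the poster spotted by eye. The sample log is a constructed subset of the posted one; the core-process list and the lookalike threshold are the example's own choices.

```python
"""HijackThis 1.x log triage for a search-engine hijack (added example).

Not code from the original post, from HijackThis, or from any tool the post
names. Parses R0/R1, O4 and O8 lines, flags URLs on one domain, groups
autoruns by launched binary, and flags core-process-name lookalikes.
"""
import re
from urllib.parse import urlparse

# Constructed sample in the same shape as the posted log (a subset of it).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.magicsearch.ws/?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magicsearch.ws
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\PROGRA~1\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MicrosoftWindows] C:\Program Files\Common Files\Services\exploreer.exe
O4 - HKLM\..\Run: [MicrosoftWindows] C:\PROGRA~1\Common Files\Services\exploreer.exe
O8 - DefaultPrefix02: http://www.magicsearch.ws/?q=Online+Loan.html
"""

R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
O8_LINE = re.compile(r"^O8 - (\w+): (.+)$")
# Windows core process names a dropper typically imitates (example's own list).
CORE_NAMES = ("system", "explorer", "svchost", "services", "lsass", "winlogon", "smss", "csrss")


def parse_log(text):
    """Return one dict per recognised line; other line types are skipped."""
    entries = []
    for line in text.splitlines():
        if m := R_LINE.match(line):
            _kind, hive, key, value, data = m.groups()
            entries.append({"kind": "R", "hive": hive, "key": key, "value": value, "data": data})
        elif m := O4_LINE.match(line):
            hive, name, command = m.groups()
            entries.append({"kind": "O4", "hive": hive, "name": name, "command": command})
        elif m := O8_LINE.match(line):
            name, data = m.groups()
            entries.append({"kind": "O8", "name": name, "data": data})
    return entries


def host_of(url):
    return (urlparse(url.strip()).hostname or "").lower()


def normalize_exe(command):
    """Path of the launched .exe, 8.3 short name PROGRA~1 expanded, lower-cased."""
    m = re.match(r'\s*"?(.*?\.exe)\b', command, re.I)
    exe = m.group(1) if m else command.strip()
    return re.sub(r"progra~1", "Program Files", exe, flags=re.I).lower()


def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(exe_path):
    """Core process name this file name is exactly one edit away from, or None."""
    name = re.sub(r"\.exe$", "", exe_path.rsplit("\\", 1)[-1].lower())
    for core in CORE_NAMES:
        if name != core and edit_distance(name, core) == 1:
            return core
    return None


def triage(entries, bad_domain):
    """Registry values to reset, O8 prefixes to delete, autoruns to remove."""
    bad_domain = bad_domain.lower()

    def hijacked(url):
        host = host_of(url)
        return host == bad_domain or host.endswith("." + bad_domain)

    launched = {}
    for e in entries:
        if e["kind"] == "O4":
            exe = normalize_exe(e["command"])
            item = launched.setdefault(exe, {"exe": exe, "hives": [], "names": []})
            item["hives"].append(e["hive"])
            item["names"].append(e["name"])
    autoruns = []
    for item in launched.values():
        item["lookalike_of"] = lookalike(item["exe"])
        # Same binary from more than one autorun location, or a core-name lookalike.
        if len(item["hives"]) > 1 or item["lookalike_of"]:
            autoruns.append(item)
    return {
        "registry_resets": [(e["hive"], e["key"], e["value"])
                            for e in entries if e["kind"] == "R" and hijacked(e["data"])],
        "prefixes_to_delete": [e["name"] for e in entries
                               if e["kind"] == "O8" and hijacked(e["data"])],
        "autoruns_to_remove": autoruns,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(parse_log(SAMPLE_LOG), "magicsearch.ws"), indent=2))
```

Run against the full posted log, the registry_resets list is the set of R0/R1 values to put back to the user's own home and search pages, prefixes_to_delete is the whole O8 DefaultPrefix block, and autoruns_to_remove names exploreer.exe once, with both hives attached. The order that matters in practice is the reverse of how the poster worked: remove the autorun entries and the files they launch first, then reset the R entries, since a process that imports RegSetValueExA and is relaunched at every logon will rewrite them otherwise.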
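The FileAlyzer dumps above carry more than the poster drew out of them, and the two files are byte-identical (same size, CRC-32 and MD5), so one reading covers both. The following is an added example, not code from the post or from FileAlyzer: it re-reads the header fields and section table in the posted format, decodes the COFF Characteristics and section flag bits by their PE/COFF specification names, locates the section that contains the entry point, converts the Time/Date stamp, and summarises the import table. The embedded dump is a constructed excerpt with the values copied from the posted one; the reading that a tiny trailing section holding the entry point, no section flagged executable, and imports reduced to LoadLibraryA/GetProcAddress are consistent with a packed binary is a heuristic, not proof.

```python
"""PE header triage from a FileAlyzer text dump (added example).

Not code from the original post or from FileAlyzer. Decodes the COFF and
section flag bits, finds the entry-point section, converts the link time
stamp and summarises the import table. DUMP is a constructed excerpt with
the values copied from the posted report.
"""
import re
from datetime import datetime, timezone

DUMP = """
Time/Date stamp: 2A425E19
Characteristics: 818E
Address of entry point: 00011000
Section VirtSize VirtAddr PhysSize PhysAddr Flags
00007000 00001000 00003200 00000400 C0000040
00001000 00008000 00000200 00003600 C0000040
00001000 00009000 00000000 00003800 C0000040
00001000 0000A000 00000400 00003800 C0000040
00001000 0000B000 00000000 00003C00 C0000040
00001000 0000C000 00000200 00003C00 C0000040
00001000 0000D000 00000000 00003E00 C0000040
00001000 0000E000 00000200 00003E00 C0000040
00002000 0000F000 00001200 00004000 C0000040
00000040 00011000 00000040 00005200 C0000040
00000040 00012000 00000040 00005400 C0000040
kernel32.dll (imports: 3)
GetProcAddress
GetModuleHandleA
LoadLibraryA
advapi32.dll (imports: 1)
RegSetValueExA
"""

# IMAGE_FILE_* and IMAGE_SCN_* bit names from the PE/COFF specification.
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LOCAL_SYMS_STRIPPED",
    0x0008: "LINE_NUMS_STRIPPED", 0x0080: "BYTES_REVERSED_LO", 0x0100: "32BIT_MACHINE",
    0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI",
}
SECTION_FLAGS = {
    0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA", 0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE",
}
BORLAND_STAMP = 0x2A425E19  # fixed TimeDateStamp written by Borland's (Delphi) linker

FIELDS = {"Time/Date stamp": "timestamp", "Characteristics": "characteristics",
          "Address of entry point": "entry_point"}
FIELD = re.compile(r"^(Time/Date stamp|Characteristics|Address of entry point): ([0-9A-Fa-f]+)$")
SECTION_ROW = re.compile(r"^" + r" ".join([r"([0-9A-Fa-f]{8})"] * 5) + r"$")
DLL_LINE = re.compile(r"^(\S+\.dll) \(imports: \d+\)$", re.I)
IDENT = re.compile(r"^[A-Za-z_]\w*$")


def decode_bits(value, table):
    """Names of the set bits, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def link_time(stamp):
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def parse_dump(text):
    info = {"sections": [], "imports": {}}
    dll = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := FIELD.match(line):
            info[FIELDS[m.group(1)]] = int(m.group(2), 16)
        elif m := SECTION_ROW.match(line):
            vs, va, ps, pa, fl = (int(x, 16) for x in m.groups())
            info["sections"].append({"virt_size": vs, "virt_addr": va,
                                     "phys_size": ps, "phys_addr": pa, "flags": fl})
        elif m := DLL_LINE.match(line):
            dll = m.group(1).lower()
            info["imports"].setdefault(dll, [])
        elif dll and IDENT.match(line):      # bare identifier after a DLL header
            info["imports"][dll].append(line)
    return info


def triage(info):
    entry, secs = info["entry_point"], info["sections"]
    idx, sec = next((i, s) for i, s in enumerate(secs, 1)
                    if s["virt_addr"] <= entry < s["virt_addr"] + max(s["virt_size"], 1))
    imports = {n for names in info["imports"].values() for n in names}
    return {
        "link_time": link_time(info["timestamp"]).isoformat(),
        "borland_fixed_stamp": info["timestamp"] == BORLAND_STAMP,
        "characteristics": decode_bits(info["characteristics"], FILE_CHARACTERISTICS),
        "entry_section": idx,                      # 1-based index into the table
        "entry_section_size": sec["virt_size"],
        "entry_in_code_section": bool(sec["flags"] & 0x20000020),
        "executable_sections": sum(1 for s in secs if s["flags"] & 0x20000000),
        "uniform_section_flags": len({s["flags"] for s in secs}) == 1,
        # VirtSize > 0 with PhysSize 0: reserved by the loader, filled at run time.
        "virtual_only_sections": sum(1 for s in secs if s["phys_size"] == 0 < s["virt_size"]),
        "resolves_imports_at_runtime": {"LoadLibraryA", "GetProcAddress"} <= imports,
        "writes_registry": "RegSetValueExA" in imports,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(parse_dump(DUMP)), indent=2))
```

On the posted values this reports an entry point inside the tenth of eleven sections, a 0x40-byte section flagged only as initialised data, read and write, with every section carrying that same C0000040 flag word and none marked executable or as code; three sections with a file size of zero that the loader nevertheless maps; a link stamp of 1992-06-19 22:22:17 UTC, the constant Borland's linker writes rather than a real build time; and an import table small enough that most of the program's API use must be resolved at run time through GetProcAddress. RegSetValueExA is imported directly, which fits the poster's observation that the R entries come back after every reboot.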