

HEEELP!! Hijacked by MagicSearch.ws


Original Message
Name: runninghoove
Date: February 11, 2004 at 20:09:06 Pacific
Subject: HEEELP!! Hijacked by MagicSearch.ws
OS: Windows XP Pro
CPU/Ram: Dual AMD MP/768 DDR
Comment:

ATTN: TROJAN HIJACK GURUS...

I have a little problem. I've been hijacked by a stealth Trojan and nobody seems to have ever heard of it?!!

My web browser has been hijacked for the past 2 days and is now permanently being redirected to this crappy search engine called "Magic Search," and my system is being plagued with porn popup ads and popup ads that advertise "Stop Popups!"

The offending URL is this:

http://www.magicsearch.ws

THERE ARE NO KNOWN REMOVAL METHODS AND NOBODY SEEMS TO BE AWARE SUCH A TROJAN-HIJACK EVEN EXISTS! I NEED HELP!!!

I've run the following spyware/Trojan/virus scanner programs with absolutely zero success in getting rid of this nightmare (every single program I ran has been updated with the latest definition, pattern and update files of Feb 11, 2004 and every single program FAILED TO DETECT OR REMOVE the www.MagicSearch.ws Trojan):

Webroot Spy Sweeper v2.2 – FAILED
HijackThis! v1.97.7 - FAILED
Spybot Search & Destroy v1.2.0.8 - FAILED
Spyware Blaster v2.06.0001 - FAILED
Spy Agent v5.1 - FAILED
Lockdown SwatIt! Trojan Squasher v1.07 - FAILED
CWS.Killer (Latest version) - FAILED
Lavasoft Ad-aware v6.01.81 - FAILED
Guidescope v9.994 – FAILED
Norton Tools VirusScan - FAILED
Ad-Zapp v2.206 - FAILED
SmartKiller CWS Variant Remover (latest ver) - FAILED
NGB Cleaner (latest ver) - FAILED
Tauscan's The Cleaner! (latest def)- FAILED
Reg Cleaner v4.2 – N/A
Spybot S&D FileAlyzer v1.0 – N/A
Foundstone’s Vision WinService Mapper v1.001 – N/A

Spy Sweeper fails to find the root cause of this Trojan hijack, nor do any other spyware removers such as "Spyware Blaster," "Spybot Search & Destroy," "Lavasoft Ad-aware (registered version)."

My real internet home page/search page should be www.Google.com and was as of 2 days ago, but MagicSearch has utterly taken over this computer and prevents me from going to Google.com or any other search engine including Yahoo.com, Lycos.com, DogPile.com, WebCrawler.com, MSN.com and countless others, which all redirect back to itself: www.magicsearch.ws

MagicSearch.ws is the worst search engine I've ever seen, and only contains links to Viagra and XXX An*al Sex sites for any search I perform on any subject, other than Magic Search's forced-search results. Let me tell you, I am not looking for Porn nor Viagra nor Pre Teen Sex, I'm looking for a cure to my Basset Hound's issue he's got which is bad breath! WTF? This trojan has ruined Windows XP. I don't want to F-DISK because of this crap!

MagicSearch has turned the use of the internet on this system into an utterly useless endeavor; it prevents any other website from loading, and prevents anything but Porn and Viagra in the results display windows it forces on me. I am typing this on another system not infected by the MagicSearch.ws parasite. I performed a WHOIS search to see who owns the site, and it's bogus information as to who the owner is.
And I even used the best WHOIS engine on the planet, the one that gets through any NetSol or GoDaddy privacy bots: http://www.cybersyndrome.net/whois.html
Unfortunately, it appears even CyberSyndrome can’t decipher the REAL REGISTRANT of this scourge that has ruined my new system.

I never clicked any popups anywhere in the last few days. The MagicSearch.ws hijack appeared instantly (from what I can tell) as an auto-downloading popunder that was hidden behind a JavaScript PORN AD that Google's Popup Blocker Toolbar failed to kill. This system is connected to a T1 line. The MagicSearch.ws hijack downloaded itself in 2 seconds flat and I have been able to do nothing on my internet connection ever since early this morning; I have been working to find a solution for the past 5 hours to no avail whatsoever.

Even my multiplayer gaming is now severely affected when the stupid MagicSearch throws a pop-under porn or insurance ad onto my screen; it seems to demand 100% of my resources, which interferes with Medal of Honor, BF1942 and Quake 3 gaming sessions. Whoever heard of SPYWARE that demands your full attention, so much so they kill whatever application you're running in the foreground so you are forced to look at their unwanted ADVERTISEMENTS! As if this kind of marketing makes me want to buy whatever crap these idiots are selling. If anything, I want to kill somebody, NOT buy what they're so desperate to sell.

Even Norton's Antivirus with the latest pattern file tells me I have no Trojans, no Viruses and no Spyware of any kind. This is simply not the case, and obviously proves the majority of software on the market designed to get rid of this type of junk is virtually worthless.

Typing in "Google.com" in my Internet Explorer browser results in a failed page load error, then MagicSearch.ws redirects my browser to itself and gives me the following link every single time I try to go to any of my own web pages, URLs or IE Favorites:

http://www.magicsearch.ws/Viagra+Erection.html

I am not looking for Viagra!!!!!!!!!!!! I am looking for a cure to my dog’s bad breath!!!

I'm sick to death of this b---tardized hijack that has killed my day off just trying to figure out how to get my internet back. I can't even log into my email account at www.mail.com to check if there are any replies to this spyware report because MagicSearch forces me back to one of its many Penile Erection sites to further demand my attention and abuse my time!

These companies need to be found and burned to the ground! Their CEOs need to be put in jail or shot on sight. This is an outrageous abuse of people's time and energy and there must be some laws enacted to end this brazen corruption, otherwise this may be the end of the internet as we know it; certainly it's the end of my PC, and the end of my productivity this week.

No other website can be browsed except MagicSearch.ws.
No other ‘results’ can be found except MagicSearch.ws's sleazy smut, which it appears they think I am actually going to pay them money to buy from them!
No other website can be loaded nor logged into except MagicSearch.ws
eBay cannot be found nor loaded. All I get is MagicSearch.ws
Searching for eBay.com through MagicSearch.ws, results in 100 Viagra and 100 Pre Teen Porn and 100 Multilevel Marketing sites, but eBay appears to never have existed since MagicSearch cannot find nor will it let me load it. I have lost all of the bids I was planning on bidding on.
Oh, you say use a Sniping Service like BidNapper or AuctionStealer? I would if I could surf on over to those sites, unfortunately, MagicSearch.ws won’t let me do that. It’s too selfish to let me ever see a single website other than itself again.

My so-called "search results" for "Basset Hound" +"remedy" +"Bad breath" should have resulted in various websites and veterinary pages for a cure to my dog Rocky’s foul breath issue, but all I end up getting is XXX Russian Porn sites, intermixed with Viagra rip-offs and insurance offers from Russia! I do not live in Russia. What use is Russian life insurance if I don’t live in Russia?!

What the hell is going on here?! The use of the internet on that new system has become a useless waste of time. I have permanently disconnected my router from that system and pulled out my F-DISK floppy and industrial magnet, which it looks like I am now doomed to using since none of this software seems to be of much use. All because of this crappy little Trojan that nobody on earth seems to know about.

By the way, I have rebooted into safe mode, I've done all the registry searches and did come up with some little treats hanging around deep inside my Windows directories. I would have mentioned this sooner, and provided my HijackThis log, but what's the use when after deleting the 'suspected files' with HijackThis, every single MagicSearch.ws file is back with a vengeance once I've rebooted.

The file folders of most interest are these:

1) C:\Program Files\Common Files\Services
2) C:\Windows\system32

I have found and "tried to delete" the following suspicious items, which are also active services in my Task Manager. They cannot be turned off. The message is that System Files while "in use" cannot be turned off or deleted.

C:\Program Files\Common Files\Services\systeem.exe
C:\Program Files\Common Files\Services\exploreer.exe
C:\Program Files\Common Files\Services\tksrv98.exe

Note the extra "e" in the first 2 files? These service apps, both "systeem.exe" and "exploreer.exe", seem very suspicious and somehow tied to the MagicSearch.ws hijack I've been contaminated with. The TKSRV98.EXE is bizarre and I have no idea what it is, but what I DO know is that 100% of all the spyware apps I have running (each with its latest updates) all failed to catch those 3 files, and they are the only three files I cannot find a Windows Startup List Description for at: http://www.answersthatwork.com/Tasklist_pages/tasklist.htm in their "Windows Background Task List Dictionary" lookup service, which usually has everything a person can imagine, including Trojans, Worms and Spyware. The 3 Trojans above that have somehow taken over my system are NOT LISTED.

Even in Command line mode by booting into "safe mode" without logging onto WinXP (I use a modified boot disk from www.bootdisk.com ) I cannot delete the three suspicious files from my HDD. And in my experience, safe-mode command line always works when trying to "del" or "deltree" a dir or sub. My attempt to rid myself of this scourge is harder than trying to delete the system kernel, if I were ever stupid enough to try. These three files simply will not let me delete or modify them, and I know they are part of the MagicSearch.ws that has cruelly stolen time away from my life and resources in trying to rid them from an otherwise-perfectly functioning system.

This is a sadistic and vicious hoax and I am sick to death of being abused by these criminals who seek to ravage the internet and ruin its usefulness to peddle their crap nobody wants. The idiots behind these programs need to get a life. If they get a kick out of blowing people's time and energy or some sick-headed ego trip from ruining the internet or its usefulness as we know it, then I have only one thing to say to them: KARMA. I would hate to be in their shoes right now. Karma tends to fu*ck people like this and criminalize everything they do, good or bad. It's one thing to earn an honest living, it's another to spoil other people's ability to do the same.

Any suggestions on this www.MagicSearch.ws thing or should I go ahead and F-DISK everything and start over…

HERE ARE MY VARIOUS LOGS (HIJACKTHIS, FILE ANALYZER, ETC.) IF YOU CAN DEDUCE WHAT’S GOING ON, LET ME KNOW. EVERY LINE IN HIJACKTHIS THAT CONTAINS “MAGICSEARCH.WS” HAS BEEN DELETED. THEY ALL REAPPEAR ON NEXT REBOOT. FYI, ALSO I AM USING “IE WATCHGUARD” AND MUR-BLASTER, THEY BOTH FAIL TO PREVENT THIS TOTAL SYSTEM HIJACK.

ALSO, IN CASE ANYONE WANTS TO KNOW, I AM LOGGED IN WITH ADMINISTRATIVE PRIVILEGES, CANNOT DELETE "SUSPECT" TROJAN .EXE FILES. CAN ANYONE HELP ME??! I GIVE UP!!!

************************
FileAlyzer © 2003 Patrick M. Kolla. All Rights Reserved. ************************
Created: 2/11/2004 5:47:38 PM

Suspect File: C:\Program Files\Common Files\Services\exploreer.exe

***** General ***
Object Name: EXPLOREER.EXE
Location: C:\Program Files\Common Files\Services\
Size: 21568
Version: Null Value
CRC-32: 3F34958F
MD5: 5BC7AB58452686206E9E1BE5561BDBBD
Read only: YES
Hidden: YES
System file: YES
Directory: NO
Archive: NO
Symbolic link: NO
Time stamp: Wednesday, February 11, 2004 3:09:22 PM
File Created: Wednesday, February 10, 2004 4:00:34 PM
Last access: Wednesday, February 11, 2004 5:47:20 PM
Last write: Wednesday, February 11, 2004 3:09:22 PM

***** PE Header ***
Signature: 00004550
Number of sections: 000B
Time/Date stamp: 2A425E19
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 818E
Magic: 010B
Linker version (major): 02
Linker version (minor): 18
Size of code: 00007000
Size of initialized data: 00001600
Size of uninitialized data: 00000000
Address of entry point: 00011000
Base of code: 00001000
Base of data: 00008000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00012040
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00004000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

*** PE Sections ************************
Section VirtSize VirtAddr PhysSize PhysAddr Flags
00007000 00001000 00003200 00000400 C0000040
00001000 00008000 00000200 00003600 C0000040
00001000 00009000 00000000 00003800 C0000040
00001000 0000A000 00000400 00003800 C0000040
00001000 0000B000 00000000 00003C00 C0000040
00001000 0000C000 00000200 00003C00 C0000040
00001000 0000D000 00000000 00003E00 C0000040
00001000 0000E000 00000200 00003E00 C0000040
00002000 0000F000 00001200 00004000 C0000040
00000040 00011000 00000040 00005200 C0000040
00000040 00012000 00000040 00005400 C0000040

***** Import table: SYSTEEM.EXE ***************

(libraries: 7)
kernel32.dll (imports: 3)
GetProcAddress
GetModuleHandleA
LoadLibraryA
user32.dll (imports: 1)
GetKeyboardType
advapi32.dll (imports: 1)
RegQueryValueExA
advapi32.dll (imports: 1)
RegSetValueExA
user32.dll (imports: 1)
SystemParametersInfoA
shell32.dll (imports: 1)
ShellExecuteExA
wininet.dll (imports: 1)
InternetGetConnectedState
DownLdTrackCookieRAS

******************
FileAlyzer © 2003 Patrick M. Kolla. All Rights Reserved.
******************

Created: 2/11/2004 5:40:52 PM

Suspect File: C:\Program Files\Common Files\Services\systeem.exe

***** General Properties ******************
Object Name: SYSTEEM.EXE
Location: C:\Program Files\Common Files\Services\
Size: 21568
Version: Null Value
CRC-32: 3F34958F
MD5: 5BC7AB58452686206E9E1BE5561BDBBD
Read only: YES
Hidden: YES
System file: YES
Directory: NO
Archive: NO
Symbolic link: NO
Time stamp: Wednesday, February 11, 2004 3:09:22 PM
File Created: Wednesday, February 09, 2004 12:23:52 PM
Last access: Wednesday, February 11, 2004 5:40:12 PM
Last write: Wednesday, February 11, 2004 3:09:22 PM

***** PE Header ***************************
Signature: 00004550
Number of sections: 000B
Time/Date stamp: 2A425E19
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 818E
Magic: 010B
Linker version (major): 02
Linker version (minor): 18
Size of code: 00007000
Size of initialized data: 00001600
Size of uninitialized data: 00000000
Address of entry point: 00011000
Base of code: 00001000
Base of data: 00008000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00012040
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002-Windows (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00004000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

**** PE Sections ******************
Section VirtSize VirtAddr PhysSize PhysAddr Flags
00007000 00001000 00003200 00000400 C0000040
00001000 00008000 00000200 00003600 C0000040
00001000 00009000 00000000 00003800 C0000040
00001000 0000A000 00000400 00003800 C0000040
00001000 0000B000 00000000 00003C00 C0000040
00001000 0000C000 00000200 00003C00 C0000040
00001000 0000D000 00000000 00003E00 C0000040
00001000 0000E000 00000200 00003E00 C0000040
00002000 0000F000 00001200 00004000 C0000040
00000040 00011000 00000040 00005200 C0000040
00000040 00012000 00000040 00005400 C0000040

***** Import table: SYSTEEM.EXE ***************

(libraries: 7)
kernel32.dll (imports: 3)
GetProcAddress
GetModuleHandleA
LoadLibraryA
user32.dll (imports: 1)
GetKeyboardType
advapi32.dll (imports: 1)
RegQueryValueExA
advapi32.dll (imports: 1)
RegSetValueExA
user32.dll (imports: 1)
SystemParametersInfoA
shell32.dll (imports: 1)
ShellExecuteExA
wininet.dll (imports: 1)
InternetGetConnectedState
DownLdTrackCookieRAS

Logfile of HijackThis v1.97.7
Scan saved at 4:02:16 PM, on 2/11/2004
Platform: Windows XP SP1a
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe

C:\Progra~1\Common Files\Services\tksrv98.exe

C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe

C:\Progra~1\Common Files\Services\Systeem.exe
C:\Progra~1\Common Files\Services\Exploreer.exe

C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\Progra~1\AtomicClock\Atomic.exe
C:\Progra~1\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Progra~1\Common Files\Services\exploreer.exe
C:\Progra~1\Internet Explorer\iexplore.exe
C:\Progra~1\RegCleaner\RegCleanr.exe
C:\Progra~1\Foundstone\Vision\Vision.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.magicsearch.ws/?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Magic Search.ws
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.magicsearch.ws/?q=

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRA~1\Adobe\Acrobat 5.0\Reader\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\PROGRA~1\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad Aware Six\Ad-aware.exe"
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\AtomicClock\Atomic.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MicrosoftWindows] C:\Program Files\Common Files\Services\exploreer.exe
O4 - Global Startup: Guidescope.lnk = C:\Program Files\Guidescope\guide.exe
O4 - HKLM\..\Run: [MicrosoftWindows] C:\PROGRA~1\Common Files\Services\exploreer.exe

08 - WWW Prefix: http://www.magicsearch.ws/?q=Null.html
O8 - DefaultPrefix01: http://www.magicsearch.ws/?q=PreTeen+Sex.html
O8 - DefaultPrefix02: http://www.magicsearch.ws/?q=Online+Loan.html
O8 - DefaultPrefix03: http://www.magicsearch.ws/?q=Arizona+Health+Insurance.html
O8 - DefaultPrefix04: http://www.magicsearch.ws/?q=Sex+p--sy+Anal.html
O8 - DefaultPrefix05: http://www.magicsearch.ws/?q=Viagra+Erection+Porn.html
O8 - DefaultPrefix06: http://www.magicsearch.ws/?q=Personal+Loan.html
O8 - DefaultPrefix07: http://www.magicsearch.ws/?q=Toys+Anal+Teen.html
O8 - DefaultPrefix08: http://www.magicsearch.ws/?q=Payday+Loan+Online.html
O8 - DefaultPrefix09: http://www.magicsearch.ws/?q=Bill+Consolidation.html
O8 - DefaultPrefix10: http://www.magicsearch.ws/?q=Payday+Viagra+Sex.html

O9 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O9 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O9 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

******* EOF ********




Response Number 1
Name: Dog
Date: February 11, 2004 at 20:30:32 Pacific

Go Here

http://www.computing.net/security/wwwboard/forum/9514.html

HTH
D4



Response Number 2
Name: Dog
Date: February 11, 2004 at 20:32:29 Pacific

O4 - HKCU\..\Run: [MicrosoftWindows] C:\Program Files\Common Files\Services\exploreer.exe

explorEEr.exe is not a legitimate program.

D4



Response Number 3
Name: sxshep
Date: February 12, 2004 at 13:10:51 Pacific


Disconnect from the internet

Open Task manager (ctrl/alt/delete) End process for:

exploreer.exe
Systeem.exe

Then delete the entire folder here:
C:\Program Files\Common Files\Services

Close ALL windows, open HJT, scan, and put marks in the following. Hit the Fix checked button (make sure you get them all).

Remove the two entries below (the filename will have changed since the last time):
O4 - HKLM\..\Run: [MicrosoftWindows] C:\Program Files\Common Files\Services\filename
O4 - HKCU\..\Run: [MicrosoftWindows] C:\Program Files\Common Files\Services\filename

The file name may/will have changed; these are some of the variants:
iexplorer.exe
explore.exe
exploreer.exe
sistem.exe
systeem.exe
critical.exe
directx.exe
internet.exe
window.exe
winmgnt.exe
clrssn.exe
splorer32.exe
win32e.exe
inetinf.exe
directx32.exe
uninstall.exe
time.exe
volume.exe
autorun.exe
user32.exe
clrssn.exe

As well as these:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.magicsearch.ws/?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.magicsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.magicsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.magicsearch.ws
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.magicsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Magic Search.ws
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.magicsearch.ws/?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.magicsearch.ws/?q

08 - WWW Prefix: http://www.magicsearch.ws/?q=Null.html
O8 - DefaultPrefix01: http://www.magicsearch.ws/?q=PreTeen+Sex.html
O8 - DefaultPrefix02: http://www.magicsearch.ws/?q=Online+Loan.html
O8 - DefaultPrefix03: http://www.magicsearch.ws/?q=Arizona+Health+Insurance.html
O8 - DefaultPrefix04: http://www.magicsearch.ws/?q=Sex+p--sy+Anal.html
O8 - DefaultPrefix05: http://www.magicsearch.ws/?q=Viagra+Erection+Porn.html
O8 - DefaultPrefix06: http://www.magicsearch.ws/?q=Personal+Loan.html
O8 - DefaultPrefix07: http://www.magicsearch.ws/?q=Toys+Anal+Teen.html
O8 - DefaultPrefix08: http://www.magicsearch.ws/?q=Payday+Loan+Online.html
O8 - DefaultPrefix09: http://www.magicsearch.ws/?q=Bill+Consolidation.html
O8 - DefaultPrefix10: http://www.magicsearch.ws/?q=Payday+Viagra+Sex.htm

Reboot and run Hijackthis once more. Post your new log.

shep


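The HijackThis log in the original post and shep's list of look-alike file names give a defender enough to triage this kind of log mechanically. The script below is an added example (not code from the thread, from HijackThis, or from any poster): it reads HijackThis-style lines and flags the three patterns this thread identifies, namely R0/R1/O8 entries pointing at magicsearch.ws, O4 autoruns launched from Common Files\Services, and autoruns whose executable carries one of the look-alike names in shep's list. The embedded sample log is constructed from lines modelled on the posted logs; the directx.exe autorun line is made up to exercise the look-alike check, and the "08" line reproduces the zero-for-O typo that appears in the posted log.

```python
"""Triage HijackThis-style log lines for the indicators discussed in this thread.

Added example; not part of the thread or of HijackThis itself.
"""
import re
from typing import Dict, List, NamedTuple

HIJACK_DOMAIN = "magicsearch.ws"        # redirect target named by the posters
DROP_DIR = r"common files\services"     # folder the posters found the EXEs in

# Look-alike process names from shep's variant list, lower-cased for matching.
LOOKALIKE_NAMES = {
    "iexplorer.exe", "explore.exe", "exploreer.exe", "sistem.exe", "systeem.exe",
    "critical.exe", "directx.exe", "internet.exe", "window.exe", "winmgnt.exe",
    "clrssn.exe", "splorer32.exe", "win32e.exe", "inetinf.exe", "directx32.exe",
    "uninstall.exe", "time.exe", "volume.exe", "autorun.exe", "user32.exe",
}

# Constructed sample modelled on the logs posted in this thread. Line 7 keeps
# the "08" (zero) typo seen in the posted log; line 10 is made up to exercise
# the look-alike check.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.magicsearch.ws/?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magicsearch.ws
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\PROGRA~1\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MicrosoftWindows] C:\Program Files\Common Files\Services\exploreer.exe
O4 - HKLM\..\Run: [MicrosoftWindows] C:\PROGRA~1\Common Files\Services\systeem.exe
08 - WWW Prefix: http://www.magicsearch.ws/?q=Null.html
O8 - DefaultPrefix02: http://www.magicsearch.ws/?q=Online+Loan.html
O9 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\directx.exe
"""


class Finding(NamedTuple):
    line_no: int
    section: str   # HijackThis section code: R0, R1, O4, O8, ...
    reason: str
    text: str


LINE_RE = re.compile(r"^(?P<section>[RO0]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^.*\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'[^\s"]+\.exe', re.IGNORECASE)


def _executables(cmd: str) -> List[str]:
    """Lower-cased base names of every *.exe token in an autorun command line."""
    return [m.group(0).rsplit("\\", 1)[-1].lower() for m in EXE_RE.finditer(cmd)]


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches an indicator from the thread."""
    findings: List[Finding] = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section.startswith("0"):          # tolerate the zero-for-O typo
            section = "O" + section[1:]
        if section in ("R0", "R1", "O8") and HIJACK_DOMAIN in body.lower():
            findings.append(Finding(n, section, f"IE setting points at {HIJACK_DOMAIN}", raw))
        elif section == "O4":
            run = RUN_RE.match(body)
            if not run:
                continue                     # e.g. "Global Startup" lines use another layout
            cmd = run.group("cmd")
            if DROP_DIR in cmd.lower():
                findings.append(Finding(n, section, f"autorun launches from '{DROP_DIR}'", raw))
            elif any(exe in LOOKALIKE_NAMES for exe in _executables(cmd)):
                findings.append(Finding(n, section, "autorun uses a look-alike system name", raw))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per HijackThis section, e.g. {'R1': 1, 'O4': 3}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no:2d} [{f.section}] {f.reason}\n    {f.text}")
    print(summarize(hits))
```

The script deliberately does not touch the registry or the file system; it only reads a log, so it can be run on a clean machine against a log pasted from the infected one, which is how this thread's posters were working. Adding a new indicator means adding a string to one of the three constants at the top.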

Response Number 4
Name: LukeP
Date: February 14, 2004 at 10:44:15 Pacific

Ok, I picked up this hijacker today.

To remove it, you need to download a free software application HijackThis! from Download.com (Click my homepage link, it should take you to the download page for it on download.com and bypass the trojan).

When you have this software and you have run it, click the scan button at the bottom of the window. The listbox should then fill up with crap. Tick everything and click the Fix Checked button. When it is done, wait 20 seconds and click scan again. The listbox will fill up again with stuff all with the www.magicsearch.ws URL in it. This time, press CTRL and ALT and DELETE (or DEL) at the same time and go to the processes tab in Windows XP. Look for a file in that list called directx.exe or some executable file that isn't meant to be there running from your user account. Click it and click end task. You have closed the secret file that is putting the entries back into the listbox. Go back to HijackThis! and check all of the lines and click Fix Checked again. Wait 20 seconds and click Scan. There, all gone!

Now to make sure that our little twat friend that puts the entries back doesn't come back. Click start, My Computer. Double click your main hard drive and go to Program Files and in there go into a folder named Common Files. In the Common Files directory, there should be a folder called Services. Delete that. If you receive an access denied error, look at the filename in the error box and press CTRL + ALT + DEL again and close its ass.

When that Services folder is deleted and when you press scan in HijackThis! and nothing appears, CONGRATULATIONS! YOU HAVE KICKED THE PIECE OF CRAP MAGICSEARCH.WS OFF YOUR SYSTEM!



Response Number 5
Name: blender
Date: February 15, 2004 at 04:00:46 Pacific

RunningHoove

Follow the advice of sxshep and Dog....Do NOT check all entries in the HijackThis scan!...you will disable everything that is supposed to start up, including any antivirus program you have, printer software if any, firewall if any.....Much of what you see in the scan is safe or even essential! Although HijackThis does make backups in case a mistake is made...recovery is possible but is still a headache trying to determine what entries to recover.
HijackThis lists all that is starting up...it cannot determine what is good or bad. It will delete what you tell it to, with sometimes undesirable effects including having to re-install some of your software.
I am sure you wouldn't follow "The Helper's" advice....but just wanted to make sure. HijackThis is a very good and powerful program but can be dangerous at the same time if not careful.

Take care and all the best!

I never give up!




Response Number 6
Name: Kristin4
Date: February 15, 2004 at 05:20:05 Pacific

My machine was infected for about a day before finally clearing it.

Stop any of the variants listed in the earlier post from running with Task Manager and then delete them from c:\program files\common files\services. The files are hidden and I would delete anything other than bmps in this directory.
These variants are responsible for continuously altering the registry.

Next look for c:\windows\notepad32.exe
Again it's hidden; delete it.
It's responsible for creating and running the variants above whenever notepad is run.

Then look in the registry for notepad32.exe
and change anything like
c:\windows\notepad32.exe %1 note
back to
c:\windows\notepad.exe %1

Hopefully this doesn't have any other variants; it worked for me. But look out for any dodgy looking files around 22k.

Kris



Response Number 7
Name: iinfoque
Date: February 15, 2004 at 05:35:34 Pacific

Go to www.aameen.org and click on the forum button at the top to see the posts under Troubleshooting and Virus Removal; they have now given a cleaning method for all the variants of magicsearch.ws that exist today.

iinfoque



Response Number 8
Name: thecheds
Date: February 15, 2004 at 08:54:02 Pacific

They should find the Azhole who created this piece of crap (magicsearch.ws) and file a Class Action Lawsuit against them for Mass Computer Damage and invasion of privacy (also caused me to beat my poor Dog)...then Tar and Feather them to boot.



Response Number 9
Name: LukeP
Date: February 15, 2004 at 10:22:39 Pacific

How did this virus get onto our PCs? I haven't opened anything that could possibly be a virus... Is there any chance it is using TFTP or something like that, like the MSblast worm?



Response Number 10
Name: jfig1688
Date: February 15, 2004 at 11:43:38 Pacific

Here's how I got rid of this problem. Get rid of notepad32; this is the executable that generates all the other *.exe files in C:\Program Files\Common Files\Services.
Remove any notepad32 entries in the registry and rename the valid notepad entries from notepad32 to notepad.
Use HijackThis (or do a manual search in regedit) to remove your magicsearch entries and the *.exe file currently in C:\Program Files\Common Files\Services.



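Kristin4 and jfig1688 both describe the same persistence trick: the file association that normally launches notepad.exe is pointed at a hidden notepad32.exe, so every time a text file is opened the dropped executables are regenerated. The script below is an added example (not code from the thread or from either poster) that finds that hijack in a registry export taken with regedit's File > Export, which can be inspected on a clean machine. The `.reg` text embedded in it is constructed: the key paths are assumptions chosen for illustration (the thread does not say which keys were affected), while the command strings follow the `c:\windows\notepad32.exe %1 note` / `c:\windows\notepad.exe %1` pair that Kristin4 quotes.

```python
"""Find the notepad32.exe file-association hijack in a .reg export.

Added example; not code from the thread. Key paths in the sample are assumed;
only the command strings come from Kristin4's post.
"""
import re
from typing import Iterator, List, Tuple

HIJACK_EXE = "notepad32.exe"     # executable named by Kristin4 and jfig1688
GENUINE_EXE = "notepad.exe"

# Constructed .reg export (regedit "File > Export" format). Key names are
# assumptions for illustration; the data strings use the hijacked and genuine
# forms quoted in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="c:\\windows\\notepad32.exe %1 note"

[HKEY_CLASSES_ROOT\Applications\notepad.exe\shell\open\command]
@="c:\\windows\\notepad.exe %1"

[HKEY_CLASSES_ROOT\inifile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD32.EXE %1 note"
"Editor"="C:\\WINDOWS\\NOTEPAD.EXE"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# A string value line: @="..." or "Name"="...", with .reg backslash escaping.
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>"(?:[^"\\]|\\.)*")$')


def _unescape(quoted: str) -> str:
    """Strip the surrounding quotes and undo .reg escaping of backslashes and quotes."""
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])


def parse_reg(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value name, string data) for every REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            name = vm.group("name")
            name = "(Default)" if name == "@" else _unescape(name)
            yield key, name, _unescape(vm.group("data"))


def restored_command(cmd: str) -> str:
    """Map the hijacked form back to the genuine one the thread gives:
    'c:\\windows\\notepad32.exe %1 note' -> 'c:\\windows\\notepad.exe %1'."""
    fixed = re.sub(re.escape(HIJACK_EXE), GENUINE_EXE, cmd, flags=re.IGNORECASE)
    return re.sub(r"\s+note$", "", fixed, flags=re.IGNORECASE)   # drop the extra argument


def find_hijacked_commands(reg_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (key, value name, current data, restored data) for every value
    whose command launches notepad32.exe."""
    return [(key, name, data, restored_command(data))
            for key, name, data in parse_reg(reg_text)
            if HIJACK_EXE in data.lower()]


if __name__ == "__main__":
    for key, name, current, restored in find_hijacked_commands(SAMPLE_REG):
        print(f"[{key}] {name}\n  now:     {current}\n  restore: {restored}")
```

Only values that actually reference notepad32.exe are reported, so a genuine `notepad.exe` command (the second key in the sample) passes untouched. The output is a worklist for regedit; the script does not write to the registry.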

Response Number 11
Name: VhyperR
Date: February 15, 2004 at 15:03:28 Pacific

There is a fiery pit of eternal hellfire for these magicsearch.ws f*cks. My 'infection', or whatever the heck it is, happened around 10 pm on Feb. 14th 04; from what I've read, this is a pretty new problem.

Here's what I did:
1. Tried resetting home page - ha!

2. Tried Adaware, etc. - no dice

3. I then went to program files/common files/services and deleted the last letter of the file extensions of all the files (hidden and otherwise) therein

4. Went to the Run items in the registry and deleted the only thing that appeared there (I just reinstalled Windows, so, yes, sorry, I know that doesn't help most of you very much).

Now magicsearch doesn't hijack my IE unless I type in a webpage without the http or www. Not the best fix, but it makes IE usable until there is some sort of quick fix. (Can't seem to download HijackThis; if you've got a good download site, point us to it... be sure to check it's still working first.)




Response Number 12
Name: Wolfcastle
Date: February 15, 2004 at 18:49:14 Pacific

I found that my homepage was being set every single time I reset my computer.

So I copied down the IP address that it was setting my homepage to, then I did a search for all files on my computer that contained this address.

It came up with 3 files:
- tksrv98.exe
- tmksrvu.exe
- xplugin.dll

So I made backup copies of these files and removed them from my system, and I haven't had any problems since. :) Hope this helps.



Response Number 13
Name: VhyperR
Date: February 15, 2004 at 22:24:21 Pacific

Search the entire registry for entries containing the word: magic. The culprit values will immediately stand out. It's good to have another XP machine around to know what to change them back to. After taking the steps in my previous post, I went to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes

and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix www

and changed the data from the magicsearch crap to: http://

Now things seem to be working right.

Hope this isn't too confusing; I learned what I know about hacking the registry from getting rid of this thing today.



Response Number 14
Name: david_monroe
Date: February 16, 2004 at 01:18:22 Pacific

I have tried almost everything.

Here's what I did:
1.) Opened Task Manager and ended the processes that needed to be ended
2.) Deleted C:\Program Files\Common Files\Services
3.) Looked in the registry for notepad32.exe
and changed anything like
c:\windows\notepad32.exe %1 note
back to
c:\windows\notepad.exe %1
4.) Deleted these files: tksrv98.exe and tmksrvu.exe
5.) Went to regedit and then HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes

and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix www

changed the data from the magicsearch crap to: http://
6.) Still nothing worked; I don't know what to do next. The only thing that I haven't tried is "Hijack This", but that is only because I can't find a place to download it..

GET ME SOME HELP



Response Number 15
Name: blender
Date: February 16, 2004 at 03:17:00 Pacific

Vyhper, David Monroe

For Hijackthis download go here:

http://www.lurkhere.com/!nicefiles/

I never give up!



Response Number 16
Name: AntiJackass
Date: February 16, 2004 at 14:25:41 Pacific

This stupid website was created on 2004-01-03.
Name servers:
ns2.smartdns.org....213.159.117.225
ns1.smartdns.org....213.236.177.230

www.magicsearch.ws is a West Samoa extension.

If you want to complain go there:
http://www.iana.org/root-whois/ws.htm

and send an email of complaints to:
Raymond@samoa.ws

Let's get this little co@#sucker and cancel his account!



Response Number 17
Name: Cyrus23
Date: February 17, 2004 at 13:18:45 Pacific

I was able to remove magicsearch but now I have something similar, although not as aggressive as magicsearch. I found it using HijackThis. After every restart I always get this:

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\My Documents\Temp For Downloaded Stuff\REMOVING MAGICSEARCH\HijackThis.exe

!!!!!!!!!! (added by me)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sbhywy.t.muxa.cc/s.php?aid=291 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sbhywy.t.muxa.cc/s.php?aid=291 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbhywy.t.muxa.cc/h.php?aid=291 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sbhywy.t.muxa.cc/s.php?aid=291 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbhywy.t.muxa.cc/h.php?aid=291 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sbhywy.t.muxa.cc/s.php?aid=291 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://sbhywy.t.muxa.cc/s.php?aid=291 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sbhywy.t.muxa.cc/s.php?aid=291 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://sbhywy.t.muxa.cc/h.php?aid=291 (obfuscated)
!!!!!!!!!(added by me)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

Note the section I marked with !!!!!. This stuff always comes back, and sometimes, but really rarely, it also makes itself the homepage. I can't find what I have to delete and I can't find a process that looks suspect.

So please help if you know something.


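Added example, not code from the thread or from any of the posters: a small Python triage of the HijackThis log pasted above. It reads the R0/R1 lines (IE start and search pages) and the O4 lines (autorun entries) and reports the ones a responder would want to look at: pages that point at a host outside a short allow-list, and Run commands that silently import a .reg file, reference notepad32, or launch from Common Files\Services (the three patterns this thread describes). The allow-list is an assumption for the example; the sample log reuses the lines posted above.

```python
"""Triage the R0/R1 and O4 lines of a HijackThis log.

Flags start/search pages whose host is not on a short allow-list and
autorun entries whose command matches what this thread describes
(silent .reg import, notepad32, Common Files\Services).  The sample log
is the one posted above; TRUSTED_HOSTS is an assumption for this example.
"""
import re
from urllib.parse import urlsplit

# Hosts a stock IE start/search page may legitimately point at (assumption; extend per environment).
TRUSTED_HOSTS = ("microsoft.com", "msn.com")

# "R1 - HKCU\...\Main,Search Bar = http://... (obfuscated)"
R_LINE = re.compile(
    r"^(R[01]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.+?)(?: \(obfuscated\))?$")
# "O4 - HKLM\..\Run: [sys] regedit -s sys.reg"
O4_LINE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sbhywy.t.muxa.cc/s.php?aid=291 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sbhywy.t.muxa.cc/s.php?aid=291 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbhywy.t.muxa.cc/h.php?aid=291 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sbhywy.t.muxa.cc/s.php?aid=291 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbhywy.t.muxa.cc/h.php?aid=291 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sbhywy.t.muxa.cc/s.php?aid=291 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://sbhywy.t.muxa.cc/s.php?aid=291 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sbhywy.t.muxa.cc/s.php?aid=291 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://sbhywy.t.muxa.cc/h.php?aid=291 (obfuscated)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
"""


def host_is_trusted(url):
    """True when the URL's host is one of TRUSTED_HOSTS or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def suspicious_run_command(cmd):
    """Autorun commands matching the patterns the thread associates with this hijacker."""
    low = cmd.lower()
    # regedit with -s or /s imports a .reg file with no prompt; that re-applies hijacked values at logon.
    silent_reg_import = "regedit" in low and re.search(r"(?:^|\s)[-/]s(?:\s|$)", low) is not None
    return silent_reg_import or r"common files\services" in low or "notepad32" in low


def triage_hijackthis(log_text):
    """Return (section, value name, data) for each line that deserves a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            # A page with no host at all (e.g. about:blank) is reported too; the analyst decides.
            if not host_is_trusted(m["data"]):
                findings.append((m.group(1), m["value"].strip(), m["data"]))
            continue
        m = O4_LINE.match(line)
        if m and suspicious_run_command(m["cmd"]):
            findings.append(("O4", m["name"], m["cmd"]))
    return findings


if __name__ == "__main__":
    for section, name, data in triage_hijackthis(SAMPLE_LOG):
        print(f"{section:3} {name:20} {data}")
```

Run against the log above it lists all nine R0/R1 lines plus the `[sys] regedit -s sys.reg` autorun entry, and leaves the CTFMON, Office and toolbar lines alone; that O4 line is what re-writes the start pages at every boot, which is why deleting the R entries on their own never held.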

Response Number 18
Name: Cyrus23
Date: February 17, 2004 at 13:47:49 Pacific

Sorry guys for bothering you, i don't know how i didn't see this line

O4 - HKLM\..\Run: [sys] regedit -s sys.reg

After removing it everything is ok now.



Response Number 19
Name: blender
Date: February 17, 2004 at 15:09:20 Pacific

Hi

Glad you got it cleared up...Good work!

Make sure you do a search for that sys.reg file and get rid of it....that is the file responsible for your hijack. One of the 30+ CWS trojan (cool web search) variants.

I never give up!


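Added example, not from the thread or any of the posters: a Python audit of an exported .reg file that checks for the registry changes described in Responses 10, 13, 14 and 18: the URL\DefaultPrefix and URL\Prefixes values rewritten so that a bare hostname is redirected, a Run entry that silently re-imports a .reg file, and notepad.exe swapped for notepad32.exe. Exporting the relevant keys with regedit and running this over the export is a way to check a machine without editing anything by hand first. The .reg text below is constructed for the example (the posts do not quote the hijacked values or the exact notepad association key, so those are assumed), and the stock default values are taken from a clean Windows XP install as an assumption.

```python
"""Audit a Windows .reg export for the changes this thread describes.

Checks: URL\DefaultPrefix and URL\Prefixes values that differ from stock,
Run entries that import a .reg file silently or run from Common
Files\Services, and any value that points at notepad32.  SAMPLE_REG is a
constructed export, not a capture from an infected machine.
"""
import re

# Stock Windows XP values for the URL prefix keys (assumption: taken from a clean install).
EXPECTED_URL_DEFAULTS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\url\defaultprefix": {"@": "http://"},
    r"hkey_local_machine\software\microsoft\windows\currentversion\url\prefixes": {
        "ftp": "ftp://", "gopher": "gopher://", "home": "http://", "mosaic": "http://", "www": "http://"},
}

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample; the hijacked prefix values and the txtfile association key are assumptions.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://www.magicsearch.ws/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"www"="http://www.magicsearch.ws/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sys"="regedit -s sys.reg"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="c:\\windows\\notepad32.exe %1 note"
'''


def _unescape(s):
    # .reg string syntax: a backslash escapes the next character (\\ and \").
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}}; '@' is the (Default) value.
    String data is unescaped; other types (dword:, hex:) are kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def _silent_reg_import(cmd):
    low = cmd.lower()
    return "regedit" in low and re.search(r"(?:^|\s)[-/]s(?:\s|$)", low) is not None


def audit_reg(keys):
    """Return (key, value name, data, reason) for every value matching a thread pattern."""
    findings = []
    for key, values in keys.items():
        key_l = key.lower()
        expected = EXPECTED_URL_DEFAULTS.get(key_l, {})
        for name, data in values.items():
            low = data.lower()
            if name.lower() in expected and low != expected[name.lower()]:
                findings.append((key, name, data, "URL prefix differs from default"))
            elif key_l.endswith(r"\currentversion\run") and (
                    _silent_reg_import(data) or r"common files\services" in low):
                findings.append((key, name, data, "autorun re-imports registry data or runs from Common Files\\Services"))
            elif "notepad32" in low:
                findings.append((key, name, data, "notepad.exe replaced by notepad32.exe"))
    return findings


def restore_prefixes_reg(findings):
    """Build a .reg snippet that puts the flagged URL prefix values back to their defaults."""
    lines = ["Windows Registry Editor Version 5.00"]
    for key, name, _data, reason in findings:
        if reason != "URL prefix differs from default":
            continue
        default = EXPECTED_URL_DEFAULTS[key.lower()][name.lower()]
        label = "@" if name == "@" else f'"{name}"'
        lines += ["", f"[{key}]", f'{label}="{default}"']
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = audit_reg(parse_reg(SAMPLE_REG))
    for key, name, data, reason in found:
        print(f"{reason}: [{key}] {name} = {data}")
    print(restore_prefixes_reg(found))
```

On the sample it reports four values (DefaultPrefix, Prefixes\www, the `sys` Run entry and the notepad32 association) and leaves `ftp` alone; the generated snippet only restores the prefix values, because the Run entry and the notepad32 path need the file behind them removed as well, as the posts above describe.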

Response Number 20
Name: s
Date: February 17, 2004 at 17:00:09 Pacific

I am having the same problem, but a different website pops up and I get a ton of these .zip files in a folder. When I delete them they come back right away.



Response Number 21
Name: mikemtglo
Date: February 17, 2004 at 21:04:50 Pacific

Was just prompted this evening for a Windows update. IE security update that FIXED THAT FREAKIN TARD OF A SITE THAT I AND ALL I KNOW WILL REIGN FOREVER TERROR ON. I am speaking of such crap as that magicsearch.ws - We should show our appreciation by repaying them the favor. Windows actually came through!!! :0



Response Number 22
Name: Clow Leed
Date: March 1, 2004 at 08:01:51 Pacific

I got the same problem, but I found something:
all files have a signature at their end:
[HIDE PE by BGCorp]
You can find it by using a hex editor.
The files are at least 21.0 KB (21,568 bytes)
small, contain a package and use some interesting handlers as follows:
VirtualAlloc
VirtualFree
kernel32.dll ExitProcess user32.dll (Shuts down?)
MessageBoxA (the ads)

And finally:
······GetKeyboar
dType (Keylogger) RegQuery
ValueExA (Checks the regkeys) RegSe
tValueExA (That's why the regkeys re-appear)SystemParametersInfoA
···ShellExecute
ExA···InternetGe
tConnectedState (...)

wsprintfA <- Looks interesting! WS?

And that's the keys:
!"#$%&'()*+,-./0
123456789:;<=>?@
ABCDEFGHIJKLMNOP
QRSTUVWXYZ[\]^_`
abcdefghijklmnop
qrstuvwxyz{|}~Ç
üéâäàåçêëèïîìÄÅÉ
æÆôöòûùÿÖÜø£Ø×ƒá
íóúñѪº¿®¬½¼¡«»_


To be human is to have the freedom to control one's fate
-Karl Marx


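Added example, not from the thread or the poster above: a Python script that does the hex-editor inspection described in that post programmatically. It checks whether a file starts like a PE, whether the "[HIDE PE by BGCorp]" trailer sits at the end, how its size compares with the poster's observed minimum, and which of the API names listed in the post appear as plain strings (the hex dump wraps those names mid-word; they are joined here). It also includes a `strings`-style extractor so the same file can be eyeballed the way the poster did. The byte blob is constructed for this example, not a real sample, and whether any of these strings means what the poster guessed (for example the keylogger remark) is left to the analyst.

```python
"""Static triage of a suspect file along the lines of the hex-editor post.

Reports the DOS header, the "[HIDE PE by BGCorp]" trailer, the file size
against the poster's observed minimum, and which of the listed API names
appear as plain ASCII.  build_sample() returns a constructed stand-in, not
a real sample.
"""
import re

MARKER = b"[HIDE PE by BGCorp]"
# API names as listed in the post (joined where the hex dump wrapped them).
WATCHED_APIS = (
    b"VirtualAlloc", b"VirtualFree", b"ExitProcess", b"MessageBoxA",
    b"GetKeyboardType", b"RegQueryValueExA", b"RegSetValueExA",
    b"SystemParametersInfoA", b"ShellExecuteExA",
    b"InternetGetConnectedState", b"wsprintfA",
)
MIN_SIZE_FROM_POST = 21568  # the poster's observed minimum file size, in bytes


def ascii_strings(data, min_len=6):
    """Printable-ASCII runs of at least min_len bytes, like the classic `strings` tool."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data):
    """Summarise, for one file's bytes, the indicators the post talks about."""
    trimmed = data.rstrip(b"\x00")          # ignore zero padding after the trailer
    return {
        "size": len(data),
        "size_at_or_above_post_minimum": len(data) >= MIN_SIZE_FROM_POST,
        "is_pe": data[:2] == b"MZ",          # DOS header every PE starts with
        "marker_offset": data.find(MARKER),  # -1 when the trailer is absent
        "marker_at_end": trimmed.endswith(MARKER),
        "apis": sorted(a.decode("ascii") for a in WATCHED_APIS if a in data),
    }


def build_sample():
    """Constructed stand-in: a DOS header, the watched names, zero padding and the trailer."""
    return (b"MZ\x90\x00" + b"\x00" * 60
            + b"\x00".join(WATCHED_APIS)
            + b"\x00" * 8 + MARKER)


def triage_file(path):
    """Convenience wrapper for a file on disk (hypothetical path supplied by the caller)."""
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    report = triage(build_sample())
    for k, v in report.items():
        print(f"{k:30} {v}")
    print("strings:", ", ".join(ascii_strings(build_sample())))
```

A match on the trailer plus the RegSetValueExA/RegQueryValueExA pair is consistent with the behaviour the posts describe (values that come straight back after deletion), but presence of an import name alone proves nothing on its own; treat the report as a pointer for a closer look, not a verdict.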

Response Number 23
Name: 4Q2
Date: March 10, 2004 at 12:36:01 Pacific

Ok Peeps, Looks like this little burger is causing a fuss. I personally would like to do some serious harm to the person who thought this would be a good idea. Anyway, now time for something useful. It looks like PestPatrol detects and removes this. This spyware/trojan apparently stops adaware, spybot, and many other anti-spyware programs. Read this to learn about it,

hXXp://pestpatrol.com/pestinfo/c/cws_time.asp#Detection%20and%20Removal

hXXp://pestpatrol.com/downloads/Corporate/SetupPestPatrolCorporate.exe



Response Number 25
Name: A4Ric350
Date: March 16, 2004 at 11:50:15 Pacific

Open Internet Explorer
Go to Tools
Go to Options
Click on Privacy Tab
Click on Edit
You Will Find The @)(&%#*$ MUdda so and so there

Just delete it or you can block it from the options

I hope this works for you all
take care

