Browser Hijacking - www.findwhatevernow.com

Ragen:
So, right at the start let me note that I know quite a lot about everything to do with security, operating systems and so on... I mean, I've been in this business for over 15 years. The problem is this: my neighbour came over and, idiot that I am, I let her check her mail... on the laptop.. it's a small IBM ThinkPad with a permanent internet connection.. The problem is that she got some mail that she clicked on.. silly goose... and she installed some toolbar on it, I don't remember what it was called, because I uninstalled it right then and there, and I deleted everything related to it from the registry and from the hard drive. However, the idiotic toolbar left something on the drive that I can't find and it hijacks any browser. At first I thought it was because of stupid IE, but when it blocked Opera too, I installed Mozilla Firefox.. Nothing helps.. I let Ad-aware 6.0 sort out the problem, nothing, same with HijackThis... however, I didn't find any library, OCX or anything similar.. how does IE or the rest work? I figure they all use the same DLL for the net, if after every search any browser blocks access to www.google.com, www.symantec.com and some other sites??? down in the status bar it says it's loading data and contacting www.findwhatevernow.com ... come on hackers, let's see you, does anyone know anything about this!!! no way I'm reinstalling Windows, I can't be bothered :)
 
I googled for you: I didn't find a solution, since it seems that trojan is immune to cleaning programs and keeps coming back, but I found some recommendations, so try these:

I already solved the problem with Outlook Express and findwhatevernow.
You must clean your registry.
1. Click Start, and then click Run, and then type regedit in the Open box.
2. Locate the following registry keys, right-click the registry key, and then click Delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express
HKEY_LOCAL_MACHINE\Software\Microsoft\WAB
HKEY_CURRENT_USER\Identities
HKEY_CURRENT_USER\Software\Microsoft\Outlook Express
HKEY_CURRENT_USER\Software\Microsoft\WAB
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11D2-AF11-00C04FA35D02}
3. Quit Registry Editor.

If you do use a firewall then just put findwhatevernow.com as a forbidden domain (if you have this capability). That should stop it from ever infecting your machines.

Hi, I have the solution to the problem

First go here:
http://jupiter.spaceports.com/~jsanjuan/products.html
And download
Outlook Express 5.0 Tweak'r (works with older versions of Outlook too)
Install it, and then run it. One of the options you will notice is the welcome page. Change whatever is written in that field to "(default)", without the quotation marks.
Now open Outlook. Problem solved :)
I removed my Find Whatever Now toolbar by going to my Control Panel, then going to Add/Remove Programs and then removing the FWN toolbar. Darn porn. :rolleyes:


Take a look at this link:
http://www.kephyr.com/spywarescanner/library/hungryhands/index.phtml
You may want to verify that nothing is left over from the cleanup instructions on this link and then see if IE will work for you.
Once you have removed the items it is a good idea to print the list off, go into the registry and manually remove them. Even though HijackThis has found them and removed them, they are still hidden in the HKEY areas.
 


Get Window Washer 5 and Spybot Search&Destroy 1.3, they delete everything, guaranteed!
 
Andreavk:
...to turn off System Restore and tick Show hidden files and folders in Folder Options, you probably know

yes, yes, except that I have Win98 here.. ok, I use a licensed ZoneAlarm Pro, which is excellent, plus NOD32 antivirus, which also works great.. still, this little guy is too weak for Norton 2004.

on the other hand, I've noticed that when I look for sites like symantec.com, the site's address appears in the address bar, but it seems to load something from the hard disk, actually an HTML page that looks veeeery much like MSN Search, except the links are changed, so that wherever you click, it shows a link to findwhatevernow.com...

I'll try Spybot Search...

on the other hand, I've never tried to remove Internet Explorer and Outlook Express.. I mean, I don't use them, since I use The Bat! and Firefox.. no, no, I'm sure they can't be removed from Win98..
 
Very good. Let me GOOGLE a few for you :D Since you can't be bothered to sit through 45 minutes of a total system reinstall (and to unburden the Win98 registry), then keep struggling and put off solving the problem as long as you like. :roll: The programs you're using are ok, but you're right, a DLL file has been CHANGED (System32 folder). :evil: And now you have a "genetically modified" Windows. :!: Before you reinstall the machine, try System Mechanic (works for free for 30 days) to repair explorer.exe (the most vulnerable file on Win98). Or maybe you'll manage with the Antiy GhostBusters suite (it really is spelled Antiy). :? Eh, if Black Ice Defender (firewall) is good for at least one thing, it's that it's veeery annoying whenever something wants to install itself on the machine. :idea: And that laptop you praised (you only stopped short of writing its factory serial number and the day you bought it :wink: ), can it "push" Windows XP? Note that XP needs about 128 MB of RAM for the system itself, the rest of the memory is yours? There's at least one nice thing there - Limited User. When you work in this mode you can't install or uninstall anything (but neither can anyone else)... Good luck, "lazybones". Could it have been the Alexa Toolbar? hehehe 8)
 
Clean the machine with these programs: CWShredder (so far it has always brought my hijacked Explorer back for me), Spybot S&D and Ad-aware, and then scan the registry with HijackThis (first: show all hidden files and folders).
When it finishes scanning, the Scan button changes to Save Log. Save the log somewhere and post it to one of these addresses:
http://forums.spywareinfo.com/
http://boards.cexx.org/
http://www.dslreports.com/forums/all
http://forums.net-integration.net/index.php?
http://www.lavasoftsupport.com/
http://www.tomcoyote.org/
http://forums.techguy.org/
 
My hackers, so far the only version that smells right to me is the "genetically modified Windows" one.. I mean, would you believe I checked all the files one by one, eh, I know them by heart from how many times in my life I've set up systems for clients.. I know Win98 is crap, but I have ZoneAlarm 4.5.530, NOD32 and that's that.. I don't go to those XXX sites and nonsense... so I don't worry about that.. it's true that XP copes with that and 98 doesn't, but since I don't go there anyway... the little one has 128 of RAM and 400 MHz, but, nooooo, I wouldn't put XP on it... on the workstation I have 1 GB and a 2500+ processor, and it stutters :) :) :) :) just kidding, it doesn't stutter, but it does hiccup sometimes (and I do DV editing hehe)

ok, not to go off topic, it's possible that some DLL was modified and replaced, that's the only logical explanation to me, since the same thing happens in every browser. I banned www.findwhatevernow.com in the firewall, so it no longer loads that site, but nothing else either.. now what happens is that when I type www.symantec.com, at the bottom it writes reading data from www.find...., and since it's banned, of course it doesn't load it...

if anyone knows, can they explain to me which DLL Win98 uses for communication with the www service on the net, since only this one is causing problems.. the other services are ok... I figure it's something for HTML decoding or the like (I don't know why uncle Bill pays those idiots on the development team in Redmond)

so there you go hackers... I'm a bit crazy, I couldn't sleep if I wiped Windows without finding the FILE that was changed....

thanks...thanks...
 
hmmm.. now I remembered... if I reinstall Win98 over this one, I figure the "modded" file will be replaced with the original??

I'm still interested in which spyware this is that modifies .exe, .dll or something else...

on the other hand, the HijackThis suggestion is out, I went through the whole registry long ago, and I'm also one of the people who gives advice on those sites :) :) :)
 
hmm.. I deleted the IE registry keys and reinstalled it.. latest version.. I don't know, I'm not sure everything is ok.. I'll report back if it's still the same thing.. though I doubt this fixes anything..

the ZoneAlarm log showed me that even ICQ connects (or at least tried to connect, since the www.find... domain is banned) to the address mentioned above... so it's definitely some Windows www service.. I didn't know that one component is used for everything www-related in Win98; what is it about?

AM I THE ONLY IDIOT THIS HAS HAPPENED TO? I'M ASHAMED TO SAY I'M AN EXPERT!!! :)
 
What do you say to this:
What got installed in your toolbar was called Qidion

1.Open Add/Remove Programs in the Control Panel and remove the entry 'Searchit - toolbar' (Searchit variant), 'Toolbar - My toolbar' (Search-Explorer variant), 'qidion - toolbar' (Qidion variant) or 'masterbarHallmedia.net' (MasterBar variant).

2. Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands, for Pugi/Qidion:

cd "%WinDir%\System"
regsvr32 /u "..\Downloaded Program Files\qi32.dll"

And this is the whole page:

Pugi is a search toolbar program which has been customised and stealth-installed by many different sites.

Variants
Pugi/Searchit, pointed at www.searchit.com, distributed through inet-traffic.com.

Pugi/SearchExplorer, pointed at www.search-explorer.com, distributed through and controlled by adpowerzone.com.

Pugi/Qidion, controlled by qidion.com, pointed at www.findwhatevernow.com.

Pugi/Masterbar, pointed at masterbar.com; also sets search pages to point at masterbar.com.

Pugi/XXXToolbar, part of the ISTbar/XXXToolbar parasite, documented on the ISTbar page.

Distribution
ActiveX drive-by download in pop-up adverts.

Pugi/SearchExplorer is also installed by the 2ndThought parasite from June 2003.

What it does
Advertising
Possible. The SearchExplorer variant is the only version known to use this facility.

Privacy violation
Possible, again in the SearchExplorer variant which may pass URLs being viewed to its controlling server every few pages (including local folders viewed using the Windows Explorer!).

Security issues
Yes. Can download and execute arbitrary code as directed by its controlling site, as an update feature.

Stability problems
None known.

Removal
Open Add/Remove Programs in the Control Panel and remove the entry 'Searchit - toolbar' (Searchit variant), 'Toolbar - My toolbar' (Search-Explorer variant), 'qidion - toolbar' (Qidion variant) or 'masterbarHallmedia.net' (MasterBar variant).

Manual Removal
Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands, for Pugi/Searchit:

cd "%WinDir%\System"
regsvr32 /u "..\Downloaded Program Files\srchitbar.dll"
Or, for Pugi/SearchExplorer:

cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\Search-Explorer\explbar.dll"
Or, for Pugi/Qidion:

cd "%WinDir%\System"
regsvr32 /u "..\Downloaded Program Files\qi32.dll"
Or, for Pugi/MasterBar:

cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\MasterBar\masterbar.dll"
Restart the computer and you should be able to delete the program files. For the SearchExplorer and MasterBar variants you can delete the entire 'Search-Explorer' or 'MasterBar' folder in the Program Files on the C: drive (regardless whether or not that is your system drive).

For Pugi/Qidion use this command to delete the files:

del "%WinDir%\Downloaded Program Files\qi32.dll"
For Pugi/Searchit use this command to delete the files:

del "%WinDir%\Downloaded Program Files\srchitbar.dll"
2ndThought removal
If you had Pugi/SearchExplorer, check whether it was installed by 2ndThought. 2ndThought is a commercial trojan controlled by 2nd-thought.com. It is installed by ActiveX drive-by-downloads from the advertising network AdsCPM, who wrote it (as well as FreeScratchAndWin).

Open the registry (click 'Start', choose 'Run' and enter 'regedit') and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. On the right, delete the 'stcloader' entry if you have it. If so, restart the computer and you should be able to delete the 'STC' folder inside Program Files, and '2ndsrch.dll' and 'stcloader.exe' from the System folder (which is inside the Windows folder, and called 'System32' on Windows NT/2000/XP).
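Before running the manual removal steps for the Pugi variants and 2ndThought above, it helps to list exactly which of the named leftovers are actually present. The following is an added example, not code from the thread or from the quoted removal page; it is a read-only PowerShell audit that checks the file paths, the Run entry and the Downloaded Program Files folder named in the removal steps. It assumes a host with Windows PowerShell (so not the Win98 machine in the thread itself), the standard %WinDir% layout, and that the Downloaded Program Files folder is where the ActiveX drive-by components land, as the quoted page says; the function name `Find-PugiLeftovers` is an assumption of this example.

```powershell
# Added example: read-only audit for the Pugi / 2ndThought leftovers named in the
# removal steps above. Nothing is deleted or unregistered; it only reports.
function Find-PugiLeftovers {
    $findings = @()
    $dpf = Join-Path $env:WINDIR 'Downloaded Program Files'

    # File names taken from the quoted removal instructions (variant in comment).
    $candidates = @(
        (Join-Path $dpf 'qi32.dll'),                              # Pugi/Qidion
        (Join-Path $dpf 'srchitbar.dll'),                         # Pugi/Searchit
        'C:\Program Files\Search-Explorer\explbar.dll',           # Pugi/SearchExplorer
        'C:\Program Files\MasterBar\masterbar.dll',               # Pugi/MasterBar
        (Join-Path $env:WINDIR 'System32\2ndsrch.dll'),           # 2ndThought (NT/2000/XP System folder)
        (Join-Path $env:WINDIR 'System32\stcloader.exe')          # 2ndThought loader
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) { $findings += "file present: $path" }
    }

    # Whole folders the quoted page says can be deleted after the DLL is unregistered.
    foreach ($dir in 'C:\Program Files\Search-Explorer', 'C:\Program Files\MasterBar', 'C:\Program Files\STC') {
        if (Test-Path -LiteralPath $dir) { $findings += "folder present: $dir" }
    }

    # The logon Run entry 2ndThought uses (value name from the quoted page).
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['stcloader']) {
        $findings += "Run entry present: stcloader = $($run.stcloader)"
    }

    # Generalisation beyond the named files: any DLL/OCX sitting in Downloaded Program
    # Files is an ActiveX component that arrived via the browser and deserves a look.
    if (Test-Path -LiteralPath $dpf) {
        Get-ChildItem -LiteralPath $dpf -Include *.dll, *.ocx -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "ActiveX component in Downloaded Program Files: $($_.FullName)" }
    }

    if ($findings.Count -eq 0) { 'No known Pugi/2ndThought leftovers found.' } else { $findings }
}

Find-PugiLeftovers
```

Run it once before and once after the regsvr32 /u, del and registry steps above; an empty result on the second run is the confirmation the thread's "verify that nothing is left over" advice asks for. The Outlook Express key list earlier in the thread is deliberately not checked here, since deleting those keys is a reset of Outlook Express rather than a test for the toolbar's presence.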

Links
Searchit portal
SearchExplorer portal
Findwhatevernow portal
MasterBar portal
 