Sun, Dec 03, 2006 10:12 pm

Exploit searchterror.com

I ran a scan of a system, G, with Bazooka™ Adware and Spyware Scanner v1.13.03. It found Exploit searchterror.com on the system.

The uninstall procedure on the Kephyr webpage suggested using "Add or Remove Programs" in the Windows® Control Panel to remove the malware. I looked for "SpySheriff" and "WeirdOnTheWeb" entries as suggested, but found none.

The Kephyr site indicates that the presence of any of the files or directories listed below may indicate a system is infected with this malware.


c:\loader.exe
c:\mailz.txt
c:\sys.exe
c:\tmp.txt
c:\trig.dtl
c:\winstall.exe
%WinDir%\weirdontheweb_topc.exe
%WinDir%\zsettings.dll
%WinDir%\tool1.exe
%WinDir%\tool2.exe
%WinDir%\tool3.exe
%WinDir%\svchost.exe
%WinDir%\ms1.exe
%WinDir%\ms2.exe
%WinDir%\ms3.exe
%WinDir%\ms4.exe
%WinDir%\msmsgr2.exe
%WinDir%\drexinit.dll
%WinDir%\kernels32.exe
%WinDir%\vr_sys.dll
%WinDir%\desktop.html
%WinDir%\dvpd.dll
%WinDir%\installer_SIAC.exe
%WinDir%\sasent.dll
%WinDir%\sasetup.dll
%WinDir%\cdmweb\
%SystemDir%\latest.exe
%SystemDir%\maxd.exe
%SystemDir%\newdial.exe
%SystemDir%\realupd32.exe
%SystemDir%\realupd_32.exe
%SystemDir%\thn.dll
%SystemDir%\thn32.dll
%SystemDir%\tibs.exe
%SystemDir%\vx.tll
%SystemDir%\init32m.exe
%SystemDir%\cssrs.exe
%SystemDir%\abc.exe
%SystemDir%\paytime.exe
%SystemDir%\vxgame1.exe
%SystemDir%\vxgame2.exe
%SystemDir%\vxgame3.exe
%SystemDir%\vxgame4.exe
%SystemDir%\win32.exe
%SystemDir%\newdial1.exe
%SystemDir%\zolk.dll
%SystemDir%\ztoolber.dll
%SystemDir%\ztoolbar.bmp
%SystemDir%\ztoolbar.xml
%SystemDir%\~update.exe
%ProgramsDir%WeirdOnTheWeb\

%WinDir% is a variable. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).

%SystemDir% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

%ProgramsDir% is a variable. By default, this is C:\Program Files.

The file svchost.exe is part of the list, but it is also a file normally found on Windows systems. On Windows NT and later systems, though, the legitimate copy is found in %WinDir%\system32 rather than in %WinDir% itself. The Kephyr webpage treats a copy directly in the %WinDir% directory as an indicator of this malware.

I created a batch file, searchterror-files.bat, to search for any instances of the above files or directories on the system. The script did not find either of the two directories associated with the malware, %WinDir%\cdmweb\ or %ProgramsDir%WeirdOnTheWeb\. The only file from the list which it found was C:\temp.txt, which had a creation timestamp of Thursday, December 23, 2004, 4:21:31 PM. When I renamed that file, Bazooka no longer reported the presence of Exploit searchterror.com on the system. Since it didn't find any registry entries associated with the malware, I believe the report was a false positive.
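A check script along the lines of the one described above, added here as an example; it is not the author's searchterror-files.bat, which the post does not reproduce. It assumes an NT-based Windows (2000/XP) running cmd.exe, maps %SystemDir% to %SystemRoot%\System32 and %ProgramsDir% to %ProgramFiles%, and prints the creation timestamp (dir /tc) of any listed file it finds so that an old, pre-existing file like the temp.txt case can be told apart from a fresh drop.

```batch
@echo off
rem Added example (not the author's searchterror-files.bat): look for the files and
rem directories Kephyr lists for Exploit searchterror.com and report creation times.
rem Assumes an NT-based Windows (2000/XP) so cmd.exe, %SystemRoot% and %ProgramFiles% exist.
setlocal
set "SystemDir=%SystemRoot%\System32"
set "ProgramsDir=%ProgramFiles%"
set /a found=0

for %%F in (loader.exe mailz.txt sys.exe tmp.txt trig.dtl winstall.exe) do call :check "c:\%%F"

rem svchost.exe is legitimate in %SystemDir%; only a copy directly in %WinDir% is suspect.
for %%F in (
  weirdontheweb_topc.exe zsettings.dll tool1.exe tool2.exe tool3.exe svchost.exe
  ms1.exe ms2.exe ms3.exe ms4.exe msmsgr2.exe drexinit.dll kernels32.exe vr_sys.dll
  desktop.html dvpd.dll installer_SIAC.exe sasent.dll sasetup.dll
) do call :check "%WinDir%\%%F"

for %%F in (
  latest.exe maxd.exe newdial.exe realupd32.exe realupd_32.exe thn.dll thn32.dll
  tibs.exe vx.tll init32m.exe cssrs.exe abc.exe paytime.exe vxgame1.exe vxgame2.exe
  vxgame3.exe vxgame4.exe win32.exe newdial1.exe zolk.dll ztoolber.dll ztoolbar.bmp
  ztoolbar.xml ~update.exe
) do call :check "%SystemDir%\%%F"

rem Directory indicators: appending "\*" makes IF EXIST test for a directory, not a file.
for %%D in ("%WinDir%\cdmweb" "%ProgramsDir%\WeirdOnTheWeb") do if exist "%%~D\*" (
  set /a found+=1
  echo FOUND directory: %%~D
)

echo.
echo %found% listed item(s) present on this system.
if %found% equ 0 echo No Exploit searchterror.com file indicators found.
endlocal
exit /b

:check
rem %1 is a quoted full path; if it exists, print it with its creation timestamp (dir /tc).
if exist %1 (
  set /a found+=1
  echo FOUND file: %~1
  dir /tc %1 | find /i "%~nx1"
)
goto :eof
```

A hit on a single file with an old creation date, as in the post, is weak evidence on its own; the registry and the remaining indicators still need to be checked before treating the system as infected.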

References:

  1. Exploit searchterror.com
