almagary
Cadet
Joined: Aug 23, 2003
Posts: 3
Location: USA
Posted: Mon Sep 08, 2003 12:27 pm Post subject: "Global-Finder" homepage hijacker (trojan)
For about 10 days, in the midst of dealing with an inbox flooded with 2,200 copies of Sobig.F, I was trying to get rid of a homepage hijacker (apparently a trojan) that kept dumping Google News and putting up "Global-Finder," an adult-oriented directory/search page.
I'm a reasonably competent user and can even edit the registry, but I found this trojan was well designed and disguised--and very hard to get rid of on my own. I would no sooner quarantine a suspected .exe file and delete the dozen registry entries than it would come back (every 24 hours, it seems).
As of 9/6/03 Ad-Aware and McAfee were not programmed to find it and delete/quarantine it.
First, I learned how this trojan works by reading the discussion at http://www.computing.net/security/wwwboard/forum/6234.html, which has the latest news on this hijacker.
Next, I got the CWShredder utility (by the author of the Ad-Aware anti-spyware program and the HijackThis scanning utility) at:
http://www.spywareinfo.com/articles/cws/
When I installed this small utility, the welcome screen gave me a choice to Scan Only (which I did for safety as well as the educational value, to see where the trojan had been hiding--which was all over), and then I clicked Next (to proceed with removal).
That was four days ago and I haven't had any problems since. Google News is once again my home page.
Good luck!
almagary
San Francisco
BillC
1st Responder
Premium Member
Joined: Jun 25, 2003
Posts: 432
Location: Atlanta, Ga.
Posted: Sat Sep 13, 2003 7:04 pm
Great info. It is nice to hear about things that work and I know CWS does its job.
You might be surprised to know that the author of HijackThis and CoolWebShredder, Merijn, is a 22-year-old Dutch student that does this for fun. A nice guy too.
Damn Trojans
Guest
Posted: Wed Sep 17, 2003 2:02 pm Post subject: Global Finder Nightmare
After trying every AD Ware out there and then some I finally found CW Shredder. Spyware didn't work, Ad Ware didn't work. I installed CW Shredder and it did a complete search and found every trace of this little nightmare. It found and removed the associated embedded files like BOOT, msinfo and all the .hta files. I recognized all the files on the results from what others had said to look for on other message boards and it removed them all. I rebooted and IE settings are normal and my homepage is there. It worked! Amazing! I would like to find the F*****R who created this crap. I am on day three without Global-Finder. God Bless
Scud
Guest
Posted: Wed Sep 17, 2003 6:57 pm Post subject: Dutch Assmuncher
So out with his email address, I'd like to write him a thank you letter! Hey, why not his home address, I'd rather file a class action lawsuit to put this waste of flesh behind bars. Anyone with me in burning this dipsh*t at the stake?
BillC wrote:
Great info. It is nice to hear about things that work and I know CWS does its job.
You might be surprised to know that the author of HijackThis and CoolWebShredder, Merijn, is a 22-year-old Dutch student that does this for fun. A nice guy too.
Scud
Guest
Posted: Wed Sep 17, 2003 7:01 pm Post subject: Re: Dutch Assmuncher
After reading that, it made no sense. Merijn you're a god! What I meant is I want the guy's head that wrote the trojan. Need to cut back on the booze.
Scud wrote:
So out with his email address, I'd like to write him a thank you letter! Hey, why not his home address, I'd rather file a class action lawsuit to put this waste of flesh behind bars. Anyone with me in burning this dipsh*t at the stake?
BillC wrote:
Great info. It is nice to hear about things that work and I know CWS does its job.
You might be surprised to know that the author of HijackThis and CoolWebShredder, Merijn, is a 22-year-old Dutch student that does this for fun. A nice guy too.
BillC
1st Responder
Premium Member
Joined: Jun 25, 2003
Posts: 432
Location: Atlanta, Ga.
Posted: Thu Sep 18, 2003 9:47 am
I get what you mean. I can't help with the home address of the trojan writer, but I can give you Merijn's - . He is a very talented young man.
BillC
lou_balou
Guest
Posted: Thu Sep 18, 2003 11:36 am Post subject: thank you!
thanks so much for helping me get rid of the problem!
greggo
Guest
Posted: Thu Sep 18, 2003 12:03 pm Post subject: pertinent info
I've dug up some information on the person responsible for the Global Finder fiasco. Although repetitive application of electroshock to the scrotum would be the appropriate way to deal with the situation, perhaps there are less Saudi Arabian means of creating positive change. Personally I have no idea of what legal steps can be taken, but perhaps somebody on this thread with more insight into such matters can find this useful.
domain: global-finder.com
status: production
organization: General Suomen Laatuporssi Oy
owner: Niiko Johtaja
email:
title: Mr.
address: Runeberginkatu 732/56
city: HELSINKI
postal-code: 00260
country: FI
admin-c: #0
tech-c: #0
billing-c: #0
nserver: a.ns.joker.com 194.176.0.2
nserver: b.ns.joker.com 194.245.101.19
nserver: c.ns.joker.com 194.245.50.1
registrar: JORE-1
created: 2003-07-28 13:08:27 UTC JORE-1
modified: 2003-07-29 15:27:39 UTC JORE-1
expires: 2004-07-28 09:08:10 UTC
source: joker.com
houston
Guest
Posted: Thu Oct 02, 2003 11:04 am Post subject: cw shredder
Found this program after searching and searching. Computer on some websites was slow, jumpy, scrolling was delayed (Fox, CNN, etc.), a whole bunch of crap going on.
Ran this download and wham!!!! Computer has never been better.
Pass it on.
RUN THIS PROGRAM!!!!!!!!!!!!!!!! IT WORKS.
Run Google, ask about CWShredder, click on and follow steps.
(I have been hassled by a pop-up "Globalweb search" / I hope this stops this constant problemo - time will tell.)
just me
Guest
Posted: Tue Oct 07, 2003 1:51 am
I ran the program before when I had the problem; worked great... got the problem AGAIN, ran it... it DID NOT fix it, what the hell?
phoenix22
General
Premium Member
Joined: Mar 08, 2002
Posts: 4521
Location: "DEROS"
Posted: Fri Oct 10, 2003 4:45 am
here's the whole enchilada from Mike:
By: Mike Healan
July 9, 2003
Updated August 6, 2003
CWS is a trojan that hijacks Internet Explorer start and search settings to one of several different web sites (see below). Most of these web sites appear to have an affiliate relationship with coolwebsearch.com in which coolwebsearch pays them for every visitor they refer. There could be other domains involved in the future.
This hijack is similar to the datanotary.com hijack discovered last month. As with datanotary, the CWS hijack sets Internet Explorer to use a custom style sheet containing JavaScript that opens a pop-up window. In fact, we believe the trojan involved with CWS is an updated version of the same malware involved with datanotary.
In the original variant, the start and search settings were changed to an address in which the letters are converted into an unreadable mess of numbers and % symbols to hide the domain name from the user. It also made it difficult to blacklist the domain. Internet Explorer is able to translate the symbols and load the hijacker's web site.
An executable file named bootconf.exe is copied to the \windows\system32\ folder and set to load at startup. Even if you fix the hijack, this file will reinstall it the next time it is loaded.
More current variants also install a small web server, contained in a file named svchost32.exe. It adds several Google addresses (google.de, google.ch, google.ca, etc.), search.yahoo.com, and search.msn.com to the HOSTS file, telling Windows that the IP address for those sites is 127.0.0.1, which is where its web server is listening.
Yet another variant hijacks Internet Explorer's SearchHook setting with a file named dnsrelay.dll. This redirects all search and start page settings to allhyperlinks.com.
Finally, the trojan lists the hijacker's web site in Internet Explorer's trusted security zone. Domains listed in the trusted security zone have no restrictions on what they can do. This allows that web site to have virtually unlimited access to the infected computer's file system.
We believe the source of the infections might be ActiveX drive-by installers located on pornographic web sites, or possibly trojan programs pretending to be illegal serial number generators. Unfortunately, this is just speculation for now.
This trojan is detected by Computer Associates antivirus products under the following names:
Win32.Startpage.C
JS.CSSPopup.B
JScript/IEstart.Trojan
Win32/IEstart.Trojan
Removal Instructions
Merijn, author of HijackThis and StartupList, has created CW Shredder specifically to remove this parasite. Please make certain that all browser and folder windows are closed before using CWShredder. If any symptom of the problem remains afterward, then follow the directions below. If you have any problem with CWShredder, please ask for help in our Support Forums.
This article is located at http://www.spywareinfo.com/articles/cws/
Hijacker Web Sites
The following web sites have been found in log files of people infected with this trojan. To the best of our knowledge, they are all affiliated with coolwebsearch.com.
193.125.201.50, 1stpagehere.com, 66.250.130.194, adulthyperlinks.com, allhyperlinks.com, approvedlinks.com, bannedhost.net, bestcrawler.com, cantfind.com, carsands.com, cool-web-search.com, coolfreepage.com, coolwebsearch., coolwwwsearch., couldnotfind.com, defaultsearch.net, dev.ntcor.com, drvvv.com, ewebsearch.net, findloss.com, findwhat.com, firstbookmark.net, freebookmark.net, freebookmarks.net, global-finder.com, globesearch.com, gratis-porn-movie.com, hardloved.com, itseasy.us, jethomepage.com, jetseeker.com, kazaa-lite.ws, martfinder.com, mature50.com, mommykiss.com, mywebsearch.net, noblindlinks.com, nocensor.com, ok-search.com, pedo.ws, runsearch.com, search-2003.com, search.xrenoder.com, searchdesire.com, searchnow.ws, searchv.com, searchxp.com, sharempeg.com, sixroads.com, slawsearch.com, slotch.com, stopxxxpics.com, super-spider.com, super-websearch.com, the-exit.com, the-huns-yellow-pages.com, topsearcher.com, unipages.cc, web-search.tk, white-pages.ws, youfindall.com, youfindall.net, yourbookmarks.info, and yourbookmarks.ws
Links:
http://security.kolla.de/ :: Spybot
http://www.lavasoft.de/ :: Ad-aware
http://www.spywareinfo.com/articles/datanotary/ :: Datanotary article at SWI
http://www.spywareinfo.com/~merijn/files/hijackthis.zip :: HijackThis
http://www.spywareinfo.com/~merijn/files/cwshredder.zip :: CWShredder
http://www3.ca.com/virusinfo/virus.aspx?ID=35839 :: Computer Associates virus info page
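The article quoted in the post above names two symptoms a defender can check for without any special tool: well-known search hostnames mapped to 127.0.0.1 in the HOSTS file (so the trojan's local web server answers instead), and an Internet Explorer start page whose letters are hidden behind "numbers and % symbols". The Python script below is an added example written for this thread; it is not code from the original posts, from CWShredder or from Spyware Info. It assumes the obfuscation the article describes is ordinary URL percent-encoding, takes its watched search hosts and hijacker domains from the article's own lists, and runs against a constructed HOSTS sample and a constructed start-page value so it can be tried offline.

```python
"""Added example: flag two CoolWebSearch (CWS) symptoms described in the quoted article.

1. HOSTS-file lines that point search engines at a loopback address.
2. A percent-encoded Internet Explorer start page that hides the hijacker's domain.

Assumption: the "numbers and % symbols" in the article are standard percent-encoding.
All sample data below is constructed for the demonstration.
"""
from urllib.parse import unquote, urlsplit

# Search hosts the article says the trojan redirects to its local web server.
WATCHED_SEARCH_HOSTS = {
    "google.de", "google.ch", "google.ca", "search.yahoo.com", "search.msn.com",
}

# Subset of the domains from the article's "Hijacker Web Sites" list.
KNOWN_HIJACKER_DOMAINS = {
    "global-finder.com", "coolwebsearch.com", "allhyperlinks.com",
    "searchv.com", "datanotary.com",
}

LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS content, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def find_redirected_search_hosts(text):
    """Return the watched search hostnames that HOSTS maps to a loopback address."""
    hits = {name for ip, name in parse_hosts(text)
            if name in WATCHED_SEARCH_HOSTS and ip in LOOPBACK}
    return sorted(hits)


def decode_start_page(value, max_rounds=5):
    """Undo percent-encoding (bounded, in case of double encoding) and return
    the readable URL together with its hostname."""
    decoded = value
    for _ in range(max_rounds):
        step = unquote(decoded)
        if step == decoded:  # nothing left to decode
            break
        decoded = step
    host = (urlsplit(decoded).hostname or "").lower()
    return decoded, host


def is_known_hijacker(host):
    """True if host equals, or is a subdomain of, a listed hijacker domain."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_HIJACKER_DOMAINS)


def scan(hosts_text, start_page):
    """Run both checks and return the findings as one dict."""
    decoded, host = decode_start_page(start_page)
    return {
        "redirected_search_hosts": find_redirected_search_hosts(hosts_text),
        "start_page_decoded": decoded,
        "start_page_host": host,
        "start_page_is_hijacker": is_known_hijacker(host),
    }


# Constructed HOSTS content; the loopback lines mimic what the article describes.
SAMPLE_HOSTS = """\
# constructed sample, not taken from a real machine
127.0.0.1       localhost
127.0.0.1       google.de google.ch
127.0.0.1       search.yahoo.com
127.0.0.1       search.msn.com
203.0.113.10    intranet.example     # ordinary static entry, not loopback
"""

# Constructed start-page value: "http://global-finder.com/" with every letter percent-encoded.
SAMPLE_START_PAGE = "http://%67%6c%6f%62%61%6c%2d%66%69%6e%64%65%72%2e%63%6f%6d/"

if __name__ == "__main__":
    for key, val in scan(SAMPLE_HOSTS, SAMPLE_START_PAGE).items():
        print(f"{key}: {val}")
```

On a real machine the HOSTS text would be read from the system's hosts file and the start page from the browser's configured value; the two checks are independent, so a clean HOSTS file with an encoded start page (or the reverse) is still reported.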
Guest
Posted: Fri Oct 10, 2003 6:42 pm
Found to whom it may concern at: Info com corp., ITX co., and e at: infocom; they are the founders of the blessed globalfinders! Where are hackers when you need them!
nergard
Cadet
Joined: Oct 26, 2003
Posts: 1
Location: USA
Posted: Sun Oct 26, 2003 11:43 am Post subject: cwshredder solved my scrolling problems
For months now, I have been experiencing jumpy, delayed, slow scrolling. In fact, I seemed to always be waiting for the computer to respond in a lot of different areas while using Internet Explorer. It all started when one day my homepage had mysteriously been changed automatically to global finder. I went in and changed it back, but noticed the scrolling problems at a later date, and didn't put the two together. The homepage never changed again, but the scrolling problems persisted. In searches, I finally got a hit on Google and was directed to this forum. Most of the posts were concerning the homepage being changed, but one mentioned the scrolling issue. CWShredder was recommended and I quickly gave it a shot. To make a long story short, it worked. After installing, it pointed out that most of the files infected by this trojan horse were ok, but that some of them were corrupt. Anyway, the download worked. Thanks to all those that were involved in creating CWShredder. And to the jerk that put this trojan horse out there, Shame On You!!
Guest
Guest
Posted: Sat Nov 08, 2003 6:51 am
Hmmm...well I have tried the shredder, but that doesn't work! It removes everything, but my AVG still picks up on the 2 Trojans in my _RESTORE folder, which I have no idea about. I can't delete them and they are hidden as well. I've also tried antitrojan software, but that didn't do anything either...any suggestions? P.S. I also got it through global finder - hate that website.
CalamityJane
Security Expert
Premium Member
Joined: Oct 05, 2002
Posts: 2327
Location: Central Florida, USA
Posted: Sat Nov 08, 2003 7:01 am
Hello Guest
First, you need to disable the System Restore feature and run AVG again. Let it find those two trojans and it will put them in the virus vault where they are rendered harmless and can be deleted.
Here are the instructions for disabling system restore, depending on your Operating System.
Please post back here with your results
Disabling Windows XP AutoRestore feature
http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml
In Windows Millennium there was a new feature introduced called System Restore. The new Windows XP has this feature. It creates backup copies of the essential system files so they can be restored if they get corrupted. Sometimes this makes disinfection difficult as backup files can get infected and copied to the System Restore folder by Windows. Then after disinfection Windows will copy the infected file back over the clean ones.
System Restore feature can be disabled using the following steps:
1. Select Start/My Computer.
2. Click on "View system information".
3. Select the tab "System Restore".
4. Check the "Turn off System Restore on all drives" checkbox and click "Apply" button.
5. The program asks if you want to turn off System Restore. Click "Yes" button.
6. "Drive settings" has now turned to grey. Click "OK" button.
7. Windows XP System Restore feature is now disabled.
The System Restore feature can be enabled again with the same steps. At step 4 you have to uncheck the "Turn off System Restore on all drives" checkbox.
..............................
Disabling System Restore on Windows ME
http://www.europe.f-secure.com/v-descs/sfc_dis.shtml
In Windows Millennium there was a new feature introduced called System Restore. Windows ME creates backup copies of the essential system files so they can be restored if they get corrupted. Sometimes this makes disinfection difficult since the backup files can get infected. In those cases Windows will copy the infected file in the place of the clean one.
This feature can be disabled with the following steps
1. Right-click on the My Computer icon and select Properties
2. In the System Properties windows select the Performance tab
3. Click on File System... button
4. In the Filesystem Properties window select the Troubleshooting tab
5. Check the Disable System Restore checkbox
6. Click Apply button
7. Close the windows using the Close button
8. Click Yes when prompted for reboot
The System Restore feature can be enabled again with the same steps. At step 5 you have to uncheck the Disable System Restore checkbox.
Powered by phpBB 2.0.8a © 2001 phpBB Group
Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops