Re: BuyDomains.com > Seeq.com Hijack

From: Fred Marshall (fmarshallx_at_remove_the_x.acm.org)
Date: 08/09/04


Date: Sun, 8 Aug 2004 16:51:26 -0700

I think I finally got rid of it. It is mysterious enough that maybe this
will give a hint:

Spybot S&D found a DSO Exploit that it seemed to fix but really didn't. A
second scan would reveal this one DSO remaining.

The items listed were:
Data source object exploit
HKEY_USERS\S-15-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
HKEY_USERS\S-15-21-746137067-160690848-854245398-1004\Software ... and the same as above thereafter
HKEY_USERS\S-15-20\Software ... and the same as above thereafter
HKEY_USERS\S-15-19\Software ... and the same as above thereafter
HKEY_USERS\DEFAULT\Software ... and the same as above thereafter

Each of these had a string entry labeled "1004" and there was no information
evident that associated these entries with buydomains.com or its IP address.
There were many more entries with labels like this one... 1200, 1201, 1400,
etc. but they were all DWORD entries. So, the 1004 string-type entry stood
out like a sore thumb.

I deleted each of them manually and the problem went away.

I hope this helps someone!

Fred

"Fred Marshall" <fmarshallx@remove_the_x.acm.org> wrote in message
news:OU9CHEuZEHA.2444@tk2msftngp13.phx.gbl...
> See thread entitled:
>
> Normal / virus / hijack? ... here in microsoft.public.security.virus
>
> and, please post responses there.
> (This post is to get the key words in the Subject line for visibility)
>
> Description of problem:
>
> Type in a *bad URL* ending in .net or .org
> Instead of getting a benign Error page / page not found, you get directed
> to:
> www.BuyDomains.com and then, if you wait a few seconds,
> a second window is opened for
> www.seeq.com
> when you close the second window, you will be asked:
> Do you want to make www.seeq.com your home page? Yes_ No_
>
> Anyone else with this problem?
> Any known solutions?
>
> Many people do not see this problem - including computers using the same
> name servers as those who *do* see it - so it probably isn't the name server
> you're using. It is probably resident malware / hijack.
>
> Trying to raise the visibility on this issue.
> Trying to find a solution for getting rid of it.
>
> Fred
>
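
The check described in the post (a string-type "1004" entry among DWORD zone settings) can be run as a read-only audit across every loaded user hive. This is an added example, not part of the original post; it assumes that four-character numerically named zone settings are expected to be DWORD, as the post observed for the other entries, and it changes nothing in the registry.

```powershell
# Added example: read-only audit of Internet Settings zone values.
# Assumption: zone settings named with four hex digits (1004, 1200, 1A00, ...)
# are expected to be REG_DWORD; any other type is reported for review.
$zonesSubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

$findings = foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    # $hive.Name looks like HKEY_USERS\<SID>; build a provider-qualified path from it.
    $zonesPath = "Registry::$($hive.Name)\$zonesSubKey"
    if (-not (Test-Path -LiteralPath $zonesPath)) { continue }

    foreach ($zone in Get-ChildItem -LiteralPath $zonesPath -ErrorAction SilentlyContinue) {
        foreach ($name in $zone.GetValueNames()) {
            # Skip descriptive values (DisplayName, Icon, ...) that are legitimately strings.
            if ($name -notmatch '^[0-9A-Fa-f]{4}$') { continue }

            $kind = $zone.GetValueKind($name)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                [pscustomobject]@{
                    Hive = $hive.PSChildName   # SID or .DEFAULT
                    Zone = $zone.PSChildName   # 0 through 4
                    Name = $name
                    Kind = $kind
                    Data = $zone.GetValue($name)
                }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No non-DWORD zone settings found.'
}
```

Run it from an elevated session so that the service-account hives under HKEY_USERS are readable; hives of users who are not logged on are not loaded and will not be covered.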


