
Thread: http://www.master-search.com/

  1. #1

    http://www.master-search.com/

    Has anyone noticed what they got up on their page now:

    Having problems?
    Please use this utility for the removal

    Note: you need the internet connection to be alive.
    After running the removal utility please restart your browser.

    During the removal operation your personal info will NOT be sent over the internet

    If you got the problems with homepage hijacking - it is the results of failed experiment. It is not because of your computer system security.
    Our team is apologizing for the inconvenience. And sorry at all.

    Paulo

  2. #2
    Join Date
    Aug 2003
    Location
    Northern California
    Posts
    13,429
    What utility? Failed experiment?
    If your experiment gets out on the Internet and screws up our PCs it is not an "experiment", it is OUR reality.

    I would not trust your utility because you/your "team" are SCREW UPS. (that is just my opinion, but I figure I am entitled to it)
    Last edited by PrntRhd; 04-13-2004 at 03:26 PM.

  3. #3
    Join Date
    May 2002
    Location
    2.37 Million Light Years from M31, USA
    Posts
    2,803
    Hi PrntRhd-
    Unless I'm totally missing this thing, I think Paulo2002 was simply pointing out what the infamous page says now- (but not making use of the "Quote" button).

    I don't think he has anything to do with the site.
    Then again, I may have missed both yours and his point....Whatever the case, the message on the site that he quotes, (and which I went to), is very interesting nonetheless.
    ~ I had a life once...Now I have a computer and a modem ~

  4. #4
    Join Date
    Aug 2003
    Location
    Northern California
    Posts
    13,429
    Jabber,

    I ran their little "utility" after Budfred posted it, just to see what would happen on my WIN98SE machine and had my home page frozen for 2 days until I figured out how to unlock it.
    Spybot then found a "common hijacker" exploit, received from the removal tool itself.

    The anger is directed at whomever is involved at the website.
    Last edited by PrntRhd; 04-13-2004 at 03:39 PM.

  5. #5
    Join Date
    May 2002
    Location
    2.37 Million Light Years from M31, USA
    Posts
    2,803
    I hear you about the site....It was suspicious to me from the start, I just don't think Paulo2002 has anything to do with it.
    Has anyone noticed what they got up on their page now:
    (EDIT) Never mind....I see your addition now. Sorry, guess I'm just confused.
    ~ I had a life once...Now I have a computer and a modem ~

  6. #6
    Join Date
    Aug 2003
    Location
    Northern California
    Posts
    13,429
    I understand your point.

  7. #7
    Yeah sorry I forgot to use the quote button... I was pointing out they now seem to be taking the blame for the spreading of the bug... Very annoying but yet interesting bug seeing as it's left almost everyone without a clue of how to get rid of it even after checking out that so-called remove utility.
    Paulo

  8. #8
    Join Date
    Aug 2003
    Location
    Northern California
    Posts
    13,429
    ok, I am back under control now

  9. #9
    Join Date
    May 2002
    Location
    2.37 Million Light Years from M31, USA
    Posts
    2,803
    Well, since it appears you're not one of the bad guys....Welcome to the forums Paulo2002!

    And PrntRhd...Sorry I made this thing more confusing than it needed to be.
    (Edit) Hehe, we're playing tag now....You just slipped in there before me.
    There- I think we're caught up now.
    ~ I had a life once...Now I have a computer and a modem ~

  10. #10
    Join Date
    Aug 2003
    Location
    Northern California
    Posts
    13,429
    Jabber,
    Just was extremely frustrated by the hijack included in a removal tool.
    I had to unlock the checkboxes in Spybot's Immunize page to get my IE home page back to normal and then found the hijacker. Not normal behaviour of Spybot by any means. I tried to repair IE6.0 and it said it was corrupted, and was forced to remove and reinstall it. I am still getting a Windows Update that won't stick.

  11. #11
    I thought that the removal tool had been checked over by more than a few people and that it was safe to use?
    Paulo

  12. #12
    Join Date
    May 2002
    Location
    2.37 Million Light Years from M31, USA
    Posts
    2,803
    Unbelievable...I can certainly understand your frustration. That page looked very creepy to begin with when their supposed "fix" was posted.

    I'm just grateful I don't have the "original" Hijacker or I might have been tempted to try it myself.
    This is all so crazy....Down the road, I'd love to know how it all fits together.

    (EDIT) Well, Paulo2002....I never got the feeling it was something safe to use. In fact, "aboutblank", another new member, had a post in the original thread that made me leery from the start about ever trying it.

    Something that you had to "wait up to two hours" for it to work made it sound like some kind of voodoo medicine to me.
    Last edited by jabarnutcase; 04-13-2004 at 04:23 PM.
    ~ I had a life once...Now I have a computer and a modem ~

  13. #13
    Join Date
    Aug 2003
    Location
    Northern California
    Posts
    13,429
    It changed my homepage with a redirect from yahoo.com to MSN.com, greyed out the selection in Internet Options so it could not be changed.

    I knew I was in trouble when the button came up after running it saying "Have a nice day"

    I thought that the removal tool had been checked over by more than a few people and that it was safe to use?
    Budfred thought it was safe too, I was not the only one fooled.

  14. #14
    Join Date
    May 2002
    Location
    2.37 Million Light Years from M31, USA
    Posts
    2,803
    I knew I was in trouble when the button came up after running it saying "Have a nice day"


    That's a bummer...I'm sorry though, this last post of yours made me laugh. Honest, I didn't mean it!
    I'll be serious now.

    Yes, right after Budfred posted it, I brought it to his attention that it might not be a good idea and he agreed...(I think)
    ~ I had a life once...Now I have a computer and a modem ~

  15. #15
    Join Date
    Aug 2003
    Location
    Northern California
    Posts
    13,429
    It didn't have the smiley though.

  16. #16
    Join Date
    Jul 2002
    Location
    Minn
    Posts
    17,373
    Sorry guys, I was going on Shadowwar's recommendation and he usually knows what he is talking about with this stuff. What it is beginning to look like is that it really does remove the MasterSearch exploit, but installs a bunch of other garbage in the process... really nasty bugger.... It appears that a more legitimate fix is getting close with a lot of high powered people working on it. Keep your fingers crossed...
    Budfred ..... Caveat Emptor....

    Helpful links SpywareBlaster... HijackThis... ATF Cleaner...

    Post a complaint about malware here!!
    So how did I get infected in the first place??

    MS MVP 2006 and ASAP member since 2004...

    If you PM me for help, expect an irritated response... Post in the forum...

  17. #17
    Join Date
    Aug 2003
    Location
    Northern California
    Posts
    13,429
    Sorry guys, I was going on Shadowwar's recommendation and he usually knows what he is talking about with this stuff. What it is beginning to look like is that it really does remove the MasterSearch exploit, but installs a bunch of other garbage in the process
    No problem Budfred, you are one of the good guys, and we were trying anything and everything to try to help. Did you see how I got the homepage back up though? Weird stuff.

  18. #18
    Join Date
    Jul 2002
    Location
    Minn
    Posts
    17,373
    PrntRhd,

    Actually, that is normal behavior for Spybot's Immunize function. It locks your homepage from changes to prevent hijackers from changing it...
    Budfred ..... Caveat Emptor....


  19. #19
    Join Date
    Aug 2003
    Location
    Northern California
    Posts
    13,429
    Budfred,
    That's just it, it locked in the hijack redirect, not the normal home page from changes. Exactly the opposite of what it is supposed to do!
    Last edited by PrntRhd; 04-14-2004 at 12:56 AM.

  20. #20
    Join Date
    Oct 2001
    Location
    Portland
    Posts
    585
    As a heads up, it either "function calls" or modifies certain .dll files.
    I included a simple hex text of what the file contained.

    If any of those .dll files are acting funny, you'll know why.

  21. #21
    Join Date
    Oct 2001
    Location
    N of the S of Ireland
    Posts
    20,504
    Anyone know yet, how this baby was delivered onto your systems?? or where from?? or did a stork just fly by??
    Take nice care of yourselves - Paul - ♪ -
    Help to start using BiNG. Some stuff about Boot CDs & Data Recovery Basics & Back-up using Knoppix.

  22. #22
    Join Date
    Oct 2001
    Location
    Portland
    Posts
    585
    I downloaded the executable from the web site. http://www.master-search.com

    I didn't actually run it though. If another legitimate web site said it was clean, maybe.

    Then again, I haven't had a problem with my browser and wouldn't see the need to run it.

  23. #23
    Join Date
    May 2002
    Location
    2.37 Million Light Years from M31, USA
    Posts
    2,803
    Anyone know yet, how this baby was delivered onto your systems?? or where from?? or did a stork just fly by??
    Excellent question Paul! I really haven't been able to find out much information about exactly what happened to cause all of this chaos...Or from where it came.
    And.....
    Then again, I haven't had a problem with my browser......
    Thankfully, same here. And as I mentioned in another thread...(perhaps too forcefully), I would have needed a whole lot more confirmation that the "fix" available from MasterSearch was legit before I ever used it.
    The whole thing just looked very suspicious to me....and still does with its "apology" message, and very little other information on the main page. (maybe there's more after you click on their link....Never got that far.)
    ~ I had a life once...Now I have a computer and a modem ~

  24. #24
    Join Date
    Aug 2000
    Location
    GreatNorthWoods
    Posts
    2,883
    Well, you guys know me. I had to do it. I went to the master-search page, downloaded and ran the tool. It downloads access.exe. Once I ran it, it disappeared off my desktop. Kind of spooky. So I rebooted and when I started up IE my start page was redirected to MSN.

    Here is a HJT log from before I did it:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:53:01 PM, on 4/16/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll

    And here is a HJT log from after I did it:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:04:26 PM, on 4/16/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll

    I don't know why they redirect to MSN but there it is.

    What is it all about? I haven't got a clue...
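
The before/after comparison in the post above can be done mechanically rather than by eye. The following is an added example, not part of the original thread or of HijackThis itself: it parses two HijackThis logs and reports the processes and entries that differ. The function names are hypothetical, and the sample input is a shortened excerpt of the two logs above.

```python
import re

# Entry lines look like "R0 - ..." or "O4 - ...": R0/R1 are IE start/search
# page values, O2 is Browser Helper Objects, O4 is autostart entries.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_hjt(text):
    """Return (processes, entries) from one HijackThis log as two sets."""
    procs, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if line.lower().startswith("running processes"):
            in_procs = True
        elif m:
            in_procs = False
            entries.add((m.group(1), m.group(2)))
        elif in_procs and line:
            procs.add(line.upper())  # Win9x paths are case-insensitive
    return procs, entries

def diff_hjt(before, after):
    """Report what appeared and what vanished between two logs."""
    (bp, be), (ap, ae) = parse_hjt(before), parse_hjt(after)
    return {"new_processes": sorted(ap - bp), "gone_processes": sorted(bp - ap),
            "new_entries": sorted(ae - be), "gone_entries": sorted(be - ae)}

def browser_setting_changes(diff):
    """New R0/R1 lines: IE start/search page values worth reviewing first."""
    return [e for e in diff["new_entries"] if e[0] in ("R0", "R1")]

# Shortened excerpts of the two logs in the post above (URLs truncated as posted).
BEFORE = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""
AFTER = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

if __name__ == "__main__":
    for kind, items in diff_hjt(BEFORE, AFTER).items():
        print(kind, items)
```

Run on the full logs, the same diff shows that the O2, O4, O9 and O12 lines are identical in both scans and that only the R0/R1 Internet Explorer values and the process list differ.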

  25. #25
    Join Date
    Aug 2003
    Location
    Northern California
    Posts
    13,429
    Exactly what it did to me! If you uncheck spybot immunization "lock home page" and run spybot you may find a hijack. You may also find a problem with one Windows Update KB823559 after running that exe file.
    Last edited by PrntRhd; 04-16-2004 at 04:54 PM.
