SpaceQuery.com

Posted: March 30, 2012

SpaceQuery.com is another revamp of a ring of scam sites that fake search engine functions to display advertisements, affiliate sites and other self-serving links. While its search interface may look harmless enough, SpaceQuery.com has been blacklisted due to its association with other suspicious sites and due to playing host for harmful software, including browser hijackers. If your browser searches are redirected to SpaceQuery.com or you've had any other type of contact with SpaceQuery.com, we suggest that you scan your PC to identify and remove any PC threats that may have been installed by SpaceQuery.com or one of its many clones. Delay in this necessary cleanup procedure may not only cost you control over your own web searches, but can cause your computer to be unusually vulnerable to other browser-based attacks in the future.

What an Honest Look at SpaceQuery.com Will Show – to This Search Engine's Detriment

Based on casual inspection, SpaceQuery.com does at least look like a safe search engine, but SpaceQuery.com's landing page is an open book that reads like a sordid tale of unwarranted hostility. As a copy of other confirmed and blacklisted scam search engines like Zwankysearch.com, Zinkzo.com, SpaceQuery.com, Zwangie.com, Kwanzy.com, WinkZink.com, Zinkwink.com and BrowserQuery.com, SpaceQuery doesn't have anything worthwhile to offer you as far as search results are concerned. The only thing that SpaceQuery.com's links truly offer is a chance at some profit for SpaceQuery.com's web masters by displaying advertisements and other types of junk content. SpywareRemove.com malware analysts recommend that you use strong browser security to protect against browser hijackers and scan your PC with appropriate diagnostic software after any trip, whether deliberate or not, to SpaceQuery.com.

How to Tell When You've Got a SpaceQuery.com Problem

The most common danger from SpaceQuery.com is that of a browser hijacker that reroutes your online searches through fake search engines like SpaceQuery.com. This browser hijacker may be identified by Adware.Zwunzi!gen1, especially in cases where it's manually installed. At the time of this writing, all variants of SpaceQuery.com-related browser hijackers are only able to attack Windows PCs, although most types of web browsers are vulnerable to SpaceQuery.com redirects.

Other than redirects to SpaceQuery.com, there may be few or no symptoms of the presence of a SpaceQuery.com-affiliated PC threat that's installed on your computer. SpywareRemove.com malware researchers recommend using anti-malware software, rather than manual techniques, to find and delete any browser hijacker, since disabling add-ons and other such manual methods are likely to leave components of the PC threat intact.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%AppData%[trojan name]toolbarstat.log

File name: %AppData%[trojan name]toolbarstat.log
Mime Type: unknown/log

%AppData%[trojan name]toolbardtx.ini

File name: %AppData%[trojan name]toolbardtx.ini
Mime Type: unknown/ini

%AppData%[trojan name]toolbarlog.txt

File name: %AppData%[trojan name]toolbarlog.txt
Mime Type: unknown/txt

%AppData%[trojan name]toolbarpreferences.dat

File name: %AppData%[trojan name]toolbarpreferences.dat
File type: Data file
Mime Type: unknown/dat

%AppData%[trojan name]toolbarguid.dat

File name: %AppData%[trojan name]toolbarguid.dat
File type: Data file
Mime Type: unknown/dat

%AppData%[trojan name]toolbarstats.dat

File name: %AppData%[trojan name]toolbarstats.dat
File type: Data file
Mime Type: unknown/dat

%AppData%[trojan name]toolbaruninstallIE.dat

File name: %AppData%[trojan name]toolbaruninstallIE.dat
File type: Data file
Mime Type: unknown/dat

%AppData%[trojan name]toolbaruninstallStatIE.dat

File name: %AppData%[trojan name]toolbaruninstallStatIE.dat
File type: Data file
Mime Type: unknown/dat

%Temp%[trojan name]toolbar-manifest.xml

File name: %Temp%[trojan name]toolbar-manifest.xml
Mime Type: unknown/xml

%AppData%[trojan name]toolbarversion.xml

File name: %AppData%[trojan name]toolbarversion.xml
Mime Type: unknown/xml

%AppData%[trojan name]toolbarcouponscategories.xml

File name: %AppData%[trojan name]toolbarcouponscategories.xml
Mime Type: unknown/xml

%AppData%[trojan name]toolbarcouponsmerchants.xml

File name: %AppData%[trojan name]toolbarcouponsmerchants.xml
Mime Type: unknown/xml

%AppData%[trojan name]toolbarcouponsmerchants2.xml

File name: %AppData%[trojan name]toolbarcouponsmerchants2.xml
Mime Type: unknown/xml

Registry Modifications

The following newly produced Registry Values are:

HKEY..\..\{CLSID Path}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}ProgID "[trojan name]IEHelper.UrlHelper.1"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115} "UrlHelper Class"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}InprocServer32 "C:PROGRA~1WINDOW~4ToolBar[trojan name]dtx.dll"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7} "[trojan name] Toolbar"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}VersionIndependentProgID "[trojan name]IEHelper.UrlHelper"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{99079a25-328f-4bd4-be04-00955acaa0a7} "[trojan name] Toolbar"HKEY..\..\..\..{Subkeys}HKEY_LOCAL_MACHINE\SOFTWARE\Classes[trojan name]IEHelper.DNSGuardHKEY_LOCAL_MACHINE\SOFTWARE\Classes[trojan name]IEHelper.DNSGuard.1HKEY_LOCAL_MACHINE\SOFTWARE\Classes[trojan name]IEHelper.DNSGuardCurVerHKEY_LOCAL_MACHINE\SOFTWARE\Classes[trojan name]IEHelper.DNSGuardCLSIDHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar "[trojan name] Toolbar"