CWS Variants
Unzy
April 20th, 2004, 06:56 AM
Lately new strains of CWS variants are following each other very rapidly.
They are becoming harder and harder to clean because they are using all sorts of tricks to prevent scanning tools from detecting or properly removing them (like re-infection).
It's getting more difficult now for Merijn to update CWShredder (http://www.spywareinfo.com/~merijn/files/CWShredder.exe), both because of the more complex coding and the amount of new types/variants that appear on a very regular basis.
Bear in mind that experts are working around the clock looking for successful removal tips and prevention fixes.
This means however, that as long as the shredder is not updated, victims will be advised to clean their infection manually. Although experts and more savvy computer people are used to working in the registry and all sorts of tools which involve editing in Windows, it will be more and more difficult for the normal computer user to clean up once he/she is infected. Advice given by experts may look rather complex; when having any doubts whatsoever, don't hesitate to ask for more advice.
Expert people in this area (on this board) who are more closely involved in analysing and know the latest details are :
Pieter Arntz (aka Metallica on other numerous boards)
dvk01
shadowwar
Feel free to contact one of the mods if you have any questions. They are all very knowledgeable and will at least be able to point you in the correct direction :
dave38, puff-m-d, wizard, Technodrome, JacK, Dan Perez, MickeyTheMan, Detox, Unzy, snowbound, snapdragin, rodsoto, bigc73542
Below follows a summary of those new strains of more complex CWS variants, beginning with the drxcount one, which seems to be the first one to introduce a whole new set of invisible CWS hijacks and tricky coding. I will try to give the most common instructions summed up by experts. Some of them work very well, others are a bit complex. Some work for user X, while user Y complains of a re-infection after following the exact same instructions.
Note :
After cleaning a CWS infection always check your 'Favorites' folder for added porn links***
A list of all known CWS domains can be found here :
http://users.skynet.be/bk136527/CWS/CWSdomains.htm
Unzy
April 20th, 2004, 06:59 AM
drxcount.biz / real-yellow-page.com
A great place to start, where we gathered all info together with infected users, is a topic started by Pieter Arntz (Metallica). It shows the investigation of expert people nicely evolving from sleepless nights to successful removal instructions! If you are interested in reading the developments you can check it here :
Click Me (http://boards.cexx.org/viewtopic.php?t=4493)
Usually, the following instructions are given now :
{QUOTE->
If your browser has been hijacked to drxcount.biz, real-yellow-page.com or list2004.com:
We are working on a fix for this one and drawing near to a solution. This is by far the most sophisticated CWS variant seen to date, and it will take some time before CWShredder will be able to remove it automatically.
So far, the following manual fix should work:
Download PrcView here: http://www.spywareinfo.com/~merijn/files/pv.zip, unzip it to the desktop.
Be sure to have at least 1 Internet Explorer window open, then double click on the runme.bat.
Notepad will open with a log in it. Look for a line with this file, size and beginning to it.
The filename will always be different:
winajbm.dll 61c00000 61440 c:\windows\system32\winajbm.dll
This part indicates the bad file:
61c00000 61440
It will always start with that header.
Write down the filename behind it.
Now download KillBox:
http://download.broadbandmedic.com/VbStuff/KillBox.zip
Unzip and run it.
Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot".
On the next screen, click on the File menu and choose "Add File". The file you copied earlier should now show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.
After rebooting, make sure the file is gone.
<-QUOTE}
Unzy
April 20th, 2004, 07:00 AM
CWS.Systeminit variant - (hijacks to your-search.info, in some cases to another CWS domain)
Note* : CWShredder takes care of this successfully so far
Responsible entries in a HijackThis log :
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = hxxp://www.your-search.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.your-search.info/start.html
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - Global Startup: sytem32.exe (note the spelling!)
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
Log examples :
HERE (http://forums.techguy.org/showthread.php?threadid=215138&ed266d67047dce68f3216b2bbb5fe356)
HERE (http://www.spywareinfo.com/forums/index.php?showtopic=36742)
Unzy
April 20th, 2004, 07:03 AM
About:blank / linklist.cc
This is a very complex hijack to solve for now, as only manual instructions are given. Please only follow instructions when you are guided by an Advanced or Expert member!
Responsible entries in a HijackThis log :
R0 and R1 entries pointing to the following similar looking location : res://C:\WINDOWS\System32\kfiokk.dll/sp.html
O2 - BHO: (no name) - {54DDBEA0-AAE2-43A1-9076-3F064D0DEA55} - C:\WINDOWS\System32\kfiokk.dll*
* the dll is randomly named for each victim, and shows as an O2 - BHO in a HijackThis log.
Although the entries in a HijackThis log are pretty obvious, the tricky part of this variant is a cleverly disguised re-infection method, after a certain amount of time when the victim connects again to the internet.
The methods so far all failed to give a 100% clean result, even with an updated shredder for this particular variant, so I'm not gonna bother to list them here, as experts are now in the middle of looking for answers, as we speak. As soon as we have a successful removal method, this topic will be updated.
For those interested I can inform what we gathered so far :
It all comes down to these two files :
{QUOTE->
1. The randomly named BHO file (a .dll) in the system (win9x/ME) or system32 (win2k/XP) folder with the corresponding ClassID's (in some logs there were up to 11 morphed ones!)
2. The AppInit_DLLs entry, a registry key which points to a hidden dll located in the system/system32 folder, responsible for the re-infection.
<-QUOTE}
The key is :
Trying to make this superhidden dll visible so it's removable! Lately, it seems best to start with the removal of this dll, before following other instructions!
*UPDATE!
Shadowwar has pulled dllfix, too many bugs and variants within the hijack itself are making it impossible to work properly.
It's best to post your problem at the corresponding forums and wait until you get a response from an expert for further guidance.
Download and run AdAware : http://www.lavasoft.de/software/adaware/ (make sure you have the latest updates); after doing so, post your HijackThis log.
Old fix : (keeping this here, just in case)
As we are drawing near a successful removal method, this is the canned fix of procedures to follow :
(Note that at this time only manual instructions are given and they can be somewhat complex)
© freeatlast :
*for win2k / XP (win98 is at bottom)
{QUOTE->
1.)
***Identifying the file***
http://freeatlast.100free.com/index.html
Download find-all.exe (win2k/xp only!)
run findall.cmd and post log
At this point, based on "output.txt"
and "windows.txt" we should have the file name:
***Removal***
Based on the "System info" header in
"Find-All", 'Fat32/NTFS', can pick the best course of action.
--2K/XP/Pro/home/Fat32/Ntfs ALL can use Recovery console.
I will not list the steps, some users would need guidance
and for some it may not be an option .
--2K/XP/Pro/home/Fat32< only (minority, most likely)
Can go to bootdisk.com make Win95/98 startup disk, and
nuke the file by accessing the partition with
basic known good ol' dos commands!
=============================================
***If NOT using Dos/RC option***:
The only known working way, currently is by
renaming the 'Windows' key-- Applies to both fat/ntfs
supported sys.
Tools:
1.) Registrar Lite (http://www.resplendence.com/reglite)
2.) RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer) By PepiMK, (also known from SpyBot S&D!)
Same procedure in both tools to
rename the key, erase data, rename back, followed
by RESTARTING the computer! :
{QUOTE->
-Run reglite : type--
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
into the address bar, or expand the same key.
-Rename the Folder Windows
to NotWindows highlighted as a purple folder
in the left hand pane of reglite.
-Click "AppInit_DLLs" again and clear the data value:
C:\WINDOWS\System32\xxxxxxx.dll (random named dll) <- delete this line ,
'Apply' and 'ok' to set.
-Rename the NotWindows folder back to its
original name Windows
-Restart computer
Check in the system32 folder if the culprit dll is visible
<-QUOTE}
***Delete File***
Only needed for:
--2K/XP/NTFS< !
--Move file+Modify its permissions:
1.) Go to your root drive: C:\ and create
new folder,
Name it: "junk"
Download, unzip to folder and run WinFile.zip (http://www10.brinkster.com/expl0iter/freeatlast/WINFILE.zip) (note : for win2k/xp!)
Expand and navigate to System32 folder.
You need to navigate by Double clicking to expand.
When in System32 click top menu: File>Select files
Copy and paste to the box:
xxxxx.dll hit select-
Find and hilite that file.
Lastly, try this: Menu -File>move...
In From: Copy/paste:
C:\WINDOWS\System32\xxxxxx.dll
To: Copy and paste:
C:\junk\xxxxxx.dll
And hit ok.
Close Winfile and check in C:\junk for that file.
2.)
RightClick on the
junk\"xxxxxxx.dll"/Properties/Security/permissions\
advanced,
and take ownership giving yourself-> 'Full control'.
(Preferably to Administrators 'group')
3.)
Shadowwar wrote:
{QUOTE->
-Right click the "junk folder" folder itself.
-hit properties.
-go to the security tab and click the advanced button.
-check the box-
to reset permissions on all child objects.
Hit apply.
ok your way out.
File can now go bye bye!
<-QUOTE}
4.)
Delete file+junk folder.
-------------------------------------------------------------------------
--WinXP home edition/NTFS (only!):
Must Follow last Steps# 2-4 in Safe Mode
in order to access security tab.
(Alternatively run cacls.exe, if familiar)
--2K/XP/All-versions/Fat32< only,
Can simply find and delete the file after
restart! (skip all 'winfile' &onward steps!)
=======================================
***ALL platforms/sys that
renamed the 'Windows' key:***
--Because we renamed it, Windows REMOVED defaults
security settings on this key and
allowed the 'everyone' group read access!
(Just as if new key was created)
(regedt32 started alerting me that the "new" key
settings are incompatible with windows! )
***Repair***:
--*WinXP/Pro/Home:
-> regedit.exe-> RightClick 'Windows'->
->Security/permissions/Advanced
*Win2K ->regedt32-> hilite 'Windows' key->
->top menu->Security
->permissions->Advanced tab
--------------------------------------------------------------
UNcheck: "inherit permissions" box,-> Select
COPY on next prompt!
(That will restore last saved settings in database)
-Hilite "Everyone" (group/only!)->Select-> REMOVE!
-Hit 'Apply and 'ok' on all check boxes.
*Sample pix correct/incorrect settings added to \'Find-All\' link.
<-QUOTE}
*WIN98
Tools :
Win98Fix (http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm)
StartDreck (http://members.blackbox.net/hp_links/21/nikolaus.rameis/download/startdreck.htm)
{QUOTE->
**Identify file:**
Download: "StartDreck", unzip!
DoubleClick: 'StartDreck.exe'
Hit: config
hit: Unmark all
Check these boxes only:
Registry->run keys
System/drivers> Running processes
hit >ok.
Check specifically for this entry in the log :
{QUOTE->
»Local Machine
»RunServicesOnce
**ozkc=rundll32 C:\WINDOWS\SYSTEM\XXXXX.DLL,StreamingDeviceSetup
<-QUOTE}
After identifying the dll, proceed with :
-Download: "Win98Fix.zip", Unzip!
-DoubleClick on: 'RunFix.reg' file, hit 'yes'
on the prompt!
-Restart computer!
-File should be visible!
-Do 'find files' for dll listed on log, delete.
*Note: Be sure to Save the StartDreck log before, so
you'd be able to find the file later!
If lost (Since nothing else will find it when not hooked)
Simply run the included: "who.bat", file
will be found & listed
in "Badfile.txt".
<-QUOTE}
It should be located in C:\WINDOWS\SYSTEM\XXXXX.dll
Note* Please follow instructions carefully, doublecheck before you delete and make sure you have a backup of your registry : HERE's How (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617)
Unzy
April 20th, 2004, 07:04 AM
enjoysearch
Responsible entries in a HijackThis log :
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.enjoysearch.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.enjoysearch.info
O4 - HKLM\..\Run: [jushed32] C:\WINDOWS\jushed32.exe <- win9x/ME
O4 - HKLM\..\Run: [jushed32] C:\WINDOWS\system32\jushed32.exe <- win2k/XP
Other variants have also been spotted, responsible for the enjoysearch hijack :
O4 - HKLM\..\Run: [xvwiz32] C:\WINNT\system32\xvwizard32.hta
O4 - HKCU\..\Run: [xvwiz32] C:\Documents and Settings\{user's name}\{folder name}\xvwizard32.hta
O4 - HKLM\..\Run: [xxxvid] C:\WINDOWS\system32\xxxvideo.hta
O4 - HKCU\..\Run: [xxxvid] C:\Documents and Settings\{user's name}\{folder name}\xxxvideo.hta
Shredder should take care of this when updated
Log examples :
HERE (http://www.wilderssecurity.com/showthread.php?p=161847)
HERE (http://www.wilderssecurity.com/showthread.php?p=160478)
HERE (http://forums.techguy.org/showthread.php?p=1557156)
HERE (http://www.spywareinfo.com/forums/index.php?showtopic=32381)
Edit by DVK01: main problem with this one is that the O4 entry doesn't show in the HJT log.
The jushed32.exe does show in running processes, and once you have stopped it running and deleted it, the O4 appears so it can also be fixed.
Unzy
April 20th, 2004, 07:06 AM
wholeworldmarket (CWS.Systeminit.2)
Responsible entries in a HijackThis log :
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.wholeworldmarket.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.wholeworldmarket.com/search/top/
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\sysdll32.exe
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
Note* : CWShredder tackles this one as of version 1.56.3
Log examples :
HERE (http://boards.cexx.org/viewtopic.php?t=5759&highlight=wholeworldmarket)
HERE (http://computercops.biz/modules.php?&name=Forums&file=viewtopic&p=144433)
dvk01
April 20th, 2004, 09:39 AM
Freednshost
Responsible entries in a HijackThis log :
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = hxxp://freednshost.info/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://213.159.118.226/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://freednshost.info
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = hxxp://213.159.118.226/sp.php
O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\Help\svchost.exe -sr -0
O4 - HKCU\..\Run: [Network Service] C:\WINDOWS\Help\svchost.exe -sr -0
O8 - Extra context menu item: Debt Solutions - hxxp://213.159.118.226/tools.php?qq=Debt+Solutions
O8 - Extra context menu item: Party Poker - hxxp://213.159.118.226/tools.php?qq=Party+Poker
O8 - Extra context menu item: Party Poker.com - hxxp://213.159.118.226/tools.php?qq=Party+Poker.com
O13 - DefaultPrefix: hxxp://freednshost.info/page/
O13 - WWW Prefix: hxxp://freednshost.info/page/
O19 - User stylesheet: C:\WINDOWS\system32\g02q.l24
Not always shown in a Hijackthis log is a hosts file redirect to various porn sites. Some logs do show this hosts file (/edit Unzy) -> example HERE (http://boards.cexx.org/viewtopic.php?t=5908)
Log examples :
HERE (http://www.wilderssecurity.com/showthread.php?p=158399)
Unzy
April 22nd, 2004, 04:31 AM
e-finder.cc, tadstore.cc and rightfinder.net (CWS.Addclass.2)
Note* : The shredder is updated to deal with this particular variant
Responsible entries in a HijackThis log :
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://homepage.com%00@www.e-finder.cc**/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = hxxp://homepage.com%00@www.e-finder.cc**/search/ (obfuscated)
etc...
(I've put ** in the url to disable it)
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddCLS.exe
O13 - DefaultPrefix: hxxp://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: hxxp://%65%68%74%74%70%2E%63%63/?
Log example : (It's on a Dutch forum, but the log shows in English with a few Dutch words, like : 'links' = 'koppelingen' etc.)
HERE (http://www.helpmij.nl/forum/showthread.php?postid=1061738#post1061738)
Unzy
April 22nd, 2004, 04:47 AM
start.chm / MSITStore (MasterSearch)
A new type of CWS variant that uses an exploit to reset a user's homepage.
More info HERE (http://www.securityfocus.com/bid/9658/exploit)
Responsible entries in a HijackThis log :
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
A workaround for this exploit is provided HERE (http://netsecurity.about.com/cs/generalsecurity/a/aa021504.htm)
There should be an official Microsoft patch soon; please keep an eye out for updated patches at windowsupdate.com
NOTE* : A removal tool (remove.exe) is offered on their site which seems legit and does work; however, it is believed it creates a GUID (Global Unique IDentifier) which can always 'distinguish' a user, meaning : they can track you down and follow your actions on the net, kinda like WMP.
NOTE 2*: CWShredder removes start.chm and start.html as of version 1.56.3. It does not always cure the hijack (yet).
Log example :
HERE (http://computercops.biz/modules.php?name=Forums&file=viewtopic&p=137852)
HERE (http://www.wilderssecurity.com/showthread.php?p=161042)
EDIT: It seems that there is normally a file in the temp directory that has something to do with this one as well so also clear out the temp folder
on W2K & XP it will be C:\Documents and Settings\user name \Local Settings\Temp
on 9x/ME systems c:\windows\temp
on XP/W2k select and delete everything in the folder
on 9x systems select everything except temporary internet files folder and cookies folder
You will need to do the cleaning for every account holder on the computer
Update** :
Shadowwar has come up with a fix for this particular hijack :
{QUOTE->
Please download this to fix the start.chm hijack.
http://tools.zerosrealm.com/startchmfix.exe
Download it. Run it and extract the folder to the desktop preferably.
Open the folder after extracted.
Double click the fix.bat
Please make sure all Internet Explorers are closed.
Only run it once or you will lose the backups although they shouldn't be needed.
<-QUOTE}
Notepad will open at the end with a message and the bad file listing at the end. Ask the user to post the contents of that notepad box.
Unzy
April 22nd, 2004, 12:53 PM
runwin32.exe, wininet32.exe (write-up by Pieter Arntz)
Hijacks to a CWS domain (searchmeup, easy-search.biz etc)
Responsible entries in a HijackThis log :
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.searchmeup.com/search.php?aid=1057
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.searchmeup.com/search.php?aid=1057
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS.000\wininet32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS.000\runwin32.exe
The tricky part here is that it overrides your proxy settings! :
{QUOTE->
After removing the files you have to uncheck the proxy to get your internet connection back.
<-QUOTE}
Note* : The shredder should be updated for this soon
Log example :
HERE (http://www.wilderssecurity.com/showthread.php?p=163492#post163492)
Unzy
April 23rd, 2004, 11:03 AM
OsbornTech Popup Blocker
This is a fake entry created by CWS, mainly to try and trick HijackThis analysers into not fixing this entry, so re-infection could be easier or clean-up wouldn't be proper.
Responsible entry in a HijackThis log :
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
(Notice the mshelper.dll to identify it)
Note* : The shredder is updated and should take care of this entry.
Log example :
HERE (http://computercops.biz/modules.php?name=Forums&file=viewtopic&p=137954)
HERE (http://www.spywareinfo.com/forums/index.php?showtopic=39375)
Unzy
April 23rd, 2004, 11:13 AM
nkvd.us
A classic one that is spreading around now again with some more tricky coding added to it, more specifically the mtwirl.dll / mtwirl32.dll file (use KillBox to clean that one up).
Responsible entries in a HijackThis log :
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://nkvd.us/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://nkvd.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://nkvd.us/
etc...
O13 - DefaultPrefix: hxxp://www.nkvd.us/
O13 - WWW Prefix: hxxp://www.nkvd.us/
O13 - Home Prefix: hxxp://www.nkvd.us/
O13 - Mosaic Prefix: hxxp://www.nkvd.us/
O19 - User stylesheet: c:\windows\my.css
Fix these entries with HijackThis, restart PC in Safe Mode and manually remove mtwirl.dll / mtwirl32.dll (in system/system32 folder)
Use this registry fix after clean-up :
{QUOTE->
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"=-
<-QUOTE}
Log examples :
HERE (http://forums.net-integration.net/index.php?showtopic=13050&st=0&#entry64235)
HERE (http://computercops.biz/modules.php?name=Forums&file=viewtopic&p=137954)
Unzy
April 23rd, 2004, 07:10 PM
msole.dll
Hijacks to a CWS domain (R0 and R1 entries in a HijackThis log), using an O2 BHO
Responsible entries in a HijackThis log :
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.payfortraffic.net**/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.payfortraffic.net**/mainsearch.htm
(added ** to disable URL)
O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS\System32\msole.dll
Log example :
HERE (http://www.xonio.com/forum/thread.html?bwthreadid=625786)
Unzy
April 27th, 2004, 06:44 AM
searchpage.html
Another variant that has been spotted which looks like a combo of nkvd.us and master-search.
Responsible entries in a HijackThis log :
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html#1504
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html#1504
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html#1504
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1504
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html#1504
etc...
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
Those are the only visible entries in that log.
Still awaiting how shredder deals with this and for more info about the possible culprit of this hijack (dll).
Update* :
The fake OsbornTech has been spotted with this one as well :
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
Log examples :
HERE (http://boards.cexx.org/viewtopic.php?p=30098#30098)
HERE (http://boards.cexx.org/viewtopic.php?p=30489#30489)
Unzy
April 30th, 2004, 05:33 AM
CHP.DLL
Symptoms :
-Explorer has caused an error in CHP.DLL, which causes Internet Explorer to crash. (Thnx to bad coding probably :) )
-Messes with Windows media Player (WMP) (not working properly anymore)
Stripping the UPX packed file revealed the following link : lookingfor.cc/search.php, which is a CWS domain
Removal :
Unregister the dll
Visible entries in a HijackThis log :
None
Update* : It's not a randomly named dll; other people were experiencing the error message as well, referring to this dll. Most likely a result of bad coding from one of the variants.
Log Example :
HERE (http://www.spywareinfo.com/forums/index.php?showtopic=43872&st=0&#entry220132)
Unzy
May 12th, 2004, 05:32 AM
IEengine.exe (hijacks to a CWS domain)
Drops the exe in the Internet Explorer folder in Program Files to make it look as legit as possible
Responsible entries in a Hijackthis log :
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://your-searcher.com/index.htm
etc.
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
*Shredder should be updated soon for this
For those who are interested, a disassembly report after unpacking the exe(done by Mo) can be downloaded HERE (http://computercops.biz/modules.php?name=Forums&file=download&id=975)
Log example :
HERE (http://forums.techguy.org/showthread.php?p=1628616#post1628616)
Also spotted with (not always present though):
O4 - Global Startup: winlogin.exe
CWShredder normally finds and deletes those 2 in XP/W2K but it needs manually fixing in ME/9X
Pieter_Arntz
May 15th, 2004, 05:28 PM
mrhop.dll
Although it looks very similar to the variant described in post 4, it works differently.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {33B13F77-E06C-4C6F-B347-EBF7CE2BC08F} - C:\WINDOWS\mrhop.dll
Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm
In the upper window select explorer.exe
In the lower window find and rightclick mrhop.dll
Select Unload DLL and click OK on the prompts that follow.
Close all windows except HijackThis and fix the lines above.
Reboot and scan with AdAware.
Unzy
May 19th, 2004, 12:54 AM
system32.dll (jksearch.biz , greatsearch.biz)
Responsible entries in a Hijackthis log :
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://jksearch.biz/redir.php
etc.
*NOTE :
As of HijackThis version 1.98.1 a line similar to this will show:
O21 - SSODL: System - {1F0B125B-7C1F-4B45-BAE9-20FEEF841480} - C:\WINDOWS\system32\system32.dll
Fixing that will have the same effect as the first line in the clear.reg fix.
c:\windows\system32\system32.dll (win2k / XP)
c:\windows\system\system32.dll (win9x / ME)
Do watch out for other O4 entries related to CWS
{QUOTE->
Copy the contents of the quote box to notepad:
{QUOTE->
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=-
[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]
<-QUOTE}
hit 'save as'
give it the name 'clear.reg'
under the filename set file types to all files.
save it to the desktop.
After done double click the clear.reg
when asked to merge say yes
then find this file:
system32.dll
its probably in one of two locations:
c:\windows\system32\system32.dll
c:\windows\system\system32.dll
and delete it.
Also does the following things! :
1. it drops a hosts file blocking all competitor cws sites.
2. It attacks the updater modules for Antivirus. Please check to make sure the user's Antivirus updates still work.
<-QUOTE}
*NOTE 2 :
We are still waiting to see if this one uses random CLSID tags (for CWShredder); it looks like it uses random
*NOTE 3 Regfile available as attached txt file: http://www.wilderssecurity.com/attachment.php?attachmentid=137126
Log example :
HERE (http://www.computercops.biz/postt42285.html)
HERE (http://forums.techguy.org/t230245.html)
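As an added example that is not part of the thread: the indicators collected in the posts above (hijack domains, dropped executables, BHO DLLs, and the O13/O19/O21 entry types) can be turned into a small HijackThis triage script. The rule wording and helper functions are mine, and the sample log is constructed from entries quoted in the thread rather than taken from a real victim.

```python
import re

# Hijack domains named in the posts above (the thread defangs them as hxxp:// and with **).
CWS_DOMAINS = {
    "drxcount.biz", "real-yellow-page.com", "list2004.com", "your-search.info",
    "linklist.cc", "enjoysearch.info", "wholeworldmarket.com", "freednshost.info",
    "e-finder.cc", "tadstore.cc", "rightfinder.net", "searchmeup.com", "easy-search.biz",
    "nkvd.us", "payfortraffic.net", "lookingfor.cc", "your-searcher.com",
    "jksearch.biz", "greatsearch.biz",
}
# Files the variants above start through O4 entries (Run keys / Global Startup).
CWS_RUN_FILES = {
    "systeminit.exe", "sytem32.exe", "sysdll32.exe", "jushed32.exe", "xvwizard32.hta",
    "xxxvideo.hta", "addcls.exe", "wininet32.exe", "runwin32.exe", "ieengine.exe",
    "winlogin.exe",
}
# BHO DLLs called out above, including the fake "OsbornTech Popup Blocker" (mshelper.dll).
CWS_BHO_FILES = {"mshelper.dll", "msole.dll", "mrhop.dll", "msxmlfilt.dll", "msxslab.dll"}


def hjt_value(line):
    """Value part of an 'R0/R1 - key,name = value' or 'Onn - Label: value' line."""
    m = re.match(r"^(?:R[01] - .*? = |O\d+ - [^:]*: )(.*)$", line)
    return m.group(1).strip() if m else ""


def url_host(value):
    """Host of a (possibly defanged) URL; for the 'fake%00@real' userinfo trick this is the real host."""
    value = value.replace("hxxp://", "http://").replace("**", "")
    m = re.match(r"^(?:https?://)?(?:[^/@\s]*@)?((?:[a-z0-9-]+\.)+[a-z]{2,})", value, re.I)
    return m.group(1).lower() if m else ""


def triage(line):
    """Reason a HijackThis line matches a CWS pattern from the thread, or '' if none applies."""
    line = line.strip()
    value, low = hjt_value(line), line.lower()
    if line.startswith(("R0", "R1")):
        if re.search(r"res://.*\.dll/sp\.html", value, re.I):
            return "search page served from a local DLL resource (about:blank / mrhop.dll family)"
        if value.lower().startswith("mk:@msitstore:"):
            return "start page set through a CHM file (start.chm / MSITStore family)"
        if re.match(r"^(?:file://)?[a-z]:[\\/]", value, re.I):
            return "start/search page is a local HTML file (searchpage.html family)"
        if "proxyserver" in low and value.startswith("127.0.0.1:"):
            return "proxy forced to localhost (runwin32 / wininet32 family)"
        host = url_host(value)
        if any(host == d or host.endswith("." + d) for d in CWS_DOMAINS):
            return "points to CWS domain " + host
    elif line.startswith("O1 ") and "auto.search.msn.com" in low:
        return "hosts file redirects auto.search.msn.com"
    elif line.startswith("O2 "):
        dll = low.rsplit("\\", 1)[-1]
        if dll in CWS_BHO_FILES:
            return "BHO named in thread: " + dll
        if "(no name)" in low:
            return "unnamed BHO, check the DLL by hand (random-named CWS BHOs show as '(no name)')"
    elif line.startswith("O4 "):
        path = re.sub(r"^\[[^\]]*\]\s*", "", value)  # drop the [RunKeyName] label
        exe = path.split("\\")[-1].split()[0].lower() if path.split() else ""
        if exe in CWS_RUN_FILES or exe.endswith(".hta"):
            return "autorun of file named in thread: " + exe
        if exe == "svchost.exe" and "\\system32\\" not in path.lower():
            return "svchost.exe running outside System32 (freednshost family)"
    elif line.startswith("O13 "):
        return "URL prefix hijack: " + value
    elif line.startswith("O19 "):
        return "injected user stylesheet: " + value
    elif line.startswith("O21 ") and low.endswith("\\system32.dll"):
        return "SSODL loads system32.dll (jksearch / greatsearch family)"
    return ""


def triage_log(lines):
    """Return [(line, reason)] for every line a rule fires on."""
    return [(l.strip(), triage(l)) for l in lines if triage(l)]


# Constructed sample log assembled from entries quoted in the thread (not a real victim's log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kfiokk.dll/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.com%00@www.e-finder.cc**/hp/ (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\Help\svchost.exe -sr -0
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
O13 - WWW Prefix: hxxp://www.nkvd.us/
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O21 - SSODL: System - {1F0B125B-7C1F-4B45-BAE9-20FEEF841480} - C:\WINDOWS\system32\system32.dll
""".strip().splitlines()

if __name__ == "__main__":
    for hit_line, reason in triage_log(SAMPLE_LOG):
        print(reason, "<=", hit_line)
```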
Pieter_Arntz
May 19th, 2004, 03:56 AM
CWS related BHO's : (please edit in all cws related BHO's here)
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINNT\System32\msxmlfilt.dll
Also seen, but only once so far:
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\msxslab.dll
Log example: here (http://www.lavasoftsupport.com/index.php?showtopic=27180)
{QUOTE->
Also seen, but only once so far:
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\msxslab.dll
<-QUOTE}
I've seen it as well, Pieter; looks like they are not random.
Accompanied with these :
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: (no name) - {12D02C08-218F-4A11-BDE1-6611ADB7B81F} - C:\WINDOWS\SYS32_~1.DLL
Log example : here (http://www.wilderssecurity.com/showthread.php?p=182524#post182524)
Pieter_Arntz
May 26th, 2004, 02:48 PM
dpe.dll
A new BHO
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINNT\dpe.dll
O13 - DefaultPrefix: www
O13 - WWW Prefix:
dpe.dll also comes in these shapes:
O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\WINDOWS\ietlbass.dll
O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\IETLBASS32.DLL
CLSID is fixed, original filename is dpe.dll
Log example :
Here (http://forums.thatcomputerguy.us/index.php?showtopic=1959)
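The "(obfuscated)" entries in this post and in the e-finder.cc post above use two tricks: a fake userinfo part ending in %00 (the address bar of IE at the time stopped at the NUL, while the request went to the host after the "@"), and a fully percent-encoded host (the O13 prefix in the e-finder.cc post decodes to ehttp.cc). Added example, not from the thread: a decoder that shows the displayed host next to the real one; the function names are mine and the sample lines are constructed from entries quoted in the two posts.

```python
import re
from urllib.parse import unquote, urlsplit


def refang(url):
    """Undo the thread's defanging: 'hxxp://' for http and '**' inserted into hosts."""
    return url.replace("hxxp://", "http://").replace("**", "")


def deobfuscate(url):
    """Split a hijack URL into (host as IE showed it, real host, path).

    'http://homepage.com%00@www.e-finder.cc/search/': everything before '@' is
    userinfo, so the request goes to www.e-finder.cc while the display was cut
    at the NUL after 'homepage.com'.  'http://%65%68%74%74%70%2E%63%63/?'
    hides the host behind percent-encoding; unquote() reveals it.
    """
    parts = urlsplit(refang(url))
    real_host = unquote(parts.hostname or "")
    if parts.username is not None:
        shown = unquote(parts.username).split("\x00")[0]
    else:
        shown = parts.hostname or ""
    return shown, real_host, parts.path or "/"


def is_obfuscated(url):
    """True when what the user would have seen is not where the request actually goes."""
    shown, real, _ = deobfuscate(url)
    return shown.lower() != real.lower()


HJT_URL = re.compile(r"^(?:R[01] - .*? = |O13 - [^:]*: )(\S+)")


def hijack_urls(hjt_lines):
    """URLs from R0/R1 and O13 lines as [(line, shown host, real host, obfuscated)]."""
    out = []
    for line in hjt_lines:
        m = HJT_URL.match(line.strip())
        if not m or not refang(m.group(1)).lower().startswith("http"):
            continue  # res://, mk:@MSITStore: and local paths carry no host
        shown, real, _ = deobfuscate(m.group(1))
        out.append((line.strip(), shown, real, shown.lower() != real.lower()))
    return out


# Constructed sample, assembled from entries quoted in the two posts (not a real log).
SAMPLE = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://homepage.com%00@www.e-finder.cc**/search/ (obfuscated)",
    r"O13 - DefaultPrefix: hxxp://%65%68%74%74%70%2E%63%63/?",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.your-search.info/start.html",
]

if __name__ == "__main__":
    for _, shown, real, obf in hijack_urls(SAMPLE):
        print(("OBFUSCATED " if obf else "plain      ") + shown + " -> " + real)
```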
Unzy
May 27th, 2004, 07:08 PM
{root dir}:/spad/start.html | myexexex.com
Responsible entries in a HijackThis log :
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://www.myexexex.com/search.php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
etc.
Culprit dll :
HPCMDTY.DLL
Most likely in :
C:\WINNT\system32\HPCMDTY.DLL (win2k/xp)
C:\windows\system (win9x/me)
Also been spotted in the temp folder, so watch out for that as well!
C:\DOCUME~1\.....\LOCAL~1\Temp\HPCMDTY.DLL
Fix the entries in HijackThis log (R0 and R1)
Restart PC in Safe mode and remove :
c:/spad/ <- this folder
HPCMDTY.DLL <- this dll
Also do additional search for this file, and remove if present :
c_10230.dll
On win2k / XP systems dropped in the system32 folder!
Use this reg file:
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
[-HKEY_CLASSES_ROOT\CLSID\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
Save it in Notepad as spad.reg and double-click it.
Confirm to merge with the registry.
You can also download this file (http://www.wilderssecurity.com/attachment.php?attachmentid=137184) and rename it to spad.reg
Log examples :
Here (http://www.wilderssecurity.com/showthread.php?t=33927)
Unzy
June 3rd, 2004, 09:35 AM
sysstartup.exe (hijacks to a cwsdomain)
-drops sysstartup.exe in the system/system32 folder
-accompanied by a randomly named BHO dll but a STATIC CLSID:
{A9A674BF-771F-42E5-A440-D20DDA85A862}
-hijacks startpage
-can be spotted with an O16 entry
Responsible entries in a hijackthis log :
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\uubztmiy7mnslh.dll
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
Log examples :
Here (http://boards.cexx.org/viewtopic.php?p=33977#33977)
Here (http://www.wilderssecurity.com/showthread.php?t=33987)
Pieter_Arntz
June 9th, 2004, 03:25 AM
Some BHO's that deliver pornographic content are presumed to be exploited by the CWS crew.
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\windows\iehr.dll
O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - C:\WINDOWS.000\SR.DLL
LOG examples
HERE (http://forums.net-integration.net/index.php?showtopic=16474)
HERE (http://computercops.biz/postitle45535-0-0-.html)
Pieter_Arntz
June 15th, 2004, 02:48 AM
Protocol hijack
Shows in log as:
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}
Related file:
MSXSLAB.DLL
Example log: HERE (http://forum.mks.com.pl/forum/viewthread.php?tid=3807)
Pieter_Arntz
June 15th, 2004, 02:51 AM
This one is pretty straightforward as far as I can tell:
Shows in log as:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-online.net/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-online.net/index.htm
O4 - HKCU\..\Run: [ziphelp] C:\WINDOWS\ziphelp.exe
Log example: HERE (http://www.wilderssecurity.com/showthread.php?t=35994)
Pieter_Arntz
June 17th, 2004, 02:58 AM
Much more complicated. Using two randomly named exe and two randomly named dll files.
Showing up in a HijackThis log:
C:\WINDOWS\system32\javapm.exe
C:\WINDOWS\system32\sysmc32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\usufr.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://usufr.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://usufr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\usufr.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://usufr.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\usufr.dll/sp.html#96676
O2 - BHO: (no name) - {9F9A9343-3D33-369A-6197-FBD7AB9B0FBC} - C:\WINDOWS\system32\sysrm.dll
O4 - HKLM\..\Run: [sysmc32.exe] C:\WINDOWS\system32\sysmc32.exe
The second executable is run as a service named __NS_SERVICE_3 (we have seen __NS_SERVICE_2 a few times as well). In the services window it is listed as Network Security Service. That service installs the BHO dll. When you launch IE for the first time the BHO adds the R0/R1 entries.
log example: HERE (http://www.wilderssecurity.com/showthread.php?t=36583)
NOTE: the files are not necessarily in the System32 folder. We have seen them in the Windows directory as well.
Removal:
Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "" & "". If you find the files, click on them, and then click End Process => Exit the Task Manager.
Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.
Scroll down and find the service called "Network Security Service".
When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":
<insert R* entries>
<insert BHO entry>
<O4 entries for exe's>
Reboot into Safe Mode - How do I boot into "Safe" mode? (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam), and delete the following files:
<insert R* entry dll>
<insert BHO dll>
<insert listed exes>
Reboot in Normal Mode.
Download the file attached to this post and rename it to cwsuninst.reg
Doubleclick it and confirm you want to merge it with the registry.
Run HijackThis again and post a new log.
Extra notes
If given full internet access this variant will delete:
- your hosts file (good replacements can be found here (http://www.mvps.org/winhelp2002/hosts.htm) or here (http://webpages.charter.net/hpguru/hosts/hosts.html))
- Spybot S&D's BHO (download SDHelper.dll (http://www.spywareinfo.com/~merijn/winfiles.html), put it in the Spybot folder (default is: C:\Program Files\Spybot - Search & Destroy\) and click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" > OK
- control.exe: follow instructions here: http://www.spywareinfo.com/~merijn/winfiles.html#control
Another extra note:
In the latest variant it’s possible that the service changed its name.
Currently known service-names are:
- Workstation Netlogon Service
- Remote Procedure Call (RPC) Helper
As you may notice they are mimicking legit (and very much needed) services, so be careful what you stop.
Pieter_Arntz
June 19th, 2004, 06:19 AM
Another about:blank variant
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {FD90346B-9BF1-4018-A409-6F86439A7333} - C:\WINDOWS\System32\jbpoe.dll
Log example: HERE (http://forums.maddoktor2.com/index.php?showtopic=548)
Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm
Close all windows except HijackThis and fix the lines above.
Then start APM.
In the upper window select explorer.exe
In the lower window find and rightclick the BHO from the HijackThis log
Select Unload DLL and click OK on the prompts that follow.
Reboot and scan with AdAware to remove the txt and html protocol association.
NOTE: this variant, or one that is impossible to discern in a log, now also comes with a hidden dll starting from the AppInit_DLLs key like some of the other about:blank variants
Pieter_Arntz
July 31st, 2004, 08:48 AM
Using a BHO with a fixed CLSID
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://super-spider.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\j4rc9cgvcr5pkc.dll
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O15 - Trusted Zone: *.greg-search.com
O20 - AppInit_DLLs: (C:\WINDOWS\system32)aroc94t1s8.tlb
Log example: HERE (http://spywarewarrior.com/viewtopic.php?t=4337)
NOTE: This variant adds pornsites to your favorites, kills off all your other BHO's and adds a lot of 0 byte files.
Still doing some tests for removal, but so far it looks like fixing the items in the log and removing the files in the log plus %Windir%\bad3074.exe takes care of the hijack.
Use AdAware's smart system scan to remove some unpleasant additions to your favorites and some registry keys.
A slightly newer variant is being spread. Extra line(s)
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\System32\64302.exe (filename is a random number)
O4 - Global Startup: winlogin.exe (Also seen in combination with other variants)
In this newer version it is not always possible to remove the file starting from the AppInit_DLLs location.
Renaming the file will allow you to delete it after a reboot.
Pieter_Arntz
October 27th, 2004, 03:22 AM
Very similar to the previous one.
Examples from a log:
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\4GHW4E~1.DLL
O4 - Global Startup: winlogin.exe
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm9.chm::/file1.exe
O20 - AppInit_DLLs: hkc1u73pdb36o.dll
I took the liberty of copying LoPhatPhuud's (http://forum.gladiator-antivirus.com/index.php?showuser=2879) canned speech for this one:
{QUOTE->
Go Here: http://download.broadbandmedic.com and download Pocket KillBox
Run Killbox.exe and be sure that 'Delete on Reboot is checked'
Copy and paste each of the following file(s) to the address bar:
<*** insert files ***>
After each file press the 'Delete' icon to the far right of the address bar
A dialog box will ask if you want to delete and reboot now - on all but the last file, answer 'No'
For the last file (or first, if only one file), answer 'Yes'
On restart, verify that the files have been deleted
Second:
Launch Notepad.
Copy/paste the text in the box below into a new text file.
Save it as fixme.reg on your Desktop
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin6.DNSErrObj.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Melcosoft]
Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully"
Third:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.
Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked.
While still in Safe Mode*, delete the following: (you may need to show hidden files**)
*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.
Reboot in normal mode.
HiJackThis version 1.98.2 is now available.
If you do not already have it installed, download it from here:
http://www.computercops.biz/downloads-file-328.html
http://tomcoyote.org/hjt/
Run HiJackThis again and post a new log in this thread.
Addendum:
There are also some zero (0) byte files that this exploit leaves behind. They are installed to prevent the competition from re-installing itself. This one removes a lot of other spyware.
The ones that have been seen so far are:
D2KPAX.DLL
BRIDGE.DLL
JAC.DLL
MSXSLAB.DLL
SYSTEM32.DLL
WINLOGIN.EXE
Use DLLCompare by O^E to find them. If they refuse to delete try this batch file:
@echo off
rem Run this from the folder that holds the 0-byte files (normally %SystemRoot%\System32).
rem For each file: clear the hidden/read-only/system attributes, rename it, then delete it.
attrib -h -r -s D2KPAX.DLL
ren D2KPAX.DLL D2KPAX.bad
del D2KPAX.bad
attrib -h -r -s BRIDGE.DLL
ren BRIDGE.DLL BRIDGE.bad
del BRIDGE.bad
attrib -h -r -s JAC.DLL
ren JAC.DLL JAC.bad
del JAC.bad
attrib -h -r -s MSXSLAB.DLL
ren MSXSLAB.DLL MSXSLAB.bad
del MSXSLAB.bad
attrib -h -r -s SYSTEM32.DLL
ren SYSTEM32.DLL SYSTEM32.bad
del SYSTEM32.bad
<-QUOTE}
Stay tuned for changes because work is still being done and they might be necessary.
Pieter_Arntz
November 3rd, 2004, 07:36 AM
Richfind variant.
Log examples:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.richfind.com/home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.richfind.com/home/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R3 - URLSearchHook: Richfind - {3E9AF8C8-21E8-49D3-A4F9-ED3BE2180F5F} - C:\WINDOWS\System32\Q309578.dll
O2 - BHO: Richfind - {1B3D4154-0038-4CF9-AFC2-A00EE7887069} - C:\WINDOWS\System32\Q309578.dll
O3 - Toolbar: Richfind - {1D2535DE-6114-47A8-ADCA-DE775F6CF1B3} - C:\WINDOWS\System32\Q309578.dll
O9 - Extra button: Richfind - {1D2535DE-6114-47A8-ADCA-DE775F6CF1B3} - C:\WINDOWS\System32\Q309578.dll
O18 - Filter: text/html - {5AC4C85E-EDC4-40D1-8611-5958A00E197B} - C:\WINDOWS\System32\Q309578.dll
O18 - Filter: text/plain - {5AC4C85E-EDC4-40D1-8611-5958A00E197B} - C:\WINDOWS\System32\Q309578.dll
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
R3 - URLSearchHook: Richfind - {D7DE3638-927F-47CF-824E-CC94C6A766AA} - C:\WINDOWS\System32\Q2866062.dll
O2 - BHO: Richfind - {1073AD4E-C394-466E-ADA5-017AD9CFA48D} - C:\WINDOWS\System32\Q2866062.dll
O3 - Toolbar: Richfind - {6E732EF6-A1F8-4836-AE75-54B194EEBE56} - C:\WINDOWS\System32\Q2866062.dll
O9 - Extra button: Richfind - {6E732EF6-A1F8-4836-AE75-54B194EEBE56} - C:\WINDOWS\System32\Q2866062.dl
O18 - Filter: text/html - {728189AF-83F1-4771-BB7B-ACAF2F3E9E3E} - C:\WINDOWS\System32\Q2866062.dll
O18 - Filter: text/plain - {728189AF-83F1-4771-BB7B-ACAF2F3E9E3E} - C:\WINDOWS\System32\Q2866062.dll
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
R3 - URLSearchHook: Richfind - {CF258978-39E3-49E0-9D79-BF4A4FDCAA7A} - C:\WINDOWS\system32\Q672390.dll
O2 - BHO: Richfind - {0B17146F-5481-4FB9-A1B3-B6D416868CB8} - C:\WINDOWS\system32\Q672390.dll
O3 - Toolbar: Richfind - {5A0A4CA4-67E3-4FFE-A8B8-229C1BC1D8B2} - C:\WINDOWS\system32\Q672390.dll
O9 - Extra button: Richfind - {00000000-0000-0000-0000-000000000000} - (no file)
O9 - Extra button: Richfind - {5A0A4CA4-67E3-4FFE-A8B8-229C1BC1D8B2} - C:\WINDOWS\system32\Q672390.dll
O18 - Filter: text/html - {262A428B-2061-4A72-96A9-7793FF328968} - C:\WINDOWS\system32\Q672390.dll
O18 - Filter: text/plain - {262A428B-2061-4A72-96A9-7793FF328968} - C:\WINDOWS\system32\Q672390.dll
The CLSID's look to be random, the filenames start with a Q and usually have 6 or more numbers next. (Mimicking Microsoft KB article numbers?)
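Several posts in this thread rely on indicators that survive renaming: the sysstartup and super-spider variants keep a fixed CLSID while the DLL name changes, the ietlbass/dpe.dll family shares one CLSID across three filenames, Richfind names its DLL like a KB article, and droppers such as scvhost.exe and winlogin.exe imitate system binaries. The script below is an added example, not a tool from this thread; it runs those checks over HijackThis log lines. The sample log is constructed from entries quoted in this thread plus one benign placeholder line whose CLSID is made up for the example.

```python
import difflib
import re

# Constructed sample: lines quoted in this thread plus one made-up benign BHO (last line).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\uubztmiy7mnslh.dll
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O2 - BHO: Richfind - {1B3D4154-0038-4CF9-AFC2-A00EE7887069} - C:\WINDOWS\System32\Q309578.dll
O4 - HKLM\..\Run: [scvhost] C:\WINDOWS\scvhost.exe
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: hkc1u73pdb36o.dll
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
"""

# CLSIDs this thread reports as fixed across variants: the DLL name changes, the CLSID does not.
KNOWN_BAD_CLSIDS = {
    "{A9A674BF-771F-42E5-A440-D20DDA85A862}": "sysstartup.exe variant",
    "{467FAEB2-5F5B-4C81-BAE0-2A4752CA7F4E}": "super-spider / greg-search variant",
    "{4C1B116F-2860-46DB-8E6C-B4BFC4DFD683}": "dpe.dll / ietlbass variant",
}
# Legitimate Windows binaries that the droppers in this thread imitate (scvhost, winlogin, SPOOLSVU, SMSSU).
SYSTEM_EXES = ["svchost.exe", "winlogon.exe", "spoolsv.exe", "smss.exe",
               "alg.exe", "explorer.exe", "iexplore.exe"]

LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
KB_LOOKALIKE_RE = re.compile(r"\\Q\d{6,}\.dll$", re.IGNORECASE)  # Richfind: Q309578.dll, Q672390.dll
EXE_RE = re.compile(r"([^\\\s\[\]]+\.exe)\b", re.IGNORECASE)      # bare file name of each .exe in the line


def lookalike(exe_name):
    """Return the system binary that exe_name imitates, or None (an exact name is not a lookalike)."""
    name = exe_name.lower()
    if name in SYSTEM_EXES:
        return None
    close = difflib.get_close_matches(name, SYSTEM_EXES, n=1, cutoff=0.8)
    return close[0] if close else None


def triage(log_text):
    """Return [(section, line_body, [reasons])] for every HijackThis line that trips an indicator."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        for clsid in CLSID_RE.findall(body):
            label = KNOWN_BAD_CLSIDS.get(clsid.upper())
            if label:
                reasons.append(f"known CWS CLSID ({label})")
        if section == "O2" and "(no name)" in body:
            reasons.append("unnamed BHO")
        if KB_LOOKALIKE_RE.search(body):
            reasons.append("KB-number lookalike filename")
        if section == "O20" and "AppInit_DLLs" in body:
            reasons.append("AppInit_DLLs loader")
        if section == "O4":
            exes = EXE_RE.findall(body)
            if exes:
                target = lookalike(exes[-1])
                if target:
                    reasons.append(f"{exes[-1]} imitates {target}")
        if reasons:
            findings.append((section, body, reasons))
    return findings


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {body}\n    -> {', '.join(reasons)}")
```

The CLSID table is the part worth maintaining: a BHO whose CLSID is already known is a hit no matter what the file is called, which is exactly why the thread keeps pointing out which variants use a fixed one. The name-similarity check is a heuristic at ratio 0.8 and is meant to draw the eye, not to decide on its own.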
Pieter_Arntz
December 30th, 2004, 08:30 AM
69sexsearch aka DETECTIVE Searcher aka realsearch.cc
Two main components:
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
and a couple of random entries looking like:
O4 - HKLM\..\Run: [9F2C3C5E] C:\WINDOWS\system32\3dtpanco.exe
O4 - HKLM\..\Run: [8BC6B8CE] C:\WINDOWS\system32\cleuagtvid.exe
O4 - HKLM\..\Run: [D06E6F66] C:\WINDOWS\system32\dsmads.exe
Example log (http://boards.cexx.org/viewtopic.php?p=47876#47876)
Removal is pretty straightforward as long as you remove the two main components in safe mode.
Pieter_Arntz
December 31st, 2004, 10:35 AM
bestsearch
It's characterized by these log entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.53/search.cgi?b12484
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.53/search.cgi?a12484
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.53/search.cgi?a12484
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.53/search.cgi?b12484
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.53/search.cgi?a12484
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.53/search.cgi?a12484
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.53/search.cgi?b12484
O4 - HKLM\..\Run: [scvhost] C:\WINDOWS\scvhost.exe
O4 - HKCU\..\Run: [scvhost] C:\WINDOWS\scvhost.exe
O13 - WWW Prefix: http://69.50.191.50/1/?
O15 - Trusted Zone: *.bestsearch.cc
O15 - Trusted Zone: *.dapsol.com
O15 - Trusted Zone: *.bestsearch.cc (HKLM)
O15 - Trusted Zone: *.dapsol.com (HKLM)
This one requires a special treatment.
(Thought out by TonyKlein)
Copy the text inside the 'Quote' box to Notepad, and save in a location of your choice as Fix.reg (make sure you save as type: 'all files')
{QUOTE-> Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\.exe]
[-HKEY_CLASSES_ROOT\exefile\shell\open]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bestsearch]
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"scvhost"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"scvhost"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://" <-QUOTE}
Now do NOT run the regfile yet, but Start your computer in Safe Mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406) (it may help to print this out), and find and delete these files:
C:\WINDOWS\scvhost.exe.
C:\WINDOWS\windbg.exe.
C:\WINDOWS\Teens Anal ****ing.url.
C:\WINDOWS\SEXXX.url.
C:\WINDOWS\Online Porn.url.
NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show. (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
Next, still in Safe Mode, run Hijack This, and have it fix these items:
blah....
Next, doubleclick the regfile you just created, and answer yes when prompted to add its contents to the Registry.
Restart your computer, and post a fresh log.
NOTE: For Windows 95, 98, ME you want to use the following regfile instead:
{QUOTE-> REGEDIT4
[-HKEY_CLASSES_ROOT\.exe]
[-HKEY_CLASSES_ROOT\exefile\shell\open]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bestsearch]
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"scvhost"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"scvhost"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://" <-QUOTE}
Thanks Tony
Pieter_Arntz
January 10th, 2005, 08:43 AM
my-search4u
Showing in a HijackThis log as:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my-search4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my-search4u.com/index.htm
O4 - HKCU\..\Run: [xncvwgn] c:\windows\gisvyhv.exe
The name of the startup entry and the executable are random.
Invisible damage:
Adds 4 favorites and wipes the contents of the hosts file.
To remove:
Stop the running process, fix the entries in the log and remove both the executable file and the extra URL's in the favorites.
Credit flrman1
Pieter_Arntz
January 14th, 2005, 10:25 AM
ietlbass(32)
Shows up in a HijackThis log as:
O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\WINDOWS\ietlbass.dll
or
O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\WINDOWS\ietlbass32.dll
Seen with some but not necessarily all of these in combination.
O4 - Global Startup: RealAudio.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
I made a regfile to undo (most of) the changes made by registering the dll
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\AddClsReg]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\TLBAssBnxt]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\TLBAssID]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\TLBAssutid]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\MSMsgSvc]
[-HKEY_CLASSES_ROOT\IETLBAss.DOMP]
[-HKEY_CLASSES_ROOT\IETLBAss.DOMP.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C1B116F-2860-46db-8E6C-B4BFC4DFD683}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IETLBAss.DOMP]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IETLBAss.DOMP.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C1B116F-2860-46db-8E6C-B4BFC4DFD683}]
; The SID in the next key is from the machine this file was made on; replace it with the SID
; of the affected account, or remove the same key under HKEY_CURRENT_USER while logged in as that user.
[-HKEY_USERS\S-1-5-21-2900930173-3585485010-497596463-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4C1B116F-2860-46DB-8E6C-B4BFC4DFD683}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{BD0022A3-A43F-4F44-B64F-53EA7575F097}]
Also attached as a txt file.
Pieter_Arntz
January 17th, 2005, 08:33 AM
Several variants using a .hta file in the All Users Startup folder.
I have seen:
O4 - Global Startup: Microsoft.hta
O4 - Global Startup: M-soft Office .hta
O4 - Global Startup: Microsoft Office.hta
O4 - Global Startup: MS Office.hta
All work slightly differently, but the end result is that you get hijacked to a CWS domain.
Install log for Microsoft Windows.hta (http://www.geekstogo.com/forum/index.php?automodule=blog&blogid=43&cmd=showentry&eid=12)
Pieter_Arntz
May 1st, 2005, 08:16 AM
Variant known as StartPage.O (http://www.sarc.com/avcenter/venc/data/pf/trojan.startpage.o.html)
Showing in a HijackThis log as:
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
Other possible set of files:
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
Since these processes guard each other and the trojan attaches itself to explorer and iexplore, this requires a special method of cleaning.
Copy the part below into notepad and save it as unhko.reg
REGEDIT4
[-HKEY_CLASSES_ROOT\CLSID\{60371670-81B9-4d06-9C42-4DEC1AABE62B}]
[-HKEY_CLASSES_ROOT\TypeLib\{4947DDCC-D549-4D0B-9685-AA58B20E9642}]
[-HKEY_CLASSES_ROOT\Interface\{0B6EF17E-18E5-4449-86EA-64C82D596EAE}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\ATLASSstp]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\HTASSstp]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\MSMsgSvc]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SEHLPstp]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\WTLBAstp]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
[-HKEY_CLASSES_ROOT\BHOASS.BHDP]
[-HKEY_CLASSES_ROOT\BHOASS.BHDP.1]
Doubleclick the file and confirm you want to merge it with the registry.
*Click Here (http://www.geekstogo.com/modules.php?modid=5&action=download&id=4) to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\Tmntsrv32.EXE
C:\Windows\explorer32dbg.exe
C:\Windows\iexplore_dbg.exe
NOTE: paths may and will be different for other versions of Windows. Please adjust accordingly
Then fix the entries in HijackThis.
Looks like there is a third variant:
O2 - BHO: ATDP Class - {E3D3AFEE-2172-4ef5-8509-1638AFFF0374} - C:\WINDOWS\atlass.dll
O4 - HKCU\..\Run: [ALG32] C:\WINDOWS\System32\ALG32.EXE
O4 - HKCU\..\Run: [SPOOLSVU] C:\WINDOWS\System32\SPOOLSVU.EXE
O4 - HKCU\..\Run: [ALGU] C:\WINDOWS\System32\ALGU.EXE
O4 - HKCU\..\Run: [SPOOLSV32] C:\WINDOWS\System32\SPOOLSV32.EXE
Credit: Symantec
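Both the bestsearch fix and the unhko.reg above rewrite keys that, if mangled, break every .exe launch or every explorer/iexplore start (the .exe file association and Image File Execution Options), so a forum-supplied .reg file deserves a look at what it deletes and what it puts back before it is merged. The parser below is an added example, not part of any post in this thread: SAMPLE_FIX is a constructed cut-down of the bestsearch file, and BROKEN_FIX is a constructed two-line file reproducing a common paste error, a key line missing its opening '['. Hex continuation lines are not handled; none of the files in this thread use them.

```python
import re

# Constructed sample: the .exe-association part of the bestsearch fix, cut down for the review.
SAMPLE_FIX = r"""Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\.exe]
[-HKEY_CLASSES_ROOT\exefile\shell\open]
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"scvhost"=-
"""

# Constructed sample: a key line that lost its opening bracket when pasted.
BROKEN_FIX = r"""REGEDIT4
-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redalert.here]
"""

HEADER_RE = re.compile(r"^(REGEDIT4|Windows Registry Editor Version 5\.00)$")
KEY_RE = re.compile(r"^\[(-?)([^\[\]]+)\]$")                 # [key] creates, [-key] deletes
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')      # @=... or "name"=... ; data "-" deletes the value

# Keys where a typo in the fix breaks the machine rather than the hijacker.
SENSITIVE_PREFIXES = (
    r"HKEY_CLASSES_ROOT\.exe",
    r"HKEY_CLASSES_ROOT\exefile",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
)


def is_sensitive(key):
    k = key.upper()
    return any(k.startswith(p.upper()) for p in SENSITIVE_PREFIXES)


def restored(key, created):
    """True if a [key] or [key\sub] line later in the file recreates the deleted key."""
    k = key.upper()
    return any(c.upper() == k or c.upper().startswith(k + "\\") for c in created)


def review_reg(text):
    """Parse a .reg file and return what it deletes and creates, plus warnings worth reading first."""
    result = {"format": None, "delete_keys": [], "create_keys": [],
              "delete_values": [], "set_values": [], "warnings": []}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if result["format"] is None:
            m = HEADER_RE.match(line)
            if m:
                result["format"] = m.group(1)
                continue
            result["format"] = "missing"
            result["warnings"].append("line 1: no REGEDIT4 / 5.00 header; regedit will refuse the file")
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            current = key
            (result["delete_keys"] if minus else result["create_keys"]).append(key)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            name = "(Default)" if name == "@" else name[1:-1]
            if data == "-":
                result["delete_values"].append((current, name))
            else:
                result["set_values"].append((current, name, data))
            continue
        result["warnings"].append(f"line {lineno}: not a key or value line (missing '['?): {line}")
    for key in result["delete_keys"]:
        if is_sensitive(key) and not restored(key, result["create_keys"]):
            result["warnings"].append(f"deletes {key} without recreating it")
    return result


if __name__ == "__main__":
    for name, text in (("SAMPLE_FIX", SAMPLE_FIX), ("BROKEN_FIX", BROKEN_FIX)):
        r = review_reg(text)
        print(name, r["format"], "deletes:", r["delete_keys"], "creates:", r["create_keys"])
        for w in r["warnings"]:
            print("  WARNING:", w)
```

The order-of-operations point in the bestsearch post shows up directly in the output: the file deletes HKEY_CLASSES_ROOT\.exe and exefile\shell\open and then rebuilds them, and the reviewer's question is simply whether every sensitive deletion has a matching rebuild later in the same file.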
Pieter_Arntz
May 24th, 2005, 07:19 AM
They are now masquerading as a spyware-remover.
Recognizable in a HijackThis log as:
O4 - HKCU\..\Run: [SpywareNo] C:\Program Files\SpywareNo\SpywareNo.exe
Often accompanied by entries looking like this:
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{EDE84B22-C464-4C10-AB39-23DBD08AA3FB}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{EDE84B22-C464-4C10-AB39-23DBD08AA3FB}\SECURITY.EXE
The CLSID is random.
I'm adding a regfile that should get rid of some of the 'bundled'ware
Copy the part below into Notepad and save it as cwsspyno.reg
REGEDIT4
[-HKEY_CLASSES_ROOT\MediaPass.Installer]
[-HKEY_CLASSES_ROOT\Bridge.brdg]
[-HKEY_CLASSES_ROOT\Bridge.brdg.1]
[-HKEY_CLASSES_ROOT\WinadX.Installer]
[-HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}]
[-HKEY_CLASSES_ROOT\CLSID\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}]
[-HKEY_CLASSES_ROOT\TypeLib\{DDAF2479-6F00-4599-998A-3ED75686C6D0}]
[-HKEY_CLASSES_ROOT\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}]
[-HKEY_CLASSES_ROOT\Interface\{4FDBDBAD-FEFE-4C4C-9CC1-1181052AFB12}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Winad Client]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Winad Client]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wind Updates]
Doubleclick the file and confirm you want to merge it with the registry.
Credit Webhelper (http://www.webhelper4u.com/CWS/cwsmain.html)
Pieter_Arntz
May 30th, 2005, 05:17 AM
Variant known as PremiumSearch aka EasySearch
An installer called l04d3r.exe is dropped and executed using a variant of the "Auto SP2 RC Exploit" covered in http://www.microsoft.com/technet/security/bulletin/MS05-001.mspx
Two files are dropped in :\Documents and Settings\[current user]\Local settings\Temp
The dll is random. The other file is not always present and called winmain.exe
After stripping the attributes (metallica.bat does that), running Cleanup gets rid of all the files.
Proposed fix:
Step 1
*IMPORTANT* Be sure you know how to VIEW HIDDEN FILES (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
Download and unzip http://metallica.geekstogo.com/MADEbyOSC.zip
Run the file by doubleclicking metallica.bat
and post the log.
Do not reboot until someone has looked at your log and given you the next step.
If you have to reboot repeat this part when you are back online.
************************************
**These are the hidden files found**
************************************
De volumenaam van station C is BOOT
Het volumenummer is 88CF-B644
Map van C:\DOCUME~1\Pieter\LOCALS~1\Temp
27-05-2005 22:33 50.688 gjuhmzuhyzm.dll
1 bestand(en) 50.688 bytes
0 map(pen) 27.520.708.608 bytes beschikbaar
************************************
**These are the system files found**
************************************
De volumenaam van station C is BOOT
Het volumenummer is 88CF-B644
Map van C:\DOCUME~1\Pieter\LOCALS~1\Temp
27-05-2005 22:33 50.688 gjuhmzuhyzm.dll
1 bestand(en) 50.688 bytes
0 map(pen) 27.520.704.512 bytes beschikbaar
STEP2
*Click Here (http://www.geekstogo.com/modules.php?modid=5&action=download&id=4) to download Killbox by Option^Explicit.
*Close all Internet Explorer windows
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Standard File Kill and put a checkmark in the "End Explorer Shell While Killing File" box.
<<<<<<<<<<<<<<<Insert dll from metallica.bat>>>>>>>>>>>>>>>>>>>>>>>>>>
*Click the red-and-white "Delete File" button.
*Your taskbar will disappear for a short while
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\bootpd.exe
C:\WINDOWS\system32\scrsvc.exe
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
After the reboot run HijackThis and put checkmarks in front of the following items.
Close all windows except HijackThis and click Fix checked:
O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\DOCUME~1\Pieter\LOCALS~1\Temp\gjuhmzuhyzm.dll
O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\system32\scrsvc.exe
O4 - HKLM\..\Run: C:\WINDOWS\system32\bootpd.exe
Download, install, and run CleanUp! (http://www.spywareaid.com/index.php?file=showsoftware&action=dl&softid=1&softtype=exe)
Download and unzip the hosts file from http://www.mvps.org/winhelp2002/hosts.htm to the folder that is right for your Windows version.
Acknowledge that you want to overwrite the hosts file that is present, except if you were using the hosts file for something useful before this happened.
This is often true in corporate networks; if you are not sure, ask the System Administrator.
If you do not have the Google Toolbar installed, you can delete this folder:
c:\program files\google
If you are running Windows XP SP2, copy the part in bold below into Notepad and save it as AUenabled.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\scrsvc.exe"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PremiumSearch Startpage]
To re-enable Automatic Windows Updates, reset the Security Center settings to default and remove PremiumSearch Startpage from Add/Remove Software, doubleclick that file and confirm you want to merge it with the registry.
To remove PremiumSearch StartPage from Add/Remove Software if you are running a different version of Windows you can use HijackThis.
Click Config > Misc Tools > Open Uninstall Manager > Select PremiumSearch Startpage and click Delete this entry.
Tested on XP SP2 only. That worked.
It is now being tested on win2k and XP SP1
That shouldn't result in any surprises.
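Added as an editorial example (not code from the thread): a parser that turns the .reg fixes posted in this thread into a list of explicit registry operations, so a reader can see exactly what a merge will create, set or delete before double-clicking the file. It handles both header styles used above (REGEDIT4 and "Windows Registry Editor Version 5.00"), the `[-KEY]` delete-key form, `"name"=-` value deletion and `dword:` values; default (`@=`) and `hex:` values are out of scope and raise an error. The embedded samples are the cwsspyno.reg and AUenabled.reg text from this thread; in the first, the CLSID line is reproduced with a space after HKEY_CLASSES_ROOT (a copy/paste slip that regedit would silently fail to match) to show that the parser normalizes it. Nothing in it touches the registry.

```python
import re
from dataclasses import dataclass

# Added example, not code from the thread: list what a .reg merge would do.
#   [KEY]        select/create key      [-KEY]             delete key (recursive)
#   "name"="s"   set string value       "name"=dword:hex   set DWORD
#   "name"=-     delete value           (@= and hex: are not supported)

_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
_KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


@dataclass(frozen=True)
class RegOp:
    action: str            # create_key | delete_key | set_value | delete_value
    key: str
    name: str = ""
    data: object = None


def _normalize_key(path):
    # Whitespace around a path component ("HKEY_CLASSES_ROOT \CLSID\...") makes
    # regedit look for a key that does not exist; strip it from every component.
    return "\\".join(part.strip() for part in path.split("\\"))


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode_data(raw):
    raw = raw.strip()
    if raw == "-":
        return "delete", None
    if raw.lower().startswith("dword:"):
        return "set", int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return "set", _unescape(raw[1:-1])
    raise ValueError(f"unsupported value data: {raw!r}")


def parse_reg(text):
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or lines[0] not in _HEADERS:
        raise ValueError("missing .reg header")
    ops, current = [], None
    for line in lines[1:]:
        if line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = _normalize_key(m.group(2))
            if m.group(1) == "-":
                ops.append(RegOp("delete_key", key))
                current = None          # values after a [-KEY] are meaningless
            else:
                ops.append(RegOp("create_key", key))
                current = key
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            kind, data = _decode_data(m.group(2))
            name = _unescape(m.group(1))
            if kind == "delete":
                ops.append(RegOp("delete_value", current, name))
            else:
                ops.append(RegOp("set_value", current, name, data))
            continue
        raise ValueError(f"cannot parse line: {line!r}")
    return ops


# The two fixes from this thread, embedded as sample input.
CWSSPYNO_REG = r"""REGEDIT4
[-HKEY_CLASSES_ROOT\MediaPass.Installer]
[-HKEY_CLASSES_ROOT\Bridge.brdg]
[-HKEY_CLASSES_ROOT\Bridge.brdg.1]
[-HKEY_CLASSES_ROOT\WinadX.Installer]
[-HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}]
[-HKEY_CLASSES_ROOT \CLSID\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}]
[-HKEY_CLASSES_ROOT\TypeLib\{DDAF2479-6F00-4599-998A-3ED75686C6D0}]
[-HKEY_CLASSES_ROOT\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}]
[-HKEY_CLASSES_ROOT\Interface\{4FDBDBAD-FEFE-4C4C-9CC1-1181052AFB12}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Winad Client]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Winad Client]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wind Updates]
"""

AUENABLED_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\scrsvc.exe"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PremiumSearch Startpage]
"""

if __name__ == "__main__":
    for op in parse_reg(CWSSPYNO_REG) + parse_reg(AUENABLED_REG):
        print(op)
```

Reviewing the output for AUenabled.reg makes one thing visible that is easy to miss when merging blindly: the firewall exception is removed from a specific control set (ControlSet002), so on a machine whose active set is a different one the `delete_value` lands elsewhere than intended; the `=-` line is the one to check against the running system before merging.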