CWS Variants

Discussion in 'news, general information and FAQs' started by Unzy, Apr 20, 2004.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz (Spyware Veteran)

    Much more complicated: this one uses two randomly named exe files and two randomly named dll files.

    Showing up in a HijackThis log:

    C:\WINDOWS\system32\javapm.exe
    C:\WINDOWS\system32\sysmc32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\usufr.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://usufr.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://usufr.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\usufr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://usufr.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\usufr.dll/sp.html#96676

    O2 - BHO: (no name) - {9F9A9343-3D33-369A-6197-FBD7AB9B0FBC} - C:\WINDOWS\system32\sysrm.dll

    O4 - HKLM\..\Run: [sysmc32.exe] C:\WINDOWS\system32\sysmc32.exe

    The second executable is run as a service named __NS_SERVICE_3 (we have seen __NS_SERVICE_2 a few times as well). In the services window it is listed as Network Security Service. That service installs the BHO dll. When you launch IE for the first time the BHO adds the R0/R1 entries.

    log example: HERE

    NOTE: the files are not necessarily in the System32 folder. We have seen them in the Windows directory as well.

    Removal:

    1. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
    2. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "" & "". If you find the files, click on them, and then click End Process => Exit the Task Manager.
    3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.
    4. Scroll down and find the service called "Network Security Service".
    5. When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
    6. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":
      <insert R* entries>
      <insert BHO entry>
      <O4 entries for exe's>
    7. Reboot into Safe Mode - How do I boot into "Safe" mode?, and delete the following files:
      <insert R* entry dll>
      <insert BHO dll>
      <insert listed exes>
    8. Reboot in Normal Mode.
      Download the file attached to this post and rename it to cwsuninst.reg
      Doubleclick it and confirm you want to merge it with the registry.
    9. Run HijackThis again and post a new log.

    Extra notes
    If given full internet access this variant will delete:
    - your hosts file (good replacements can be found here or here)
    - Spybot S&D's BHO (download SDHelper.dll, put it in the Spybot folder (default is: C:\Program Files\Spybot - Search & Destroy\) and click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" > OK)
    - control.exe: follow instructions here: http://www.spywareinfoforum.com/~merijn/winfiles.html#control

    Another extra note:
    In the latest variant it’s possible that the service changed its name.
    Currently known service names are:
    - Workstation Netlogon Service
    - Remote Procedure Call (RPC) Helper
    As you may notice they are mimicking legit (and very much needed) services, so be careful what you stop.

    Attached Files:

    Last edited: Jul 28, 2004
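Editor's note (not part of the thread): the indicators this thread keeps returning to lend themselves to a quick automated first pass over a HijackThis log before anyone reads it line by line. The Python below is an added example, not code from the posts or from HijackThis. It takes log lines in the form quoted above and flags the patterns seen in this thread: res:// and file:// start pages, search pages on a bare IP address, unnamed BHOs, Richfind-style Q-number DLL names, Run and Startup entries whose executable mimics a system binary name (scvhost, winlogin) or carries a genuine System32 binary name outside that folder, WWW prefix hijacks, Trusted Zone additions, text/html and text/plain filters, and a populated AppInit_DLLs. The sample log is assembled from lines quoted in the posts plus one clean Start Page line; the system-binary list and the scoring rules are the editor's own heuristics.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line reason")

# Sample input: HijackThis lines quoted in this thread, plus one clean Start Page
# line so the output shows what is not flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\usufr.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://usufr.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.53/search.cgi?a12484
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: (no name) - {9F9A9343-3D33-369A-6197-FBD7AB9B0FBC} - C:\WINDOWS\system32\sysrm.dll
O2 - BHO: Richfind - {1B3D4154-0038-4CF9-AFC2-A00EE7887069} - C:\WINDOWS\System32\Q309578.dll
O4 - HKLM\..\Run: [scvhost] C:\WINDOWS\scvhost.exe
O4 - HKLM\..\Run: [sysmc32.exe] C:\WINDOWS\system32\sysmc32.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{EDE84B22-C464-4C10-AB39-23DBD08AA3FB}\SVCHOST.EXE
O4 - Global Startup: winlogin.exe
O13 - WWW Prefix: http://69.50.191.50/1/?
O15 - Trusted Zone: *.bestsearch.cc
O15 - Trusted IP range: 206.161.125.149
O18 - Filter: text/html - {5AC4C85E-EDC4-40D1-8611-5958A00E197B} - C:\WINDOWS\System32\Q309578.dll
O20 - AppInit_DLLs: hkc1u73pdb36o.dll
"""

# System32 binaries whose names the droppers in this thread copy or nearly copy
# (editor's list; a heuristic, not HijackThis data).
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "spoolsv.exe", "alg.exe", "smss.exe",
                   "taskmgr.exe", "lsass.exe", "csrss.exe", "services.exe"}
SYSTEM_DIRS = ("c:/windows/system32", "c:/winnt/system32")
IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:?]|$)")
LOG_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.*)$")


def levenshtein(a, b):
    """Edit distance; catches one- or two-character lookalikes such as scvhost or winlogin."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    """R0/R1 targets: local files via res:// or file://, or a bare IP address."""
    u = url.strip().lower()
    if u.startswith(("res://", "file://")):
        return "IE start/search page points at a local file (res:// or file://)"
    if IP_URL.match(u):
        return "IE start/search page on a bare IP address"
    return None


def check_exe(path):
    """O4 targets: system binary names in the wrong folder, near-miss names, Temp paths."""
    norm = path.strip().replace("\\", "/").lower()
    folder, _, name = norm.rpartition("/")
    if name in SYSTEM_BINARIES:
        return None if folder in SYSTEM_DIRS else "system binary name outside its normal directory"
    best = min(SYSTEM_BINARIES, key=lambda s: levenshtein(name, s))
    if levenshtein(name, best) <= 2:
        return "lookalike of system binary " + best
    if "/temp/" in norm or "/locals~1/" in norm:
        return "runs from a Temp directory"
    return None


def triage(log_text):
    """Return a Finding for every line that matches one of the thread's indicators."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = LOG_LINE.match(line)
        if not m:
            continue
        code, rest = m.group("code"), m.group("rest")
        reason = None
        if code in ("R0", "R1") and " = " in rest:
            reason = check_url(rest.split(" = ", 1)[1])
        elif code == "O2":
            if "(no name)" in rest:
                reason = "BHO registered without a name"
            elif re.search(r"\\Q\d{6,}\.dll$", rest, re.I):
                reason = "BHO filename mimics a Microsoft KB article number"
        elif code == "O4":
            target = rest.split("] ", 1)[1] if "] " in rest else rest.split(": ", 1)[-1]
            reason = check_exe(target)
        elif code == "O13":
            reason = "WWW prefix hijack: URLs typed without a scheme are rerouted"
        elif code == "O15":
            reason = "site or IP range added to the Trusted zone"
        elif code == "O18" and re.search(r"text/(html|plain)", rest):
            reason = "MIME filter hooks text/html or text/plain (page rewriting)"
        elif code == "O20":
            reason = "AppInit_DLLs loads a DLL into every process that maps user32.dll"
        if reason:
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-62s %s" % (f.reason, f.line[:60]))
```

Note what the pass does not catch: the randomly named sysmc32.exe from the first post gets through, because a random name matches nothing. That is why the posts identify that variant by the combination of the service, the BHO and the res:// entries rather than by file name, and why a human still reads the whole log.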
  2. Pieter_Arntz (Spyware Veteran)

    Another about:blank variant

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {FD90346B-9BF1-4018-A409-6F86439A7333} - C:\WINDOWS\System32\jbpoe.dll

    Log example: HERE

    Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

    Close all windows except HijackThis and fix the lines above.

    Then start APM.
    In the upper window select explorer.exe
    In the lower window find and right-click the BHO from the HijackThis log
    Select Unload DLL and click OK on the prompts that follow.

    Reboot and scan with AdAware to remove the txt and html protocol association.

    NOTE: this variant, or one that is impossible to discern in a log, now also comes with a hidden dll starting from the AppInit_DLLs key, like some of the other about:blank variants.
    Last edited: Jun 28, 2004
  3. Pieter_Arntz (Spyware Veteran)

    Using a BHO with a fixed CLSID

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=9
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://super-spider.com/hp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=9

    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\j4rc9cgvcr5pkc.dll

    O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe

    O4 - HKCU\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

    O15 - Trusted Zone: *.greg-search.com

    O20 - AppInit_DLLs: (C:\WINDOWS\system32)aroc94t1s8.tlb

    Log example: HERE

    NOTE: This variant adds porn sites to your favorites, kills off all your other BHOs and adds a lot of 0 byte files.

    Still doing some tests for removal, but so far it looks like fixing the items in the log and removing the files in the log plus %Windir%\bad3074.exe takes care of the hijack.
    Use AdAware's smart system scan to remove some unpleasant additions to your favorites and some registry keys.

    A slightly newer variant is being spread. Extra line(s)

    O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\System32\64302.exe (filename is a random number)

    O4 - Global Startup: winlogin.exe (Also seen in combination with other variants)

    In this newer version it is not always possible to remove the file starting from the AppInit_DLLs location.
    Renaming the file will allow you to delete it after a reboot.
    Last edited: Aug 17, 2004
  4. Pieter_Arntz (Spyware Veteran)

    Very similar to the previous one.

    Examples from a log:

    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\4GHW4E~1.DLL

    O4 - Global Startup: winlogin.exe

    O15 - Trusted Zone: *.greg-search.com
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm9.chm::/file1.exe

    O20 - AppInit_DLLs: hkc1u73pdb36o.dll

    I took the liberty of copying LoPhatPhuud's canned speech for this one:

    Stay tuned for changes because work is still being done and they might be necessary.
  5. Pieter_Arntz (Spyware Veteran)

    Richfind variant.

    Log examples:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.richfind.com/home/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.richfind.com/home/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/

    R3 - URLSearchHook: Richfind - {3E9AF8C8-21E8-49D3-A4F9-ED3BE2180F5F} - C:\WINDOWS\System32\Q309578.dll
    O2 - BHO: Richfind - {1B3D4154-0038-4CF9-AFC2-A00EE7887069} - C:\WINDOWS\System32\Q309578.dll
    O3 - Toolbar: Richfind - {1D2535DE-6114-47A8-ADCA-DE775F6CF1B3} - C:\WINDOWS\System32\Q309578.dll
    O9 - Extra button: Richfind - {1D2535DE-6114-47A8-ADCA-DE775F6CF1B3} - C:\WINDOWS\System32\Q309578.dll
    O18 - Filter: text/html - {5AC4C85E-EDC4-40D1-8611-5958A00E197B} - C:\WINDOWS\System32\Q309578.dll
    O18 - Filter: text/plain - {5AC4C85E-EDC4-40D1-8611-5958A00E197B} - C:\WINDOWS\System32\Q309578.dll

    =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

    R3 - URLSearchHook: Richfind - {D7DE3638-927F-47CF-824E-CC94C6A766AA} - C:\WINDOWS\System32\Q2866062.dll
    O2 - BHO: Richfind - {1073AD4E-C394-466E-ADA5-017AD9CFA48D} - C:\WINDOWS\System32\Q2866062.dll
    O3 - Toolbar: Richfind - {6E732EF6-A1F8-4836-AE75-54B194EEBE56} - C:\WINDOWS\System32\Q2866062.dll
    O9 - Extra button: Richfind - {6E732EF6-A1F8-4836-AE75-54B194EEBE56} - C:\WINDOWS\System32\Q2866062.dll
    O18 - Filter: text/html - {728189AF-83F1-4771-BB7B-ACAF2F3E9E3E} - C:\WINDOWS\System32\Q2866062.dll
    O18 - Filter: text/plain - {728189AF-83F1-4771-BB7B-ACAF2F3E9E3E} - C:\WINDOWS\System32\Q2866062.dll

    =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

    R3 - URLSearchHook: Richfind - {CF258978-39E3-49E0-9D79-BF4A4FDCAA7A} - C:\WINDOWS\system32\Q672390.dll
    O2 - BHO: Richfind - {0B17146F-5481-4FB9-A1B3-B6D416868CB8} - C:\WINDOWS\system32\Q672390.dll
    O3 - Toolbar: Richfind - {5A0A4CA4-67E3-4FFE-A8B8-229C1BC1D8B2} - C:\WINDOWS\system32\Q672390.dll
    O9 - Extra button: Richfind - {00000000-0000-0000-0000-000000000000} - (no file)
    O9 - Extra button: Richfind - {5A0A4CA4-67E3-4FFE-A8B8-229C1BC1D8B2} - C:\WINDOWS\system32\Q672390.dll
    O18 - Filter: text/html - {262A428B-2061-4A72-96A9-7793FF328968} - C:\WINDOWS\system32\Q672390.dll
    O18 - Filter: text/plain - {262A428B-2061-4A72-96A9-7793FF328968} - C:\WINDOWS\system32\Q672390.dll

    The CLSIDs look to be random; the filenames start with a Q and usually have 6 or more numbers next (mimicking Microsoft KB article numbers?).
  6. Pieter_Arntz (Spyware Veteran)

    69sexsearch aka DETECTIVE Searcher aka realsearch.cc

    Two main components:
    O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
    O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe

    and a couple of random entries looking like:
    O4 - HKLM\..\Run: [9F2C3C5E] C:\WINDOWS\system32\3dtpanco.exe
    O4 - HKLM\..\Run: [8BC6B8CE] C:\WINDOWS\system32\cleuagtvid.exe
    O4 - HKLM\..\Run: [D06E6F66] C:\WINDOWS\system32\dsmads.exe

    Example log

    Removal is pretty straightforward as long as you remove the two main components in safe mode.
  7. Pieter_Arntz (Spyware Veteran)

    bestsearch

    It's characterized by these log entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.53/search.cgi?b12484
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.53/search.cgi?a12484
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.53/search.cgi?a12484
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.53/search.cgi?b12484
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.53/search.cgi?a12484
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.53/search.cgi?a12484
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.53/search.cgi?b12484

    O4 - HKLM\..\Run: [scvhost] C:\WINDOWS\scvhost.exe
    O4 - HKCU\..\Run: [scvhost] C:\WINDOWS\scvhost.exe

    O13 - WWW Prefix: http://69.50.191.50/1/?

    O15 - Trusted Zone: *.bestsearch.cc
    O15 - Trusted Zone: *.dapsol.com
    O15 - Trusted Zone: *.bestsearch.cc (HKLM)
    O15 - Trusted Zone: *.dapsol.com (HKLM)

    This one requires a special treatment.
    (Thought out by TonyKlein)

    Copy the text inside the 'Quote' box to Notepad, and save in a location of your choice as Fix.reg (make sure you save as type: 'all files')



    Now do NOT run the regfile yet, but Start your computer in Safe Mode (it may help to print this out), and find and delete these files:


    C:\WINDOWS\scvhost.exe.
    C:\WINDOWS\windbg.exe.
    C:\WINDOWS\Teens Anal ****ing.url.
    C:\WINDOWS\SEXXX.url.
    C:\WINDOWS\Online Porn.url.

    NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show.

    Next, still in Safe Mode, run Hijack This, and have it fix these items:

    blah....

    Next, doubleclick the regfile you just created, and answer yes when prompted to add its contents to the Registry.

    Restart your computer, and post a fresh log.


    NOTE: For Windows 95, 98, ME you want to use the following regfile instead:

    Thanks Tony
  8. Pieter_Arntz (Spyware Veteran)

    my-search4u

    Showing in a HijackThis log as:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my-search4u.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my-search4u.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my-search4u.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my-search4u.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my-search4u.com/index.htm

    O4 - HKCU\..\Run: [xncvwgn] c:\windows\gisvyhv.exe

    The name of the startup entry and the executable are random.

    Invisible damage:
    Adds 4 favorites and wipes the contents of the hosts file.

    To remove:
    Stop the running process, fix the entries in the log and remove both the executable file and the extra URLs in the favorites.

    Credit flrman1
  9. Pieter_Arntz (Spyware Veteran)

    ietlbass(32)

    Shows up in a HijackThis log as:
    O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\WINDOWS\ietlbass.dll
    or
    O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\WINDOWS\ietlbass32.dll

    Seen with some but not necessarily all of these in combination.

    O4 - Global Startup: RealAudio.exe

    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149

    I made a regfile to undo (most of) the changes made by registering the dll

    Code:
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\AddClsReg]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\TLBAssBnxt]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\TLBAssID]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\TLBAssutid]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\MSMsgSvc]

    [-HKEY_CLASSES_ROOT\IETLBAss.DOMP]

    [-HKEY_CLASSES_ROOT\IETLBAss.DOMP.1]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C1B116F-2860-46db-8E6C-B4BFC4DFD683}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IETLBAss.DOMP]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IETLBAss.DOMP.1]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C1B116F-2860-46db-8E6C-B4BFC4DFD683}]

    ; Ext\Stats is a per-user key. The original file addressed it through a machine-specific
    ; SID under HKEY_USERS, which only matches on the machine the file was exported from.
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4C1B116F-2860-46DB-8E6C-B4BFC4DFD683}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{BD0022A3-A43F-4F44-B64F-53EA7575F097}]
    Also attached as a txt file.

    Attached Files:

    Last edited: Jan 17, 2005
  10. Pieter_Arntz (Spyware Veteran)

    Several variants using a .hta file in the All Users Startup folder.

    I have seen:

    O4 - Global Startup: Microsoft.hta

    O4 - Global Startup: M-soft Office .hta

    O4 - Global Startup: Microsoft Office.hta

    O4 - Global Startup: MS Office.hta

    All work slightly differently, but the end result is that you get hijacked to a CWS domain.

    Install log for Microsoft Windows.hta
  11. Pieter_Arntz (Spyware Veteran)

    Variant known as StartPage.O

    Showing in a HijackThis log as:

    O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll

    O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
    O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE

    Other possible set of files:

    O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll

    O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
    O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE

    Since these processes guard each other and the trojan attaches itself to explorer and iexplore, this requires a special method of cleaning.

    Copy the part below into notepad and save it as unhko.reg

    REGEDIT4

    [-HKEY_CLASSES_ROOT\CLSID\{60371670-81B9-4d06-9C42-4DEC1AABE62B}]

    [-HKEY_CLASSES_ROOT\TypeLib\{4947DDCC-D549-4D0B-9685-AA58B20E9642}]

    [-HKEY_CLASSES_ROOT\Interface\{0B6EF17E-18E5-4449-86EA-64C82D596EAE}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\ATLASSstp]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\HTASSstp]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\MSMsgSvc]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SEHLPstp]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\WTLBAstp]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]

    [-HKEY_CLASSES_ROOT\BHOASS.BHDP]

    [-HKEY_CLASSES_ROOT\BHOASS.BHDP.1]


    Doubleclick the file and confirm you want to merge it with the registry.

    *Click Here to download Killbox by Option^Explicit.
    *Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
    *In the killbox program, select the Delete on Reboot option.
    *Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

    Code:
    C:\WINDOWS\System32\SMSSU.EXE
    C:\WINDOWS\System32\Tmntsrv32.EXE
    C:\Windows\explorer32dbg.exe
    C:\Windows\iexplore_dbg.exe
    NOTE: paths may and will be different for other versions of Windows. Please adjust accordingly

    Then fix the entries in HijackThis.

    Looks like there is a third variant:

    O2 - BHO: ATDP Class - {E3D3AFEE-2172-4ef5-8509-1638AFFF0374} - C:\WINDOWS\atlass.dll

    O4 - HKCU\..\Run: [ALG32] C:\WINDOWS\System32\ALG32.EXE
    O4 - HKCU\..\Run: [SPOOLSVU] C:\WINDOWS\System32\SPOOLSVU.EXE
    O4 - HKCU\..\Run: [ALGU] C:\WINDOWS\System32\ALGU.EXE
    O4 - HKCU\..\Run: [SPOOLSV32] C:\WINDOWS\System32\SPOOLSV32.EXE

    Credit: Symantec
    Last edited: Jun 6, 2005
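Editor's note (not part of the thread): the unhko.reg above deletes two keys under Image File Execution Options, and that is the "special method" in a nutshell. A Debugger value under IFEO\<image>.exe tells Windows to start the named "debugger" instead of the image, with the image's own command line appended, so every launch of explorer.exe or iexplore.exe first runs explorer32dbg.exe or iexplore_dbg.exe and killing the visible processes never sticks. None of the HijackThis logs quoted in this thread shows IFEO, so it has to be checked directly. The Python below is an added example, not code from the post: it audits IFEO debuggers, AppInit_DLLs and BHO registrations (resolving each BHO CLSID to its InprocServer32 DLL and flagging DLLs that sit directly in the Windows, System32 or Temp folders, a heuristic based on where this thread's BHOs live) and renders the findings as a REGEDIT4 file in the same style as unhko.reg. The registry snapshot is constructed from the keys and files named in the post plus the AppInit_DLLs name quoted earlier in the thread; the notepad.exe entry is a benign IFEO use added so the audit shows it does not fire on every IFEO subkey. The WinRegistry class reads the live registry on Windows through the standard winreg module.

```python
import os

IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WINDOWS_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKCR": "HKEY_CLASSES_ROOT"}

# Constructed snapshot: keys and files named in the post, the AppInit_DLLs name from
# earlier in the thread, and one benign IFEO subkey (GlobalFlag only, no Debugger).
SNAPSHOT = {
    IFEO + r"\explorer.exe": {"Debugger": r"C:\Windows\explorer32dbg.exe"},
    IFEO + r"\iexplore.exe": {"Debugger": r"C:\Windows\iexplore_dbg.exe"},
    IFEO + r"\notepad.exe": {"GlobalFlag": 0x2},
    WINDOWS_KEY: {"AppInit_DLLs": "hkc1u73pdb36o.dll"},
    BHO_KEY + r"\{60371670-81B9-4d06-9C42-4DEC1AABE62B}": {},
    r"HKCR\CLSID\{60371670-81B9-4d06-9C42-4DEC1AABE62B}": {"": "XMLDP Class"},
    r"HKCR\CLSID\{60371670-81B9-4d06-9C42-4DEC1AABE62B}\InprocServer32": {"": r"C:\WINDOWS\xmllib.dll"},
}


class DictRegistry:
    """Reader over a {key_path: {value_name: data}} snapshot; keys compare case-insensitively."""
    def __init__(self, snapshot):
        self.snap = snapshot

    def subkeys(self, path):
        prefix = path.lower() + "\\"
        return sorted({k[len(prefix):].split("\\", 1)[0]
                       for k in self.snap if k.lower().startswith(prefix)})

    def values(self, path):
        for k, v in self.snap.items():
            if k.lower() == path.lower():
                return dict(v)
        return {}


class WinRegistry:
    """Same two methods over the live registry (Windows only; winreg imported lazily)."""
    def __init__(self):
        import winreg
        self.w = winreg
        self.roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER,
                      "HKCR": winreg.HKEY_CLASSES_ROOT}

    def _open(self, path):
        root, _, sub = path.partition("\\")
        return self.w.OpenKey(self.roots[root], sub)

    def subkeys(self, path):
        try:
            with self._open(path) as k:
                return [self.w.EnumKey(k, i) for i in range(self.w.QueryInfoKey(k)[0])]
        except OSError:
            return []

    def values(self, path):
        try:
            with self._open(path) as k:
                vals = [self.w.EnumValue(k, i) for i in range(self.w.QueryInfoKey(k)[1])]
                return {name: data for name, data, _type in vals}
        except OSError:
            return {}


def audit(reg):
    """Return (key, reason, action) triples; action tells cleanup_reg what to emit."""
    found = []
    for image in reg.subkeys(IFEO):
        key = IFEO + "\\" + image
        dbg = reg.values(key).get("Debugger")
        if dbg:  # Windows starts the 'debugger' in place of the image on every launch
            found.append((key, "IFEO Debugger: %s is run in place of %s" % (dbg, image), "delete_key"))
    dlls = str(reg.values(WINDOWS_KEY).get("AppInit_DLLs", "")).strip()
    if dlls:
        found.append((WINDOWS_KEY, "AppInit_DLLs loads %s into every process that maps user32.dll" % dlls,
                      "clear_value:AppInit_DLLs"))
    for clsid in reg.subkeys(BHO_KEY):
        dll = str(reg.values(r"HKCR\CLSID\%s\InprocServer32" % clsid).get("", ""))
        folder = os.path.dirname(dll.replace("\\", "/")).lower()
        if folder in ("c:/windows", "c:/windows/system32") or "/temp" in folder:  # heuristic
            found.append((BHO_KEY + "\\" + clsid,
                          "BHO %s loads %s from a system or Temp folder" % (clsid, dll), "delete_key"))
    return found


def cleanup_reg(findings):
    """Render the findings as a REGEDIT4 file in the style of the post's unhko.reg."""
    out = ["REGEDIT4", ""]
    for key, _reason, action in findings:
        root, _, rest = key.partition("\\")
        full = HIVES[root] + "\\" + rest
        if action == "delete_key":
            out += ["[-%s]" % full, ""]
        else:  # clear_value:<name> keeps the key and blanks the value
            out += ["[%s]" % full, '"%s"=""' % action.split(":", 1)[1], ""]
    return "\n".join(out)


if __name__ == "__main__":
    reg = DictRegistry(SNAPSHOT)  # on Windows: WinRegistry() to audit the live machine
    for key, reason, _action in audit(reg):
        print(reason)
    print(cleanup_reg(audit(reg)))
```

Deleting the IFEO key rather than just the Debugger value mirrors the post's file; on a machine where an IFEO key carries a legitimate GlobalFlag or other setting, clear the Debugger value alone instead.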
  12. Pieter_Arntz (Spyware Veteran)

    They are now masquerading as a spyware-remover.

    Recognizable in a HijackThis log as:

    O4 - HKCU\..\Run: [SpywareNo] C:\Program Files\SpywareNo\SpywareNo.exe

    Often accompanied by entries looking like this:

    O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{EDE84B22-C464-4C10-AB39-23DBD08AA3FB}\SVCHOST.EXE
    O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{EDE84B22-C464-4C10-AB39-23DBD08AA3FB}\SECURITY.EXE

    The CLSID is random.

    I'm adding a regfile that should get rid of some of the 'bundled'ware

    Copy the part in bold below into notepad and save it as cwsspyno.reg

    REGEDIT4

    [-HKEY_CLASSES_ROOT\MediaPass.Installer]

    [-HKEY_CLASSES_ROOT\Bridge.brdg]

    [-HKEY_CLASSES_ROOT\Bridge.brdg.1]

    [-HKEY_CLASSES_ROOT\WinadX.Installer]

    [-HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}]

    [-HKEY_CLASSES_ROOT\CLSID\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}]

    [-HKEY_CLASSES_ROOT\TypeLib\{DDAF2479-6F00-4599-998A-3ED75686C6D0}]

    [-HKEY_CLASSES_ROOT\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}]

    [-HKEY_CLASSES_ROOT\Interface\{4FDBDBAD-FEFE-4C4C-9CC1-1181052AFB12}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Winad Client]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Winad Client]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wind Updates]


    Doubleclick the file and confirm you want to merge it with the registry.

    Credit Webhelper
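Editor's note (not part of the thread): before merging a .reg file somebody posted, it is worth knowing exactly which keys it deletes and which values it writes, and whether regedit will even accept it; a stray space or typo in a root name such as HKEY_CLASSES_ROOT is the kind of slip that makes regedit reject or skip that key while the rest of the file merges. The Python below is an added example, not from the post: a parser for REGEDIT4 and "Windows Registry Editor Version 5.00" files that lists key deletions, key creations, string and dword value writes and value deletions (the =- form used in the AUenabled.reg later in the thread), and reports roots it does not recognise. The sample file is constructed from lines in the thread with one root deliberately malformed in that way; hex: and multi-line data are reported as unsupported rather than guessed at.

```python
import re

VALID_ROOTS = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
               "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_LINE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Constructed sample: key deletions in the style of cwsspyno.reg (the second root has a
# stray space, deliberately), a dword write and an =- value deletion as in AUenabled.reg.
SAMPLE_REG = r'''REGEDIT4

[-HKEY_CLASSES_ROOT\MediaPass.Installer]

[-HKEY_CLASSES_ROOT \CLSID\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\scrsvc.exe"=-
'''


def unescape(s):
    """Undo the two escapes .reg strings use: \\" for a quote and \\\\ for a backslash."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return (header, ops, problems); ops lists what regedit would do, in file order."""
    lines = text.splitlines()
    header = lines[0].strip() if lines else ""
    problems = [] if header in HEADERS else ["line 1: unrecognised header %r" % header]
    ops, current = [], None
    for n, raw in enumerate(lines[1:], 2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_LINE.match(line)
        if m:
            path = m.group(2)
            root = path.split("\\", 1)[0]
            if root not in VALID_ROOTS:
                problems.append("line %d: %r is not a registry root (stray space or typo?)" % (n, root))
            current = path
            ops.append({"op": "delete_key" if m.group(1) else "ensure_key", "key": path})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = unescape(m.group(1)) if m.group(1) is not None else "(Default)"
            data = m.group(2)
            if data == "-":
                ops.append({"op": "delete_value", "key": current, "name": name})
            elif data.startswith("dword:"):
                ops.append({"op": "set_value", "key": current, "name": name, "data": int(data[6:], 16)})
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                ops.append({"op": "set_value", "key": current, "name": name, "data": unescape(data[1:-1])})
            else:  # hex:, hex(7): and line-continued data are not handled; refuse, do not guess
                problems.append("line %d: unsupported data %r" % (n, data[:30]))
            continue
        problems.append("line %d: could not parse %r" % (n, line[:40]))
    return header, ops, problems


def summarize(text):
    """One line per operation, problems last: what to read before double-clicking the file."""
    header, ops, problems = parse_reg(text)
    out = ["%s: %d operation(s), %d problem(s)" % (header or "(no header)", len(ops), len(problems))]
    for o in ops:
        if o["op"] in ("delete_key", "ensure_key"):
            out.append("  %-12s %s" % (o["op"], o["key"]))
        else:
            out.append("  %-12s %s -> %s = %r" % (o["op"], o["key"], o["name"], o.get("data", "-")))
    out += ["  PROBLEM " + p for p in problems]
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(SAMPLE_REG))
```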
  13. Pieter_Arntz (Spyware Veteran)

    Variant known as PremiumSearch aka EasySearch

    An installer called l04d3r.exe is dropped and executed using a variant of the "Auto SP2 RC Exploit" covered in http://www.microsoft.com/technet/security/bulletin/MS05-001.mspx
    Two files are dropped in [Bootdrive]:\Documents and Settings\[current user]\Local settings\Temp
    The dll name is random. The other file, winmain.exe, is not always present.
    After stripping the attributes (metallica.bat does that), running Cleanup gets rid of all the files.

    Proposed fix:

    Step 1
    Code:
    [b]*IMPORTANT*[/b] Be sure you know how to [url=http://www.xtra.co.nz/help/0,,4155-1916458,00.html]VIEW HIDDEN FILES[/url]
    
    
    Download and unzip [url]http://metallica.geekstogo.com/MADEbyOSC.zip[/url]
    Run the file by doubleclicking metallica.bat
    and post the log.
    Do not reboot until someone has looked at your log and given you the next step.
    If you have to reboot repeat this part when you are back online.
    

    ************************************
    **These are the hidden files found**
    ************************************
    Volume in drive C is BOOT
    Volume Serial Number is 88CF-B644

    Directory of C:\DOCUME~1\Pieter\LOCALS~1\Temp

    27-05-2005 22:33 50,688 gjuhmzuhyzm.dll
    1 File(s) 50,688 bytes
    0 Dir(s) 27,520,708,608 bytes free
    ************************************
    **These are the system files found**
    ************************************
    Volume in drive C is BOOT
    Volume Serial Number is 88CF-B644

    Directory of C:\DOCUME~1\Pieter\LOCALS~1\Temp

    27-05-2005 22:33 50,688 gjuhmzuhyzm.dll
    1 File(s) 50,688 bytes
    0 Dir(s) 27,520,704,512 bytes free

    STEP2

    Code:
    *[URL=http://www.geekstogo.com/modules.php?modid=5&action=download&id=4]Click Here[/URL] to download Killbox by Option^Explicit.
    *Close all Internet Explorer windows
    *Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program. 
    *In the killbox program, select the Standard File Kill and put a checkmark in the "End Explorer Shell While Killing File" box.
    <<<<<<<<<<<<<<<Insert dll from metallica.bat>>>>>>>>>>>>>>>>>>>>>>>>>>
    *Click the red-and-white "Delete File" button.
    *Your taskbar will disappear for a short while 
    
    *In the killbox program, select the [b]Delete on Reboot[/b] option.
    *Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    
    [b]C:\WINDOWS\system32\bootpd.exe
    C:\WINDOWS\system32\scrsvc.exe[/b]
    
    *Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
    *Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
    
    After the reboot run HijackThis and put checkmarks in front of the following items.
    Close [b]all[/b] windows except HijackThis and click Fix checked:
    
    O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\DOCUME~1\Pieter\LOCALS~1\Temp\gjuhmzuhyzm.dll
    
    O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\system32\scrsvc.exe
    O4 - HKLM\..\Run: [bootpd.exe] C:\WINDOWS\system32\bootpd.exe
    
    
    Download, install, and run [url=http://www.spywareaid.com/index.php?file=showsoftware&action=dl&softid=1&softtype=exe][b]CleanUp![/b][/url]
    
    Download and unzip the hosts file from [url]http://www.mvps.org/winhelp2002/hosts.htm[/url] to the folder that is right for your Windows version.
    Acknowledge that you want to overwrite the hosts file that is present [b]except[/b] if you were using the hosts file for something useful before this happened.
    This often is true in corporate networks; if you are not sure, ask the System Administrator.
    
    If you do not have the Google Toolbar installed, you can delete this folder:
    c:\program files\google
    
    If you are running Windows XP SP2, copy the part in bold below into Notepad and save it as AUenabled.reg
    [b]
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    "NoAutoUpdate"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "AntiVirusDisableNotify"=dword:00000001
    "FirewallDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\scrsvc.exe"=-
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PremiumSearch Startpage]
    [/b]
    To re-enable Automatic Windows Updates, reset the Security Center settings to default and remove PremiumSearch Startpage from Add/Remove Software, doubleclick that file and confirm you want to merge it with the registry.
    
    To remove PremiumSearch StartPage from Add/Remove Software if you are running a different version of Windows you can use HijackThis.
    Click Config > Misc Tools > Open Uninstall Manager > Select PremiumSearch Startpage and click Delete this entry.
    Tested on XP SP2 only. That worked.
    It is now being tested on win2k and XP SP1
    That shouldn't result in any surprises.