CWS Variants

Discussion in 'news, general information and FAQs' started by Unzy, Apr 20, 2004.

Thread Status:
Not open for further replies.
  1. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Lately new strains of CWS variants are following each other very rapidly.

    They are becoming harder and harder to clean because they are using all sorts of tricks to prevent scanning tools from detecting or properly removing them (e.g. by re-infection).

    It's getting more difficult now for Merijn to update CWShredder, both because of the more complex coding and the number of new types/variants that appear on a very regular basis.

    Bear in mind that experts are working around the clock looking for successful removal tips and prevention fixes.

    This means, however, that as long as the shredder is not updated, victims will be advised to clean their infection manually. Although experts and more savvy computer people are used to working in the registry and with all sorts of tools which involve editing in Windows, it will be more and more difficult for the normal computer user to clean up once he/she is infected. Advice given by expert people may look rather complex; when having any doubts whatsoever, don't hesitate to ask for more advice.

    Expert people in this area (on this board) who are more closely involved in analysing and know the latest details are :

    Pieter Arntz (aka Metallica on other numerous boards)
    dvk01
    shadowwar


    Feel free to contact one of the mods if you have any questions. They are all very knowledgeable and will at least be able to point you in the correct direction :

    dave38, puff-m-d, wizard, Technodrome, JacK, Dan Perez, MickeyTheMan, Detox, Unzy, snowbound, snapdragin, rodsoto, bigc73542

    Below follows a summation of those new strains of more complex CWS variants, beginning with the drxcount one, which seems to be the first one to introduce a whole new set of invisible CWS hijacks and tricky coding. I will try to give the most common instructions summed up by experts. Some of them work very well, others are a bit complex. Some work for user X, while user Y complains of a re-infection after following the exact same instructions.

    Note :

    After cleaning a CWS infection always check your 'Favorites' folder for added porn links***

    A list of all known CWS domains can be found here :

    http://users.skynet.be/bk136527/CWS/CWSdomains.htm
     
    Last edited: May 27, 2004
  2. Unzy

    drxcount.biz / real-yellow-page.com

    A very great place to start, where we gathered all info together with infected users, is a topic started by Pieter Arntz (Metallica). It shows the investigation of expert people nicely evolving from sleepless nights to successful removal instructions! If you are interested in reading the developments you can check it here :

    Click Me

    Usually, the following instructions are given now :

     
    Last edited: Apr 22, 2004
  3. Unzy

    CWS.Systeminit variant - (hijacks to your-search.info, in some cases to another CWS domain)

    Note* : CWShredder takes care of this successfully so far

    Responsible entries in a HijackThis log :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = hxxp://www.your-search.info/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.your-search.info/start.html

    O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe

    O4 - Global Startup: sytem32.exe (note the spelling!)

    O19 - User stylesheet: C:\WINDOWS\sstyle.css
    O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)

    Log examples :

    HERE
    HERE
     
    Last edited: Apr 20, 2004
  4. Unzy

    About:blank / linklist.cc

    This is a very complex hijack to solve for now, as only manual instructions are given. Please only follow instructions when you are guided by an Advanced or Expert member!

    Responsible entries in a HijackThis log :

    R0 and R1 entries pointing to the following similar looking location : res://C:\WINDOWS\System32\kfiokk.dll/sp.html

    O2 - BHO: (no name) - {54DDBEA0-AAE2-43A1-9076-3F064D0DEA55} - C:\WINDOWS\System32\kfiokk.dll*

    * the dll is randomly named for each victim, and is shown as an O2 - BHO in a HijackThis log.

    Although the entries in a HijackThis log are pretty obvious, the tricky part of this variant is a cleverly disguised re-infection method, after a certain amount of time when the victim connects again to the internet.

    The methods so far all failed to give a 100% clean result, even with an updated shredder for this particular variant, so I'm not gonna bother to list them here, as experts are now in the middle of looking for answers, as we speak. As soon as we have a successful removal method, this topic will be updated.

    For those interested I can inform what we gathered so far :

    It all comes down to these two files :

    The key is :

    Trying to make this superhidden dll visible so it's removable! Lately, it seems best to start with the removal of this dll, before following other instructions!

    *UPDATE!

    Shadowwar has pulled dllfix, too many bugs and variants within the hijack itself are making it impossible to work properly.

    It's best to post your problem at the corresponding forums, and wait until you get a response from an expert, for further guidance.

    Download and run AdAware : http://www.lavasoft.de/software/adaware/ (make sure you have latest updates) and run it, after doing so post your HijackThis log.

    Old fix : (keeping this here, just in case)

    As we are drawing near a successful removal method, this is the canned fix of procedures to follow :

    (Note that at this time only manual instructions are given and they can be somewhat complex)

    © freeatlast :

    *for win2k / XP (win98 is at bottom)

    *WIN98

    Tools :

    Win98Fix
    StartDreck

    It should be located in C:\WINDOWS\SYSTEM\XXXXX.dll


    Note* Please follow instructions carefully, doublecheck before you delete and make sure you have a backup of your registry : HERE's How
     
    Last edited: Jun 20, 2004
  5. Unzy

    enjoysearch

    Responsible entries in a HijackThis log :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.enjoysearch.info/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.enjoysearch.info

    O4 - HKLM\..\Run: [jushed32] C:\WINDOWS\jushed32.exe <- win9x/ME
    O4 - HKLM\..\Run: [jushed32] C:\WINDOWS\system32\jushed32.exe <- win2k/XP

    Other variants have also been spotted, responsible for the enjoysearch hijack :

    O4 - HKLM\..\Run: [xvwiz32] C:\WINNT\system32\xvwizard32.hta
    O4 - HKCU\..\Run: [xvwiz32] C:\Documents and Settings\{user's name}\{folder name}\xvwizard32.hta

    O4 - HKLM\..\Run: [xxxvid] C:\WINDOWS\system32\xxxvideo.hta
    O4 - HKCU\..\Run: [xxxvid] C:\Documents and Settings\{user's name}\{folder name}\xxxvideo.hta

    Shredder should take care of this when updated

    Log examples :

    HERE
    HERE
    HERE
    HERE


    Edit by DVK01: main problem with this one is that the O4 entry doesn't show in the HJT log.
    The jushed32.exe does show in running processes and once you have stopped it running and deleted it then the O4 appears so it can also be fixed
     
    Last edited by a moderator: Apr 20, 2004
  6. Unzy

    wholeworldmarket (CWS.Systeminit.2)

    Responsible entries in a HijackThis log :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.wholeworldmarket.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.wholeworldmarket.com/search/top/

    O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\sysdll32.exe

    O19 - User stylesheet: C:\WINDOWS\sstyle.css
    O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)

    Note* : CWShredder tackles this one as of version 1.56.3

    Log examples :

    HERE
    HERE
     
    Last edited: Apr 22, 2004
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Freednshost

    Responsible entries in a HijackThis log :


    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = hxxp://freednshost.info/page/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://213.159.118.226/sp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://freednshost.info
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = hxxp://213.159.118.226/sp.php

    O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\Help\svchost.exe -sr -0
    O4 - HKCU\..\Run: [Network Service] C:\WINDOWS\Help\svchost.exe -sr -0

    O8 - Extra context menu item: Debt Solutions - hxxp://213.159.118.226/tools.php?qq=Debt+Solutions
    O8 - Extra context menu item: Party Poker - hxxp://213.159.118.226/tools.php?qq=Party+Poker
    O8 - Extra context menu item: Party Poker.com - hxxp://213.159.118.226/tools.php?qq=Party+Poker.com

    O13 - DefaultPrefix: hxxp://freednshost.info/page/
    O13 - WWW Prefix: hxxp://freednshost.info/page/

    O19 - User stylesheet: C:\WINDOWS\system32\g02q.l24


    Not always shown in a Hijackthis log is a hosts file redirect to various porn sites. Some logs do show this hosts file (/edit Unzy) -> example HERE


    Log examples :

    HERE
     
    Last edited by a moderator: Apr 24, 2004
  8. Unzy

    e-finder.cc, tadstore.cc and rightfinder.net (CWS.Addclass.2)

    Note* : The shredder is updated to deal with this particular variant

    Responsible entries in a HijackThis log :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://homepage.com%00@www.e-finder.cc**/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = hxxp://homepage.com@www.e-finder.cc**/search/ (obfuscated)

    etc...

    (I've put ** in the url to disable it)

    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddCLS.exe

    O13 - DefaultPrefix: hxxp://%65%68%74%74%70%2E%63%63/?
    O13 - WWW Prefix: hxxp://%65%68%74%74%70%2E%63%63/?

    Log example : (It's on a Dutch forum, but the log shows in English with a few Dutch words, like : 'links' = 'koppelingen' etc)

    HERE
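    As an added example (not part of the thread or of HijackThis itself), a small Python script that undoes the URL obfuscation quoted in this post: it decodes the percent-encoded O13 prefix, strips the decoy "homepage.com@" userinfo part and the %00 byte, and reports the host that Internet Explorer will really contact. The sample log lines are constructed from entries quoted in this thread; it also labels the res://<dll>/sp.html and about:blank forms seen in other posts.

```python
"""Decode the obfuscated URLs that appear in HijackThis R0/R1/O13 entries.

Added example for this thread; not part of the original posts or of
HijackThis. It resolves the tricks quoted above: a decoy "homepage.com@"
userinfo part, a %00 (NUL) byte in front of the "@", and a fully
percent-encoded host in the O13 prefix entries.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample lines modelled on entries quoted in the thread.
# "hxxp" is the thread's defanged spelling of "http".
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = hxxp://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,CustomizeSearch = hxxp://homepage.com@www.e-finder.cc/search/ (obfuscated)
O13 - DefaultPrefix: hxxp://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: hxxp://%65%68%74%74%70%2E%63%63/?
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = res://C:\\WINDOWS\\mrhop.dll/sp.html
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O4 - HKCU\\..\\Run: [AddClass] C:\\WINDOWS\\AddCLS.exe
"""

# "R0 - <registry key> = <value>"  and  "O13 - <prefix name>: <value>"
LINE_RE = re.compile(r"^(R[01]|O13) - (.+?)(?: = |: )(\S+)")


@dataclass
class Entry:
    kind: str             # R0, R1 or O13
    key: str              # registry path or prefix name as HijackThis prints it
    raw: str              # value exactly as logged
    host: Optional[str]   # host (or local DLL path) the browser will really load
    flags: List[str] = field(default_factory=list)


def decode_url(value: str) -> Tuple[Optional[str], List[str]]:
    """Return (effective host, obfuscation flags) for one logged URL value."""
    flags: List[str] = []
    url = value
    if url[:4].lower() == "hxxp":          # undo the forum's defanging
        url = "http" + url[4:]
    if "%" in url:
        flags.append("percent-encoded")
        url = unquote(url)                 # %65%68%74%74%70 -> "ehttp", %00 -> NUL
    if "\x00" in url:
        flags.append("nul-byte")           # NUL hides the part after it in the address bar
    scheme, sep, rest = url.partition("://")
    if not sep:                            # e.g. about:blank
        flags.append("scheme:" + scheme.split(":", 1)[0].lower())
        return None, flags
    if scheme.lower() == "res":            # res://<dll>/sp.html: page served from a local DLL
        flags.append("res-dll")
        return rest.rsplit("/", 1)[0], flags
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    _userinfo, at, hostport = authority.rpartition("@")
    if at:
        flags.append("userinfo")           # "homepage.com@" is a decoy; the real host follows "@"
    host = hostport.split(":", 1)[0].lower()
    return host or None, flags


def analyze_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for line types this example ignores."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    kind, key, raw = m.groups()
    host, flags = decode_url(raw)
    return Entry(kind, key, raw, host, flags)


def analyze_log(text: str) -> List[Entry]:
    """Return the R0/R1/O13 entries of a whole log with their decoded hosts."""
    return [e for e in (analyze_line(l) for l in text.splitlines()) if e is not None]


if __name__ == "__main__":
    for e in analyze_log(SAMPLE_LOG):
        print(f"{e.kind:<3} {e.key:<58} -> {e.host}  [{' '.join(e.flags)}]")
```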
     
  9. Unzy

    start.chm / MSITStore (MasterSearch)

    A new type of CWS variant that uses an exploit to reset a user's homepage.

    More info HERE

    Responsible entries in a HijackThis log :

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html

    A workaround for this exploit is provided HERE

    There should be an official Microsoft patch soon, please keep an eye out for updated patches at windowsupdate.com

    NOTE* : There is offered a removal tool (remove.exe) on their site which seems legit and does work, however it is believed it creates a GUID (Global Unique IDentifier) which can always 'distinguish' a user, meaning : they can track you down and follow your actions on the net, kinda like WMP.

    NOTE 2*: CWShredder removes start.chm and start.html as of version 1.56.3. It does not always cure the hijack (yet).

    Log example :

    HERE
    HERE

    EDIT: It seems that there is normally a file in the temp directory that has something to do with this one as well so also clear out the temp folder
    on W2K & XP it will be C:\Documents and Settings\user name \Local Settings\Temp

    on 9x/ME systems c:\windows\temp

    on XP/W2k select and delete everything in the folder
    on 9x systems select everything except temporary internet files folder and cookies folder


    You will need to do the cleaning for every account holder on the computer

    Update** :

    Shadowwar has come up with a fix for this particular hijack :

    Notepad will open at the end with a message and the bad file listing at the end. Ask the user to post the contents of that notepad box.
     
    Last edited: May 1, 2004
  10. Unzy

    runwin32.exe, wininet32.exe (write-up by Pieter Arntz)

    Hijacks to a CWS domain (searchmeup, easy-search.biz etc)

    Responsible entries in a HijackThis log :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.searchmeup.com/search.php?aid=1057
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.searchmeup.com/search.php?aid=1057
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.searchmeup.com/search.php?aid=1057

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080

    O4 - HKCU\..\Run: [wininet32] C:\WINDOWS.000\wininet32.exe
    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS.000\runwin32.exe

    The tricky part here is that it overrides your proxy settings! :

    Note* : The shredder should be updated for this soon

    Log example :

    HERE
     
    Last edited: May 20, 2004
  11. Unzy

    OsbornTech Popup Blocker

    This is a fake entry created by CWS, mainly to try and trick HijackThis analysers into not fixing this entry, so re-infection could be easier or clean-up wouldn't be proper.

    Responsible entry in a HijackThis log :

    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll

    (Notice the mshelper.dll to identify it)

    Note* : The shredder is updated and should take care of this entry.

    Log example :

    HERE
    HERE
     
    Last edited: Apr 23, 2004
  12. Unzy

    nkvd.us

    A classic one that is spreading around now again with some more tricky coding added to it, more specifically the mtwirl.dll / mtwirl32.dll file (use killbox to clean that one up).

    Responsible entries in a HijackThis log :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://nkvd.us/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://nkvd.us/

    etc...

    O13 - DefaultPrefix: hxxp://www.nkvd.us/
    O13 - WWW Prefix: hxxp://www.nkvd.us/
    O13 - Home Prefix: hxxp://www.nkvd.us/
    O13 - Mosaic Prefix: hxxp://www.nkvd.us/

    O19 - User stylesheet: c:\windows\my.css

    Fix these entries with HijackThis, restart PC in Safe Mode and manually remove mtwirl.dll / mtwirl32.dll (in system/system32 folder)

    Use this registry fix after clean-up :

    Log examples :

    HERE
    HERE
     
    Last edited: May 2, 2004
  13. Unzy

    msole.dll

    Hijacks to a CWS domain (R0 and R1 entries in a HijackThis log), using an O2 BHO

    Responsible entries in a HijackThis log :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.payfortraffic.net**/search.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.payfortraffic.net**/mainsearch.htm

    (added ** to disable URL)

    O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS\System32\msole.dll

    Log example :

    HERE
     
  14. Unzy

    searchpage.html

    Another variant that has been spotted which looks like a combo of nkvd.us and master-search.

    Responsible entries in a HijackThis log :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html#1504
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html#1504
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html#1504
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1504
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html#1504

    etc...

    O13 - DefaultPrefix: c:\searchpage.html?page=
    O13 - WWW Prefix: c:\searchpage.html?page=
    O13 - Home Prefix: c:\searchpage.html?page=
    O13 - Mosaic Prefix: c:\searchpage.html?page=

    Those are the only visible entries in that log.

    Still awaiting how shredder deals with this and for more info about the possible culprit of this hijack (dll).

    Update* :

    The fake OsbornTech has been spotted with this one as well :

    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll

    Log examples :

    HERE
    HERE
     
    Last edited: May 1, 2004
  15. Unzy

    CHP.DLL

    Symptoms :

    -Explorer has caused an error in CHP.DLL, which causes Internet Explorer to crash. (Thnx to bad coding probably :) )

    -Messes with Windows media Player (WMP) (not working properly anymore)

    Stripping the UPX packed file revealed the following link : lookingfor.cc/search.php, which is a cws domain

    Removal :

    Unregister the dll

    Visible entries in a HijackThis log :

    None

    Update* : It's not a randomly named dll, other people were experiencing the error message as well referring to this dll. Most likely a result of bad coding from one of the variants.

    Log Example :

    HERE
     
    Last edited: May 10, 2004
  16. Unzy

    IEengine.exe (hijacks to a CWS domain)

    Drops the exe in the Internet Explorer folder in Program Files to make it look as legit as possible

    Responsible entries in a Hijackthis log :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://your-searcher.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://your-searcher.com/index.htm

    etc.

    O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe

    *Shredder should be updated soon for this

    For those who are interested, a disassembly report after unpacking the exe(done by Mo) can be downloaded HERE

    Log example :

    HERE

    Also spotted with (not always present though):

    O4 - Global Startup: winlogin.exe

    CWShredder normally finds and deletes those 2 in XP/W2K but it needs manually fixing in ME/9X
     
    Last edited: Jun 1, 2004
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    mrhop.dll

    Although it looks very similar to the variant described in post 4, it works differently.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {33B13F77-E06C-4C6F-B347-EBF7CE2BC08F} - C:\WINDOWS\mrhop.dll

    Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm
    In the upper window select explorer.exe
    In the lower window find and rightclick mrhop.dll
    Select Unload DLL and click OK on the prompts that follow.

    Close all windows except HijackThis and fix the lines above.
    Reboot and scan with AdAware.
     
    Last edited by a moderator: May 19, 2004
  18. Unzy

    system32.dll (jksearch.biz , greatsearch.biz)


    Responsible entries in a Hijackthis log :

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://jksearch.biz/redir.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://jksearch.biz/redir.php

    etc.

    *NOTE :


    As of HijackThis version 1.98.1 a line similar to this will show:
    O21 - SSODL: System - {1F0B125B-7C1F-4B45-BAE9-20FEEF841480} - C:\WINDOWS\system32\system32.dll
    Fixing that will have the same effect as the first line in the clear.reg fix.


    c:\windows\system32\system32.dll (win2k / XP)
    c:\windows\system\system32.dll (win9x / ME)

    Do watch out for other O4 entries related to CWS

    *NOTE 2 :

    We are still waiting if this one uses random CLSID tags (for CWShredder), it looks like it uses random

    *NOTE 3 Regfile available as attached txt file: https://www.wilderssecurity.com/attachment.php?attachmentid=137126

    Log example :

    HERE
    HERE
     
    Last edited by a moderator: Aug 6, 2004
  19. Pieter_Arntz

    CWS related BHO's : (please edit in all cws related BHO's here)

    O1 - Hosts: 213.159.117.235 auto.search.msn.com
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINNT\System32\msxmlfilt.dll

    Also seen, but only once so far:
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\msxslab.dll

    Log example: here

    I've seen it as well Pieter, looks like they are not random

    Accompanied with these :

    O1 - Hosts: 213.159.117.235 auto.search.msn.com
    O2 - BHO: (no name) - {12D02C08-218F-4A11-BDE1-6611ADB7B81F} - C:\WINDOWS\SYS32_~1.DLL

    Log example : here
     
    Last edited by a moderator: May 24, 2004
  20. Pieter_Arntz

    dpe.dll

    A new BHO

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com@www.e-finder.cc/hp/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com@www.e-finder.cc/hp/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINNT\dpe.dll
    O13 - DefaultPrefix: www
    O13 - WWW Prefix:

    dpe.dll also comes in these shapes:

    O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\WINDOWS\ietlbass.dll

    O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\IETLBASS32.DLL

    CLSID is fixed, original filename is dpe.dll

    Log example :

    Here
     
    Last edited: Dec 25, 2004
  21. Unzy

    {root dir}:/spad/start.html | myexexex.com

    Responsible entries in a HijackThis log :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.myexexex.com/search.php?said=spage&qq=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://www.myexexex.com/search.php?said=spage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html

    etc.

    Culprit dll :

    HPCMDTY.DLL

    Most likely in :

    C:\WINNT\system32\HPCMDTY.DLL (win2k/xp)
    C:\windows\system (win9x/me)

    Also been spotted in the temp folder, so watch out for that as well!

    C:\DOCUME~1\.....\LOCAL~1\Temp\HPCMDTY.DLL

    Fix the entries in HijackThis log (R0 and R1)

    Restart PC in Safe mode and remove :

    c:/spad/ <- this folder

    HPCMDTY.DLL <- this dll

    Also do additional search for this file, and remove if present :

    c_10230.dll

    On win2k / XP systems dropped in the system32 folder!

    Use this reg file:


    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
    [-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
    [-HKEY_CLASSES_ROOT\CLSID\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
    [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
    [-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]



    Save it in Notepad as spad.reg and double-click it.
    Confirm to merge with the registry.
    You can also download this file and rename it to spad.reg

    Log examples :

    Here
     
    Last edited: May 30, 2004
  22. Unzy

    sysstartup.exe (hijacks to a cwsdomain)

    -drops sysstartup.exe in the system/system32 folder

    -accompanied with a randomly named BHO dll but STATIC clsid! :

    {A9A674BF-771F-42E5-A440-D20DDA85A862}

    -hijacks startpage

    -can be spotted with an O16 entry

    Responsible entries in a hijackthis log :

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9

    O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\uubztmiy7mnslh.dll

    O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
    O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe

    Log examples :

    Here
    Here
     
  23. Pieter_Arntz

    Some BHO's that deliver pornographic content are presumed to be exploited by the CWS crew.

    O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\windows\iehr.dll

    O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - C:\WINDOWS.000\SR.DLL

    LOG examples
    HERE
    HERE
     
  24. Pieter_Arntz

    Protocol hijack

    Shows in log as:

    O1 - Hosts: 213.159.117.235 auto.search.msn.com

    O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}

    Related file:

    MSXSLAB.DLL

    Example log: HERE
     
  25. Pieter_Arntz

    This one is pretty straightforward as far as I can tell:

    Shows in log as:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.find-online.net/index.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-online.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-online.net/index.htm

    O4 - HKCU\..\Run: [ziphelp] C:\WINDOWS\ziphelp.exe

    Log example: HERE
     