# CWS Variants



## Flrman1 (Jul 26, 2002)

With the many new CWS variants that have been showing up lately, it has become virtually impossible for Merijn to keep up and add them all to CWShredder's database. These different variants are becoming more and more difficult to remove as they are using every trick in the book to avoid detection and to hook the infection deep into the registry etc.

Merijn has said that CWShredder will not be updated again for a while and possibly not at all. To help us all keep up with the latest CWS variants, I am sticking this thread to the top so we'll all have easy access to it. I will do my best to add as much info as I can on each of the known variants that are not currently removed by CWShredder and update the info as it changes.

It may take me a few days to get them all posted here in this thread as I will be doing this in between helping fix the damage these scumbags cause! 

I am closing this thread. If you feel that you have any pertinent info that should be added, please pm me or one of the other mods.

A list of all known CWS domains can be found here :

http://users.skynet.be/bk136527/CWS/CWSdomains.htm

Also Merijn has a lot of info on CWS here:

http://www.spywareinfo.com/~merijn/cwschronicles.html


----------



## Flrman1 (Jul 26, 2002)

This variant has changed since this was posted so I am updating the info here.

*!ATTENTION!:* AboutBuster alone will not remove this hijack. It must be used in conjunction with the rest of the steps listed here.

What it looks like:

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iutom.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iutom.dll/index.html#96676

O2 - BHO: (no name) - {26602A67-A7FE-F231-649E-9BF9B404E0CF} - C:\WINDOWS\system32\javahm.dll

O4 - HKLM\..\Run: [apiwz32.exe] C:\WINDOWS\apiwz32.exe*

Occasionally it is accompanied by one or multiple O4 RunOnce entries

*O4 - HKLM\..\RunOnce: [iprd.exe] C:\WINDOWS\iprd.exe*

The dlls, exes and the #96676 are all random. The identifying factor is res://random.dll/index.html#***** in R0 and res://C:\WINDOWS\random.dll/sp.html#***** in R1

There is a log example here that shows the current method of removal for XP/2K only. For 9x OSes use the second set of directions in this post.

This one will now install a rogue service with any of the four following names:

*Network Security Service

Network Security Service (NSS)

Workstation Netlogon Service

Remote Procedure Call (RPC) Helper*

Have the victim do the following:

First use this tool to get the name of the service that has been installed:

Click here to download getservice.zip and unzip it to your desktop. Open the Getservice folder and click on the getservices.bat file. A notepad will open up with a long list of Services. Please save that notepad file and attach it to your next reply to this thread. It will be easier to attach it rather than copy and paste because it will be too long to paste in one post.

Here is what each service looks like in the services list:

1: SERVICE_NAME: O?rtñåÈ²$Ó
(null)
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\system32\addfz.exe /s
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Network Security Service
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

2: SERVICE_NAME: O?rtñåÈ²$Ó
(null)
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\crsz.exe /s
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Network Security Service (NSS)
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

3: SERVICE_NAME: O?rtñåÈ²$Ó
(null)
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\appid.exe /s
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Workstation NetLogon Service
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

4: SERVICE_NAME: O?rtñåÈ²$Ó
(null)
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINNT\rowslj.dat /s
LOAD_ORDER_GROUP : 
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC) Helper
DEPENDENCIES : 
SERVICE_START_NAME: LocalSystem

Once you have the name of the service have the victim do the following:

First Click here to download cwsserviceremove.zip and unzip it to your desktop and have it ready to run later.
___________________________________________________________________________

Click here to download CWShredder. *Do Not* run it yet. Download it to the desktop and have it ready to run later.

____________________________________________________________________

Click here to download AboutBuster created by Rubber Ducky.

*Unzip* AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode. 
_____________________________________________________________________

Now go ahead and set your computer to show hidden files like so:

Because XP will not always show you hidden files and folders by default, go to Start > Search and under "More advanced search options" make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

______________________________________________________________________

*Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line*. Copy these instructions to notepad and save them on your desktop for easy access. You *must* follow these directions exactly and you *cannot* skip any part of it.
______________________________________________________________________

Click Start > Run > and type in:

*services.msc*

Click OK.

In the services window find *Remote Procedure Call (RPC) Helper*.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*CAUTION:* There is also a service named *Remote Procedure Call (RPC) Locator* and one called *Remote Procedure Call (RPC)* . These are the legitimate services. Do not stop those two.
______________________________________________________________________

Restart to safe mode.

How to start your computer in safe mode

Perform the following steps in safe mode:

____________________________________________________________________

Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter it into the registry. Answer yes when asked to have its contents added to the registry.
____________________________________________________________________

Go to Start > Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

Put a check by these entries in Hijack This and click the "Fix Checked" button:

*All R1 and R0s with res://random.dll/index.html#***** and res://C:\WINDOWS\random.dll/sp.html#*****

All O4 Run and RunOnce entries with random.exe files*

Find and delete these files:

*All the random .exes from O4 entries and the .dll file from the O2 entry

The files from the running processes and the file listed in the services list.*

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\Administrator (Repeat for all user names)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

________________________________________________________________________

Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
_______________________________________________________________________

Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.
_______________________________________________________________________

Boot back into Windows now.

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

This hijacker is known to alter or delete certain files so check this out please:

Download the Hoster from here . UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

If you have Spybot S&D installed you will also need to replace one file. 
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder. 
Find shell.dll and right click on it. Choose Copy from the menu. 
Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu.

control.exe may have been deleted. 
See if control.exe is present in C:\windows\system32

If control.exe isn't there, go here, and download control.exe per the instructions at the site.

*IMPORTANT!:* Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here.

When you are sure you are clean turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

*Note:* The above method works for 2K/XP only. This example shows all the specifics for XP. The differences in this in 2K would only be in the Folder Options settings and there is no System Restore in 2K.

*Removal directions for ME:*

*Note:* For Windows 98 changes to the folder options for showing hidden files must be made and there is no System Restore in 98 so that part is not relevant for 98.

First copy the contents of the quotebox to notepad. Go to File > Save As and name it *Fix.reg* (save as type: 'all files' )



> REGEDIT4
> 
> [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
> 
> ...


___________________________________________________________________________

Click here to download CWShredder. *Do Not* run it yet. Download it to the desktop and have it ready to run later.

____________________________________________________________________

Click here to download AboutBuster created by Rubber Ducky.

*Unzip* AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode. 
_____________________________________________________________________

Now go ahead and set your computer to show hidden files like so:

Click on My Computer. 
Select the Tools menu and click Folder Options. 
Select the View Tab. 
Under the Hidden files and folders heading select Show hidden files and folders. 
Uncheck the Hide protected operating system files (recommended) option. 
Click Apply then OK. Click Yes to confirm.

______________________________________________________________________

*Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line*. Copy these instructions to notepad and save them on your desktop for easy access. You *must* follow these directions exactly and you *cannot* skip any part of it.
______________________________________________________________________

Restart to safe mode.

How to start your computer in safe mode

Perform the following steps in safe mode:

____________________________________________________________________

Double click on the fix.reg file you saved at the beginning to enter it into the registry. Answer yes when asked to have its contents added to the registry.
____________________________________________________________________

Go to Start > Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

Put a check by these entries in Hijack This and click the "Fix Checked" button:

*All R1 and R0s with res://random.dll/index.html#***** and res://C:\WINDOWS\random.dll/sp.html#*****

All O4 Run and RunOnce entries with random.exe files*

Find and delete these files:

*All the random .exes from O4 entries and the .dll file from the O2 entry

The files from the running processes and the file listed in the services list.*

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

________________________________________________________________________

Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
_______________________________________________________________________

Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.
_______________________________________________________________________

Boot back into Windows now.

Turn off System Restore:

Click Start, Settings, and then click Control Panel.
Double-click the System icon. The System Properties dialog box appears.

NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.

Click the Performance tab, and then click File System.
Click the Troubleshooting tab, and then check Disable System Restore.
Click OK. Click Yes, when you are prompted to restart Windows.

Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

This hijacker is known to alter or delete certain files so check this out please:

Download the Hoster from here . UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

If you have Spybot S&D installed you will also need to replace one file. 
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

control.exe may have been deleted. 
See if control.exe is present in C:\windows\system

If control.exe isn't there, Click here to download control_me.zip.

Unzip the file and copy the new control.exe file to the C:\Windows\System folder.

*IMPORTANT!:* Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here.

When you are sure you are clean, reenable System Restore by following these directions

To enable Windows Me System Restore:

Click Start, point to Settings, and then click Control Panel.
Double-click System, and then click the Performance tab.
Click File System, and then click the Troubleshooting tab.
Uncheck Disable System Restore.
Click OK. Click Yes, when you are prompted to restart Windows.
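
Added example, not code from this thread or from the getservice tool: a Python script that reads a services listing in the format shown above (the `KEY : value` blocks that begin with `SERVICE_NAME:`) and picks out entries matching the indicators this post describes: one of the four rogue display names, the `/s` start switch, a binary sitting directly in the Windows directory or not being an .exe, and an unprintable service name. The two legitimate RPC services from the CAUTION are matched exactly and skipped, so "Remote Procedure Call (RPC) Helper" is still caught. The sample listing is constructed for the example from the post's entries; the garbled name, file names and the `W32Time`/`RpcSs` blocks are illustrative, not a signature list.

```python
import re

# Display names the post lists for the rogue CWS service (compared case-insensitively).
ROGUE_DISPLAY_NAMES = {
    "network security service",
    "network security service (nss)",
    "workstation netlogon service",
    "remote procedure call (rpc) helper",
}

# The two real services named in the post's CAUTION: matched exactly and never flagged.
LEGITIMATE_RPC_NAMES = {
    "remote procedure call (rpc)",
    "remote procedure call (rpc) locator",
}


def parse_services(text):
    """Split a getservices-style listing into one dict per SERVICE_NAME block."""
    services = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(null)":
            continue
        # The poster numbered the blocks ("1: SERVICE_NAME: ..."); drop that prefix.
        line = re.sub(r"^\d+:\s*", "", line)
        if line.startswith("SERVICE_NAME:"):
            current = {"SERVICE_NAME": line.split(":", 1)[1].strip()}
            services.append(current)
            continue
        if current is None or ":" not in line:
            continue
        # Fields are "KEY : value"; the first colon always ends the key, so the
        # drive letter inside BINARY_PATH_NAME survives the split.
        key, value = line.split(":", 1)
        current[key.strip()] = value.strip()
    return services


def _executable(binary):
    """First token of BINARY_PATH_NAME, honouring a quoted path with spaces."""
    if binary.startswith('"'):
        end = binary.find('"', 1)
        return binary[1:end] if end > 0 else binary[1:]
    return binary.split()[0] if binary else ""


def triage_services(text):
    """Return the services that match the indicators described in the post."""
    findings = []
    for svc in parse_services(text):
        name = svc.get("SERVICE_NAME", "")
        display = svc.get("DISPLAY_NAME", "")
        binary = svc.get("BINARY_PATH_NAME", "")
        if display.lower() in LEGITIMATE_RPC_NAMES:
            continue  # exact match only: "(RPC) Helper" is not exempted by this
        exe = _executable(binary)
        reasons = []
        if display.lower() in ROGUE_DISPLAY_NAMES:
            reasons.append("display name used by the rogue CWS service")
        if re.search(r"\s/s$", binary):
            reasons.append("started with the '/s' switch seen in all four samples")
        if re.fullmatch(r"[a-z]:\\win(dows|nt)\\[^\\]+", exe, re.IGNORECASE):
            reasons.append("binary sits directly in the Windows directory")
        if exe and not exe.lower().endswith(".exe"):
            reasons.append("service binary is not an .exe (the post shows a .dat)")
        if name and not all(32 <= ord(c) < 127 for c in name):
            reasons.append("service name contains non-printable characters")
        if reasons:
            findings.append({"service_name": name, "display_name": display,
                             "binary": binary, "reasons": reasons})
    return findings


# Constructed sample: two rogue blocks modelled on the post plus two benign services.
# The garbled name stands in for the unprintable SERVICE_NAME shown in the post.
GARBLED_NAME = "O?rt\u00f1\u00e5\u00c8\u00b2$\u00d3"
SAMPLE_LISTING = r"""
1: SERVICE_NAME: GARBLED
(null)
TYPE : 20 WIN32_SHARE_PROCESS
BINARY_PATH_NAME : C:\WINDOWS\system32\addfz.exe /s
DISPLAY_NAME : Network Security Service

2: SERVICE_NAME: GARBLED
(null)
TYPE : 20 WIN32_SHARE_PROCESS
BINARY_PATH_NAME : C:\WINNT\rowslj.dat /s
DISPLAY_NAME : Remote Procedure Call (RPC) Helper

3: SERVICE_NAME: RpcSs
TYPE : 20 WIN32_SHARE_PROCESS
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k rpcss
DISPLAY_NAME : Remote Procedure Call (RPC)

4: SERVICE_NAME: W32Time
TYPE : 20 WIN32_SHARE_PROCESS
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Windows Time
""".replace("GARBLED", GARBLED_NAME)
```

To use it on a real listing, save the notepad file that getservices.bat opens and pass its contents to `triage_services()`; the parser only relies on `KEY : value` lines, so the wider column spacing of real `sc` output is handled by the strip. The rogue display names are a hard match while the other checks are hints, so read the `reasons` list rather than treating any single hit as proof.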


----------



## Flrman1 (Jul 26, 2002)

What it looks like in XP/2K:

*R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {FD90346B-9BF1-4018-A409-6F86439A7333} - C:\WINDOWS\System32\jbpoe.dll*

What it looks like in 9x:

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {89044184-F260-4FDD-8FAB-2662814846E5} - C:\WINDOWS\SYSTEM\rvnwkgdi.dll*

CWShredder will fix this one temporarily but, this hijacker is reloaded on reboot. This is because it is almost always accompanied by a hidden file in the Appinit_DLL key in the registry just like the first about:blank variant was.

*I have removed the fix for this one at freeatlast's request (creator of FindNFix). The fix for this one in XP/2K should not be attempted by unqualified users or helpers*



freeatlast said:


> Feel free to direct users with it but don't
> advertise it in a canned speech, as it is likely to
> cause damage by unqualified victims or helpers, thanks


*If you have been infected by this hijacker please request help in the forum. One of our qualified techs will be happy to assist you.*

_____________________________________________________________________

Removal procedure for 9x:

Identify the file by doing this:

Download StartDreck from: http://www.niksoft.at/_data/startdreck.zip

UnZip the startdreck.zip file first. DoubleClick: 'StartDreck.exe' 
First click on the config button. 
Now click the Unmark all button 
Put a check by these boxes only: 
*Registry->run keys 
*Registry->Browser helper objects 
*System/drivers> Running processes 
hit >ok.

Now click the Save button to save that log.

Copy and Paste the contents of that log back here and await further instructions.

The file can be identified by this entry in the StartDreck log:

»RunServicesOnce
**ay=rundll32 C:\WINDOWS\SYSTEM\*CTL.DLL*,StreamingDeviceSetup

The random dll will always be followed by *,StreamingDeviceSetup*

After identifying the file, remove the hijack thusly:

First Click here to download CWShredder. *Do Not* run it yet. Unzip it to the desktop and have it ready to run later.

Now download the Win98Fix.zip from here:

http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

You *must* UnZip it first. Open the Win98Fix folder that you just extracted and doubleclick on the *RunFix.reg* file inside. Answer "Yes" when asked if you want to add its contents to the registry.

*Restart your computer*

Now restart again into safe mode.

How to start your computer in safe mode

First in safe mode click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

Now find and delete:

The C:\WINDOWS\SYSTEM\*CTL.DLL* file

Finally, run CWShredder. Just click on the cwshredder.exe then click *"Fix" (Not "Scan only")* and let it do its thing.

Boot back to normal and run StartDreck again as you did before and post another log from it and another Hijack This log.


----------



## Flrman1 (Jul 26, 2002)

Here is a new one that I have only seen once so far.

What it looks like:

*R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://msaps.dll/index.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://msaps.dll/index.html

O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe

O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe*

Log example here

To fix simply have HJT fix the R1 and R0 entries and the O4 entries with the tss.exe file.

Restart to safe mode and delete the C:\WINDOWS\System32\*tss.exe* file


----------



## Flrman1 (Jul 26, 2002)

runwin32.exe, wininet32.exe (write-up by Pieter Arntz) I added some info.

Hijacks to a CWS domain (searchmeup, easy-search.biz etc)

Responsible entries in a HijackThis log :

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.searchmeup.com/search.php?aid=1057 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.searchmeup.com/search.php?aid=1057 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.searchmeup.com/search.php?aid=1057

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080

O4 - HKCU\..\Run: [wininet32] C:\WINDOWS.000\wininet32.exe 
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS.000\runwin32.exe*

To fix this one remove the R1 and R0 entries that link to searchmeup or easy-search.biz and the O4 entries loading runwin32.exe and wininet32.exe.

Boot to safe mode and delete the runwin32.exe and wininet32.exe files.

The tricky part here is that it overrides your proxy settings:

After removing the files you have to uncheck the proxy to get your internet connection back by going to Control Panel > Internet Options and click on the "Connections" Tab. Click on the "Settings" button under your Dialup connection or on the "LAN Settings" for broadband. Remove the check by "Use a proxy server for this connection" for dialup or for broadband remove the check by "Use a proxy server for your LAN". Click Apply then OK .

This one does have R1 and R0 entries that redirect to other CWS domains, but right now I don't recall those. I'll edit this post when I get that info. Just be on the lookout for this entry to identify this one:

*R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080 *

Log example here


----------



## Flrman1 (Jul 26, 2002)

*{root dir}:/spad/start.html | myexexex.com*

Responsible entries in a HijackThis log :

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://www.myexexex.com/search.php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html

etc*

Culprit dll :

*HPCMDTY.DLL*

Most likely in :

C:\WINNT\system32\HPCMDTY.DLL (win2k/xp)
C:\windows\system (win9x/me)

Also been spotted in the temp folder, so watch out for that as well!

C:\DOCUME~1\.....\LOCAL~1\Temp\HPCMDTY.DLL

Fix the entries in HijackThis log (R0 and R1)

Restart PC in Safe mode and remove :

c:/*spad* <- this folder

*HPCMDTY.DLL* <- this dll

Also do additional search for this file, and remove if present :

*c_10230.dll*

On win2k / XP systems dropped in the system32 folder!

Use this reg file:

> REGEDIT4
> 
> [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
> [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
> [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
> [-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
> ...


Save it in notepad and go to File > Save As and name it *fix.reg*. Save as type "All Files" and save it to the desktop.

Doubleclick on fix.reg and answer Yes when asked if you want to add its contents to the registry.

Log example here
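
Added example, not from this thread or from any of the tools it names: both the Fix.reg in the ME/98 directions of the second post and the fix.reg above are REGEDIT4 files that a victim is told to double-click. Before importing one it is worth knowing exactly what it will do, so this Python script parses the .reg syntax (`[-key]` deletes a key, `[key]` creates it, `"name"=data` writes a value, `"name"=-` deletes one) and reports anything a cleanup file should not normally contain: a very broad deletion, a value written under an autostart location, or a line the parser does not understand. The first sample uses keys quoted in the thread; the second is a constructed counter-example with a placeholder path and is not from the thread.

```python
import re

VALID_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_LINE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+(?:\\[^\]]*)?)\]$")
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
# Locations where a value being *written* by a "cleanup" file deserves a second look.
AUTOSTART_HINTS = ("\\currentversion\\run", "\\services\\", "appinit_dlls", "\\winlogon")


def parse_reg(text):
    """Classify every line of a .reg file by what importing it would do."""
    out = {"header": None, "keys_created": [], "keys_deleted": [],
           "values_set": [], "values_deleted": [], "unparsed": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if out["header"] is None:
            out["header"] = line          # first non-blank line is the format header
            continue
        km = KEY_LINE.match(line)
        if km:
            minus, key = km.groups()
            (out["keys_deleted"] if minus else out["keys_created"]).append(key)
            current = None if minus else key   # values never follow a deletion
            continue
        vm = VALUE_LINE.match(line)
        if vm and current:
            name = vm.group(1) if vm.group(1) is not None else "(Default)"
            data = vm.group(2).strip()
            if data == "-":
                out["values_deleted"].append((current, name))
            else:
                out["values_set"].append((current, name, data))
            continue
        out["unparsed"].append(line)
    return out


def audit_fix_reg(text):
    """Return (ok, problems); ok means the file only removes specific keys/values."""
    parsed = parse_reg(text)
    problems = []
    if parsed["header"] not in VALID_HEADERS:
        problems.append("unexpected header: %r" % parsed["header"])
    for line in parsed["unparsed"]:
        problems.append("line not understood: %s" % line)
    for key in parsed["keys_deleted"]:
        # hive + fewer than three path components wipes a large part of the registry
        if len(key.split("\\")) < 4:
            problems.append("deletes a very broad key: %s" % key)
    for key, name, data in parsed["values_set"]:
        if any(h in key.lower() for h in AUTOSTART_HINTS):
            problems.append("writes an autostart value: %s\\%s=%s" % (key, name, data))
    return (not problems, problems)


# Constructed from keys quoted in the thread: what a fix.reg is expected to look like.
FIX_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
"""

# Constructed counter-example (placeholder path): deletes a whole subtree and writes a Run value.
BAD_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\WINDOWS\\placeholder.exe"
"""
```

Run `audit_fix_reg(open("fix.reg").read())` on the file you were given before importing it; the thread's own fix files pass because every line is a `[-...]` deletion of a specific key, while anything that creates keys or writes startup values is listed for a human to judge.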


----------



## $teve (Oct 9, 2001)

Well done Mark, very informative :up:
I'll just add this.

Re: the *res://*****.dll/index.html#96676*
It's VERY important with this version or any in which the startpage ends in the numbers (there are about 4 versions) *DO NOT RE-BOOT* or scan with Adaware, SSD or anything....this only aggravates the infection into "Breeding" more rogue .exes.
I'm attaching a HijackThis log from a poster (Akasha) last week that was a 23 page print out
Log *Here* 
It looks like this one was [Solved] using *"About-Buster"*
Fingers crossed.


----------



## Flrman1 (Jul 26, 2002)

This one was previously fixed by CWShredder, but this latest variant is not.

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoisk.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoisk.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoisk.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoisk.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoisk.com/index.htm

O4 - Global Startup: winlgn.exe*

Fix all *R1* and *R0* entries that link to http://mypoisk.com/index.htm and the *O4 - Global Startup* entry.

The O4 entry has been seen with different files like winlogin.exe, winlogon.exe etc...

Restart to safe mode and delete:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\*winlgn.exe*

Log example here


----------



## Flrman1 (Jul 26, 2002)

I've seen this one a few times. I copied this info from Pieter Arntz's post here:

http://www.wilderssecurity.com/showthread.php?p=229285#post229285

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=9 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=9 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://super-spider.com/hp.htm?id=9 
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=9

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\j4rc9cgvcr5pkc.dll

O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe

O4 - HKCU\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe 
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

O20 - AppInit_DLLs: (C:\WINDOWS\system32)aroc94t1s8.tlb

Log example: HERE (http://spywarewarrior.com/viewtopic.php?t=4337)

NOTE: This variant adds pornsites to your favorites, kills off all your other BHOs and adds a lot of 0 byte files.

Still doing some tests for removal, but so far it looks like fixing the items in the log and removing the files in the log plus
%Windir%\bad3074.exe takes care of the hijack.
Use AdAware's smart system scan to remove some unpleasant additions to your favorites and some registry keys.

Still working on the effects of bad3074.exe


----------



## Flrman1 (Jul 26, 2002)

New start.chm / MSITStore (MasterSearch)

Log example here

HJT entries:

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\spe\start.chm::/start.html#

O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Corel Network monitor worker - {99FD4047-E18B-42FA-834C-F27B8D0D8E0C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {99FD4047-E18B-42FA-834C-F27B8D0D8E0C} - (no file) (HKCU)

O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=9&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=9&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=9&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=9&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=9&q=*

The file that loads the hijack is not visible in the HJT log. It is *remove_me.dll*. There will be two copies of the remove_me.dll file, one in the %systemroot% directory and one in the C:\Documents and Settings\Username\Local Settings\Temp folder, and both must be deleted.

Delete the C:\*spe* folder too.

Also the Temporary Internet Files must be deleted.
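
Added example, not from this thread or from HijackThis: the posts in this thread identify each variant by a handful of HijackThis line shapes, and this Python script turns those into one triage pass over a saved log. It covers the `res://random.dll/...#NNNNN` start page of the about:blank variant (second post), the `file://` start/search pages of the Temp\sp.html and spad variants, the `127.0.0.1:8080` ProxyServer entry of the runwin32 variant, the `mkMSITStore:` .chm start page above, the O13 prefix hijack, O20 AppInit_DLLs entries, and O4 entries that run an .exe straight out of the Windows directory. It generalises slightly beyond the posts: any `res://` DLL page or `file://` page is flagged, not only the exact names quoted. The domain set is only those named in this thread (the full list is at the CWSdomains URL in the first post), `hxxp` defanging is accepted, and the sample log is constructed from lines quoted in the posts plus two benign lines.

```python
import re

# Domains named in this thread's posts; the full CWS list is at the URL in the first post.
CWS_DOMAINS = {
    "searchmeup.com", "easy-search.biz", "myexexex.com",
    "mypoisk.com", "super-spider.com", "heretofind.com",
}

RES_DLL = re.compile(r"^res://[^/]*\.dll/", re.I)         # res://random.dll/index.html#96676
LOCAL_FILE = re.compile(r"^file://", re.I)                # file://...\Temp\sp.html, file://c:/spad/start.html
MSITSTORE = re.compile(r"^mk:?@?MSITStore:", re.I)        # mkMSITStore:C:\spe\start.chm::/start.html#
WINDIR_EXE = re.compile(r"^[a-z]:\\win(?:dows|nt)(?:\.\d+)?\\[^\\]+\.exe$", re.I)
URL_HOST = re.compile(r"h(?:tt|xx)ps?://([^/\s?]+)", re.I)  # accepts the thread's hxxp defanging


def _base_domain(value):
    """Last two labels of the host in the first URL found in value, or None."""
    m = URL_HOST.search(value)
    if not m:
        return None
    parts = m.group(1).lower().split(".")
    return ".".join(parts[-2:])


def triage_hjt(text):
    """Return (code, reason, line) for every HijackThis line matching a thread indicator."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip().strip("*")      # the posts wrap log blocks in * for emphasis
        m = re.match(r"^(R0|R1|O\d+)\s+-\s+(.*)$", line)
        if not m:
            continue
        code, rest = m.groups()
        reasons = []
        if code in ("R0", "R1") and " = " in rest:
            key, value = rest.split(" = ", 1)
            value = value.strip()
            if RES_DLL.match(value):
                reasons.append("page served from a local DLL resource (about:blank-style variant)")
            elif LOCAL_FILE.match(value):
                reasons.append("start/search page set to a local file://")
            elif MSITSTORE.match(value):
                reasons.append("start page served from a .chm via MSITStore")
            if key.endswith(",ProxyServer") and value.startswith("127.0.0.1:"):
                reasons.append("proxy forced through a local port (check the Connections tab)")
            dom = _base_domain(value)
            if dom in CWS_DOMAINS:
                reasons.append("points at known CWS domain %s" % dom)
        elif code == "O13" and _base_domain(rest):
            reasons.append("URL prefix hijack to %s" % _base_domain(rest))
        elif code == "O20" and rest.startswith("AppInit_DLLs:"):
            reasons.append("AppInit_DLLs loader entry; review the named file")
        elif code == "O4":
            tail = re.search(r"\]\s*(.+)$", rest)
            if tail and WINDIR_EXE.match(tail.group(1).strip()):
                reasons.append("Run entry launches an .exe straight from the Windows directory")
        for reason in reasons:
            findings.append((code, reason, line))
    return findings


# Constructed sample: lines quoted in this thread plus two benign entries that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iutom.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iutom.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\a\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.searchmeup.com/search.php?aid=1057
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\spe\start.chm::/start.html#
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [apiwz32.exe] C:\WINDOWS\apiwz32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=9&q=
O20 - AppInit_DLLs: (C:\WINDOWS\system32)aroc94t1s8.tlb
"""
```

Paste a whole HijackThis log into `triage_hjt()` and each flagged line comes back with the reason, so a helper can see at a glance which of the thread's variants the log resembles; the O2 BHO and O9 button entries are deliberately left to a human, since their CLSIDs and file names are random and the thread gives no stable pattern for them.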


----------



## Flrman1 (Jul 26, 2002)

Just to let everyone know, I have updated the removal info for the About:Blank res://iutom.dll/index.html#96676 variant.


----------

