Home Search Assistant / Cws

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > Spyware and Malware Removal Guides and Reading Room

How to use the self-help guides

This forum contains self-help guides on removing common malware and viruses. These guides can be advanced so please use them at your own risk.

If after following the self-help guide, or you can not find an appropriate guide, then you can receive step-by-step instructions directly from one of our experts by following the instructions in this topic: Preparation Guide For Use Before Posting A Hijackthis Log

Home Search Assistant / Cws_ns3 Analysis, Hijacker Analysis

Options

Grinler View Member Profile	Sep 29 2004, 08:54 PM Post #1
Bleep Bleep! Group: Admin Posts: 31,509 Joined: 24-January 04 From: USA Member No.: 3	Home Search Assistant / CWS_NS3 Analysis The symptoms of this infection would appear in a logfile like the contents of the quote below: QUOTE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pmyqy.dll/sp.html#96676 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pmyqy.dll/index.html#96676 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pmyqy.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pmyqy.dll/sp.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pmyqy.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pmyqy.dll/sp.html#96676 O2 - BHO: (no name) - {151159EF-C5FE-DEA7-6C94-33A3EC6A9C14} - C:\WINDOWS\winlc32.dll O4 - HKLM\..\Run: [winnl32.exe] C:\WINDOWS\system32\winnl32.exe This infection will always contain the following entries in a HijackThis log: Processes - You will generally find 2 processes listed in the HijackThis process list R1 & R0 Entries - They contain a res:// followed by a dll always in the %windir% or %windir%\system32 directory, finally followed by the sp.html#number. O2 Entry (BHO) - This is always a dll found in %windir% or %windir%\system32 O4 Entries - Here you will find one or more entries that point to .exe files. If the log is for 98/ME one of the entries will be a RunServices entry. When the infection installs itself on a computer it does the following: For XP/NT/2000 it installs a service that has a display name of one of three random choices: Workstation NetLogon Service Network Security Service Remote Procedure Call (RPC) Helper These services will have a service name of garbage (Something like this: ½O.#Å¾â€šâ€žõØÂ´â) For Windows 98/ME it adds a O4 RunServices entry for the service file as 98/ME do not have services like XP or 2000. Adds a O4 entry that contains a random file name and matching keyname. Adds a BHO that contains a random dll filename. Creates a dll to act as the search/start page as seen in the R0/R1 entries. Searches the computer for about 120 different files and if it finds them, deletes them. A common file you will find people have problems with after cleaning the infection is the shell.dll file on XP. This file should be found in both %%windir%\system and %windir%\system32. You may also be able to find a copy in %windir%\system32\dllcache. How the infection works: The service and O4 entries monitor each other. At a specific interval the processes will check for the existance of the other process and back itself and the other process up as a .dat file. If the O4 finds that the service is turned off, it will start the service again. If the service see's that the O4 is missing or stopped it will start it and spawn another O4 entry. This infection also installs itself as Alternate Data Streams. There is no standard command to remove these types of files, but we instead have to use custom tools such as Merijn's ADS Spy. What the infection does is find a standard, and sometimes critical windows file, and attaches the infection to it as an ADS. You can stop the process normally but will not be able to delete the ADS portion without using a tool like Merijns above. about:Buster should clean most of these ADS for you though which will your life easier but you can use the tool above if there are problems. Note: ADS will only exist if the file system is NTFS. Therefore only XP, NT, and 2000 will be affected with ADS files. If a user is XP with a Fat32 filesystem then they wont have ads files. The BHO entry is the actual entry that installs the R0/R1's. This happens when IE is launched for the first time with this BHO installed. If you shut the service, and reopen an infected IE (still has R1/RO entries or has the BHO) then the service will be started again. This malware can get overzealous when protecting itself and install many extra helper programs in the O4 entries. These do not appear to ever be running in the processes though and can be easily removed. How to remove for 2000/XP: If you see entries in a log that point towards this type of infection you would need to follow these generalized steps to remove the infection: First identify the service that is part of the infection. Then download about:buster for use later. Then print out these instructions as you do not have to enter IE when in safe mode. Boot into safe mode Shutdown the service Make sure the two processes that are listed in the hijackthis log process list are not running. If they are, end them. Fix the hijackthis entries using hijackthis. Delete the dll found in the R1/RO entry, delete the dll associated with the BHO, delete the service file (Only if it is not an ADS file) Delete the O4 files (Only if it is not an ADS file) Run about:buster Run Trend Micro online scan Reboot your computer Replace deleted files. This is a self-help guide. Use at your own risk. BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum. If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you. -------------------- Lawrence Become a BleepingComputer fan: Facebook Follow us on Twitter!

« Next Oldest · Spyware and Malware Removal Guides and Reading Room · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 7th November 2009 - 11:10 PM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides