Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Home Search Assistant / Cws_ns3 Analysis

  • Please log in to reply
No replies to this topic

#1 Grinler


    Lawrence Abrams

  • Admin
  • 43,675 posts
  • Gender:Male
  • Location:USA
  • Local time:10:55 PM

Posted 29 September 2004 - 08:54 PM

Home Search Assistant / CWS_NS3 Analysis

The symptoms of this infection would appear in a logfile like the contents of the quote below:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pmyqy.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pmyqy.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pmyqy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pmyqy.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pmyqy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pmyqy.dll/sp.html#96676
O2 - BHO: (no name) - {151159EF-C5FE-DEA7-6C94-33A3EC6A9C14} - C:\WINDOWS\winlc32.dll
O4 - HKLM\..\Run: [winnl32.exe] C:\WINDOWS\system32\winnl32.exe

This infection will always contain the following entries in a HijackThis log:
  • Processes - You will generally find 2 processes listed in the HijackThis process list

  • R1 & R0 Entries - They contain a res:// followed by a dll always in the %windir% or %windir%\system32 directory, finally followed by the sp.html#number.

  • O2 Entry (BHO) - This is always a dll found in %windir% or %windir%\system32

  • O4 Entries - Here you will find one or more entries that point to .exe files. If the log is for 98/ME one of the entries will be a RunServices entry.
When the infection installs itself on a computer it does the following:
  • For XP/NT/2000 it installs a service that has a display name of one of three random choices:
    • Workstation NetLogon Service
    • Network Security Service
    • Remote Procedure Call (RPC) Helper
    These services will have a service name of garbage (Something like this: O.#ž‚„�´)

  • For Windows 98/ME it adds a O4 RunServices entry for the service file as 98/ME do not have services like XP or 2000.

  • Adds a O4 entry that contains a random file name and matching keyname.

  • Adds a BHO that contains a random dll filename.

  • Creates a dll to act as the search/start page as seen in the R0/R1 entries.

  • Searches the computer for about 120 different files and if it finds them, deletes them. A common file you will find people have problems with after cleaning the infection is the shell.dll file on XP. This file should be found in both %%windir%\system and %windir%\system32. You may also be able to find a copy in %windir%\system32\dllcache.
How the infection works:
  • The service and O4 entries monitor each other. At a specific interval the processes will check for the existance of the other process and back itself and the other process up as a .dat file. If the O4 finds that the service is turned off, it will start the service again. If the service see's that the O4 is missing or stopped it will start it and spawn another O4 entry.

  • This infection also installs itself as Alternate Data Streams. There is no standard command to remove these types of files, but we instead have to use custom tools such as Merijn's ADS Spy. What the infection does is find a standard, and sometimes critical windows file, and attaches the infection to it as an ADS. You can stop the process normally but will not be able to delete the ADS portion without using a tool like Merijns above. About:Buster should clean most of these ADS for you though which will your life easier but you can use the tool above if there are problems.

    Note: ADS will only exist if the file system is NTFS. Therefore only XP, NT, and 2000 will be affected with ADS files. If a user is XP with a Fat32 filesystem then they wont have ads files.

  • The BHO entry is the actual entry that installs the R0/R1's. This happens when IE is launched for the first time with this BHO installed.

  • If you shut the service, and reopen an infected IE (still has R1/RO entries or has the BHO) then the service will be started again.

  • This malware can get overzealous when protecting itself and install many extra helper programs in the O4 entries. These do not appear to ever be running in the processes though and can be easily removed.
How to remove for 2000/XP:

If you see entries in a log that point towards this type of infection you would need to follow these generalized steps to remove the infection:
  • First identify the service that is part of the infection.

  • Then download about:buster for use later.

  • Then print out these instructions as you do not have to enter IE when in safe mode.

  • Boot into safe mode

  • Shutdown the service

  • Make sure the two processes that are listed in the hijackthis log process list are not running. If they are, end them.

  • Fix the hijackthis entries using hijackthis.

  • Delete the dll found in the R1/RO entry, delete the dll associated with the BHO, delete the service file (Only if it is not an ADS file)

  • Delete the O4 files (Only if it is not an ADS file)

  • Run About:buster

  • Run Trend Micro online scan

  • Reboot your computer

  • Replace deleted files.

This is a self-help guide. Use at your own risk.

BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.

BC AdBot (Login to Remove)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users