Technical details:
Categories: BHO,Hijacker,Toolbar
[Panda]Trojan Horse WebSearch Folders:
[%COMMON_PROGRAMS%]\Web Search Tools
[%PROGRAM_FILES_COMMON%]\wintools
[%PROGRAM_FILES%]\toolbar
[%PROFILE%]\start menu\web search tools
[%PROGRAMS%]\web search tools
[%PROGRAM_FILES%]\common files\wintools
[%PROGRAM_FILES%]\websearch toolbar
WebSearch Files:
[%PROFILE_TEMP%]\iexploreskins.exe
[%PROFILE_TEMP%]\CAB41633\zwipvbh.wzg
[%PROFILE_TEMP%]\CAB70283\zwipvbh.wzg
[%PROFILE_TEMP%]\CAB94510\zwipvbh.wzg
[%PROFILE_TEMP%]\hotfix.exe
[%PROFILE_TEMP%]\IExploreSkins.exe
[%PROFILE_TEMP%]\msiein\CAB38140.6678994792\IExploreSkins.exe
[%PROFILE_TEMP%]\tbps.exe
[%PROFILE_TEMP%]\temp.fr????
[%PROFILE_TEMP%]\temp.fr????\WToolsC.cfg
[%PROFILE_TEMP%]\temp.fr????\WToolsT.dll
[%PROFILE_TEMP%]\toolbar.dll
[%PROFILE_TEMP%]\WToolsB.dll
[%PROGRAM_FILES%]\Crawler\Toolbar\CTConf.dat
[%PROGRAM_FILES%]\MySearch\bar\1.bin\S4BAR.DLL
[%PROGRAM_FILES%]\MySearch\bar\2.bin\S4BAR.DLL
[%PROGRAM_FILES_COMMON%]\WinTools\WSup.exe
[%PROGRAM_FILES_COMMON%]\WinTools\WToolsA.exe
[%PROGRAM_FILES_COMMON%]\WinTools\WToolsC.cfg
[%PROGRAM_FILES_COMMON%]\WinTools\WToolsD.cfg
[%SYSTEM%]\1lfc8c5t.dat
[%SYSTEM%]\5kc716be.dat
[%SYSTEM%]\5s72altp.dat
[%SYSTEM%]\6v77fbg9.dat
[%SYSTEM%]\ap2nqrd4.dat
[%SYSTEM%]\Cache\EDow_AS2_r.exe
[%SYSTEM%]\gl9kghup.dat
[%SYSTEM%]\gpg4dpeh.dat
[%SYSTEM%]\kqbu0obd.dat
[%SYSTEM%]\m3205dvn.dat
[%SYSTEM%]\na66t24r.dat
[%SYSTEM%]\nl5b8i3l.dat
[%SYSTEM%]\pplogo48x48.ico
[%SYSTEM%]\q10pvbrv.dat
[%SYSTEM%]\rp7oakvm.dat
[%SYSTEM%]\tbps.ini
[%SYSTEM%]\tm97pj39.dat
[%SYSTEM%]\v2kgiq720.dat
[%SYSTEM%]\vnocnh0c.dat
[%SYSTEM%]\WinTools.exe
[%WINDOWS%]\eMusicSetup.exe
[%WINDOWS%]\partypocker.ico
[%WINDOWS%]\partypocker4.ico
[%WINDOWS%]\partypocker6.ico
[%WINDOWS%]\Temp\baAjAGE8.exe
[%WINDOWS%]\Temp\eyDsN5tC.exe
[%WINDOWS%]\Temp\gz0OcFAV.exe
[%WINDOWS%]\Temp\MRobeF0H.exe
[%WINDOWS%]\Temp\muwLPrdj.exe
[%WINDOWS%]\Temp\wTDBBlxh.exe
[%WINDOWS%]\Temp\X2CrBD4t.exe
[%WINDOWS%]\Temp\zemTaXIx.exe
[%PROFILE%]\locals~1\temp\iexploreskins.exe
[%PROFILE_TEMP%]\mso9cbcb.ppt
[%PROFILE_TEMP%]\wintools.exe
[%SYSTEM%]\aaaamon0.exe
[%SYSTEM%]\appmgr00.exe
[%SYSTEM%]\browseui.exe
[%SYSTEM%]\certcli8.exe
[%SYSTEM%]\comcat94.exe
[%SYSTEM%]\msnycl.exe
[%SYSTEM%]\msrolfn.exe
[%SYSTEM%]\spotonbh.dll
[%WINDOWS%]\fash.exe
[%WINDOWS%]\system\spotonbh.dll
[%WINDOWS%]\winmem32.exe
[%PROFILE_TEMP%]\iexploreskins.exe
[%PROFILE_TEMP%]\CAB41633\zwipvbh.wzg
[%PROFILE_TEMP%]\CAB70283\zwipvbh.wzg
[%PROFILE_TEMP%]\CAB94510\zwipvbh.wzg
[%PROFILE_TEMP%]\hotfix.exe
[%PROFILE_TEMP%]\IExploreSkins.exe
[%PROFILE_TEMP%]\msiein\CAB38140.6678994792\IExploreSkins.exe
[%PROFILE_TEMP%]\tbps.exe
[%PROFILE_TEMP%]\temp.fr????
[%PROFILE_TEMP%]\temp.fr????\WToolsC.cfg
[%PROFILE_TEMP%]\temp.fr????\WToolsT.dll
[%PROFILE_TEMP%]\toolbar.dll
[%PROFILE_TEMP%]\WToolsB.dll
[%PROGRAM_FILES%]\Crawler\Toolbar\CTConf.dat
[%PROGRAM_FILES%]\MySearch\bar\1.bin\S4BAR.DLL
[%PROGRAM_FILES%]\MySearch\bar\2.bin\S4BAR.DLL
[%PROGRAM_FILES_COMMON%]\WinTools\WSup.exe
[%PROGRAM_FILES_COMMON%]\WinTools\WToolsA.exe
[%PROGRAM_FILES_COMMON%]\WinTools\WToolsC.cfg
[%PROGRAM_FILES_COMMON%]\WinTools\WToolsD.cfg
[%SYSTEM%]\1lfc8c5t.dat
[%SYSTEM%]\5kc716be.dat
[%SYSTEM%]\5s72altp.dat
[%SYSTEM%]\6v77fbg9.dat
[%SYSTEM%]\ap2nqrd4.dat
[%SYSTEM%]\Cache\EDow_AS2_r.exe
[%SYSTEM%]\gl9kghup.dat
[%SYSTEM%]\gpg4dpeh.dat
[%SYSTEM%]\kqbu0obd.dat
[%SYSTEM%]\m3205dvn.dat
[%SYSTEM%]\na66t24r.dat
[%SYSTEM%]\nl5b8i3l.dat
[%SYSTEM%]\pplogo48x48.ico
[%SYSTEM%]\q10pvbrv.dat
[%SYSTEM%]\rp7oakvm.dat
[%SYSTEM%]\tbps.ini
[%SYSTEM%]\tm97pj39.dat
[%SYSTEM%]\v2kgiq720.dat
[%SYSTEM%]\vnocnh0c.dat
[%SYSTEM%]\WinTools.exe
[%WINDOWS%]\eMusicSetup.exe
[%WINDOWS%]\partypocker.ico
[%WINDOWS%]\partypocker4.ico
[%WINDOWS%]\partypocker6.ico
[%WINDOWS%]\Temp\baAjAGE8.exe
[%WINDOWS%]\Temp\eyDsN5tC.exe
[%WINDOWS%]\Temp\gz0OcFAV.exe
[%WINDOWS%]\Temp\MRobeF0H.exe
[%WINDOWS%]\Temp\muwLPrdj.exe
[%WINDOWS%]\Temp\wTDBBlxh.exe
[%WINDOWS%]\Temp\X2CrBD4t.exe
[%WINDOWS%]\Temp\zemTaXIx.exe
[%PROFILE%]\locals~1\temp\iexploreskins.exe
[%PROFILE_TEMP%]\mso9cbcb.ppt
[%PROFILE_TEMP%]\wintools.exe
[%SYSTEM%]\aaaamon0.exe
[%SYSTEM%]\appmgr00.exe
[%SYSTEM%]\browseui.exe
[%SYSTEM%]\certcli8.exe
[%SYSTEM%]\comcat94.exe
[%SYSTEM%]\msnycl.exe
[%SYSTEM%]\msrolfn.exe
[%SYSTEM%]\spotonbh.dll
[%WINDOWS%]\fash.exe
[%WINDOWS%]\system\spotonbh.dll
[%WINDOWS%]\winmem32.exe
WebSearch Registry Keys:
HKEY_CLASSES_ROOT\btlink.relatedlinksprotocol
HKEY_CLASSES_ROOT\btlink.resprotocol
HKEY_CLASSES_ROOT\clsid\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}
HKEY_CLASSES_ROOT\clsid\{2c4e6d22-b71f-491f-aad3-b6972a650d50}
HKEY_CLASSES_ROOT\clsid\{310cc549-4541-46a9-940f-52b342a6e682}
HKEY_CLASSES_ROOT\CLSID\{339BB23F-A864-48C0-A59F-29EA915965EC}
HKEY_CLASSES_ROOT\clsid\{3c53010d-97ba-4650-84c5-1a6faa31055e}
HKEY_CLASSES_ROOT\clsid\{69357d4e-bf4d-4651-91e9-52ecd45a0128}
HKEY_CLASSES_ROOT\clsid\{6e21f428-5617-47f7-aed8-b2e1d8fba711}
HKEY_CLASSES_ROOT\clsid\{708be496-e202-497b-bc31-9cf47e3bf8d6}
HKEY_CLASSES_ROOT\CLSID\{8952A998-1E7E-4716-B23D-3DBE03910972}
HKEY_CLASSES_ROOT\clsid\{8b0fa130-0c3d-4cb1-aeb7-2c29da5509a3}
HKEY_CLASSES_ROOT\CLSID\{8DA5457F-A8AA-4CCF-A842-70E6FD274094}
HKEY_CLASSES_ROOT\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}
HKEY_CLASSES_ROOT\clsid\{bbf122a7-8a4d-45b5-9e00-0f68bc87c904}
HKEY_CLASSES_ROOT\clsid\{cae0999f-78c5-49dc-9f30-13142aaaaba4}
HKEY_CLASSES_ROOT\clsid\{cd8d1caa-fe4a-45df-a06c-028aaf1821de}
HKEY_CLASSES_ROOT\CLSID\{D6DFF6D8-B94B-4720-B730-1C38C7065C3B}
HKEY_CLASSES_ROOT\CLSID\{FF76A5DA-6158-4439-99FF-EDC1B3FE100C}
HKEY_CLASSES_ROOT\common.buttons
HKEY_CLASSES_ROOT\interface\{234f09fb-fe89-4c6d-9203-31832fc051c3}
HKEY_CLASSES_ROOT\interface\{365b9a54-e613-46e5-9db1-4f91a9de80bd}
HKEY_CLASSES_ROOT\interface\{618be527-b7f5-417c-bc51-98fdc2d6de61}
HKEY_CLASSES_ROOT\interface\{66c22569-f05c-4a70-a142-763b337e1002}
HKEY_CLASSES_ROOT\interface\{6f59d850-a155-4930-98ae-689a2bc7b8e8}
HKEY_CLASSES_ROOT\interface\{7b8bd940-b1ef-460c-85a2-9acaaf7f9303}
HKEY_CLASSES_ROOT\interface\{99aa88d1-d9d3-410a-be9e-044f94c183da}
HKEY_CLASSES_ROOT\interface\{c380566d-f343-42ab-987b-6b38a1a35747}
HKEY_CLASSES_ROOT\interface\{d1951679-1d52-43fc-9585-0737143585f5}
HKEY_CLASSES_ROOT\interface\{f273d4ea-2025-4410-8408-251a0cd46be7}
HKEY_CLASSES_ROOT\PROTOCOLS\Handler\tpro
HKEY_CLASSES_ROOT\protocols\name-space handler\res
HKEY_CLASSES_ROOT\radio.radioplayer
HKEY_CLASSES_ROOT\tbps.plugincfgobj
HKEY_CLASSES_ROOT\tbps.pluginconfig
HKEY_CLASSES_ROOT\tbps.plugindown
HKEY_CLASSES_ROOT\tbps.plugindownadd
HKEY_CLASSES_ROOT\tbps.pluginevents
HKEY_CLASSES_ROOT\tbps.plugininst
HKEY_CLASSES_ROOT\tbps.pluginserver
HKEY_CLASSES_ROOT\tbps.toolbarscript
HKEY_CLASSES_ROOT\toolbar.itoolbarscriptclass
HKEY_CLASSES_ROOT\toolbar.resprotocol
HKEY_CLASSES_ROOT\typelib\{37ac49e3-e906-4bd8-ae83-d0f7fb48fd17}
HKEY_CLASSES_ROOT\typelib\{b23b3add-84b1-414a-92b9-0cabe5a781f4}
HKEY_CURRENT_USER\software\btiein
HKEY_CURRENT_USER\software\btlink
HKEY_CURRENT_USER\software\microsoft\internet explorer\main
HKEY_CURRENT_USER\software\toolbar
HKEY_LOCAL_MACHINE\software\btiein
HKEY_LOCAL_MACHINE\software\btlink
HKEY_LOCAL_MACHINE\software\classes\clsid\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb}
HKEY_LOCAL_MACHINE\software\classes\interface\{1d4db7d1-6ec9-47a3-bd87-1e41684e07bb}
HKEY_LOCAL_MACHINE\software\classes\interface\{1d4db7d3-6ec9-47a3-bd87-1e41684e07bb}
HKEY_LOCAL_MACHINE\software\classes\interface\{bd6f129a-08db-4cc5-a75a-f2ab79e55b6e}
HKEY_LOCAL_MACHINE\software\classes\toolbar.itoolbarscriptclass
HKEY_LOCAL_MACHINE\software\classes\typelib\{1d4db7d0-6ec9-47a3-bd87-1e41684e07bb}
HKEY_LOCAL_MACHINE\software\classes\typelib\{8992b6ca-b8c9-4aed-bf89-0a17f6296a06}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{26E8361F-BCE7-4F75-A347-98C88B418322}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87766247-311C-43B4-8499-3D5FEC94A183}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8952A998-1E7E-4716-B23D-3DBE03910972}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8DA5457F-A8AA-4CCF-A842-70E6FD274094}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D6DFF6D8-B94B-4720-B730-1C38C7065C3B}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\installer\userdata\sto
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:\windows\downloaded program files\qdow_as2.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\hauto_uninstall
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ttool_uninstall
HKEY_LOCAL_MACHINE\software\toolbar
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tbpssvc
HKEY_USERS\.default\software\toolbar
HKEY_CLASSES_ROOT\btieinscriptconfigproj.btieinscriptc
HKEY_CLASSES_ROOT\btieinscriptconfigproj.btieinscriptconfig
HKEY_CLASSES_ROOT\clsid\{001dae60-95c0-11d3-924e-009027950886}
HKEY_CLASSES_ROOT\clsid\{26e8361f-bce7-4f75-a347-98c88b418322}
HKEY_CLASSES_ROOT\clsid\{339bb23f-a864-48c0-a59f-29ea915965ec}
HKEY_CLASSES_ROOT\clsid\{356639aa-e878-40ff-b2f8-e22fa87df389}
HKEY_CLASSES_ROOT\clsid\{63b78bc1-a711-4d46-ad2f-c581ac420d41}
HKEY_CLASSES_ROOT\clsid\{8952a998-1e7e-4716-b23d-3dbe03910972}
HKEY_CLASSES_ROOT\clsid\{8da5457f-a8aa-4ccf-a842-70e6fd274094}
HKEY_CLASSES_ROOT\clsid\{cabcf5e7-0c79-4f1c-909d-b9cf68fed746}
HKEY_CLASSES_ROOT\clsid\{d6dff6d8-b94b-4720-b730-1c38c7065c3b}
HKEY_CLASSES_ROOT\clsid\{f1616b86-9288-489d-b71a-0ccf2f1a89da}
HKEY_CLASSES_ROOT\clsid\{fb45c451-b0e9-4407-bb6a-9361013f3e9a}
HKEY_CLASSES_ROOT\clsid\{ff76a5da-6158-4439-99ff-edc1b3fe100c}
HKEY_CLASSES_ROOT\interface\{26e8361f-bce7-4f75-a347-98c88b418321}
HKEY_CLASSES_ROOT\protocols\handler\relatedlinks
HKEY_CLASSES_ROOT\protocols\handler\tpro
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{001dae60-95c0-11d3-924e-009027950886}
HKEY_CLASSES_ROOT\ssaver.saverobj
HKEY_CLASSES_ROOT\typelib\{5cf68a06-673d-4619-a805-c8fc9ac611dd}
HKEY_CLASSES_ROOT\typelib\{db9a4e78-35df-4a54-b6c5-c5190ceaf949}
HKEY_LOCAL_MACHINE\software\classes\clsid\{001dae60-95c0-11d3-924e-009027950886}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{26e8361f-bce7-4f75-a347-98c88b418322}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{87067f04-de4c-4688-bc3c-4fcf39d609e7}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{001dae60-95c0-11d3-924e-009027950886}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{63b78bc1-a711-4d46-ad2f-c581ac420d41}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{87766247-311c-43b4-8499-3d5fec94a183}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{8952a998-1e7e-4716-b23d-3dbe03910972}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{8da5457f-a8aa-4ccf-a842-70e6fd274094}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{d6dff6d8-b94b-4720-b730-1c38c7065c3b}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\[%WINDOWS%]\downloaded program files\qdow_as2.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\btlink_dll
WebSearch Registry Values:
HKEY_CURRENT_USER\software\microsoft\internet explorer\toolbar\webbrowser
HKEY_CURRENT_USER\software\microsoft\internet explorer\urlsearchhooks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\.default\software\microsoft\internet explorer\urlsearchhooks
HKEY_CURRENT_USER\software\microsoft\internet explorer\main
HKEY_CURRENT_USER\software\microsoft\internet explorer\main
HKEY_CURRENT_USER\software\microsoft\internet explorer\main
HKEY_CURRENT_USER\software\microsoft\internet explorer\main
HKEY_CURRENT_USER\software\microsoft\internet explorer\main
HKEY_CURRENT_USER\software\microsoft\internet explorer\main
HKEY_CURRENT_USER\software\microsoft\internet explorer\main
HKEY_CURRENT_USER\software\microsoft\internet explorer\main
HKEY_CURRENT_USER\software\microsoft\internet explorer\toolbar\webbrowser
HKEY_CURRENT_USER\software\microsoft\internet explorer\toolbar\webbrowser
HKEY_CURRENT_USER\software\microsoft\internet explorer\urlsearchhooks
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\search
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\search
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\search
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\search
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\urlsearchhooks
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\0001
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list
WebSearch indications of infection
This symptoms of WebSearch detection are the files, registry, and network communication referenced in the technical details section.Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial.Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.
Buy Exterminate-It antivirus software and perform a full scan of the computer.
You can also Download Free Trial Version of ExterminateIt! to check your your computer just NOW.
Also Be Aware of the Following Threats:
Delf.rc Trojan Removal instruction
Wincontrol Trojan Cleaner
Posts
No comments:
Post a Comment