Fix for new CWS infection

[groovicus]

The newest CWS infection is nasty, and since people here may directly be affected, this may be relevant:

There are a few things to look for:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yzlpr.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yzlpr.dll/index.html#96676

The RO entries and R! entries will look similar to what I have shown above. The .dll involved will have a random name, and will be different for every reboot. It will end with a 4 or 5 digit number.

O2 - BHO: (no name) - {B1D3DC92-F445-F8C6-A5E2-BC0A8A2E2A41} - C:\WINDOWS\sysgn.dll

There will be a BHO with an unidentifiable .dll, randomly named.

O4 - HKLM\..\Run: [javaor32.exe] C:\WINDOWS\javaor32.exe
O4 - HKLM\..\Run: [apiyq.exe] C:\WINDOWS\system32\apiyq.exe

There will be a random named .exe, ending with a 32.exe, and usually close by, another randomly named .exe. These two files 'watch out' for each other.

In addition, there may be many other 04 entries with a run once key, and randomly named .exe's and .dll's, and the .exe's and .dll's will be named in pairs.

**************************************************

What it does:

It hijacks your homepage, it deletes control.exe, it rewrites your host file, and removes a needed .dll from spybot.

***************************************************

Many, many people have been cramming the past few days, trying to come up with a fix for this thing, and if I do say so myself, it is a nasty peice of s**t. Members from Tom Coyote, SWI, SFDC, Computer Cops, and countless others contributed in one way or another, and currently, this is the best fix available. I, however, am not taking any credit for this fix, I am merely presenting it to you.

It can be found at Subratam.org

***************************************************

This is for Win2K and Win XP only.
There are usually 2 exes with this, the R* entry dll and a BHO dll. One exe is a service and apparently they both watch each other. Both exe's should show in the HJT running process list.

=== Remove Exploit ===

1. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
2. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "<insert bad .exe process>" & "<insert bad .exe process>". If you find the files, click on them, and then click End Process => Exit the Task Manager.
3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.
4. Scroll down and find the service called "Network Security Service".
5. When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
6. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":
   
   <insert R* entries>
   <insert BHO entry>
   <O4 entries for exe's>
   
7. Reboot into Safe Mode - How do I boot into "Safe" mode?, and delete the following files:
   
   <insert R* entry dll>
   <insert BHO dll>
   <insert listed exes>
   
8. Go to Start => Run and type in "regedit" (without quotes) and press "Enter".
9. One the registry opens, Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3
   If __NS_Service_3 exists , right click on it and choose delete from the menu.
10. Still in the registry, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3
    If LEGACY___NS_Service_3 exists then right click on it and choose delete from the menu.
11. Exit regedit and reboot in Normal Mode.
12. Two files (Possibly three) were also deleted from your computer and need to be replaced.
    • control.exe - Go to Merijn Files (control) and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.
    • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.
    • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
13. Run HiJackThis again and post a new log in this thread.

[The Grunt]

Thanks for posting this! I will probably start seeing these soon.. I usually find computers with new stuff about a week after it comes out.