Variant 38: CWS.Searchx - about:blank seems popular lately
Approx date first sighted:
April 6, 2004
Log reference:
http://forums.techguy.org/t217853.html
Symptoms:
IE start and search pages changed to about:blank (which is replaced by a search portal linking to searchx.cc) and to a search page served from a DLL on the system; the hijack returns on system reboot
Cleverness:
8/10
Manual removal difficulty:
Involves lots of Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {48918FB4-1FD5-4DF3-87F0-12C36350039D} - C:\WINDOWS\System32\gfmnaaa.dll
This variant is not very hard to spot, but slightly harder to troubleshoot since its symptoms look a lot like those of CWS.Xmlmimefilter. It drops a randomly named DLL in the system folder and sets the IE homepage and search pages to a res:// page inside it. A BHO is also added pointing to the same DLL. The about:blank page is modified by registering two new protocol filters, for text/html and text/plain, which lets the DLL control most of the content flowing through IE as web pages. The trojan keeps a record of all its actions in a log file at c:\filter.log. Removing the two filters in the Registry, deleting the BHO, the DLL and the log file, and restoring the IE pages fixes this hijack.
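As an added defender-side example (not part of the original chronicle or of HijackThis), the script below scans a HijackThis log for this variant's signature: R1 search-page entries that load a res:// page out of a DLL, correlated with an O2 BHO entry loading that same DLL, plus the HomeOldSP = about:blank marker. The sample log is constructed from the entries quoted above; the DLL name is randomly generated on real infections, so the check keys on the pattern rather than on gfmnaaa.dll.

```python
import re
from collections import defaultdict

# Constructed HijackThis excerpt modelled on the entries quoted above; the DLL
# name and BHO CLSID are the ones the page lists, the O4 line is benign filler.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {48918FB4-1FD5-4DF3-87F0-12C36350039D} - C:\WINDOWS\System32\gfmnaaa.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis line shapes: "R1 - <key> = <value>" and "O2 - BHO: <name> - {CLSID} - <path>"
R1_RE = re.compile(r"^R1 - (?P<key>HKCU\\Software\\Microsoft\\Internet Explorer\\[^=]+?) = (?P<value>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RES_RE = re.compile(r"^res://(?P<dll>.+?\.dll)/", re.IGNORECASE)


def find_searchx_pattern(log_text):
    """Return one finding per DLL that is both the target of res:// search-page
    entries (R1) and loaded as a BHO (O2); each finding lists the R1 keys and
    BHO CLSIDs to remove, and whether HomeOldSP was left at about:blank."""
    by_dll = defaultdict(lambda: {"r1_keys": [], "bho_clsids": []})
    home_old_sp_blank = False
    for line in log_text.splitlines():
        line = line.strip()
        m = R1_RE.match(line)
        if m:
            if m["key"].endswith("HomeOldSP") and m["value"].lower().startswith("about:blank"):
                home_old_sp_blank = True
            r = RES_RE.match(m["value"])
            if r:  # search page served from inside a DLL: the CWS.Searchx tell-tale
                by_dll[r["dll"].lower()]["r1_keys"].append(m["key"])
            continue
        m = O2_RE.match(line)
        if m:
            by_dll[m["path"].strip().lower()]["bho_clsids"].append(m["clsid"].upper())
    findings = []
    for dll, refs in by_dll.items():
        if refs["r1_keys"] and refs["bho_clsids"]:
            findings.append({"dll": dll, "r1_keys": refs["r1_keys"],
                             "bho_clsids": refs["bho_clsids"],
                             "home_old_sp_about_blank": home_old_sp_blank})
    return findings


if __name__ == "__main__":
    for f in find_searchx_pattern(SAMPLE_LOG):
        print(f"suspect DLL {f['dll']}: {len(f['r1_keys'])} R1 entries, BHO {f['bho_clsids']}")
```

A hit does not by itself prove this variant (CWS.Xmlmimefilter looks similar), so confirm by checking for the text/html and text/plain protocol filters and c:\filter.log before cleaning.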
Note: CWS.Realyellowpage has sometimes been sighted together with this variant, which prevents CWShredder from removing this one. Refer to the manual removal method for that variant to delete the offending DLL, then run CWShredder again to remove CWS.Searchx.