Description

CoolWebSearch is an umbrella term for a wide range of disparate browser hijackers not otherwise sorted into separate parasite families. The actual code of the different variants generally differs wildly, and there are multiple competing groups writing and distributing the CoolWebSearch hijackers, many of whom operate in Russia and Eastern European countries. CoolWebSearch variants are united by their methods of installation and their target search engines, which are affiliates of coolwebsearch.com.

CoolWebSearch hijackers are invariably installed by exploitation of a wide variety of web browser security holes, the vast majority (but not all) of which target Internet Explorer and its MS Java virtual machine. Since the appearance of the first variant in mid-2003, CoolWebSearch exploits have become extremely common, going from hiding on blind links in isolated porn pages, to typosquatting domains, to infesting site message boards, to spawning from pop-up adverts on mainstream web pages. Exploits are often chained through traffic redirectors, making multiple infections of different variants at once very likely.

Around October 2004, many mainstream web servers, including major advertising networks, were hacked by a CoolWebSearch affiliate (apparently using security holes in old versions of PHP and/or OpenSSL via Apache). Visitors to these sites were served with exploits that installed CoolWebSearch variants along with other parasites such as BargainBuddy/BullsEye and /Cashback, BookedSpace, HuntBar/WinTools, FavoriteMan/ATPartners, Look2Me/V3, InternetOptimizer, ISTbar/XXXToolbar, /SideFind, /ActiveX and /YSB, nCase, NeoToolbar, PowerScan, SaveNow/VVSN, SearchMiracle, TIBS (dialler), TopConverting, TopMoxie/WebRebates, WildMedia/WMService and WindUpdates/WinAdTools. Previous CoolWebSearch exploits had also installed some of these, as well as Tubby and OnlineDialer/Ole, zombie botnet clients and even internet banking password-stealing trojans.

Other parasites related to CoolWebSearch and often considered part of the same family include Winshow, SuperSpider, SCAgent, SRE and FreshBar.

The script at this site can detect some but not all of the variants listed here; further, this is not a complete list of all CWS-related parasites. Some further variants are detailed in the CWS Chronicles.

Variants

CoolWebSearch/DataNotary: earliest known variant, hijacking to datanotary.com. Drops a CSS stylesheet file in the Windows folder and sets it to be used as the user stylesheet for all web pages viewed in IE. The stylesheet includes embedded JavaScript code which tries to guess when the user is viewing porn sites.

CoolWebSearch/BootConf: drops a user CSS file in the same way as DataNotary, but pointing at www.coolwebsearch.com. Also hijacks the home page and all search settings to point to coolwebsearch, and hacks the DNS Hosts file to redirect access of MSN address-bar search to coolwebsearch.com. The site names are obfuscated using URL-encoding (%XX) to make them difficult to read. A program bootconf.exe is set up to run on every startup, resetting the hijack. Finally coolwebsearch.com is added to the Trusted Sites list, along with msn.com, whom coolwebsearch are also impersonating.

CoolWebSearch/MSInfo: another user-CSS-hijacker, this time pointed at true-counter.com, currently redirecting to global-finder.com.

CoolWebSearch/SvcHost: a Hosts file hijacker, which works in a rather unusual way (probably to avoid being detected by anti-hijacker tools). Its targeted sites (Yahoo Search, MSN Search and all countries’ versions of Google) are set in the Hosts file to point to ‘localhost’ (127.0.0.1). Since the local host (the computer the browser is running on) is most often not running a web server, this results in an error page; it is this error page that is then hijacked to the CWS site slawsearch.com.

CoolWebSearch/PnP: a search hijacker that hides inside the ‘inf’ folder usually used for storing device driver information. Its hijacker file oemsyspnp.inf is run on each startup, using a slightly different install command each time. This command cycles through install sections ‘RunOnce’, ‘AudioPnP’, ‘VideoPnp’, ‘IdePnP’ and ‘SysPnP’, though quite why is unknown as it does the same thing regardless of which section is used, namely hijacking home page and search settings to point at www.adulthyperlinks.com and www.allhyperlinks.com. It also adds activexupdate.com to the IE ‘Safe Sites’ list, for unknown purpose (this is not the same as the Trusted Sites Zone).

CoolWebSearch/KeyMgr: a new version of PnP with different names.

CoolWebSearch/MSSPI: a search results hijacker implemented as a Winsock2 Layered Service Provider (a fairly low-level networking component, which is tricky to remove). Targets Google, Yahoo and Altavista, opening advertising from unipages.cc.

CoolWebSearch/DNSRelay: an address bar search hijacker implemented as an IE URL Search Hook. As well as search phrases, entering any site name into the address bar without a leading ‘http://’ or ‘www’ will result in a search aimed at activexupdate.com, a CWS site redirecting through yellow2.com to allhyperlinks.com.

CoolWebSearch/ASTCtl: a new version of DNSRelay with different names.

CoolWebSearch/WinUpd: simple persistent homepage and search hijacker pointed at subdomains of directwebsearch.net, eg. weba.directwebsearch.net, dinamo.directwebsearch.net. Stored as winupd.exe and run at startup. Note that winupd.exe is a fairly generic name which does not necessarily indicate CoolWebSearch/WinUpd is installed; the Enterprise trojan and Bagle worm are also known to use the same filename.

CoolWebSearch/XPlugin: acts as a filter for web pages, detecting when search engines are used, then changing some of the links on their results page to point to its own (unrelated) ‘search results’ instead of the expected page.

CoolWebSearch/BlankFilter: an HTML/text filter and Browser Helper Object (BHO) in the Windows folder. Known names include madopew.dll, mindep.dll and openwin.dll. Acts as a search hijacker aimed at the file sp.html in the Temp folder, and a homepage hijacker aimed at a built-in web page with links and popups from oz.msie.tv (though the address bar still says ‘about:blank’).

CoolWebSearch/RndFilter: as BlankFilter, but with a completely random filename.

CoolWebSearch/ResFilter: an Internet Explorer BHO and HTML filter that acts as a homepage hijacker using a page built into its DLL program file, appearing in the address bar as about:blank, with searches from this page going to snugweb.com, and a search hijacker built into the DLL referenced through an obfuscated res:// URL, targeted at fastsearchweb.com. Stored in the System32 folder, the filenames may vary; protect32.dll, mcicdb.dll and cdae.dll have been seen so far. Class IDs are random.

CoolWebSearch/msbho: an Internet Explorer BHO that acts as a backdoor. Stored in the System32 folder under the name ‘msXXX.dll’ where XXX is three random lower-case letters; uses a random class ID. When a new IE window is opened, it contacts its controlling server, which directs it to install further software including sp2chk.exe (a rootkit-like hook that makes other CWS files invisible to the Windows file Explorer), tlntadmnx.exe (which puts the site 63.219.181.7 in the IE Trusted Sites Zone, then calls it to install the OnlineDialer/Ole parasite, which loads Richfind/Q) and tcpsvcss.exe (which hijacks the DNS server settings of all internet connections to 69.50.188.180 and 195.225.176.31, allowing these servers to redirect access to any site to an attacker). It can also load the CoolWebSearch/WinProtect, Freshbar and WareOut parasites.

CoolWebSearch/DOMPeek: an Internet Explorer Browser Helper Object (BHO) stored as dpe.dll. Hijacks homepage and search settings to e-finder.cc (though the homepage appears to be ‘about:blank’). Opens pop-ups. Redirects usage of google.com to its own results at 69.93.145.180 (which uses Google’s graphics and the Internet Explorer address-bar-spoofing bug to make it look as though the page is coming from Google). Removes all entries from the Hosts file.

CoolWebSearch/InetDoor: a homepage- and search hijacker and backdoor controlled and distributed by crdrcr.com, currently targeted at the related domains findtop.net, redtr.com and find-it-easy.org. Stored as a DLL in the System folder with a name of the form msNNNNNN.dll, where NNNNNN is a hexadecimal number which varies; so far, ms0b920b.dll and ms9b1d3f.dll have been seen. InetDoor ‘infects’ legitimate executable files by adding its DLL to their built-in ‘import tables’ of dependencies, ensuring that the DLL will be loaded whenever they are run. InetDoor targets programs that are set to run on Windows startup, so that it will be run on startup too. Removal is tricky; deleting just the DLL will leave the ‘infected’ programs unable to run.

CoolWebSearch/mshelp: a backdoor trojan controlled by ultimately-yours.com. Opens two ports listening for remote commands, and calls its owner server to inform it of the available zombie. Stored as mshelp32.exe in the System32 folder. (Does not, in itself, actually behave as a browser hijacker.)

CoolWebSearch/svnhost: a backdoor trojan controlled by webnomey.net. Opens ports listening for remote commands, calls its owner server to inform it of the available zombie, and sends mail to its creator. Comprises a DLL dx90vb.dll set to run on shell startup, which recreates and runs the main executable svñhost.exe. (On a Russian Windows 95/98/Me installation (code page 1251), the byte used for the ñ character is displayed as Cyrillic ‘с’, which looks identical to a Latin ‘c’, spoofing the legitimate system process svchost.exe. But this fails for other languages; in Latin-1 or Unicode installations it shows as n-tilde.) To allow incoming traffic on the open ports, it seems to try to reconfigure the Windows XP firewall. However, as it uses a fixed ControlSet number, this may often fail in practice.
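Worked example (added by the editor; not code from the original entry or from any CWS tool): the code-page trick behind the svñhost.exe name, and a small process-list triage check that catches both the cp1251 rendering (Cyrillic ‘с’) and the Latin-1 rendering (‘ñ’). The process list and the confusables map are constructed for the example; a real tool would use the full Unicode confusables table.

```python
import unicodedata

# Look-alike characters folded to the ASCII letter they resemble. This map is
# an assumption for the example (only the Cyrillic letters relevant here).
CONFUSABLES = {
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
}

# Constructed process list (not a real capture) with two spoofs of svchost.exe.
SAMPLE_PROCESSES = ["svchost.exe", "sv\u0441host.exe", "sv\u00f1host.exe",
                    "explorer.exe", "lsass.exe"]
SYSTEM_BINARIES = ["svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"]


def as_seen_on_cp1251(name: str) -> str:
    """What a filename written on a Latin-1 system looks like on a cp1251
    (Russian) one: n-tilde is byte 0xF1 in Latin-1, and byte 0xF1 in cp1251
    is Cyrillic small es, which renders exactly like Latin c."""
    return name.encode("latin-1").decode("cp1251")


def skeleton(name: str) -> str:
    """Fold confusable characters so visually identical names compare equal."""
    return "".join(CONFUSABLES.get(ch, ch)
                   for ch in unicodedata.normalize("NFC", name))


def is_spoof_of(name: str, legit: str) -> bool:
    """True when name differs from legit but reads the same to a human."""
    n, l = name.lower(), legit.lower()
    return n != l and skeleton(n) == l


def one_char_off(a: str, b: str) -> bool:
    """Same length, exactly one differing position (the case where the spoof
    shows through, as the n-tilde does on a Latin-1 system)."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def suspicious_process_names(names, system_binaries):
    """Return (process name, system binary it imitates) for each process whose
    name is a confusable spoof, or a non-ASCII name one character away from
    a system binary name."""
    hits = []
    for n in names:
        for legit in system_binaries:
            if is_spoof_of(n, legit) or (
                    not n.isascii() and one_char_off(n.lower(), legit.lower())):
                hits.append((n, legit))
                break
    return hits


if __name__ == "__main__":
    print(repr(as_seen_on_cp1251("sv\u00f1host.exe")))
    for proc, legit in suspicious_process_names(SAMPLE_PROCESSES, SYSTEM_BINARIES):
        print(f"{proc!r} imitates {legit}")
```

The first check alone would miss the Latin-1 case (ñ is not a confusable of c), which is why the second, length-and-one-difference rule is applied to any non-ASCII process name; plain ASCII names never trip it, so the genuine svchost.exe is not reported.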

CoolWebSearch/InternetMgr: a backdoor trojan operated by the awm-dream.com group. Hijacks the homepage to find-on-the-net.com, then opens two ports listening for remote commands, and calls its owner servers at sc-cash.com or greatdialer.com to inform them of the available zombie. Stored as internetmgr.exe and internetdef.dll in the System32 folder, but uses Windows hooks to hide these files (and any file beginning with ‘internet’ in lower-case, anywhere on the filesystem) from Windows applications including the file explorer, and to hide the running internetmgr.exe process from process listing programs such as the Task Manager. Also crashes some debugging applications such as HijackThis and ProcessExplorer.

CoolWebSearch/DownCom: an Internet Explorer Browser Helper Object (BHO) named ipreg32.dll, downloaded from qck.cc. Acts as a backdoor to load other parasites. The distribution files are digitally signed by an ‘IMPRO CORPORATION’; this is not improcorp.com, but an impostor under impro.cc.

CoolWebSearch/WinProtect: a background process that periodically appears in the system tray and pops up a warning balloon about spyware. If clicked, this opens a Windows Help file that redirects to winprotect.net, where altered versions of Microsoft’s spyware pages advertise rogue anti-spyware products.

Also known as

CoolWWWSearch, CWS.

The InetDoor variant is identified as Win32.Holax.A by eTrust anti-virus, the exploit that installs it as Virus.Win32.Implinker.a by Kaspersky anti-virus.

Distribution

Installed by exploitation of web browser security holes. A wide variety of exploits have been used, mostly of well-known long-unpatched bugs in the Microsoft Java VM and Internet Explorer, but also since November 2004 one bug in the Sun Java VM.

What it does

Advertising

Yes. In DataNotary and BootConf variants, the script embedded in the style sheet may open mostly porn pop-ups if it thinks the page being viewed is porn-related.

The MSSPI variant will pop up ad links in a window after every few pages viewed on a targeted search engine.

In the XPlugin variant, links are rewritten to point to promotional pages at what appears to be lender-search.com or hot-searches.com; however, a Hosts file hijacker is used to redirect these domains to 82.179.166.164 and .165. (The Hosts file is also moved to a folder called ‘nsdb’ in the Windows folder.) The pages you end up at when following a hijacked link may come from buysearch.cc, home-search.cc, search-space.cc, best-search.cc, my-search.cc or search-network.cc.

The DOMPeek variant opens pop-up adverts from locator.cc when targeted keywords are seen in the URL being browsed.

Privacy violation

Yes, in the svnhost variant. Leaks system information and passwords from the infected computer to pinch2po@mail.ru.

Security issues

Yes, in the BootConf variant. Adding coolwebsearch.com to IE’s Trusted Sites Zone means pages there are allowed to download and install any code they like.

Yes, in the XPlugin variant. Can silently download and execute arbitrary code from its controlling server 82.179.166.162.

Yes, in the DOMPeek variant. Can silently download and execute arbitrary code from its controlling server 69.50.188.34.

Yes, in the InetDoor variant. Can silently download and execute arbitrary code from its controlling server crdrcr.com.

Yes, in the mshelp, svnhost and InternetMgr variants. Can be silently remotely controlled.

Yes, in the DownCom variant. Can silently download and execute arbitrary code from its controlling server www.iehelp.net.

Yes, in the msbho variant. Can silently download and execute arbitrary code from its controlling server 69.50.190.131.

Stability problems

The DataNotary, BootConf and MSInfo variants may cause significant slowdown when typing in a browser window on some systems. The SvcHost variant also prevents you from reaching Google or the search services of MSN or Yahoo completely.

Removal

Merijn Bellekom and Intermute supply a tool called CWShredder which can remove many CoolWebSearch variants.

The DOMPeek variant may supply an entry for ‘Search Assistant Utility’ in the Control Panel’s Add/Remove Programs list. This should remove most of the software, but leaves the entry itself and the search page settings intact (see ‘All variants’ below).

The InetDoor variant adds an entry for ‘InetDoor’ in the Control Panel’s Add/Remove Programs list, but it does not work. Some anti-virus programs can remove CoolWebSearch/InetDoor properly, but any naïve anti-parasite program that simply deletes the main files will leave the infected applications broken. See below for a workaround.

Manual removal

DataNotary, BootConf, MSInfo variants

For these variants, start by opening Tools->Internet Options->Accessibility and make sure the ‘user style sheet’ option is turned off.

You should then be able to delete the user stylesheet from the Windows folder. With DataNotary it is called ‘default.css’; with MSInfo it is called ‘oslogo.bmp’; with Bootconf it may be either.

MSInfo variant only

Next, open the file ‘win.ini’ from the Windows folder in a text editor. Delete the line “run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe” and save. (This line may change a little on different systems, but will always point to msinfo.exe.) Open the ‘Common Files’ folder inside ‘Program Files’, and delete the ‘MSInfo’ folder directly inside here (not the one in the ‘Microsoft Shared’ folder, which is a valid system folder).

BootConf, SvcHost variants

Next, open the registry (Start->Run->regedit), find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and delete the bootconf.exe or svchost.exe entry. You can then delete the bootconf.exe or svchost32.exe file from the System folder (which is inside the Windows folder, and called ‘System32’ on Windows NT/2000/XP). Take care not to delete the genuine svchost.exe in the System32 folder on Windows NT/2000/XP: that is a core system file, has no entry in the Run key, and is not the file this variant installs.

BootConf, SvcHost, MSInfo variants

From the System folder, open the drivers->etc folders and find the file named ‘HOSTS’, with no extension. Either edit it to remove the hijacker entries, or simply delete the file.
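Worked example (added by the editor; not code from the original entry or from any CWS tool) covering the Hosts-file tricks described under the BootConf, SvcHost and XPlugin variants: a parser that distinguishes the SvcHost-style sinkholing of search engines to 127.0.0.1 from the XPlugin/BootConf-style redirection to an attacker's address, and a cleaner that removes only the hijacked lines. The sample Hosts file and the watched-label list are constructed for the example. On a live system the file is normally %SystemRoot%\System32\drivers\etc\hosts, but check the DataBasePath registry value first, since the XPlugin variant moves it.

```python
import ipaddress
import re

# Labels of the sites the CWS variants above are known to redirect. An
# assumption for the example; extend with the search, AV and update sites
# that matter to you.
WATCHED_LABELS = {"google", "yahoo", "msn", "lender-search", "hot-searches"}

# Constructed sample Hosts file (not a real capture): SvcHost-style
# sinkholing to 127.0.0.1, XPlugin-style redirects to 82.179.166.x, and two
# legitimate lines that must survive cleaning.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.google.com
127.0.0.1       www.google.co.uk  google.co.uk
127.0.0.1       search.yahoo.com
127.0.0.1       search.msn.com
82.179.166.164  lender-search.com
82.179.166.165  hot-searches.com
192.168.1.10    intranet.example   # legitimate local entry
"""

HOST_LINE = re.compile(r"^\s*(\S+)\s+([^#]+?)\s*(?:#.*)?$")


def parse_hosts(text):
    """Yield (lineno, ip, hostnames) for each entry line; comments, blank
    lines and lines without a valid address are skipped."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = HOST_LINE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        yield lineno, ip, m.group(2).split()


def is_watched(host):
    """True if any label of the hostname is a watched label; this also
    catches country versions such as google.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return any(label in WATCHED_LABELS for label in labels)


def find_hijacks(text):
    """Return [(lineno, ip, host, reason)] for entries that override the
    resolution of a watched site. Everything else is left alone."""
    findings = []
    for lineno, ip, hosts in parse_hosts(text):
        for host in hosts:
            if not is_watched(host):
                continue
            if ip.is_loopback:
                reason = "sinkholed to localhost (SvcHost-style error-page hijack)"
            else:
                reason = f"redirected to {ip} (XPlugin/BootConf-style)"
            findings.append((lineno, str(ip), host, reason))
    return findings


def clean_hosts(text):
    """Return the Hosts file with hijacked lines removed and every other line
    (comments, localhost, local entries) preserved verbatim."""
    bad = {lineno for lineno, *_ in find_hijacks(text)}
    kept = [line for n, line in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, ip, host, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip}: {reason}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Deleting the whole file, as the step above allows, is also safe: Windows does not need a Hosts file, and a fresh one contains only the localhost line. The cleaner is for machines that have legitimate local entries worth keeping.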

PnP variant

Open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘SysPnP’ entry, and the ‘oemsyspnp.inf’ file from the ‘inf’ folder (which is inside the Windows folder).

KeyMgr variant

Open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘keymgrldr’ entry, and the ‘keymgr3.inf’ file from the ‘inf’ folder (which is inside the Windows folder).

MSSPI variant

Removing a Layered Service Provider by hand is tricky, and if you get it wrong you will lose your internet connection. If you really want to try, open the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, delete every numbered subkey whose PackedCatalogItem value begins with the path of msspi.dll, renumber the remaining subkeys so that they run contiguously from 000000000001, and set the Num_Catalog_Entries value in the Protocol_Catalog9 key to match the highest numbered subkey left.

Normally it is better to get a program (eg. CWShredder, HijackThis or LSPFix) to remove an LSP for you.

Having done that, open the registry and check the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for an ‘msupdate’ entry; delete it if you find it. Restart the computer and you should be able to delete msspi.dll in the System folder (which is inside the Windows folder, and called ‘System32’ on Windows NT/2000/XP), along with msupdate.exe if you have it.
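Worked example (added by the editor; not code from the original entry or from LSPFix/CWShredder) of the catalog surgery the manual MSSPI procedure above describes, and of the mistake that breaks Winsock. The catalog below is a constructed model of Protocol_Catalog9\Catalog_Entries: each numbered subkey carries a provider DLL path, a CatalogEntryId and a ProtocolChain (a one-entry chain is a base provider; a longer chain layers an LSP over a base provider). On a live system these fields are read from the binary PackedCatalogItem value, whose first NUL-terminated string is the DLL path. Ids and paths are illustrative.

```python
# Constructed model of HKLM\System\CurrentControlSet\Services\WinSock2\
# Parameters\Protocol_Catalog9\Catalog_Entries:
#   key name -> (provider DLL path, CatalogEntryId, ProtocolChain entry ids)
CATALOG = {
    "000000000001": (r"%SystemRoot%\system32\msspi.dll",   1001, [1001]),        # LSP itself
    "000000000002": (r"%SystemRoot%\system32\msspi.dll",   1002, [1001, 1003]),  # LSP over TCP
    "000000000003": (r"%SystemRoot%\system32\mswsock.dll", 1003, [1003]),        # base TCP
    "000000000004": (r"%SystemRoot%\system32\msspi.dll",   1004, [1001, 1005]),  # LSP over UDP
    "000000000005": (r"%SystemRoot%\system32\mswsock.dll", 1005, [1005]),        # base UDP
    "000000000006": (r"%SystemRoot%\system32\rsvpsp.dll",  1006, [1006]),        # unrelated
}


def dangling_chains(catalog):
    """Keys whose ProtocolChain references a CatalogEntryId that no longer
    exists. A non-empty result means Winsock will be broken after reboot."""
    ids = {cid for _, cid, _ in catalog.values()}
    return [key for key, (_, _, chain) in sorted(catalog.items())
            if any(c not in ids for c in chain)]


def remove_lsp(catalog, dll_name):
    """Return (new_catalog, num_catalog_entries, removed_keys).

    Removes every entry whose provider path ends in dll_name, then any chain
    entry still pointing at a removed CatalogEntryId, then renumbers the
    survivors 000000000001..N so Num_Catalog_Entries can be set to N.
    CatalogEntryIds are left untouched; only the subkey names change."""
    dll = "\\" + dll_name.lower()
    removed_ids = {cid for path, cid, _ in catalog.values()
                   if path.lower().endswith(dll)}
    survivors, removed_keys = [], []
    for key in sorted(catalog):
        path, cid, chain = catalog[key]
        if cid in removed_ids or any(c in removed_ids for c in chain):
            removed_keys.append(key)
        else:
            survivors.append((path, cid, chain))
    new_catalog = {f"{i:012d}": entry for i, entry in enumerate(survivors, 1)}
    return new_catalog, len(new_catalog), removed_keys


if __name__ == "__main__":
    new, num, gone = remove_lsp(CATALOG, "msspi.dll")
    print("removed subkeys:", gone)
    print("Num_Catalog_Entries =", num)
    for key, (path, cid, chain) in new.items():
        print(key, cid, chain, path)
    print("dangling after removal:", dangling_chains(new))
```

Deleting only the LSP's own entry (subkey 000000000001 here) and leaving the layered chain entries behind is the classic way to lose connectivity: the chains then reference an id that no longer exists, which dangling_chains reports. On Windows XP SP2 and later, netsh winsock reset rebuilds the catalog from defaults and is the safer option.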

DNSRelay variant

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u dnsrelay.dll

Restart and you should be able to delete the file ‘dnsrelay.dll’ in the System folder (which is inside the Windows folder, and called ‘System32’ on Windows NT/2000/XP).

ASTCtl variant

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u astctl32.dll

Restart and you should be able to delete the file ‘astctl32.dll’ in the System folder (which is inside the Windows folder, and called ‘System32’ on Windows NT/2000/XP).

WinUpd variant

Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the entry on the right called ‘winupd’ pointing to winupd.exe. Restart the computer and you should be able to delete the file winupd.exe from the System32 folder (inside the Windows folder; called just ‘System’ on Windows 95/98/Me).

XPlugin variant

Open a command prompt window (from Start->Programs->Accessories; called DOS Prompt under Windows 95/98/Me) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u xplugin.dll

For Windows NT/2000/XP/2003, open the registry and select the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. Right-click the ‘DataBasePath’ entry on the right and choose ‘Delete’. Then right-click again to create a ‘New’ ‘String Value’. Call it ‘DataBasePath’, then double-click it to edit. Set the value to ‘%SystemRoot%\System32\drivers\etc’.

Restart the machine and you should be able to delete the files ‘xplugin.dll’, ‘tksrv99.exe’ and ‘tmksrvu.exe’ from the System32 folder (inside the Windows folder; called just System on Windows 95/98/Me). tmksrvu is likely to be hidden, so make sure your Folder Options are set to ‘Show hidden files and folders’.

If you use a web proxy, you should also open Internet Options->Connections and remove the domains lender-search.com and hot-searches.com from the ‘Exceptions’ list for each internet connection.

BlankFilter variant

Open a Command Prompt window (from Start->Programs->Accessories; called DOS Prompt under Windows 95/98/Me) and enter the following commands, for when the filename used is madopew.dll:

cd "%WinDir%\System"
regsvr32 /u "..\madopew.dll"

Or, for mindep.dll:

cd "%WinDir%\System"
regsvr32 /u "..\mindep.dll"

Or, for openwin.dll:

cd "%WinDir%\System"
regsvr32 /u "..\openwin.dll"

You should get an error message, but the software should be stopped nonetheless. Reboot the computer and you should be able to delete the relevant file from the Windows folder.

ResFilter, RndFilter variants

Open the registry (click ‘Start’, choose ‘Run’, then enter the command ‘regedit’) and select the key HKEY_CLASSES_ROOT\Protocols\Filter\text/plain. Note down the value given in the ‘CLSID’ entry on the right, then delete the text/plain and text/html subkeys.

Open the HKEY_CLASSES_ROOT\CLSID key and its subkey with the same number as above. Select the InprocServer32 key and note down the (Default) value given on the right. This is the filter filename. For the ResFilter variant this might be protect32.dll, mcicdb.dll or cdae.dll; for the RndFilter variant it will be completely random. Now delete the long number subkey you selected.

Select the My Computer root at the top of the registry and press ctrl-F to open the search box. Search the registry for the filter filename you found above. You should find one more subkey of HKEY_CLASSES_ROOT\CLSID whose InprocServer32 corresponds to the same file. Again, note down the long number, then delete the numbered subkey.

Finally, open the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects. Find the last number in the list of subkeys and delete it.

Reboot the computer and you should be able to delete the file whose name you found above from the System32 folder (inside the Windows folder; called just ‘System’ under Windows 95/98/Me).

msbho variant

Open the registry (click ‘Start’, choose ‘Run’, then enter the command ‘regedit’) and open the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects. For each {long-hex-number} subkey, open the subkey of the same name inside the key HKEY_CLASSES_ROOT\CLSID, and select the InprocServer32 subkey. On the right, check the filename pointed to by the ‘(Default)’ entry; for one of the class IDs, the filename will be msXXX.dll.

Open a Command Prompt window (from the Accessories submenu in [All] Programs on the Start menu) and enter the following commands:

cd %WinDir%\System
regsvr32 /u msXXX.dll

replacing msXXX.dll with the filename you found in the InprocServer32 key. Restart the computer and you should be able to delete this file from the System32 folder (inside the Windows folder; called just ‘System’ on Windows 95/98/Me).

Open the registry and select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. On the right, delete the entry sp2chk.exe pointing to the file sp2chk.exe. Restart the computer and two files should become visible in the System32 folder, sp2chk.exe and hdXXX.dll (where XXX is another three random lower-case letters). Delete these files. You can also delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\hdXXX and the entries emanger, emanelif and emandislc inside the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion to clean up.

To remove the Trusted Site backdoor, open the Control Panel’s Internet Options and, on the Security tab, choose Trusted Sites Zone and click the Sites button. Remove the entry http://*.63.219.181.7/ from the sites list. To remove the DNS hijack, open the Control Panel’s Network Connections list, and open the Properties of each connection in turn. Select Internet Protocol (TCP/IP) and click Properties. Set the addresses of your usual DNS servers to replace the hijack. Unfortunately the hijacker does not save the original addresses. If you don’t know what they should be, try using ‘Obtain DNS server address automatically’ which will work for many typical internet providers. If you have a router try using its IP address.
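Worked example (added by the editor; not code from the original entry or from HijackThis) of the registry walk used by the ResFilter/RndFilter and msbho procedures above: MIME filter (text/html, text/plain) -> CLSID -> InprocServer32 -> DLL, then the search for other CLSIDs served by the same DLL, then the Browser Helper Objects list. It runs over a constructed snapshot of the relevant keys (placeholder GUIDs, not real identifiers); on a live system, fill the same dictionary from winreg or a ‘reg export’ of the three keys. The filename pattern is a triage heuristic taken from the variant names on this page and will produce false positives, so treat its output as a list of things to look at, not things to delete.

```python
import re

BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
FILTER_KEY = r"HKCR\Protocols\Filter"

# Constructed registry snapshot (not real data; GUIDs are placeholders):
# flat map of key path -> {value name: data}, "" being the (Default) value.
REG = {
    FILTER_KEY + r"\text/html":
        {"CLSID": "{0000AAAA-0000-0000-0000-000000000001}"},
    FILTER_KEY + r"\text/plain":
        {"CLSID": "{0000AAAA-0000-0000-0000-000000000001}"},
    FILTER_KEY + r"\application/octet-stream":
        {"CLSID": "{0000BBBB-0000-0000-0000-000000000002}"},
    # the filter's CLSID and a second CLSID (the BHO) served by the same DLL
    r"HKCR\CLSID\{0000AAAA-0000-0000-0000-000000000001}\InprocServer32":
        {"": r"C:\WINDOWS\System32\mcicdb.dll", "ThreadingModel": "Apartment"},
    r"HKCR\CLSID\{0000AAAA-0000-0000-0000-000000000003}\InprocServer32":
        {"": r"C:\WINDOWS\System32\mcicdb.dll", "ThreadingModel": "Apartment"},
    r"HKCR\CLSID\{0000BBBB-0000-0000-0000-000000000002}\InprocServer32":
        {"": r"C:\WINDOWS\System32\urlmon.dll"},
    r"HKCR\CLSID\{0000CCCC-0000-0000-0000-000000000004}\InprocServer32":
        {"": r"C:\WINDOWS\System32\msqwe.dll"},          # msbho-style msXXX.dll
    r"HKCR\CLSID\{0000DDDD-0000-0000-0000-000000000005}\InprocServer32":
        {"": r"C:\Program Files\Adobe\Acrobat\AcroIEHelper.dll"},
    BHO_KEY + r"\{0000AAAA-0000-0000-0000-000000000003}": {},
    BHO_KEY + r"\{0000CCCC-0000-0000-0000-000000000004}": {},
    BHO_KEY + r"\{0000DDDD-0000-0000-0000-000000000005}": {},
}

# Filename patterns from the variants on this page (msbho, InetDoor, DOMPeek,
# DownCom). An assumption for the example, and only a triage heuristic.
SUSPECT_NAME = re.compile(r"^(ms[a-z]{3}|ms[0-9a-f]{6}|dpe|ipreg32)\.dll$", re.I)


def subkeys(reg, parent):
    """Immediate subkey names of parent in the snapshot."""
    prefix = parent.rstrip("\\") + "\\"
    return sorted({k[len(prefix):].split("\\")[0] for k in reg if k.startswith(prefix)})


def inproc_server(reg, clsid):
    """(Default) value of the CLSID's InprocServer32 key, or None."""
    return reg.get("HKCR\\CLSID\\" + clsid + "\\InprocServer32", {}).get("")


def clsids_for_dll(reg, dll_path):
    """Every CLSID served by the given DLL (the manual ctrl-F search step)."""
    want = dll_path.lower()
    return [c for c in subkeys(reg, r"HKCR\CLSID")
            if (inproc_server(reg, c) or "").lower() == want]


def mime_filters(reg):
    """{mime type: (clsid, dll)} for every registered MIME filter."""
    out = {}
    for mime in subkeys(reg, FILTER_KEY):
        clsid = reg.get(FILTER_KEY + "\\" + mime, {}).get("CLSID")
        out[mime] = (clsid, inproc_server(reg, clsid) if clsid else None)
    return out


def bhos(reg):
    """[(clsid, dll)] for every registered Browser Helper Object."""
    return [(c, inproc_server(reg, c)) for c in subkeys(reg, BHO_KEY)]


def triage(reg):
    """Return findings as (kind, clsid, dll, reason). Filters on text/html or
    text/plain are unusual on a clean machine; a BHO sharing its DLL with such
    a filter, or whose DLL name matches SUSPECT_NAME, is flagged for review."""
    findings, filter_dlls = [], set()
    for mime, (clsid, dll) in mime_filters(reg).items():
        if mime in ("text/html", "text/plain"):
            findings.append(("filter", clsid, dll, f"MIME filter on {mime}"))
            if dll:
                filter_dlls.add(dll.lower())
    for clsid, dll in bhos(reg):
        if dll is None:
            findings.append(("bho", clsid, None, "BHO CLSID has no InprocServer32"))
        elif dll.lower() in filter_dlls:
            findings.append(("bho", clsid, dll, "same DLL as a text filter"))
        elif SUSPECT_NAME.match(dll.rsplit("\\", 1)[-1]):
            findings.append(("bho", clsid, dll, "filename matches a CWS pattern"))
    return findings


if __name__ == "__main__":
    for kind, clsid, dll, reason in triage(REG):
        print(f"{kind:6} {clsid} {dll}: {reason}")
```

The "same DLL as a text filter" rule is the one that matters for ResFilter/RndFilter, whose filenames are random: it needs no name list, only the fact that one DLL is registered both as a filter and as a BHO.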

DOMPeek variant

Open the Task Manager (press ctrl-alt-delete). On the ‘Processes’ list, select ‘MSMSGSVC.exe’ and click ‘End process’.

Next, open a command prompt window (from Start->Programs->Accessories; called DOS Prompt under Windows 95/98/Me) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "..\dpe.dll"

Restart the computer and you should be able to delete the dpe.dll and msmsgsui.exe files in the Windows folder, along with MSMSGSVC.exe in the System folder (inside the Windows folder, called System32 in Windows NT/2000/XP/2003).

InetDoor variant

Unless you have an anti-virus program that specifically knows how to remove the import table entries from startup programs affected by InetDoor, removal is difficult. You can delete the file, but then any of the affected programs will refuse to run.

A short term workaround is to replace the InetDoor DLL with a dummy version that does nothing. You can then uninstall and reinstall each program with a component set to run on startup.

To do this, download InetDummy.dll and restart the computer in Safe Mode. To get the menu for Safe Mode, press F8 just as Windows starts to boot — on the NT boot loader menu if you have one, else just hammer it as the computer starts up.

Open the System32 folder (inside the Windows folder; called just ‘System’ on Windows 95/98/Me) and find the InetDoor file. It will be called msNNNNNN.dll, where NNNNNN is a six-digit hexadecimal number. There will also be .cfg and .da0 files with the same name.

Rename msNNNNNN.dll to msNNNNNN.bak, then drop the InetDummy.dll file into this folder and rename it msNNNNNN.dll (the same name as the original DLL). Reboot the computer and if all goes well you can delete msNNNNNN.bak, .cfg and .da0.

mshelp variant

Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. On the right, delete the entry ‘mshelp32’ or ‘Microsoft Help System’ pointing at mshelp32.exe.

Restart the computer and you should be able to delete the file mshelp32.exe inside the System32 folder (inside the Windows folder; called just ‘System’ under Windows 95/98/Me).

svnhost variant

Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad. On the right, delete the entry ‘System’ pointing at dx90vb.dll. You can also delete the key HKEY_CLASSES_ROOT\CLSID\{AC1ED322-946E-478A-8FF2-55EE5A0861CD}.

Restart the computer and you should be able to delete the files dx90vb.dll and svñhost.exe inside the System32 folder (inside the Windows folder; called just ‘System’ under Windows 95/98/Me).

InternetMgr variant

The internetmgr.exe file normally cannot be found in the System32 folder to delete, or in the process list to kill, and it constantly monitors its registry startup entry to stop it being deleted. However, if you open a Command Prompt window (Start->Programs->Accessories), issue the command cd %WinDir%\System32 (or just ‘System’ on Windows 95/98/Me) and then dir internet*, you can see the missing files: the hook does not affect the command prompt's directory listing.

To stop it running, boot the computer in Safe Mode by pressing F8 as Windows begins to run (at the boot menu if you have one, otherwise just hit F8 as the computer boots up) and choosing Safe Mode from the menu.

You can then delete the internetmgr.exe and internetdef.dll files from the System32 folder (inside the Windows folder; just ‘System’ on Windows 95/98/Me), and remove the startup entry by opening the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’), selecting the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and, on the right, deleting the entry ‘SystemRequired’ pointing at internetmgr.exe.

DownCom variant

Open a Command Prompt window (from the Accessories submenu in [All] Programs on the Start menu) and enter the following commands:

cd %WinDir%\System
regsvr32 /u "..\Downloaded Program Files\ipreg32.dll"

Restart the computer, open the Downloaded Program Files folder (inside the Windows folder) and remove the ‘CDownCom Class’ entry.

WinProtect variant

Restart the computer and delete the file winmsdc.exe from the System32 folder (inside the Windows folder; called just ‘System’ on Windows 95/98/Me). You can also delete balloon.wav from the Windows folder.

All variants

After having removed the software, use Internet Options->Programs->Reset Web Settings to remove the bogus home page and search settings.
