Description:
Threat Type: Adware
Systems Affected: Windows 95, 98, ME, NT, 2000, XP
This adware program can be downloaded from a certain Web site. It displays advertising banners and contains spyware functionality that lets it determine which advertisements to display, based on the user's preferences.
Solution:
TREND MICRO SOLUTION
- Minimum scan engine version needed: 7.100
- TMAPTN version needed: 224.10
MANUAL REMOVAL INSTRUCTIONS
Restarting in Safe Mode
» On Windows 95
- Restart your computer.
- Press F8 at the Starting Windows 95 message.
- Choose Safe Mode from the Windows 95 Startup Menu then press Enter.
» On Windows 98 and ME
- Restart your computer.
- Press the CTRL key until the startup menu appears.
- Choose the Safe Mode option then press Enter.
» On Windows NT (VGA mode)
- Click Start>Settings>Control Panel.
- Double-click the System icon.
- Click the Startup/Shutdown tab.
- Set the Show List field to 10 seconds and click OK to save this change.
- Shut down and restart your computer.
- Select VGA mode from the startup menu.
» On Windows 2000
- Restart your computer.
- Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
- Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.
» On Windows XP
- Restart your computer.
- Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
- Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
- Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
- In the right panel, locate and delete the entry:
xhrmy = "%Windows%\Xhrmy.exe"
(Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)
Removing Other Malware Registry Entries
- Still in the Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software
- Again in the left panel, right-click the following key(s) and choose Delete:
Xhrmy
- In the left panel, double-click the following:
HKEY_CLASSES_ROOT
- Again in the left panel, right-click the following key(s) and choose Delete:
LinkMaker.LinkMakerFilter
LinkMaker.LinkMakerFilter.1
LinkMaker.LinkTracker
LinkMaker.LinkTracker.1
- In the left panel, double-click the following:
HKEY_CLASSES_ROOT>CLSID
- Again in the left panel, right-click the following key(s) and choose Delete:
{6A6E50DC-BFA8-4B40-AB1B-159E03E829FD}
{DFAA31C8-A356-4313-9D95-5EDAB46C5070}
- In the left panel, double-click the following:
HKEY_CLASSES_ROOT>Interface
- Again in the left panel, right-click the following key(s) and choose Delete:
{43B32A8D-3C3D-4969-B44E-CDCF0D233881}
- In the left panel, double-click the following:
HKEY_CLASSES_ROOT>TypeLib
- Again in the left panel, right-click the following key(s) and choose Delete:
{423550E9-2F83-4678-9929-C1774088B180}
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software
- Again in the left panel, right-click the following key(s) and choose Delete:
LM
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Classes
- Again in the left panel, right-click the following key(s) and choose Delete:
LinkMaker.LinkMakerFilter
LinkMaker.LinkMakerFilter.1
LinkMaker.LinkTracker
LinkMaker.LinkTracker.1
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Classes>CLSID
- Again in the left panel, right-click the following key(s) and choose Delete:
{6A6E50DC-BFA8-4B40-AB1B-159E03E829FD}
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Classes>CLSID
- Again in the left panel, right-click the following key(s) and choose Delete:
{DFAA31C8-A356-4313-9D95-5EDAB46C5070}
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Classes>Interface
- Again in the left panel, right-click the following key(s) and choose Delete:
{43B32A8D-3C3D-4969-B44E-CDCF0D233881}
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Classes>TypeLib
- Again in the left panel, right-click the following key(s) and choose Delete:
{423550E9-2F83-4678-9929-C1774088B180}
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Uninstall
- Again in the left panel, right-click the following key(s) and choose Delete:
HyperLinker
- In the left panel, double-click the following:
HKEY_CLASSES_ROOT>PROTOCOLS>Filter
- Again in the left panel, right-click the following key(s) and choose Delete:
text/html
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Classes>PROTOCOLS>Filter
- Again in the left panel, right-click the following key(s) and choose Delete:
text/html
- Close Registry Editor.
NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.
Additional Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.
Users running other Windows versions can proceed with the succeeding procedure sets.
Running Trend Micro Antivirus
Download the latest spyware pattern file and scan your system. Then, delete all files detected as ADW_HYPLINKER.A.
Details:
Upon execution, this memory-resident adware program drops the following files:
- %Windows%\Xhrmy.exe - adware program responsible for downloading advertisements on the affected system
- %System%\lmdv.bin - data file
- %System%\lmf32v.dll - .DLL file used by the main program
- %System%\PreUninstall.exe - uninstallation program
- %System%\uninst.exe - uninstallation program
- %System%\Uninst.log - event log
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP. %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)
It adds the following registry entry to enable its automatic execution upon Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
xhrmy = "%Windows%\Xhrmy.exe"
It adds the following registry keys as part of its installation process:
HKEY_LOCAL_MACHINE\SOFTWARE\Xhrmy
HKEY_CLASSES_ROOT\LinkMaker.LinkMakerFilter
HKEY_CLASSES_ROOT\LinkMaker.LinkMakerFilter.1
HKEY_CLASSES_ROOT\LinkMaker.LinkTracker
HKEY_CLASSES_ROOT\LinkMaker.LinkTracker.1
HKEY_CLASSES_ROOT\CLSID\{6A6E50DC-BFA8-4B40-AB1B-159E03E829FD}
HKEY_CLASSES_ROOT\CLSID\{DFAA31C8-A356-4313-9D95-5EDAB46C5070}
HKEY_CLASSES_ROOT\Interface\{43B32A8D-3C3D-4969-B44E-CDCF0D233881}
HKEY_CLASSES_ROOT\TypeLib\{423550E9-2F83-4678-9929-C1774088B180}
HKEY_LOCAL_MACHINE\SOFTWARE\LM
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LinkMaker.LinkMakerFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LinkMaker.LinkMakerFilter.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LinkMaker.LinkTracker
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LinkMaker.LinkTracker.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A6E50DC-BFA8-4B40-AB1B-159E03E829FD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DFAA31C8-A356-4313-9D95-5EDAB46C5070}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{43B32A8D-3C3D-4969-B44E-CDCF0D233881}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{423550E9-2F83-4678-9929-C1774088B180}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HyperLinker
It also adds the following registry entries to associate itself with .TXT and .HTML files:
HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
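The manual registry-removal steps in the Solution section and the key list above name the same artifacts. As an added example (not Trend Micro's tooling and not part of the original advisory), the following Python script checks a registry export (.reg file, as produced by Registry Editor's Export command) for those keys and for the xhrmy autostart value, so an analyst can confirm an infection, or verify that the cleanup took, from an offline snapshot rather than by browsing the live registry. The indicator list is copied from the advisory; the sample export embedded at the bottom, including the benign ctfmon.exe Run value and the InprocServer32 subkey pointing at lmf32v.dll, is constructed for the demonstration and is an assumption about what an infected export would contain.

```python
"""Offline check of a Windows registry export (.reg) for the ADW_HYPLINKER.A
registry artifacts listed in the advisory. Added example, not Trend Micro's
tooling: indicators are copied from the advisory; the sample export is constructed."""
import re

# Keys the advisory says the adware creates. HKEY_CLASSES_ROOT is a view of
# HKLM\SOFTWARE\Classes, so the advisory's two spellings name the same keys.
HYPLINKER_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Xhrmy",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\LM",
    r"HKEY_CLASSES_ROOT\LinkMaker.LinkMakerFilter",
    r"HKEY_CLASSES_ROOT\LinkMaker.LinkMakerFilter.1",
    r"HKEY_CLASSES_ROOT\LinkMaker.LinkTracker",
    r"HKEY_CLASSES_ROOT\LinkMaker.LinkTracker.1",
    r"HKEY_CLASSES_ROOT\CLSID\{6A6E50DC-BFA8-4B40-AB1B-159E03E829FD}",
    r"HKEY_CLASSES_ROOT\CLSID\{DFAA31C8-A356-4313-9D95-5EDAB46C5070}",
    r"HKEY_CLASSES_ROOT\Interface\{43B32A8D-3C3D-4969-B44E-CDCF0D233881}",
    r"HKEY_CLASSES_ROOT\TypeLib\{423550E9-2F83-4678-9929-C1774088B180}",
    r"HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HyperLinker",
]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "xhrmy"        # autostart value name from the advisory
DROPPED_EXE = "xhrmy.exe"  # %Windows%\Xhrmy.exe, compared case-insensitively

_SECTION = re.compile(r"^\[(-?)(.+)\]$")                 # [key] or [-key]
_VALUE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')   # "name"=data or @=data
_CLASSES = "hkey_local_machine\\software\\classes\\"


def normalize_key(key):
    """Lower-case a key path and fold HKLM\\SOFTWARE\\Classes\\... onto HKCR\\..."""
    key = key.strip().rstrip("\\").lower()
    return "hkey_classes_root\\" + key[len(_CLASSES):] if key.startswith(_CLASSES) else key


def _decode(raw):
    """Decode one .reg value: "string" (backslash-escaped), dword:hex, or hex:aa,bb,..."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if raw.lower().startswith("hex"):
        return bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
    return raw


def parse_reg(text):
    """Parse REGEDIT4 / 'Windows Registry Editor Version 5.00' text into
    {normalized_key: {value_name: data}}; '' is the (Default) value."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or \
                line.upper().startswith(("REGEDIT4", "WINDOWS REGISTRY EDITOR")):
            continue
        m = _SECTION.match(line)
        if m:  # a leading '-' is a deletion directive and carries no values
            current = None if m.group(1) == "-" else normalize_key(m.group(2))
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            data = m.group(3)
            while data.endswith("\\") and i < len(lines):  # hex data continues
                data = data[:-1] + lines[i].strip()
                i += 1
            name = "" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(2))
            keys[current][name] = _decode(data)
    return keys


def scan(keys):
    """Return sorted findings: advisory keys (or their subkeys) present in the
    export, plus any Run value named xhrmy or pointing at Xhrmy.exe."""
    findings = []
    targets = [normalize_key(k) for k in HYPLINKER_KEYS]
    for key in keys:
        if any(key == t or key.startswith(t + "\\") for t in targets):
            findings.append("key present: " + key)
    for name, data in keys.get(normalize_key(RUN_KEY), {}).items():
        if name.lower() == RUN_VALUE or \
                (isinstance(data, str) and data.lower().endswith("\\" + DROPPED_EXE)):
            findings.append("autostart value: %s = %r" % (name, data))
    return sorted(findings)


# Constructed sample export: a benign Run value, the adware's Run value,
# an adware CLSID with a subkey, and the Xhrmy key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"xhrmy"="C:\\WINDOWS\\Xhrmy.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A6E50DC-BFA8-4B40-AB1B-159E03E829FD}\InprocServer32]
@="C:\\WINDOWS\\System32\\lmf32v.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Xhrmy]
"Installed"=dword:00000001
'''
```

Call `scan(parse_reg(text))` on the decoded export; Registry Editor on Windows 2000 and XP writes exports as UTF-16 with a byte-order mark, while REGEDIT4-format exports are ANSI, so decode the file accordingly before parsing. Because HKEY_CLASSES_ROOT is a view of HKLM\SOFTWARE\Classes, the scanner folds both spellings together, which is also why deleting a key under HKLM\SOFTWARE\Classes removes the matching HKEY_CLASSES_ROOT entry. Subkeys of a listed key (such as a CLSID's InprocServer32) are reported as well, since a leftover subtree means the removal is incomplete.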
Analysis by: Ian Starr Esguerra