Hijacker . CWS.Exploit (Summary)
Software Name: CWS.Exploit
Company Name:
Product Name: CWS.Exploit
Classification: Hijacker
Website:
Brief:
Hijacks browsers homepage and search settings. Installs a toolbar and downloads other executables in the background. **You may need to run a Deep Scan while in Safe Mode.**
IMPORTANT!
Some of the Hijacker.CWS.Exploit components
are listed below. The list is compiled as a reference. The list might
not be complete and it doesn't represent instructions for manual removal.
We DO NOT recommend manual removal. Incorrect removal
of certain software might make your computer unstable or even unusable.
Removal of adware component might affect the related ad-supported software.
If you suspect that you have an unwanted instance of CWS.Exploit
installed on your computer we recommend a free
audit of your system with INAC Anti Spyware.
CWS.Exploit might create following folders (and inject its files inside
the folders):
n/a
CWS.Exploit might create following files (some of the files might be
loaded in memory while the software is running):
- %FAVORITES%\Block Popups.url
- %FAVORITES%\Free Online Dating.url
- %FAVORITES%\Phentermine.url
- %FAVORITES%\Play With Girls.url
- %FAVORITES%\SPYWARE.url
- %FAVORITES%\Viagra.url
- %FAVORITES%\Work at Home.url
- %FAVORITES%\Xanax Online.url
- %FAVORITES%\XXX personal photos.url
- %COMMON_FAVORITES%\Block Popups.url
- %COMMON_FAVORITES%\Free Online Dating.url
- %COMMON_FAVORITES%\Phentermine.url
- %COMMON_FAVORITES%\Play With Girls.url
- %COMMON_FAVORITES%\SPYWARE.url
- %COMMON_FAVORITES%\Viagra.url
- %COMMON_FAVORITES%\Work at Home.url
- %COMMON_FAVORITES%\Xanax Online.url
- %COMMON_FAVORITES%\XXX personal photos.url
- %SYSTEM%\date.dat
- %SYSTEM%\exploit.exe
- %SYSTEM%\iesp1.dll
- %SYSTEM%\menu.txt
- %SYSTEM%\nbtrstat.exe
- %SYSTEM%\netupd32.exe
- %SYSTEM%\od.exe
- %SYSTEM%\protect32.dll
- %SYSTEM%\sethcd.exe
- %SYSTEM%\smbdins.exe
- %SYSTEM%\sprestrst.exe
- %SYSTEM%\tsmsetup.exe
- %SYSTEM%\upncont.exe
- %SYSTEM%\wowdbe.exe
- %SYSTEM%\rdspclips.exe
- %SYSTEM%\run_dos.dll
- %WINDOWS%\system\msthl.dll
- %FAVORITES%\AdultGambling.url
- %FAVORITES%\FUCK Real Girls.url
- %FAVORITES%\Kill Annoying Popups.url
- %FAVORITES%\Online Sex Poker Rooms.url
- %FAVORITES%\Play Adult-Poker.url
- %FAVORITES%\Remove Toolbars.url
- %FAVORITES%\Spyware Uninstall.url
- %COMMON_FAVORITES%\AdultGambling.url
- %COMMON_FAVORITES%\FUCK Real Girls.url
- %COMMON_FAVORITES%\Kill Annoying Popups.url
- %COMMON_FAVORITES%\Online Sex Poker Rooms.url
- %COMMON_FAVORITES%\Play Adult-Poker.url
- %COMMON_FAVORITES%\Remove Toolbars.url
- %COMMON_FAVORITES%\Spyware Uninstall.url
- %system%\sysobj.exe
CWS.Exploit is often accompanied by the following tracking cookies:
n/a
CWS.Exploit might create following registry keys (and inject subkeys
and values):
- HKEY_CLASSES_ROOT\CLSID\{06ABAA2D-34AB-4902-A326-409BD9B9A7A5}
- HKEY_CLASSES_ROOT\CLSID\{49909A9C-4D27-4465-A4C0-D85BE5572032}
- HKEY_CLASSES_ROOT\CLSID\{776A61AE-0B96-441F-A153-89804931596C}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{776A61AE-0B96-441F-A153-89804931596C}
- HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains.219.181.7
- HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\nur
- HKEY_CLASSES_ROOT\CLSID\{ACA7A27F-EDCF-45EC-A0E0-00B844B91289}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ACA7A27F-EDCF-45EC-A0E0-00B844B91289}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\hdjfv
CWS.Exploit might create following registry values:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion|emanger
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion|emandislc
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion|emanelif
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion|emanexe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{06ABAA2D-34AB-4902-A326-409BD9B9A7A5}
- HKEY_USERS\*\Software\Microsoft\Internet Explorer|emandislc
- HKEY_USERS\*\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser|{06ABAA2D-34AB-4902-A326-409BD9B9A7A5}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|sysobj.exe
CWS.Exploit might create registry values with following data:
- HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html|*|{49909A9C-4D27-4465-A4C0-D85BE5572032}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main|*|res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%70%72%6f%74%65%63%74%33%32%2e%64%6c%6c*
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search|*|res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%70%72%6f%74%65%63%74%33%32%2e%64%6c%6c*
- HKEY_USERS\*\Software\Microsoft\Internet Explorer|(default)|http://clearsurfing.net*
- HKEY_USERS\*\Software\Microsoft\Internet Explorer\Main|*|res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%70%72%6f%74%65%63%74%33%32%2e%64%6c%6c*
- HKEY_USERS\*\Software\Microsoft\Internet Explorer\Search|*|res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%70%72%6f%74%65%63%74%33%32%2e%64%6c%6c*
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{39741DD1-2AAF-4FE0-84AA-A52CF5A07DA0}|NameServer|69.50.184.84,195.225.176.37
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E19B8267-57DD-4C51-A3ED-555D71B863FA}|NameServer|69.50.184.84,195.225.176.37
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{39741DD1-2AAF-4FE0-84AA-A52CF5A07DA0}|NameServer|69.50.184.84,195.225.176.37
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E19B8267-57DD-4C51-A3ED-555D71B863FA}|NameServer|69.50.184.84,195.225.176.37
CWS.Exploit might insert following entries in the HOSTS file:
n/a
Click
here to scan your computer for CWS.Exploit free of charge
|
