Behavior
Adware.Affilred.B redirects certain URLs in Internet Explorer to other Web sites.
Note: Users of Windows XP that have Adware.Affilred.B installed on their computers must follow the removal instructions to clean the computer before turning off or restarting it. If this is not done, it will not be possible to log in to the computer again.

Symptoms
The files are detected as Adware.Affilred.B.

Transmission
This adware is installed manually.

Technical Details
When Adware.Affilred.B is executed, it performs the following actions:
1. Copies itself as %System%\comnt32.dll and loads this DLL into Explorer.
Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Creates the following files:
* C:\cab.exe
* C:\winsecure.exe
* %Windir%\msupdate.exe
* %System%\security32.exe
* %System%\iProtect.exe
* %System%\axe.exe
* %System%\memorymanager.pif
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
3. Copies itself to the start menu folder as:
* highspeed-cable.exe
* default.scr
4. Adds the value:
"WinTask" = "c:\wintask.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that the adware runs every time Windows starts.
5. Adds the values:
"Microsoft Cab Manager" = "c:\exec.exe"
"Windows Security Manager" = "c:\winsecure.exe"
"Windows Security Update" = "%Windir%\security32.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the adware runs every time Windows starts.
6. Adds the value:
"Userinit" = "%System%\userinit.exe, %Windir%\iProtect.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
so that the adware runs every time Windows starts.
7. Adds the value:
"Memory Manager" = "%System%\memorymanager.pif"
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
so that the adware runs every time Windows starts.
8. Creates the registry subkeys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{77566C2A-2987-44BC-AC81-A02D19EE271B}
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{C0DADD7E-D3F1-430D-B735-39DC6033592C}
HKEY_CLASSES_ROOT\CLSID\{1BB87441-6B7F-4B60-885C-B7AF9F9AFDE3}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1BB87441-6B7F-4B60-885C-B7AF9F9AFDE3}
9. Registers itself as a service called ASecurity32.
10. Redirects Internet Explorer traffic intended for certain Web sites to the URLs associated with their affiliates.
11. Overwrites the hosts file with entries that point a long list of coupon and online shopping Web sites to 127.0.0.1.

To delete the value from the registry
1. Click Start > Run.
2. Type regedit
Then click OK.
3. Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the values:
"Microsoft Cab Manager" = "c:\exec.exe"
"Windows Security Manager" = "c:\winsecure.exe"
"Windows Security Update" = "%Windir%\security32.exe"
5. Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
6. In the right pane, delete the value:
"WinTask" = "c:\wintask.exe"
7. Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
8. In the right pane, delete the value:
"Userinit" = "%System%\userinit.exe, %Windir%\iProtect.exe"
9. Add the value:
"Userinit" = "%System%\userinit.exe,"
10. Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
11. In the right pane, delete the value:
"Memory Manager" = "%System%\memorymanager.pif"
12. Navigate to and delete the following subkeys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{77566C2A-2987-44BC-AC81-A02D19EE271B}
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{C0DADD7E-D3F1-430D-B735-39DC6033592C}
HKEY_CLASSES_ROOT\CLSID\{1BB87441-6B7F-4B60-885C-B7AF9F9AFDE3}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1BB87441-6B7F-4B60-885C-B7AF9F9AFDE3}
13. Exit the Registry Editor.
To restart the computer in Safe mode or VGA mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.
* For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."
* For Windows NT 4 users, restart the computer in VGA mode.
To manually edit the Hosts file and remove all the entries that the adware added
Note: The location of the Hosts file may vary, and some computers may not have this file. For example, if the file exists in Windows 98, it is usually in C:\Windows; in Windows 2000 it is in the C:\WINNT\system32\drivers\etc folder. There may also be multiple copies of this file in different locations.
Follow the instructions for your operating system:
* Windows 95/98/Me/NT/2000
1. Click Start, point to Find or Search, and then click Files or Folders.
2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
3. In the "Named" or "Search for..." box, type:
hosts
4. Click Find Now or Search Now.
5. For each Hosts file that you find, right-click the file, and then click Open With.
6. Deselect the "Always use this program to open this program" check box.
7. Scroll through the list of programs and double-click Notepad.
8. When the file opens, delete all the entries in step eleven of the "Technical Details" section.
9. Close Notepad and save your changes when prompted.
* Windows XP
1. Click Start > Search.
2. Click All files and folders.
3. In the "All or part of the file name" box, type:
hosts
4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
5. Click More advanced options.
6. Check Search system folders.
7. Check Search subfolders.
8. Click Search.
9. Click Find Now or Search Now.
10. For each Hosts file that you find, right-click the file, and then click Open With.
11. Deselect the "Always use this program to open this program" check box.
12. Scroll through the list of programs and double-click Notepad.
13. When the file opens, delete all the entries in step eleven of the "Technical Details" section.
14. Close Notepad and save your changes when prompted.
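The two manual edits above (restoring the Winlogon Userinit value and cleaning the Hosts file) are the ones that are easy to get wrong, so here is an added example, not part of the original writeup, with Python helpers that report hosts entries pinned to loopback and any program other than userinit.exe in a Userinit value. The hosts text and the .test hostnames are constructed samples, not indicators from the page.

```python
"""Added example: audit the two Adware.Affilred.B traces that need manual cleanup."""

# Addresses that send a hostname nowhere (loopback / blackhole).
BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately point at loopback in a stock hosts file.
STOCK_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed hosts file: the lone "127.0.0.1" line mirrors the stray
# address the adware writes; the .test names stand in for affiliate sites.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1
127.0.0.1 www.coupons-example.test
127.0.0.1 www.deals-example.test   # pinned to loopback by the adware
93.184.216.34 www.example.com
"""


def hosts_loopback_hijacks(hosts_text):
    """Return hostnames the hosts file pins to a blackhole address,
    ignoring comments, blank lines and the stock localhost entries."""
    hijacked = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        addr, *names = line.split()           # a bare address has no names
        if addr in BLACKHOLE_ADDRS:
            hijacked += [n.lower() for n in names
                         if n.lower() not in STOCK_LOOPBACK_NAMES]
    return hijacked


def userinit_extra_programs(value):
    """Split a Winlogon Userinit value on commas and return every program
    other than userinit.exe. A clean value is "%System%\\userinit.exe," with
    nothing after the comma; removing userinit.exe itself breaks logon."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry and entry.lower().rsplit("\\", 1)[-1] != "userinit.exe":
            extras.append(entry)
    return extras


if __name__ == "__main__":
    print(hosts_loopback_hijacks(SAMPLE_HOSTS))
    print(userinit_extra_programs(r"%System%\userinit.exe, %Windir%\iProtect.exe"))
```

A Userinit value that returns a non-empty list still needs the extra program removed and the trailing comma kept before the machine is restarted.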