Variant 19: CWS.Alfasearch - Child's Play
Approx date first sighted: November 5, 2003
Symptoms: IE pages changed to alfa-search.com, possibly porn sites being redirected to 184.108.40.206 (alfa-search.com), error message about a 'runtime error' at startup, 4 porn bookmarks added to favorites (one possible child porn).
Manual removal difficulty: Involves a little Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alfa-search.com/search.html|
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alfa-search.com/home.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alfa-search.com/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.alfa-search.com/search.html
O4 - Global Startup: MSupdate.exe
Possibly the simplest CWS variant since CWS.Datanotary, this hijack only does the basics: it changes your IE homepage and search pages, adds porn bookmarks, and pops up a bogus error message at startup.
Deleting MSupdate.exe from the All Users Startup group, deleting the porn bookmarks and resetting the IE homepage and search pages fixed the hijack.
The MSupdate.exe file is capable of installing a hosts file hijack as well, but doesn't seem to do this.
A mutation of this variant exists that hijacks IE to www.find-itnow.com, drops 7 porn bookmarks in the IE Favorites, and causes error messages concerning 'Win Min' at system shutdown, as well as bogus runtime errors at system startup. It drops a fake Winlogon.exe file in the 'All Users' Startup group of the Start Menu, or in the Startup group of the current user. Because the file is always running, it is hard to remove: if CWShredder repeatedly reports removing this variant, it is failing to delete winlogon.exe. To remove this file manually, move it out of the Startup folder, restart, and then delete the file.
A mutation of this variant exists that hijacks IE to www.alfa-search.com, and reinstalls by running an encrypted VBS script from three places in the Registry, named rundll32.vbe, using the name Windows Security Assistant. It also installs a custom stylesheet named readme.txt in the Windows system folder, drops 9 porn bookmarks in the IE Favorites and 6 on the desktop, and installs a hosts file hijack of 8 major search engines and one porn site to 220.127.116.11 (alfa-search.com).
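As an added example (not part of the original CWS chronicle or of CWShredder), a small Python checker that flags the identifying HijackThis lines listed above and the hosts-file hijack of the last mutation. The sample log and hosts lines are constructed, and 192.0.2.1 is a documentation placeholder standing in for the real redirect address.

```python
import re

# Constructed sample log: the R0/R1/O4 lines listed for this variant plus two benign ones.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://www.alfa-search.com/search.html|
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.alfa-search.com/home.html
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O4 - Global Startup: MSupdate.exe
O4 - HKLM\\..\\Run: [Example] C:\\Program Files\\Example\\example.exe
"""

# Constructed sample hosts file: two search engines pinned to one non-local address, as the
# mutation's hosts-file hijack does, plus the normal localhost entry. 192.0.2.1 is a placeholder.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
192.0.2.1 www.google.com
192.0.2.1 www.yahoo.com
"""

HIJACK_DOMAINS = ("alfa-search.com", "find-itnow.com")
# winlogon.exe is legitimate in the system folder; in a Startup group it is the fake one.
STARTUP_NAMES = {"msupdate.exe", "winlogon.exe"}

LINE_RE = re.compile(r"^(R[0-3]|O4) - (.*)$")
HOST_RE = re.compile(r"https?://([^/\s|]+)", re.I)

def flag_hjt_lines(log):
    """Return HijackThis lines whose URL host is a hijack domain or whose Startup item matches."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.groups()
        if kind.startswith("R"):
            hosts = [h.lower() for h in HOST_RE.findall(body)]
            if any(h == d or h.endswith("." + d) for h in hosts for d in HIJACK_DOMAINS):
                hits.append(line)
        elif ":" in body:
            location, item = body.split(":", 1)
            if "startup" in location.lower():
                name = item.strip().replace("\\", "/").rsplit("/", 1)[-1].lower()
                if name in STARTUP_NAMES:
                    hits.append(line)
    return hits

def find_hosts_hijack(hosts_text):
    """Return {ip: [names]} for hosts entries that point a name anywhere other than loopback."""
    redirects = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip not in ("127.0.0.1", "::1"):
            redirects.setdefault(ip, []).extend(names)
    return redirects
```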