Adware.BetterInternet

Type:  Adware
Discovered:  01.01.1970
Updated:  13.02.2007
Affected systems:  Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
AV Vendor:  Symantec

Description:

Depending on the version of the adware, Adware.BetterInternet performs some of the following actions when it is executed:
  • Creates some of the following files:

    • %CurrentFolder%\Belt.ini
    • %CurrentFolder%\Belt.inf
    • %CurrentFolder%\Susp.ini
    • %CurrentFolder%\Susp.in
    • %CurrentFolder%\BTGrab.inf
    • %Temp%\bho_prob.exe
    • %Temp%\bik.inf
    • %Temp%\bi.dll
    • %Temp%\bik.cab
    • %Temp%\biprep.exe
    • %Temp%\dummy.htm
    • %Temp%\morphrec.exe
    • %Temp%\thnall1s.exe
    • %Temp%\DrTemp\ceres.cab
    • %Temp%\DrTemp\ceres.dll
    • %Temp%\DrTemp\ceres.inf
    • %Temp%\DrTemp\thnall1b.exe
    • %Temp%\DrTemp\thnall1p.exe
    • %Temp%\DrTemp\thnall2r.exe
    • %Temp%\DrTemp\polall1b.exe
    • %Temp%\THI[????].tmp\adrmimg.cab
    • %Temp%\THI[????].tmp\imGiant.cab
    • %Temp%\THI[????].tmp\adrmimg.inf
    • %Temp%\THI[????].tmp\imgiant.inf
    • %Temp%\THI[????].tmp\IMGUninst.exe
    • %Temp%\THI[????].tmp\imGiant.dll
    • %System%\ezxiiyv.exe
    • %System%\bdle4012.exe
    • %System%\bik.exe
    • %System%\imgiant.dll
    • %System%\ln_reco.exe
    • %System%\laziqn.exe
    • %System%\nnmzoq.exe
    • %System%\randreco.exe
    • %System%\susp_reco.exe
    • %System%\stmtreco.exe
    • %System%\xxvyaj.exe
    • %System%\wbtvsffd.exe
    • %Windir%\banner.dll
    • %Windir%\Bi.dll
    • %Windir%\Biprep.exe
    • %Windir%\BTGrab.dll
    • %Windir%\Buddy.exe
    • %Windir%\ceres.dll
    • %Windir%\dlmax.dll
    • %Windir%\farmmext.exe
    • %Windir%\imgiant.dll
    • %Windir%\morphacl.dll
    • %Windir%\Mxtarget.dll
    • %Windir%\Pynix.dll
    • %Windir%\speer2.dll
    • %Windir%\speeryox.dll
    • %Windir%\VoiceIP.dll
    • %Windir%\zserv.dll
    • %Windir%\BBIIEHPL.ini
    • %Windir%\BIILJLLM.ini
    • %Windir%\BICJNF.ini
    • %Windir%\CCEJHONM.ini
    • %Windir%\FCIJLFMN.ini
    • %Windir%\FFGDEGOJ.ini
    • %Windir%\IDDJHJM.ini
    • %Windir%\morphstb.ini
    • %Windir%\abiuninst.htm
    • %Windir%\IMGUninst.exe
    • %Windir%\DrUninst.exe
    • %Windir%\inf\adrmcer.inf
    • %Windir%\inf\adrmimg.inf
    • %Windir%\inf\bik.inf
    • %Windir%\inf\ceres.inf
    • %Windir%\inf\farmmext.inf
    • %Windir%\farmmext.ini
    • %Windir%\inf\imgiant.inf
    • %Windir%\inf\morphstb.inf
    • %Windir%\inf\payload.inf
    • %Windir%\inf\payload2.inf
    • %Windir%\inf\Pynix.inf
    • %Windir%\inf\Pynix.pnf
    • %Windir%\inf\sprnopol.inf
    • %Windir%\inf\topmins2.inf
    • %Windir%\Wininit.ini
    • %Windir%\inf\zserv.inf
    • %Windir%\LastGood\BICJNF.ini
    • %Windir%\LastGood\INF\adrmimg.inf
    • %Windir%\LastGood\INF\adrmimg.PNF
    • %Windir%\LastGood\INF\bik.inf
    • %Windir%\LastGood\INF\bik.pnf
    • %Windir%\LastGood\INF\ceres.inf
    • %Windir%\LastGood\INF\ceres.pnf
    • %Windir%\LastGood\farmmext.ini
    • %Windir%\LastGood\INF\farmmext.inf
    • %Windir%\LastGood\INF\farmmext.pnf
    • %Windir%\LastGood\INF\imgiant.inf
    • %Windir%\LastGood\INF\imgiant.PNF
    • %Windir%\LastGood\INF\morphstb.PNF
    • %Windir%\LastGood\INF\morphstb.inf
    • %Windir%\LastGood\INF\payload.PNF
    • %Windir%\LastGood\INF\payload.inf
    • %Windir%\LastGood\INF\Pynix.inf
    • %Windir%\LastGood\INF\Pynix.PNF
    • %Windir%\LastGood\INF\zserv.inf
    • %Windir%\LastGood\INF\zserv.pnf
    • %Windir%\LastGood\DrUninst.exe
    • %Windir%\Downloaded Program Files\thin.inf
    • %Windir%\LastGood\Downloaded Program Files\thin.inf
    • XXVYAJ.exe

      Notes:
    • %CommonProgramFiles% is a variable that refers to the Common Files folder. By default, this is C:\Program Files\Common Files.
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
    • %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
    • [????] is a variable that refers to a random sequence of characters which make up part of the folder name.

  • Attempts to create some of the following registry keys:

    HKEY_CLASSES_ROOT\CLSID\{00000000-59D4-4008-9058-080011001200}
    HKEY_CLASSES_ROOT\CLSID\{00000000-C1EC-0345-6EC2-4D0300000000}
    HKEY_CLASSES_ROOT\CLSID\{00000000-DD60-0064-6EC2-6E0100000000}
    HKEY_CLASSES_ROOT\CLSID\{00000000-F09C-02B4-6EC2-AD0300000000}
    HKEY_CLASSES_ROOT\CLSID\{00000026-8735-428D-B81F-DD098223B25F}
    HKEY_CLASSES_ROOT\CLSID\{00000035-92F8-407F-98A5-7D8ADA59B6BB}
    HKEY_CLASSES_ROOT\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}
    HKEY_CLASSES_ROOT\CLSID\{0000005D-C175-4405-BAC5-1F3B2BAF67C6}
    HKEY_CLASSES_ROOT\CLSID\{00000062-2E5F-4AF7-986E-5B64E0951A96}
    HKEY_CLASSES_ROOT\CLSID\{00000097-7C67-4BA6-8B42-05128941688A}
    HKEY_CLASSES_ROOT\CLSID\{00000250-0320-4DD4-BE4F-7566D2314352}
    HKEY_CLASSES_ROOT\CLSID\{000006B1-19B5-414A-849F-2A3C64AE6939}
    HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}
    HKEY_CLASSES_ROOT\CLSID\{0000607D-D204-42C7-8E46-216055BF9918}
    HKEY_CLASSES_ROOT\CLSID\{002EB272-2590-4693-B166-FBD5D9B6FEA6}
    HKEY_CLASSES_ROOT\CLSID\{00320615-B6C2-40A6-8F99-F1C52D674FAD}
    HKEY_CLASSES_ROOT\CLSID\{36A59337-6EEF-40AE-94B1-ED443A0C4740}
    HKEY_CLASSES_ROOT\CLSID\{D5E06663-DE78-4A48-BB81-7C9AFF2E49E4}
    HKEY_CLASSES_ROOT\Interface\{237CB7A2-E26E-443B-B16E-5DA66584B05B}
    HKEY_CLASSES_ROOT\Interface\{C45C774D-5ECC-4D9E-94E1-AC57189C4435}
    HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}
    HKEY_CLASSES_ROOT\Interface\{C08175C6-B2B2-47FC-AF1A-32F77A6CB673}
    HKEY_CLASSES_ROOT\Interface\{59EBB576-CEB0-42FA-9917-DA6254A275AD}
    HKEY_CLASSES_ROOT\Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}
    HKEY_CLASSES_ROOT\Interface\{94984402-B480-45C7-AD2D-84E5EB52CFCD}
    HKEY_CLASSES_ROOT\Interface\{72322CE2-D1C1-423E-9748-FF7E7F1E47C3}
    HKEY_CLASSES_ROOT\Interface\{19C8E563-D989-47CE-BED8-EA72B5EB62D6}
    HKEY_CLASSES_ROOT\Interface\{A93B84C6-5278-473A-8027-F6304A291A7A}
    HKEY_CLASSES_ROOT\Interface\{50F646B1-1C3E-4B01-B818-437E1276E5BE}
    HKEY_CLASSES_ROOT\TypeLib\{09049E4F-8D9E-4C8A-A952-5BAF1A115C59}
    HKEY_CLASSES_ROOT\TypeLib\{230C3786-1C2C-45BD-9D2D-9D277FCE6289}
    HKEY_CLASSES_ROOT\TypeLib\{2390AAA5-E65C-4404-BD3B-3A9EAC22C0A5}
    HKEY_CLASSES_ROOT\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}
    HKEY_CLASSES_ROOT\TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}
    HKEY_CLASSES_ROOT\TypeLib\{7EFE1256-AB56-44B3-A63A-EB1A2208A490}
    HKEY_CLASSES_ROOT\TypeLib\{8E0D8965-B97B-468D-8306-A05929E439C1}
    HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}
    HKEY_CLASSES_ROOT\TypeLib\{BBE6D461-41FC-4100-A629-B9D2162BEFAA}
    HKEY_CLASSES_ROOT\TypeLib\{C0168E40-6211-4113-9202-B9B852CB12FC}
    HKEY_CLASSES_ROOT\TypeLib\{EE6AE627-8F18-4986-BEAD-52073EDFC776}
    HKEY_CLASSES_ROOT\AppID\{4D980B0A-C3EF-4965-A58F-7F64F3B42E79}
    HKEY_CLASSES_ROOT\AppID\XParam.DLL
    HKEY_CLASSES_ROOT\BiDll.BiDllObj
    HKEY_CLASSES_ROOT\BiDll.BiDllObj.1
    HKEY_CLASSES_ROOT\BTGrabDll.BTGrabDllObj
    HKEY_CLASSES_ROOT\BTGrabDll.BTGrabDllObj.1
    HKEY_CLASSES_ROOT\CeresDll.CeresDllObj
    HKEY_CLASSES_ROOT\CeresDll.CeresDllObj.1
    HKEY_CLASSES_ROOT\DLMaxDll.DLMaxDllObj
    HKEY_CLASSES_ROOT\DLMaxDll.DLMaxDllObj.1
    HKEY_CLASSES_ROOT\imGiantDll.imGiantDllObj
    HKEY_CLASSES_ROOT\imGiantDll.imGiantDllObj.1
    HKEY_CLASSES_ROOT\morphaclDll.morphaclDllObj
    HKEY_CLASSES_ROOT\morphaclDll.morphaclDllObj.1
    HKEY_CLASSES_ROOT\MultiMPPDll.MultiMPPDllObj
    HKEY_CLASSES_ROOT\MultiMPPDll.MultiMPPDllObj.1
    HKEY_CLASSES_ROOT\MxTarget.MxTargetDllObj.1
    HKEY_CLASSES_ROOT\PynixDll.PynixDllObj
    HKEY_CLASSES_ROOT\PynixDll.PynixDllObj.1
    HKEY_CLASSES_ROOT\sPeerDll.sPeerDllObj
    HKEY_CLASSES_ROOT\sPeerDll.sPeerDllObj.1
    HKEY_CLASSES_ROOT\sPeer2Dll.sPeer2DllObj
    HKEY_CLASSES_ROOT\sPeer2Dll.sPeer2DllObj.1
    HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj
    HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj.1
    HKEY_CLASSES_ROOT\VoiceIPDll.VoiceIPDllObj.1
    HKEY_CLASSES_ROOT\VX2.VX20BJ
    HKEY_CLASSES_ROOT\XParam.XParamObj
    HKEY_CLASSES_ROOT\XParam.XParamObj.1
    HKEY_CLASSES_ROOT\ZServDll.ZServDllObj
    HKEY_CLASSES_ROOT\ZServDll.ZServDllObj.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-59D4-4008-9058-080011001200}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-C1EC-0345-6EC2-4D0300000000}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-DD60-0064-6EC2-6E0100000000}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-F09C-02B4-6EC2-AD0300000000}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000026-8735-428D-B81F-DD098223B25F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000035-92F8-407F-98A5-7D8ADA59B6BB}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000049-8F91-4D9C-9573-F016E7626484}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000005D-C175-4405-BAC5-1F3B2BAF67C6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000062-2E5F-4AF7-986E-5B64E0951A96}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000097-7C67-4BA6-8B42-05128941688A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4DD4-BE4F-7566D2314352}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000006B1-19B5-414A-849F-2A3C64AE6939}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000607D-D204-42C7-8E46-216055BF9918}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{002EB272-2590-4693-B166-FBD5D9B6FEA6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00320615-B6C2-40A6-8F99-F1C52D674FAD}
    HKEY_CURRENT_USER\Software\AHExe
    HKEY_CURRENT_USER\Software\BTGrab
    HKEY_CURRENT_USER\Software\ceres
    HKEY_CURRENT_USER\Software\DLMax
    HKEY_CURRENT_USER\Software\imGiant
    HKEY_CURRENT_USER\Software\morphacl
    HKEY_CURRENT_USER\Software\MultiMPP
    HKEY_CURRENT_USER\Software\MxTarget
    HKEY_CURRENT_USER\Software\sPeer
    HKEY_CURRENT_USER\Software\sPeer2
    HKEY_CURRENT_USER\Software\VoiceIP
    HKEY_CURRENT_USER\Software\pynix
    HKEY_CURRENT_USER\Software\ZServ
    HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\xml
    HKEY_LOCAL_MACHINE\Software\Dbi
    HKEY_LOCAL_MACHINE\Software\twaintec
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ceres
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speer2
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speer
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dbi
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IMGiant

  • Adds the value:

    "BLLid20fslnst" = "{688DE333-FB9A-4E16-B6B7-D81D266E0009}"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\DBi

  • Adds some of the values:

    "INF/ceres.inf" = "0x00000001"
    "INF/ceres.pnf" = "0x00000001"
    "INF/adrmimg.inf" = "0x00000001"
    "INF/adrmimg.PNF" = "0x00000001"
    "INF/farmmext.inf" = "0x00000001"
    "INF/farmmext.pnf" = "0x00000001"
    "INF/imgiant.inf" = "0x00000001"
    "INF/imgiant.PNF" = "0x00000001"
    "INF/payload.inf" = "0x00000001"
    "INF/payload.pnf" = "0x00000001"
    "INF/Pynix.PNF" = "0x00000001"
    "INF/Pynix.inf" = "0x00000001"
    "INF/morphstb.PNF" = "0x00000001"
    "INF/morphstb.inf" = "0x00000001"
    "INF/zserv.inf" = "0x00000001"
    "INF/zserv.pnf" = "0x00000001"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\LastKnownGoodRecovery\LastGood

  • Adds the value:

    "[File name of adware]" = "[File path to adware]"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  • Attempts to connect to one of the following domains to check for updated versions of the adware:

    • abetterinternet.com
    • stop-popup-ads-now.com

  • Attempts to perform some of the following actions:

    • Display advertisements.
    • Display links to related Web sites, and advertisements for related Web sites, based on the Web sites visited on the infected computer.
    • Log the Web sites visited by the infected computer.
    • Redirect certain URLs, including the Web browser default 404-error page, to or through the Web page used by the threat.
    • Automatically update the adware and install added features or functionality. This action is performed without input from, or interaction with the user.
    • Install desktop icons, installation files, and other publisher's software.

    Some samples that Security Response has received of Belt.exe will not install successfully, as the CAB package it attempts to download is no longer available. In these instances, as well as those when an Internet connection is not available, the adware will add the registry key specified in step 4, and then exit cleanly.

    Note: Virus definitions dated prior to November 19, 2003 may detect this as Adware.Ipinsight or Download.Trojan.
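For a defender who wants to check a host against the indicators above before or instead of running the removal tool, the following read-only audit script is an added example; it is not Symantec's FixBinet.exe and not code from the write-up. It assumes an elevated Windows PowerShell 5.1 session, covers only a representative subset of the file indicators (extend the list in the same placeholder syntax), and, because the write-up gives the Run value only as "[File name of adware]" = "[File path to adware]", recognises that entry by matching against the file names the write-up lists. It reports and deletes nothing.

```powershell
# Read-only audit for the Adware.BetterInternet indicators in the write-up above.
# Added example, not Symantec's FixBinet.exe and not code from the write-up.
# Assumes an elevated Windows PowerShell 5.1 session; it reports and deletes nothing.

# Browser Helper Object CLSIDs listed under "Attempts to create ... registry keys".
$BhoClsids = @(
  '{00000000-59D4-4008-9058-080011001200}', '{00000000-C1EC-0345-6EC2-4D0300000000}',
  '{00000000-DD60-0064-6EC2-6E0100000000}', '{00000000-F09C-02B4-6EC2-AD0300000000}',
  '{00000026-8735-428D-B81F-DD098223B25F}', '{00000035-92F8-407F-98A5-7D8ADA59B6BB}',
  '{00000049-8F91-4D9C-9573-F016E7626484}', '{0000005D-C175-4405-BAC5-1F3B2BAF67C6}',
  '{00000062-2E5F-4AF7-986E-5B64E0951A96}', '{00000097-7C67-4BA6-8B42-05128941688A}',
  '{00000250-0320-4DD4-BE4F-7566D2314352}', '{000006B1-19B5-414A-849F-2A3C64AE6939}',
  '{000020DD-C72E-4113-AF77-DD56626C6C42}', '{0000607D-D204-42C7-8E46-216055BF9918}',
  '{002EB272-2590-4693-B166-FBD5D9B6FEA6}', '{00320615-B6C2-40A6-8F99-F1C52D674FAD}'
)

# Executable and DLL names from the "Creates some of the following files" list,
# used to recognise the Run-key entry the write-up describes only as
# "[File name of adware]" = "[File path to adware]".
$KnownNames = @(
  'Belt.exe', 'bho_prob.exe', 'bi.dll', 'biprep.exe', 'morphrec.exe', 'thnall1s.exe',
  'ceres.dll', 'thnall1b.exe', 'thnall1p.exe', 'thnall2r.exe', 'polall1b.exe',
  'IMGUninst.exe', 'imGiant.dll', 'ezxiiyv.exe', 'bdle4012.exe', 'bik.exe',
  'ln_reco.exe', 'laziqn.exe', 'nnmzoq.exe', 'randreco.exe', 'susp_reco.exe',
  'stmtreco.exe', 'xxvyaj.exe', 'wbtvsffd.exe', 'banner.dll', 'BTGrab.dll',
  'Buddy.exe', 'dlmax.dll', 'farmmext.exe', 'morphacl.dll', 'Mxtarget.dll',
  'Pynix.dll', 'speer2.dll', 'speeryox.dll', 'VoiceIP.dll', 'zserv.dll', 'DrUninst.exe'
)

# Representative subset of the file indicators, in the write-up's placeholder
# syntax; add more from the list above. [????] is turned into a wildcard.
$FilePatterns = @(
  '%Temp%\bi.dll', '%Temp%\bik.cab', '%Temp%\biprep.exe', '%Temp%\DrTemp\ceres.dll',
  '%Temp%\THI[????].tmp\imGiant.dll', '%System%\bik.exe', '%System%\imgiant.dll',
  '%Windir%\BTGrab.dll', '%Windir%\ceres.dll', '%Windir%\zserv.dll', '%Windir%\inf\zserv.inf'
)

# The write-up's %Temp% is the system temp folder (C:\Windows\Temp); $env:TEMP is
# the per-user one on modern Windows, so both are searched.
$TempDirs = @((Join-Path $env:SystemRoot 'Temp'), $env:TEMP) | Select-Object -Unique

function Expand-IndicatorPath {
  param([string]$Pattern)
  $p = $Pattern.Replace('[????]', '*')
  $p = $p.Replace('%System%', (Join-Path $env:SystemRoot 'System32')).Replace('%Windir%', $env:SystemRoot)
  if ($p.StartsWith('%Temp%')) { foreach ($t in $TempDirs) { $p.Replace('%Temp%', $t) } } else { $p }
}

function Find-IndicatorFiles {
  foreach ($pat in $FilePatterns) {
    foreach ($path in Expand-IndicatorPath $pat) {
      # Get-Item expands the wildcard; a missing file is the normal case and is skipped.
      Get-Item -Path $path -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Kind = 'File'; Indicator = $pat; Found = $_.FullName } }
    }
  }
}

function Find-IndicatorBhos {
  $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
  Get-ChildItem -Path $bhoRoot -ErrorAction SilentlyContinue |
    Where-Object { $BhoClsids -contains $_.PSChildName } |
    ForEach-Object {
      # Resolve the CLSID to the DLL Internet Explorer would load for it.
      $srv = 'HKLM:\SOFTWARE\Classes\CLSID\' + $_.PSChildName + '\InprocServer32'
      $dll = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
      [pscustomobject]@{ Kind = 'BHO'; Indicator = $_.PSChildName; Found = $dll }
    }
}

function Find-IndicatorRunEntries {
  $run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
  if (-not $run) { return }
  foreach ($prop in $run.PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }   # provider metadata, not registry values
    # Compare both the value name and the last path segment of the data with the known names.
    $leaf = ("$($prop.Value)".Trim('"') -split '[\\/]')[-1]
    if ($KnownNames -contains $prop.Name -or $KnownNames -contains $leaf) {
      [pscustomobject]@{ Kind = 'Run'; Indicator = $prop.Name; Found = $prop.Value }
    }
  }
}

function Find-IndicatorDbiMarker {
  $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\DBi' -Name 'BLLid20fslnst' -ErrorAction SilentlyContinue
  if ($v) { [pscustomobject]@{ Kind = 'Marker'; Indicator = 'HKLM\SOFTWARE\DBi\BLLid20fslnst'; Found = $v.BLLid20fslnst } }
}

$hits = @(Find-IndicatorBhos) + @(Find-IndicatorRunEntries) + @(Find-IndicatorDbiMarker) + @(Find-IndicatorFiles)
if ($hits.Count -eq 0) { 'No Adware.BetterInternet indicators found.' }
else { $hits | Format-Table -AutoSize }
```

The BHO check is the most reliable of the four: the CLSIDs are fixed identifiers, whereas file names and the Run value vary between variants, and the HKLM\SOFTWARE\Classes hive is read directly rather than through the merged HKEY_CLASSES_ROOT view so that per-user class registrations do not mask a machine-wide one.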


    Removal instructions from Symantec Security Response Team

    Removal using the Adware.BetterInternet Removal Tool
    Naked Security has developed a removal tool for Adware.BetterInternet. Use this removal tool first, as it is the easiest way to remove this threat.

    The tool can be found here: http://securityresponse.symantec.com/avcenter/FixBinet.exe

    The current version of the tool is 1.1.3 and will have a digital signature timestamp equivalent to 06/09/2005 03:06 PM PST.

    Note: The date and time displayed will be adjusted to your time zone, if your computer is not set to the Pacific time zone.

    It has been reported that a computer with Adware.BetterInternet on it may also have other security risks installed. Symantec recommends that the following steps be carried out:

  • Apply the Adware.BetterInternet Removal Tool.
  • Update the definitions by starting the Symantec program and running LiveUpdate.
  • Run a full system scan to detect any other security risks on the computer.
  • If the scan detects any further security risks, check for removal tools at http://securityresponse.symantec.com/avcenter/security.risks.tools.list.html.
  • If there are no removal tools for the security risks that are detected, follow the manual removal instructions listed in the threat report.

    Manual Removal
    Note: Removing this adware component from the system will likely cause the program that installed it to not function as intended. The uninstaller generally identifies the programs that will not work after uninstallation.
  • Update the definitions.
  • Run a full system scan and delete all the files detected as Adware.BetterInternet.
  • Delete the keys that were added to the registry.
  • Delete Belt.ini and Belt.inf, if found.
  • Delete the detected .cab files, if necessary.
    For specific details on each of these steps, read the following instructions.

    1. To update the definitions
    To obtain the most recent definitions, start your Symantec program and run LiveUpdate.


    2. To scan for and delete the files
    • Start Norton AntiVirus and make sure that it is configured to scan all the files. For more information, read the document, "How to configure Norton AntiVirus to scan all files."
    • Run a full system scan.
    • If any files are detected as Adware.BetterInternet, write down the path and file names, and then click Delete.

      Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file. If you cannot delete the file in Windows Explorer, restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."

    • Using Windows Explorer, navigate to the following files and delete them, if present:
      • %Temp%\bik.inf
      • %Temp%\dummy.htm
      • %Temp%\DrTemp\ceres.inf
      • %Temp%\THI[????].tmp\adrmimg.inf
      • %Temp%\THI[????].tmp\imgiant.inf
      • %Windir%\BBIIEHPL.ini
      • %Windir%\BIILJLLM.ini
      • %Windir%\BICJNF.ini
      • %Windir%\CCEJHONM.ini
      • %Windir%\FCIJLFMN.ini
      • %Windir%\FFGDEGOJ.ini
      • %Windir%\IDDJHJM.ini
      • %Windir%\morphstb.ini
      • %Windir%\abiuninst.htm
      • %Windir%\inf\adrmcer.inf
      • %Windir%\inf\adrmimg.inf
      • %Windir%\inf\bik.inf
      • %Windir%\inf\ceres.inf
      • %Windir%\inf\farmmext.inf
      • %Windir%\farmmext.ini
      • %Windir%\inf\imgiant.inf
      • %Windir%\inf\morphstb.inf
      • %Windir%\inf\payload.inf
      • %Windir%\inf\payload2.inf
      • %Windir%\inf\Pynix.inf
      • %Windir%\inf\Pynix.pnf
      • %Windir%\inf\sprnopol.inf
      • %Windir%\inf\topmins2.inf
      • %Windir%\Wininit.ini
      • %Windir%\inf\zserv.inf
      • %Windir%\LastGood\BICJNF.ini
      • %Windir%\LastGood\INF\adrmimg.inf
      • %Windir%\LastGood\INF\adrmimg.PNF
      • %Windir%\LastGood\INF\bik.inf
      • %Windir%\LastGood\INF\bik.pnf
      • %Windir%\LastGood\INF\ceres.inf
      • %Windir%\LastGood\INF\ceres.pnf
      • %Windir%\LastGood\farmmext.ini
      • %Windir%\LastGood\INF\farmmext.inf
      • %Windir%\LastGood\INF\farmmext.pnf
      • %Windir%\LastGood\INF\imgiant.inf
      • %Windir%\LastGood\INF\imgiant.PNF
      • %Windir%\LastGood\INF\morphstb.PNF
      • %Windir%\LastGood\INF\morphstb.inf
      • %Windir%\LastGood\INF\payload.PNF
      • %Windir%\LastGood\INF\payload.inf
      • %Windir%\LastGood\INF\Pynix.inf
      • %Windir%\LastGood\INF\Pynix.PNF
      • %Windir%\LastGood\INF\zserv.inf
      • %Windir%\LastGood\INF\zserv.pnf
      • %Windir%\Downloaded Program Files\thin.inf
      • %Windir%\LastGood\Downloaded Program Files\thin.inf


    3. To delete the keys from the registry
    Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
    • On the Windows taskbar, click Start > Run.
    • In the Run dialog box, type regedit and then click OK.
    • In the Registry Editor, navigate to and delete the keys:

      HKEY_CLASSES_ROOT\CLSID\{00000000-59D4-4008-9058-080011001200}
      HKEY_CLASSES_ROOT\CLSID\{00000000-C1EC-0345-6EC2-4D0300000000}
      HKEY_CLASSES_ROOT\CLSID\{00000000-DD60-0064-6EC2-6E0100000000}
      HKEY_CLASSES_ROOT\CLSID\{00000000-F09C-02B4-6EC2-AD0300000000}
      HKEY_CLASSES_ROOT\CLSID\{00000026-8735-428D-B81F-DD098223B25F}
      HKEY_CLASSES_ROOT\CLSID\{00000035-92F8-407F-98A5-7D8ADA59B6BB}
      HKEY_CLASSES_ROOT\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}
      HKEY_CLASSES_ROOT\CLSID\{0000005D-C175-4405-BAC5-1F3B2BAF67C6}
      HKEY_CLASSES_ROOT\CLSID\{00000062-2E5F-4AF7-986E-5B64E0951A96}
      HKEY_CLASSES_ROOT\CLSID\{00000097-7C67-4BA6-8B42-05128941688A}
      HKEY_CLASSES_ROOT\CLSID\{00000250-0320-4DD4-BE4F-7566D2314352}
      HKEY_CLASSES_ROOT\CLSID\{000006B1-19B5-414A-849F-2A3C64AE6939}
      HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}
      HKEY_CLASSES_ROOT\CLSID\{0000607D-D204-42C7-8E46-216055BF9918}
      HKEY_CLASSES_ROOT\CLSID\{002EB272-2590-4693-B166-FBD5D9B6FEA6}
      HKEY_CLASSES_ROOT\CLSID\{00320615-B6C2-40A6-8F99-F1C52D674FAD}
      HKEY_CLASSES_ROOT\CLSID\{36A59337-6EEF-40AE-94B1-ED443A0C4740}
      HKEY_CLASSES_ROOT\CLSID\{D5E06663-DE78-4A48-BB81-7C9AFF2E49E4}
      HKEY_CLASSES_ROOT\Interface\{237CB7A2-E26E-443B-B16E-5DA66584B05B}
      HKEY_CLASSES_ROOT\Interface\{C45C774D-5ECC-4D9E-94E1-AC57189C4435}
      HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}
      HKEY_CLASSES_ROOT\Interface\{C08175C6-B2B2-47FC-AF1A-32F77A6CB673}
      HKEY_CLASSES_ROOT\Interface\{59EBB576-CEB0-42FA-9917-DA6254A275AD}
      HKEY_CLASSES_ROOT\Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}
      HKEY_CLASSES_ROOT\Interface\{94984402-B480-45C7-AD2D-84E5EB52CFCD}
      HKEY_CLASSES_ROOT\Interface\{72322CE2-D1C1-423E-9748-FF7E7F1E47C3}
      HKEY_CLASSES_ROOT\Interface\{19C8E563-D989-47CE-BED8-EA72B5EB62D6}
      HKEY_CLASSES_ROOT\Interface\{A93B84C6-5278-473A-8027-F6304A291A7A}
      HKEY_CLASSES_ROOT\Interface\{50F646B1-1C3E-4B01-B818-437E1276E5BE}
      HKEY_CLASSES_ROOT\TypeLib\{09049E4F-8D9E-4C8A-A952-5BAF1A115C59}
      HKEY_CLASSES_ROOT\TypeLib\{230C3786-1C2C-45BD-9D2D-9D277FCE6289}
      HKEY_CLASSES_ROOT\TypeLib\{2390AAA5-E65C-4404-BD3B-3A9EAC22C0A5}
      HKEY_CLASSES_ROOT\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}
      HKEY_CLASSES_ROOT\TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}
      HKEY_CLASSES_ROOT\TypeLib\{7EFE1256-AB56-44B3-A63A-EB1A2208A490}
      HKEY_CLASSES_ROOT\TypeLib\{8E0D8965-B97B-468D-8306-A05929E439C1}
      HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}
      HKEY_CLASSES_ROOT\TypeLib\{BBE6D461-41FC-4100-A629-B9D2162BEFAA}
      HKEY_CLASSES_ROOT\TypeLib\{C0168E40-6211-4113-9202-B9B852CB12FC}
      HKEY_CLASSES_ROOT\TypeLib\{EE6AE627-8F18-4986-BEAD-52073EDFC776}
      HKEY_CLASSES_ROOT\AppID\{4D980B0A-C3EF-4965-A58F-7F64F3B42E79}
      HKEY_CLASSES_ROOT\AppID\XParam.DLL
      HKEY_CLASSES_ROOT\BiDll.BiDllObj
      HKEY_CLASSES_ROOT\BiDll.BiDllObj.1
      HKEY_CLASSES_ROOT\BTGrabDll.BTGrabDllObj
      HKEY_CLASSES_ROOT\BTGrabDll.BTGrabDllObj.1
      HKEY_CLASSES_ROOT\CeresDll.CeresDllObj
      HKEY_CLASSES_ROOT\CeresDll.CeresDllObj.1
      HKEY_CLASSES_ROOT\DLMaxDll.DLMaxDllObj
      HKEY_CLASSES_ROOT\DLMaxDll.DLMaxDllObj.1
      HKEY_CLASSES_ROOT\imGiantDll.imGiantDllObj
      HKEY_CLASSES_ROOT\imGiantDll.imGiantDllObj.1
      HKEY_CLASSES_ROOT\morphaclDll.morphaclDllObj
      HKEY_CLASSES_ROOT\morphaclDll.morphaclDllObj.1
      HKEY_CLASSES_ROOT\MultiMPPDll.MultiMPPDllObj
      HKEY_CLASSES_ROOT\MultiMPPDll.MultiMPPDllObj.1
      HKEY_CLASSES_ROOT\MxTarget.MxTargetDllObj.1
      HKEY_CLASSES_ROOT\PynixDll.PynixDllObj
      HKEY_CLASSES_ROOT\PynixDll.PynixDllObj.1
      HKEY_CLASSES_ROOT\sPeerDll.sPeerDllObj
      HKEY_CLASSES_ROOT\sPeerDll.sPeerDllObj.1
      HKEY_CLASSES_ROOT\sPeer2Dll.sPeer2DllObj
      HKEY_CLASSES_ROOT\sPeer2Dll.sPeer2DllObj.1
      HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj
      HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj.1
      HKEY_CLASSES_ROOT\VoiceIPDll.VoiceIPDllObj.1
      HKEY_CLASSES_ROOT\VX2.VX20BJ
      HKEY_CLASSES_ROOT\XParam.XParamObj
      HKEY_CLASSES_ROOT\XParam.XParamObj.1
      HKEY_CLASSES_ROOT\ZServDll.ZServDllObj
      HKEY_CLASSES_ROOT\ZServDll.ZServDllObj.1
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-59D4-4008-9058-080011001200}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-C1EC-0345-6EC2-4D0300000000}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-DD60-0064-6EC2-6E0100000000}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-F09C-02B4-6EC2-AD0300000000}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000026-8735-428D-B81F-DD098223B25F}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000035-92F8-407F-98A5-7D8ADA59B6BB}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000049-8F91-4D9C-9573-F016E7626484}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000005D-C175-4405-BAC5-1F3B2BAF67C6}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000062-2E5F-4AF7-986E-5B64E0951A96}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000097-7C67-4BA6-8B42-05128941688A}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4DD4-BE4F-7566D2314352}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000006B1-19B5-414A-849F-2A3C64AE6939}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000607D-D204-42C7-8E46-216055BF9918}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{002EB272-2590-4693-B166-FBD5D9B6FEA6}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00320615-B6C2-40A6-8F99-F1C52D674FAD}
      HKEY_CURRENT_USER\Software\AHExe
      HKEY_CURRENT_USER\Software\BTGrab
      HKEY_CURRENT_USER\Software\ceres
      HKEY_CURRENT_USER\Software\DLMax
      HKEY_CURRENT_USER\Software\imGiant
      HKEY_CURRENT_USER\Software\morphacl
      HKEY_CURRENT_USER\Software\MultiMPP
      HKEY_CURRENT_USER\Software\MxTarget
      HKEY_CURRENT_USER\Software\sPeer
      HKEY_CURRENT_USER\Software\sPeer2
      HKEY_CURRENT_USER\Software\VoiceIP
      HKEY_CURRENT_USER\Software\pynix
      HKEY_CURRENT_USER\Software\ZServ
      HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\xml
      HKEY_LOCAL_MACHINE\Software\Dbi
      HKEY_LOCAL_MACHINE\Software\twaintec
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ceres
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speer2
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speer
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dbi
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IMGiant

    • Navigate to the registry key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    • In the right pane, delete the value:

      "[File name of adware]" = "[File path to adware]"

    • Navigate to the registry key:

      HKEY_LOCAL_MACHINE\Software\DBi

    • In the right pane, delete the value:

      "BLLid20fslnst" = "{688DE333-FB9A-4E16-B6B7-D81D266E0009}"

    • Navigate to the registry key:

      HKEY_LOCAL_MACHINE\SYSTEM\LastKnownGoodRecovery\LastGood

    • In the right pane, delete the values:

      "INF/ceres.inf" = "0x00000001"
      "INF/ceres.pnf" = "0x00000001"
      "INF/adrmimg.inf" = "0x00000001"
      "INF/adrmimg.PNF" = "0x00000001"
      "INF/farmmext.inf" = "0x00000001"
      "INF/farmmext.pnf" = "0x00000001"
      "INF/imgiant.inf" = "0x00000001"
      "INF/imgiant.PNF" = "0x00000001"
      "INF/payload.inf" = "0x00000001"
      "INF/payload.pnf" = "0x00000001"
      "INF/Pynix.PNF" = "0x00000001"
      "INF/Pynix.inf" = "0x00000001"
      "INF/morphstb.PNF" = "0x00000001"
      "INF/morphstb.inf" = "0x00000001"
      "INF/zserv.inf" = "0x00000001"
      "INF/zserv.pnf" = "0x00000001"

    • Exit the Registry Editor.

    4. To delete the .ini and .inf files
    Search the system for Belt.ini/Susp.ini/FFGDEGOJ.ini and Belt.inf/Susp.inf/BTGrab.inf, deleting them if found.

    Follow the instructions for your operating system:

      Windows 95/98/Me/NT/2000
      • On the Windows taskbar, click Start > Find or Search > Files or Folders.
      • Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
      • In the "Named" or "Search for..." box, type, or copy and paste, the file names:

        FFGDEGOJ.ini Belt.ini Belt.inf
        or
        Susp.ini Susp.inf BTGrab.inf
        or
        adrmsper.inf sprnopol.inf
        or
        adrmimg.inf imgiant.inf IDDJHJM.ini
      • Click Find Now or Search Now.
      • Delete the displayed files.

      Windows XP
      • On the Windows taskbar, click Start > Search.
      • Click All files and folders.
      • In the "All or part of the file name" box, type, or copy and paste, the file names:

        FFGDEGOJ.ini Belt.ini Belt.inf
        or
        Susp.ini Susp.inf BTGrab.inf
        or
        adrmsper.inf sprnopol.inf
        or
        adrmimg.inf imgiant.inf IDDJHJM.ini
      • Verify that "Look in" is set to "Local Hard Drives" or to (C:).
      • Click More advanced options.
      • Check Search system folders.
      • Check Search subfolders.
      • Click Search.
      • Delete the displayed files.


    5. To delete the .cab files detected
    If this threat was detected in a .cab file that is in the Windows Temp folder, your Symantec antivirus program may report that it cannot delete it. If this happens, manually delete it.
    • On the Windows taskbar, click Start > Run.
    • Type the following and then click OK:

      %temp%

    • Click the Edit menu > Select All.
    • Press Delete and then click Yes to confirm. If you see a message that Windows cannot delete the files, restart the computer and repeat steps 1 to 3. If you still see the message, select and delete files that have the .cab extensions.


