PDA

View Full Version : Manual Removal Guide for CashDeluxe



Friday
2008-11-28, 18:14
The following instructions have been created to help you to get rid of "CashDeluxe" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
malware

Description:
It downloads malware from its website, and installs a browser helper object (BHO) which loads on every Internet Explorer startup. Addtionally it creates many bad files in the system directory.
Additinal removal information: Start your computer in safe mode and scan with Spybot - Search & Destroy.
Removal Instructions:

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.

Entries named "DWC" and pointing to "*\cashdeluxe\dwc.exe".

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and get rid of these entries.

Products that have a key or property named "DWC".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

A file with an unknown location named "reger.exe".
The file at "<$WINDIR>\adw.htm".
The file at "<$SYSDIR>\exuc32.tmp".
The file at "<$SYSDIR>\intxt.exe".
The file at "<$SYSDIR>\mswinup32.dll".
The file at "<$SYSDIR>\mswinxml.dll".
The file at "<$SYSDIR>\shellgui32.dll".
The file at "<$SYSDIR>\winapi32.dll".
The file at "<$SYSDIR>\winsrv32.exe".
The file at "<$SYSDIR>\its.txt".
The file at "<$SYSDIR>\winbl32.dll".
The file at "<$SYSDIR>\repigsp.exe".
A file with an unknown location named "repigsp.exe".
The file at "<$WINDIR>\Downloaded Program Files\loader.exe".
A file with an unknown location named "loader.exe".
The file at "<$SYSDIR>\cuid32.bin".
The file at "<$SYSDIR>\updf1.dll".
A file with an unknown location named "updf1.dll".
The file at "<$WINDIR>\yod.htm".
The file at "<$SYSDIR>\shell386.exe".
A file with an unknown location named "shell386.exe".
A file with an unknown location named "cat_data.ini".
A file with an unknown location named "dwc.exe.MANIFEST".
A file with an unknown location named "lastupdate.dat".
A file with an unknown location named "most_hot_offers.ini".
A file with an unknown location named "srvname.ini".
A file with an unknown location named "user_settings.ini".
A file with an unknown location named "walls_collection.ini".
The file at "<$PROFILE>\Recent\cashdeluxe.lnk".
The file at "<$PROFILE>\Recent\winword32.ini.lnk".
The file at "<$SYSDIR>\its.txt".
Make sure you set your file manager to display hidden and system files. If CashDeluxe uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "c:\program files\DWC".
Make sure you set your file manager to display hidden and system files. If CashDeluxe uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "{41DD58D5-6692-433F-AE6C-64E157A496C4}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".
Delete the registry key "{0017A6E3-3DC7-4459-9C72-807B558198AB}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{3F8CEAEE-2798-4800-9F7B-D3FCAB739265}" at "HKEY_CLASSES_ROOT\TypeLib\".
Remove "%SystemRoot%\adw.htm" from registry value "Wallpaper" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\".
Delete the registry key "{3F9AA1EB-80D0-483F-964D-B257700F76FD}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{67E08E06-0D9E-4AD9-A11C-FD09F601E089}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{81F45473-C33C-4C63-AC30-711766CC1CFB}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{A776D67B-F624-4217-83C9-16810A5A8457}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B7FA6355-91E2-47E1-9CCB-4A77BD13B990}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{CFE4B6AC-5CE3-4432-A7A1-0FE11110C3B6}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{9260A4E8-FF03-47FB-B9C7-F2511B54B419}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{D00648AC-D6CA-463B-BF40-3292BBBA31FD}" at "HKEY_CLASSES_ROOT\TypeLib\".
A key in HKEY_CLASSES_ROOT\ named "winapi32.MyBHO", plus associated values.
Delete the registry value "DeluxeNetwork" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\".
Delete the registry key "{5D0F16E4-47DF-11DA-8802-00024493948B}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{5D0F16E6-47DF-11DA-8802-00024493948B}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{5D0F16E3-47DF-11DA-8802-00024493948B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{5D0F16E5-47DF-11DA-8802-00024493948B}" at "HKEY_CLASSES_ROOT\Interface\".
A key in HKEY_CLASSES_ROOT\ named "sxpdr32.Intelinks", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "sxpdr32.MyBHO", plus associated values.
Delete the registry key "{5D0F16E2-47DF-11DA-8802-00024493948B}" at "HKEY_CLASSES_ROOT\TypeLib\".
If CashDeluxe uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,
Please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance,
Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) where a volunteer analyst will advise you as soon as available.