
Manual Removal Guide for Caishow



Friday
2008-11-30, 14:31
The following instructions have been created to help you to get rid of "Caishow" manually.
Use this guide at your own risk; dedicated removal software is usually better suited to removing malware, since it can look deeper than a manual check.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
adware

Description:
This adware product is part of an adware bundle installed by Win32.Agent.se. It places several .exe files and BHOs (Browser Helper Objects) into a separate program directory.
Supposed Functionality:
n.a.
Privacy Statement:
n.a.
Removal Instructions:

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.

Entries named "caishowmanage" and pointing to "<$PROGRAMFILES>\CaiShow Tech\CaiShow\UpdateManager.EXE".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$PROGRAMFILES>\CaiShow Tech\CaiShow\BrowerHelper.dll".
The file at "<$PROGRAMFILES>\CaiShow Tech\CaiShow\CaiShow.exe".
The file at "<$PROGRAMFILES>\CaiShow Tech\CaiShow\caishow.ini".
The file at "<$PROGRAMFILES>\CaiShow Tech\CaiShow\defaultrec.dll".
The file at "<$PROGRAMFILES>\CaiShow Tech\CaiShow\dfmmssendrec.dll".
The file at "<$PROGRAMFILES>\CaiShow Tech\CaiShow\Download.dll".
The file at "<$PROGRAMFILES>\CaiShow Tech\CaiShow\dsf3.ico".
The file at "<$PROGRAMFILES>\CaiShow Tech\CaiShow\gdiplus.dll".
The file at "<$PROGRAMFILES>\CaiShow Tech\CaiShow\madlldlib.dll".
The file at "<$PROGRAMFILES>\CaiShow Tech\CaiShow\MMSFactory.dll".
The file at "<$PROGRAMFILES>\CaiShow Tech\CaiShow\SendMMS.htm".
The file at "<$PROGRAMFILES>\CaiShow Tech\CaiShow\SendShell.exe".
The file at "<$PROGRAMFILES>\CaiShow Tech\CaiShow\ssoaddionalindical.dll".
The file at "<$PROGRAMFILES>\CaiShow Tech\CaiShow\Update.exe".
The file at "<$PROGRAMFILES>\CaiShow Tech\CaiShow\update.ini".
The file at "<$PROGRAMFILES>\CaiShow Tech\CaiShow\UpdateManager.exe".
The file at "<$PROGRAMFILES>\CaiShow Tech\CaiShow\wavdest.dll".
The file at "<$PROGRAMFILES>\kusxmast\DIYNETSetupUni.exe".
The file at "<$PROGRAMFILES>\kusxmast\setup.exe".
The file at "<$SYSDIR>\wuwebex.dll".
Make sure you set your file manager to display hidden and system files. If Caishow uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
Files listed without a path will have to be located with a global search. Be extra careful: the name alone might not be enough to identify a file!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$PROGRAMFILES>\CaiShow Tech\CaiShow".
The directory at "<$PROGRAMFILES>\CaiShow Tech\".
The directory at "<$PROGRAMFILES>\kusxmast".
Make sure you set your file manager to display hidden and system files. If Caishow uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
Folders listed without a path will have to be located with a global search. Be extra careful: the name alone might not be enough to identify a folder!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "{0C7C23EF-A848-485B-873C-0ED954731014}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".
Delete the registry key "{A2B7A0F0-B697-4A71-8D91-43443F57D7BB}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".
Delete the registry key "{18E8C855-FF2E-4BEB-B9D2-E7B25AF92A48}" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "{22A36E6E-07CB-4851-AA84-5FC1CA73A1DE}" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "{37BC804E-E26B-4D09-836F-AC15FC0C253E}" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "{88ABD365-12AE-44E7-8450-DA5C3653325B}" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "{F375F726-23D3-4179-9CA2-54FE6E490879}" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "{FBB4D7BA-CCD3-457D-BEFF-F3B1757BD6B1}" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "BrowerHelperMFC.DLL" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "Download.DLL" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "MMSFactory.DLL" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "MMSSend.DLL" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "My.DLL" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "ssoaddionalindical.DLL" at "HKEY_CLASSES_ROOT\AppID\".
A key in HKEY_CLASSES_ROOT\ named "BrowerHelperMFC.CaiShowBH", plus associated values.
Delete the registry key "{0E6E0B51-0300-4AE2-B6C4-F4EFE33A33B2}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{32F64094-A155-4554-8753-E5E267A8C002}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{3AF40CB8-B3BA-4E2D-8968-4BF8DB172997}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{5673A7C0-95CC-4646-BB07-3BD71234CEF9}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{6ABB6C58-FEB7-43AE-946A-AF05D074F493}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{DD6C4862-4BF9-48CE-BD27-9838E30D3DD5}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "发送到手机" at "HKEY_CLASSES_ROOT\emffile\shell\".
Delete the registry key "发送到手机" at "HKEY_CLASSES_ROOT\giffile\shell\".
Delete the registry key "{315420B2-E5C8-4E7B-B812-6676BA4F30CE}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{CE98AD53-16F1-48D3-9208-1203AA19F77E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{D32D8A55-A21A-4237-B8BB-5A5EBEE6746D}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{DBD14208-5F2F-40B8-8D97-6DE44C1D2E3D}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{F6CE85C8-99E7-49F5-A1A2-03FFC4FF09A5}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "发送到手机" at "HKEY_CLASSES_ROOT\jpegfile\shell\".
Delete the registry key "发送到手机" at "HKEY_CLASSES_ROOT\MIDFile\shell\".
A key in HKEY_CLASSES_ROOT\ named "MMSFactory.Send", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "MMSSend.Send", plus associated values.
Delete the registry key "发送到手机" at "HKEY_CLASSES_ROOT\mp3file\shell\".
A key in HKEY_CLASSES_ROOT\ named "My.NetAccelerate", plus associated values.
Delete the registry key "发送到手机" at "HKEY_CLASSES_ROOT\Paint.Picture\shell\".
Delete the registry key "发送到手机" at "HKEY_CLASSES_ROOT\pngfile\shell\".
Delete the registry key "发送到手机" at "HKEY_CLASSES_ROOT\SoundRec\shell\".
A key in HKEY_CLASSES_ROOT\ named "ssoaddionalindical.Identify", plus associated values.
Delete the registry key "发送到手机" at "HKEY_CLASSES_ROOT\TIFImage.Document\shell\".
Delete the registry key "{1F805A43-0E95-4245-8EAF-9271D520722A}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{73D53D7B-66DF-419B-9B44-CF3F42ADF5C9}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{864F198D-6568-4686-B4F5-4A970B85E58B}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{89A99589-82B0-4983-A882-E8D8DB3DA5C7}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{CEBE027D-5423-41B8-AF51-9F1C22557CC6}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{D0581D47-E3CB-402D-B8A6-5F8561B2A36C}" at "HKEY_CLASSES_ROOT\TypeLib\".
A key in HKEY_CLASSES_ROOT\ named "Update2.Update2", plus associated values.
Delete the registry key "CaiShow" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "{3AF40CB8-B3BA-4E2D-8968-4BF8DB172997}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{5673A7C0-95CC-4646-BB07-3BD71234CEF9}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
If Caishow uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance,
then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as one is available.
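As an added example that is not part of the original guide, the following PowerShell audit script checks for the artifacts listed above (program directories, the system DLL, the "caishowmanage" autorun, the two BHO registrations and the "发送到手机" context-menu verbs) and reports which are still present without deleting anything. It assumes the autorun entry sits in the standard Run keys and maps <$PROGRAMFILES> to $env:ProgramFiles and its x86 counterpart.

```powershell
# Added audit script (not from the Spybot guide): reports which Caishow
# artifacts named in the guide remain on this machine. Read-only.
# Assumption: the "caishowmanage" autorun lives in the standard Run keys.
$ErrorActionPreference = 'SilentlyContinue'
$found = New-Object System.Collections.Generic.List[string]

# <$PROGRAMFILES> may be either Program Files directory on 64-bit Windows
$pf = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($base in $pf) {
    foreach ($d in "$base\CaiShow Tech\CaiShow", "$base\kusxmast") {
        if (Test-Path -LiteralPath $d) { $found.Add("Directory: $d") }
    }
}
# The one file the guide lists under <$SYSDIR>
$sysFile = Join-Path $env:SystemRoot 'System32\wuwebex.dll'
if (Test-Path -LiteralPath $sysFile) { $found.Add("File: $sysFile") }

# Autorun entry named "caishowmanage" (assumed location: HKLM/HKCU Run keys)
foreach ($hive in 'HKLM', 'HKCU') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $v = Get-ItemProperty -LiteralPath $run -Name 'caishowmanage'
    if ($v) { $found.Add("Autorun: $run\caishowmanage = $($v.caishowmanage)") }
}

# BHO registrations: the two CLSIDs the guide lists under Browser Helper Objects
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($clsid in '{3AF40CB8-B3BA-4E2D-8968-4BF8DB172997}', '{5673A7C0-95CC-4646-BB07-3BD71234CEF9}') {
    if (Test-Path -LiteralPath "$bhoRoot\$clsid") { $found.Add("BHO: $clsid") }
    if (Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid") { $found.Add("CLSID: $clsid") }
}

# Context-menu verb "发送到手机" ("Send to mobile phone") added to media file types
$types = 'emffile','giffile','jpegfile','MIDFile','mp3file','Paint.Picture','pngfile','SoundRec','TIFImage.Document'
foreach ($t in $types) {
    $verb = "Registry::HKEY_CLASSES_ROOT\$t\shell\发送到手机"
    if (Test-Path -LiteralPath $verb) { $found.Add("Shell verb: $verb") }
}

if ($found.Count -eq 0) { 'No Caishow artifacts from the guide were found.' }
else { 'Remaining Caishow artifacts:'; $found | ForEach-Object { " - $_" } }
```

Run it from an elevated PowerShell before and after following the steps above to confirm nothing from the list was missed; a remaining BHO or autorun entry means the removal is not yet complete.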