ADW_HYPLINKER.A


In the wild: No

Reported detections: Low

Description:

Threat Type: Adware

Systems Affected: Windows 95, 98, ME, NT, 2000, XP

This adware program can be downloaded from a certain Web site. It displays advertising banners and contains spyware functionality that lets it determine which advertisements to display, based on the user's preferences.



Solution:

TREND MICRO SOLUTION

  • Minimum scan engine version needed: 7.100
      TMAPTN version needed: 224.10

MANUAL REMOVAL INSTRUCTIONS

Restarting in Safe Mode

On Windows 95

  1. Restart your computer.
  2. Press F8 at the Starting Windows 95 message.
  3. Choose Safe Mode from the Windows 95 Startup Menu then press Enter.

On Windows 98 and ME

  1. Restart your computer.
  2. Press the CTRL key until the startup menu appears.
  3. Choose the Safe Mode option then press Enter.

On Windows NT (VGA mode)

  1. Click Start>Settings>Control Panel.
  2. Double-click the System icon.
  3. Click the Startup/Shutdown tab.
  4. Set the Show List field to 10 seconds and click OK to save this change.
  5. Shut down and restart your computer.
  6. Select VGA mode from the startup menu.

On Windows 2000

  1. Restart your computer.
  2. Press the F8 key when you see the Starting Windows bar at the bottom of the screen.
  3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

On Windows XP

  1. Restart your computer.
  2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
  3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    xhrmy = "%Windows%\Xhrmy.exe"

(Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)

Removing Other Malware Registry Entries

  1. Still in the Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software
  2. Again in the left panel, right-click the following key(s) and choose Delete:
    Xhrmy
  3. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT
  4. Again in the left panel, right-click the following key(s) and choose Delete:
    LinkMaker.LinkMakerFilter
    LinkMaker.LinkMakerFilter.1
    LinkMaker.LinkTracker
    LinkMaker.LinkTracker.1
  5. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>CLSID
  6. Again in the left panel, right-click the following key(s) and choose Delete:
    {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD}
    {DFAA31C8-A356-4313-9D95-5EDAB46C5070}
  7. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>Interface
  8. Again in the left panel, right-click the following key(s) and choose Delete:
    {43B32A8D-3C3D-4969-B44E-CDCF0D233881}
  9. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>TypeLib
  10. Again in the left panel, right-click the following key(s) and choose Delete:
    {423550E9-2F83-4678-9929-C1774088B180}
  11. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software
  12. Again in the left panel, right-click the following key(s) and choose Delete:
    LM
  13. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Classes
  14. Again in the left panel, right-click the following key(s) and choose Delete:
    LinkMaker.LinkMakerFilter
    LinkMaker.LinkMakerFilter.1
    LinkMaker.LinkTracker
    LinkMaker.LinkTracker.1
  15. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Classes>CLSID
  16. Again in the left panel, right-click the following key(s) and choose Delete:
    {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD}
  17. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Classes>CLSID
  18. Again in the left panel, right-click the following key(s) and choose Delete:
    {DFAA31C8-A356-4313-9D95-5EDAB46C5070}
  19. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Classes>Interface
  20. Again in the left panel, right-click the following key(s) and choose Delete:
    {43B32A8D-3C3D-4969-B44E-CDCF0D233881}
  21. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Classes>TypeLib
  22. Again in the left panel, right-click the following key(s) and choose Delete:
    {423550E9-2F83-4678-9929-C1774088B180}
  23. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Uninstall
  24. Again in the left panel, right-click the following key(s) and choose Delete:
    HyperLinker
  25. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>PROTOCOLS>Filter
  26. Again in the left panel, right-click the following key(s) and choose Delete:
    text/html
  27. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Classes>PROTOCOLS>Filter
  28. Again in the left panel, right-click the following key(s) and choose Delete:
    text/html
  29. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure sets.

Running Trend Micro Antivirus

Download the latest spyware pattern file and scan your system. Then, delete all files detected as ADW_HYPLINKER.A.



Details:

Upon execution, this memory-resident adware program drops the following files:

  • %Windows%\Xhrmy.exe - adware program responsible for downloading advertisements on the affected system
  • %System%\lmdv.bin - data file
  • %System%\lmf32v.dll - .DLL file used by the main program
  • %System%\PreUninstall.exe - un-installation program
  • %System%\uninst.exe - un-installation program
  • %System%\Uninst.log - event log

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP. %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)

It adds the following registry entry to enable its automatic execution upon Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
xhrmy = "%Windows%\Xhrmy.exe"

It adds the following registry keys as part of its installation process:

HKEY_LOCAL_MACHINE\SOFTWARE\Xhrmy

HKEY_CLASSES_ROOT\LinkMaker.LinkMakerFilter

HKEY_CLASSES_ROOT\LinkMaker.LinkMakerFilter.1

HKEY_CLASSES_ROOT\LinkMaker.LinkTracker

HKEY_CLASSES_ROOT\LinkMaker.LinkTracker.1

HKEY_CLASSES_ROOT\CLSID\{6A6E50DC-BFA8-4B40-AB1B-159E03E829FD}

HKEY_CLASSES_ROOT\CLSID\{DFAA31C8-A356-4313-9D95-5EDAB46C5070}

HKEY_CLASSES_ROOT\Interface\{43B32A8D-3C3D-4969-B44E-CDCF0D233881}

HKEY_CLASSES_ROOT\TypeLib\{423550E9-2F83-4678-9929-C1774088B180}

HKEY_LOCAL_MACHINE\SOFTWARE\LM

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LinkMaker.LinkMakerFilter

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LinkMaker.LinkMakerFilter.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LinkMaker.LinkTracker

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LinkMaker.LinkTracker.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A6E50DC-BFA8-4B40-AB1B-159E03E829FD}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DFAA31C8-A356-4313-9D95-5EDAB46C5070}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{43B32A8D-3C3D-4969-B44E-CDCF0D233881}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{423550E9-2F83-4678-9929-C1774088B180}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HyperLinker

It also adds the following registry entries to associate itself with .TXT and .HTML files:

HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
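
To confirm which of these entries exist before deleting anything, the registry keys and autostart value listed above can be checked against a text export of the registry. This is an added example, not Trend Micro's tooling: the function names and the sample export are constructed, and it assumes a REGEDIT4-format (Win9x/NT4) export, with HKEY_CLASSES_ROOT treated as HKEY_LOCAL_MACHINE\SOFTWARE\Classes because the page lists the same keys under both.

```python
import re

CLASSES = r"HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES"  # HKEY_CLASSES_ROOT is folded into this
PAGE_CLSIDS = ("{6A6E50DC-BFA8-4B40-AB1B-159E03E829FD}",
               "{DFAA31C8-A356-4313-9D95-5EDAB46C5070}")
# Keys listed on this page, upper-cased because registry paths are case-insensitive.
PAGE_KEYS = {k.upper() for k in [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Xhrmy", r"HKEY_LOCAL_MACHINE\SOFTWARE\LM",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HyperLinker",
    CLASSES + r"\LinkMaker.LinkMakerFilter", CLASSES + r"\LinkMaker.LinkMakerFilter.1",
    CLASSES + r"\LinkMaker.LinkTracker", CLASSES + r"\LinkMaker.LinkTracker.1",
    CLASSES + r"\Interface\{43B32A8D-3C3D-4969-B44E-CDCF0D233881}",
    CLASSES + r"\TypeLib\{423550E9-2F83-4678-9929-C1774088B180}",
] + [CLASSES + "\\CLSID\\" + c for c in PAGE_CLSIDS]}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
FILTER_KEY = CLASSES + r"\PROTOCOLS\FILTER\TEXT/HTML"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse string values of a REGEDIT4 export into {KEY: {VALUE NAME: data}}, names upper-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1].upper()
            if path.startswith("HKEY_CLASSES_ROOT"):
                path = CLASSES + path[len("HKEY_CLASSES_ROOT"):]
            current = keys.setdefault(path, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1).strip('"').upper()] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def find_indicators(text):
    """Report which of the page's keys (or their subkeys) and values are present."""
    keys = parse_reg(text)
    hits = sorted(k for k in keys if any(k == p or k.startswith(p + "\\") for p in PAGE_KEYS))
    filt = keys.get(FILTER_KEY, {}).get("CLSID")
    return {"keys": hits, "run_value": keys.get(RUN_KEY, {}).get("XHRMY"),
            "filter_clsid": filt, "filter_is_listed": (filt or "").upper() in PAGE_CLSIDS}

# Constructed sample export (not taken from an infected system).
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"xhrmy"="C:\\WINDOWS\\Xhrmy.exe"
[HKEY_CLASSES_ROOT\LinkMaker.LinkTracker]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]
"CLSID"="{00000000-0000-0000-0000-000000000000}"
'''
print(find_indicators(SAMPLE))
```

PROTOCOLS\Filter\text/html is the standard registration point for any text/html MIME filter, so the key name alone does not identify this adware. Compare `filter_clsid` with the two CLSIDs listed above before deleting that key.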




Analysis by: Ian Starr Esguerra

Description created:  Feb 10, 2005



TECHNICAL DETAILS



Initial samples received on:  Jan 31, 2005



SOLUTION


Spyware pattern version needed : 0.619.00

Pattern release date:  Mar 18, 2008