Sophos

Troj/CWS-M

Aliases
  • Trojan.Win32.Agent.cx
  • StartPage-DU.dll
  • trojan
  • Trojan.StartPage
  • TROJ_LOADER.E

Summary

Affected operating systems: Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Included in our products from September 2005 (3.97)
Protection available since 9 August 2005 13:11:35 (GMT)
Detected by: All Sophos products

More Information

Troj/CWS-M is a Trojan for the Windows platform.

When first run, Troj/CWS-M copies itself to:
<Windows>\explorer32dbg.exe
<Windows>\iexplore_dbg.exe
<System>\msimn32.exe
<System>\taskmgru.exe

and creates the file <Windows>\bhoass.dll, detected as Troj/CWS-C.

The following registry entries are created to run explorer32dbg.exe, iexplore_dbg.exe, msimn32.exe and taskmgru.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TASKMGRU
<System>\TASKMGRU.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSIMN32
<System>\MSIMN32.EXE

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger
<Windows>\explorer32dbg.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Debugger
<Windows>\iexplore_dbg.exe
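
A defender-side audit of the two persistence locations listed above, added here as an example and not part of the Sophos description. It assumes an elevated PowerShell session and resolves <Windows> and <System> from $env:SystemRoot; the Image File Execution Options "Debugger" value is what causes the dropped copies to be launched in place of explorer.exe and iexplore.exe.

```powershell
# Added example (not from the Sophos page): audit the persistence locations
# this description lists. Indicator paths are taken from the page; the
# <Windows> and <System> placeholders are resolved to the live directories.

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$win = $env:SystemRoot
$sys = "$win\System32"

# Indicators named on the page (lookup tables constructed for this check).
$knownDebuggers = @{
    'explorer.exe' = "$win\explorer32dbg.exe"
    'iexplore.exe' = "$win\iexplore_dbg.exe"
}
$knownRunValues = @{
    'TASKMGRU' = "$sys\TASKMGRU.EXE"
    'MSIMN32'  = "$sys\MSIMN32.EXE"
}

# 1. Any IFEO subkey carrying a Debugger value deserves review: a real debugger
#    is rare on a production host, and here it redirects the named programs
#    to the dropped copies. Matches against the page's paths are flagged.
Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $exe   = $_.PSChildName
        $match = $knownDebuggers[$exe] -and ($dbg -ieq $knownDebuggers[$exe])
        [pscustomobject]@{ Location = "IFEO\$exe"; Value = $dbg; MatchesCWSM = [bool]$match }
    }
}

# 2. HKCU Run values pointing at the two copies dropped into <System>.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in $knownRunValues.Keys) {
    $val = $run.$name
    if ($val) {
        [pscustomobject]@{ Location = "Run\$name"; Value = $val; MatchesCWSM = ($val -ieq $knownRunValues[$name]) }
    }
}
```

Any IFEO entry with a Debugger value is reported, not only those matching this family, since the same mechanism is reused by other malware; treat unexpected entries as findings to investigate before removal.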

The file bhoass.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A1488CB-8028-49ba-AD19-18D13CDC650F}
HKCR\BHOASS.BHDP\
HKCR\BHOASS.BHDP.1\
HKCR\CLSID\{1A1488CB-8028-49ba-AD19-18D13CDC650F}
HKCR\Interface\{0B6EF17E-18E5-4449-86EA-64C82D596EAE}
HKCR\Interface\{B1E68D42-02C4-465B-8368-5ED9B732E22D}
HKCR\TypeLib\{236F257D-A248-4F38-BAED-829D3EF8AE79}

Troj/CWS-M changes settings for Microsoft Internet Explorer by modifying values under:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ATLASSstp\
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\HTASSstp\
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\MSMsgSvc\
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\SEHLPstp\
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\WTLBAstp\

Troj/CWS-M attempts to terminate processes called systime.exe, toolbar.exe, izxczxcr.exe, loadclean.exe, istsvc.exe and optimize.exe.
