Parasite: 123Mania

This record last updated Tue Sep 20 2005 00:34:14

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

123Mania is a sidebar search hijacker, address bar search hijacker and adware from Matrix Technology Network, targeted at 123mania.com. It consists of one advertising DLL set to run at Windows start time, and one search hijacker DLL (providing an explorer bar and URLSearchHook). Both DLLs are also Internet Explorer Browser Helper Objects.

Variants

123Mania/HTML: uses the filenames msapasrc.dll and mshtmpre.dll.
123Mania/SIPS: uses the filenames GIDCAI32.dll and SIPSPI32.dll.

Distribution

Installed by ActiveX drive-by-download, suspected to be triggered by pop-up ads. Also bundled with Matrix’s NTP client at internet-time.com.

What it does

Advertising: Yes. Opens up an HTML application (mshta.exe) that spawns untargeted pop-ups from 123mania.com mirrors kidsmk.com, rgwuio.com, semcmm.com, dcfgsd.com and prsdvb.com.

Privacy violation: No.

Security issues: Yes. 123Mania compromises the Windows code-signing system so that its manufacturers are considered ‘Trusted publishers’ and can install further software from any web page even after 123Mania is removed. This facility has been used on pages pointed to by 123Mania to install the MatrixDialer parasite.

Stability problems: None known.

Removal

Open a command prompt window (from Start->Programs->Accessories) and enter the following commands.

For the HTML variant:

    cd "%WinDir%\System"

Or, for the SIPS variant:

    cd "%WinDir%\System"

Next, open Internet Options (from the Control Panel or Tools->Options in IE) and click the ‘Publishers’ button on the ‘Content’ tab. Remove any entries in the ‘Trusted Publishers’ list that refer to ‘Matrix Technology Network SA’, ‘Futurpago SA’, ‘Desarrollos Huella Digital, S.L.’ or ‘MSN Technologies, S.L.’. (Normally, it is a good idea to keep this list completely empty.)

Next, open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Select this key and delete the entry on the right called ‘LoadHTML’ (for the HTML variant) or ‘LoadSIPS’ (SIPS variant).

Finally, reboot the computer and you should be able to delete the files ‘msapasrc.dll’ and ‘mshtmpre.dll’ (HTML variant) or ‘GIDCAI32.dll’ and ‘SIPSPI32.dll’ (SIPS variant) in the System folder, which can be found inside the Windows folder; on Windows NT/2000/XP/2003 it is called ‘System32’.

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
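A read-only check for the leftovers the removal steps above target, given as an added example that is not part of the original record or of Andrew Clover's detection script. It assumes PowerShell is available and that the Trusted Publishers list is backed by the TrustedPublisher certificate stores; the function name Find-123ManiaResidue is hypothetical.

```powershell
# Read-only audit for the 123Mania artifacts named in this record.
# Nothing is deleted or changed; findings are returned as objects.
$runKey     = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues  = 'LoadHTML', 'LoadSIPS'
$dllNames   = 'msapasrc.dll', 'mshtmpre.dll', 'GIDCAI32.dll', 'SIPSPI32.dll'
$publishers = 'Matrix Technology Network SA', 'Futurpago SA',
              'Desarrollos Huella Digital, S.L.', 'MSN Technologies, S.L.'
# Assumption: the Trusted Publishers list is exposed through these stores.
$certStores = 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher'

function Find-123ManiaResidue {   # hypothetical helper name
    $findings = @()

    # 1. Autostart values under the Run key (LoadHTML / LoadSIPS).
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    foreach ($name in $runValues) {
        if ($run -and $run.PSObject.Properties[$name]) {
            $findings += [pscustomobject]@{ Type = 'RunValue'; Item = $name; Detail = $run.$name }
        }
    }

    # 2. Variant DLLs in the System folder (System32 on NT/2000/XP/2003).
    foreach ($dir in 'System', 'System32') {
        foreach ($dll in $dllNames) {
            $path = Join-Path (Join-Path $env:WinDir $dir) $dll
            if (Test-Path -LiteralPath $path) {
                $findings += [pscustomobject]@{ Type = 'File'; Item = $dll; Detail = $path }
            }
        }
    }

    # 3. Trusted Publishers entries that survive removal of the DLLs.
    foreach ($store in $certStores) {
        foreach ($cert in (Get-ChildItem -Path $store -ErrorAction SilentlyContinue)) {
            foreach ($pub in $publishers) {
                if ($cert.Subject -like "*$pub*") {
                    $findings += [pscustomobject]@{
                        Type = 'TrustedPublisher'; Item = $pub; Detail = "$store $($cert.Thumbprint)" }
                }
            }
        }
    }
    return $findings
}

$result = Find-123ManiaResidue
if ($result) { $result | Format-Table -AutoSize } else { 'No 123Mania residue found.' }
```

A TrustedPublisher finding matters even when the Run value and DLLs are gone, since the record notes that the trusted-publisher entries keep working after 123Mania itself is removed.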