allentech.net


Parasite: Winshow

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

Winshow is a pop-up opener and homepage/search hijacker implemented as an Internet Explorer Browser Helper Object, controlled by 00hq.com. Winshow is strongly related to the CoolWebSearch family of parasites.

Variants

Winshow/Win: filename winshow.dll, stored in the Windows folder.

Winshow/Show: filename winshow.dll, stored in a Winshow folder in Application Data.

Winshow/Link: filename winlink.dll, stored in a Winlink folder in Application Data.

Distribution

Installed by CoolWebSearch IE security hole exploits.

What it does

Advertising

Yes. When a targeted word or phrase is spotted in a web site you are viewing in Internet Explorer, Winshow may open a pop-up advert. So far adverts have been served from 00hq.com and 8ad.com.

Privacy violation

No.

Security issues

Yes. Winshow can download and execute arbitrary unsigned code from its controlling server, as a self-updating feature.

Stability problems

None known.

Removal

No uninstall feature has been seen.

Manual removal

Win variant

Open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "..\winshow.dll"

Restart the computer and you should be able to delete the files winshow.dll, winshow.cfg and dict.dat from the Windows folder. You can also open the registry (Start->Run->regedit) and delete the key HKEY_CURRENT_USER\Software\winshow to clean up.

Show variant

Open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands, on Windows 95/98/Me:

cd "%WinDir%\System"
regsvr32 /u "..\Application Data\winshow\winshow.dll"

Or, on Windows NT/2000/XP/2003:

regsvr32 /u "%AppData%\winshow\winshow.dll"

Restart the computer and you should be able to delete the folder winshow from Application Data. (You can find Application Data in the Windows folder under Windows 95/98/Me, or in your user’s folder in Profiles in the Windows folder under Windows NT, or in your user’s folder in Documents and Settings under Windows 2000/XP/2003). You can also open the registry (Start->Run->regedit) and delete the key HKEY_CURRENT_USER\Software\winshow to clean up.

Link variant

Open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands, on Windows 95/98/Me:

cd "%WinDir%\System"
regsvr32 /u "..\Application Data\winlink\winlink.dll"

Or, on Windows NT/2000/XP/2003:

regsvr32 /u "%AppData%\winlink\winlink.dll"

Restart the computer and you should be able to delete the folder winlink from Application Data. (You can find Application Data in the Windows folder under Windows 95/98/Me, or in your user’s folder in Profiles in the Windows folder under Windows NT, or in your user’s folder in Documents and Settings under Windows 2000/XP/2003). You can also open the registry (Start->Run->regedit) and delete the key HKEY_CURRENT_USER\Software\winlink to clean up.
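A read-only check that the removal steps above took effect, covering all three variants. This is an added example, not part of the original record or of the doxdesk detection script. It assumes PowerShell is available on the machine and that Browser Helper Objects are registered under the standard Explorer key.

```powershell
# Added example: post-removal check for the Winshow artifacts named in this record.
# It only reads the file system and registry; it deletes nothing.

$findings = @()

# Files and folders listed in the manual removal steps.
# Note: dict.dat is a generic name, so treat a hit on it alone as a prompt to look closer.
$paths = @(
    (Join-Path $env:WinDir  'winshow.dll'),
    (Join-Path $env:WinDir  'winshow.cfg'),
    (Join-Path $env:WinDir  'dict.dat'),
    (Join-Path $env:AppData 'winshow'),
    (Join-Path $env:AppData 'winlink')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Path present: $p" }
}

# Per-user settings keys the record says can be deleted.
foreach ($k in 'HKCU:\Software\winshow', 'HKCU:\Software\winlink') {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# Browser Helper Objects still registered whose server DLL is winshow.dll or winlink.dll.
# A hit here means "regsvr32 /u" did not run or did not succeed.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path -LiteralPath $bhoRoot) {
    foreach ($bho in Get-ChildItem -LiteralPath $bhoRoot) {
        $clsid  = $bho.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (-not (Test-Path -LiteralPath $server)) { continue }
        $dll = (Get-Item -LiteralPath $server).GetValue('')   # default value holds the DLL path
        if ($dll -match '\\(winshow|winlink)\.dll"?$') {
            $findings += "BHO still registered: $clsid -> $dll"
        }
    }
}

if ($findings.Count -eq 0) { 'No Winshow artifacts found.' } else { $findings }
```

Run it as the affected user, since %AppData% and HKEY_CURRENT_USER are per-user locations.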

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
