Description
123Mania is a sidebar search hijacker, address bar search
hijacker and adware from Matrix Technology Network, targeted
at 123mania.com. It consists of one advertising DLL set to
run at Windows start time, and one search hijacker DLL (providing
an explorer bar and URLSearchHook). Both DLLs are also Internet
Explorer Browser Helper Objects.
Variants
MatrixDialer/HTML: uses the filenames msapasrc.dll
and mshtmpre.dll.
MatrixDialer/SIPS: uses the filenames GIDCAI32.dll
and SIPSPI32.dll.
Distribution
Installed by ActiveX drive-by-download, suspected to be triggered
by pop-up ads. Also bundled with Matrix's NTP client at internet-time.com.
What it does
Advertising
Yes. Opens up an HTML application (mshta.exe) that spawns
untargeted pop-ups from 123mania.com mirrors kidsmk.com, rgwuio.com,
semcmm.com, dcfgsd.com and prsdvb.com.
Privacy violation
No.
Security issues
Yes. 123Mania compromises the Windows code-signing system
so that its manufacturers are considered 'Trusted publishers'
and can install further software from any web page even after
MatrixDialer is removed.
This facility has been used on pages pointed to by 123Mania
to install the MatrixDialer parasite.
Stability problems
None known.
Removal
Manual removal
Open a command prompt window (from Start->Programs->Accessories)
and enter the following commands. For the HTML variant:
cd "%WinDir%\System"
regsvr32 /u mshtmpre.dll
regsvr32 /u msapasrc.dll
Or, for the SIPS variant:
cd "%WinDir%\System"
regsvr32 /u SIPSPI32.dll
regsvr32 /u GIDCAI32.dll
Next, open Internet Options (from the Control Panel or Tools->Options
in IE) and click the 'Publishers' button on the 'Content'
tab. Remove any entries in the 'Trusted Publishers' list that
refer to 'Matrix Technology Network SA', 'Futurpago SA', 'Desarrollos
Huella Digital, S.L.' or 'MSN Technologies, S.L.'. (Normally,
it is a good idea to keep this list completely empty.)
Next, open the registry (click 'Start', choose 'Run', enter
'regedit') and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Select this key and delete the entry on the right called 'LoadHTML'
(for the HTML variant) or 'LoadSIPS' (SIPS variant).
Finally, reboot the computer and you should be able to delete
the files 'msapasrc.dll' and 'mshtmpre.dll' (HTML variant)
or 'GIDCAI32.dll' and 'SIPSPI32.dll' (SIPS variant) in the
System folder. (The System folder can be found inside the Windows folder;
on Windows NT/2000/XP/2003 it is called 'System32'.)
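
To confirm that the removal steps above took effect, the following read-only PowerShell check (an added example, not part of the original page) looks for the filenames, Run entries and publisher names listed here. It assumes PowerShell 3.0 or later and that the 'Trusted Publishers' list is backed by the TrustedPublisher certificate store; it changes nothing on the system.

```powershell
# Read-only check for the 123Mania artifacts listed on this page (added example).
$dllNames   = 'msapasrc.dll', 'mshtmpre.dll', 'GIDCAI32.dll', 'SIPSPI32.dll'
$runValues  = 'LoadHTML', 'LoadSIPS'
$publishers = 'Matrix Technology Network SA', 'Futurpago SA',
              'Desarrollos Huella Digital, S.L.', 'MSN Technologies, S.L.'
$findings   = @()

# 1. DLLs left in the System folder ('System32' on NT/2000/XP/2003).
foreach ($dir in 'System', 'System32') {
    foreach ($name in $dllNames) {
        $path = Join-Path (Join-Path $env:WinDir $dir) $name
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Type = 'File'; Item = $path }
        }
    }
}

# 2. Start-up entries under the Run key named in the removal steps.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($value in $runValues) {
    if ($run -and $run.PSObject.Properties[$value]) {
        $findings += [pscustomobject]@{ Type = 'RunValue'; Item = ('{0} = {1}' -f $value, $run.$value) }
    }
}

# 3. Trusted Publishers entries (assumption: backed by the TrustedPublisher store).
foreach ($store in 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher') {
    foreach ($cert in @(Get-ChildItem -Path $store -ErrorAction SilentlyContinue)) {
        foreach ($publisher in $publishers) {
            # Subject is a distinguished name; match the publisher name as a substring.
            if ($cert.Subject -like "*$publisher*") {
                $findings += [pscustomobject]@{ Type = 'TrustedPublisher'; Item = ('{0} -> {1}' -f $store, $cert.Subject) }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No 123Mania artifacts from this page were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Any 'TrustedPublisher' row matters even when the DLLs are gone, since the page notes that the publisher trust survives removal of the software itself.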