Drexinit Spyware Profile
Drexinit is a highly dangerous spyware program. It was first released on March 18, 2004. It is a Trojan dialer that tries to use your modem to dial expensive long-distance telephone numbers. It is often bundled with other malware, such as the exploitative searchterror.com and WebSiteViewer.
Drexinit should be removed as soon as you notice that you're infected. Because of its complexity and the danger it poses to your computer, you should not try to remove it manually. We recommend that you remove it with SpyZooka.
Associated Files: