Read this if you get a nasty pop-up trojan....

May 12th, 2004, 2:16 pm

Hi all

Firstly apologies for the massive post, but thought i'd list all the steps I went through to get rid of this:

So I managed to contract a purely *hellish* popup trojan this morning. Thought I'd document my cronicles for any other unsespecting victims! I'd got the Cool Web Search trojan on a previous occasion, but that was a kitten compared to this thing! It may actually be a more advanced version though....

Symptoms & overview:
Home page set to: http://aifind.info/ & casino popups all the time. Local (LAN) proxy gets set to localhost address (127.0.0.1). Notepad.exe gets repointed to c:\windows\system32\actmovie.exe. Couple of entries in the registry run directory that point to runwin32.exe & wininet32.exe. Google toobar disapears (if you use it). Trend Housecall crashes. Various other fun things....

Steps taken:
Ran Ad-Aware 6 (did an update to ensure I had latest signatures) this seemed to do nothing even though it found and removed several entries for cool web search.

Found my internet access was blocked, so went to C:\WINDOWS\system32\drivers\etc and checked my hosts file. Sure enough there was an entry for '213.159.117.235 auto.search.msn.com' that seems to block all internet access (I later found out the reason was that it had changed my proxy settings - will come to that in a minute). Removed the offending line (you only need '127.0.0.1 localhost' unless your doing anything freaky! and went to hit save, then noticed the sneaky 'tards had changed my hosts file to read only! Grrrrr removed that and saved it.

Once I had internet access again, downloaded the latest version of CWShredder from http://www.spywareinfo.com/~merijn/cwschronicles.html. This seemed to find and fix about 3 spyware programs but the problem still persisted.

Checked MSConfig and found 2 more spyware programs: runwin32.exe & wininet32.exe. Deleted these and their entries.

Checked my local proxy info (in IE) and found it had been changed to 127.0.0.1:8080 hence the lack of internet access earlier. Changed this back.

Noticed that all notepad shortcuts now point to c:\windows\system32\actmovie.exe. Deleted this file and repointed back to notepad.exe (wordpad was unaffacted thank goodness!) Looking at actmovie.exe I don't think its actually part of the virus. It seems to listed as Microsoft directshow setup tool, so maybe just pointed to a random file so that Notepad does not work.

Noticed it had removed/hidden my Google toolbar.

Tried to run Trend Housecall. It managed to crash out the window that Trend opens!

At this point I'd got rid of the popups but still had my home page being set to http://aifind.info/ and my hosts file getting changed every 5 mins and read-only kept coming back. Also notepad.exe shortcut still being repointed. Have to admit I was scratching my head a little by now!

Performed a complete virus check using e-Trust from Computer Associates (yes I know its not great, but free from work so can't complain) This found another 11 virused files!

Spent a further 30 mins trying various stuff. Then I got heavy, and used HijackThis to basically remove anything I thought looked dodgy. I also Uninstalled Google toolbar to make fault finding in HijackThis easier. This all worked!! This is the stuff I think pertained to the worm (but not sure):

Think these 3 were the worst culprits:
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\msxslab.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe

This is just general crap the worm did:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O15 - Trusted Zone: http://www.emode.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


This is stuff I removed anyway, but I don't think it had an effect:
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

And after 1.5 hours I think its finally over! I really must switch my virus checker on more often....



S

[ATNO/TW]

May 12th, 2004, 5:23 pm

DuckIT


That is most excellent. It's nice to see people take the time to provide such detail so others can learn. Looks to me like you (at the least) had
http://securityresponse.symantec.com/av ... rojan.html

^That one

But your detailed blog is most impressive and helpful. But like what you did to day it just takes some thought to troubleshoot problems and a good deal of patience... My hat is off to you, sir.

May 12th, 2004, 5:35 pm

Hi DuckIT, did the popup come up even though you had google popup blocker? Also, if you had a firewall would it have stopped it being put onto your system?

Can you recommend how someone can block these things from being downloaded onto their computer without their permission?

Thanks,
Rose

(great post by the way)

May 13th, 2004, 12:00 am

Quote:

But your detailed blog is most impressive and helpful. But like what you did to day it just takes some thought to troubleshoot problems and a good deal of patience... My hat is off to you, sir.

Heh thanks. Patience though? I was growing like a dog and reeling off all the things I'd like to do to the person that coded this

Quote:

Hi DuckIT, did the popup come up even though you had google popup blocker? Also, if you had a firewall would it have stopped it being put onto your system?

Yeah google pop-up blocker only seems to block IE windows that initiate from the original window. It won't stop you getting the thing in the first place & it won't stop any subsequent pop-ups as they are started by the OS rather than IE.

Quote:

Can you recommend how someone can block these things from being downloaded onto their computer without their permission?

*cough* a virus checker would probably be a good start. I had mine disabled as its a games machine & rarely used for surfing. Learned my lesson I have (to be said in your best Yoda voice)

Also I think most ad programs come with a feature to stop this kind of thing. Ad-Aware does for instance. In this instance though I have a feeling that I had one of those grey yes/no to installation boxes come up and it looked like the default option was to click no, hence I did not bother with the mouse but rather hit enter. With hindsight it was probably coded to look like 'No' is the default when in fact yes is!

May 16th, 2004, 3:33 pm

A few program to help stop adware/spuware /malware.what ever you want to call it .
this one install blockers in the registry .download site Here

Download and install these two programs to help stop Spyware .


Spywareblaster


SpywareGuard

Keep Up-to-Date!
The most important key to maintaining a secure computer is keeping your protection up-to-date.

also check how i got infected in the first place .

http://www.computercops.biz/postlite7736-.html

May 17th, 2004, 3:07 am

I still have the damn popup thingy. Blasted thing it is. I've run CWShredder, ad-aware, hijack this & pest patrol and it still comes back after a reboot! Checked reg entries, checked startup files yada yada yada. Damn they are getting good these days!

Thanks for the tip caperjack, i'll give spywareblaster a go when I get some time. For the moment, i've just given up on browsing on that machine. Its only a games PC anyway.

S

May 17th, 2004, 11:27 am

spywareblaster is for use after you get rid of all infections,
post you hijackthis log ,to see what is in it.
it sounds like you have the returning and harder to get rid of about/blank.

May 18th, 2004, 7:21 am

I *think* I got it now. I'll double check again when I get home but it looked ok this morning.

Thanks

S

May 18th, 2004, 12:22 pm

It's still there!

I'm seriously considering sacrificing a chicken over my computer. Think this will help?

I can sometimes get rid of it but it comes back the next day. I'm 99% sure i'm not getting myself re-infected as I don't use this PC much for surfing. It seems like its timed to re-infect me every day somehow.

Quote:

it sounds like you have the returning and harder to get rid of about/blank.

This sounds good. I'm all ears!


Hijack this log (i've removed all the R0-R1 & the O2 entries before - they just come straight back. I'm presuming one of my processes has been replaced by this but no idea which):

Logfile of HijackThis v1.97.7
Scan saved at 08:09:00, on 18/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
c:\data\apps\E-Trust\InoculateIT\InoRpc.exe
c:\data\apps\E-Trust\InoculateIT\InoRT.exe
c:\data\apps\E-Trust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Data\Apps\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Windows Media Player\wmp.exe
C:\Data\Apps\E-Trust\InoculateIT\Realmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Stephan Torcy\Desktop\HIjack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\eldnba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\eldnba.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\eldnba.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\eldnba.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\eldnba.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\eldnba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {3BA44967-D4A3-4208-B5FE-E208E82D5FA9} - C:\WINDOWS\System32\eldnba.dll
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATIPTA] C:\Data\Apps\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\data\apps\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - Startup: Logon.BAT.lnk = ?
O4 - Startup: Realtime Monitor.lnk = C:\Data\Apps\E-Trust\InoculateIT\Realmon.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_41.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C ... 5993055556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4454BC1A-639D-4FB2-9297-A67EA5FF7EDD}: NameServer = 10.1.1.2,195.112.4.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{467CDA8E-8BCC-4663-B85E-23FA4ED54EA1}: NameServer = 195.112.4.4,195.112.4.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1DDD18B-6997-4B16-9B41-39539892FB65}: NameServer = 194.119.131.65,195.112.4.4

May 18th, 2004, 12:33 pm

You do have the hidden DLL,about/blank I have never had it but ,i do study and helping at SWI,fourn and this is the fix they use '.

1. Download reglite
2. install "Reglite" and run it, enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs into the address bar.
3. Double click on AppInit_DLLs to open a "Data Editor" properties window, if the bottom textfield named "Value" contains a .dll file; then this is the hidden file you need to get rid off.
4. You should not be able to delete this file if you try to clear the value field, IMPORTANT: take note of the path and name of the .dll file. Write it down so you do not forget it.
5. Rename the Folder "Windows" (This is a purple "highlighted" folder in the left hand window) to NOTWINDOWS. Simply click on the folder, click on "Edit" in the menu bar and select "Rename".
6. Click AppInit_DLLs again and clear the value containing the .dll and ok it. This should have removed the .dll
7. Rename the windows folder back to its original name "Windows".
8. Next step will be to remove this dll file so make sure you have it noted down.
9. Click "Start" => "Run" and type in "cmd" (Without the quotations) and click on "Okay".
10. This will open a command window I will assume you have a basic knowledge of DOS if you have any problems at this point just write back I will outline the commands.
11. Type in dir <path and name of dll as found in the appinit value box> and press "Enter". You should see the name of the file listed.
12. Go to the system32 folder (This is where the .dll file will typically reside) and type attrib -r "nameofdll".dll
13. Type del "nameofdll".dll
14. Type dir <path and name of dll as found in the appinit value box> and locate the dll name the dll should now have been removed and will not be listed.
15. Check the following two links for instructions on downloading and running the applications listed:
    • How to use Spybot to remove Spyware
    • How to use Ad-Aware to remove Spyware
16. Restart computer in safe mode (How do I boot into "Safe" mode?) and run these programs again, just to make sure all traces are gone.
17. Boot up pc as normal and you should be trouble free.

May 19th, 2004, 9:53 am

or use this info .

http://forums.subratam.org/index.php?showtopic=583

May 19th, 2004, 12:31 pm

I'm working on this now thanks caperjack! I'll post in a while with results. Nice registry editor that is by the way.

Quite ironic that after acting all big about how clever I was to get rid of this and then my post turns into a cry for help

S

May 19th, 2004, 2:13 pm

ok I followed all the instructions. Your details didn't seem to clear it as the file it pointed too (C:\WINDOWS\System32\wdm.dll) seemed to be somehow invisible even though I have show hidden & system files switched on.

Luckily the batch file in your second post sorted it. It did all this:

Quote:

Processing File Manually
C:\WINDOWS\system32\wdm.dll
Md5 Check of C:\WINDOWS\system32\wdm.dll

File was found but md5 didnt match
MD5 was:
Resetting file attributes
Processing ACL of: <\\?\C:\WINDOWS\system32\wdm.dll>

File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.

and that seemed to resolve it so I was able to manually delete it then! I did every thing else in the post. I just have to leave it a day or two now to see if that fixed it. Hopefully it has.

Thanks a lot dude!!

S

May 20th, 2004, 2:32 am

Your welcome ,glad it worked ,Im new to those progrqms and have never had to run any of the fixes on my own machine ,I just pass it along for folks to use to fix there problems .

May 20th, 2004, 7:28 am

Found my internet access was blocked, so went to C:\WINDOWS\system32\drivers\etc and checked my hosts file. Sure enough there was an entry for '213.159.117.235 auto.search.msn.com' that seems to block all internet access (I later found out the reason was that it had changed my proxy settings - will come to that in a minute). Removed the offending line (you only need '127.0.0.1 localhost' unless your doing anything freaky! and went to hit save, then noticed the sneaky 'tards had changed my hosts file to read only! Grrrrr removed that and saved it.


How do i edit the hostfile?
please reply asap..do i need a program or just edit from ms-dos.

i'm a noob and i'll be guiding a friend through phone on how to restore his internet access...(i deleted his runwin32.exe and wininet32.exe because of uncleanable virus)