
New Malware.ca Trojan


12 replies to this topic

#1 WolfRaven (Members, 4 posts, Location: Wells, Nevada)

Posted 17 January 2008 - 01:56 PM

Greetings and Salutations to All...

Jumping right to it, I've scanned my entire computer with McAfee, Spy Hunter, Spy Ware Blaster and even HiJackThis, only to discover that within my System Folder there is a file that none of them can remove. Here we go boys and girls:

I am running Windows ME
HP Pavilion XL753 CPU (Tower)
HP Pavilion M70 Display / Monitor
HP PSC 750 (3-n-1) [Printer-Scanner-Copier]
Capacity = 27.9 GB
Used = 3.88 GB
Free = 24.0 GB
127.0 MB RAM
File System = FAT 32
Browser = IE 6.0
ISP = Frontiernet.net / DSL / SIEMENS SpeedStream

Here it is:
C:\WINDOWS\SYSTEM\Hfkr4g.dll

None of the programs listed above have been able to clean, delete or quarantine this thing. I have tried to drag it out and into the trash, nope, that doesn't work. I tried to change its name and then remove it, nope, can't do that either. I selected properties and there wasn't anything listed for Opens with - so I selected to open it with Notepad and this is what the Hfkr4g.dll file looks like:


[Contents of Hfkr4g.dll as pasted from Notepad. Most of the file is unprintable binary; the readable fragments, in the order they appear, are:]

MZ ... !This program cannot be run in DOS mode.$ ... Rich ... PE L ... .text ... .rsrc ... .reloc
PEC2O ... PECompact2
wsprintf user32 .dll ... CreateFi ... Process ... Modul ... Nam ... StarpInfo ... URLDow ...
ftwa\Micvfs\W|Ss\CFxVYansi\~Cpidf ERRORd- UXXhttp://'bsd.iG/{.php?=%s&vj] ... REG_SZ ... {B5AF0 2-94F3-42-F4-260 f!48C797D} ... COM ... OFTWA ...
DllCanUnloadNow DllGetClassObject DllRegisterServer DllUnregisterServer
kernel32.dll LoadLibraryA GetProcAddress VirtualAlloc VirtualFree user32.dll wsprintfA advapi32.dll RegSetValueExA wininet.dll InternetGetConnectedState urlmon.dll URLDownloadToFileA
msvbvm
Application error EGcrupt. Tt he pcedur %suld not blow i EtDLL-edųPald ... MessageBoxA ... Eknel(OExitP ... MCHandle ... OpenGem1olVirtu
Please note that all of the little white blocks show up in this code as black.

In addition to this its size is 9.76 KB and its size on disk is 16.0 KB. It first appeared on Tuesday, January 15, 2008 at 9:28:45 AM
Attributes = Archive

This thing was found while trying to do a search on Google and every time I would select a link or page to go to I was getting redirected to other sites which in turn were redirecting me to even other sites. None of those had anything to do with what I wanted...most of them were actually adult or porn related. This happened no matter what I was looking for on any link I chose, also, all of the images had changed to the little placeholder on every page including on the Search Google Image pages. Therefore, at this point I ran an entire system search and destroy and found the following items that were removed, less this Hfkr4g.dll thingy, here's what I removed:

http://kolmic.com/
http://www.http://unavailablepage.com/.com
http://www.wbr4.com/
http://www.partners.mamma.com/
http://www.gaster-results.com/
http://www.monstermarketplace.com/

Unless you're really good, I would advise not clicking on these links as they might try to download themselves or their junk on your system. BE CAREFUL.

In conclusion, is anyone familiar with the so-called Trojan New Malware.ca ?

Okay, I need some help on how to get rid of the Hfkr4g.dll

Whether or not I am on the internet I keep getting these McAfee Alerts that it has found and deleted the following Trojans:

C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\OPQ34HU7\MUN... Generic BackDoor.u
C:\WINDOWS\TEMP\21389870.EXE Generic AdClicker.b

These will come up several times because each time the numbers are different. (In the area marked in bold type). Obviously, even though McAfee gets rid of these, they keep coming back - as the random numbers indicate.

SpyBot works for awhile and then it acts like it wants to take over any and everything I do - on or off line...no matter how I set my options or preferences. I've given it the benefit of the doubt four times, in other words, I've put it in and taken it out, in and out, in and out and finally goodbye.

Windows ME does not allow me to upgrade IE6 to anything higher. I tried.

Note: I have been running this OS since it came out, early in 2000. It was a limited pre-release full function complete OS that was not preinstalled. I had to do that and it took nearly six (6) hours. Oh yeah, it came out six months ahead of the official release date. After watching TechTV one night they were discussing the new Windows OSX or 10. Everything they said this new system would have I learned I already had with my version of ME, yet, it acted completely different when I tried to do things as an ME. So what did I really have? When I right click on the My Computer icon and select Properties it shows that I have Microsoft Windows ME (9x). Anybody know what that is?

Anybody got any solutions? Thanks ahead of time.

Respectfully,
WolfRaven

{Mod Edit: Removed potentially dangerous links
Remove EMail addy to prevent death by Spambots to poster~~boopme}

Edited by boopme, 17 January 2008 - 04:52 PM.

Life is a Journey not a Destination...Enjoy the Adventure.
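As an added illustration (not part of the original post, and not code from any tool mentioned in this thread), here is a small Python script that does in a disciplined way what WolfRaven did by opening the DLL in Notepad: pull the printable strings out of the file and flag the ones that tell a defender what the file can do. The sample blob is constructed from the fragments visible in the post (the PECompact2 marker, the exported COM registration functions, and the imports from urlmon, wininet and advapi32) mixed with invented filler bytes; it is not the real Hfkr4g.dll. The function names `extract_strings`, `is_pe_image`, `triage` and `report` are this example's own.

```python
import re
import sys

# Constructed sample input: a byte blob that mimics what the poster saw in
# Notepad. The readable fragments are taken from the post; the filler bytes
# are invented. This is NOT the real Hfkr4g.dll.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"!This program cannot be run in DOS mode.$\x00\x00\x00Rich\x00"
    b"PE\x00\x00L\x01\x03\x00.text\x00\x00\x00.rsrc\x00\x00\x00.reloc\x00\x00"
    b"\x8b\xd1PECompact2\x00\x00\xff\xe0"
    b"DllCanUnloadNow\x00DllGetClassObject\x00DllRegisterServer\x00DllUnregisterServer\x00"
    b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00VirtualAlloc\x00VirtualFree\x00"
    b"user32.dll\x00wsprintfA\x00advapi32.dll\x00RegSetValueExA\x00"
    b"wininet.dll\x00InternetGetConnectedState\x00urlmon.dll\x00URLDownloadToFileA\x00"
    b"REG_SZ\x00\x1f\x7f"
)

MIN_LEN = 5
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# What each API name or marker tells a defender when it shows up in the strings.
INDICATORS = {
    "URLDownloadToFileA": "downloader: can fetch a file from a URL straight to disk (urlmon)",
    "InternetGetConnectedState": "checks whether the machine is online before acting (wininet)",
    "RegSetValueExA": "writes registry values: configuration or persistence (advapi32)",
    "LoadLibraryA": "resolves imports at run time, as a packer stub does",
    "GetProcAddress": "resolves imports at run time, as a packer stub does",
    "VirtualAlloc": "allocates executable memory, as an unpacking stub does",
    "DllRegisterServer": "exports COM self-registration, so regsvr32-style installation works",
    "PECompact2": "packed with PECompact 2, so the static strings are incomplete",
}


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list:
    """Return runs of printable ASCII of at least min_len bytes (what `strings` does)."""
    pattern = PRINTABLE_RUN if min_len == MIN_LEN else re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def is_pe_image(blob: bytes) -> bool:
    """Cheap header check: a DOS 'MZ' stub followed somewhere by the 'PE\\0\\0' signature."""
    return blob[:2] == b"MZ" and b"PE\x00\x00" in blob


def triage(blob: bytes) -> dict:
    """Classify a file by its printable strings; returns a dict a caller can act on."""
    strings = extract_strings(blob)
    # PE section names are short, start with a dot, and are at most 8 bytes.
    sections = [s for s in strings if s.startswith(".") and len(s) <= 8]
    capabilities = {
        marker: meaning
        for marker, meaning in INDICATORS.items()
        if any(marker in s for s in strings)  # substring match: NUL-separated names can run together
    }
    return {
        "is_pe": is_pe_image(blob),
        "sections": sections,
        "strings": strings,
        "capabilities": capabilities,
        # The combination this thread is worried about: fetches from the net and sets registry values.
        "downloader_with_persistence": {"URLDownloadToFileA", "RegSetValueExA"} <= set(capabilities),
    }


def report(result: dict) -> str:
    """Human-readable summary of a triage() result."""
    lines = [f"PE image: {result['is_pe']}", f"sections: {', '.join(result['sections'])}"]
    for marker, meaning in result["capabilities"].items():
        lines.append(f"  {marker:<26} {meaning}")
    if result["downloader_with_persistence"]:
        lines.append("verdict: downloader with registry persistence; treat as malicious until proven otherwise")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python triage.py <file>   (with no argument it runs on the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    print(report(triage(data)))
```

The point of the capability table is that the imports alone already answer the thread's question: a DLL that imports `URLDownloadToFileA`, `RegSetValueExA` and `InternetGetConnectedState`, exports `DllRegisterServer`, and is packed with PECompact has no business sitting in the Windows SYSTEM folder, whatever the scanners call it. Because the file is packed, the strings you see are only the packer stub's imports; the real payload's imports appear only after unpacking, so an empty capability list from this script is not evidence of a clean file.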


#2 ruby1 (a forum member; Members, 2,375 posts)

Posted 17 January 2008 - 03:27 PM

for starters you could try to fully update, reboot and run full deep scans

http://www.superantispyware.com/superantis...efreevspro.html SUPERAntiSpyware blue box, free for home users;

and a-squared, free for private use

http://www.emsisoft.com/en/software/free/

if it will let you try an on line scan from trend
http://housecall.trendmicro.com/


also this little gem called stinger
from http://vil.nai.com/vil/averttools.aspx
exe is
http://download.nai.com/products/mcafee-avert/stinger.exe

try that selection to start with?
will the computer let you actually create a readable HJT log?

also; cannot recall; do you have a system restore on that windows version? and if so is it enabled?

#3 Eyesee (Bleepin Teck Shop; BC Advisor, 3,536 posts, Gender: Male, Location: In the middle of Kansas)

Posted 17 January 2008 - 04:38 PM

ME did have system restore. I would disable it and reboot before running any scans as malware loves to hide there.
In the beginning there was the command line.

#4 ruby1 (a forum member; Members, 2,375 posts)

Posted 17 January 2008 - 05:18 PM

> ME did have system restore. I would disable it and reboot before running any scans as malware loves to hide there.

is it not wiser to have an infected restore point than to have no restore point at all?

if any scans go pear shaped ( anything is possible :thumbsup: ) then at least there IS A point to go back to, even if it does have an infection in it than to have none at all :flowers:

can you also list exactly what protection programs you think you have on board including your antivirus protection ; I have a suspicion you may have a clash of programs there

via what do you connect to the internet, and which firewalls are you using?

I presume that ME windows version itself will no longer update either ?

you say that the computer came with a PART windows installation? from where did you get the computer and your CD to ??update it?

Edited by ruby1, 17 January 2008 - 05:28 PM.


#5 boopme (To Insanity and Beyond; Global Moderator, 72,240 posts, Gender: Male, Location: NJ USA)

Posted 17 January 2008 - 07:24 PM

ruby1 is correct on this. It is better to clean the PC, then, after it is clean, create a new restore point.

The scans should also be run from Safe Mode (after having updated all tools in regular mode).
How to start Windows in Safe Mode

Please post back the scan results of SUPERAntiSpyware.
To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Edited by boopme, 17 January 2008 - 07:25 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 daklander (Members, 13 posts, Location: LoCal)

Posted 17 January 2008 - 09:32 PM

I would first run Trend Micro's House Call. You may have to disable McAfee. I would then download and install either AVG or Avast, disconnect from the net, disable McAfee and install and run either of the others you downloaded. Reboot to safe mode and run again.
Also look for Win32.Small.ddx. That seems to be part and parcel.
Any of those un-deletable files should be able to be deleted when in safe mode.
Another way to get rid of those files is to download and burn one of the Linux live CD distros and boot up to it. You can then search your windows folders and because you're running in Linux, not windows you should be able to delete those files.

Edited by daklander, 17 January 2008 - 10:14 PM.


#7 WolfRaven (Topic Starter; Members, 4 posts, Location: Wells, Nevada)

Posted 17 January 2008 - 11:51 PM

In response to everyone's input at this point....Thank You

I will attempt to try anything and everything possible from everything I've done so far. I agree with 98% of what everyone has posted and I already have Stinger and have used it also...to no avail. I understand a possible clashing of programs, e.g., various spywares and so forth, and I do take every precaution not to have them collide with each other.

When I finish with your suggestions I will post the befores and afters of the files requested.

In any event, has anyone heard of this particular Trojan or any of the associated malware related to it? SpyHunter offers a list of AdClicker.(?) but it doesn't list any with the [.b] form. Also, I have not seen any new warnings on these with any of my Tech-News Online that I check daily. Am I the first one to get hit with this new stuff? If so, then everyone beware...something new and strange is on the horizon...again.

Thanks Everybody,
See you soon...

WolfRaven

#8 ruby1 (a forum member; Members, 2,375 posts)

Posted 18 January 2008 - 09:09 AM

this lot
http://www.google.co.uk/search?hl=en&q...earch&meta= is what a google search has to say ; one notes the link to McAfee which is suggested as a tool to shift it :thumbsup:

you are obviously infected with/by something and my suggestion is to run these scans as linked above, let us know the bad news, then go to this section
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

and post a log for the experts to check out for you


daklander

> because you're running in Linux, not windows you should be able to delete those files.



ARE you? your comments state you are running windows ME which, as far as I am aware is NOT linux???

http://www.linux.org/

maybe the Board Admin can clarify this?

#9 boopme (To Insanity and Beyond; Global Moderator, 72,240 posts, Gender: Male, Location: NJ USA)

Posted 18 January 2008 - 11:12 AM

WolfRaven Yes please post those results
There is some additional information on that malware here at CounterSpy


ruby1 you've misunderstood something I believe. Something we all do at times. :thumbsup:

> ARE you? your comments state you are running windows ME which, as far as I am aware is NOT linux???


Wolf is running ME. daklander is saying to install Linux and then remove the data in ME.

#10 daklander (Members, 13 posts, Location: LoCal)

Posted 18 January 2008 - 11:20 AM

> because you're running in Linux, not windows you should be able to delete those files.
>
> ARE you? your comments state you are running windows ME which, as far as I am aware is NOT linux???
>
> http://www.linux.org/
>
> maybe the Board Admin can clarify this?


Sorry for the misunderstanding. I run PCLOS, a very nice Linux distro, as my primary operating system. I dual boot on this laptop with WinXP. I ran Windows OSs primarily until a couple of years ago and I still have to maintain my wife's computer because she still prefers XP so I keep up on the problems with Windows OS virus problems.
Again, if you download one of the live CD Linux ISOs and burn the image to CD you can boot to that CD and access the XP files on the hard drive. You don't have to install the Linux operating system for it to work.
For ease of use in that I would, of course, recommend PCLOS if you have a PC with reasonable memory and CPU, or Puppy if you're on a slower PC.

Edited by daklander, 18 January 2008 - 11:28 AM.


#11 daklander (Members, 13 posts, Location: LoCal)

Posted 18 January 2008 - 11:23 AM

> Wolf is running ME. daklander is saying to install Linux and then remove the data in ME.


Sorry, no, I didn't mean to install the Linux, rather run it as a live CD. He can then access the Windows hard drive to remove those files, and should be able to because there is no Windows operating system using those files.

Edited by daklander, 18 January 2008 - 11:25 AM.
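daklander's approach in posts #6, #10 and #11 (boot a Linux live CD, mount the Windows volume, and remove the file while no Windows process has it loaded) is the standard way around a file that Windows will not let go of. Deleting it outright, though, throws away the evidence. The script below is an added example, not daklander's instructions or any tool from this thread: it quarantines the file instead, recording its SHA-256, size and timestamp in a manifest so it can be analysed later or put back if it turns out to be legitimate. It assumes the FAT32 volume is already mounted read-write somewhere (a mount point such as /mnt/win is an assumption); the `demo()` function builds a throwaway directory standing in for that volume with a fake Hfkr4g.dll, so it runs without a real disk. `resolve_windows_path`, `quarantine_file` and `demo` are this example's own names.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def resolve_windows_path(mount_root, windows_path: str) -> Path:
    """Map a path like C:\\WINDOWS\\SYSTEM\\Hfkr4g.dll onto the mounted volume.

    FAT32 names are case-insensitive but Linux lookups are not, so each
    component is matched case-insensitively. Doubled backslashes (as in the
    post's C:\\\\WINDOWS) are tolerated.
    """
    current = Path(mount_root)
    for part in windows_path.split("\\")[1:]:      # [0] is the drive letter, e.g. 'C:'
        if not part:
            continue
        match = next((c for c in current.iterdir() if c.name.lower() == part.lower()), None)
        if match is None:
            raise FileNotFoundError(f"{part!r} not found under {current}")
        current = match
    return current


def sha256_of(path) -> str:
    """Streamed SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine_file(target, quarantine_dir) -> dict:
    """Move target into quarantine_dir and append a record to manifest.json.

    Quarantining beats deleting: the hash and a copy survive for analysis and
    for restoring the file if it turns out to be legitimate.
    """
    target, quarantine_dir = Path(target), Path(quarantine_dir)
    if not target.is_file():
        raise FileNotFoundError(target)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    st = target.stat()
    digest = sha256_of(target)
    record = {
        "original_path": str(target),
        "sha256": digest,
        "size": st.st_size,
        "mtime_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime)),
        # .bin suffix so nothing ever treats the quarantined copy as a loadable DLL
        "quarantined_name": f"{digest[:16]}_{target.name}.bin",
    }
    # shutil.move copies then deletes when source and destination are on
    # different filesystems, which is the normal case from a live CD.
    shutil.move(str(target), str(quarantine_dir / record["quarantined_name"]))
    manifest = quarantine_dir / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else []
    entries.append(record)
    manifest.write_text(json.dumps(entries, indent=2))
    return record


def demo() -> dict:
    """Constructed fixture: a temp directory standing in for the mounted FAT32
    volume, holding a fake Hfkr4g.dll (not the real file)."""
    root = Path(tempfile.mkdtemp(prefix="livecd_demo_"))
    content = b"MZ" + b"\x00" * 62 + b"PE\x00\x00 constructed stand-in, not the real file"
    dll = root / "WINDOWS" / "SYSTEM" / "Hfkr4g.dll"
    dll.parent.mkdir(parents=True)
    dll.write_bytes(content)
    # Deliberately wrong case, as a user typing the path from memory might do.
    target = resolve_windows_path(root, r"C:\WINDOWS\system\hfkr4g.dll")
    record = quarantine_file(target, root / "quarantine")
    manifest = json.loads((root / "quarantine" / "manifest.json").read_text())
    return {
        "record": record,
        "expected_sha256": hashlib.sha256(content).hexdigest(),
        "original_gone": not target.exists(),
        "copy_present": (root / "quarantine" / record["quarantined_name"]).exists(),
        "manifest_entries": len(manifest),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real live CD the call would be `quarantine_file(resolve_windows_path("/mnt/win", r"C:\WINDOWS\SYSTEM\Hfkr4g.dll"), "/mnt/usb/quarantine")`, with the quarantine directory on removable media rather than on the infected volume. Removing the DLL does not remove whatever registers it at boot, which is why the thread's advice to follow up with full scans and a log for the removal experts still stands.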


#12 ruby1 (a forum member; Members, 2,375 posts)

Posted 18 January 2008 - 01:50 PM

as this thread has now been moved down the forum the Log and infection removal experts will be monitoring progress and advising on infection removal methods

however, this caught my eye on Boopme's link to counterspy



> Level: High
> Level Description: High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.
>
> Advice Type: Remove


and the removal tool is......... :thumbsup:

I hope , with the help of the specialist Team in this section on here, you get this computer swiftly cleaned up and back under YOUR control :flowers:

#13 boopme (To Insanity and Beyond; Global Moderator, 72,240 posts, Gender: Male, Location: NJ USA)

Posted 18 January 2008 - 02:01 PM

> and the removal tool is.........


Patiently awaiting the SAS scan results... :thumbsup:



