Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ESET -- Infected w/ registry keys to dll's not found on HD


  • This topic is locked This topic is locked
2 replies to this topic

#1 Ranger Tom

Ranger Tom

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:15 AM

Posted 31 December 2008 - 06:39 PM

Thanks ahead of time for help.

Internet ads started popping up yesterday afternoon based on time the browser was active, a new one about every two minutes.

Have AOL McAfee and firewall. In the SystemGuard log, McAfee allowed "Eset Hooks DLL" to load at "C:\windows\system32\~.exe". This showed "wavoyesizur rundll32.exe" being placed in the HKLM . . . Run registry. Five minutes later a "rikebege.dll" was placed in the registry HKLM SSODL. Six more entries were made within the next 5 minutes. Found all of this after the fact.

Ran several malware removal programs and none of them got rid of the problem.

Then tried HJT and found the following files in the log and in the registry as well: seretisa.dll, zohijiho.dll, tedikojo.dll, runun.dll

Looking at the log and the registry listings, shows these files to be at "C:\WINDOWS\system32\". However, I can not find any of these files at that location, or anywhere else on my HD.

Another thing that was confusing to me is that when I restarted in Safe Mode all of these programs loaded. Thought SM was a minimal load to help fix these problems.

HJT shows these files in 9 registry locations to include the dreaded O21 and O22.

Thanks again -- as I have never had a problem before.

Attached Files



BC AdBot (Login to Remove)

 


#2 Ranger Tom

Ranger Tom
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:15 AM

Posted 02 January 2009 - 01:08 PM

Malware Removed

Before posting this I had run numerous "malware removal" programs -- to no effect. My IE browser was all but useless. I could see the havoc being caused by scanning with tools such as Windows Defender and then with Hijack This. What I did would not have been possible without the visibility provided by HT. Great free tool.

I had noticed that if an offending registry entry was deleted, it would immediately get rewritten. None of the MW tools would kill the program running in memory.

Also learned that could not find the offending files in C:\Windows\System32 because though the "Show Hidden Files" was checked, had not unchecked "Hide Protected Operating System Files" Duh!

Being desparate and ready to replace the hard drive to solve the problem so could get back to work, decided to try on my own to resolve the issue. I am sure all of the volunteers on this site would agree with me that what I did was not the smartest thing to do and the probability of success was low. Anyway, here is what I learned.

Was wailing to myself about why IE wasn't run in a sandbox to preclude such problems. At that time was checking out Kim Komando's site for MW tools and came across Sandboxie. This is a great freeware program that will greatly reduce IE MW problems as it runs sandboxed and redirects changes targeted to the "real" registry to the sandbox registry. Same is true for new files being downloaded or modified automatically.

My McAfee and Windows Defender saw the MW changes being made -- but let them occur anyway. Did not ask me what wanted to do as it occured. Not much protection to those at the beginning of a MW issue.

Anyway, running IE in Sandboxie, could see new MW dll's being spawned in the "sandbox" System32 folder. So went to the "real" System32 folder and added a "z" prefix to the MW file names. Those file names by type previously identified from MW scans and by checking the registry. Looked for the files in other folders, not found. When rechecked System32 found another set had been spawned. Gave those the z prefix and about a dozen others that matched the profile of random name, file type, file size, and date. Closed all of the windows and turned off my computer with the computer power switch.

Restarted the computer in Safe Mode and scanned with Hijack This. HT showed the registry entries being loaded but the files were not run as they no longer existed with the called name. The MW program(s) were no longer running in memory. Then deleted from the registry all associated MW file names and ClassId's.

Computer runs great now, very fast. And since I am surfing the internet running "Sandboxie" feel a lot safer. So, with the grace of God, I was able to remove all of the malware.

*************

After thinking about this incident for another day, decided that I needed to edit this post by adding more information to what was written above.

While still infected, Sandboxie showed two files (qmgr0 & qmgr1) being accessed at "C:\Documents and Settings\All Users\Application Data\Microsft\Network\Downloader\". When I added the "z" prefix to the filename of the MW files in System32 (see above), these two files also were renamed. Afterward, these two files were automatically regenerated so believed had nothing to do with the MW. Rethinking, I noticed the MW file size was several k larger and they have not been accessed by my "clean" system. So now believe these two files had been changed by the MW.

MW files in System32 were:

1. A 60kb application with filename "~" that was not hidden. This never spawned.
2. A 2kb file that would spawn marked "Operating System Files and Hidden"
3. A 1-2 mb Configuration Settings file that would spawn.
4. 2 .dll's (83kb & 96kb) Application Extension files that would spawn. Description: Eset Hooks Dll. When these two spawned, they would be marked "Operating System Files and Hidden" but occasionally one would be left unmarked and therefore visible.

Filenames were 8 characters long with random letters and numbers.

Another major enlightment I received was about my McAfee virus protection software. I had "ass u me d" that the software would be loaded locked-down as MS now does with their servers. Babe-in-the-woods me was very wrong. The basic configuration did little more than log the MW being loaded. Guess it makes it easier for them to clean the system when you call and pay $90 for McAfee live help.

Ranger Tom

Edited by Ranger Tom, 03 January 2009 - 11:06 AM.


#3 Pandy

Pandy

    Bleepin'


  • Members
  • 9,559 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:15 AM

Posted 03 January 2009 - 07:57 PM

Ranger Tom, if you feel you are all squared away I will go ahead and close your topic here. If at anytime you feel you need to revisit this post feel free to send me, or any other moderator a pm with a link and we will be happy to re-open it for you. Sounds like you did a great job, and thanks you for taking the time to let us know what you had done to fix your computer.

Pandy~

Do not anticipate trouble, or worry about what may never happen. Keep in the sunlight.

Hide not your talents. They for use were made. What's a sundial in the shade?

~ Benjamin Franklin

I am a Bleeping Computer fan! Are you?

Facebook

Follow us on Twitter





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users