
This 1 Kills Hijackthis At 1st Sight And Killbox At Execute.


13 replies to this topic

#1 codevictim

codevictim

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:19 AM

Posted 05 June 2007 - 01:25 AM

I'm pretty careful but this one got by a ClamWin scan.

Opened up and has nested nicely. Make that tenaciously.

Appears similar to what I've read described as a "kit" which is a new one on me.

I would post a HijackThis log but I can't.

I've tried 3 versions of HjT. All crash as soon as the first menu window comes up.
Get this. If you're in Explorer, you can browse around all you want, but the second you open
a folder with an HJT copy in it. Boom. Explorer dies.

I spent a day and a half chasing the thing manually. 'Local Settings' folder; the Root folder had 6 DLLs that keep
recreating themselves. Safe Boot. Cache and cookie clears. Reg Mechanic, manual Regedit-ing. System32 dir.
You name it. Even the registry keys were regenerating themselves in real time.

Found a really good sounding procedure using KillBox plus 2 others (C-Cleaner - and Process Mgr?) That
looked like the ticket until KillBox just - well - this virus has to be pretty new.

I swear I think it even recognized the AVG installer and crashed Explorer on the spot.

I have deleted the suspect dll from a Safe Boot DOS Prompt.

Everything.

If you can lend any advice fine - But I'm readying things for zee big FDISK, even as we uhm speak??
I wish.

[It's Win2k SP4(+)]
tks in advance for any jeers, soft tomatoes, lewd stares, bad jokes, cowardly dead lemming like silence, or,
god forbid some best in class assistance.

code


#2 oldf@rt

oldf@rt

  • Members
  • 2,609 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Avondale, Arizona USA
  • Local time:09:19 PM

Posted 05 June 2007 - 01:43 AM

You can kill this manually if you have the UBCD for windows:

You must check the dll size, not name. There is a version of erunt to backup the registry. Look for any files in system32 that end in temp with the same creation date as your problem. The file will have the same size as your dll. This is the exe that re-creates the dll and re-infects your machine. Clear all the run keys in the registry that match.

An XP boot disk can also run the recovery console. again, you must manually clean the SYSTEM32 subfolder and the registry.

http://www.ubcd4win.com/downloads.htm

Edited by oldf@rt, 05 June 2007 - 01:49 AM.

The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage
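oldf@rt's procedure above (pair the re-creating executable with the DLL by size and creation date rather than by name, then strip the Run keys that point at either), written out as an added Python triage script. It is not code from this thread or from UBCD4Win; it runs offline over a mounted or copied system32 directory and over the text of a `reg export` dump. The directory tree and the .reg text it builds are constructed samples, and the names xkrtemp, oldfile.dat and the rundll32 entry are assumptions for illustration. One caveat a practitioner needs: Python only reports the NTFS creation time as st_ctime on Windows, so on other platforms the script falls back to st_birthtime or, failing that, the modification time, and the flag CREATION_TIME_IS_REAL tells you which you got.

```python
"""Offline triage for a self-recreating DLL, after oldf@rt's advice: find the
dropper by size and creation date, not by name, then pull the Run/RunOnce
values that reference it from a reg export.  Added example; the sample tree
and the .reg text are constructed, not taken from the thread."""
import os
import re
import sys
import tempfile
from datetime import date

# NTFS creation time is st_ctime only on Windows; elsewhere use st_birthtime
# where the platform has it, else fall back to mtime so the script still runs.
CREATION_TIME_IS_REAL = sys.platform == "win32" or hasattr(os.stat("."), "st_birthtime")


def creation_day(path):
    """Calendar day the file was created (best approximation available)."""
    st = os.stat(path)
    ts = st.st_ctime if sys.platform == "win32" else getattr(st, "st_birthtime", st.st_mtime)
    return date.fromtimestamp(ts)


def dropper_candidates(root, suspect_dll):
    """Files under root with the same size and creation day as suspect_dll.
    Names ending in 'temp' (oldf@rt's tell for the re-creating exe) sort first."""
    size, day = os.path.getsize(suspect_dll), creation_day(suspect_dll)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.samefile(path, suspect_dll):
                continue
            if os.path.getsize(path) == size and creation_day(path) == day:
                hits.append(path)
    hits.sort(key=lambda p: (not os.path.basename(p).lower().endswith("temp"), p))
    return hits


RUN_KEY = re.compile(r"\\run(once)?$", re.IGNORECASE)
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def run_entries_referencing(reg_text, suspect_names):
    """(key, value name, data) for every Run/RunOnce value whose data mentions
    one of suspect_names.  reg_text is what `reg export` / regedit writes."""
    wanted = [s.lower() for s in suspect_names]
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]           # new section: remember which key we are in
            continue
        if key is None or not RUN_KEY.search(key):
            continue                   # only autostart keys matter here
        m = VALUE_LINE.match(line)
        if m and any(s in m.group(2).lower() for s in wanted):
            hits.append((key, m.group(1), m.group(2)))
    return hits


# Constructed stand-in for a reg export of the usual autostart keys; the
# rundll32 line and the 'xkrtemp' name are assumptions for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"ddccd"="rundll32.exe C:\\WINNT\\system32\\ddccd.dll,Start"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\WINNT\\xkrtemp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache"="C:\\Documents and Settings\\code\\Local Settings\\Temporary Internet Files"
'''


def build_sample_tree():
    """Constructed system32 look-alike: the suspect DLL, its same-size dropper,
    an innocent file of another size, and a same-size file from another day."""
    root = tempfile.mkdtemp(prefix="sys32_")

    def put(name, size, old=False):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * size)
        if old:
            os.utime(path, (0, 0))  # only changes the day where we fell back to mtime
        return path

    suspect = put("ddccd.dll", 4096)
    put("xkrtemp", 4096)
    put("kernel32.dll", 8192)
    put("oldfile.dat", 4096, old=True)
    return root, suspect


def demo():
    root, suspect = build_sample_tree()
    names = [os.path.basename(p) for p in dropper_candidates(root, suspect)]
    hits = run_entries_referencing(SAMPLE_REG, ["ddccd.dll", "urqpqrr.dll", "xkrtemp"])
    return {"candidates": names, "run_hits": hits}
```

Point dropper_candidates at the real system32 (from a boot CD, so the DLL is not locked and cannot re-create itself) and hand run_entries_referencing a dump made with `reg export` of the Run and RunOnce keys under both HKLM and HKCU; the tuples it returns are exactly the values to delete after the erunt backup oldf@rt mentions.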

#3 syunichi

syunichi

  • Members
  • 130 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Miri
  • Local time:11:19 PM

Posted 05 June 2007 - 02:54 AM

I hope you cleaned up your startup list apps too. Being able to do an AV scan through the HDD means a success for your effort. Good luck.

ps: just curious about your deleting DLLs instead of EXEs, anyways... good luck

Tech Support: "Do you have any windows open right now?"
Customer: "Are you crazy woman, it's twenty below outside..."

#4 codevictim

codevictim
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:19 AM

Posted 05 June 2007 - 08:25 AM

> You can kill this manually if you have the UBCD for windows:
>
> You must check the dll size, not name. There is a version of erunt to backup the registry. Look for any files in system32 that end in temp with the same creation date as your problem. The file will have the same size as your dll. This is the exe that re-creates the dll and re-infects your machine. Clear all the run keys in the registry that match.
>
> An XP boot disk can also run the recovery console. Again, you must manually clean the SYSTEM32 subfolder and the registry.
>
> http://www.ubcd4win.com/downloads.htm


Thank you, oldf@rt.

Plan for the day now after 6 hrs of sleep is/was to hit Staples' $100 350gb HD deal.
Have 9 days left to activate new XP Pro which had to happen to the tune of $3bigones.
So I have that to work with tho not sure if any advantages there, or what to
watchout for yet.

Had seen this slipstream-disk business this time last year but do you think
I could be that patient? So that link is a godsend; will save me an hour scouring bookmarks.
Can't thank you enough. This system looks way better than one I had seen.

...............................................

Yes. I was deleting files from the C prompt using Dir command switches to
scope them out by date. Praying they also had not written this crap to
change date when files write out or something. Roughly a dozen dll's all told.

And only five of those appear to keep the same name when they reappear. ?recall? these
were writing into both winnt\sys32 and c\root.

Win2k Recovery Console attempt complained that ntoskrnl was corrupt tho sys is still
otherwise stable enough to backup/out data to another pc. Wondering how deep the thing hooks
into nt core or [freeeeze] the mbr.

Generally - any hints whether I need or want to officially activate new XPPro disk before
or after making a slipstream disk?

#5 codevictim

codevictim
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:19 AM

Posted 05 June 2007 - 09:27 AM

> I hope you cleaned up your startup list apps too. Being able to do an AV scan through the HDD means a success for your effort. Good luck.
>
> ps: just curious about your deleting DLLs instead of EXEs, anyways... good luck



Yes, Syunichi. This virus is unbelievable.

I am not trained formally so I use only a basic and cautious approach.
I think I did delete 1 to 3 EXE files but DLL files were predominant.

In SAFE MODE from in the c:\, c:\winnt, and c:\Winnt\system32 dirs I did a "DIR /p /o:dg /t:c" command which puts the newest files last in list. Then I deleted them. Like I say tho I thought I was fried because it's killing HIJACKTHIS even quicker now. 1st HJT run I could see the BHO's there for a split second, then boom, HJT goes poof. KILLBOX doesn't even open; just flash-gonzville. Just gonna list other symptoms here for people if okay:

I did also have to look in many other Windows 2000 Pro folders. This virus also goes into Firefox profile folders and of course duplicated in IE settings in
the registry.

There are a couple of companies that had popups which I avoided clicking, but for example Kaspersky had a couple products pitched for a while till I disabled those with some deletion or another. Don't ask which. I'm already burnt out from yesterday.

This virus also sets up shop all over the place in the registry of course. Fortunately familiar with usual places/reg-keys.
Did the Edit-Find, all hives, checking all 'Run' and 'RunOnce' keys. Yep. There they were.

One pair of dlls plays off each other I noticed while using Process Explorer. urqpqrr.dll and ddccd.dll. killing the second one recreates the first ad infinitum.

But what really saddens me was/is you can nav to any Windows Explorer folder that has a copy of the various popular antivirus tools, checkers, scanner progs and exe files and as soon as you hover the mouse over the executable - the whole Windows Explorer window crashes. It's as if it's reading some code in the icons or some damned thing.

Honestly!! What these idiot saps marvel at as being "genius" makes you wonder if we're all gonna devolve into monkeys soon.

Headin to check out slipstreaming and link next.

Just the stupid way of the world these days I guess.

#6 syunichi

syunichi

  • Members
  • 130 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Miri
  • Local time:11:19 PM

Posted 06 June 2007 - 12:39 AM

ahh..thk god you had overcome those problems. If I'm not mistaken, you said about going through the registry (regedit) without getting process-killed. That's a great thing. I thought you were messing with enhanced viral like I did countless times during my visit at schools. It does what you call kill all fix tools...even it will be considered lucky for you to land your cursor onto one. This is the full list of what the virus will kill on payloads

cmd.exe mmc.exe procexp.exe registry killbox hijack anti washer ertanto movzx regedit.exe msconfig.exe killbox.exe hijackthis.exe brontokwasher.exe scheduled task bitdef computer management group policy system configuration command prompt hijack sysinter aladdin kaspersky panda trend cillin grisoft mcaf avast norman symantec norton machine movzx
rontox rontok kill washer remove antivirus folder option


Try this one for a change to Killbox, the "IKnowProcess" app. Also removing the virus in a bad manner would result in regeneration of another.

By surprise this is the location where those virus resides

C:\WINDOWS\system32\Xyyyy, where x represents alphabet and y as numeric
C:\WINDOWS\system32\s8787

Variety apps are loaded, for instance:
o Winlogon
o Services
o Lsass
o Smss
o Csrss

And renaming msvbvm60.dll to another name will aid as well for some vbs will not load to regenerate those pesky virals.

Hmm...looking at your style I think you know well how OS works. Godspeed and good luck :thumbsup:

#7 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:10:19 PM

Posted 06 June 2007 - 03:23 PM

Hey codevictim,

Just curious, did you try renaming HijackThis? Might be possible from the command line. Did you try any of the alternative scanners, such as Silent Runners or WinPFind3?

This virus sounds painful for the user but not terribly thorough. If it doesn't kill Regedit or Process Explorer it is probably not aware of the tools I just mentioned, either.

Since Regedit works an analyst could use a Silent Runners log to work up a manual fix. WinPFind3 does not even need Regedit -- it deletes files and reg keys from a script file that the analyst creates for the user.

Dave

#8 codevictim

codevictim
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:19 AM

Posted 07 June 2007 - 08:46 AM

> Hey codevictim,
>
> Just curious, did you try renaming HijackThis? Might be possible from the command line. Did you try any of the alternative scanners, such as Silent Runners or WinPFind3?
>
> This virus sounds painful for the user but not terribly thorough. If it doesn't kill Regedit or Process Explorer it is probably not aware of the tools I just mentioned, either.
>
> Since Regedit works an analyst could use a Silent Runners log to work up a manual fix. WinPFind3 does not even need Regedit -- it deletes files and reg keys from a script file that the analyst creates for the user.
>
> Dave



Dave,

'Fraid to say that yeah I did try renaming HJT. First the exe to RijackThis.exe, then after it still crashed, renamed the HJT folder to \RijackThis\. No dice. It still recognizes it.

Spent the day cherry picking out all my data, installers, etc, and backed up onto another machine and a few data dvd's.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Dave, or Anybody in this group!!!!!!!!!!!!!!!!!!!!! Please note!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Somebody has to let me know if I have a NEW unseen before virus and if I should try the utilities / procedures tested
before I format away this corrupted Win2000 environment. Got 3 decent years out of this Win2k install so FDISKing it is prob well overdue.
Am less motivated to fix this manually at this point where I could still risk missing something, and starting over.

Will try a couple of these things before formatting but someone should let me know if this virus sounds more important to investigate or test/experiment with.

Will go through the suggestions to see if it fixes the symptoms / behaviours mentioned above, but can't have machine out of service too long.

I have wanted to do up a slipstream installer so good time for it. Unless like I say, if you guys think I have a "kit" or "package" that should really be analyzed more thoroughly. Got it from a dirty keygen so I only have myself (and an un-updated install of ClamWin) (which again falls on me) to blame.

Thanks for all input.

Any vets on this stuff should tell me if this sounds like a real new one on you too. If so I would be glad to help.

code

#9 codevictim

codevictim
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:19 AM

Posted 07 June 2007 - 01:48 PM

Syunichi,

Thank you. I have downloaded IKnowProcess. I will try that and a few things before I FDISK. Almost ready now.

Wow. The list you sent explains that part good. Thanks for that.

As for system32 dir, I saw some Xyyyy items but I think it was in temp folders under Docs&Settings. I could be incorrect about this - I found and deleted suspect items in so many folders now I forget. But..

Right now in System32 I still get the worst ones.
Ddccdd.dll
Urqupqrr.dll
Mnolhhpwtgsa.dll
D3acdb.dll
+
was having others that change name to similar like this:
jjuxuipl.dll
these others were about 10 originally.
I could kill most but not all of them from TaskMgr okay. At first they regen'd, but if you hit them quick - highlight with mouse + hit Alt-E (end process) repeatedly you can kill them, but like you say you have to be quick.

At most recent bootups, - after hours of careful deletions all over explorer and registry they do not reappear during a session.

I have Win-autoupdates off. And most others. And Firefox just did an update. But something new is trying to call out. Probably the foistware (spamware) included in the virus payload.

............................................

Notes:

1. .......................

I have one question to be sure about something.

On my W2k machines TaskMgr always shows Smss.exe and Csrss.exe and Services.exe. Even on healthy machines. Are not these three (3) legitimate Windows processes?

2. ........................

Lsass is one I remember fixing a couple yrs ago. But do not recall seeing it among files I deleted this time.

3. .........................

Msvbvm60.dll: I have 3 copies.
a.) Win\system32\
b.) Win\ServicePackFiles\i386\
c.) Win\$NtServicePackUninstall$\

Do I have to rename them all? And don't I have to turn off Windows AutoUpdating Service before trying to rename anything for the i386 dir?

................................................

I would like to know more than I know. So I hope you will please say if it I should delete the Service Pack folders under Winnt\. I am always afraid to delete those cause I think they correspond to Hotfix listings in Add/Remove, no?
Ha! I have about 20 of them on each machine.

Thanks again

Codevictim

#10 codevictim

codevictim
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:19 AM

Posted 07 June 2007 - 02:01 PM

Update:

My mistake. I do have Lsass.exe listed in TaskMgr.

Anyone know if following files (services) are needed by Windows 2000?

Csrss.exe
Smss.exe
Lsass.exe

And if there is a recent standalone removal procedure for those, or if any fixes are more recent than others?

Thanks for any and all advice.

God I hate this. Such a stupid waste of everybody's time. Or just plain lack of creativity. Or common highway thuggery. Take your pick. They did say we could rant, lol, right?

Code

#11 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:10:19 PM

Posted 07 June 2007 - 10:00 PM

Sorry to be late replying, I've had a busy day but I managed to do a little research.

Please take a look at this topic over at SpywareInfo. Note how the victim was able to get HijackThis to run by killing explorer.exe (-- to start Task Manager, under the Processes tab navigate to Explorer.exe, select it, and click End Process), and then running HJT from Task Manager (under the Applications tab, click New task and browse to your HijackThis.exe file).

Similarly you can use Task Manager to launch your browser and post the log in the HijackThis forum here at BC.

Also note that after trying a couple of tools nasdaq (the helper) figured out the right one to use on this infection. Which by the way was quite a feat, I'm not sure I could have done it.

Even if you are able to run delfkil by yourself, I recommend you post the log and work with a helper on this because there will be some manual cleanup to do after you stop the infection.

> Anyone know if following files (services) are needed by Windows 2000?
>
> Csrss.exe
> Smss.exe
> Lsass.exe


Those are all normal Windows System files. So is Msvbvm60.dll. Leave them alone.

Good luck.

Edited by DaveM59, 07 June 2007 - 10:07 PM.


#12 syunichi

syunichi

  • Members
  • 130 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Miri
  • Local time:11:19 PM

Posted 08 June 2007 - 02:42 AM

msvbvm60.dll if renamed won't cause much trouble in the system. It just stops vbs codes from running and if at startup you receive an error for msvbvm60.dll, the system will still run; renaming it back to what it was is the remedy. And I use my old fashion style to peek at fast killed apps like msconfig and taskmanager, oh and btw you can safely get a copy of WinXP msconfig and put it at system32 folder and execute it if you are running win2k. Correct me if I'm wrong, but if I'm not mistaken win2k is the running engine for winXP system. Try my style for a change, the PrintScreen button. :thumbsup:

ctrl+alt+del or ctrl+shift+escape to bring up task manager, max it and print screen it before it closes. Paste it at mspaint and hope you can snapshot all the running apps. Delete via cmd prompt with taskkill /IM *.exe, for instance

taskkill /IM notepad.exe

If lucky, it will kill the running process and you can now proceed to the next process. The IKnowProcess works like taskmanager so I hope it also aids you in killing those pesky running processes. And be aware of
Csrss.exe Smss.exe Lsass.exe that is not running under system32 folder...kill it. If possible run the msconfig and see what exe or any weird payload running at startup..maybe then you know where to end it :flowers: Good luck
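Two checks that syunichi describes in posts #6 and #12, written up as one added Python script that is not from this thread or from any tool named in it: first, which of your tool names a substring kill-list like the one posted in #6 would catch; second, which processes carry a core system-process name but run from somewhere other than %SystemRoot%\system32 (the csrss/smss/lsass rule from #12). The kill list is transcribed from #6 with its duplicates removed; the process list, the user name "code" and the Temp path are constructed. One thing the first check shows: a plain file-name match against that list does not catch "RijackThis.exe", so whatever this sample keyed on when it still killed codevictim's renamed copy, it was not the file name alone.

```python
"""Added example: kill-list exposure of tool names, and system-process
impostors by image path.  Process list is constructed, not from the thread."""
import ntpath

# syunichi's list of what the malware kills, deduplicated; treated as
# case-insensitive substrings of a process name or window title.
KILL_LIST = [
    "cmd.exe", "mmc.exe", "procexp.exe", "registry", "killbox", "hijack", "anti",
    "washer", "ertanto", "movzx", "regedit.exe", "msconfig.exe", "killbox.exe",
    "hijackthis.exe", "brontokwasher.exe", "scheduled task", "bitdef",
    "computer management", "group policy", "system configuration",
    "command prompt", "sysinter", "aladdin", "kaspersky", "panda", "trend",
    "cillin", "grisoft", "mcaf", "avast", "norman", "symantec", "norton",
    "machine", "rontox", "rontok", "kill", "remove", "antivirus", "folder option",
]


def kill_list_matches(name):
    """Kill-list words found in name (a file name or a window title)."""
    lowered = name.lower()
    return [w for w in KILL_LIST if w in lowered]


# Core processes that only ever run from %SystemRoot%\system32 on Win2k/XP.
SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


def impostors(processes, system_root=r"C:\WINNT"):
    """Entries named like a core system process whose image lives outside
    system32.  Each process is {'name': ..., 'path': ...}."""
    expected = ntpath.normcase(ntpath.join(system_root, "system32"))
    return [p for p in processes
            if p["name"].lower() in SYSTEM_PROCESSES
            and ntpath.normcase(ntpath.dirname(p["path"])) != expected]


# Constructed process list in the shape a lister such as Process Explorer
# shows; the user name and Temp path are assumptions.
SAMPLE_PROCESSES = [
    {"name": "smss.exe", "path": r"C:\WINNT\system32\smss.exe"},
    {"name": "csrss.exe", "path": r"C:\WINNT\system32\csrss.exe"},
    {"name": "lsass.exe", "path": r"C:\WINNT\system32\lsass.exe"},
    {"name": "lsass.exe", "path": r"C:\Documents and Settings\code\Local Settings\Temp\lsass.exe"},
    {"name": "services.exe", "path": r"C:\WINNT\services.exe"},
    {"name": "explorer.exe", "path": r"C:\WINNT\explorer.exe"},
]
```

impostors() only flags a process when both the name and the wrong directory line up, so the legitimate copies of smss, csrss and lsass in system32 pass, and explorer.exe in C:\WINNT is not flagged because it is not on the system-process list; on a live box you fill the list from whatever process lister you can still get to run, then kill the flagged entries by PID rather than by name, since the name is shared with the real process.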

#13 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:10:19 PM

Posted 08 June 2007 - 06:42 AM

Syunichi is right about msvbvm60.dll, it is not vital. (The other three are.) However, there's no need to kill msvbvm60.dll, it's not part of the problem here.

Syunichi is also right about Csrss.exe / Smss.exe / Lsass.exe running from other locations than \system32: they can be malware. However, what Codevictim has is a new variant of the Win32.Delf trojan and there is a tool made to deal with it. See the SWI topic I linked to.

#14 syunichi

syunichi

  • Members
  • 130 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Miri
  • Local time:11:19 PM

Posted 09 June 2007 - 04:26 AM

aahhh...no wonder I felt like it is never ending, thx dave for the reminder. True, a trojan is as stubborn a stain to deal with. Hope to hear good news from you soon code..godspeed.



