peterpaulmary

Worm.Win32.Raleka alias W32Kelar.A

6 posts in this topic

I was experimenting with 7 different online virus scans. Only one of them was able to identify "Kelar.A" in file "down.com", and I was able to "disinfect" it with the same software. After reading at several websites I learned that the "Kelar" or "Raleka" worm creates "down.com". It also attempts to download the following additional files: svchost32.exe, ntrootkit.exe, ntrootkit.reg; two log files named Rpcss.ini and Svchost.ini; and the backdoor component "Backdoor.RTKit11.a". I suspect that while I was able to "disinfect" the "down.com" file, I may still have remnants in my Registry and elsewhere. Each time I boot my computer I have three separate requests from the file svchost.exe to access my firewall. I read that "Kelar.A" modifies the file svchost.exe in the Windows system directory and overwrites its content with a copy of the worm. I suspect that this worm is still capable of sending data from my computer to IRC servers.

My HijackThis log is noted below. It now contains 4 copies of svchost.exe, which is 2 more copies than my last log of two days ago. Is there any sort of removal tool which might rectify things? Should I be removing the svchost.exe files and, if so, how and what then? I downloaded a DOS tool from www.norman.com but haven't had much luck with it. I have also downloaded an applicable security patch from Microsoft (I thought I had them all).

Logfile of HijackThis v1.98.0

Scan saved at 8:14:16 PM, on 7/29/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\csrss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\system32\spoolsv.exe

D:\Program Files\Grisoft\AVG6\avgcc32.exe

D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

D:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe

D:\WINDOWS\MXOaldr.exe

D:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe

D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

D:\Program Files\Messenger\msmsgs.exe

D:\WINDOWS\System32\ctfmon.exe

D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

D:\Program Files\Logitech\MouseWare\system\em_exec.exe

D:\WINDOWS\System32\alg.exe

D:\PROGRA~1\Grisoft\AVG6\avgserv.exe

D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

D:\Program Files\Dantz\Retrospect\retrorun.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\ZoneLabs\vsmon.exe

D:\WINDOWS\System32\devldr32.exe

D:\Program Files\Internet Explorer\IEXPLORE.EXE

D:\Documents and Settings\Mary Paul\My Documents\HighJackThisSearchResults\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [AVG_CC] D:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [AdaptecDirectCD] D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [MaxtorCombo] "D:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"

O4 - HKLM\..\Run: [MXO Auto Loader] D:\WINDOWS\MXOaldr.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [Tau Monitor] D:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe

O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .mov: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab


Hi again :)

I found MORE info:

The files are downloaded to the SYSTEM folder:

NTROOTKIT.EXE (128000 bytes) Backdoor Trojan
NTROOTKIT.REG (245 bytes) Backdoor Trojan Regfile
SERVICE.EXE (27136 bytes) Application to install Services
SVCHOST32.EXE (14880 bytes) The worm itself
SVCHOST.CMD (132 bytes) Batchfile

The NTROOTKIT files are downloaded to the Windows System directory and are detected as "NTRootKit-E" with 4289 DATs or later.

After the download, the worm tries to overwrite the SVCHOST.EXE in the SYSTEM folder with a copy of itself and executes it.

http://vil.nai.com/vil/content/v_100574.htm

Maybe give McAfee's STINGER a shot?

http://vil.nai.com/vil/stinger/


Thanks again, Marianne. I tried Stinger twice but with no luck. I was hoping that some reader might be able to explain a couple of the questions in my posting relating to svchost.exe, in addition to locating a removal tool. I will keep my fingers crossed that you or someone comes up with the answers I need. Have a great weekend.


It's me again :weee:

What you could also do is download The Cleaner Professional from Moosoft - it is FREE for 30 days!

http://www.moosoft.com/products/cleaner/download/

It has TC Active and TC Monitor - run both at startup - and see if you can locate anything.

After downloading and installing - UPDATE first before running!

Have a great weekend too :)


Thanks again, Marianne. I downloaded, updated and tried the Moosoft Cleaner, but once again I had no luck. This trial-and-error method has a downside. Perhaps someone will come along who examines my HijackThis log and answers some of the questions I raised in my initial post, particularly about the extra svchost.exe and all the other files that Kelar.A alias W32/Raleka may have installed on my hard drive. I know the Panda software disinfected the related "down.com" file created by Kelar, but I wonder if there is more for me to find and repair or remove?


I can understand you want to get rid of that "thing"!

McAfee states:

When the worm finds an unpatched system, it creates a 7-bit encoded file called DOWN.COM (8954 bytes) on the victim machine and executes it with the IP address and a port number of the attacking host. The file uses Internet Explorer to download additional files from the attacking host, rather than downloading them from the IP address mentioned above.

The files are downloaded to the SYSTEM folder:

NTROOTKIT.EXE (128000 bytes) Backdoor Trojan
NTROOTKIT.REG (245 bytes) Backdoor Trojan Regfile
SERVICE.EXE (27136 bytes) Application to install Services
SVCHOST32.EXE (14880 bytes) The worm itself
SVCHOST.CMD (132 bytes) Batchfile

As you wrote, Panda disinfected down.com.

When you go into SAFE MODE, can you SEE the above files?

If you SEE the files, you only have to right-click and delete them.
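The open question in this thread is which entries in the HijackThis log belong to the worm. As an added example (not code from the thread, McAfee or HijackThis), the script below reads a log in the format posted above, lists the running processes and O4 Run entries, and flags any whose file name matches the dropped files McAfee lists; the sample log is constructed, and the svchost.exe count comes with the caveat the thread itself raises.

```python
import re

# File names the McAfee excerpt in this thread lists as dropped by W32/Raleka, plus down.com.
RALEKA_FILES = {"down.com", "ntrootkit.exe", "ntrootkit.reg", "service.exe",
                "svchost32.exe", "svchost.cmd"}

# Constructed excerpt in HijackThis v1.98 format (not the log posted in the thread).
SAMPLE_LOG = """Running processes:
D:\\WINDOWS\\system32\\services.exe
D:\\WINDOWS\\system32\\svchost.exe
D:\\WINDOWS\\System32\\svchost.exe
D:\\WINDOWS\\System32\\svchost32.exe

O4 - HKLM\\..\\Run: [AVG_CC] D:\\Program Files\\Grisoft\\AVG6\\avgcc32.exe /startup
O4 - HKLM\\..\\Run: [svchost] "D:\\WINDOWS\\System32\\svchost.cmd"
"""

_O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First token ending in an executable-style extension; tolerates spaces and trailing arguments.
_PATH_RE = re.compile(r'^"?(.+?\.(?:exe|com|cmd|bat|reg|scr|pif|dll))"?', re.IGNORECASE)

def basename(path):
    return re.split(r"[\\/]", path.strip())[-1].lower()

def running_processes(log):
    """Image paths listed under 'Running processes:' (the block ends at the first blank line)."""
    parts = log.split("Running processes:\n", 1)
    if len(parts) < 2:
        return []
    return [l.strip() for l in parts[1].split("\n\n", 1)[0].splitlines() if l.strip()]

def autostart_commands(log):
    """(hive, value name, image path) for each O4 Run entry in the log."""
    out = []
    for line in log.splitlines():
        m = _O4_RE.match(line)
        if m:
            p = _PATH_RE.match(m.group("cmd"))
            out.append((m.group("hive"), m.group("name"), p.group(1) if p else m.group("cmd")))
    return out

def triage(log):
    procs = running_processes(log)
    flagged_procs = [p for p in procs if basename(p) in RALEKA_FILES]
    flagged_runs = [e for e in autostart_commands(log) if basename(e[2]) in RALEKA_FILES]
    # Several svchost.exe instances under System32 are normal on XP; the worm overwrites the
    # genuine file in place, so neither the path nor the count proves it clean (hash it instead).
    svchost = sum(1 for p in procs if basename(p) == "svchost.exe")
    return {"flagged_processes": flagged_procs, "flagged_autostarts": flagged_runs,
            "svchost_instances": svchost}
```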
