
How in the world do you get rid of this thing?


  • This topic is locked
18 replies to this topic

#1 cattleina

    Member

  • Full Member
  • 4 posts

Posted 15 June 2004 - 11:21 PM

http://www.spywarein...?showtopic=7261

#2 Felt65

    Member

  • Full Member
  • 21 posts

Posted 15 June 2004 - 11:52 PM

Thanks for the reply, I tried what you said and it is still there. It's driving me insane. :weee:

#3 toblerone

    Member

  • Full Member
  • 24 posts

Posted 15 June 2004 - 11:59 PM

Tried this twice, hasn't worked...

#4 chrisgaltieri

    Member

  • Full Member
  • 19 posts

Posted 16 June 2004 - 12:23 AM

http://www.spywarein...?showtopic=7281

#5 sranson

    Member

  • Full Member
  • 5 posts

Posted 16 June 2004 - 03:11 AM

Ah, this sounds familiar. I'm running spyware guard which is stopping a lot of the bho addition and changes to home pages etc. but it is still very infuriating.
This is a complete bastard.
Just to add to the plot, once whatever is doing this is running, then it tries to update the registry and add the bho at random times during the day even if IE isn't running.
And nothing in the task manager list :-(

I'm still waiting for some assistance on this one as well.

#6 rheinspiel

    Member

  • New Member
  • 2 posts

Posted 16 June 2004 - 03:17 AM

Yea, I have the exact same shit. I posted just a few moments ago. Wonder if this is something new that Microsoft was talking about last week. Hopefully someone will figure out how to fix this pain in the ass. My friend got this the other day and he just reformatted. That hopefully won't be the case here.

#7 Lithium

    Member

  • New Member
  • 1 post

Posted 16 June 2004 - 03:26 AM

This is sooo awesome! I finally found some people with the exact same shit as me! I also have tried everything.. Ad-Aware, Spybot, Bazooka, CWShredder, cws_killer etc. :gah: From what I can tell it's a mutant strain of the about:blank CWS and just like the rest of you it writes a randomly named .dll in the c:\windows directory. I really hope somebody can figure this one out.. there is a BUNCH of people with this problem.. ohhhhhhh I wish I could find the guy who wrote this, I'd go crazy ninja :ph34r: on his ass with my keyboard.

#8 sranson

    Member

  • Full Member
  • 5 posts

Posted 16 June 2004 - 04:26 AM

Time for some self help. A question for those affected:

I've had a mooch through my HDD, and found a couple of suspect files which have dubious content when you look at the hex dump. Do you have them as well?

C:\windows\rocky.exe
C:\windows\sb.exe

Mine have a recent date which could easily be when I was infected.
sb.exe has references to rocky.exe inside it along with

flingstone.com

Might be some other pestware but nothing else is found by any of the other programs I use.

#9 rd_syringe

    Member

  • Full Member
  • 20 posts

Posted 16 June 2004 - 11:57 AM

sranson, I just checked, and I don't have those two files.

Everyone describe exactly what they're discovering, including filenames, locations, size, and so on. Eventually we'll figure out a pattern of behavior that will let us track the source. So far, the solutions being posted only treat the symptoms, and the hijacker continues to return within minutes. Something (or a combination of somethings) is running that we haven't tracked yet.

Here are new symptoms I've discovered so far, in addition to ones others have posted since last night:

"Only The Best" popup windows. When doing a search, such as in Google, a second window pops up with some third-party "search" page.

It creates a service called "Network Security Service." Disabling this service on my machine did not help.

There is an entry in Add/Remove programs called "Home Search Assistent" that cannot be removed--clicking Remove opens some sort of Russian porn site.

It keeps creating two files:
mfcso.exe c:\windows 19kb
mfcso.dll c:\windows 89kb

It changes the registry at random times throughout the day, whether or not you run Internet Explorer.

Are these symptoms others are experiencing? I am.

As someone pointed out, it appears to be attached to Internet Explorer in some way. Starting that program seems to really activate something, though the registry changes occur whether you run it or not--the only difference is that it just seems to take longer if you don't run Internet Explorer, but the hijack eventually occurs again, and the suspicious dll and executable files reappear, along with the running process.

Any of you guys with file-monitoring programs, can you determine what processes are creating those files and making those registry changes? I'm on my computer at work right now and can't look myself.

Filemon:
http://www.sysintern...e/filemon.shtml

Regmon:
http://www.sysintern...ce/regmon.shtml

Edited by rd_syringe, 16 June 2004 - 01:33 PM.


#10 rd_syringe

    Member

  • Full Member
  • 20 posts

Posted 16 June 2004 - 12:26 PM

Two other rogue processes have appeared (I'm having my brother relay these to me via Messenger since I'm at work!):

netys32.exe 9 kb \windows memusage 2,812 K
winbl.exe 28kb \windows memusage 2,384 K

Notice again, the 2384kb usage. Same stupid process as before, different name. Anyone who sees this process, kill it!

Edited by rd_syringe, 16 June 2004 - 12:27 PM.


#11 sranson

    Member

  • Full Member
  • 5 posts

Posted 16 June 2004 - 01:35 PM

I managed to have filemon running on my machine when it created the randomly named dll and tried to change the registry.
Certainly this time it was iexplore.exe that was doing the creation. Strange though because I'm sure I've had this occur when internet explorer isn't running.
:hmmm:

#12 rd_syringe

    Member

  • Full Member
  • 20 posts

Posted 16 June 2004 - 01:39 PM

I think if possible, posts on this hijacker should be put in one thread, just so we have a central location for all the logs, filenames, etc. <= Edited by PGPhantom - Please DO NOT DO THIS. The forum is clear about posting logs into separate threads as this is near impossible to resolve with so many logs in one thread. Thank you

Right now this thing is hitting so fast that five new threads pop up about it every hour!

It's definitely attached to iexplore.exe somehow. What's the filesize and modification date on your iexplore.exe, and are you fully patched via Windows Update?

My work laptop that I'm using now is fully patched with Windows XP SP1 and not infected, and my iexplore.exe is 89kb in size.

I'm curious what registry and file changes the monitors pick up when you actually start up Internet Explorer. This thing seems very clever at propagating itself, and maybe it's making backup copies somewhere on the system to reinject itself when it gets deleted or something.

Edited by PGPhantom, 16 June 2004 - 04:23 PM.


#13 sranson

    Member

  • Full Member
  • 5 posts

Posted 16 June 2004 - 02:10 PM

I've checked my iexplore.exe against a machine that isn't infected. XP SP1.
iexplore.exe = 91136 bytes, 29/08/2002
Same on both machines, so it looks like it hasn't modified the .exe but something that it uses.

#14 sranson

    Member

  • Full Member
  • 5 posts

Posted 16 June 2004 - 02:20 PM

ctfmon.exe is a Microsoft program that deals with alternative user input services, usually part of MS Office.
Don't recognise the other two though.

#15 EmXtrix

    Visionary

  • Full Member
  • 12 posts

Posted 16 June 2004 - 02:27 PM

I did a search on Google for them, no results. After ending both processes, they both come up again after IE is opened. Also - when trying to open a site in IE, it shows the Office Pro installer loading up. If I click cancel and do not let it go through, IE doesn't work.

#16 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 16 June 2004 - 04:07 PM

Please STOP posting multiple logs into one thread. I am going to break up the thread as it is far too complicated to assist. Each log is different, each dll and exe causing the problem are different.

#17 ritoun

    Member

  • Full Member
  • 61 posts

Posted 16 June 2004 - 04:16 PM

To PGPhantom and the rest of you.
Same shit on my comp. It's set to res://eoctj.dll/index.html#96676 now.
Is there a way I can help? :scratchhead:

#18 cattywhompus

    Member

  • New Member
  • 1 post

Posted 16 June 2004 - 04:23 PM

Just a quick note that I tried something on one of the other posts, and it *seems* to have worked:

http://www.spywarein...?showtopic=7281

This is a little scary, as you have to have a good idea of what executables and DLLs are at fault, so I'd only recommend it to people who don't mind "taking their chances." I'm used to looking at task manager anyway, so I had a good idea of what processes were "new."

The gist of it is that you have to find and remove the DLLs, and the executables, AND disable a service that is secretly running. It looks like if you only fix the DLLs or the executables, the service will just restart the hijacker later. The service "NetworkSecurity Service" was what was killing me...

BTW, I don't have Ad-Aware Pro, so I wasn't able to "watch" the registry like he did, but I've restarted a couple times, and have checked and re-checked with Ad-Aware and Bulletproof, and it hasn't returned yet...
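Added example, not written by anyone in this thread: rd_syringe asked above (#9) what Filemon and Regmon show when the files and registry keys get rewritten, and cattywhompus's point (#18) is that the service has to be disabled together with the DLLs and executables. The Python script below correlates constructed Filemon/Regmon-style lines (assumed to be the saved tab-separated output with columns #, Time, Process, Request, Path, Result, Other, and a Process column of the form name.exe:pid) to report which process wrote each binary into C:\WINDOWS, which process then rewrote the start page, BHO and service keys, and which service keys must be disabled before the files are deleted. File, process and service names follow this thread; the PIDs, times, CLSID and service key name are placeholders.

```python
"""Correlate Filemon- and Regmon-style logs: which process drops binaries
into C:\\WINDOWS, and which process then rewrites the IE start page, BHO and
service keys.  Assumed layout (not from the thread): both logs saved as
tab-separated text with columns #, Time, Process, Request, Path, Result,
Other, and a Process column that reads "name.exe:pid".
"""
import re
from collections import defaultdict

# Constructed sample logs.  File, process and service names echo what the
# thread reports; PIDs, times, the CLSID and the service key are placeholders.
FILEMON_LOG = """\
1\t1:33:01 PM\tiexplore.exe:1488\tCREATE\tC:\\WINDOWS\\mfcso.dll\tSUCCESS\tOptions: OverwriteIf
2\t1:33:01 PM\tiexplore.exe:1488\tWRITE\tC:\\WINDOWS\\mfcso.dll\tSUCCESS\tOffset: 0 Length: 4096
3\t1:33:02 PM\tiexplore.exe:1488\tCREATE\tC:\\WINDOWS\\mfcso.exe\tSUCCESS\tOptions: OverwriteIf
4\t1:33:05 PM\tsvchost.exe:1012\tOPEN\tC:\\WINDOWS\\system32\\ntdll.dll\tSUCCESS\tOptions: Open
5\t1:33:07 PM\tmfcso.exe:2204\tCREATE\tC:\\WINDOWS\\netys32.exe\tSUCCESS\tOptions: OverwriteIf
6\t1:33:09 PM\texplorer.exe:1560\tOPEN\tC:\\Documents and Settings\\user\\Desktop\\notes.txt\tSUCCESS\tOptions: Open
"""
REGMON_LOG = """\
1\t1:33:08 PM\tmfcso.exe:2204\tSetValue\tHKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page\tSUCCESS\t"res://mfcso.dll/index.html#96676"
2\t1:33:08 PM\tmfcso.exe:2204\tCreateKey\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{PLACEHOLDER-CLSID}\tSUCCESS\tKey: 0xE1A2B3C4
3\t1:33:08 PM\tmfcso.exe:2204\tSetValue\tHKLM\\System\\CurrentControlSet\\Services\\PLACEHOLDER_SVC\\DisplayName\tSUCCESS\t"Network Security Service"
4\t1:33:10 PM\texplorer.exe:1560\tQueryValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Desktop\tSUCCESS\t"C:\\Documents and Settings\\user\\Desktop"
"""

# Every poster reports an .exe/.dll written straight into C:\WINDOWS (not a
# subfolder such as system32), so that is the file pattern to flag.
WINDOWS_ROOT_BINARY = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(?:exe|dll)$", re.IGNORECASE)
# Registry spots the hijacker must rewrite to come back: IE start/search page,
# Browser Helper Objects, and the service that respawns it.
HIJACK_KEY_FRAGMENTS = (
    "\\internet explorer\\main\\start page",
    "\\internet explorer\\main\\search page",
    "\\browser helper objects\\",
    "\\currentcontrolset\\services\\",
)
FILE_WRITE_OPS = {"CREATE", "WRITE"}
REG_WRITE_OPS = {"SETVALUE", "CREATEKEY"}
SERVICE_KEY = re.compile(r"\\currentcontrolset\\services\\([^\\]+)", re.IGNORECASE)


def parse_log(text):
    """Turn saved monitor text into dicts; header and short lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 6 or not parts[0].strip().isdigit():
            continue
        seq, when, proc, request, path, result = parts[:6]
        other = parts[6] if len(parts) > 6 else ""
        name = proc.rpartition(":")[0] or proc          # strip the ":pid" suffix
        rows.append({"seq": int(seq), "time": when, "process": name.lower(),
                     "request": request, "path": path, "result": result, "other": other})
    return rows


def file_drops(filemon_rows):
    """(process, path) pairs for successful writes of a binary into C:\\WINDOWS."""
    seen, hits = set(), []
    for r in filemon_rows:
        if (r["result"] == "SUCCESS" and r["request"].upper() in FILE_WRITE_OPS
                and WINDOWS_ROOT_BINARY.match(r["path"])):
            key = (r["process"], r["path"].lower())
            if key not in seen:
                seen.add(key)
                hits.append((r["process"], r["path"]))
    return hits


def registry_hijacks(regmon_rows):
    """(process, key path, value) for successful writes to the hijack locations."""
    hits = []
    for r in regmon_rows:
        low = r["path"].lower()
        if (r["result"] == "SUCCESS" and r["request"].upper() in REG_WRITE_OPS
                and any(frag in low for frag in HIJACK_KEY_FRAGMENTS)):
            hits.append((r["process"], r["path"], r["other"]))
    return hits


def services_touched(regmon_rows):
    """Service key names the hijacker wrote: disable these before deleting the
    files, otherwise the service just restarts the dropper (see post #18)."""
    names = set()
    for _proc, path, _value in registry_hijacks(regmon_rows):
        m = SERVICE_KEY.search(path)
        if m:
            names.add(m.group(1))
    return names


def build_chain(filemon_rows, regmon_rows):
    """Key each dropped binary by file name: who wrote it and, if it later ran
    as a process, which hijack keys it wrote.  Read top-down this answers the
    thread's question of what keeps re-creating the files."""
    chain = defaultdict(lambda: {"dropped_by": set(), "registry_writes": []})
    for proc, path in file_drops(filemon_rows):
        chain[path.rsplit("\\", 1)[-1].lower()]["dropped_by"].add(proc)
    for proc, path, value in registry_hijacks(regmon_rows):
        chain[proc]["registry_writes"].append((path, value))
    return dict(chain)


if __name__ == "__main__":
    fm, rm = parse_log(FILEMON_LOG), parse_log(REGMON_LOG)
    for name, info in sorted(build_chain(fm, rm).items()):
        print(name, "written by", sorted(info["dropped_by"]) or "?")
        for path, value in info["registry_writes"]:
            print("    wrote", path, "=", value)
    print("disable first:", sorted(services_touched(rm)))
```

Run as-is against the embedded samples, or paste the saved output of the two monitors into the strings. The chain reads top-down: iexplore.exe drops mfcso.dll and mfcso.exe, mfcso.exe drops netys32.exe and rewrites the start page, a BHO key and a service key, and the service name is what has to be disabled before the files are removed.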

#19 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 16 June 2004 - 04:30 PM

I am sorry folks but I am locking this topic and breaking off all the logs into separate threads. Too much bad advice, even though well intended, is not helping resolve the problem - It is only confusing people more.

Please - At the top of the forum it is in big bold letters ...

DO NOT POST YOUR LOG FILE INTO SOMEONE ELSE'S TOPIC! START YOUR OWN. Please stay with your original topic when posting follow up log files.



