How in the world do you get rid of this thing?
Posted 15 June 2004 - 11:52 PM
Posted 16 June 2004 - 03:11 AM
This is a complete bastard.
Just to add to the plot, once whatever is doing this is running, then it tries to update the registry and add the BHO at random times during the day even if IE isn't running.
And nothing in the task manager list :-(
I'm still waiting for some assistance on this one as well.
Posted 16 June 2004 - 03:17 AM
Posted 16 June 2004 - 03:26 AM
Posted 16 June 2004 - 04:26 AM
I've had a mooch through my HDD, and found a couple of suspect files which have dubious content when you look at the hex dump. Do you have them as well?
Mine have a recent date which could easily be when I was infected.
sb.exe has references to rocky.exe inside it along with
might be some other pestware but nothing else is found by any of the other programs I use.
Posted 16 June 2004 - 11:57 AM
Everyone describe exactly what they're discovering, including filenames, locations, size, and so on. Eventually we'll figure out a pattern of behavior that will let us track the source. So far, the solutions being posted only treat the symptoms, and the hijacker continues to return within minutes. Something (or a combination of somethings) is running that we haven't tracked yet.
Here are new symptoms I've discovered so far, in addition to ones others have posted since last night:
"Only The Best" popup windows. When doing a search, such as in Google, a second window pops up with some third-party "search" page.
It creates a service called "Network Security Service." Disabling this service on my machine did not help.
There is an entry in Add/Remove programs called "Home Search Assistent" that cannot be removed--clicking Remove opens some sort of Russian porn site.
It keeps creating two files:
mfcso.exe c:\windows 19kb
mfcso.dll c:\windows 89kb
It changes the registry at random times throughout the day, whether or not you run Internet Explorer.
Are these symptoms others are experiencing? I am.
As someone pointed out, it appears to be attached to Internet Explorer in some way. Starting that program seems to really activate something, though the registry changes occur whether you run it or not--the only difference is that it just seems to take longer if you don't run Internet Explorer, but the hijack eventually occurs again, and the suspicious dll and executable files reappear, along with the running process.
Any of you guys with file-monitoring programs, can you determine what processes are creating those files and making those registry changes? I'm on my computer at work right now and can't look myself.
Edited by rd_syringe, 16 June 2004 - 01:33 PM.
Posted 16 June 2004 - 12:26 PM
netys32.exe 9 kb \windows memusage 2,812 K
winbl.exe 28kb \windows memusage 2,384 K
Notice again, the 2384kb usage. Same stupid process as before, different name. Anyone who sees this process, kill it!
Edited by rd_syringe, 16 June 2004 - 12:27 PM.
Posted 16 June 2004 - 01:35 PM
Certainly this time it was iexplore.exe that was doing the creation. Strange though because I'm sure I've had this occur when internet explorer isn't running.
Posted 16 June 2004 - 01:39 PM
Right now this thing is hitting so fast that five new threads pop up about it every hour!
It's definitely attached to iexplore.exe somehow. What's the filesize and modification date on your iexplore.exe, and are you fully patched via Windows Update?
My work laptop that I'm using now is fully patched with Windows XP SP1 and not infected, and my iexplore.exe is 89kb in size.
I'm curious what registry and file changes the monitors pick up when you actually start up Internet Explorer? This thing seems very clever at propagating itself, and maybe it's making backup copies somewhere on the system to reinject itself when it gets deleted or something.
Edited by PGPhantom, 16 June 2004 - 04:23 PM.
Posted 16 June 2004 - 02:10 PM
iexplore.exe = 91136 bytes, 29/08/2002
Same on both machines, so it looks like it hasn't modified the .exe but something that it uses.
Posted 16 June 2004 - 02:20 PM
Don't recognise the other two though.
Posted 16 June 2004 - 02:27 PM
Posted 16 June 2004 - 04:07 PM
Posted 16 June 2004 - 04:16 PM
Same shit on my comp. It's set to res://eoctj.dll/index.html#96676 now.
Is there a way I can help?
Posted 16 June 2004 - 04:23 PM
This is a little scary, as you have to have a good idea of what executables and DLLs are at fault, so I'd only recommend it to people who don't mind "taking their chances." I'm used to looking at task manager anyway, so I had a good idea of what processes were "new."
The gist of it is that you have to find and remove the DLLs, and the executables, AND disable a service that is secretly running. It looks like if you only fix the DLLs or the executables, the service will just restart the hijacker later. The service "NetworkSecurity Service" was what was killing me...
BTW, I don't have Ad-Aware Pro, so I wasn't able to "watch" the registry like he did, but I've restarted a couple times, and have checked and re-checked with Ad-Aware and Bulletproof, and it hasn't returned yet...
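A read-only check for the indicators this thread lists, as an added example that is not from any of the posters; it assumes a PowerShell prompt on the affected machine and uses only the file, service and registry names quoted above (both spellings of the service name, and the standard IE BHO and Start Page keys):

```powershell
# Added audit script for the symptoms described in this thread (not any poster's own tool).
# It only reports; it does not delete files, stop services or edit the registry.

$suspectFiles    = 'mfcso.exe','mfcso.dll','netys32.exe','winbl.exe','sb.exe','rocky.exe','eoctj.dll'
$suspectServices = 'Network Security Service','NetworkSecurity Service'   # both spellings appear in the thread

$findings = @()

# 1. Dropped files in the Windows directory (the thread reports them in c:\windows)
foreach ($name in $suspectFiles) {
    $path = Join-Path $env:windir $name
    if (Test-Path $path) {
        $f = Get-Item $path
        $findings += "file: $path ($($f.Length) bytes, modified $($f.LastWriteTime))"
    }
}

# 2. The service that re-launches the hijacker after the DLL/EXE are removed
foreach ($svc in Get-Service) {
    if ($suspectServices -contains $svc.DisplayName -or $suspectServices -contains $svc.Name) {
        $findings += "service: $($svc.Name) [$($svc.DisplayName)] status=$($svc.Status)"
    }
}

# 3. Every Browser Helper Object registered for Internet Explorer, resolved to the DLL it loads
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($clsid in (Get-ChildItem $bhoKey).PSChildName) {
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { '<no InprocServer32>' }
        $findings += "BHO: $clsid -> $dll"
    }
}

# 4. Start page pointing at a res:// URL inside a local DLL (the res://eoctj.dll/index.html symptom)
$main  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$start = (Get-ItemProperty $main -ErrorAction SilentlyContinue).'Start Page'
if ($start -and $start -like 'res://*') { $findings += "start page: $start" }

if ($findings.Count -eq 0) { 'No thread indicators found.' } else { $findings }
```

The DLL names differ between the machines in this thread (eoctj.dll on one, mfcso.dll on another), so an unfamiliar BHO path in section 3 is worth checking even when none of the listed filenames are present.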
Posted 16 June 2004 - 04:30 PM
Please - At the top of the forum it is in big bold letters ...
DO NOT POST YOUR LOG FILE INTO SOMEONE ELSE'S TOPIC! START YOUR OWN. Please stay with your original topic when posting follow up log files.