New .DLL to look out for?

7 replies to this topic

#1 LeMango
Full Member, 6 posts

Posted 07 January 2008 - 03:23 PM

I'm not looking for help to remove this, since I don't think anyone on Earth has ever experienced this file. I'm an amateur good hacker, and cleaned up my SIL's machine and got everything off but this one file. Just wanted to send a flare out to the studs (and studettes) that patrol this forum that this file seems to be an unremovable trace file.

I'm just gonna reformat her PC anyway, so I don't have to deal with any residue left from the 145 million things I removed (using AVG, SDFIX, COMBOFIX, HAKFIX, HIJACKTHIS, FIXWAREOUT, ADWARE, KILLBOX etc. etc. etc.), but I was trying to clean the PC completely as a matter of principle since I have a lot of FREE time and cleaning PCs is sort of a hobby. COMBOFIX and HAKFIX come up clean, and HIJACKTHIS flags the WGA Notify pointing to the file.

FBFBA.DLL.

It's out there. Funny thing is that on first scan, AVG recognized it, but did not offer to fix anything. KILLBOX killed it without any errors, but of course it reappeared.

FBFBA.DLL.

I assumed that if it was one of those where, when it's recreated, it takes on some sort of new random file name incarnation, I'd have seen some variance; but for now it's impossible to remove the WGA Notify line manually or via HIJACKTHIS, and like I said, KILLBOX can't seem to remove the file (and it doesn't error out, like it did trying to remove other files).

FBFBA.DLL.

Enjoy this mystery everyone! (FWIW, the time of infection and recurring PC use aloof to said infection was October 2007-December 2007)

FBFBA.DLL.

(I apologize if this post seems like a call for help - - I am reformatting the PC, so it's too late for help, but I hate having an unsolved file issue....call me Columbo)

One more thing (tribute to Columbo), the sequence FBFBA.DLL is a common iteration of all the HEX combinations, so maybe that's where the name derived from...

...if someone wants to re-open this case, I'll go to the other forum and slap up the log files...

#2 Tuxedo Jack
Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more
Expert, 1,758 posts

Posted 07 January 2008 - 09:17 PM

New malware variants seem to like to hook their code into LSASS and Explorer. If you have a copy of Process Explorer, take a look at those processes on an infected machine sometime, and you'll see the infector DLLs there.

A good idea for HJT's next version would be for it to track LSASS packages as well, and have the ability to terminate threads within processes (if the user ticks a DLL for removal, it checks all running processes for that DLL and kills its thread).

#3 LeMango
Full Member, 6 posts

Posted 08 January 2008 - 03:39 PM

> New malware variants seem to like to hook their code into LSASS and Explorer. If you have a copy of Process Explorer, take a look at those processes on an infected machine sometime, and you'll see the infector DLLs there.
>
> A good idea for HJT's next version would be for it to track LSASS packages as well, and have the ability to terminate threads within processes (if the user ticks a DLL for removal, it checks all running processes for that DLL and kills its thread).

Good info - - thanks. I'll try that tonight for fun.

what is the best way to force replace EXPLORER.EXE?

#4 LeMango
Full Member, 6 posts

Posted 08 January 2008 - 03:42 PM

PS - - just donated on PayPal. You experts are all heroes!

#5 LeMango
Full Member, 6 posts

Posted 11 January 2008 - 11:09 PM

> New malware variants seem to like to hook their code into LSASS and Explorer. If you have a copy of Process Explorer, take a look at those processes on an infected machine sometime, and you'll see the infector DLLs there.
>
> A good idea for HJT's next version would be for it to track LSASS packages as well, and have the ability to terminate threads within processes (if the user ticks a DLL for removal, it checks all running processes for that DLL and kills its thread).

I've run about a billion other programs.....unlocker...rootkit programs you name it.

FBFBA.DLL, the only non-Googlable file I have ever seen, still sits atop this hard drive, laughing, mocking me.

The reference to it is under HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon\Notify\fbfba....the moment you whack the REGISTRY entry it comes right back...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fbfba]
"DllName"="C:\\WINDOWS\\system32\\fbfba.dll"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"StartShell"="StartShell"
"Logon"="Logon"
"Logoff"="Logoff"
"Startup"="Startup"
"Unlock"="Unlock"
"Shutdown"="Shutdown"
"StartScreenSaver"="StartScreenSaver"
"StopScreenSaver"="StopScreenSaver"
"Lock"="Lock"

Any idea how to shut this bad boy down?

#6 screen317
SWI Sentinel
Global Moderator, 8,814 posts

Posted 12 January 2008 - 01:13 AM

> I'll go to the other forum and slap up the log files...

Please do.


#7 Tuxedo Jack
Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more
Expert, 1,758 posts

Posted 14 January 2008 - 02:25 AM

> New malware variants seem to like to hook their code into LSASS and Explorer. If you have a copy of Process Explorer, take a look at those processes on an infected machine sometime, and you'll see the infector DLLs there.
>
> A good idea for HJT's next version would be for it to track LSASS packages as well, and have the ability to terminate threads within processes (if the user ticks a DLL for removal, it checks all running processes for that DLL and kills its thread).
>
> I've run about a billion other programs.....unlocker...rootkit programs you name it.
>
> FBFBA.DLL, the only non-Googlable file I have ever seen, still sits atop this hard drive, laughing, mocking me.
>
> The reference to it is under HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon\Notify\fbfba....the moment you whack the REGISTRY entry it comes right back...
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fbfba]
> "DllName"="C:\\WINDOWS\\system32\\fbfba.dll"
> "Impersonate"=dword:00000000
> "Asynchronous"=dword:00000001
> "StartShell"="StartShell"
> "Logon"="Logon"
> "Logoff"="Logoff"
> "Startup"="Startup"
> "Unlock"="Unlock"
> "Shutdown"="Shutdown"
> "StartScreenSaver"="StartScreenSaver"
> "StopScreenSaver"="StopScreenSaver"
> "Lock"="Lock"
>
> Any idea how to shut this bad boy down?

Refresh my memory, but Winlogon notifiers are supposed to execute on logon, then terminate, yes? These hijackers stay memory-resident in winlogon, and when you terminate their notifier, a second DLL which has been loaded by means of the first reinstates the notifier.

What about using Killbox and replacing it on reboot with a dummy file? Once that's done, remove the notifier.
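The Winlogon\Notify key posted in #5 and the mechanism Tuxedo Jack describes in #7 are what a helper would triage from an exported log. As an added example (not code from this thread or from any of the tools named in it), here is a Python parser for a .reg export of that key that applies the warning signs the thread circles around: the package is not one Windows ships, the DLL name looks like a run of hex digits, and it hooks nearly every Winlogon event. The XP-era allowlist and the sample export are constructed assumptions.

```python
import re
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
KNOWN_GOOD = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
              "senslogn", "termsrv", "wlballoon", "wgalogon"}  # assumption: XP-era packages, triage aid only

def parse_notify(reg_text):  # one dict per Winlogon\Notify subkey found in a .reg export
    prefix = (NOTIFY_KEY + "\\").lower()
    entries, cur = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):      # start of a new key
            key = line[1:-1]
            cur = {"name": key[len(prefix):], "dll": "", "events": []} if key.lower().startswith(prefix) else None
            if cur is not None:
                entries.append(cur)
            continue
        m = re.match(r'"([^"]+)"=(.*)', line)
        if cur is None or not m:
            continue
        name, value = m.groups()
        if name == "DllName":
            cur["dll"] = value.strip('"').replace("\\\\", "\\")   # .reg doubles backslashes
        elif value.startswith("dword:"):
            cur[name.lower()] = int(value[6:], 16)            # Asynchronous / Impersonate flags
        elif value.startswith('"'):
            cur["events"].append(name)                        # "Logon"="Logon": event -> exported handler
    return entries

def suspicious(entry):  # triage heuristics for one entry; an empty list means nothing stood out
    stem = re.sub(r"\.dll$", "", entry["dll"].replace("\\", "/").rsplit("/", 1)[-1].lower())
    checks = [(entry["name"].lower() not in KNOWN_GOOD, "not a known Windows notification package"),
              (re.fullmatch(r"[0-9a-f]{4,8}", stem) is not None, "hex-looking DLL name"),
              (len(entry["events"]) >= 8, "hooks nearly every Winlogon event")]
    return [why for hit, why in checks if hit]

# Constructed .reg export: a benign package followed by the entry quoted in the thread.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"DllName"="WgaLogon.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fbfba]
"DllName"="C:\\WINDOWS\\system32\\fbfba.dll"
"Asynchronous"=dword:00000001
"StartShell"="StartShell"
"Logon"="Logon"
"Logoff"="Logoff"
"Startup"="Startup"
"Unlock"="Unlock"
"Shutdown"="Shutdown"
"StartScreenSaver"="StartScreenSaver"
"StopScreenSaver"="StopScreenSaver"
"Lock"="Lock"
"""
```

Run `for e in parse_notify(SAMPLE_REG): print(e["name"], suspicious(e))` to see the benign package come back clean and the fbfba entry trip all three checks; against a real export, anything flagged still needs the DLL itself inspected before deciding.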

#8 Tuxedo Jack
Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more
Expert, 1,758 posts

Posted 16 January 2008 - 10:36 PM

And on a side note (sorry to double-post), that seems to work REALLY well with Virtumonde. Find out the rogue DLL via process monitor, replace on reboot, and it's crippled when you restart.