I then checked the system. There were two accounts listed at the welcome screen. I logged in under the DMW account. When I tried to bring up the Task Manager, I saw the following window.
Task Manager
Task Manager has been disabled by your administrator.
When I tried running tasklist from a command prompt, I saw the following.
C:\Documents and Settings\DMW>tasklist
'tasklist' is not recognized as an internal or external command,
operable program or batch file.
Note that tasklist.exe ships with Windows XP Professional but not with XP Home Edition, so on a Home system that message by itself is not evidence of tampering.
There was a problem with the active desktop display. A "Restore my Active Desktop" button appeared on the desktop, but clicking on it would return me to the Active Desktop Recovery desktop after a short time.
I logged off the DMW account and logged into the DCW account. In the system tray at the lower right-hand corner of the screen, I saw the following warning.
This was later replaced with the message below.
The messages were coming from a program represented in the system tray by a red circle with a white "X" within it. It isn't unusual for rogue antispyware software to display such warnings. I've seen SpyAxe do the same thing on another system.
I tried bringing up the Task Manager under this account, but got the same "Task Manager has been disabled by your administrator" message as under the other account.
When I rebooted the system with a network cable connected to it and logged into the DCW account, I saw the background for the desktop, but nothing else. I rebooted again without the network cable connected and, when I logged into the DCW account, I saw the same background, but also the desktop shortcuts, the system tray, etc., i.e. the login completed normally.
When I checked the directories under C:\Program Files\, I saw a BraveSentry directory. BraveSentry is included in the Spyware Warrior list of Rogue/Suspect Anti-Spyware Products. The following information is included on the software at the Spyware Warrior site.
Brave Sentry | bravesentry.com | aggressive advertising, desktop hijacking (1, 2); false positives work as goad to purchase; inadequate scan reporting; same app as DIARemover, MalwareAlarm, Mr.AntiSpy, PestCapture, PestTrap, PestWiper, SpyDemolisher, SpyMarshal, SpySheriff, SpyTrooper, SpywareNo, & Spyware-Stop [A: 3-9-06 / U: 3-9-06] |
The date on the files in the BraveSentry folder was October 23, 2007. All of the files in the directory, except the BraveSentry application, had a time of 5:15 P.M. listed. The BraveSentry application had a time of 7:15 P.M. listed; it was also listed as zero bytes in size.
Looking under Add or Remove Programs, I saw MyWay Search Assistant. Surprisingly, I found someone posting at CastleCops® MyWaySA stating that "Dell seems to be including MyWay in the branded OEM OSs now."
McAfee Security Center software provided by Comcast was installed on the system, but the realtime scanning capability was disabled. The last update check date for it was October 23, 2007 and the last scan date was October 24, 2007.
Spybot Search & Destroy version 1.4 was on the system, but, when I checked its status, I found the last detection update installed was 2006-10-06, i.e. the last update occurred 14 months ago. When I checked to see if any malware had ever been removed with Spybot, I found that WildTangent had been removed on October 11, 2006. I've seen WildTangent on many systems; I don't consider it something to be concerned about.
Since the current version of Spybot is 1.5, I removed the 1.4 version from the system. I downloaded the current version and Detection updates 2007-12-05 from the Spybot Search & Destroy Downloads webpage. I also downloaded FileAlyzer, which is a file analysis tool from the same Spybot developer.
The system was performing sluggishly, and when I installed Spybot and scanned the system with it, the scan ran very slowly, taking several hours to complete.
Since I couldn't run the Task Manager, I downloaded the Windows Sysinternals utilities PsTools and Process Explorer and installed them.
When I ran Process Explorer, I saw five instances of dllh8jkd1q5.exe running. Prevx lists the file as being associated with Malware:SysCovert. The process was running from C:\Windows\system32\dllh8jkd1q5.exe. I also saw a dllh8jkd1q6.exe and a dllh8jkd1q7.exe process running. They were also in C:\Windows\system32. I killed all of them from within Process Explorer.
Process Explorer also showed plite731.exe running. At plite731.exe - Dangerous, Greatis Software lists it as being associated with a "Trojan/Backdoor". Process Explorer shows a description of "SysMon" and a company name of "System Service" for the process. The developer may have given it a description of "SysMon" to make it appear innocuous. It was running from C:\Windows\plite731.exe. Prevx lists it as being associated with Trojan.SysMon. I killed the process through Process Explorer.
I also saw xpupdate.exe running. At file.net, I saw a reference at xpupdate.exe Windows Process - What is it? to a file by that name being associated with the RBQT-QE worm. The process was running from C:\Windows\xpupdate.exe. The timestamp on the file was October 23, 2007 5:14 P.M. I killed that process also with Process Explorer.
I also saw newmaxxsv234.exe running. Prevx indicates that a file with that name is associated with the malware group Trojan.VXGAME and that a file with that name is also associated with Downloader.Obfuskated. Bleeping Computer links the file to the Troj/Tibs-TS Trojan. The process was running from C:\Windows\system32\newmaxxsv234.exe. I killed the running process with Process Explorer. The file had a timestamp of October 23, 2007 7:17 P.M.
I also saw kmdsrngm.exe running. Prevx links it to the malware group Adware.ZenoSearch. It was running from C:\Windows\system32\kmdsrngm.exe. The file had a timestamp on it of October 23, 2007 8:25 P.M. I also killed that process. After I killed it, I noticed dllh8jkd1q5.exe running again. I killed it again, also.
I also noticed that the program represented by a red circle with a white "X" in it, which was putting up the misleading malware warnings was no longer present in the system tray. I don't know exactly when it disappeared, though, so I don't know which process I killed was associated with it.
Spybot found AdSponsor. It reported the registry entry HKEY_CLASSES_ROOT\AppID\AdBand.DLL for the adware.
Spybot found Smitfraud-C. The dllh8jkd1q5.exe, dllh8jkd1q6.exe, and dllh8jkd1q7.exe files were associated with it. Spybot also listed the C:\Program Files\BraveSentry directory as being associated with Smitfraud-C. Spybot also listed C:\Windows\system32\kernelwind32.exe as being found on the system, which it reported as associated with Smitfraud-C. Yet Windows Explorer did not list the file in the directory, even when I turned on the display of hidden and system files. Nor did it appear when I issued a dir k*.exe command from a command prompt. I even tried dir /ah and dir /as, but it did not appear, but then neither did krnl386.exe nor any other exe file beginning with the letter "k", even though several appeared in Windows Explorer. Since, when I used dir k*.exe with or without the /ah or /as options, files Windows Explorer reported didn't appear, it appeared that something was trying to hide files from antimalware software or casual perusal of the directory.
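A systematic version of that check, comparing the names cmd.exe's dir reports against a second enumeration of the same directory (Explorer, or a listing taken from a live CD or an offline image), added here as an example and not code from this page or any of the tools it mentions. The dir output and the second listing are constructed samples; the file names and sizes in them are illustrative.

```python
import re
from fnmatch import fnmatch
from typing import Dict, Iterable, List, Tuple

# Constructed sample of "dir /a" output in the format Windows XP's cmd.exe
# prints it. The names and sizes are illustrative, not output captured from
# the system described on the page.
SAMPLE_DIR_OUTPUT = """\
 Volume in drive C has no label.
 Volume Serial Number is 1C4B-9E2A

 Directory of C:\\WINDOWS\\system32

10/23/2007  03:08 PM    <DIR>          .
10/23/2007  03:08 PM    <DIR>          ..
08/04/2004  07:00 AM            26,624 kbdus.dll
08/04/2004  07:00 AM           343,040 kernel32.dll
08/04/2004  07:00 AM             6,144 ksecdd.sys
               3 File(s)        375,808 bytes
               2 Dir(s)   8,532,643,840 bytes free
"""

# Constructed second view of the same directory, as another enumeration
# (Explorer, a Linux live CD, or an offline image) might report it.
SAMPLE_OTHER_VIEW = [
    "kbdus.dll", "kernel32.dll", "ksecdd.sys",
    "kernelwind32.exe", "krnl386.exe",
]

# One "dir" line: date, time, then either <DIR> or a comma-grouped size, then the name.
DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}\s[AP]M)\s+"
    r"(?:<DIR>\s+|(?P<size>[\d,]+)\s+)(?P<name>.+?)\s*$"
)


def parse_dir_listing(text: str) -> Dict[str, int]:
    """Return {name: size_bytes} for the files in 'dir' output; directories are skipped."""
    files: Dict[str, int] = {}
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if not m or m.group("size") is None:
            continue
        files[m.group("name").lower()] = int(m.group("size").replace(",", ""))
    return files


def cross_view_diff(cmd_view: Iterable[str], other_view: Iterable[str],
                    pattern: str = "*") -> Tuple[List[str], List[str]]:
    """Compare two enumerations of one directory.

    Returns (hidden, extra): names the second view reports that the cmd view
    does not (candidates for something filtering dir's results), and the reverse.
    Comparison is case-insensitive, as NTFS names are; pattern is a dir-style glob.
    """
    a = {n.lower() for n in cmd_view if fnmatch(n.lower(), pattern.lower())}
    b = {n.lower() for n in other_view if fnmatch(n.lower(), pattern.lower())}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    listed = parse_dir_listing(SAMPLE_DIR_OUTPUT)
    hidden, extra = cross_view_diff(listed, SAMPLE_OTHER_VIEW, "k*.exe")
    print("in dir output:", sorted(listed))
    print("k*.exe missing from dir output:", hidden)
    print("k*.exe only in dir output:", extra)
```

A name that appears only in the second view is a candidate for something filtering what the shell sees, which is what the missing k*.exe files suggested here; the reverse direction catches a stale second listing. The second view is only trustworthy if it comes from a boot medium the suspect system did not control.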
Spybot found CoolWWWSearch. The only entry it listed for it was a file, C:\WINDOWS\system32\vx.tll.
Spybot also found ZenoSearch. It linked C:\Windows\system32\msnav32.ax, C:\Windows\system32\kmdsrngm.exe, and C:\Windows\system32\dwdsrngt.exe as being associated with this malware. It did not link any other objects to the malware.
Spybot found BraveSentry. It listed C:\Windows\xpupdate.exe as being associated with it plus three files in the C:\Program Files\BraveSentry directory.
BraveSentry0.bs
BraveSentry.lic
Uninstall.exe
Spybot also listed a registry key under HKEY_USERS. When I looked under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, I found the following.
Value name: Windows update loader
Value data: C:\Windows\xpupdate.exe
Spybot also reported the following.
Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify
Microsoft.WindowsSecurityCenter.FirewallDisableNotify
Microsoft.WindowsSecurityCenter.TaskManager
It isn't unusual for antivirus software to assume control of antivirus and firewall settings, so perhaps those changes were made by the McAfee software, but I've never seen antivirus software disable the Task Manager before.
Spybot also found a lot of advertising-related cookies, but I normally don't worry about those, though I do usually remove them.
I installed Bazooka™ Adware and Spyware Scanner 1.13.03 and the latest database update for it and scanned the system with it. It reported the following.
Exploit ntos.exe
Exploit countbest.net
Exploit traff5all.biz
Exploit searchterror.com
Exploit vxiframe.biz
Exploit Zviframe.biz
I had Spybot remove everything it found. After waiting a long time for Spybot to complete its removal process, I finally gave up, rebooted the system into Safe Mode and logged in as the administrator. I was able to start the Task Manager then using Ctrl-Alt-Del. I had to use the Task Manager to manually start the Explorer before I could run a Spybot scan again. This time it ran much faster, though it still took a while to check for 106,700 objects. It only reported Smitfraud-C and ZenoSearch this time.
For Smitfraud-C, it reported the same files as previously, including C:\Windows\system32\kernelwind32.exe. From a command prompt, I could see the file with a dir command this time. It was dated October 23, 2007 3:08 P.M. I had Spybot remove Smitfraud-C and ZenoSearch, which it did within seconds this time.
I scanned again with Bazooka Scanner. It only reported Exploit ntos.exe. The Bazooka Scanner webpage for Exploit ntos.exe lists the following files, among many others, as being associated with this malware.
%SystemDir%\kernelwind32.exe
%WinDir%\xpupdate.exe
The system is a Windows XP Home system. On this system %SystemDir% and %WinDir% point to C:\Windows\system32 and C:\Windows respectively. That is the default for Windows XP. You can verify that by issuing the set command at a command prompt and looking for the values of SystemRoot and windir. For Bazooka, %systemdir% is %systemroot%\system32, i.e. normally C:\windows\system32 on a Windows XP system.
So Bazooka labels the malware associated with kernelwind32.exe as Exploit ntos.exe, while Spybot associates kernelwind32.exe with Smitfraud-C. And while Spybot classifies xpupdate.exe under BraveSentry, Bazooka lists it for Exploit ntos.exe. It isn't uncommon for different antispyware or antivirus programs to use different names for particular malware.
When I had Bazooka generate a log file, I found when I reviewed the log file that it was reporting Exploit ntos.exe because it found %SystemDir%\kernelw.sys and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemSv12. When I ran regedit and checked for the registry entry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemSv12, I found the following.
Value name: SystemSv12
Value: C:\WINDOWS\system32\newmaxxsv234.exe
I removed the registry entry. When I checked to make sure that Spybot had already deleted C:\Windows\system32\newmaxxsv234.exe, I found it was still present, so I manually deleted it.
BleepingComputer reports C:\Windows\System32\kernelw.sys is associated with Trojan.Peed.IIG/Packed.Win32.Tibs.ap malware. A posting on the freefixer site at kernelw.sys shows the results of a scan of the file that someone else submitted to Jotti's Online Malware Scan site. The file submitted had the same MD5 message digest as the one on the system. I manually deleted the file. Bazooka no longer reported malware on the system, reporting instead "nothing detected".
I rebooted the system into Safe Mode with Networking, downloaded ClamWin and scanned the system with it. I left the scan running overnight along with another scan by Spybot. Unfortunately, the next morning, I found that one of my cats had apparently bumped into the power cord for the laptop dislodging it, so the system was powered down.
I logged into the DCW account. I saw a notice that an update to the operating system was available to be installed. It was the Windows Malicious Software Removal Tool - October 2007 (KB890830). I installed it.
I then started a new ClamWin Scan. It took over 5 hours to complete (319 minutes and 26 seconds). It found 15 infected files.
I installed BitDefender Free Edition v10 to scan the system for malware. Since network connectivity for the system was not working, I manually installed updates to the malware definitions for the antivirus software. After rebooting, I then scanned the system. The results of the scan are shown below (log file).
File | Status |
---|---|
<System>==>C:\WINDOWS\plite731.exe (disk) | Infected: Trojan.Adband.A |
<System>==>C:\WINDOWS\plite731.exe (disk) | Disinfection failed |
<System>==>C:\WINDOWS\plite731.exe (disk) | Move failed |
<System>==>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\plite731.exe==>PLITE731.EXE | Infected: Trojan.Adband.A |
<System>==>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\plite731.exe==>PLITE731.EXE | Disinfection failed |
<System>==>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\plite731.exe==>PLITE731.EXE | Move failed |
C:\Documents and Settings\DMW\Local Settings\Temp\stany.exe | Infected: Trojan.Adband.A |
C:\Documents and Settings\DMW\Local Settings\Temp\stany.exe | Disinfection failed |
C:\Documents and Settings\DMW\Local Settings\Temp\stany.exe | Moved |
C:\Documents and Settings\DMW\Local Settings\Temp\stdrun6.exe | Infected: Generic.Zeno.51DEB277 |
C:\Documents and Settings\DMW\Local Settings\Temp\stdrun6.exe | Disinfection failed |
C:\Documents and Settings\DMW\Local Settings\Temp\stdrun6.exe | Moved |
C:\Documents and Settings\DMW\Local Settings\Temp\stdrun7.exe | Infected: Trojan.Peed.Gen |
C:\Documents and Settings\DMW\Local Settings\Temp\stdrun7.exe | Disinfection failed |
C:\Documents and Settings\DMW\Local Settings\Temp\stdrun7.exe | Moved |
C:\Documents and Settings\DMW\Local Settings\Temp\wr-1-77.exe | Infected: Trojan.Retapu.D |
C:\Documents and Settings\DMW\Local Settings\Temp\wr-1-77.exe | Disinfection failed |
C:\Documents and Settings\DMW\Local Settings\Temp\stdrun7.exe | Moved |
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll | Detected: Adware.Mysearch.E |
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll | Disinfection failed |
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll | Moved |
C:\WINDOWS\plite731.exe | Infected: Trojan.Adband.A |
C:\WINDOWS\plite731.exe | Disinfection failed |
C:\WINDOWS\plite731.exe | Move failed |
C:\WINDOWS\system32\mljjh.dll | Adware.Virtumonde.GGZ |
C:\WINDOWS\system32\mljjh.dll | Disinfection failed |
C:\WINDOWS\system32\mljjh.dll | Move failed |

Time | |
---|---|
Scan time: | 01:41:12 |
Scan speed (files/sec): | 14 |

Results | |
---|---|
Infected objects: | 8 |
Suspect objects: | 0 |
Process infected: | 0 |
Warnings: | 0 |
Disinfected: | 0 |
Deleted: | 0 |
Moved: | 6 |
Identified viruses: | 8 |
BitDefender identified C:\Windows\plite731.exe twice as Trojan.Adband.A. I saw the process running when I looked at the running process list with Task Manager, which I could do after having Spybot fix the problems it found earlier. But Windows Explorer didn't show it in C:\Windows, even though the system was configured to show hidden and system files, nor could I see it from a command prompt using the dir command, even with the /as or /ah options. I could see a plite731_uinstall_.bat file in the C:\Windows directory, though. It had a timestamp of 10/23/2007 3:08 PM. The commands in the file were as follows.
tskill plite731 /a /v
del plite731.exe
The tskill utility is a Microsoft-supplied utility in \Windows\system32.
I killed the plite731.exe process through the Task Manager. I then tried deleting it with the del command, but got a message indicating that the file could not be found. I used regedit to delete the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plite731 entry, so that the program would not be run when Windows is rebooted.
Value Name: plite731
Value data: C:\WINDOWS\plite731.exe
BitDefender also indicated it couldn't quarantine C:\WINDOWS\system32\mljjh.dll, which it linked to Adware.Virtumonde. That file also didn't show up when I looked for it using Windows Explorer or the dir command at a command prompt, even when I tried the /as and /ah options. When I checked to see which processes had it open by using Process Explorer's "Find" option, I saw the following processes were using it.
Process | Type |
---|---|
explorer.exe | DLL |
lsass.exe | DLL |
lsass.exe | Handle |
iexplore | DLL |
During the BitDefender scan, a McAfee warning message popped up (the system had McAfee Security Center installed). McAfee identified the process as bdss.exe, which is the BitDefender process scanning for malware. It identified the file as C:\Documents and Settings\DMW\Local Settings\Temp\stdrun4.exe, though. BitDefender identified stdrun6.exe and stdrun7.exe in the same directory as stdrun4.exe as containing malware, but did not identify stdrun4.exe as containing malware.
At Threat Profile: Adware-ISearch, McAfee states the program installs a Browser Helper Object (BHO). The summary information provided on the McAfee webpage states the following.
Summary:
Upon execution, this application installs itself as a Browser Helper Object in Internet Explorer and pops advertisements. It redirects search keywords used in google to the site master.mx-targeting.com.
But when I checked for the files and directories McAfee's webpage listed as being associated with the malware, I did not see any of those, nor were they ones removed by Spybot.
When I copied the stdrun4.exe file to another system for analysis, Webroot® Spy Sweeper™ version 5.0.8.1608 (spyware definitions version: 1046) identified it as malware.
Name: | command |
Category: | Adware |
I had the McAfee program remove the stdrun4.exe file, which it identified as Adware-Isearch. When I removed the malware, the McAfee software popped up another warning. I had McAfee remove that, also. McAfee then reported Adware-Zeno for C:\Documents and Settings\DMW\Local Settings\Temporary Internet Files\Content.IE5\MN0MFDMT\ds[1].xe. That file had a creation timestamp of Tuesday, October 23, 2007 at 7:16:47 PM. I had the McAfee antimalware software remove it.
I then rebooted into Safe Mode with Networking. I was still unable to see C:\WINDOWS\plite731.exe from Windows Explorer or from a command prompt. I was able to see C:\WINDOWS\system32\mljjh.dll. It had a timestamp of 10/23/07 03:11 PM. I tried deleting it, but was notified it was being used by another person or program.
The system has no Internet connectivity. Since I started working on it, it has been displaying the following error message when I issue the ipconfig command.
C:\WINDOWS\system32>ipconfig
Windows IP Configuration
An internal error occurred: The request is not supported.
Please contact Microsoft Product Support Services for further help.
Additional information: Unable to query host name.
To be able to remove the plite731.exe file that wasn't showing up even in Safe Mode, I booted the system from a Slax Linux 5.1.8.1 LiveCD. I found the Windows partition under /mnt/sda2. When I looked in the WINDOWS directory, the file wasn't there, so, even though BitDefender indicated that its attempt to move the file failed, it was apparently deleted, perhaps after I rebooted.
I tried to delete mljjh.dll after remounting /mnt/sda2 in read-write mode using the command mount -o remount rw /mnt/sda2, since it was mounted in read-only mode (you can view the mode with cat /etc/mtab). But even though /dev/sda2 was then listed as being mounted rw, I still got a message saying I couldn't remove the file, because of a "read-only file system". I did note the file permissions on the file were 400, i.e. read-only access for the owner, which I couldn't change.
The in-kernel ntfs driver that live CDs of that era shipped can only overwrite existing files in place without changing their size; it cannot create, delete or resize files even on an rw mount, so an unlink fails regardless of permissions. Deleting a file from a live CD needs a driver with full NTFS write support such as ntfs-3g.
I rebooted Windows into Safe Mode and logged on as the administrator. I checked the permissions on mljjh.dll by right-clicking on it and choosing Properties and found it wasn't marked as read-only. I still couldn't delete it, so I ran Sysinternals' Process Explorer. When I asked it to "Find Handle or DLL" and searched for mljjh.dll, it showed lsass.exe and explorer.exe were using it, which was why I couldn't delete it.
I ran regedit and looked for any reference to it in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. I didn't see any, but I did see a reference to kmdsrngm.exe, which was malware previously deleted (the file is no longer in C:\WINDOWS\system32). I deleted the registry reference.
Value name: {51-10-05-52-ZN}
Type: REG_SZ
Value data: C:\WINDOWS\system32\kmdsrngm.exe CHD001
I also deleted a TA_Start shortcut I found in the Startup group on the system. The target for the shortcut was C:\WINDOWS\system32\kmdsrngm.exe CHD001. The shortcut was in C:\Documents and Settings\TEMP\Start Menu\Programs\Startup and had a timestamp of 12/05/2007 7:11 PM.
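The Run-key entries found so far (Windows update loader, SystemSv12, plite731 and {51-10-05-52-ZN}) share traits that a triage script can check without a signature database. The following is an added example, not code from this page or from any of the tools it mentions: it parses a regedit export of the Run keys (a constructed sample containing the entries reported above plus one hypothetical legitimate entry, ExampleVendorTray, for contrast) and flags values whose executable sits directly in the Windows directory, lives under a temp directory, is missing from a constructed stand-in for a walk of the disk, or has a vowel-less or letter/digit-interleaved name. Real regedit exports are UTF-16 text, so open them with encoding="utf-16" before passing them in.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Set, Tuple

# Constructed regedit export of the two Run keys. The value names and paths
# are those reported on this page; "ExampleVendorTray" is a hypothetical
# legitimate entry added for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemSv12"="C:\\WINDOWS\\system32\\newmaxxsv234.exe"
"plite731"="C:\\WINDOWS\\plite731.exe"
"{51-10-05-52-ZN}"="C:\\WINDOWS\\system32\\kmdsrngm.exe CHD001"
"winshow"="C:\\WINDOWS\\winshow.exe"
"ExampleVendorTray"="\"C:\\Program Files\\Example Vendor\\tray.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows update loader"="C:\\Windows\\xpupdate.exe"
'''

# Constructed stand-in for a directory walk of the disk (lower-cased full paths).
# plite731.exe is deliberately absent, as a hidden file would be, and the
# kmdsrngm.exe and winshow.exe files have already been deleted.
ON_DISK: Set[str] = {
    r"c:\windows\xpupdate.exe",
    r"c:\windows\system32\newmaxxsv234.exe",
    r"c:\program files\example vendor\tray.exe",
}

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, command_line) for string values under ...\\Run keys."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        km = KEY_LINE.match(line)
        if km:
            key = km.group("key")
            continue
        if key is None or not key.lower().endswith("\\run"):
            continue
        vm = VALUE_LINE.match(line)
        if not vm:
            continue
        data = vm.group("data")
        if not (data.startswith('"') and data.endswith('"')):
            continue  # dword:/hex: values are not command lines
        entries.append((key, _unescape(vm.group("name")), _unescape(data[1:-1])))
    return entries


def command_path(command_line: str) -> str:
    """Executable path from a Run value: the quoted part, or everything up to .exe."""
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return command_line[1:end] if end > 0 else command_line[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", command_line, re.IGNORECASE)
    return m.group(1) if m else command_line.split()[0]


VOWELS = set("aeiouy")


def looks_random(stem: str) -> bool:
    """Heuristic for generated names: no vowels at all, or letters and digits interleaved."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if letters and not any(c in VOWELS for c in letters):
        return True
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isalpha() != b.isalpha())
    return flips >= 3


def triage(entries, windir: str, temp_dirs: List[str], on_disk: Set[str]) -> Dict[str, List[str]]:
    """Map each Run value name to the indicators it trips (an empty list means none tripped)."""
    findings: Dict[str, List[str]] = {}
    windir_l = str(PureWindowsPath(windir)).lower()
    for _key, name, command_line in entries:
        path = PureWindowsPath(command_path(command_line))
        path_l = str(path).lower()
        flags = []
        if str(path.parent).lower() == windir_l:
            flags.append("in_windir_root")   # legitimate software rarely installs into C:\WINDOWS itself
        if any(path_l.startswith(t.lower()) for t in temp_dirs):
            flags.append("in_temp")          # autostart out of a temp directory
        if path_l not in on_disk:
            flags.append("missing_on_disk")  # dangling entry, or a file something is hiding
        if looks_random(path.stem):
            flags.append("random_name")
        findings[name] = flags
    return findings


def run_example() -> Dict[str, List[str]]:
    entries = parse_run_values(SAMPLE_REG)
    return triage(entries, r"C:\WINDOWS",
                  [r"C:\Documents and Settings\TEMP\Local Settings\Temp"], ON_DISK)


if __name__ == "__main__":
    for name, flags in run_example().items():
        print(f"{name!r}: {', '.join(flags) if flags else 'no indicators'}")
```

The SystemSv12 entry pointing at newmaxxsv234.exe trips none of these indicators, which is the point of the contrast: an empty flag list is a reason to hash the file and look it up, not a clean bill. A Run value whose target is reported missing while its process is running, as happened with plite731.exe, is the hidden-file case from earlier on this page.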
I downloaded and installed CWShredder, which is now provided by Trend Micro. CWShredder searches for and removes CoolWebSearch malware. CoolWebSearch is a name given to a variety of browser hijackers, which redirect users to coolwebsearch.com and other sites associated with the malware developer.
Symptoms of a CoolWebSearch infection may include the following:
When I ran CWShredder v2.19 while booted into Safe Mode, it did not find any evidence of CoolWebSearch malware on the system.
When I had CWShredder generate a system report, I saw it listed BHO:[BndDrive2 BHO Class]C:\WINDOWS\system32\mljjh.dll under "Browser Helper Objects". It also listed RUN:[winshow]C:\WINDOWS\winshow.exe under "Run Keys". Winshow.exe is malware, also. The key is still in the registry, but the file is no longer on the system. According to CastleCops it is added to a system by Troj/VB-DXP. I manually removed the registry entry with regedit.
Since BitDefender identified mljjh.dll as being associated with Adware.Virtumonde.GGZ, I downloaded VundoFix V6.7.0 by Atribune from www.atribune.org and scanned the system with it. VundoFix.exe is a removal tool developed to remove Virtumonde infections. It listed the following files:
C:\windows\system32\hjjlm.bak1
C:\windows\system32\hjjlm.ini
c:\windows\system32\mljjh.dll
c:\WINDOWS\system32\urqqonn.dll
Note that hjjlm is mljjh spelled backwards; Vundo variants commonly pair their DLL with .ini and .bak companion files named that way. The last file, c:\WINDOWS\system32\urqqonn.dll, wasn't showing up in Windows Explorer or when I issued a dir command at a command prompt, even though I was in Safe Mode.
Note: VundoFix also stores this list of files in \VundoFix Backups\addmorefiles.txt.
As had been happening since I started working on the system, the Windows Explorer crashed periodically while I scanned and afterwards, though it was restarting automatically, which had not happened on some prior crashes. Sometimes there was less than a minute between the Explorer crashing and restarting.
I had VundoFix remove the files and then rebooted the system. I still got the same error when I issued the ipconfig command afterwards, but I wasn't expecting that to change.
I saw the message below regarding the McAfee Personal Firewall when I logged into the system.
Shortly thereafter, I saw the message below:
The Windows SecurityCenter is showing the firewall is turned off, but Automatic Updates and Virus Protection is on. I clicked on the McAfee warning balloon, which opened the McAfee SecurityCenter. I clicked on the Fix button within it, but got the message "One or more problems cannot be fixed because of an error."
I opened Spybot Search & Destroy again and looked at the ActiveX, BHOs, and Winsock LSPs. All of the ActiveX applications looked legitimate and all of the Winsock LSP entries had a checkmark in a green circle next to them indicating that Spybot regards them as innocuous. But when I checked the BHOs, I saw two unclassified entries that appeared to be illegitimate (see Spybot BHOs).
Note: you must switch to Advanced mode and click on Tools in Spybot to see the ActiveX applications, BHOs, and Winsock LSPs.
One BHO, which was in bold black, indicating it isn't in Spybot's database, was for mljjh.dll; the file was removed by VundoFix, but the registry entry remained. I selected the mljjh.dll BHO in Spybot and clicked on the Remove button to remove the registry reference to it.
The other BHO I wasn't confident was innocuous had a name of BndDrive2 BHO class. The file associated with it was C:\Program Files\ISM\BndDrive5.dll. When I checked the ISM folder, I found the following files within it.
Name | Date Modified |
---|---|
BndDrive5.dll | 9/27/2007 12:49 PM |
bndloader.exe | 9/15/2007 12:59 PM |
ism.exe | 9/15/2007 12:59 PM |
Uninstall.exe | 10/23/2007 3:08 PM |
The fact that the Uninstall.exe file has a timestamp of October 23, 2007 3:08 PM makes me inclined to view the files in the directory with suspicion, since it seems to have arrived at the same time as a load of malware.
When I analyzed ism.exe with FileAlyzer and listed the strings within the file, I saw the following:
ISM will now connect to the internet and detect a speed of your connection.
This will take several seconds. Are you sure you want to proceed?
You have ran the test already. Please wait for results.
Internet Speed Monitor
The grammatical errors incline me to suspect the developer may not be a native English speaker.
Slightly below that text in the file, I saw http://zredirector.com/ism/speed.php. Checking on the URLs listed in the file with FileAlyzer, I saw two.
http://zredirector.com/ism/datafile.dat
http://zredirector.com/ism/speed.php
CastleCops labels this BHO as BHO/CLSID/Toolbar Deep Dive and classifies it as "Certified spyware/foistware, or other malware".
The CastleCops entry on this malware references BndDrive6.dll, whereas BndDrive5.dll is the file present on this system, but that appears just to be an indication of a different version of the same malware.
The zredirector.com domain is listed in the Malware Domain List.
In addition to the C:\Program Files\ISM directory there was also a C:\Program Files\ISM2 directory. Both had a "Date Modified" date of 10/23/2007 3:08 PM. The only file in the ISM2 directory was ISMPack6.exe. Analyzing that file with FileAlyzer, when I checked for URLs within it, I saw many referencing srvclsubringstf.net and one referencing srv.clsubring.net (see ISMPack6_exe-URLs). Neither clsubring.net nor the domain srvclsubringstf.net is listed in the Malware Domain List. The registrant for the domain clsubring.net is Domain Park Limited in Germany.
I also checked the DNS-BH list for any entries regarding the domains. The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. The project creates the BIND and Windows zone files required to serve fake replies pointing to localhost for any requests to these domains, thus preventing many spyware installs and reporting. When I checked the domains list provided at that site, I did not find those two domains listed, though I did find zredirector.com listed.
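The string and URL extraction done with FileAlyzer above, and the lookup of the resulting domains against a blocklist, can be scripted. This is an added example, not code from this page or from FileAlyzer: it pulls printable ASCII and UTF-16LE runs out of a byte buffer, finds URLs in them, reduces those to hostnames and checks each against a blocklist with parent-domain matching, so that a host like srv.clsubring.net would match a list entry for clsubring.net. The buffer is a constructed stand-in for the data section of ism.exe, built from the strings quoted on this page (the srv.clsubring.net URL is reduced to its hostname, since the page gives no path), and the blocklist passed in is a one-entry stand-in for the Malware Domain List.

```python
import re
from typing import Iterable, List, Set
from urllib.parse import urlsplit

# Constructed byte blob standing in for the data section of an executable:
# ASCII strings, one UTF-16LE string and URLs, separated by non-printable
# bytes. The text and hostnames are those quoted on this page; the layout
# and the surrounding bytes are made up.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"
    + b"ISM will now connect to the internet and detect a speed of your connection.\x00"
    + b"\x01\x02\x7f"
    + "Internet Speed Monitor".encode("utf-16-le") + b"\x00\x00"
    + b"http://zredirector.com/ism/speed.php\x00\xff\xfe"
    + b"http://zredirector.com/ism/datafile.dat\x00"
    + b"http://srv.clsubring.net/\x00"
)

URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs, then UTF-16LE runs (Win32 binaries carry both), each in file order."""
    found = [m.group().decode("ascii")
             for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    found += [m.group().decode("utf-16-le")
              for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return found


def extract_urls(strings: Iterable[str]) -> List[str]:
    """Unique URLs in first-seen order."""
    urls: List[str] = []
    for s in strings:
        for u in URL_RE.findall(s):
            if u not in urls:
                urls.append(u)
    return urls


def hostnames(urls: Iterable[str]) -> List[str]:
    """Unique lower-cased hostnames in first-seen order."""
    out: List[str] = []
    for u in urls:
        host = (urlsplit(u).hostname or "").lower()
        if host and host not in out:
            out.append(host)
    return out


def is_listed(host: str, blocklist: Set[str]) -> bool:
    """True if the host or any parent domain is on the list (srv.example.com matches example.com)."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def run_example(blocklist: Set[str]):
    """Hostname -> listed? for every URL found in the sample buffer."""
    urls = extract_urls(extract_strings(SAMPLE_BINARY))
    return {h: is_listed(h, blocklist) for h in hostnames(urls)}


if __name__ == "__main__":
    # One-entry stand-in for the Malware Domain List, per the page's finding.
    for host, listed in run_example({"zredirector.com"}).items():
        print(f"{host}: {'LISTED' if listed else 'not listed'}")
```

With the page's finding that only zredirector.com is on the list, the result marks that host and leaves srv.clsubring.net unlisted. For a real file, pass open(path, "rb").read() instead of the sample buffer and load the blocklist from a DNS-BH or Malware Domain List export; a domain not on any list is still worth a WHOIS and a look at what the program sends there.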
Since the software was listed under "Add or Remove Programs" (click on Start, Control Panel, then Add or Remove Programs), I removed it by that method. It had a "last used" date of October 23, 2007 under "Add or Remove Programs". When I started the uninstall I saw a warning that "You are now about to uninstall Internet Speed Monitor. Please close all the Internet Explorer windows to ensure complete uninstallation." I didn't have any open at the time. I saw the uninstall executed C:\Program Files\ISM2\ISMPack6.exe -uninstall. At the end of the uninstall, I was prompted to reboot the system. Prior to rebooting, I checked the BHO list in Spybot. It no longer showed the BndDrive2 BHO class BHO.
Before rebooting, I checked the System Startup list in Spybot to see if it listed anything there that might be dangerous. I saw some entries in yellow, but none in red (see Spybot System Startup Report). When I checked all of those entries, they all appeared to be innocuous. You can check on whether processes may be dangerous at Neuber Software's Windows process and task list or by using their Security Task Manager software.
I noticed a log entry in the McAfee Security Center pertaining to the BndDrive5.dll BHO. The entry referenced process C:\Documents and Settings\TEMP\Local Settings\Temp\~nsu.tmp\Au_.exe (see McAfee - BndDrive5 BHO). At au_.exe on Spyware-Net, I see the file listed as being associated with the SpyFalcon Trojan.
Description of au_.exe: This is a component of SpyFalcon. SpyFalcon is a Trojan disguised as an anti-spyware application. It installs with other Trojans through various security exploits. It typically hijacks the user's desktop, and makes unwanted changes to various user settings.
It is also listed at Spyware Data as possibly being associated with SpyFalcon, though there it is rated as "safe". The file size on the system is 33KB, which doesn't match the file sizes listed on that webpage, but it could just be a different version of one of those. For the SpyFalcon entries on that webpage, I see the location as [%temp%]\~nsu.tmp\. On this system %temp% is C:\Documents and Settings\TEMP\Local Settings\Temp (you can issue the set command to see the value of the temp variable).
An Au_.exe under a ~nsu*.tmp folder is the generic stub that uninstallers built with the NSIS installer toolkit copy into %temp% when they run, which fits its appearance here during the Internet Speed Monitor uninstall; the name by itself identifies the installer toolkit, not the product that used it.
The Spyware Warrior list of Rogue/Suspect Anti-Spyware Products & Web Sites lists SpyFalcon, so I would definitely not consider the presence of any applications associated with SpyFalcon to be safe. The SpyFalcon software is marketed under many different names according to the Spyware Warrior site; I had to fix problems on another system related to this supposed antispyware software in April (see Charlene Infection on April 30, 2007).
SpyFalcon | spyfalcon.com | desktop hijacking, aggressive/deceptive advertising (1); uses inadequate scan/detection scheme; same app as AdwareDelete, AntiVirus Gold, MalwareWiped, SpyAxe, SpyLocked, Spyware Sheriff, SpywareStrike, TitanShield AntiSpyware, & VirusBlast [A: 2-14-06 / U: 2-14-06] |
I scanned the au_.exe file with BitDefender Free Edition 10 (updated Fri Dec 7 1:25:15 2007, signature number 958438) and with ClamWin Free AntiVirus 0.91.2 (updated 01:28 06 Dec 2007). Both reported it as OK. I tried deleting the file anyway, but was unable to, since the Internet Speed Monitor Uninstall window was still open. That window was created by the Au_.exe process when I chose to uninstall the software through "Add or Remove Programs".
A complete scan of the system with the McAfee SecurityCenter 7.2 software on it detected 3 items. The virus definitions for that software were last updated on October 23, 2007, so were about a month and a half out of date. The last scan of the system with the McAfee software was done on October 24, 2007.
Version: 11.2
Build: 11.2.124
Language: en-us
Last Update: 10/23/2007
DAT Version: 5147.0000
DAT Creation Date: 10/23/2007
Engine Version: 5100.0194
When the scan completed, I saw the following:
Number of items scanned: 159854
Number of items detected: 3
Number of items repaired: 0
Number of items quarantined: 0
Number of items removed
Scan Details | |
---|---|
Total Detections: | 3 |
Processes Scanned: | 65 |
Processes Detected: | 0 |
Files Scanned: | 75290 |
Files Detected: | 3 |
Registry Keys Scanned: | 82937 |
Registry Keys Detected: | 0 |
Cookies Scanned: | 1560 |
Cookies Detected: | 0 |
But the only malware detected was Adware-Isearch, which it found in 2 zip files I had stored on a USB thumb drive, which I had left attached to the system, but which I had write protected. I had placed some malware files within zip files, which I copied to the USB thumb drive prior to removing them from the system, so I might use the files for later analysis of the malware.
I clicked on OK in the Internet Speed Monitor Uninstall window to reboot the system. When I did that, the CPU utilization shot up to 100% with services.exe consuming most of the CPU time. After waiting a couple of minutes for the system to reboot, I clicked on Start, Turn off computer and selected Restart to reboot the system.
When I logged into the DCW account after rebooting, I still got the "An internal error has occurred: the request is not supported" error message when I issued the ipconfig command. The additional information listed indicated the problem was "Unable to query host name".
Even though Spybot had not reported any LSP anomalies, I decided to run LSP-Fix, which is a Winsock2 repair utility. LSP-Fix attempts to correct Internet connection problems which have resulted from buggy or improperly removed LSP software, which some malware will install on a system. I placed LSP-Fix 1.1 on the system, but, when I ran it, it reported "no problems found".
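The check LSP-Fix performs can also be done by hand: walk the Winsock catalog and confirm that every service provider's DLL actually exists and sits where a Microsoft provider would. The script below is an added example, not code from the original post or from LSP-Fix. It assumes PowerShell 2.0 or later and the "Description:" / "Provider Path:" line layout that `netsh winsock show catalog` prints on XP SP2 and later (an assumption; compare one entry by hand on the target system).

```powershell
# Added example, not part of the original post: parse the output of
# "netsh winsock show catalog" and flag layered service providers whose DLL
# is missing or lives outside %SystemRoot%\system32. Assumes PowerShell 2.0+
# and the "Description:" / "Provider Path:" line layout netsh prints on XP SP2
# and later (an assumption; check one entry by hand on the target system).

function Get-WinsockProviders {
    param([string[]]$CatalogLines)      # lines from: netsh winsock show catalog

    $system32  = (Join-Path $env:SystemRoot 'system32').ToLower()
    $providers = @()
    $description = $null

    foreach ($line in $CatalogLines) {
        if ($line -match '^\s*Description:\s*(.+?)\s*$') {
            $description = $Matches[1]
        }
        elseif ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
            # netsh prints the path with %SystemRoot% etc. unexpanded.
            $path = [Environment]::ExpandEnvironmentVariables($Matches[1])
            $providers += New-Object PSObject -Property @{
                Description = $description
                Path        = $path
                Exists      = [bool](Test-Path -LiteralPath $path)
                InSystem32  = $path.ToLower().StartsWith($system32)
            }
        }
    }
    return $providers
}

# Run it against the live catalog.
$catalog   = netsh winsock show catalog
$providers = Get-WinsockProviders $catalog
$providers | Format-Table Description, Path, Exists, InSystem32 -AutoSize

$suspect = $providers | Where-Object { -not $_.Exists -or -not $_.InSystem32 }
if ($suspect) {
    "Providers to review (missing DLL or outside system32):"
    $suspect | Format-Table Description, Path, Exists -AutoSize
} else {
    "All Winsock service providers resolve to existing DLLs under system32."
}
```

A provider whose DLL no longer exists (typically because an antispyware tool deleted the LSP without unregistering it) is exactly the condition that breaks name resolution and that LSP-Fix repairs; on XP SP2 and later, `netsh winsock reset` rebuilds the catalog to its default state as an alternative.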
At networking and internet connection problem, I found someone reporting the same error message when he issued the ipconfig command. One person who responded stated that the problem could be due to a missing or altered tcpip.sys file, which could be removed by an antivirus program if the program determined the file was infected. I searched the Windows directory and its subdirectories for tcpip.sys, but could not find it. The system, which is running Windows XP Home, has Service Pack (SP) 2 on it, so it should have the tcpip.sys file, which SP2 modified to limit the number of concurrent incomplete (half-open) outbound TCP connection attempts to 10 [Note: that number can be changed by patching tcpip.sys as outlined in Windows XP SP2 additional tweaking information or by following the instructions at Patching TCPIP.SYS and how it affects P2P performance].
So I then checked the McAfee Quarantined and Tracking Cookies information to see if, perhaps, that software had quarantined it. But it did not appear to have done so. When I checked on what had been quarantined in October, I saw only cookies listed up until October 23. On that day, McAfee quarantined the following:
Detection Name: Dialer-257
Removed Date: 10/23/2007 8:16:50 PM
Items:
The above file was listed 3 times. The first two entries had the same timestamp, while the third entry had a timestamp 30 minutes later; perhaps the file was resuscitated by the malware with which it was associated.
I also found the following entry for October 23:
Detection Name: Adware-Zeno
Removed Date: 10/23/2007 8:18:41 PM
Items:
There was also an entry for October 24.
Detection Name: Winfixer
Removed Date: 10/24/2007 2:49:11 PM
Items:
There were no other entries until I had McAfee remove Adware-Isearch on December 9.
Ad-Aware SE was on the system, so I started it. At startup, I was informed that its malware definitions were 431 days old. The definitions file was listed as SE1R125 06.10.2006. I found the last system scan with Ad-Aware was performed on October 11, 2006, i.e. more than a year prior to the current infections. When I checked the Ad-Aware quarantine items, I found only cookies listed.
While I was simply viewing the list of quarantined items for Ad-Aware, a window popped up informing me that "'C:\WINDOWS\system32\services.exe' terminated unexpectedly with status code -1073740972" and the system rebooted.
After logging back in, I went to System Information (click on Start, select Accessories, then System Tools, and then System Information). I looked under Problem Devices, but didn't see anything listed. When I clicked on Network and then selected Adapter, nothing was listed, i.e. the network adapter for the system was not listed. Yet the Device Manager shows a Broadcom 440x 10/100 Integrated Controller in the system and there is a network port on the back of the laptop. The Device Manager doesn't show any problems for the Broadcom network adapter.
I checked the Recycle Bin for the missing tcpip.sys, but it wasn't there either. I had searched for the file by clicking on Start then Search. When I tried looking for it from a command prompt, I did find prior versions, which had been backed up to uninstall directories during the installation of patches, e.g. C:\WINDOWS\$hf_mig$\KB913446\SP2QFE. But there was no instance of it in \Windows\System32\drivers, where it should be located.

At Signs of a corrupt tcpip.sys, I found someone reporting encountering the same problem with several systems having a corrupted or missing tcpip.sys file. As suggested there, I copied a tcpip.sys file from a Windows XP Professional Service Pack 2 system (a tcpip.sys file from XP Professional should work on an XP Home system and vice versa) and used a USB thumb drive to transfer it to the laptop I was working on. The file was dated April 20, 2006 and was 359,808 bytes in size.
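The search for the missing driver and its backup copies can be scripted so that the same check is repeatable on the next machine. The following is an added example, not code from the original post. It assumes PowerShell 2.0 or later; the directory names it mentions beyond System32\drivers ($hf_mig$, ServicePackFiles, dllcache) are simply the places Windows XP normally keeps spare copies of system files, and the script finds them by recursive search rather than relying on those names.

```powershell
# Added example, not part of the original post: report whether tcpip.sys is
# present where the TCP/IP stack loads it from, and list every other copy
# under %SystemRoot% (hotfix backups under $hf_mig$, ServicePackFiles,
# dllcache) that could serve as a restore source. Assumes PowerShell 2.0+.

function Get-TcpipDriverCopies {
    param([string]$Root = $env:SystemRoot)

    $livePath = Join-Path $Root 'System32\drivers\tcpip.sys'
    Get-ChildItem -Path $Root -Filter tcpip.sys -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build a sortable System.Version from the numeric parts, because
            # FileVersion strings carry build tags such as "(xpsp_sp2_gdr...)".
            $ver = New-Object -TypeName Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            New-Object PSObject -Property @{
                Path       = $_.FullName
                Bytes      = $_.Length
                Modified   = $_.LastWriteTime
                Version    = $ver
                Company    = $vi.CompanyName
                IsLiveCopy = ($_.FullName -ieq $livePath)
            }
        }
}

$copies = @(Get-TcpipDriverCopies)
$copies | Sort-Object Path | Format-Table Path, Bytes, Modified, Version, IsLiveCopy -AutoSize

if (-not ($copies | Where-Object { $_.IsLiveCopy })) {
    "tcpip.sys is missing from System32\drivers. Candidate sources, newest first:"
    $candidates = @($copies | Sort-Object Version -Descending)
    $candidates | Format-Table Path, Version, Bytes, Company -AutoSize
    # To restore, copy the newest candidate into place. -WhatIf only shows the
    # copy that would happen; remove it once you are satisfied with the source.
    if ($candidates.Count -gt 0) {
        Copy-Item -LiteralPath $candidates[0].Path `
                  -Destination (Join-Path $env:SystemRoot 'System32\drivers\tcpip.sys') -WhatIf
    }
}
```

The Bytes and Version columns give you the same two facts the post uses to describe the replacement file (date and size) plus the version resource, so a copy taken from another machine can be compared against the backups already on the disk before it is dropped into System32\drivers. A reboot is still needed for the stack to load the restored driver.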
When I rebooted, McAfee reported "New Network Detected". It then showed the IP configuration for the wireless network connection. After I answered the prompt regarding trusting that network, I also saw a similar "New Network Detected" message for the wired connection I had between the laptop and my router. And when I ran ipconfig, I saw the IP information for both the "Ethernet adapter Local Area Connection" and "Ethernet adapter Wireless Network Connection". Yeah!
I ran BitDefender and ClamWin and had both update their malware definitions. I then installed the following Microsoft patches using Automatic Update.
I configured Spybot to "download updated include files if available online." I then downloaded and installed the latest updates for Spybot.
I also checked for updates for Bazooka Scanner, but there was no later update available for it. I scanned the system again with it. It reported "nothing detected".
I also checked the McAfee security software. It now showed the last update check to be December 12, 2007.
Since I started working on the system, Sonic Update Manager runs when I log in to the DCW account, but it can't complete, since it can't find files it needs. The message "The feature you are trying to use is on a CD-ROM or other disk that is not available" appears. When I cancel the installation, the message "An installation package for the product Sonic Update Manager cannot be found. Try the installation again using a valid copy of the installation package 'UM.MSI'." appears.
Checking the process associated with the application using the Task Manager, I see it is agent.exe. The file is located at C:\Program Files\Common Files\InstallShield\UpdateService. It may be started by isuspm or issch, which are both in the same directory and which I see listed in the Startup section of the System Configuration Utility (run msconfig).
I found others reporting the same problem at New Dell laptop error: Insert the Sonic Update Manager disk and click OK and the fix and at Sonic update manager. Since I also had to work on a Gateway laptop that wouldn't boot into Windows, I simply went into Add or Remove Programs and removed Sonic Update Manager. I rebooted the system and logged in again to verify that the problem no longer occurs.
When I checked the Services section under the System Configuration Utility, I found DSBrokerService listed with a value of "unknown" for the manufacturer. CastleCops has a description of "Related to Dell_Support Offer additional support. Note: Located in C:\Program Files\DellSupport\" for it. The command associated with the service is brkrsvc.exe.
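An "unknown" manufacturer in msconfig just means the service's executable carries no publisher in its version resource, which is also what you get when the binary has been replaced or is missing. The script below, an added example rather than code from the original post, ties every service to its image file and reports the publisher recorded there, so an entry like DSBrokerService can be checked against its binary (brkrsvc.exe under C:\Program Files\DellSupport\ in this case) in one pass. It assumes PowerShell 2.0 or later and WMI access; the unquoted-path heuristic in Resolve-ServiceImage is the script's own.

```powershell
# Added example, not part of the original post: list services together with
# the publisher recorded in their executable's version resource, so entries
# that msconfig shows with an "unknown" manufacturer can be tied to a binary
# and inspected. Assumes PowerShell 2.0+ and WMI access.

function Resolve-ServiceImage {
    param([string]$PathName)          # raw ImagePath, e.g. "C:\x\a.exe" -k args
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted path: take everything up to the first ".exe" (a heuristic;
    # unquoted paths containing spaces are themselves worth flagging).
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $PathName.Trim()
}

function Get-ServicePublisherReport {
    Get-WmiObject Win32_Service | ForEach-Object {
        $image   = [Environment]::ExpandEnvironmentVariables((Resolve-ServiceImage $_.PathName))
        $exists  = [bool](Test-Path -LiteralPath $image)
        $company = $null
        if ($exists) {
            $company = (Get-Item -LiteralPath $image).VersionInfo.CompanyName
        }
        New-Object PSObject -Property @{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Image     = $image
            Exists    = $exists
            Company   = $company
        }
    }
}

$report = @(Get-ServicePublisherReport)
$report | Sort-Object Name | Format-Table Name, State, StartMode, Company, Image -AutoSize

"Services whose binary is missing or carries no publisher in its version info:"
$report | Where-Object { -not $_.Exists -or [string]::IsNullOrEmpty($_.Company) } |
    Sort-Object Name | Format-Table Name, State, StartMode, Image -AutoSize
```

Services hosted in svchost.exe all resolve to Microsoft's svchost.exe here; their actual code is the ServiceDll named under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters, which is where to look next for those entries.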
After verifying that no further problems seemed to be affecting the DCW account on the system, I logged into the DMW account. I saw the Active Desktop Recovery desktop display. When I clicked on Restore my Active Desktop, I received the message "An error has occurred in the script on this page" with an error of "Object doesn't support this action" listed. I chose to continue running scripts on the page. The desktop display did not change. So I just right-clicked on the desktop, chose Properties, clicked on the Desktop tab, then clicked on Customize Desktop, and then clicked on the Web tab. For Web pages, I saw "My current Home Page", but it was already unchecked, so I clicked on it to check it and then clicked on OK and then OK again. I then saw an AOL page displayed. I logged off and then logged on again just to make sure the page would display correctly for subsequent logins.
I performed an image backup of the disk drive in the system to an external USB drive using Symantec's Norton Ghost 2003 (see Ghost Backup Info 2).
References: