Tue, Sep 20, 2005 11:58 pm

RB Laptop Infections

I was given a laptop running Windows XP Home Edition with a report that it was badly infected. Norton AntiVirus 2005 was installed on the system. It was displaying alerts that the system was infected with W32.Desktophijack.

I installed Bazooka Adware and Spyware Scanner 1.13.03 on the system and updated its database to the September 20, 2005 version. It found the following malware:

Exploit ebs.fuck-access.com
Exploit crackzws-1
Exploit Lookforthe.net

For "Exploit ebs.fuck-access.com", I checked Bazooka's manual removal instructions, which suggested starting the system in safe mode and checking for various registry keys and files. I didn't find any of the listed registry keys, but I did find two of the files: c:\windows\system32\oleadm.dll and c:\windows\system\wp.bmp. I submitted oleadm.dll to Jotti's Online Malware Scan for analysis. The report I received showed that many of the 14 antivirus programs Jotti uses detected the file as being part of a trojan.

I generated a log in Bazooka and examined it. It listed only C:\Windows\System32\wp.bmp as being associated with "Exploit ebs.fuck-access.com"; it didn't list oleadm.dll, even though the removal instructions advised removing that file if it was found. Symantec was reporting W32.Desktophijack. Its webpage for that malware indicates that wp.bmp is associated with W32.Desktophijack, but it doesn't list the other files that Bazooka reports are associated with "Exploit ebs.fuck-access.com". I had to remove oleadm.dll as well as wp.bmp before Bazooka no longer detected "Exploit ebs.fuck-access.com" on the system.

I replaced the infected wininet.dll file with an uninfected copy of the file that was in c:\i386 (see W32_Desktophijack - September 17, 2005 for the MD5 checksums for the infected and uninfected versions of the file and additional information).

For the "Exploit crackz.ws 1" infection, I checked under "Add or Remove Programs" for "Content Delivery Module", "Internet Update", "OIN", "PSGuard" or "UCMore - The Search Accelerator", which the Bazooka webpage indicated are associated with this malware, but didn't find any of those. However, I had noticed a deleted shortcut for PSGuard in the Recycle Bin, and there was an empty "C:\Program Files\PSGuard" directory with a timestamp of 8/3/2005 6:18 PM. Apparently the software had been on the system but was deleted by the user. When I deleted that directory, Bazooka no longer reported the presence of "Exploit crackz.ws 1".

To remove "Exploit Lookforthe.net", I followed the removal instructions provided by Kephyr. I started the system in Safe Mode and then ran the registry editor, regedit. I didn't see an Olympic key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, but I did see an intell32.exe key with a value of "C:\WINDOWS\System32\intell32.exe". I deleted the key and removed the file from the system. That file had a timestamp of 9/20/2005 11:14 PM and was 6,144 bytes. The creation date was Saturday, August 27, 2005 1:49:48 AM. I also found one of the other files listed on the Kephyr page as being associated with this malware, oleext.dll. It was also in the "C:\WINDOWS\system32\" directory. At SpyWare BeWare! -> PSGuard, I found a reference to this file being linked to "Trojan.Desktophijack.C". The Symantec webpage indicates this is another piece of malware that attempts to dupe unsuspecting users into downloading antispyware software by displaying a warning message that the system is infected. In reality the user's system is indeed infected - by this malware itself. Clicking on the link in the displayed message takes the user to a download.psguard.com webpage. I deleted oleext.dll. I didn't see any of the other files Kephyr's site reported as associated with this malware. I then went into Internet Explorer, went to "Tools", selected "Programs", and then "Reset Web Settings".

After removing the intell32.exe registry entry and the intell32.exe and oleext.dll files, I rescanned the system with Bazooka Adware and Spyware Scanner. It reported "Nothing Detected".
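The manual checks above (auditing the Run key for unexpected entries such as intell32.exe, recording a suspect file's size and timestamps, and comparing the live wininet.dll against the copy in c:\i386 by MD5) can be scripted. The following is an added example, not code from the original post or from Bazooka, Kephyr or Symantec; it assumes a modern PowerShell (Get-FileHash needs 4.0 or later) and that the reference DLL is at C:\i386\wininet.dll.

```powershell
# Added example: audit HKLM Run entries and verify a system DLL against a
# reference copy. Paths below are assumptions for illustration.
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunEntryReport {
    # For every value under the Run key, resolve the image path (first quoted
    # token, else first whitespace-delimited token), expand %VARS%, and report
    # existence, size, timestamps, MD5 and Authenticode status.
    $props = Get-ItemProperty -Path $RunKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $ProviderProps) { continue }   # skip provider metadata, not real entries
        $cmd  = [string]$p.Value
        $path = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $path = [Environment]::ExpandEnvironmentVariables($path)
        $exists = if ($path) { Test-Path -LiteralPath $path } else { $false }
        $item = if ($exists) { Get-Item -LiteralPath $path } else { $null }
        [pscustomobject]@{
            Name      = $p.Name
            Command   = $cmd
            Path      = $path
            Exists    = $exists
            Bytes     = if ($item) { $item.Length } else { $null }
            Created   = if ($item) { $item.CreationTime } else { $null }
            Modified  = if ($item) { $item.LastWriteTime } else { $null }
            MD5       = if ($item) { (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash } else { $null }
            Signature = if ($item) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { $null }
        }
    }
}

function Test-DllAgainstReference {
    # Compare the live DLL with a known-good copy; a mismatch is the signal the
    # post relied on before replacing wininet.dll from c:\i386.
    param(
        [string]$Live      = "$env:SystemRoot\System32\wininet.dll",
        [string]$Reference = 'C:\i386\wininet.dll'   # assumed install-cache location
    )
    $liveHash = (Get-FileHash -LiteralPath $Live -Algorithm MD5).Hash
    $refHash  = (Get-FileHash -LiteralPath $Reference -Algorithm MD5).Hash
    [pscustomobject]@{
        Live    = $Live
        LiveMD5 = $liveHash
        RefMD5  = $refHash
        Matches = ($liveHash -eq $refHash)
    }
}

Get-RunEntryReport | Format-Table -AutoSize
Test-DllAgainstReference
```

Run entries whose image lives in System32 but carries no valid signature, like the intell32.exe entry found here, are worth inspecting first; a hash mismatch on wininet.dll tells you to replace the file before trusting the browser again.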

I then rebooted the system normally only to find Norton AntiVirus now displaying the message "Norton AntiVirus 2005 does not support the Repair feature, please uninstall and reinstall." I rebooted again and the message didn't reappear.
