Author Topic: Malware fixes and work-arounds!  (Read 124484 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Malware fixes and work-arounds!
« on: July 31, 2008, 11:42:00 PM »
Facts to better write your malware-fix

Identification of malware

When you start getting involved in malware fighting, recognizing certain infections is hard. Every infection has specific characteristics. There are sites where you can find descriptions of various infections.

1. Read a log several times to get a good grasp of what it has.

2. Using Google or the Castlecop database or a good online hjt analyzer page the lines can be found that should be fixed.

3. Important about filtering is that it can be a further indication of the malware at hand. Many malware infections demand more of you than just simply end a process.

Most databases like castlecops give links to further information about the specific infection.
Then you can also find interesting information here. The most important resource for information always is Google. You stand on the shoulders of many malware fighters in what you do. How did others handle a similar infection on a reliable help site.

Read a hijackthis-log/

From a line of a hijackthis log you can see what it is?

Take this line for instance:
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

A 04-line consists of a name of a process and the name of a program.
O4 - HKLM\..\Run: [Program-name] "C:\Program Files\map\proces.exe"
In the Castlecops database look for a process named nwiz.exe 3 posible variants.
All have a different program-name. So the combination gives you the key. In this case nwizz.exe is part of nVidia graphics cards drivers.

Do's and don't's

1. Clean the computer with standard scanners before anything else.

Hijackthis is brought in as other methods did not solve the problems. Then HJT is not finding all..
By using various reliable malware scanners a lot can be taken off. Maybe the problem is solved completely.
But when everything fails we use a "dangerous" program like  hijackthis.
There are cleansing routines to state how a PC is cleansed correctly.

2. Never fix with a hjt program that has not been updated to the latest version, and hijackthis.exe has been placed in the right file. An older version of hijackthis misses things and messes your cleansing up.
Hijackthis.exe should be unzipped te zijn and put in a non-temperal file. This to prevent to loose backups.

3. Never start a fix with systemrestore disabled.
You reset system restore only after the PC is fully cleansed. not earlier. If something goes wrong, you have nothing to cling to. Step 7 describes how you can reset system restore.

4. Hijackthis is NO scanner.

Fixing wrong lines with Hijackthis is not sufficient to cleanse all malware. Sometimes we need additional tool,or manual removing processes can be necessary in severe cases.
 
Only fixing the 02-lines takes the processes out, but with exemptions.

5. As a rule of thumb leave all 016-lines unfixed.
Most 016-lines are completely harmless and useful even. A database will give you the malware ones.

6. (file missing) does not always equals that file is actually missing.
In a hijackthis-log you may find (file missing) behind a line. These are mostly 02, 03, 09 or 023-rules.
Normally only for 02- and 03-lines this can be taken as a fact, in other cases it is dubious.
This is a known bug in Hijackthis. As a rule 09 and 023-regels with (file missing) can be left alone,
only when it is not known malware, then the files that come with it should be fixed.
When in doubt about a (file missing) you can check if the process is active in "running processes".

7. Manually changing the register is a matter of last resort and a final option.
It is utterly dangerous for the victim without experience to have a go at the registry.
A small mistake can make that the PC will misfunction or halts.
When all scanners fail,  hijackthis and other tools fail, it is better to write a register fix for the victim.
When this also fails, manual registry alterations are allowed, but back-up the registry first, and fully instruct.
 
8. Do not take a process out before you have identified it to be bad, and know what it is and does.

When in doubt, and no database to go by, these options are still open to you.
- Have a file scan by uploading it to Jotti, or Virustotal and look at the results, more results more likely to be malware.
- Look what firm made the file.
- Rename the file in question and move to a backup-file. If it is essential you can put it back later.

9. Never fix a 010-line using hijackthis
This may corrupt winsock, and you loose your internet connection.
Better to use LSPFix or Winsockfix for these purposes.

10. At the end of your malware topic. give some further security tips to prevent re-infection.
Tell them they need a FW and one resident AV scanner. For us we are avast evangelists! And stress the importance of patching windows and other software.

Outline of your fix

Every fix is different, but generally this is a good outline.

1. We welcome those that seek help from us.
Tell them not to panic, tell them all will be well in the end.

2. Let them know what infection they have, and when known how they were infected.

3. When hijackthis.exe is in a wrong folder, it should be placed in the right one.

4. Let them download the tools necessary to fight the malware at hand.

5. Let them make hidden files visible, so they can be found and deleted.

6. Deinstall infections through configuration screen > software. A better option than manual uninstall.
Do not forget to restart after every uninstall. There are lists for easily to uninstall malware programs.

7. Have your instructions printed for further instruction as a txt.file. This because the rest of the cure should be dome in SafeMode.

8. When a PC has various infections, it is better to have the victim start up his PC in SafeMode.
In SafeMode malware processes responsible for the infection are non-active, so easier to be deleted.

9. Have the malware-lines fixed with Hijackthis. Do not forget that all othr windows and programs should be closed, before fix checked can be entered.
 
10. Have all malware folders and files deleted.

11. In SafeMode also clean temp-folders, where malware can reside.
A new scan can be better performed that way.

12. Have the PC restart in normal mode

13. Perform an online scan or a DrWebCureIt scan for instance.

14. Tell what logs you like to have attached.
Ask whether the victim encountered further problems.

15. Wish the victim all the best and thank them for coming here for help.
- Make you fix readable by using bold, italics etc. and numerics.
- Many that come here for help are not very computer savvy. Be precise and simple in your instructions.

If at a certain point your malware cleansing routine may take a wrong turn, ask for help from the experienced malware fighters here.
No one will blame you, now dive into it, and try to help others,

polonus (malware fighter)

P.S. hijackthis manual: http://hometown.aol.co.uk/jrmc137/index.htm

A very good link to an extensive hijackthis manual can be found here:
http://www.malwarehelp.org/understanding-and-interpreting-hjt1.html
« Last Edit: December 24, 2009, 08:28:49 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

wyrmrider

  • Guest
Re: How to better write your malware-fix and using hijackthis!
« Reply #1 on: August 02, 2008, 04:22:19 AM »
here's what charlie at Maddoktor2 has to say

Here's how to post a HiJackThis log:
First please
Register and Login.
Then......
Please download HiJackThis into its own permanent folder,
example: C:\HJT\HiJackThis.exe, C:\Program Files\HJT\HijackThis.exe or C:\MyDocuments\HJT\HijackThis.exe

Please Note:
You can get a complete installer that installs HijackThis to C:\Program Files\Trend Micro\HijackThis, makes an entry in the start menu and also providing a desktop shortcut from HERE

Double click on it to open it up, hit the Do a system scan and save log button, WordPad or NotePad will open and it will be saved in the folder, copy and paste the entire log into your New Post. (use edit > select all > copy > paste it into a New Post)

7. Along with your HijackThis log, please post a log from this free tool as well:
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

   1. Close all applications and windows.
   2. Double-click on dss.exe to run it, and follow the prompts.
   3. When the scan is complete, two text files will open - main.txt<- this one will be maximized
      and extra.txt<-this one will be minimized
   4. Copy and paste the contents of main.txt and the extra.txt to your post. in your reply

Good Luck and Please be PATIENT.....we will get to you asap

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: How to better write your malware-fix and using hijackthis!
« Reply #2 on: August 04, 2008, 09:40:28 PM »
Hi malware fighters,

People that have no experience better stay away from analyzing HJT logs and fixing, this should be accompanied by people that know how to do this, here I give you an example:

0CAT YellowPages
Whenever you have this infection, you will get pop-ups from this IP 69.50.160.100.
 
In a hijackthislog you will find:
O2 - BHO: STIEbarBHO Class - {D797AD6C-6447-4DB4-91D0-090344408E72} - C:\Program Files\0CAT YellowPages\STIEbar.dll
O3 - Toolbar: 0CAT Yellow Pages - {679695BC-A811-4A9D-8CDF-BA8C795F261A} - C:\Program Files\0CAT YellowPages\STIEbar.dll
 
Cause of this infection, not visable in the hjt log, is a file to replave webcheck.dll in the system32 folder.
 
How to remove:
The file is also shown in the HJT startuplist under Enumerating ShellServiceObjectDelayLoad items.
False: WebCheck: C:\WINDOWS\system32\msvcrta.dll
Secure: WebCheck: C:\WINDOWS\system32\webcheck.dll
Check if msvcrta.dll can be found.
Go to start - run.
Give in: regsvr32 webcheck.dll
Delete using Killbox or fix with HijackThis C:\WINDOWS\system32\msvcrta.dll or the false file shown following WebCheck.
(met Hijackthis: Config - Misc Tools - Delete a file on reboot)
further info on 0CAT YellowPages spyware infection:

http://www.wilderssecurity.com/showthread.php?t=59940

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: How to better write your malware-fix and using hijackthis!
« Reply #3 on: August 05, 2008, 08:59:55 PM »
Hi malware fighters,

Just another example, this time a not so easy one,

Switch-dialer
Startportal of MS-Connect of…. is a dialer that also hijacks your start page (e.g. 24start.com).
This dialer is owned by ConnectSwitch.
It is a tricky dialer because it changes names regularly.
 
Recognize this infection.
If you are infected with this dialer you can see this in your hijackthislog.
 
MS-Connect:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MS-Connect/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/MS-Connect/Portal/portal.html
O4 - HKLM\..\Run: [MS-Connect] C:\WINDOWS\System32\msite18.exe
O4 - HKLM\..\Run: [MS-Connect] C:\WINNT\System32\cdm.exe
O4 - HKLM\..\Run: [MS-Connect] C:\WINDOWS\System32\game.exe
O4 - HKLM\..\Run: [MS-RunKey] C:\WINDOWS\System32\arr.exe
 
Startportal:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Startportal/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/Startportal/Portal/portal.html
O4 - HKLM\..\Run: [Diskstart] C:\WINNT\system32\code.exe
O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\System32\cat.exe
O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\SYSTEM\HIT.EXE
O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\SYSTEM32\snt.exe
 
QuickPage:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/QuickPage/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/QuickPage/Portal/portal.html
O4 - HKLM\..\Run: [Quicktlme] C:\WINDOWS\System32\ru.exe
O4 - HKLM\..\Run: [Quicktlme] C:\WINDOWS\System32\cp.exe
 
OnlineDirect:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\sed.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\msgplus.exe
 
NowOnline:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/NowOnline/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagine = file:///C:/Program%20Files/NowOnline/Portal/portal.html
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\com.exe
 
FirstEnter:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/FirstEnter/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/FirstEnter/Portal/portal.html
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\dll.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\plugin.exe
 
First2Enter
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/First2Enter/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/First2Enter/Portal/portal.html
O4 - HKLM\..\Run: [Open2Enter] C:\WINDOWS\System32\runme.exe
O4 - HKLM\..\Run: [Open2Enter] C:\WINDOWS\System32\runme2.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\run_21.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\srv.exe
 
Plus18Point
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Plus18Point/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/Plus18Point/Portal/portal.html
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\srv.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\srv2.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\intl.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\int1.exe
 
MStartEnter
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MStartEnter/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/MStartEnter/Portal/portal.html
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\mstar2.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\system32\mstart.exe
 
MStart2Page
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MStart2Page/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/MStart2Page/Portal/portal.html
O4 - HKLM\..\Run: [OpenMstart] C:\WINDOWS\System32\mcmgr32.exe
O4 - HKLM\..\Run: [OpenMstart] C:\WINDOWS\system32\mmgr32.exe
 
EnterOne
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/EnterOne/Portal/portal.html
O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\System32\m2gr32.exe
O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\system32\ntcpl.exe
O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\system32\ntopengl.exe
 
PageOn1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/PageOn1/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/PageOn1/Portal/portal.html
O4 - HKLM\..\Run: [rCron] C:\WINDOWS\System32\rcron.exe
O4 - HKLM\..\Run: [rCron] C:\WINDOWS\System32\dservice.exe
 
Make125
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Make125/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/Make125/Portal/portal.html
O4 - HKLM\..\Run: [sVideo2] C:\WINDOWS\system32\vxdrun6.exe
 
eMakeSV
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagw = file:///C:/Program%20Files/eMakeSV/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/eMakeSV/Portal/portal.html
O4 - HKLM\..\Run: [eMakeSV] C:\WINDOWS\system32\emakesv.exe
O4 - HKLM\..\Run: [eMakeSV] C:\WINDOWS\system32\emake2b.exe
 
NIEUW2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/NIEUW2/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpage = file:///C:/Program%20Files/NIEUW2/Portal/portal.html
O4 - HKLM\..\Run: [NIEUW] C:\WINDOWS\system32\emake2b.exe
 
How to remove:
1. Go to start - Configurationscreen - Software - Change or remove programs.
Uninstall Switch.
 
2. If the uninstall fails, use HijackThis.
End active process, search known entries and fix these using HijackThis.
 
Delete in SafeMode the exe-file and also the folder c:\Program Files\ where Portal can be found.
 
Other variants related to Switch:
 
AtivOpen
A hijackthislog shows:
O4 - HKLM\..\Run: [AtivOpen] C:\WINDOWS\system32\ativopen.exe
O16 - DPF: {5CBF8C22-E9A6-11D7-90FE-000AE4012999} - hxxp://a0e6.ffx23wl.nl/plugins/nl/ativopen.cab
 
How to remove:
Go to start - Configurationscreen - Software - Change or remove programs.
Uninstall AtivOpen.
Fix the O16 using HijackThis.
 
AdServerNow
A hijackthislog shows:
O4 - HKLM\..\Run: [Updater] C:\Windows\system32\adservernow.exe
 
Hoew to remove:
Go to start - Configurationscreen - Software - Change or remove programs.
Uninstall AdServerNow
 
Others:
A hijackthislog shows:
O4 - HKLM\..\Run: [NAP32] "C:\WINDOWS\System32\NAP32.exe"
O16 - DPF: {62C9173E-C4C3-43B9-82F2-3DDD51663B00} - hxxp://pms.localscripts.nl/plugins/nap32/nap32_nl.cab
        
polonus   
   
« Last Edit: August 05, 2008, 09:02:37 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: How to better write your malware-fix and using hijackthis!
« Reply #4 on: September 01, 2008, 01:10:27 AM »
Hi malware fighters,

Today we discuss hijackers:
017 - LOP.com Domain Hijacks
When you are surfing to a website using a hostname in stead of an IP-address, the computer use the DNS-server to translate the host to an IP-address. Some hijackers change the names of DNS servers, so their DNS servers are being used. In this way they can redirect you to whatever site they want.
Internet addresses without dots do not really exist.
It works when you type e.g.google' in the browser address bar.
Internet Explorer automatically tries to repair prevailing errors. So it can turn "google" into "www.google.com" automatically.
One of the names that IE automatically tries is placing the domain name setting, you have given in, automatically behind the internet address.
If a spyware program also does this, these links will redirect through a spyware website.
 
Code       Explanation
O17        LOP.com Domain Hijacks
 
How it looks:
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = W21944.find-quick.com
O17 - HKLM\Software\..\Telephony: DomainName = W21944.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D196AB38-4D1F-45C1-9108-46D367F19F7E}: Domain = W21944.find-quick.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gla.ac.uk
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
 
If the domain name is not that of your ISP or the firm where you work ,
let HJT fix this.
Also for SearchList-entries. For the NameServer (DNS-server) entries google for your ISP to see if they are good or bad.
 
O18 - Extra protocols and protocol hijackers

What to do:

Only a few hijackers show up here. The known baddies are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks'
(Huntbar), you should have HijackThis fix those.
Other things that show up are either not confirmed safe yet, or are hijacked (i.e. the CLSID has been changed)
by spyware. In the last case, have HijackThis fix it.
O18 - Extra Protocols and Protocol Hijackers

The standard Protocols are being changed by the protocol used by the hijacker.
In this way the hijacker gets control over certain methods of data exchange with the Internet.
Hijackthis reads the protocols-section in the registry for non-standard protocols.
When something is found up it gives the CLSID and the file path.
Keys that are found there can not always be trusted, and delivers too many FPs to just blindly rely on.

 
Code     Explanation
O18       Extra protocols and protocol hijackers
 
What they look like:
O18 - Protocol: relatedblinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82}
O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8}
 
There is only a restricted number of hijackers, Known abusers are:

    * cn (CommonName)
    * ayb (Lop.com)
    * relatedlinks (Huntbar)

Other cases found have not been affirmed as secure or as hijacked (CLSID has been changed) by spyware.
iF SO HAVE hjt FIX THIS. Hijackthis does not remove the registry key and the additional file.
Meer info vind je hier.
 
Used registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\       
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID       
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler       
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter
 
 
019 - User Style sheet hijack
A style sheet is determining how a total webpage will appear, as well as the various elements in it,

The standard style sheet can be overwritten by a hijacker.
 
Code     Explanation
O19       User style sheet hijack
 
How it looks:
O19 - User style sheet: c:\WINDOWS\Java\my.css
 
If the browser slows down, or you are experiencing regular pop-ups, you better fix this.
These issues are caused by coolwebsearch and are best repair using CWShredder.

Download CWShredder.
HijackThis does not remove the affiliating file.
Used registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles\: User Stylesheets
 
 
020 - AppInit_DLLs Register value: starting automattically - Keys under Notify
The values mentioned in the registry key AppInit_DLLs are being loaded whenever user32.dll is being loaded.
Most executables (exe's) use user32.dll. This means that the dll files found  in the registry key Appinit_DLLs
also will be loaded. The user32.dll file is also being used by automatic processes automatically started by the system on log-on.
This means that files inside AppInit_DLLs are being loaded in a very early stage.
The files loaded via AppInit_DLL's stay in memory until log-off.
 
Code     Explanation
O20      AppInit_DLLs Registry value: starting automatically
O20      Keys under Winlogon\Notify
 
How it looks:
O20 - AppInit_DLLs: msconfd.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\f40o0ed3eh0.dll
 
AppInit_DLLs: Few legit applications use it (Norton CleanSweep uses APITRAP.DLL),
but they are more seen by trojans and aggressive browser-hijackers (e.g. CoolWebSearch).
The DLL files mentioned here can be found in the system32-folder as a rule.
The reason is that only the first 32 characters are being read from this registry key by the system,
and when these file are in the system32-folder the full path does not need to be given.
The files are hidden for Windows explorer.
When you have these item fixed by HJT, the affiliating files is not being removed.
More info is being found here.
 
Notify: Since the 1.99.1 version also extra keys appear under Notify in combination with O20,
HijackThis uses a whitelist to do so. Standard keys under Notify with affiliating dll are:

    * crypt32chain   (c:\windows\system32\crypt32.dll)
    * cryptnet   (c:\windows\system32\cryptnet.dll
    * cscdll   (c:\windows\system32\cscdll.dll)
    * ScCertProp   (c:\windows\system32\wlnotify.dll)
    * Schedule   (c:\windows\system32\wlnotify.dll)
    * Sclgntfy   (c:\windows\system32\sclgntfy.dll)
    * SensLogn   (c:\windows\system32\WlNotify.dll)
    * Termsrv   (c:\windows\system32\wlnotify.dll
    * wlballoon   (c:\windows\system32\wlnotify.dll)

HijackThis removes the registry key, but not the affiliating file.
An infection using this method is VX2.
Not all keys appearing under Notify are malicious.
 
Used registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows: AppInit_DLLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

In case of a 'hidden' DLL loading from this Registry value (only visible when
using 'Edit Binary Data' option in Regedit) the dll name may be prefixed with
a pipe '|' to make it visible in the log.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: How to better write your malware-fix and using hijackthis!
« Reply #5 on: October 25, 2008, 11:24:26 PM »
Hi malware fighters, a new example is cleansing a computer of a LOP infection:

LOP and Messengerplus
Messengerplus you may install in two fashions: with sponsors and without sponsors.
Install the program with sponsors will give you a LOP infection.
Characteristics of such an infection with LOP are:

    * Blue toolbars.
    * Another default start page (cannot be altered).
    * Shortcuts onto your Desktop: Casino Online, Internet, Poker, Printer · Cartridges, Travel, Website Hosting.
    * New folders / shortcuts in your Favorites: Casino Online, Computers, Cool Stuff, Games, Internet, Movie, Online Gaming, Shopping Gifts, Travel, Web Hosting.

 
In a HijackThislog you would see the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = htxp://www.hebpzgppdmcvvkxolwsemyymm.org/Vgphr21hygEpijzFdJP36tdGhOtNQ6Wuf41DysyWb7Ef6km1SVuZftsQ3kmJbKgd.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = htxp://www.epxecirbtjumy.uk/Vgphr21hygHow4_WlYqSGCX9Qa53kzYt6MxWoMxzxkw.html
O2 - BHO: (no name) - {9C134485-ACC7-E857-CFC6-91A7FBF80B9C} - C:\DOCUME~1\Pol\APPLIC~1\SCRHOL~1\IntraHide.exe
O4 - HKLM\..\Run: [new bolt log bone] C:\Documents and Settings\All Users\Application Data\proxy chic new bolt\browsetitle.exe
O4 - HKCU\..\Run: [SpamDate] C:\DOCUME~1\Pol\APPLIC~1\COPYUP~1\bone corn soap.exe
 
These are only examples. The entries you will see in a hijackthislog may differ, because they are unique/random. The CLSID's and the filenames that LOP uses are randomly generated.
 
How to delete:
To get rid of this infection, act accordingly:
Go to Configuration Screen - Software - Change or delete programmes. Uninstall Messengerplus.
Reboot your computer.
 
If the infection reappears, you may have the latest form of LOP. This infection uses planned tasks.
A possibility to remove the infection is to install Messengerplus again WITH sponsors and then uninstall.
During uninstall you should give in a security code. Do so.
 
When that does not cure it, better make a hijackthis startup list.
Look if you will find a job for Enumerating Task Scheduler - a job (.job) has a name made up from (16?) random numbers and letters. (e.g.. A4476F8291C4E84E.job)
When a random job.name is being found there, then that is the cause of the re-infection.
This .job is a hidden file name and can be found inside the folder c:\windows\tasks.
Removal is best performed using Pocket Killbox.
 
If you want to keep using je Messengerplus, install it again , but now choose the option 'without sponsors',

polonus
« Last Edit: October 25, 2008, 11:45:49 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

enen

  • Guest
Re: How to better write your malware-fix and using hijackthis!
« Reply #6 on: November 15, 2008, 12:51:06 PM »
sir, gud day, im an avast user but unfortunately i have been affected by a malware, wdp-ash-updscript.vbs ,is is located at the program file folder of avast... i have try anything inable to delete and fix this one... but i cant able to find a remedy... and i have found an article bout this one here it is,http://www.avast.com/eng/avast_plus_wdp.html... sir i also use hijack this and here is my log files... hope u figure this one out.. thank you sir i appreciate your help! thank you very much in advance..
--------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:58 PM, on 11/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\LVComS.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ikernel.exe
C:\WINDOWS\SYSTEM32\NET.exe
C:\WINDOWS\SYSTEM32\NET.exe
C:\WINDOWS\SYSTEM32\net1.exe
C:\WINDOWS\SYSTEM32\net1.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Program Files\ScanSoft\PDF Converter 3.0\\RegistryController.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [UberIcon] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\PDF Converter 3.0\IEShellExt.dll /100
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://213.196.182.244/activex/AMC.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7313 bytes

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: How to better write your malware-fix and using hijackthis!
« Reply #7 on: November 15, 2008, 12:55:03 PM »
Please post the log in your own thread:

http://forum.avast.com/index.php?topic=40088.0
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

enen

  • Guest
Re: How to better write your malware-fix and using hijackthis!
« Reply #8 on: November 15, 2008, 01:08:52 PM »
sir wat is secure web gateway... its the only one that detect this malware..

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: How to better write your malware-fix and using hijackthis!
« Reply #9 on: November 15, 2008, 01:10:11 PM »
Please post in your own thread.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

twoferz

  • Guest
Re: How to better write your malware-fix and using hijackthis!
« Reply #10 on: January 07, 2009, 10:59:09 PM »
 :'( My computer is infected with three viruses that I know of.  ???
Spyware.IEMonster.b, Zlob.PornAdvertiser.xplisit & Trojan.InfoStealer.Banker.s

Presently I can not do anything on that computer without the following things happening: various pop-ups open, my document folder opens, & many random webpages (blank & advertisements) restrict and ultimately freezes my computer. After restarting it my active desktop is disabled (which I can not get it too return) and after several minutes a blue screen telling me to reboot my system.

Can anyone help me

CharleyO

  • Guest
Re: How to better write your malware-fix and using hijackthis!
« Reply #11 on: January 08, 2009, 09:17:19 AM »
***

Welcome to the forums, twoferz.   :)

Please post your problem in it's own thread.

To others who think of posting in this thread, please read the title of the thread again. This thread is an instructional thread and not a help thread. Please start your own thread so that help can be given to your particular problem.


***

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: How to better write your malware-fix and using hijackthis!
« Reply #12 on: May 04, 2009, 08:52:29 PM »
Hi CharleyO and other malware fighters,

I will give this link here, because it is a more recent (2009) long tutorial for us:

http://www.aumha.org/a/hjttutor.php

Also consider these instructions:
http://forums.majorgeeks.com/showthread.php?t=38752

And these 3 long instructions: http://www.malwarehelp.org/understanding-and-interpreting-hjt1.html
and  http://www.malwarehelp.org/understanding-and-interpreting-hjt2.html
and http://www.malwarehelp.org/understanding-and-interpreting-hjt3.html

And how to make a safe windows folder for hjt: http://russelltexas.com/malware/createhjtfolder.htm
N.B. here you have to translate this info for the most recent HJT version, e.g. 2.0.2

enjoy,

polonus

« Last Edit: May 04, 2009, 09:19:48 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

CharleyO

  • Guest
Re: How to better write your malware-fix and using hijackthis!
« Reply #13 on: May 05, 2009, 07:39:23 AM »
***

Thanks for the links, Polonus.   :)


***

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Malware fixes and work-arounds!
« Reply #14 on: October 27, 2009, 06:31:58 PM »
Hi malware fighters,

One uses MBAM and it immediately shuts down upon opening and/or
one uses HJT and it immediately shuts down upon opening
This is being cause by a Coolwebsearch Trojan (CWS) variant.

To solve this problem: Download the CoolWWWSearch.SmartKiller removal tool :
http://www.safer-networking.org/files/delcwssk.zip
After running this tool HJT and MBAM should be right functioning again,

polonus
 
« Last Edit: December 24, 2009, 08:29:37 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!