Please help! Vicious little piece of ware
beirtipol (Newbie)
Joined: 28 February 2006. Posts: 2
Topic: Please help! Vicious little piece of ware. Posted: 28 February 2006 at 9:19am
I downloaded a keygen from www.seriall.com - I know that was my first mistake...

When I ran the exe, it popped up a dialog in Spanish which quickly disappeared. My modem then cut out and redialled a different number. So far, I've removed the dialer, but I can't remove the files in the temp folder, which duplicate themselves about 4-5 times a minute. There are thousands of files with a .tmp extension named "winXXX.tmp", where XXX is in hex. It then creates .exe files named "winXXX.tmp.exe". These run and try to connect to www.slimfind.com. I've attached the firewall log.

Today, "winlogon.exe" tried to connect to "BT2n.com, connectpt.net, and boostservice.com". They're all in the 85.255.115 subnet. The following files were created today in the system32 folder: ncompat.tlb, ld607F.tmp, dfrgsrv.exe. I also found a suspicious DLL in the registry and System32 folder named "winzjc32.dll". I've tried disabling it in HijackThis (log included) and with Autoruns, but it still comes up. I've also deleted anything from the Windows prefetch folder created after the time that I ran the keygen. I've tried Noadware4 and Norton AV, but I'll download some more anti-adware programs and keep trying.

This is a mischievous little bugger - any ideas? I've attached any files I can find with their addresses. Most of them won't copy as they're in use by a running process - winlogon??

DON'T RUN OPERATION_FLASHPOINT_KEYGEN - that's the F*** that started this whole mess.

Attachment: 2006-02-28_091555_Virus_Log.rar
beirtipol (Newbie)
Joined: 28 February 2006. Posts: 2
Posted: 28 February 2006 at 9:28am
I also think that IIS is involved, as the virus became more active when I disabled the IIS service. I should have said earlier: I'm running WinXP Pro SP2 with Norton AV, NoAdware4 and Sygate Firewall.
DundeeMafia (Newbie)
Joined: 28 February 2006. Location: United Kingdom. Posts: 1
Posted: 28 February 2006 at 2:59pm
Looks like you're going to have to get a bit more involved in the list of processes upon your machine. You should download and use http://www.sysinternals.com/Utilities/Autoruns.html and http://www.sysinternals.com/utilities/processexplorer.html

With Process Explorer you'll find a list of active processes, where you will hopefully locate the "winXXX.tmp.exe" executable application you have mentioned above - it may not be a separate process, but actually started by another process within the process tree. If you right-click on this process you will be able to SUSPEND its operation. This will allow you to stop this process, and its parent if you suspend those, from creating the new instances of the "winXXX.tmp.exe" file within the TEMP folder.

Once you figure out which process is generating the "winXXX.tmp.exe" files, you'll be in a better position and be able to decide how simple it will be to remove the autostart references. If the process is not suspended, it's very likely it would recognise you have taken away the autostart entry and just put it back before you were able to blink.

For ease of identifying where the process is being executed from and its command-line parameters, you should enable the columns "IMAGE PATH" and "COMMAND LINE" from within the VIEW -> SELECT COLUMNS... dialog window. If necessary there is an option to save the output from AUTORUNS and PROCESS EXPLORER, so they could be reviewed if required.

Joe.
--- oooOOOooo ---
I am responsible for my own actions, don't blame anyone else.
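The parent-process hunt Joe describes, as an added example in Python (not code from the thread or from a Sysinternals tool): it groups every `winXXX.tmp.exe` process under its parent and reports the parent's image path and ancestry, which is the view Process Explorer's tree gives you. The process listing is constructed for the demo; the thread never establishes which process really spawned the temp executables, so the spawner used here (pid 2210, carrying one of the file names the original poster listed) is hypothetical. On a real machine the same records can be exported with `wmic process get ProcessId,ParentProcessId,Name,ExecutablePath,CommandLine`.

```python
"""Group the winXXX.tmp.exe processes under their parent and show the parent's
image path and ancestry. Added example, not code from the thread or from a
Sysinternals tool; the process listing below is constructed for the demo."""
import re
from collections import defaultdict

# Names such as win1A3.tmp.exe, as described by the original poster.
TEMP_EXE = re.compile(r"^win[0-9a-f]+\.tmp\.exe$", re.IGNORECASE)

SYS32 = r"C:\WINDOWS\system32"              # constructed paths for the demo
TEMP = r"C:\DOCUME~1\user\LOCALS~1\Temp"

# Constructed snapshot (pid, parent pid, name, image, command line). Pid 2210 is
# the hypothetical spawner (named after one of the files the OP found; the thread
# never establishes the real one) and pid 2270's parent has already exited.
SAMPLE_PROCESSES = [
    {"pid": 4, "ppid": 0, "name": "System", "image": "", "cmdline": ""},
    {"pid": 612, "ppid": 4, "name": "smss.exe", "image": SYS32 + r"\smss.exe", "cmdline": "smss.exe"},
    {"pid": 680, "ppid": 612, "name": "winlogon.exe", "image": SYS32 + r"\winlogon.exe", "cmdline": "winlogon.exe"},
    {"pid": 2210, "ppid": 680, "name": "dfrgsrv.exe", "image": SYS32 + r"\dfrgsrv.exe", "cmdline": "dfrgsrv.exe"},
    {"pid": 2244, "ppid": 2210, "name": "win1A3.tmp.exe", "image": TEMP + r"\win1A3.tmp.exe", "cmdline": "win1A3.tmp.exe"},
    {"pid": 2251, "ppid": 2210, "name": "win1A4.tmp.exe", "image": TEMP + r"\win1A4.tmp.exe", "cmdline": "win1A4.tmp.exe"},
    {"pid": 2260, "ppid": 2210, "name": "win1A7.tmp.exe", "image": TEMP + r"\win1A7.tmp.exe", "cmdline": "win1A7.tmp.exe"},
    {"pid": 2270, "ppid": 9999, "name": "win1B0.tmp.exe", "image": TEMP + r"\win1B0.tmp.exe", "cmdline": "win1B0.tmp.exe"},
]


def index_by_pid(procs):
    return {p["pid"]: p for p in procs}


def ancestry(by_pid, pid):
    """Chain [pid, parent, grandparent, ...] up to the root. Stops at a parent that
    is no longer running (orphan) or on a ppid cycle, which listings can contain
    when a pid has been reused since the parent exited."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def find_spawners(procs, pattern=TEMP_EXE):
    """Group every process whose name matches `pattern` under its parent.

    Returns {ppid: {"parent": name or "<exited>", "image": path or None,
    "children": [matching names]}}. The parent, not the short-lived children,
    is what has to be suspended before the autostart entries are removed."""
    by_pid = index_by_pid(procs)
    groups = defaultdict(lambda: {"parent": "<exited>", "image": None, "children": []})
    for p in procs:
        if pattern.match(p["name"]):
            parent = by_pid.get(p["ppid"])
            g = groups[p["ppid"]]
            if parent is not None:
                g["parent"], g["image"] = parent["name"], parent["image"]
            g["children"].append(p["name"])
    return dict(groups)


def report(procs, pattern=TEMP_EXE):
    """Two lines per spawner: who it is, where it runs from, its ancestry, its children."""
    by_pid = index_by_pid(procs)
    lines = []
    for ppid, g in sorted(find_spawners(procs, pattern).items()):
        chain = " <- ".join(by_pid[x]["name"] for x in ancestry(by_pid, ppid))
        lines.append(f"spawner pid {ppid} {g['parent']} [{g['image']}] chain: "
                     f"{chain or '(parent already exited)'}")
        lines.append("  children: " + ", ".join(sorted(g["children"])))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PROCESSES)))
```

A spawner whose parent has itself exited shows up with an empty chain, which is worth noticing: it usually means a launcher ran once and quit, so the autostart reference rather than a live parent is what keeps it coming back.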
Osnail (Newbie)
Joined: 28 March 2006. Posts: 1
Posted: 28 March 2006 at 1:51pm
I also had this problem but have now cleared it. Here's how....

Get Avast, Ewido and Trojan Hunter and update them all... Get CCleaner and run it, then reboot into Safe Mode and run Avast, Trojan Hunter and then Ewido, in that order, all separately, then run CCleaner. Then go into your Prefetch folder and clear it out, plus all your temp folders (Windows, Local Settings etc...). Ensure that the file named "winetn32.dll" has gone, as that is the one which causes all the problems. Then run "Regedit", search for any entries for "winetn32.dll" and delete them. Reboot to normal and voila!! Clean and free!! It took me all day to work that one out, so please make cheques payable to me!! ;0)

Edited by Osnail - 28 March 2006 at 1:53pm
SpannerITWks (Senior Member)
Joined: 14 August 2005. Location: United Kingdom. Posts: 896
Posted: 28 March 2006 at 3:04pm
You have a very serious nasty in there which needs sorting out ASAP. You may have lots of other stuff in there too, which may be different to other people's experiences. You can do a HJT log and get free help from any one of the links in here - http://www.sysinternals.com/Forum/forum_posts.asp?TID=1769&PN=1 - please read before posting and follow their instructions to the letter! Afterwards you can start securing your PC + browser from the details in the above thread. Keeping well away from crack etc. www's is always wise, which I'm sure you will from now on.

That link to the RAR file doesn't work; can you upload it to http://rapidshare.de/ and PM me with the DL + Delete links, thanx.

Spanner

Edited by SpannerITWks - 28 March 2006 at 3:08pm
Stay Safe - SpannerITWks/SpannerInTheWorks -
BOClean AntiMalware - http://www.nsclean.com/boclean.html
killerquag (Newbie)
Joined: 23 April 2006. Posts: 1
Posted: 23 April 2006 at 2:25am
Just for anyone else who has done a search for this demonware and couldn't find an answer, like I have done. Every search (anti-spyware and anti-virus) that I could get my hands on could not find this or fix it. I probably wouldn't have bothered with a post, except Osnail posted about how to fix it and tells you to delete a system file.... winetn32.dll is a legit DLL file. The 3 that are posted above, ncompat.tlb, ld*.tmp and dfrgsrv.exe, are not. Delete them and they will grow back; remove the folder 1024 and it will come back... However....

1. Reboot in Safe Mode.
2. Nuke those 3 files in the system32 directory.
3. Nuke the dir 1024 in system32.
4. Run Regedit and search for dfrgsrv.exe.
5. Nuke any keys referencing it.
6. Reboot and enjoy.

The .tmp file will start with ld and end with .tmp; the number involved with it depends on its current iteration of establishing or trying to establish contact with the web. winetn32.dll is just the Windows file that starts running the file to attach itself to winlogon.exe (in normal mode). Once it attaches and runs itself, it will keep the other files from being deleted and recreate any modifications to the registry that it needs to keep itself alive. Enjoy.
Fyyre (Senior Member)
Joined: 12 April 2006. Posts: 225
Posted: 24 April 2006 at 2:00am
Don't trust your A/V program. The best method to get rid of whatever malware is in the keygen (link is dead, can you PM it to me? I'd like to decompile it) is just to format the drive and reinstall.

Or, if it is only file-based, delete the files that reappear, run a hash or CRC on %windir% and subdirectories, reboot, run the hash again after the files come back, and diff the output. Load into Windows PE or an alternate OS and remove them that way; you could also create dummy files with DACL Everyone:Deny, I suppose.

-fyyre
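Fyyre's hash, reboot, hash again and diff approach, as an added example in Python (not code from the post): `snapshot()` records the size and SHA-256 of every file under a directory, `diff_snapshots()` lists what was added, removed or changed between two snapshots, and `demo()` runs the whole cycle in a temporary directory using constructed files that borrow the names reported earlier in the thread (ld607F.tmp, dfrgsrv.exe, ncompat.tlb); the contents and the other file names in the demo are made up. Files that cannot be opened are listed with an error marker instead of being dropped, since in-use files were exactly the problem the original poster hit.

```python
"""Hash-baseline-and-diff over a directory tree (added example, not code from the
thread). Usage on the machine under test:

    python baseline.py snapshot C:\\WINDOWS before.json
    (reboot so the malware re-creates what you deleted)
    python baseline.py snapshot C:\\WINDOWS after.json
    python baseline.py diff before.json after.json

With no arguments it runs demo(), a constructed scenario in a temp directory."""
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on large files


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """{relative path: {"size", "sha256"}} for every regular file under root.

    A file that cannot be read (locked by a running process, as with the in-use
    files in the thread) is still listed, with the error name in place of the
    hash, so a locked file that appears or vanishes between runs still shows in
    the diff rather than being silently skipped."""
    root = Path(root)
    listing = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            try:
                listing[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
            except OSError as exc:
                listing[rel] = {"size": None, "sha256": None, "error": type(exc).__name__}
    return listing


def diff_snapshots(before, after):
    """Paths added, removed, or whose hash differs between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in common if before[p]["sha256"] != after[p]["sha256"]),
    }


def demo():
    """Constructed scenario: baseline, then three dropper files 'grow back' and one
    DLL is altered, as happens between the two hashing runs Fyyre describes."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp, "system32")
        sysdir.mkdir()
        (sysdir / "example.dll").write_bytes(b"original dll bytes")      # constructed
        (sysdir / "unchanged.dll").write_bytes(b"unchanged dll bytes")   # constructed
        before = snapshot(tmp)
        # What the reboot brings back: constructed contents, names from the thread.
        for name in ("ld607F.tmp", "dfrgsrv.exe", "ncompat.tlb"):
            (sysdir / name).write_bytes(b"\x00" * 16)
        (sysdir / "example.dll").write_bytes(b"patched dll bytes")
        after = snapshot(tmp)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] == "snapshot":
        Path(sys.argv[3]).write_text(json.dumps(snapshot(sys.argv[2]), indent=1))
    elif len(sys.argv) == 4 and sys.argv[1] == "diff":
        before = json.loads(Path(sys.argv[2]).read_text())
        after = json.loads(Path(sys.argv[3]).read_text())
        print(json.dumps(diff_snapshots(before, after), indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

Take the first snapshot from a clean boot medium if you can, because a hashing tool run from inside the infected Windows session sees whatever a running rootkit component lets it see; the diff is still useful either way, since the "added" list is exactly the set of files to remove offline.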
LZW2006 (Senior Member)
Joined: 11 February 2006. Posts: 244
Posted: 24 April 2006 at 8:21am
http://www.seriall.com/download/operation_flashpoint_keygen.exe

It's the first link that comes up if you search the site for Operation Flashpoint!

Characteristics:
- Renamed file... Web sites commonly do this; the name is similar to files found on megagames.com, but they tend to use all upper-case names!
- Small file... Claims that it is a keygen and the file size supports that claim!
- EXE file... Very suspicious here! Most web sites pack downloads into zips, even if they are renamed! They can then use automated utilities to add their own TAG to the DIZ and that sort of stuff.
- No docs... Bad sign! Such files normally come with an NFO or DIZ file (again inside of a zip) declaring what it is and who made it...
- No icon... Unusual, not heard of these days! The game scene groups are proud of their work with trainers, keygens, etc., and although it would be normal for a DOS file not to have an icon, I've not seen those used since the 90's and this is a full-blown Windows GUI application!
- ShellExecuteExA... I did not decompile the file, but I poked around at the insides a little and I believe it uses this shell32.dll function to launch CMD.EXE or RUNDLL32.EXE (not sure which) and then do what, I dunno... but there is no function of a key generator that would need to shell-execute stuff!

Details:
operation_flashpoint_keygen.exe
Windows PE
13042 Bytes
B7D657C3 CRC32
E768B53FCFB5752DE21A2181956EA7AE MD5
3C61E8CB3299E6EA1BDB71A2051BD463D38F2BB4 SHA1
Exports: NONE
Imports: SHELL32.DLL

SUSPECT: Mess up my computer style trojan!
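The static checks LZW2006 tabulates by hand (size, CRC32, MD5, SHA1, imported DLLs), as an added Python example that is not code from the post and was not run against the real keygen: `triage()` computes the hashes and walks the PE import directory, then flags imports that appear on a small process-launching watchlist, which is this example's own choice and not a list from the thread. Because the file itself is not on the page, `build_sample_pe()` constructs a header-only PE32 whose import table names SHELL32.DLL!ShellExecuteExA and KERNEL32.DLL!CreateProcessA, so the script runs offline; pass a file path as the first argument to triage a real executable instead. The PE reader is a minimal one written for this example, not a library.

```python
"""Static triage of a suspicious executable: size, CRC32/MD5/SHA1 and imported APIs.
Added example, not code from the thread; the small PE parser and sample builder are its own."""
import hashlib
import struct
import sys
import zlib

# Process-launching APIs (this example's own watchlist); ShellExecuteExA is the one the post noticed.
WATCHLIST = {"ShellExecuteExA", "ShellExecuteExW", "ShellExecuteA", "ShellExecuteW",
             "WinExec", "CreateProcessA", "CreateProcessW"}
SAMPLE_IMPORTS = {"SHELL32.DLL": ["ShellExecuteExA", "SHGetFolderPathA"],   # constructed
                  "KERNEL32.DLL": ["CreateProcessA"]}


def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def pe_header_offset(data):
    """Offset of the 'PE\\0\\0' signature, or None if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    return pe if data[pe:pe + 4] == b"PE\0\0" else None


def parse_imports(data):
    """{dll name: [function name or 'ordinal#N']} read from the import directory."""
    pe = pe_header_offset(data)
    if pe is None:
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B            # PE32+ magic
    imp_rva = struct.unpack_from("<I", data, opt + (112 if is64 else 96) + 8)[0]  # dir 1
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsect)]

    def rva_to_off(rva):                       # sections: (vsize, va, rawsize, rawptr)
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} outside all sections")

    imports = {}
    if imp_rva == 0:
        return imports
    fmt, ord_flag = ("<Q", 1 << 63) if is64 else ("<I", 1 << 31)
    desc = rva_to_off(imp_rva)
    while True:
        ilt, _ts, _fwd, name_rva, iat = struct.unpack_from("<5I", data, desc)
        if name_rva == 0:                      # all-zero descriptor terminates the table
            break
        funcs, t = [], rva_to_off(ilt or iat)  # unbound lookup table, else the IAT
        while (entry := struct.unpack_from(fmt, data, t)[0]) != 0:
            if entry & ord_flag:
                funcs.append(f"ordinal#{entry & 0xFFFF}")
            else:
                funcs.append(cstr(data, rva_to_off(entry) + 2))   # skip the 2-byte hint
            t += struct.calcsize(fmt)
        imports[cstr(data, rva_to_off(name_rva))] = funcs
        desc += 20
    return imports


def triage(data):
    """The facts the post tabulates, plus imports that match WATCHLIST."""
    imports = parse_imports(data)
    return {"size": len(data),
            "crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08X"),
            "md5": hashlib.md5(data).hexdigest().upper(),
            "sha1": hashlib.sha1(data).hexdigest().upper(),
            "imports": imports,
            "flagged": sorted(f for fs in imports.values() for f in fs if f in WATCHLIST)}


def build_sample_pe(imports):
    """Constructed header-only PE32 whose single .idata section holds `imports`."""
    rva, ndesc = 0x1000, len(imports) + 1       # section RVA; its file offset is 0x200
    sec = bytearray(20 * ndesc + sum(4 * (len(f) + 1) for f in imports.values()))
    toff, descs = 20 * ndesc, []                # thunk tables follow the descriptors
    for dll, funcs in imports.items():
        thunks = []
        for fn in funcs:                        # hint/name entries, kept word aligned
            thunks.append(rva + len(sec))
            sec += b"\0\0" + fn.encode() + b"\0" * (1 + (len(fn) + 1) % 2)
        name_rva = rva + len(sec)
        sec += dll.encode() + b"\0" * (1 + (len(dll) + 1) % 2)
        struct.pack_into(f"<{len(thunks) + 1}I", sec, toff, *thunks, 0)
        descs.append((toff, name_rva))
        toff += 4 * (len(funcs) + 1)
    for i, (t, name_rva) in enumerate(descs):  # OriginalFirstThunk, ts, fwd, Name, FirstThunk
        struct.pack_into("<5I", sec, 20 * i, rva + t, 0, 0, name_rva, rva + t)
    sec += b"\0" * (-len(sec) % 0x200)
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)   # PE32, 16 dirs
    opt = (opt + bytes(8) + struct.pack("<II", rva, 20 * ndesc)).ljust(0xE0, b"\0")  # imports dir
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102) + opt
    hdr += struct.pack("<8sIIIIIIHHI", b".idata", len(sec), rva, len(sec), 0x200, 0, 0, 0, 0, 0xC0000040)
    return bytes(hdr.ljust(0x200, b"\0") + sec)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(SAMPLE_IMPORTS)
    print("\n".join(f"{k}: {v}" for k, v in triage(blob).items()))
```

The import list is only as honest as the file: a packed sample often imports little more than LoadLibrary and GetProcAddress and resolves the interesting APIs at run time, so an empty or tiny import table on a "keygen" is itself a finding rather than a clean result.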
BenM (Senior Member)
Joined: 21 November 2005. Location: Australia. Posts: 169
Posted: 24 April 2006 at 4:31pm
When downloading this file, it comes from promo.dollarrevenue.com When you visit the site http://dollarrevenue.com/ you will see that this company is an online advertising company. Good luck with the clean-up!
Ben
LZW2006 (Senior Member)
Joined: 11 February 2006. Posts: 244
Posted: 24 April 2006 at 7:51pm
Ah-ha!!!! Don't know how you spotted that but good work! Everyone has been missing that...

Now it is looking clear that this is a trojan gateway named DollarRevenue or one of its variants! Also considered a dropper (I use the word gateway), and a web page I'm looking at says the victim should expect constant infections of the following:

More sites:
http://194.187.45.55/
http://www.onli-ne.com/app/ADDR/
http://content.dollarrevenue.com/
c:\drsmart\load1.exe
http://promo.dollarrevenue.com/webmasterexe/drsmartload618a.exe
http://promo.dollarrevenue.com/webmasterexe/drsmartload117a.exe
http://promo.dollarrevenue.com/webmasterexe/drsmartload44a.exe
http://promo.dollarrevenue.com/webmasterexe/drsmartload229a.exe
and many more found in Google.

Judging by the URLs, I would say the purpose is that webmasters are supposed to sign up as advertising affiliates and place this file on their web server (or hotlink it), and then the victim should see endless advertisements served by dollarrevenue.com, and for each one the affiliate probably gets like a penny, so if you get 100 full-screen popup ads, that's like 1 dollar profit for the webmaster!!! Oh boy, some of the things people do all in the name of ad revenue! (They're probably breaking a few state and federal laws in there as well.)