Sysinternals Forum > Windows Discussions > Malware

Please help! Vicious little piece of ware

Karlchen (Senior Member, Germany) - Posted: 02 December 2006 at 12:25pm
Originally posted by radeonx

I got a downloader from seriall when my friend came over, so I was wondering what's wrong. I did everything you guys said, but none of those exist. I got it from the AutoCAD keygen.

Which simply indicates that you caught a different piece of malware and should have opened a new thread instead of reviving an old one.

You may still do so, and do not forget to describe the relevant symptoms, else an analysis will be pretty tough to do.

Oh yes, an Autoruns logfile, HijackThis logfile and/or RootkitRevealer logfile might prove helpful.

Karl

radeonx (Newbie) - Posted: 02 December 2006 at 11:45am

I got a downloader from seriall when my friend came over, so I was wondering what's wrong. I did everything you guys said, but none of those exist. I got it from the AutoCAD keygen.

2nd one (I'm afraid to go to the site now)

jamescot (Newbie) - Posted: 19 May 2006 at 1:15pm
Thanks, that did the trick. I could not get rid of the trojan when using NoAdware or Norton's; why is that?
jamesscot
jamescot (Newbie) - Posted: 19 May 2006 at 1:13pm
Originally posted by Osnail

I also had this problem but have now cleared it Here's how....

Get Avast, Ewido and Trojan Hunter and update them all... Get CCleaner and run it, then reboot into Safe Mode and run Avast, Trojan Hunter and then Ewido, in that order, all separately, then run CCleaner.

Then go into your Prefetch folder clear it out, plus all your temp folders (Windows, local settings etc...)

Ensure that the file named "winetn32.dll" has gone, as that is the one which causes all the problems.

Then run "Regedit" search for any entries for "winetn32.dll" and delete them.


Reboot to normal and voilà!! Clean and free!! It took me all day to work that one out, so please make cheques payable to me!! ;0)

Thanks, that did the trick for me. I used NoAdware and Spybot with Norton's and could not get rid of it until I used your info on how to get rid of it.
jamesscot
LZW2006 (Senior Member) - Posted: 24 April 2006 at 7:51pm
Ah-ha!!!! Don't know how you spotted that, but good work! Everyone has been missing that...

Now it is looking clear that this is a trojan gateway named DollarRevenue or one of its variants! Also considered a dropper (I use the word gateway), and a web page I'm looking at says the victim should expect constant infections of the following:

  • Adware-DCToolbar
  • Adware-DFC
  • Adware-DigInk
  • Adware-Isearch
  • Adware-Look2Me
  • Adware-SurfSideKick.dr
  • Adware-Zeno
  • Downloader-ACV
  • NDotNet
  • Uploader-R
They say to be on the lookout for drsmartload.exe also, and it can also infect through System Restore! (That info is from McAfee.)

More sites:
http://194.187.45.55/
http://www.onli-ne.com/app/ADDR/
http://content.dollarrevenue.com/
c:\drsmart\load1.exe
http://promo.dollarrevenue.com/webmasterexe/drsmartload618a.exe
http://promo.dollarrevenue.com/webmasterexe/drsmartload117a.exe
http://promo.dollarrevenue.com/webmasterexe/drsmartload44a.exe
http://promo.dollarrevenue.com/webmasterexe/drsmartload229a.exe
and many more found in Google

Judging by the URLs, I would say the purpose is that webmasters are supposed to sign up as advertising affiliates and place this file on their web server (or hotlink it), and then the victim should see endless advertisements served by dollarrevenue.com, and for each one the affiliate probably gets like a penny, so if you get 100 full-screen popup ads, that's like 1 dollar profit for the webmaster!!!

Oh boy, some of the things people do, all in the name of ad revenue! (They're probably breaking a few state and federal laws in there as well.)

BenM (Senior Member, Australia) - Posted: 24 April 2006 at 4:31pm

When downloading this file, it comes from promo.dollarrevenue.com

When you visit the site http://dollarrevenue.com/ you will see that this company is an online advertising company. Good luck with the clean-up!

Ben

LZW2006 (Senior Member) - Posted: 24 April 2006 at 8:21am
http://www.seriall.com/download/operation_flashpoint_keygen.exe

it's the first link that comes up if you search the site for operation flashpoint!

Characteristics
- Renamed file... Web sites commonly do this; the name is similar to files found on megagames.com, but they tend to use all upper-case names!

- Small file... Claims that it is a keygen and the file size supports that claim!

- EXE file... Very suspicious here! Most web sites pack downloads into zips, even if they are renamed! They can then use automated utilities to add their own TAG to the DIZ and that sort of stuff.

- No docs... Bad sign! Such files normally come with an NFO or DIZ file (again inside of a zip) declaring what it is and who made it...

- No icon... Unusual, not heard of these days! The game scene groups are proud of their work with trainers, keygens, etc., and although it would be normal for a DOS file not to have an icon, I've not seen those used since the 90's, and this is a full-blown Windows GUI application!

- ShellExecuteExA... I did not decompile the file, but I poked around at the insides a little and I believe it uses this shell32.dll function to launch CMD.EXE or RUNDLL32.EXE (not sure which) and then do what, I dunno... but there is no function of a key generator that would need to shell-execute stuff!

Details
operation_flashpoint_keygen.exe
Windows PE
13042 Bytes
B7D657C3 CRC32
E768B53FCFB5752DE21A2181956EA7AE MD5
3C61E8CB3299E6EA1BDB71A2051BD463D38F2BB4 SHA1
Exports: NONE
Imports: SHELL32.DLL
SUSPECT: Mess up my computer style trojan!
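The "Details" block in the post above was assembled by hand. As an added example (not code from the post or from the forum), the script below produces the same fields for any file: size, CRC32, MD5 and SHA1 in the same upper-case hex form, a check that the file really is a Windows PE (MZ header whose e_lfanew points at a "PE\0\0" signature), and a crude strings scan that surfaces DLL names and API names such as ShellExecuteExA, which is how the post spotted the import. The watch-list of API names is this example's own assumption, and the sample bytes are constructed here; they are not the real operation_flashpoint_keygen.exe.

```python
"""Static triage of a suspect Windows executable (added example, not from the post).

Reproduces the hand-written 'Details' block: size, CRC32/MD5/SHA1, PE check,
and DLL / API names visible as plain strings. The sample bytes below are
constructed for the demo and are NOT the real keygen from the thread.
"""
import hashlib
import re
import struct
import zlib

# API names that a tiny 'keygen' has no business calling (assumption: this
# watch-list is the example author's, built from the post's own reasoning).
SUSPICIOUS_APIS = {
    "ShellExecuteExA", "ShellExecuteA", "WinExec", "CreateProcessA",
    "URLDownloadToFileA", "InternetOpenUrlA",
}


def hashes(data: bytes) -> dict:
    """CRC32 (upper-case hex, as in the post), MD5 and SHA1 of the bytes."""
    return {
        "crc32": "%08X" % (zlib.crc32(data) & 0xFFFFFFFF),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
    }


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def ascii_strings(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII runs of at least min_len bytes (a minimal 'strings')."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(name: str, data: bytes) -> dict:
    """Summarise one file the way the post's 'Details' block does."""
    strings = ascii_strings(data)
    dlls = sorted({s.upper() for s in strings if s.upper().endswith(".DLL")})
    apis = sorted(SUSPICIOUS_APIS.intersection(strings))
    return {
        "name": name,
        "size": len(data),
        "pe": is_pe(data),
        "imports": dlls,
        "suspicious_apis": apis,
        **hashes(data),
    }


def constructed_sample() -> bytes:
    """Fake PE-shaped blob (constructed, not real malware): MZ header with
    e_lfanew = 0x40, a 'PE\\0\\0' signature, then the kind of strings a real
    import table would leave visible to a strings scan."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return (bytes(dos) + b"PE\x00\x00" + b"\x00" * 16
            + b"SHELL32.dll\x00ShellExecuteExA\x00KERNEL32.dll\x00ExitProcess\x00")


if __name__ == "__main__":
    report = triage("constructed_sample.exe", constructed_sample())
    for key, value in report.items():
        print("%-16s %s" % (key, value))
```

To triage a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`. A strings scan only sees names the import table stores in clear; a packed binary hides them, so an empty `imports` list on a PE is itself worth noting.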
Fyyre (Senior Member) - Posted: 24 April 2006 at 2:00am
Don't trust your A/V program. The best method to get rid of whatever malware is in the keygen (link is dead, can you PM it to me? I'd like to decompile it) is just to format the drive and reinstall.

Or, if it is only file-based: delete the files that reappear, run a hash or CRC on %windir% and subdirectories, reboot, run the hash again after the files come back, diff the output, then load into Windows PE or an alternate OS and remove them that way. Could also create dummy files with DACL Everyone:Deny, I suppose.

-fyyre
Originally posted by beirtipol

I downloaded a keygen from www.seriall.com - I know that was my first mistake...

When I ran the exe, it popped up a dialog in spanish which quickly disappeared. My modem then cut out and redialled a different number.

So far, I've removed the dialer, but I can't remove the files in the temp folder, which duplicate themselves about 4-5 times a minute. There are thousands of files with a .tmp extension named "winXXX.tmp", where XXX is in hex. It then creates .exe files named "winXXX.tmp.exe". These run and try to connect to www.slimfind.com. I've attached the firewall log. Today, "winlogon.exe" tried to connect to "BT2n.com, connectpt.net, and boostservice.com". They're all in the 85.255.115 subnet.

The following files were created today in the system32 folder:
ncompat.tlb
ld607F.tmp
dfrgsrv.exe

I also found a suspicious dll in the registry and System32 folder named "winzjc32.dll". I've tried disabling it in "HijackThis" (log included) and with "Autoruns", but it still comes up. I've also deleted anything from the Windows prefetch folder created after the time that I ran the keygen. NoAdware4 and Norton AV, but I'll download some more adware programs and keep trying.

This is a mischievous little bugger - any ideas?

I've attached any files I can find with their addresses. Most of them won't copy as they're in use by a running process - winlogon??

DON'T RUN OPERATION_FLASHPOINT_KEYGEN - that's the F*** that started this whole mess. 2006-02-28_091555_Virus_Log.rar
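Fyyre's file-based approach above (hash everything under %windir%, reboot, hash again, diff the two listings) is easy to script. The following is an added example, not code from the post or the forum: it snapshots a directory tree to a SHA1-per-file listing, diffs two snapshots, and additionally flags names matching the "winXXX.tmp" / "winXXX.tmp.exe" (hex XXX) and "ld607F.tmp"-style patterns from the quoted post. The regular expression generalising those names is this example's own assumption, and the directory tree it runs against is constructed in a temporary folder, not taken from an infected machine.

```python
"""Baseline-and-diff of a directory tree (added example, not from the post).

Scripts the method Fyyre sketches: hash every file under a root (e.g.
%windir%), reboot, hash again, diff, so files that 'come back' after being
deleted stand out. The sample tree is constructed under a temp directory.
"""
import hashlib
import json
import os
import re
import tempfile

# winXXX.tmp / winXXX.tmp.exe and ldXXX.tmp with a hex XXX, as described in the
# quoted post. Assumption: the regex is this example's generalisation of them.
SUSPECT_NAME = re.compile(r"^(win|ld)[0-9A-Fa-f]{1,4}\.tmp(\.exe)?$", re.IGNORECASE)


def sha1_file(path: str) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map of relative path -> SHA1 for every regular file under root."""
    listing = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root)
            try:
                listing[rel] = sha1_file(full)
            except OSError:  # locked / in use (the 'held by winlogon' case)
                listing[rel] = "<unreadable>"
    return listing


def save_snapshot(listing: dict, path: str) -> None:
    """Persist a snapshot so the pre-reboot baseline survives the reboot."""
    with open(path, "w") as f:
        json.dump(listing, f, indent=1, sort_keys=True)


def load_snapshot(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def diff_snapshots(before: dict, after: dict) -> dict:
    """Added, removed and changed paths between two snapshots, plus the subset
    of added/changed paths whose basename matches the suspect pattern."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    flagged = sorted(p for p in added + changed
                     if SUSPECT_NAME.match(os.path.basename(p)))
    return {"added": added, "removed": removed, "changed": changed, "flagged": flagged}


def build_demo_tree(root: str, infected: bool) -> None:
    """Constructed sample tree: a clean baseline, then the same tree after a
    'dropper' has written the files named in the thread."""
    os.makedirs(os.path.join(root, "system32"), exist_ok=True)
    os.makedirs(os.path.join(root, "Temp"), exist_ok=True)
    with open(os.path.join(root, "system32", "kernel32.dll"), "wb") as f:
        f.write(b"legit system file (constructed)")
    if infected:
        for name in ("win1A.tmp", "win1A.tmp.exe", "win2F3.tmp"):
            with open(os.path.join(root, "Temp", name), "wb") as f:
                f.write(b"dropper payload (constructed)")
        with open(os.path.join(root, "system32", "dfrgsrv.exe"), "wb") as f:
            f.write(b"not a Windows binary (constructed)")


def demo() -> dict:
    """Baseline, 'reboot and files come back', diff."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root, infected=False)
        before = snapshot(root)
        build_demo_tree(root, infected=True)
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

On a real machine run `save_snapshot(snapshot(r"C:\Windows"), "baseline.json")`, reboot, then `diff_snapshots(load_snapshot("baseline.json"), snapshot(r"C:\Windows"))`. Paths that come back as `<unreadable>` after the reboot are the ones held open by a running process, which is exactly the set to remove from Windows PE or another OS as the post suggests.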
killerquag (Newbie) - Posted: 23 April 2006 at 2:25am
Just for anyone else who has done a search for this demonware and couldn't find an answer, like I have done. Every search (anti-spyware and anti-virus) that I could get my hands on could not find this or fix it. I probably wouldn't have bothered with a post, except Osnail posted about how to fix it and tells you to delete a system file.... winetn32.dll is a legit dll file. The 3 that are posted above: ncompat.tlb, ld*.tmp, and dfrgsrv.exe are not. Delete them and they will grow back; remove the folder 1024 and it will come back... However....

1.  Reboot in safe mode.
2.  Nuke those 3 files in the system32 directory
3.  Nuke the dir 1024 in system32
4.  Run Regedit and search for dfrgsrv.exe
5.  Nuke any keys referencing it.
6.  Reboot and enjoy.

The .tmp file will start with ld and end with .tmp; the number involved with it depends on its current iteration of establishing or trying to establish contact with the web.

winetn32.dll is just the Windows file that starts running the file to attach itself to winlogon.exe (in normal mode). Once it attaches and runs itself, it will keep the other files from being deleted and recreate any modifications to the registry that it needs to keep itself alive.

Enjoy.
SpannerITWks (Senior Member, United Kingdom) - Posted: 28 March 2006 at 3:04pm

You have a Very serious nasty in there which needs sorting out ASAP.

You may have lots of other stuff in there too, which may be different from other people's experiences.

You can do an HJT log and get free help from any one of the links in here - http://www.sysinternals.com/Forum/forum_posts.asp?TID=1769&PN=1 - please read before posting and follow their instructions to the letter!

Afterwards you can start Securing your PC + Browser from the details in the above thread.

Keeping well away from crack etc. sites is always wise, which I'm sure you will from now on.

That link to the RAR file doesn't work; can you upload it to http://rapidshare.de/ and PM me with the DL + delete links, thanks.

Spanner



Stay Safe - SpannerITWks/SpannerInTheWorks -
BOClean AntiMalware - http://www.nsclean.com/boclean.html