re: my besieged by ie pop-up ads post 01/10/2008 16:21

Thread starter: RJK

It turned out to be:-
http://www.threatexpert.com/report.aspx?uid=eb751fd2-742f-4f4b-9a11-42e9c180a17f

Multi-AV Kaspersky CLS deleted:-
c:\docume~1\alluse~1\applic~1\aboutt~1\extrap~1.exe

Yesterday during my hotch-potch approach, PrevX had located a file that I
didn't note the name of,
there were about five files in that folder including one called
"FileBoob.exe" and I deleted those myself.

*boob* in a filename seems to tally with info on above URL

ooooh, how I wish I'd let Kaspersky cls finish its sweep, ...had to start it
again !

....have been reading
http://www.symantec.com/security_response/writeup.jsp?docid=2003-092919-5421-99&tabid=3

...not very clear.

regards, Richard
 
On Thu, 2 Oct 2008 23:31:03 +0100, "RJK" <notatospam@hotmail.com> wrote:

>It turned out to be:-
>http://www.threatexpert.com/report.aspx?uid=eb751fd2-742f-4f4b-9a11-42e9c180a17f
>
>Multi-AV Kaspersky CLS deleted:-
>c:\docume~1\alluse~1\applic~1\aboutt~1\extrap~1.exe
>
>Yesterday during my hotch-potch approach, PrevX had located a file that I
>didn't note the name of,
>there were about five files in that folder including one called
>"FileBoob.exe" and I deleted those myself.
>
>*boob* in a filename seems to tally with info on above URL
>
>ooooh, how I wish I'd let Kaspersky cls finish its sweep, ...had to start it
>again !
>
>...have been reading
>http://www.symantec.com/security_response/writeup.jsp?docid=2003-092919-5421-99&tabid=3
>
>..not very clear.
>


LOP is a very old adware that would have been intercepted if your A-V
product were not impaired or compromised in some way, either by being
blocked by other malware, turned off, or not up to date. (LOP is around 5
years old now)

The Symantec site is very clear about its characteristics and how to
remove it. If you can't eradicate it automatically I recommend you print
the Technical Details and Removal pages and get to work in Safe Mode.

As for terminating the virus scans, I don't know why you feel you must
terminate them when you go to bed. I'd let them run overnight or get up
early and let them run while I did other things. There is no real reason to
sit there and watch them unless they are popping up so many dialogs that
you have to click them to make progress. In that case I think you are
fighting a demon and you need to format the hard drive and reinstall and
call it a lost cause. I wouldn't trust anything on that disk if such is the
case.

My wife let her brother use her notebook computer in Asia on a trip. The
A-V was not up to date. When she finally brought it home it had some 640+
infected files with all kinds of malware and viruses on it. (WANSO was main
demon) I fought with that machine for 3 days and finally got smart and
pulled the HDD out and scanned it with my computer's tools. That finally
eliminated the infection and preserved the data. I installed a better A-V
product (NOD32) and demoted her account to disallow program installations.
Anything she needs on there, I can install and test for her. :)

I strongly recommend you scan that hard disk with a known clean system
since you cannot trust A-Vs on the active system since they ALL should
have detected LOP by this time.
 
Big thanx, will do (remove hd and scan as slave)

regards, Richard


"Geoff" <geoff@invalid.invalid> wrote in message
news:qcoae4hs758lertggjdck4h6tba5no13if@4ax.com...
 
Here we go again, this evening I'm in a "put some effort into it mood." !!

I've pulled the hd out, and attached it to the unused motherboard IDE port,
in my 2nd PC, and tweaked the BIOS so that it's in the BIOS list of hd's.

XP Home ed. allocated it the letter I:\ ...and AVG 8.0 full internet
security suite is doing its "thing" on it. ...i.e. a full anti-everything
sweep ! :-)

After this, I suppose I ought to run David H. Lipman's multi-av / av-cls 4
cls's ...which should run at lightning speed seeing as my "clean" 2nd PC
is treating the infected hd as a slave drive. ...as I speak AVG 8.0 has
scanned over 133,000 files and it's only been going a few minutes !

regards, Richard

(...there is an Athlon 64 x6000 in my 2nd PC :-) ...I suppose that makes a
difference !)


"Geoff" <geoff@invalid.invalid> wrote in message
news:qcoae4hs758lertggjdck4h6tba5no13if@4ax.com...
 
mmmm... seeing as things are so fast running a clean m/c, in Windows normal
mode, with an infected hd attached as a slave hd, ...and seeing as I can
scan a "specific location or folder," ...is it as beneficial to run the
four cls's in Windows normal mode - on a slave hd I:\ - as it is running it
in SLooooooW Safe Mode (i.e. mobo bus master drivers aren't being used
etc.), on the infected Windows hd itself, if it were running in Safe Mode
in its normal home / system box ....if you see what I mean !

To clarify, I've done as Geoff suggested - infected hd is connected as a
slave hd in my 2nd PC, (and luckily in my 2nd PC everything is SATA -
meaning an unused motherboard IDE port is available), and so, I'm now
running David H. Lipman's Multi-av sweep on this infected slave IDE hd, and
of course it's running like lightning because the Windows platform on that
PC ....my 2nd PC, ...to which the infected hd is attached, ...is running in
Windows normal mode, ....if you see what I mean ???

regards, Richard


"RJK" <notatospam@hotmail.com> wrote in message
news:%23MzBfsYJJHA.5992@TK2MSFTNGP04.phx.gbl...
 
BTW, I did take on board Geoff's advice that, in as many words, the malware
could be "hiding" when av-cls is running, even in Safe Mode, on the infected
hd itself !
Having said that, and as Geoff said, the malware is 5 years old, I wonder
how it got in there, because this is a machine that I "hardened up" for
internet use !!!
Relevant of course is that the infected owner's son installed a bunch of
"free" software !!!!!

regards, Richard


"RJK" <notatospam@hotmail.com> wrote in message
news:OA8sy$YJJHA.4144@TK2MSFTNGP05.phx.gbl...
 
From: "RJK" <notatospam@hotmail.com>

| mmmm... seeing as things are so fast running a clean m/c, in Windows normal
| mode, with an infected hd attached as a slave hd, ...and seeing as I can
| scan a "specific location or folder," ...is it as beneficial to run the
| four cls's in Windows normal mode - on a slave hd I:\ - as it is running it
| in SLooooooW Safe Mode (i.e. mobo bus master drivers aren't being used
| etc.), on the infected Windows hd itself, if it were running in Safe Mode
| in its normal home / system box ....if you see what I mean !

| To clarify, I've done as Geoff suggested - infected hd is connected as a
| slave hd in my 2nd PC, (and luckily in my 2nd PC everything is SATA -
| meaning an unused motherboard IDE port is available), and so, I'm now
| running David H. Lipman's Multi-av sweep on this infected slave IDE hd, and
| of course it's running like lightning because the Windows platform on that
| PC ....my 2nd PC, ...to which the infected hd is attached, ...is running in
| Windows normal mode, ....if you see what I mean ???

| regards, Richard


There is ONE major drawback!

If you use a surrogate PC to scan a hard drive extracted from an infected PC, you may scan
and find files BUT... When it looks to the Registry to clean/fix alterations, it will be
done on the surrogate's Registry and not the Registry of the affected hard drive.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
From: "RJK" <notatospam@hotmail.com>

| BTW, I did take on board Geoff's advice that, in as many words, the malware
| could be "hiding" when av-cls is running, even in Safe Mode, on the infected
| hd itself !
| Having said that, and as Geoff said, the malware is 5 years old, I wonder
| how it got in there, because this is a machine that I "hardened up" for
| internet use !!!
| Relevant of course is that the infected owner's son installed a bunch of
| "free" software !!!!!

Easy Richard. It can be a new variant of Lop or mislabeled as a Lop trojan.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
>
> There is ONE major drawback!
>
> If you use a surrogate PC to scan a hard drive extracted from an infected
> PC, you may scan
> and find files BUT... When it looks to the Registry to clean/fix
> alterations, it will be
> done on the surrogate's Registry and not the Registry of the affected hard
> drive.
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>


HUGE thanx for that, I shall bear that in mind, (registry
clean/fix/alterations will be directed to surrogate PC XP registry).

....AVG 8.0 internet Security sweep "paid for version" (including
spyware/rootkit sweeps) came up with nothing.
I wonder if AVG 8.0 would have found what PrevX did yesterday - i.e. the
"Infostyle" directory containing, as PrevX labelled it, "fraudulent
software detected," ...{"pay now to fix it" LOL...just a little comment from
me} ...including a file called fileboob.exe ...I can't get at the recycle
bin on the infected drive to get the filenames, (I don't think), until it's
booted up - back in its home system box !

regards, Richard
 
On Fri, 3 Oct 2008 22:21:34 +0100, "RJK" <notatospam@hotmail.com> wrote:

>
>HUGE thanx for that, I shall bear that in mind, (registry
>clean/fix/alterations will be directed to surrogate PC XP registry).
>
>...AVG 8.0 internet Security sweep "paid for version" (including
>spyware/rootkit sweeps) came up with nothing.
>I wonder if AVG 8.0 would have found what PrevX did yesterday - i.e. the
>"Infostyle" directory containing, as PrevX labelled it, "fraudulent
>software detected," ...{"pay now to fix it" LOL...just a little comment from
>me} ...including a file called fileboob.exe ...I can't get at the recycle
>bin on the infected drive to get the filenames, (I don't think), until it's
>booted up - back in its home system box !
>


Hopefully the files were not deleted to the recycle bin but were deleted
forever so they can't be recovered accidentally.

I think you will find the system doesn't have the popups and malware now.
Any programs targeted to run at boot in the registry will fail. Now you can
safely clean the registry of the keys pointing to those files with
conventional scanners like CCleaner or Adaware. Don't forget to make sure
the IE or any other browser temp file folders are cleaned too.

Once you have safely killed the files that are protecting themselves and
the registry keys they depend on, the cleanup of bad keys is relatively
easy in the live system in the original machine.
 
From: "Geoff" <geoff@invalid.invalid>


| Hopefully the files were not deleted to the recycle bin but were deleted
| forever so they can't be recovered accidentally.

| I think you will find the system doesn't have the popups and malware now.
| Any programs targeted to run at boot in the registry will fail. Now you can
| safely clean the registry of the keys pointing to those files with
| conventional scanners like CCleaner or Adaware. Don't forget to make sure
| the IE or any other browser temp file folders are cleaned too.

| Once you have safely killed the files that are protecting themselves and
| the registry keys they depend on, the cleanup of bad keys is relatively
| easy in the live system in the original machine.

Maybe the easy RUN type keys but not keys such as in LSA. You also have to consider that
there are load time DLL keys that can be inserted and thus if the DLLs are removed the
OS will no longer boot and fail in a BSoD complaining that a needed DLL could not be
found.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
On Fri, 3 Oct 2008 20:53:15 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Geoff" <geoff@invalid.invalid>
>
>
>| Hopefully the files were not deleted to the recycle bin but were deleted
>| forever so they can't be recovered accidentally.
>
>| I think you will find the system doesn't have the popups and malware now.
>| Any programs targeted to run at boot in the registry will fail. Now you can
>| safely clean the registry of the keys pointing to those files with
>| conventional scanners like CCleaner or Adaware. Don't forget to make sure
>| the IE or any other browser temp file folders are cleaned too.
>
>| Once you have safely killed the files that are protecting themselves and
>| the registry keys they depend on, the cleanup of bad keys is relatively
>| easy in the live system in the original machine.
>
>Maybe the easy RUN type keys but not keys such as in LSA. You also have to consider that
>there are load time DLL keys that can be inserted and thus if the DLLs are removed the
>OS will no longer boot and fail in a BSoD complaining that a needed DLL could not be
>found.


Which is why I recommended Autoruns in the first place since it allows easy
access to and backup of such keys. You can even turn them off with a
checkbox before deleting the key itself if you find you need to restore it.
Autoruns even works in Safe Mode so if it did BSOD he would still be able
to fix it there. There are actually very few DLLs that, if missing, will
cause a BSOD or that couldn't be properly reinstalled with their authentic
executables by running "SFC /scannow" in safe mode or command line only
mode. If it gets that bad, a relevel and reinstall was in the making
anyway. If that were the case, slaving it, pulling off any user essential
data and programs would be a necessary part of the process since a known
clean system would be needed to be sure the backup was trustworthy.
 
From: "Geoff" <geoff@invalid.invalid>


| Which is why I recommended Autoruns in the first place since it allows easy
| access to and backup of such keys. You can even turn them off with a
| checkbox before deleting the key itself if you find you need to restore it.
| Autoruns even works in Safe Mode so if it did BSOD he would still be able
| to fix it there. There are actually very few DLLs that, if missing, will
| cause a BSOD or that couldn't be properly reinstalled with their authentic
| executables by running "SFC /scannow" in safe mode or command line only
| mode. If it gets that bad, a relevel and reinstall was in the making
| anyway. If that were the case, slaving it, pulling off any user essential
| data and programs would be a necessary part of the process since a known
| clean system would be needed to be sure the backup was trustworthy.

The key I am thinking about will not be shown in AutoRuns. The DLL would be named such
as base????32.dll (ex. basevml32.dll)
This is a SubSys trojan and with this trojan, it would be inserted into the following
registry key
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\windows
and would become part of a DLL load chain. The name of the malware DLL would be inserted into
the registry key (such as ServerDll=basevml32). If you deleted the trojan by putting
the drive in a surrogate PC or by using the Recovery Console the PC would boot into a BSoD
complaining that the DLL could not be found.

Example NT Stop Error:
STOP: c0000135 {Unable To Locate Component}
This application has failed to start because basevml32 was not found.
Re-installing the application may fix this problem.

It loads via...
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\windows


Example of text in an infected PC:
-----------------------------------
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512
Windows=On SubSystemType=Windows ServerDll=basevml32,1
ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=winsrv:ConServerDllInitialization,2
ProfileControl=Off MaxRequestThreads=16


Example of correct text:
----------------------------
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512
Windows=On SubSystemType=Windows ServerDll=basesrv,1
ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=winsrv:ConServerDllInitialization,2
ProfileControl=Off MaxRequestThreads=16

The above is a real world example taken from my notes. AutoRuns and the System File
Checker are useless in the above scenario. The ONLY way to fix it is either copy
basesrv.dll to basevml32.dll in the Recovery Console or preferably load the infected OS
and edit the registry and reboot then delete basevml32.dll.

I mention the above because many presume placing an affected drive in a surrogate PC is
one of the best ways to deal with removing malware that may be loaded at run-time.
However, if you do, when you run the Anti malware software it will not correct the
registry of the OS of the affected drive and may leave the OS of the affected drive
impotent. I am NOT saying placing an affected drive in a surrogate PC is not a good
methodology. I am saying that it can have drawbacks and you *must* be prepared for them.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
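A small check for the SubSystems\windows value Dave describes, written as an added example here (it is not code from the thread, from Multi-AV or from any of the posters). It parses the two csrss.exe command lines quoted above and flags any ServerDll entry other than basesrv/winsrv, which is the substitution the SubSys trojan makes. It assumes the value string has already been read from the affected drive's own SYSTEM hive, not the surrogate PC's, which is the point of Dave's earlier caveat about surrogate scans.

```python
"""Flag unexpected ServerDll entries in the SubSystems\\windows registry value.

Added example, not from the thread. The value checked lives at
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SubSystems\\windows
and is the csrss.exe command line Dave quotes; a SubSys trojan swaps
ServerDll=basesrv for its own DLL (basevml32 in his notes).
"""
import re
from typing import Dict, List

# Assumption: on a stock NT-family install the only ServerDll modules in this
# value are basesrv and winsrv (winsrv appears twice with different init routines).
EXPECTED_SERVER_DLLS = {"basesrv", "winsrv"}

# Sample values reproduced from the thread's "infected" and "correct" text.
INFECTED_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows "
    "ServerDll=basevml32,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 "
    "ProfileControl=Off MaxRequestThreads=16"
)
CLEAN_VALUE = INFECTED_VALUE.replace("ServerDll=basevml32,1", "ServerDll=basesrv,1")

# Entry syntax as seen in the thread: ServerDll=<dll>[:<init routine>],<index>
_SERVER_DLL_RE = re.compile(r"ServerDll=([^\s:,]+)(?::([^\s,]+))?,(\d+)")


def parse_server_dlls(value: str) -> List[Dict[str, str]]:
    """Return every ServerDll entry as {'dll', 'init', 'index'} (dll lower-cased)."""
    entries = []
    for match in _SERVER_DLL_RE.finditer(value):
        dll, init, index = match.groups()
        entries.append({"dll": dll.lower(), "init": init or "", "index": index})
    return entries


def suspicious_server_dlls(value: str) -> List[str]:
    """Names of ServerDll modules that are not the expected Microsoft DLLs."""
    return [e["dll"] for e in parse_server_dlls(value)
            if e["dll"] not in EXPECTED_SERVER_DLLS]


def check_value(value: str) -> Dict[str, object]:
    """Summarise the value: parsed entries, anomalies, and whether basesrv is present.

    A missing basesrv is itself a red flag: the trojan in the thread replaces
    the basesrv entry rather than adding a new one, so deleting the rogue DLL
    without restoring this value leaves the OS unable to boot (the BSoD Dave shows).
    """
    entries = parse_server_dlls(value)
    names = {e["dll"] for e in entries}
    return {
        "entries": entries,
        "suspicious": suspicious_server_dlls(value),
        "basesrv_present": "basesrv" in names,
    }


if __name__ == "__main__":
    for label, val in (("infected", INFECTED_VALUE), ("clean", CLEAN_VALUE)):
        result = check_value(val)
        print(f"{label}: suspicious={result['suspicious']} "
              f"basesrv_present={result['basesrv_present']}")
```

On a real extracted drive the string would come from that drive's SYSTEM hive (for instance after loading it under a temporary key), since the surrogate's own value will always look clean.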
 
Hello there ! ...after a considerable number of anti-malware sweeps, all
seems fine. I know this will sound daft but, early on, (on this particular
machine), I "sensed" that this was a "not too dangerous" ad-ware payload,
that had been installed alongside some downloaded "free" application
software. i.e. A little bit of knowledge and a good sixth sense goes a
LONG way !!!!!

I didn't fancy zero filling the hd, and installing from scratch - I would
have been on that machine forever, and there is a "son" involved that is
going to destroy my work, come what may, ...on the aforementioned PC !!!
I did have a full Symantec Norton Ghost backup in place, on his 2nd hd,
and could easily have restored that. This backup was only a few weeks old
but, would have meant the loss of some work that the owner's wife had done,
on the PC.
....so I pondered on running the XP "Transfer My Files and Setting" wizard,
out to 2nd HD, restoring the aforementioned Norton BU and then restoring the
aforementioned wizard's archive, but, I didn't fancy doing that either !!!

....I suspect that the PC will be coming back to me, infested with more
malware, ..though the owner has been supplied with several printouts on
safe-web surfing practices, and instructions on how to control his offspring
:-)

regards, Richard


"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:eBR9CshJJHA.1968@TK2MSFTNGP06.phx.gbl...
> From: "Geoff" <geoff@invalid.invalid>
>
>
> | Which is why I recommended Autoruns in the first place since it allows
> easy
> | access to and backup of such keys. You can even turn them off with a
> | checkbox before deleting the key itself if you find you need to restore
> it.
> | Autoruns even works in Safe Mode so if it did BSOD he would still be
> able
> | to fix it there. There are actually very few DLLs that, if missing, will
> | cause a BSOD or that couldn't be properly reinstalled with their
> authentic
> | executables by running "SFC /scannow" in safe mode or command line only
> | mode. If it gets that bad, a relevel and reinstall was in the making
> | anyway. If that were the case, slaving it, pulling off any user
> essential
> | data and programs would be a necessary part of the process since a known
> | clean system would be needed to be sure the backup was trustworthy.
>
> The key I am thinking about will not be shown in AutoRuns. The DLL would
> be named such
> as base????32.dll (ex. basevml32.dll)
> This is a SubSys trojan and with this trojan, it would be inserted into
> the following
> registry key
> HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\windows
> and would become part of a DLL load chain. The name of malware DLL would
> be inserted into
> the registry key (such as ServerDll=basevml32) . If you deleted the
> trojan by putting
> the drive in a surrogate PC or by using the Recovery Console the PC would
> boot into a BSoD
> complaining that the DLL could not be found.
>
> Example NT Stop Error:
> STOP: c0000135 {Unable To Locate Component}
> This application has failed to start because basevml32 was not found.
> Re-installing the application may fix this problem.
>
> It loads via...
> HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\windows
>
>
> Example of text in an infected PC:
> -----------------------------------
> %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows
> SharedSection=1024,3072,512,512
> Windows=On SubSystemType=Windows ServerDll=basevml32,1
> ServerDll=winsrv:UserServerDllInitialization,3
> ServerDll=winsrv:ConServerDllInitialization,2
> ProfileControl=Off MaxRequestThreads=16
>
>
> Example of correct text:
> ----------------------------
> %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows
> SharedSection=1024,3072,512,512
> Windows=On SubSystemType=Windows ServerDll=basesrv,1
> ServerDll=winsrv:UserServerDllInitialization,3
> ServerDll=winsrv:ConServerDllInitialization,2
> ProfileControl=Off MaxRequestThreads=16
>
> The above is a real world example taken from my notes. AutoRuns and the
> System File
> Checker are useless in the above scenario. The ONLY way to fix it is
> either copy
> basesrv.dll to basevml32.dll in the Recovery Console or preferably load
> the infected OS
> and edit the registry and reboot then delete basevml32.dll.
>
> I mention the above because many presume placing an affected drive in a
> surrogate PC is
> one of the best ways to deal with removing malware that may be loaded at
> run-time.
> However, if you do, when you run the Anti malware software it will not
> correct the
> registry of the OS of the affected drive and may leave the OS of the
> affected drive
> impotent. I am NOT saying placing an affected drive in a surrogate PC is
> not a good
> methodology. I am saying that it can have drawbacks and you *must* be
> prepared for them.
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 
From: "RJK" <notatospam@hotmail.com>

| Hello there ! ...after a considerable number of anti-malware sweeps, all
| seems fine. I know this will sound daft but, early on, (on this particular
| machine), I "sensed" that this was a "not too dangerous" ad-ware payload,
| that had been installed alongside some downloaded "free" application
| software. i.e. A little bit of knowledge and a good sixth sense goes a
| LONG way !!!!!

| I didn't fancy zero filling the hd, and installing from scratch - I would
| have been on that machine forever, and there is a "son" involved that is
| going to destroy my work, come what may, ...on the aforementioned PC !!!
| I did have a full Symantec Norton Ghost backup in place, on his 2nd hd,
| and could easily have restored that. This backup was only a few weeks old
| but, would have meant the loss of some work that the owner's wife had done,
| on the PC.
| ...so I pondered on running the XP "Transfer My Files and Setting" wizard,
| out to 2nd HD, restoring the aforementioned Norton BU and then restoring the
| aforementioned wizard's archive, but, I didn't fancy doing that either !!!

| ...I suspect that the PC will be coming back to me, infested with more
| malware, ..though the owner has been supplied with several printouts on
| safe-web surfing practices, and instructions on how to control his offspring
| :-)

| regards, Richard


Best 'o luck with them Richard. :-)

All the best to you as well.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 