New scumware - winFirewall popups


Ed_P


There is a new piece of spyware/malware/scumware out. If you invoke IE to any site, including Windows Update, you get a popup window for winFIREWALL. And even if you don't use IE after booting, after a period of time the scumware will bring up IE with the ad for you. Web searches show that the popup can be for winANTIVIRUS and winPOPUPGUARD also.

While the URL in the Location window indicates www.winfirewall.c0m (intentional misspelling), moving the pointer onto the webpage's images shows they link to secure.billingnow.c0m (intentional misspelling). Adding both URLs to the Restricted Zone doesn't stop the popups.

In the Windows\Microsoft.Net folder you will find infops.exe plus several iterations of psofni (infops backwards) files including .ini, .dat, .bak1 and .bak2. Renaming the files results in new ones being immediately recreated. (amazing! B) )

Adaware, SpyBot, CWShredder, SpywareBlaster and HiJackThis, each with all updates applied, all failed to remove this even when manually selected in HiJackThis. Even in Windows Safe Mode. BTW Another symptom of its presence is repeated spikes in CPU utilization of about 30% or more at about 10 sec intervals.

Removal required me to boot to Recovery Console mode (after applying the Admin Password patch to the Registry. Thank you Paracelsus B) ) and manually deleting the noted files from the Microsoft.Net folder. Upon rebooting and responding to the File Missing prompt, (finally) running HiJackThis to clean up the Registry. I'm not sure if there is a tie between this program and ftpanti.exe, but at least ftpanti.exe I was able to simply delete.


nlinecomputers

Ed, Any idea what you hit that installed it? Also you use Netscape, don't you? Was this a Netscape exploit or were you doing something in IE when you got hit? If this is a Netscape/Mozilla exploit then we need details for a bug report. Mozilla will fix stuff like this. IE just lets you get screwed.


> Ed, Any idea what you hit that installed it?

I didn't catch it on my machine nlinecomputers. This is a client's pc, in this case my son's girlfriend who is in college. Need I say more?

I restored the hd back to a point before I started making changes. The Windows\Microsoft.Net\ folder contains none of the files mentioned earlier. And the only websites I visited from the time of the backup to the time of the restore were anti-scumware related, i.e. HiJackThis and etc, Windows Update, Trend Micro's HouseCall and her homepage, which is a WeatherUnderground.com page for where she goes to college.

When I booted to Safe Mode after the restore to apply the Registry Admin Password patch I saw my friend ftpanti was running. In Recovery Console mode I see ftpanti and another suspicious file named hostx in the Prefetch folder. I think when I initially deleted ftpanti, hostx created infops. At this point I am going to just delete ftpanti and hostx and see if that stops this from redeveloping.

zlim, I've been to the 1st two links you posted. In fact I used the list of URLs in the 1st one to add to the IE Restricted Zone to stop the ads, but it didn't stop them for long. Nothing I see in the last URL matches up with what I've seen on this pc. But the crmc seen in it appears to be fairly widespread and the rerun parm used with it is the same parm I saw with infops.

BTW With Norton Ghost's Rescue disk is it possible to restore individual partitions? Folders? 2003 version. I use Drive Image but this pc has Ghost so I'm using it.

Do as I did - after you install FireFox:
- Make the "big blue E" actually link to FireFox instead of IE
- Change all the HTML/URL/HTM/etc... icons to match IE
- Get an IE-like theme for FireFox
She'll never know the difference! :huh:


VERY clever guys. Thanks for the ideas.

A minor update. When I went to delete ftpanti and hostx I found ftpanti to be GONE!!!! o:) It wasn't in Prefetch, or Microsoft.NET. So I deleted hostx and rebooted, only to find the system hung after booting. Apparently hostx is used somewhere and is legit.

However, and I think more importantly, with the system hung, I elected to restore it yet again. And when I rebooted Windows, no more ftpanti; instead I found that svrutil is now eating up CPU usage and that it and its companions liturvs.ini and liturvs.bak1 are located in the Windows\Security\Database folder.

The thing MORPHS!! o:) :huh: Probably based on date. Unbelievable. o:) :D o:) So much talent wasted on something like this. o:)

> looks like a typing error of Symantec gets you this scumware!

I missed that zlim. Where did you find it?

Update
I may have spoken too soon. I rebooted again and now the CPU hog is named sysacc, and it and its cohorts are in the Windows Web folder. I'm going to bed. o:)

The Recovery Console is limited by its restricted use functions. However BAT files can overcome some of these. I need a BAT that will allow me to scan the Windows folder and its subfolders for files, and preferably more than one concurrently. Something like FINDIT *.bak1 or FINDIT scum.exe mucs.ini mucs.bak1. I thought I saw one here not too long ago that had the basics for something like this, but I am unable to find it now.

BTW With the last restore I have been unable to remove my nemesis.
BTW2 Is CWShredder still being maintained? I thought I read this past summer that further development was being stopped.


nlinecomputers
> BTW2 Is CWShredder still being maintained? I thought I read this past summer that further development was being stopped.
CWShredder is no longer being maintained however many parasites still use the techniques that CWShredder checks for so it is still a valid tool.

nlinecomputers

Ed, could you please post a HijackThis log. I think you are making this more difficult than it is to remove. I kill this kind of stuff every day. Most likely you have a hidden service running and HijackThis should spot it so we can remove it.


Per your request nlinecomputers. B)

Logfile of HijackThis v1.98.2
Scan saved at 5:51:59 PM, on 9/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\AppPatch\waveacc.exe
C:\PROGRA~1\NORTON~1\NORTON~3\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\CsinsmNT.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Melissa A\My Documents\download\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weatherunderground.com/cgi-bin/findweather/getForecast?query=Fredonia%2C+NY
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
O2 - BHO: CATLEvents Object - {18722863-6D1D-4300-BF29-406948EDA7CB} - C:\DOCUME~1\MELISS~1\LOCALS~1\Temp\ccaevaw.dat
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [*waveacc] C:\WINDOWS\AppPatch\waveacc.exe
O4 - HKLM\..\RunOnce: [*waveacc] C:\WINDOWS\AppPatch\waveacc.exe rerun
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CsinsmNT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll

In this entry the program name changes but its location doesn't, and it's always the name of the file in the next two entries spelled backward.

O2 - BHO: CATLEvents Object - {18722863-6D1D-4300-BF29-406948EDA7CB} - C:\DOCUME~1\MELISS~1\LOCALS~1\Temp\ccaevaw.dat

In these two entries they always show up together, and if you delete them using HiJackThis, the 2nd one will reappear when HiJackThis is rerun. If you use Task Manager to end it, it will automatically restart. If you rename it, it will automatically be recreated. The file names change and the folder they are located in changes, though they are always in c:\Windows. The program runs whether in normal mode or Safe Mode.

O4 - HKLM\..\Run: [*waveacc] C:\WINDOWS\AppPatch\waveacc.exe
O4 - HKLM\..\RunOnce: [*waveacc] C:\WINDOWS\AppPatch\waveacc.exe rerun

The exe is accompanied by two hidden, system files, one an ini and the other a bak1, whose names match the exe's name backwards.

The problem is not getting rid of the scumware, it's finding what keeps recreating it.

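The O2/O4 pattern Ed_P describes above (a BHO loading a .dat out of Temp, an asterisk-prefixed Run value in AppPatch, and a RunOnce twin that re-arms it with "rerun") is mechanical enough to triage automatically. The following is an added example, not code from the original thread or from HijackThis; it parses HijackThis O2 and O4 lines and flags the traits the posts report. The sample entries are copied from the log posted above, and the list of "odd" Windows subfolders and the heuristics are assumptions drawn from what the thread observed, not a published ruleset.

```python
"""Triage HijackThis O2/O4 lines for the autorun pattern described in the thread.

Added example, not part of the original posts. SAMPLE_LOG is a constructed subset
of the posted log; ODD_WINDOWS_DIRS and the heuristics are assumptions based on
the folders and behaviour the thread reports, not a published ruleset.
"""
import re
from typing import Dict, List, Optional, Tuple

# Subset of the posted HijackThis log, constructed here as test input.
SAMPLE_LOG = r"""
O2 - BHO: CATLEvents Object - {18722863-6D1D-4300-BF29-406948EDA7CB} - C:\DOCUME~1\MELISS~1\LOCALS~1\Temp\ccaevaw.dat
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [*waveacc] C:\WINDOWS\AppPatch\waveacc.exe
O4 - HKLM\..\RunOnce: [*waveacc] C:\WINDOWS\AppPatch\waveacc.exe rerun
"""

# Windows subfolders the thread saw the malware hide in; none should host an autorun EXE.
ODD_WINDOWS_DIRS = {"apppatch", "microsoft.net", "security\\database", "web",
                    "fonts", "help", "registration", "prefetch"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Split "path args": a quoted path, or everything up to the first ".exe".
CMD_RE = re.compile(r'^(?P<exe>"[^"]+"|.+?\.exe)(?:\s+(?P<args>.*))?$', re.IGNORECASE)


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Return a dict for an O2 (BHO) or O4 (registry Run/RunOnce) line, else None."""
    m = O2_RE.match(line)
    if m:
        return {"kind": "O2", "name": m["name"], "path": m["path"].strip(), "args": "", "key": "BHO"}
    m = O4_RE.match(line)
    if m:
        c = CMD_RE.match(m["cmd"].strip())
        exe = (c["exe"] if c else m["cmd"]).strip('"')
        return {"kind": "O4", "name": m["name"], "path": exe,
                "args": (c["args"] or "") if c else "", "key": m["key"]}
    return None


def _odd_windows_dir(path: str) -> Optional[str]:
    """Name of the suspicious Windows subfolder the path sits in, or None."""
    low = path.lower()
    for d in ODD_WINDOWS_DIRS:
        if f"\\windows\\{d}\\" in low:
            return d
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (entry name, reason) pairs for entries matching the thread's pattern."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    findings: List[Tuple[str, str]] = []
    # Paths started from Run, so a RunOnce twin of the same EXE can be spotted.
    run_paths = {e["path"].lower() for e in entries if e["key"] == "Run"}
    for e in entries:
        low = e["path"].lower()
        if e["kind"] == "O2" and not low.endswith((".dll", ".ocx")):
            findings.append((e["name"], "BHO loaded from a non-DLL file"))
        if "\\temp\\" in low:
            findings.append((e["name"], "loads from a Temp folder"))
        d = _odd_windows_dir(e["path"])
        if d:
            findings.append((e["name"], f"autorun executable under Windows\\{d}"))
        if e["kind"] == "O4" and e["name"].startswith("*"):
            findings.append((e["name"], "value name prefixed with '*' (the RunOnce Safe Mode prefix)"))
        if e["key"] == "RunOnce" and low in run_paths:
            findings.append((e["name"], f"RunOnce re-arms the same EXE as Run (args: {e['args']!r})"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LOG):
        print(f"[{name}] {reason}")
```

Run against the sample, only the CATLEvents BHO and the two *waveacc values are reported; the Dell, Norton and Google entries in the same log pass every check. Paste a full log into SAMPLE_LOG (or read one from a file) to triage it the same way.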

nlinecomputers

Ok you've found the same suspected files that I would have found. So I think you got a rootkit on the system.

http://bagpuss.swan.ac.uk/comms/hxdef.htm

Read up on that page. Download the rootkit checker and see if that finds anything. Post back with results. Also, when you are trying to remove this, are you in safe mode? I would reboot into safe mode and try to delete the files there.


The file is running and replicating in Safe Mode. The only place it isn't running is Recovery Console.

> you've found the same suspected files that I would have found.
See, I'm not the dummy you think I are. B) I'll check out your link. Thanks.

nlinecomputers
> See, I'm not the dummy you think I are

Never said you were. I just thought it was pointless to automatically delete files with a batch file when manually didn't work. I have no idea what you were aiming at with the Recovery Console. (I'm not criticizing that. You didn't state enough for me to follow what you were attempting to do.) The reason I wanted to see the hijack logs was to see the locations of the files and the sections, e.g. O2 and O4, that the files were referenced from. Random names in spyware are common, but most have common methods. I'll not be very surprised if that system has Hacker Defender on it.

One other angle to try is to scan the system with Trend's online virus scanner or with AVG. Both are pretty good at finding HackDef. McAfee is good too. Norton still misses it.

> I just thought it was pointless to automatically delete files with a batch file when manually didn't work.

No no no. That wasn't my plan for the BAT. I wanted it to be able to find the *.BAK1 files so I would know where to look for the other related files when in Recovery Console mode.

> I'll not be very surprised if that system has Hacker Defender on it.

Well the ini that this piece of scumware has is not the same as the one shown in the link you gave. This one isn't even a text-formatted file.

> One other angle to try is to scan the system with Trend's online virus scanner

Done that, no hits. She did have Norton's AV on the pc but it has been disabled.

AppPatch could be legitimate http://msdn.microsoft.com/library/default....ing_example.asp

I don't understand this, and trojans are starting to have the same names as legitimate items, which makes it hard to sort out the good from the bad.

On the other hand, wuauclt might be a trojan http://www.neuber.com/taskmanager/process/wuauclt.exe.html again with the name the same as a legitimate process, and you have two running; one might be legit, the other a trojan. :huh:


nlinecomputers
> Well the ini that this piece of scumware has is not the same as the one shown in the link you gave. This one isn't even a text-formatted file.

Did you run the Rootkit scanner? It scans for any service running, not just HackDef.

I did, and it only listed as suspicious a DLL in System32 that is a part of Norton SystemWorks, which she has: ApiTrap.dll. However, in System32 when sorted by date I see my friend hostx.exe created today. And in AppPatch I now have a BAK2 module.

My current plan is to boot up to Recovery Console and replace the suspicious files in AppPatch with dummy ones with the same name. Hopefully whatever is creating them won't check for sizes.

> AppPatch could be legitimate

Not likely with this consistent series of files with forward and backward names. But thanks for looking zlim. :huh: My concern is that these are just the live ones and that there are others; that's why I wanted the BAT file to scan for them through Windows. At least once when I did a Search I found them in two places.

nlinecomputers

You might try to use http://www.iarsn.com/ They have a program called taskinfo 2003 that might show you the hidden process that is running to create all this. Have you looked in your services.msc app to see if you see any unknown services running?


Well, I think it's gone. And if not, at least it's quiet.

In Recovery Console mode I renamed:
System32\hostx.exe -> hostx.xxx
AppPatch\waveacc.exe -> waveacc.xxx
AppPatch\ccaevaw.ini -> ccaevaw.xxx
AppPatch\ccaevaw.bak1 -> ccaevaw.xx1
AppPatch\ccaevaw.bak2 -> ccaevaw.xx2

I then renamed 5 txt files that I had created with Notepad to match the original 4 AppPatch file names, plus I added one as a Read Only tmp file. I made the renamed txt files Hidden and System to match the original files' attributes. I added the Read Only tmp file because when creating the txt files in the AppPatch folder I found that a tmp file matching the name of the ini would periodically get created then disappear.
AppPatch\ccaevaw.tmp -> Read only

I then exited RC mode and came up in regular Windows mode. When I got errors about the validity of waveacc.exe I selected Ignore. With the system up and CPU usage appearing normal I went into the Documents and Settings\user\Local Settings\temp folder:
I renamed bkinit.exe -> bkinit.xxx
Deleted all the 96K dat files that had the Hidden and System attributes.
NB The bkinit file had the Hidden and System attributes set also.

I ran HiJackThis and deleted the BHO and O4 entries found previously and rebooted. With Windows up again and CPU usage normal I deleted everything in the Local Settings' temp folder. I have rebooted several times, including a cold boot, and CPU usage continues to be normal and HiJackThis clean. I have not tried IE yet, nor have I deleted the renamed AppPatch and System32 files.

I will run Adaware and SpyBot one more time, then partition the drive so that the data is off of c:. I will then image the drive one last time.

While the pc was infected the names that were created were:
basvga / agvsab
ascab / bacsa
waveacc / ccaevaw
sysacc / ccasys
svrimg / gmirvs
ftpanti / itnaptf
svrutl / lturvs
vgas / sagv
mainas / saniam
dldrv / vrdld

BTW Adaware keeps finding Virtumundo on the machine even though I've had Adaware remove it every time. Could that be tied to this problem? :) Adaware is showing the renamed System32\hostx.xxx file as being a part of Virtumundo. :huh: B)

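Ed_P's post above, like his earlier note that the EXE is accompanied by hidden system .ini and .bak1 files named with the EXE's name backwards, gives a file-system signature that is easy to sweep for: an EXE whose reversed stem names a sibling in the same folder. The scanner below is an added example, not code from the thread or from any of the tools it mentions, and is the kind of multi-folder sweep Ed_P was asking a BAT file for. It walks a directory tree and reports every such pair. The sample tree it builds is constructed here from the names listed in the posts; the set of companion extensions is an assumption based on what the thread observed.

```python
"""Sweep a Windows tree for the forward/backward file-name pairs the thread describes.

Added example, not code from the original posts. build_sample_tree() creates a
constructed look-alike of the infected layout using names Ed_P listed; the
COMPANION_EXTS tuple is an assumption drawn from the extensions the thread saw.
"""
import os
import tempfile
from typing import Dict, List

# Companion extensions seen beside the EXE in the thread (.ini, .bak1, .bak2, .dat, .tmp).
COMPANION_EXTS = (".ini", ".bak1", ".bak2", ".dat", ".tmp")
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def hidden_and_system(path: str) -> bool:
    """True when the file carries both Hidden and System attributes (Windows only; False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) and bool(attrs & FILE_ATTRIBUTE_SYSTEM)


def find_reversed_pairs(root: str) -> List[Dict[str, object]]:
    """Return one record per EXE whose reversed stem names a companion in the same folder.

    waveacc.exe beside ccaevaw.ini and ccaevaw.bak1 is reported; a lone EXE is not.
    A palindromic stem (e.g. abba.exe + abba.ini) would also match, so review hits by hand.
    """
    hits: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for f in files:
            stem, ext = os.path.splitext(f)
            if ext.lower() != ".exe":
                continue
            mirror = stem[::-1].lower()
            companions = [by_lower[mirror + e] for e in COMPANION_EXTS if (mirror + e) in by_lower]
            if companions:
                hits.append({
                    "dir": os.path.relpath(dirpath, root),
                    "exe": f,
                    "companions": companions,
                    "exe_hidden_system": hidden_and_system(os.path.join(dirpath, f)),
                })
    return hits


def build_sample_tree(base: str) -> str:
    """Create a constructed look-alike of the infected layout under base; return its root."""
    root = os.path.join(base, "WINDOWS")
    layout = {
        "AppPatch": ["waveacc.exe", "ccaevaw.ini", "ccaevaw.bak1", "ccaevaw.bak2"],
        "Web": ["sysacc.exe", "ccasys.ini", "readme.txt"],
        os.path.join("Security", "Database"): ["svrutl.exe", "lturvs.ini", "lturvs.bak1"],
        "System32": ["hostx.exe", "notepad.exe", "kernel32.dll"],  # no mirrored companions
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"\0" * 16)  # placeholder content; only the names matter here
    return root


def scan_sample() -> List[Dict[str, object]]:
    """Build the sample tree in a temp dir, scan it and return the hits sorted by EXE name."""
    with tempfile.TemporaryDirectory() as tmp:
        return sorted(find_reversed_pairs(build_sample_tree(tmp)), key=lambda h: h["exe"])


if __name__ == "__main__":
    for h in scan_sample():
        print(f"{h['dir']}\\{h['exe']}  <->  {', '.join(h['companions'])}")
```

On a real machine call find_reversed_pairs(r"C:\WINDOWS") from a normal session; the Recovery Console cannot run Python, so the point is to learn the folders to visit before booting into it. Note that hostx.exe in the sample is not reported, which matches the thread: its names were not mirrored, and the thread later tied it to Virtumundo rather than to this pattern.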

http://computercops.biz/postlite75734-virtumundo.html

Looks to be a good thread on this. (Note the settings for Ad-Aware in the thread; AA will not remove this using the default settings.)

Wow!!! :thumbsup: Great thread indeed nlinecomputers. Thanks!! It's the same situation I had. Note the references to LOCALS~1\Temp\evawalue.dat & eulawave.exe and evawbac & cabwave and their different locations. I had used the KillFile utility that they referenced, but I think I did it for only 1 file at a time and they show doing it for several at one time. That may have been the difference.

I will study it in more detail later. I definitely want to finish removing Virtumundo now. I'm imaging her hard drive right now and it takes a while when using a USB 1.1 drive.

Thanks again nlinecomputers. :)

nlinecomputers
> I had used the KillFile utility that they referenced but I think I did it for only 1 file at a time and they show doing it for several at one time. That may have been the difference.

Indeed. As you have seen, these little buggers recreate the missing parts, so if you don't kill it all it just grows back. Like a freeken weed. Get me the Roundup!

Same problem, right down to the fact that it's my neighbor's daughter who has been away at school.

Differences:
1. None of the file names were the same as what you posted. BKINIT in my case was BKINST. No other file names were even close. (This thing morphs like a Yaki indian on peyote)
2. There were tons of dat files, but the first time I thought I whacked this mole, it was in winnt\registration. The next time I rebooted, it was in winnt\help. The next time it was in winnt\fonts. Each time, the name BKINST was the same, and it was in the system32 folder.
3. I don't have much time before she leaves, and I doubt I can fix this in time. I have taken the following workaround:
Create a file in the root of C:, named killit.bat.
Killit.bat just has one command: "del c:\winnt\system32\bkinst.exe" (without quotes).
Create a string value in the HKLM\...\Run called murder
Give the string value: "c:\killit.bat" (without the quotes).
This causes the bkinst.exe to get deleted before it can start the process.

What I have done is provide a workaround that lets her machine behave normally, but I'm only treating the symptom here. I don't feel good about it, but I have only a couple hours with the machine. It goes back to So Cal in the morning. I have set up remote access, and she has agreed to allow me to login and work on this later, but only according to her schedule. Help is invited.

JeffGoneMad


I suspect the scumware mothership will note the missing file and create a new one. While the files that create the ads can be deleted, something else, hostx I believe, keeps track of them and replaces them when they are deleted.

Keep us updated as to your progress. Especially using the remote approach.


There is no file named hostx.* on her machine. I looked for hidden, system, etc. It's not there, and all the files I have identified as related have totally different names than what you found. The only one that was even similar is the bkinst.exe. This file seems to get created at shutdown, and deleting it at startup does prevent the cycle of horror from starting. That said, does anybody know where the shutdown version of HKLM\...\Run is? I know UNIX has shutdown scripts. I never looked for the equivalent in Windows. If I'm correct in assuming that the file is created at shutdown, I may be able to find the process that creates it.

Note: I misspoke in my previous post when I said bkinst.exe had been moving. It was the other files that were changing location. bkinst.exe is always in the system32 directory.
