johngross
Some weeks ago my laptop suffered a significant infection of adware
and/or malware.
The laptop is not connected to the Internet very often at all, and even
then for only short periods (down/uploading email); I had never
suffered any more than an occasional minor virus, and so had not set up
any protection at all... to my shame, now!
After this attack, I have got serious about anti-virus, anti-ad/malware
and firewall protection. I installed Symantec AntiVirus, Comodo
Personal Firewall, and Ad-Aware SE. Ad-Aware and Symantec identified
and cleared a large number of infected files and other objects, but
seemed to be unable to get rid of several remaining problems. I also
tried running Look2Me-Removal tool and CWShredder (because some files
that appeared to have been created during the period that the laptop
was on-line looked suspiciously similar to files identified as Look2Me
and CoolWebSearch) but neither found anything more.
I was left with 4 remaining problems:
1) when I clicked Start > Search > Files and Folders, the desktop and
system tray disappeared and the svchost.exe process running RpcSs.dll
(discovered by investigating with Task Manager) began to use all spare
CPU capacity; I could still run other applications, but they were
extremely slow. I could not stop the process in any way except to power
off the laptop.
2) when I clicked Start > My Computer, the desktop and system tray
disappeared also, but reappeared a moment later; however, this made
doing any work involving Windows Explorer virtually impossible; no
method I could find would make explorer.exe behave normally.
3) when I tried to boot in Safe Mode (to attempt any corrective
action), the desktop and system tray never appeared... which made
things difficult, to say the least.
4) I still seemed to have one piece of ad/malware that resulted in
Windows Explorer.exe trying to connect to the Internet; this was
reported by my firewall (Comodo Personal Firewall) and was
blocked... although I was not connecting the laptop to the Internet
while trying to sort out the infection.
A search of Google Groups turned up a number of threads that seemed to
be relevant, but nothing suggested there seemed to work for me. I did
find one post that referred to a CoolWebSearch infection and mentioned
Registry entries that looked similar to some in my Registry. (I wanted
to add a link to the relevant thread, but unfortunately I didn't record
or save it; I thought I would be able to find it easily, but have been
unable to do so.)
At this point I decided it was time to bite the bullet and take more
drastic action; rather than rebuilding WinXP from my install CD, I
decided to upgrade to SP2 (something I had planned to do for some time,
but never got around to - tut, tut, I can hear some of you saying!)
However, before doing this, I decided to get rid of a number of files
that I thought looked very suspicious (as I mentioned above); I copied
them to removable media before deleting them (in case their removal
caused something drastic to happen, in which case I could hopefully get
them back?). There were:
15 .exe files with gobbledegook-type names and zero length (some in C:\
and some in C:\WINDOWS\system32\)
2 zero-length files in system32\ with similar names (one .tmp, the
other with no extension)
7 other files that I was very suspicious of (because they had names
similar to files quarantined/deleted by Symantec or Ad-Aware AND had
apparently been created during the time(s) when the laptop had been
connected to the Internet)
Note: I still have these files and if anyone is interested, I can tell
you what their names are and/or send them for analysis.
Having completed this little orgy of deletion, I decided to boot up and
see if I had made anything worse. To my amazement, however, the first
two of my four problems seemed to have been fixed!!!... and have not
reappeared since.
I decided to make one last attempt to tackle problem 4) before
installing SP2.
In the post I referred to above that I could not find again, there was
reference to several Registry entries; I looked in my Registry and
found a set of very similar entries (but with a different CLSID and a
different .dll name). I have attached them below.
First, I submitted the byxyv.dll file to VirusTotal.com for analysis;
the report returned was as follows (positive scan results only):
-----------------------------------------------
-------------------------------------------------------------[ file data ]
* name: Byxyv.dll
* size: 692276
* md5.: c93df3b773ee2ee441b8463cb02868a9
* sha1: e82a3a694d712958a8d9cbc8357c48f1fc6a7dd4
[ scan result ]
AntiVir 7.2.0.46/20061204 found [TR/Vundo.Gen]
AVG 386/20061204 found [Lop.AQ]
DrWeb 4.33/20061204 found [Trojan.Virtumod]
eTrust-Vet 30.3.3230/20061204 found [Win32/Vundo]
Fortinet 2.82.0.0/20061204 found [suspicious]
Kaspersky 4.0.2.24/20061205 found [not-a-virus:AdWare.Win32.Virtumonde.fj]
McAfee 4910/20061204 found [Vundo]
Norman 5.80.02/20061204 found [W32/Vundo.gen3]
Panda 9.0.0.4/20061203 found [Suspicious file]
Sophos 4.12.0/20061204 found [Virtumundo]
Sunbelt 2.2.907.0/20061130 found [VIPRE.Suspicious]
[ notes ]
packers: PECRYPT
packers: embedded
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
I checked the identified names as far as I know how (even printing out
the Symantec report on the Vundo suspect), but found little of any help
at all; none of the Registry keys/values seemed to be in my Registry.
So (verrrrry carefully) I manually deleted (in Safe Mode) all these
Registry references (as below, but with a different CLSID - it seems
the CLSID entry may have been changed on every boot), and deleted the
.dll file itself (after copying it to removable media so that I can
submit it for analysis and/or reinstate it if necessary); for the file
deletion, I had to use Recovery Console, because even in Safe Mode the
file seemed to be in use by some process.
Once again, I rebooted to assess if my actions had had any effect; to
my further surprise, the third and fourth problems seem now to be
fixed!
Apart from the problems going away, I have noticed one thing that may
be significant: with the byxyv.dll file deleted, Task Manager (when the
system is 'idling') shows explorer.exe using about 14,000 Kb of RAM
instead of about 23,000 Kb it seemed to show when I still had the
problems.
I feel I've been very lucky to have been able to fix these problems
(without really knowing how). From now on, I am determined to keep
AntiVirus, Ad-Aware and the firewall up-to-date and running
regularly... and SP2 and all critical Windows Updates installed!
I don't expect any reply to this post; it's just to pass on some
information that might be useful to someone.
--------------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{997EBC2D-58D5-4EE4-8873-8109C86B13D5}]
[HKEY_CLASSES_ROOT\CLSID\{997EBC2D-58D5-4EE4-8873-8109C86B13D5}\InprocServer32]
@="C:\\WINDOWS\\System32\\byxyv.dll"
"ThreadingModel"="Both"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{997EBC2D-58D5-4EE4-8873-8109C86B13D5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{997EBC2D-58D5-4EE4-8873-8109C86B13D5}\InprocServer32]
@="C:\\WINDOWS\\System32\\byxyv.dll"
"ThreadingModel"="Both"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{997EBC2D-58D5-4EE4-8873-8109C86B13D5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxyv]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\System32\\byxyv.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"
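The export above registers the same DLL in three places: as a COM in-process server under its CLSID, as a Browser Helper Object (which only names the CLSID), and as a Winlogon Notify package. As an added example that is not part of the original post, here is a small Python parser that reads such a .reg export and resolves which DLL each persistence entry actually loads; the sample input is the export from the post, embedded as a constructed string.

```python
# Constructed sample (embedded for this example): the registry export shown in the post.
REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{997EBC2D-58D5-4EE4-8873-8109C86B13D5}]
[HKEY_CLASSES_ROOT\CLSID\{997EBC2D-58D5-4EE4-8873-8109C86B13D5}\InprocServer32]
@="C:\\WINDOWS\\System32\\byxyv.dll"
"ThreadingModel"="Both"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{997EBC2D-58D5-4EE4-8873-8109C86B13D5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxyv]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\System32\\byxyv.dll"
"Startup"="SysLogon"
"""

def parse_reg(text):
    """Return {key_path: {value_name: value}} from a 'Version 5.00' .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):   # key header
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:         # value line under current key
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if raw.startswith('"') and raw.endswith('"'):
                value = raw[1:-1].replace("\\\\", "\\")   # .reg doubles backslashes in strings
            elif raw.startswith("dword:"):
                value = int(raw[6:], 16)
            else:
                value = raw                                # hex:/expanded strings left as-is
            keys[current][name] = value
    return keys

def persistence_entries(keys):
    """List BHO registrations and Winlogon Notify packages with the DLL each loads."""
    found = []
    for path, values in keys.items():
        tail = path.rsplit("\\", 1)[-1]
        if "\\Explorer\\Browser Helper Objects\\{" in path:
            # A BHO key holds only a CLSID; the DLL path is under CLSID\{...}\InprocServer32.
            suffix = "\\CLSID\\" + tail.upper() + "\\INPROCSERVER32"
            srv = next((v for k, v in keys.items() if k.upper().endswith(suffix)), {})
            found.append(("BHO", tail, srv.get("(Default)")))
        elif "\\Winlogon\\Notify\\" in path:
            # Notify packages are loaded by winlogon.exe at logon, Safe Mode included.
            found.append(("WinlogonNotify", tail, values.get("DllName")))
    return found
```

Running `persistence_entries(parse_reg(REG_EXPORT))` shows both the BHO and the Notify package pointing at the same byxyv.dll, which is the pattern to look for when triaging an export like this one.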