New Spyware DLL found?

Bob McNair

Hi,
I just spent the best part of half a day trying to get rid
of a bad spyware infestation on one of our PCs.
Even after installing and running Microsoft AntiSpyware,
which removed 4 separate variants of spyware, the browser
was still being hijacked.
It was an "about:blank" hijack but the DLL used appears
perhaps to be new.
It was installed on the PC on Sun 30th Jan 05 and is
called modgbb.dll.
Removing it, after deleting any reference to it in the
registry, cured the hijack.
I have kept the DLL if anyone from Microsoft would like to
have a copy of this so it can be added to the definitions.

Bob McNair
 
Steve Wechsler [MVP]

Bob,

Would you compress the file to a .zip folder, name the folder sample,
and email it to me? I'll get it to MS.
Thanks.

Steve Wechsler (aka MowGreen)
MVP Windows Server
 
Guest

I am having the same problem on my computer with
the "about:blank" hijack. However, I don't seem to be able
to find the modgbb.dll you have mentioned anywhere on my
system. Any other ideas?
 
Bill Sanderson

I haven't checked out this particular bug, but a number of such critters use
a random-naming scheme for some files on a given machine. This means that
looking things up by name is not very fruitful. Instead, you must go by
behavior, or a process of elimination.

Have you tried scanning twice in safe mode?
 
Steve Wechsler [MVP]

about:blank is difficult to remove because different means are used to
hide the infecting file.

1 - Check the Services to see if a phantom Service has been implemented.
Stop, then disable the Service from running on Startup. Then attempt to
rename the .dll file in Normal mode, reboot to Safe Mode and delete it.

2 - Check the registry with Registrar Lite to see if AppInit_DLLs has a
hidden file. Here's a webpage that describes how to use this method :
http://www.silentrunners.org/sr_cwsremoval.html

3 - See if you can view the hidden .dll files. A hidden file may have
been injected into one of these 2 processes -
Explorer.exe or IExplore.exe :

Download ProcessViewer : http://tools.zerosrealm.com/pv.zip
Extract it to the Desktop. Open the pv folder and double-click
"runme.bat". A DOS box will open. Select Type 2 for
Internet Explorer DLLs and press Enter.
OR, Type 1 for Explorer DLLs.
Notepad will open with text in it. You'll need to know exactly which
file(s) needs to be deleted. Removing required ones can render the
system unstable.
Removing the file(s) requires using Hijack This or KillBox to do so on a
reboot. Best to let an expert at a spyware forum assist you with this.

Here are a few of the reputable spyware forums where you'll be able to
find assistance. Please read the guidelines of the one you choose prior
to posting there :

http://www.bleepingcomputer.com/forums/forum22.html
http://forums.net-integration.net/index.php?showforum=32
http://forum.aumha.org/viewforum.php?f=30
http://spywarewarrior.com/viewforum.php?f=2&sid=3ce3e4c9a40b25268d1bac3189d22184
http://computercops.biz/forum67.html


Steve Wechsler (aka MowGreen)
Windows Server
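The three hiding places Steve walks through (a phantom service, the AppInit_DLLs value, and DLLs injected into Explorer.exe / IExplore.exe) can be enumerated from one elevated PowerShell prompt. This is an added example for readers of this thread, not a tool from the thread or from Microsoft; it assumes a current Windows host with PowerShell 5 or later, and it only reports, it deletes nothing.

```powershell
# Added example (not from the thread): triage the three spots listed above.
# Run from an elevated prompt; 32-bit processes may not expose modules to a 64-bit shell.
$suspectNames = @('modgbb.dll')   # name quoted in Bob's post; hijackers often randomise names

# 1 - Services whose binary lives outside the Windows / Program Files trees
Write-Host "== Services with unusual binary paths =="
Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)'
} | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

# 2 - AppInit_DLLs: anything here is loaded into every process that loads user32.dll
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AppInit_DLLs
Write-Host "== AppInit_DLLs = '$appInit' (normally empty) =="

# 3 - DLLs loaded into explorer.exe / iexplore.exe, flagging hidden, unsigned or oddly placed files
Write-Host "== Suspicious modules in explorer.exe / iexplore.exe =="
$procs = Get-Process -Name explorer, iexplore -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $modules = @()
    try { $modules = $p.Modules } catch { Write-Warning "Cannot read modules of PID $($p.Id): $_" }
    foreach ($m in $modules) {
        $path  = $m.FileName
        $item  = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        # Legitimate shell/browser DLLs almost always live under these trees
        $oddPath = $path -notmatch '\\Windows\\(System32|SysWOW64|WinSxS)\\' -and
                   $path -notmatch '\\Program Files'
        $sig = (Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue).Status
        $unsigned = $sig -ne 'Valid'
        $named = $suspectNames -contains $m.ModuleName
        if ($hidden -or $oddPath -or $unsigned -or $named) {
            [pscustomobject]@{
                Process = $p.ProcessName; PID = $p.Id; Module = $m.ModuleName
                Hidden = $hidden; OddPath = $oddPath; Signature = $sig; Path = $path
            }
        }
    }
}
```

A hidden, unsigned DLL outside the Windows tree that appears in both process lists is the kind of candidate the thread's advice says to take to a spyware forum before deleting anything, since removing a required module can leave the system unstable.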