It's Snark hunting time again:)

Dave Baker

I've been wondering for a while now why my Torrent application seems to be
using all my upload bandwidth and slowing browsing to a crawl even when I
have the Torrent upload limit capped to a sensible level. I shut all apps
down and fired up the DSL modem meter and bugger me there's about 70kb/s of
upload ticking away in the background all the time. Me smells a Snark that's
insinuated its nasty little self onto my pc.

Nothing unusual appearing in Task Manager but then most nasties don't show
up there anyway. Fire up MBAM and it won't update itself. Hmmm. Check
firewall settings. Still no joy. Into Firefox and try to access the MBAM
website to download the current version. No joy. Hmmm. Nasty little Snark is
stopping anything MBAM related running it seems. Clever little Snark. I like
a challenge :)

Run "NETSTAT -B" and there's an unknown component running.

Time to dig all the Snark hunting tools out and see if I can pot myself
something tasty for lunch.
 
Dave Baker

Dave Baker said:
I've been wondering for a while now why my Torrent application seems to be
using all my upload bandwidth and slowing browsing to a crawl even when I
have the Torrent upload limit capped to a sensible level. I shut all apps
down and fired up the DSL modem meter and bugger me there's about 70kb/s
of upload ticking away in the background all the time. Me smells a Snark
that's insinuated its nasty little self onto my pc.

Nothing unusual appearing in Task Manager but then most nasties don't show
up there anyway. Fire up MBAM and it won't update itself. Hmmm. Check
firewall settings. Still no joy. Into Firefox and try to access the MBAM
website to download the current version. No joy. Hmmm. Nasty little Snark
is stopping anything MBAM related running it seems. Clever little Snark. I
like a challenge :)

Run "NETSTAT -B" and there's an unknown component running.

Time to dig all the Snark hunting tools out and see if I can pot myself
something tasty for lunch.

OK I'm getting pissed off now. It's disabled System Restore, Hijackthis is
not showing anything I can spot as an immediate problem and I can't run any
anti malware programs. This little sod might actually be too clever for me.
Any suggestions?
 
ASCII

Dave said:
I can't run any
anti malware programs. This little sod might actually be too clever for me.
Any suggestions?

Are these programs already on your machine yet won't run,
or are they not available to download
because maybe your hosts file had been corrupted?
 
Dave Baker

ASCII said:
Are these programs already on your machine yet won't run,
or are they not available to download
because maybe your hosts file had been corrupted?

I've got MBAM installed and the last update was a month or so ago. It won't
re-update and as far as I can see the hosts file is not corrupted so I'm not
sure how this little bastard is stopping access to the MBAM website.

I've tried turning System Restore on again and it won't let me do that
either so this thing is clever.
 
1PW

Dave said:
I've got MBAM installed and the last update was a month or so ago. It won't
re-update and as far as I can see the hosts file is not corrupted so I'm not
sure how this little bastard is stopping access to the MBAM website.

I've tried turning System Restore on again and it won't let me do that
either so this thing is clever.

Although you did mention MBAM by name, you have failed to give us any
specifics about your system OS & your antimalware.

Rename MBAM's executable to something like Baker001 and try running
the update. If that works, you'll probably be able to run a scan in
normal mode, with networking of course.

Please update this thread with your progress.

Regards,

Pete
 
FromTheRafters

OK I'm getting pissed off now. It's disabled System Restore,
Hijackthis is not showing anything I can spot as an immediate problem
and I can't run any anti malware programs. This little sod might
actually be too clever for me. Any suggestions?

Download the tools using another (non-infested) machine. Rename the
tools before attempting to execute them on the affected machine.
 
Dave Baker

FromTheRafters said:
Download the tools using another (non-infested) machine. Rename the tools
before attempting to execute them on the affected machine.

If I had another non-infested machine......
 
Leythos

I've got MBAM installed and the last update was a month or so ago. It won't
re-update and as far as I can see the hosts file is not corrupted so I'm not
sure how this little bastard is stopping access to the MBAM website.

I've tried turning System Restore on again and it won't let me do that
either so this thing is clever.

MBAM had updates over the weekend - there is new malware that it detects
as of the Sunday update that it didn't detect on Thursday. Download a
new copy and install it again.
 
1PW

Dave said:
If I had another non-infested machine......

....and you can rename the downloaded MBAM installer file before
execution too.

/Some/ likelihood exists that HJT actually /does/ see your malware.
However, don't post your HJT log here. If it comes to it, you can
submit your HJT log to:

<http://www.bleepingcomputer.com/forums/forum22.html>

If any of your efforts produces the /name/ of the malware, please make
careful note and repost here.

Pete
 
FromTheRafters

Dave Baker said:
If I had another non-infested machine......

See if you can FTP the tools. See if you can access the website by
putting the IP address in the address bar instead of relying on a lookup
(DNS / hosts file). Have someone you trust download the tool and host it
for your retrieval from them (HTTP/FTP/ ..or e-mail (ugh)).

....do you know any good chants or mantras?
 
Beauregard T. Shagnasty

The said:
Use my stolen, pirated Remove-it software, it will remove that malware
from your system.

How can you say that? You don't even know what the malware is.
 
Beauregard T. Shagnasty

PCButts said:
It does not matter, that's not how my software works. The malware will
be identified after the scan.

...but only if a particular filename exists in a particular directory.
I'm sorry you are too dumb to realize that.

I'm sorry you are too dumb to realize that malware morphs.
Here is a list of everything my Remove-it will remove/Fix and all
known

What about the other thousands of malwares?
 
David H. Lipman

From: "Beauregard T. Shagnasty" <[email protected]>


| ..but only if a particular filename exists in a particular directory.

| I'm sorry you are too dumb to realize that malware morphs.

| What about the other thousands of malwares?

He thinks that because he *ILLEGITIMATELY includes the Microsoft Windows Malicious
Software Removal Tool, v2.11.2450.0, that it covers ALL malware.

Too bad that MS MRT also has a limited target list.

*Illegitimately because he includes a Microsoft anti malware On Demand scanner in
Remove-It and does not indicate that Remove-It uses the MS MRT nor gives any credit back
to Microsoft in violation of the Microsoft licensing agreement.
 
Leythos

Use my Remove-it software

PCBUTTS1, not a single person will download your pirated code now that
you've exposed yourself as the PIRATE/THIEF we all have said you are.

The file you claim to have known about, claim to have submitted to anti-
virus sites, the file named "obatssrsghde.exe" was a marker inserted
into Stuart's batch file you stole from him, it is a KEY that proves
you're a thief:

For those that don't know, Stuart inserted the obatssrsghde.exe marker
into his batch file to prove, to the community, that PCBUTTS1 / The Real
Truth MVP is actually a lying thief, and PCBUTTS admitted in his own
post that he created the marker and claimed to know what it was - even
claimed to have submitted the malware to anti-virus vendors, but the
joke was on him, Stuart told everyone in the community about it BEFORE
it appeared in PCBUTTS1 download.... There is no actual file named
obatssrsghde.exe in the malware community, it was a ruse.

The key is in the spelling:

obatssrsghde.exe
pcbuttsthief

If you change (add) 1 character to each letter you will see that
"obatssrsghde" is actually the marker "pcbuttsthief" - proving that
PCBUTTS1 is a thief.

Are there other markers - YES, does PCBUTTS1 know about them - no,
they've been there for a long time, but this is the most obvious one.

Face it Chris/PCBUTTS1/TRT, you've exposed yourself in public.
 
Leythos

Remove-it is way beyond that

You've exposed yourself as the PIRATE/THIEF we all have said you are.

The file you claim to have known about, claim to have submitted to anti-
virus sites, the file named "obatssrsghde.exe" was a marker inserted
into Stuart's batch file you stole from him, it is a KEY that proves
you're a thief:

For those that don't know, Stuart inserted the obatssrsghde.exe marker
into his batch file to prove, to the community, that PCBUTTS1 / The Real
Truth MVP is actually a lying thief, and PCBUTTS admitted in his own
post that he created the marker and claimed to know what it was - even
claimed to have submitted the malware to anti-virus vendors, but the
joke was on him, Stuart told everyone in the community about it BEFORE
it appeared in PCBUTTS1 download.... There is no actual file named
obatssrsghde.exe in the malware community, it was a ruse.

The key is in the spelling:

obatssrsghde.exe
pcbuttsthief

If you change (add) 1 character to each letter you will see that
"obatssrsghde" is actually the marker "pcbuttsthief" - proving that
PCBUTTS1 is a thief.

Are there other markers - YES, does PCBUTTS1 know about them - no,
they've been there for a long time, but this is the most obvious one.

Face it Chris/PCBUTTS1/TRT, you've exposed yourself in public.
 
Dave Baker

Update on progress.

Still can't access the MBAM site so there's still a redirect in action
somewhere although the Hosts file is ok. Managed to download the latest
version from a mirror site but that wouldn't update either of course as it
couldn't access the MBAM site. Managed to find the latest MBAM rules.ref
file from a link which uses the IP address rather than the domain name. Here
it is if it helps anyone else.

http://74.208.12.180/malwarebytes/mbam-rules.exe

Run the executable and it loads the Rules.ref file into the relevant place
in Documents and Settings.

Cool, so finally able to run MBAM with the latest update and it
found.....absolutely nothing. Drat.

Back to basics. Had a look through the Windows and System32 directories by
my lonesome just to see if anything stuck out as being odd. First thing I
found was eSellerateEngine.dll in the Windows directory. Googled it and
definitely nasty so that got deleted but didn't solve the uploader problem.

I've worked my way through my HijackThis logs and deleted a few Registry
redirects and other minor oddities and the only thing I'm left with that
looks wrong is a running process C:\Windows\Explorer.EXE spelled exactly
like that with capitalised first letter and capitalised EXE. I think it
should just be explorer.exe.

So that's what I've got my hopes pinned on. Just got to find out what's
causing it now.

Time to ask the chaps in Bleepingcomputer I think.
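The thread keeps coming back to one question: is the hosts file redirecting or blocking the anti-malware vendor's site? The following is an added example, not code from any poster, that parses a hosts file and flags entries for security-vendor domains that are mapped to loopback or the unspecified address (blocked) or to some other address (redirected). The sample hosts contents and the vendor watchlist are constructed for the example.

```python
# Added example: audit a hosts file for entries that block or redirect
# security-vendor domains. Sample input below is constructed, not captured.
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# the entries below are constructed to show what a tampered file looks like
127.0.0.1       www.malwarebytes.org
0.0.0.0         malwarebytes.org
10.11.12.13     update.microsoft.com
192.168.1.50    intranet.local
"""

# Substrings of vendor/support domains worth flagging (constructed watchlist).
WATCHLIST = ("malwarebytes", "bleepingcomputer", "microsoft", "symantec",
             "mcafee", "kaspersky", "avast", "sophos", "eset")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text.
    Comments start with '#'; lines whose first token is not an IP are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            yield ip, name.lower(), line_no


def audit_hosts(text, watchlist=WATCHLIST):
    """Return a list of findings for watchlisted hostnames. 'blocked' means the
    name points at loopback/unspecified; 'redirected' means any other address."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name == "localhost":
            continue
        if any(w in name for w in watchlist):
            kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append({"line": line_no, "host": name,
                             "ip": str(ip), "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

To run it against a real machine, read the file from `%SystemRoot%\System32\drivers\etc\hosts` on Windows (or `/etc/hosts` elsewhere) and pass the text to `audit_hosts`. An empty result only clears the hosts file; as the update above shows, a redirect can live elsewhere (resolver settings, a filtering driver, a proxy), so a clean hosts file is one box ticked, not a verdict.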
 
Dave Baker

Dave Baker said:
I've worked my way through my HijackThis logs and deleted a few Registry
redirects and other minor oddities and the only thing I'm left with that
looks wrong is a running process C:\Windows\Explorer.EXE spelled exactly
like that with capitalised first letter and capitalised EXE. I think it
should just be explorer.exe.

Hmmm, maybe not. Looking at other people's logs it seems to be spelled like
that normally. Bugger.
 