It's Snark hunting time again :)

1PW

Dave said:
Hmmm, maybe not. Looking at other people's logs it seems to be spelled like
that normally. Bugger.

Hello Dave:

FYI - explorer /is/ C:\WINDOWS\explorer.exe on several of my systems
and is 1,010 KB in length. HTH

Almost always, we suggest you run SAS in *Safe Mode* in conjunction
with MBAM. The freeware version may be had at:

<http://www.superantispyware.com/>

Good luck,

Pete
 
David H. Lipman

From: "Dave Baker" <[email protected]>

| Update on progress.

| Still can't access the MBAM site so there's still a redirect in action
| somewhere although the Hosts file is ok. Managed to download the latest
| version from a mirror site but that wouldn't update either of course as it
| couldn't access the MBAM site. Managed to find the latest MBAM rules.ref
| file from a link which uses the IP address rather than the domain name. Here
| it is if it helps anyone else.

| http://74.208.12.180/malwarebytes/mbam-rules.exe

| Run the executable and it loads the Rules.ref file into the relevant place
| in Documents and Settings.

| Cool, so finally able to run MBAM with the latest update and it
| found.....absolutely nothing. Drat.

| Back to basics. Had a look through the Windows and System32 directories by
| my lonesome just to see if anything stuck out as being odd. First thing I
| found was eSellerateEngine.dll in the Windows directory. Googled it and
| definitely nasty so that got deleted but didn't solve the uploader problem.

| I've worked my way through my HijackThis logs and deleted a few Registry
| redirects and other minor oddities and the only thing I'm left with that
| looks wrong is a running process C:\Windows\Explorer.EXE spelled exactly
| like that with capitalised first letter and capitalised EXE. I think it
| should just be explorer.exe.

| So that's what I've got my hopes pinned on. Just got to find out what's
| causing it now.

| Time to ask the chaps in Bleepingcomputer I think.
| --
| Dave Baker


Please run a full scan using Gmer.

http://www.gmer.net/
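The poster above ruled out the hosts file as the cause of the MBAM redirect. The following is an added example for this thread, not code posted by anyone in it: a small audit of the Windows hosts file that flags security-vendor names mapped to loopback or `0.0.0.0` (a blackhole, which is why updates silently fail) or to some other address (a redirect). The vendor watch list and the sample hosts contents are constructed for the example. A clean result from this check means the redirect lives somewhere this script cannot see: the resolver settings, a proxy, an LSP or a driver.

```python
"""Audit a Windows hosts file for hijacked security-vendor names.

Added example for this thread, not code posted by anyone in it. It parses
the hosts file format (comments, tabs, several names per line) and flags
entries that blackhole or redirect anti-malware sites. The vendor list and
the sample file below are constructed for the example.
"""
import ipaddress
import os

# Assumed watch list; extend with whatever sites you cannot reach.
WATCHED_SUFFIXES = (
    "malwarebytes.org",
    "superantispyware.com",
    "gmer.net",
    "bleepingcomputer.com",
    "microsoft.com",
    "windowsupdate.com",
)

# Constructed sample standing in for %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# the lines below are constructed for this example
127.0.0.1\twww.malwarebytes.org   # blackholed, updates silently fail
203.0.113.5     superantispyware.com www.superantispyware.com
::1             bleepingcomputer.com
192.168.1.5     example.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments, trailing ones too
        if not line:
            continue
        fields = line.split()                    # spaces or tabs
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not a mapping; nothing resolves from it
        for host in fields[1:]:
            yield ip, host.lower().rstrip("."), line_no


def is_watched(hostname):
    """True for a watched domain or any of its subdomains."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Return [(line_no, hostname, ip, reason)] for suspicious entries.

    A watched name mapped to loopback or 0.0.0.0 is a blackhole; mapped to
    any other address it is a redirect (a fake vendor site, typically).
    'localhost' pointing anywhere but loopback is flagged as well.
    """
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if is_watched(host):
            reason = "blackholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append((line_no, host, str(ip), reason))
        elif host == "localhost" and not ip.is_loopback:
            findings.append((line_no, host, str(ip), "localhost points off-host"))
    return findings


if __name__ == "__main__":
    # Use the live file on Windows when it exists, else the constructed sample.
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS
    for line_no, host, ip, reason in find_hijacks(text):
        print(f"line {line_no}: {host} -> {ip} ({reason})")
```

Run it on the live machine and it reads `%SystemRoot%\System32\drivers\etc\hosts`; elsewhere it falls back to the constructed sample. Note that a hosts file can also be hidden by pointing the registry's `DataBasePath` value somewhere else, so check that the file you audit is the one the resolver actually uses.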
 
Leythos

I gave you good sound advice, good luck.

You've exposed yourself as the PIRATE/THIEF we all have said you are.

The file you claim to have known about, claim to have submitted to
anti-virus sites, the file named "obatssrsghde.exe" was a marker inserted
into Stuart's batch file you stole from him; it is a KEY that proves
you're a thief:

For those that don't know, Stuart inserted the obatssrsghde.exe marker
into his batch file to prove, to the community, that PCBUTTS1 / The Real
Truth MVP is actually a lying thief, and PCBUTTS admitted in his own
post that he created the marker and claimed to know what it was - even
claimed to have submitted the malware to anti-virus vendors, but the
joke was on him, Stuart told everyone in the community about it BEFORE
it appeared in PCBUTTS1 download.... There is no actual file named
obatssrsghde.exe in the malware community, it was a ruse.

The key is in the spelling:

obatssrsghde.exe
pcbuttsthief

If you change (add) 1 character to each letter you will see that
"obatssrsghde" is actually the marker "pcbuttsthief" - proving that
PCBUTTS1 is a thief.

Are there other markers - YES, does PCBUTTS1 know about them - no,
they've been there for a long time, but this is the most obvious one.

Face it Chris/PCBUTTS1/TRT, you've exposed yourself in public.
 
Dave Baker

Update 2

Think I've nailed it. Browsing through the C drive with Ztree I spotted a
dll in the system32 directory called Gremyvk.dll. Firstly it had the read
only, system and hidden attributes set which made me suspicious, the name
immediately made me think of gremlin and it wouldn't let me look inside it.
Googled it but no hits so I popped into the Recovery Console, removed the
read only and other attributes and zapped it anyway. If it was a known
useful dll you'd think there'd have been some hits on Google so I figured it
had to be brand new and potentially nasty.

Result!!! - no more background uploading going on to microsoft-ds, MBAM
updates itself quite happily again, I can get into all the antivirus
websites again with Firefox. Job's a goodun. Funnily enough I can't get into
Bleepingcomputer now to let them know I've fixed it so either they're
coincidentally down at the moment or there's a small legacy of the nasty's
presence still lurking somewhere.

Score another one for the Snark hunter :)
 
FromTheRafters

Dave Baker said:
Update 2

Think I've nailed it. Browsing through the C drive with Ztree I
spotted a dll in the system32 directory called Gremyvk.dll. Firstly it
had the read only, system and hidden attributes set which made me
suspicious, the name immediately made me think of gremlin and it
wouldn't let me look inside it. Googled it but no hits so I popped
into the Recovery Console, removed the read only and other attributes
and zapped it anyway. If it was a known useful dll you'd think there'd
have been some hits on Google so I figured it had to be brand new and
potentially nasty.

Result!!! - no more background uploading going on to microsoft-ds,
MBAM updates itself quite happily again, I can get into all the
antivirus websites again with Firefox. Job's a goodun. Funnily enough
I can't get into Bleepingcomputer now to let them know I've fixed it
so either they're coincidentally down at the moment or there's a small
legacy of the nasty's presence still lurking somewhere.

Score another one for the Snark hunter :)

Did you try Gmer yet? Maybe you have some other hiding things...Gmer can
help.
 
1PW

FromTheRafters said:
Did you try Gmer yet? Maybe you have some other hiding things...Gmer can
help.

....and maybe a follow-up with SAS too. A new one came out today.

Pete
 
Dave Baker

FromTheRafters said:
Did you try Gmer yet? Maybe you have some other hiding things...Gmer can
help.

Gave it a go. It seems to think my entire AOL connectivity system is dodgy
but I can't blame it for that, AOL really is seriously crap these days.
There were a few registry entries pointing to where the dll I deleted had
been so I scrubbed those. Otherwise looks ok.

I do seem to be losing my internet connection a lot now but then it was
pretty flaky to start with since AOL sold out to the Carphone Warehouse. A
reboot usually gets me online again but it's hard to tell if it's me or at
the ISP's end. It had been going down at least once a day for ages,
sometimes for several hours. Now it seems to run for a few hours and then
crash but come back fairly quickly. I'm tempted to think it's just their
crap servers but I may reinstall AOL sometime.

Also System Restore is completely fried. I guess I'm just going to have to
Google to see how to reinstall it but can't be arsed just yet. I've spent
enough time on this bloody thing over the last few days. If the little shits
who keep writing this crap to screw people's PCs up would apply their
obvious intelligence to productive pursuits the world could be a happier
place.
 
Dave Baker

Bah humbug. Noticed a programme slowing down a bit today and just on a hunch
had a look in System32 and the effing thing's back again. Same name,
Gremyvk.dll, but I'm sure the file size has changed. It used to be about
160 KB and now it's over 1 MB. Maybe there's a little downloader still tucked
away somewhere which gets it back when I'm online. Otherwise I certainly
haven't visited any dodgy websites today, just my share dealing and news
sites and a couple of car forums.

It hadn't created any registry entries yet as far as I can see and wasn't
actually doing any uploading like it used to but I've zapped it again and
we'll see what happens. At least I know where to look now.

I've a nasty feeling this thing is morphing to block more and more antivirus
sites because it certainly changed to add Bleepingcomputer.com last time
after I'd posted my issue in there and then later couldn't access it again.
If it's now 6 times the size already god knows what it contains.

Just for now I'm sat online but with no apps running and keeping an eye on
my ADSL meter to see if anything suddenly downloads. I think it's more
likely coming from a specific website though and quite possibly a supposedly
safe one. I might check one site at a time and see if it appears immediately
afterwards until I've pinned it down.

Still no hits for it on Google other than what I'm posting in here but it
can't be long before other people start getting infected.

I think I might create a backup directory for System32 so I have a file
count and a copy of everything currently in there. If I don't add any apps I
should be able to use it as a crosscheck that nothing new has appeared.
 
Dave Baker

Update 3 - and hopefully finally

Damn thing kept coming back as fast as I could delete it, well within a
couple of hours usually anyway so time to get creative. There must be
another file tucked away somewhere that downloads the main Gremyvk.dll one
when it gets deleted. How to find that one now is the task. I decided to try
setting the System32 directory and its sub directories to read-only in case
the downloader wasn't quite smart enough to get round that.

Into My Computer, C drive, System32, right-click, Properties and set it, its
subs and all files to read-only. Two files pop out that won't allow their
attribute to be changed. Haha mischievous little malware author. You've been
a bit too smart for your own good. In the attempt to enmesh things into the
disk structure and make them harder to delete you've given me a spoor to
follow. The hunter's hot on your trail now. In the System32/drivers
directory two little suspiciously named sys files called wqwvbfee.sys and
ywbqjlbb.sys with locked permissions.

No hits for either on Google so into Recovery Console and zap them. Several
hours later now and Gremyvk.dll still isn't back so it's looking good.

A pretty satisfying Snark hunt all things considered. Good fun tracking down
and deleting the nasties, no real damage done, just System Restore left to
fix when I can be bothered. So for the pros out there who might want to add
this one to their antimalware progs it basically seems to be just
Gremyvk.dll in the system32 directory and either or both of those sys files
in the System32/drivers directory plus a few registry entries in
HKLM\SYSTEM\ControlSet001 (plus ControlSet002 and CurrentControlSet)\Services.

I'm not yet sure how the sys files were getting loaded but I'll maybe have
another dig around later. Couldn't find any reference to them in the
registry anyway.
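Two of the tricks in the posts above lend themselves to a script: the earlier idea of keeping a copy of System32 as a crosscheck for anything new, and the read-only trick from Update 3, where files that refuse an attribute change give away the driver protecting them. The following is an added example for this thread, not code posted by anyone in it. It snapshots a directory (size, SHA-256 and, on Windows, the file attributes), diffs two snapshots, and probes every file by setting and restoring the read-only bit. The demo tree, the file names in it and the attribute combination it flags are constructed for the example.

```python
"""Baseline, diff and locked-file probe for a system directory.

Added example for this thread, not code posted by anyone in it. Keeps a
snapshot of a directory to catch newcomers later, and tries to flip the
read-only bit on every file, recording the ones that refuse. The demo tree
and file names are constructed for the example.
"""
import hashlib
import os
import shutil
import stat
import tempfile

# Hidden + System + Read-only together is the combination the poster found on
# Gremyvk.dll. The constants exist on every platform; st_file_attributes only
# on Windows, so elsewhere attrs is 0 and this particular check is inert.
SUSPICIOUS_MASK = (stat.FILE_ATTRIBUTE_HIDDEN
                   | stat.FILE_ATTRIBUTE_SYSTEM
                   | stat.FILE_ATTRIBUTE_READONLY)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> {size, sha256, attrs} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            try:
                digest = sha256_of(full)
            except OSError:
                digest = None  # listed but not openable: worth a closer look
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            baseline[rel] = {"size": st.st_size, "sha256": digest,
                             "attrs": getattr(st, "st_file_attributes", 0)}
    return baseline


def diff(old, new):
    """Compare two snapshots; 'changed' means size or content hash differs."""
    both = set(old) & set(new)
    added = sorted(set(new) - set(old))
    changed = sorted(p for p in both
                     if old[p]["size"] != new[p]["size"]
                     or old[p]["sha256"] != new[p]["sha256"])
    return {
        "added": added,
        "removed": sorted(set(old) - set(new)),
        "changed": changed,
        "unreadable": sorted(p for p in new if new[p]["sha256"] is None),
        # newcomers or modified files carrying the H+S+R combination
        "flagged": sorted(p for p in added + changed
                          if new[p]["attrs"] & SUSPICIOUS_MASK == SUSPICIOUS_MASK),
    }


def probe_readonly(root):
    """Set and immediately restore the read-only bit on every file.

    On Windows os.chmod maps S_IWRITE onto FILE_ATTRIBUTE_READONLY; a file
    that a driver protects raises on the attempt. Returns [(path, error)].
    """
    locked = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                perm = stat.S_IMODE(os.stat(full).st_mode)
                os.chmod(full, perm & ~stat.S_IWRITE)
                os.chmod(full, perm)
            except OSError as exc:
                locked.append((os.path.relpath(full, root).replace(os.sep, "/"),
                               exc.strerror))
    return locked


def demo():
    """Constructed stand-in for System32: baseline, plant a new DLL, grow a
    driver, then diff and probe. Returns (diff_result, locked_files)."""
    root = tempfile.mkdtemp(prefix="sys32_demo_")
    try:
        os.makedirs(os.path.join(root, "drivers"))
        with open(os.path.join(root, "kernel32.dll"), "wb") as fh:
            fh.write(b"\x00" * 1024)
        with open(os.path.join(root, "drivers", "disk.sys"), "wb") as fh:
            fh.write(b"\x01" * 512)
        before = snapshot(root)
        with open(os.path.join(root, "Gremyvk.dll"), "wb") as fh:  # newcomer
            fh.write(b"\x90" * 160 * 1024)
        with open(os.path.join(root, "drivers", "disk.sys"), "ab") as fh:  # grows
            fh.write(b"\xcc" * 64)
        after = snapshot(root)
        return diff(before, after), probe_readonly(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

For real use, `snapshot()` a known-clean System32 once and save the dict (it is plain JSON-serialisable), then diff against a fresh snapshot whenever the machine misbehaves; a file that reappears with a different size, as Gremyvk.dll did, shows up under `changed` or `added` with its new hash. `probe_readonly()` is only meaningful where an administrator can normally change attributes on every file, which is the case on the XP-era system in this thread; on Vista and later, TrustedInstaller ownership makes most of System32 fail the probe on ACLs alone, so compare its output against a run on a clean machine rather than reading the list raw. Neither function can see a file a rootkit hides from directory listings, which is why the Gmer suggestion above still stands.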
 
