Persistent trojan


smlunatick

I am helping someone with a persistent trojan that causes Internet Explorer
(v. 7) to issue a "pop-up" even when the pop-up blocker is active. This "pops
up" another IE window and re-directs his Internet to other sites. I have
successfully cleaned up his XP Home with Spyware Terminator and Spybot but
the infestation returns. I have not noticed any "suspect" activity.

Aside from a re-install, what can I do?
 

Malke

smlunatick said:
I am helping someone with a persistent trojan that causes Internet Explorer
(v. 7) to issue a "pop-up" even when the pop-up blocker is active. This "pops
up" another IE window and re-directs his Internet to other sites. I have
successfully cleaned up his XP Home with Spyware Terminator and Spybot but
the infestation returns. I have not noticed any "suspect" activity.

Aside from a re-install, what can I do?

It is common for current variants of malware to respawn, use rootkits, and
in general be very difficult to remove. At this point your friend (or you)
should get guided help. Choose one of the specialty forums listed below (in
no particular order). Register and read its posting FAQ. You will generally
be asked to:

1. Download and execute HiJack This! (HJT) -
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap - In Notepad.exe; Format --> uncheck; "Word
wrap"

3. Download/run Deckard's System Scanner -
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post at the
forum you chose. DO NOT POST LOGS IN THE MS NEWSGROUPS.

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 - another
tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement and
the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/

Malke
 

smlunatick

It is common for current variants of malware to respawn, use rootkits, and
in general be very difficult to remove. At this point your friend (or you)
should get guided help. Choose one of the specialty forums listed below (in
no particular order). Register and read its posting FAQ. You will generally
be asked to:

1. Download and execute HiJack This! (HJT) -
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap - In Notepad.exe; Format --> uncheck; "Word
wrap"

3. Download/run Deckard's System Scanner -
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post at the
forum you chose. DO NOT POST LOGS IN THE MS NEWSGROUPS.

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 - another
tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement and
the stickies *first*.
http://www.atribune.org/forums/inde...php?f=5
http://forums.techguy.org/54-security/

Malke

I've done this already and the HJT log shows nothing out of the
ordinary.
 

Temujin

On Fri, 2 May 2008 11:17:35 -0400, smlunatick wrote:
I am helping someone with a persistent trojan that causes Internet Explorer
(v. 7) to issue a "pop-up" even when the pop-up blocker is active. This "pops
up" another IE window and re-directs his Internet to other sites. I have
successfully cleaned up his XP Home with Spyware Terminator and Spybot but
the infestation returns. I have not noticed any "suspect" activity.

Aside from a re-install, what can I do?

Rootkit or a buddy-kit trojan?

Manual Crap Handling Guide

My toolkit of choice: download from sysinternals.com
Autoruns + Process Explorer + Process Monitor + Rootkit Revealer

Using Autoruns (check the options menu choices: Verify Code Signatures and
Hide Signed MS Entries) - then refresh - will locate the subject. Or at
least multiple suspects. Some dll and some sys file I presume - when in
doubt google their names (but NOT with IE) - after checking the intel on
them it is the BEST time for DC'ing the net. Launch Process Explorer, find
and SUSPEND all the suspects you can (RMB on the process, context menu) -
do not kill. Yet. When it comes to drivers, sometimes you have to use the
option "Find handle or DLL" to locate which process is using
"malware.sys". Check that all IE instances are closed, locate the suspects'
image paths (both Autoruns and Procexp will show you the path) - like:
C:\WINDOWS\System32\Iamaverycunninglydisguisedpieceofmalware.dll and RENAME
- changing the extension to *.crap for example. You will not be able to
delete them. Yet.
Kill the scum in Process Explorer without unsuspending. If another,
similar process pops up as soon as you kill the suspect there is yet
another buddy process covering their back. Find it, suspend, rinse,
shower, repeat. After all names are changed and all suspects are dead,
delete their startup entries in Autoruns. Reboot and delete the *.crap.

The rootkits/ADSs are extensively more fun to cope with, as the safest way
is by running a scan with Rootkit Revealer, writing them down on an
old-fashioned sheet of paper and then deleting the suspects using a boot CD
similar to UBCD4WIN. On a sad note: the Windows reg Security keys, many
virtual/emulated device drivers and a bunch of security software suites
use rootkit mechanisms in a completely legitimate way themselves.
Again, when in doubt, google.
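As an added illustration of the triage described in the post above (this is example code, not something posted in the thread), the PowerShell script below walks the Run/RunOnce autostart keys and applies the same two Autoruns filters, "Verify Code Signatures" and "Hide Signed MS Entries", then offers a plain-PowerShell equivalent of Process Explorer's "Find handle or DLL" for a DLL path. The registry key list, the "Microsoft Corporation" subject match and the PowerShell 2.0+ requirement are assumptions made here.

```powershell
# Added example, not from the thread: reproduce the Autoruns triage
# (verify code signatures, hide signed Microsoft entries) for the
# Run/RunOnce keys with plain PowerShell (assumes PowerShell 2.0 or later).
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePath([string]$Command) {
    # Reduce a registry command line to the file it launches (strip quotes and arguments).
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) { return $cmd.Split('"')[1] }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|sys|bat|cmd|scr))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $cmd.Split(' ')[0]
}

function Get-SuspectAutoruns {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
            $path = Get-ImagePath ([string]$p.Value)
            if (-not $path -or -not (Test-Path -LiteralPath $path)) {
                New-Object PSObject -Property @{ Key=$key; Name=$p.Name; Image=$path; Status='FileMissing'; Signer='' }
                continue
            }
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            # Hide entries that carry a valid Microsoft signature, as Autoruns does; report the rest.
            if ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation') { continue }
            New-Object PSObject -Property @{ Key=$key; Name=$p.Name; Image=$path; Status=[string]$sig.Status; Signer=$signer }
        }
    }
}

function Find-ProcessLoading([string]$ImagePath) {
    # Which processes have this DLL mapped (Process Explorer's "Find handle or DLL").
    # Reading another process's module list can be denied; treat that as "not loaded here".
    Get-Process | Where-Object {
        try { @($_.Modules | Where-Object { $_.FileName -ieq $ImagePath }).Count -gt 0 } catch { $false }
    } | Select-Object Id, ProcessName
}

Get-SuspectAutoruns | Format-Table Status, Name, Image, Signer -AutoSize
```

Run it from an administrator prompt so the HKLM keys and other users' processes are readable; an entry listed as FileMissing or with an unsigned non-Microsoft image is what the post suggests looking up before touching it.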
 

pcbutts1 [MS MVP]

Use my free Remove-it software, it will remove that malware from your
system. Download it here http://pcbutts1.com/downloads/tools/tools.htm


--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com, David
H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz, Beauregard T.
Shagnasty, Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell




It is common for current variants of malware to respawn, use rootkits, and
in general be very difficult to remove. At this point your friend (or you)
should get guided help. Choose one of the specialty forums listed below (in
no particular order). Register and read its posting FAQ. You will generally
be asked to:

1. Download and execute HiJack This! (HJT) -
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap - In Notepad.exe; Format --> uncheck; "Word
wrap"

3. Download/run Deckard's System Scanner -
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post at the
forum you chose. DO NOT POST LOGS IN THE MS NEWSGROUPS.

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 - another
tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement and
the stickies *first*.
http://www.atribune.org/forums/inde...php?f=5
http://forums.techguy.org/54-security/

Malke

I've done this already and the HJT log shows nothing out of the
ordinary.
 

smlunatick

Never trust downloads from a site that has hosted p0rnographic materials
and is also blocked using the MCP Host file, it's not worth the risk.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
  drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)

As I remembered and feared. I went to check out the site and found no link
on the main web page back to the downloads.
 

Kayman

I am helping someone with a persistent trojan that causes Internet Explorer
(v. 7) to issue a "pop-up" even when the pop-up blocker is active. This "pops
up" another IE window and re-directs his Internet to other sites. I have
successfully cleaned up his XP Home with Spyware Terminator and Spybot but
the infestation returns. I have not noticed any "suspect" activity.

Aside from a re-install, what can I do?

1. CCleaner - Free
Cleans temporary internet files, cookies, history, recent urls, application
MRUs, etc. ...
http://www.filehippo.com/download_ccleaner/
If Windows Defender is utilized go to Applications, under Utilities
uncheck "Windows Defender".

2. Download David H. Lipman's MULTI_AV.EXE from the URL:
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe
http://www.pctipp.ch/downloads/dl/35905.asp
English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/

To use this utility, perform the following...
Execute; Multi_AV.exe {Note: You must use the default folder C:\AV-CLS}
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{or Double-click on 'Start Menu' in C:\AV-CLS}

NOTE: You may have to disable your software FireWall or allow WGET.EXE to
go through your FireWall to allow it to download the needed AV vendor
related files.

C:\AV-CLS\StartMenu.BAT -- {or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in
Normal Mode.
This way all the components can be downloaded from each AV vendor's web
site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and
Reboot the PC.
You can choose to go to each menu item and just download the needed files
or you can download the files and perform a scan in Normal Mode. Once you
have downloaded the files needed for each scanner you want to use, you
should reboot the PC into Safe Mode [F8 key during boot] and re-run the
menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal
Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more
comprehensive PDF help file.
Additional Instructions:
http://pcdid.com/Multi_AV.htm

3. Rootkit Removal applications.
The effectiveness of an individual rootkit removal application is
wide-ranging, and it is recommended to utilize a collection of
detection/removal tools; you are encouraged to try all of them (join
relevant fora for additional support, i.e. interpretation of scan results):

DarkSpy
http://www.antirootkit.com/software/DarkSpy.htm
http://www.antirootkit.com/forums/viewforum.php?f=18

F-Secure BlackLight (Download Trial)
http://www.f-secure.com/blacklight/
http://www.antirootkit.com/forums/viewforum.php?f=13

GMER - is an application that detects and removes rootkits.
http://www.gmer.net/index.php
http://antirootkit.com/forums/index.php?sid=9e746bb696ac0bb38781ffe4361c3a17

IceSword
http://www.antirootkit.com/software/IceSword.htm
http://www.antirootkit.com/forums/index.php

RAIDE
http://www.rootkit.com/project.php?id=33
download:
http://www.rootkit.com/vault/petersilberman/RAIDE_BETA_1.zip
http://www.rootkit.com/boardm.php

Rootkit Revealer
http://www.microsoft.com/technet/sysinternals/Utilities/RootkitRevealer.mspx
http://forum.sysinternals.com/forum_topics.asp?FID=15

RootKit Hook Analyzer
http://www.softpedia.com/get/Security/Security-Related/RootKit-Hook-Analyzer.shtml
http://www.antirootkit.com/forums/viewforum.php?f=17

RootKit Hook Analyzer
http://www.resplendence.com/hookanalyzer
http://www.antirootkit.com/forums/viewforum.php?f=17

RootAlyzer
http://forums.spybot.info/showthread.php?t=24185
http://www.spybotupdates.com/files/rootalyz.zip

Sophos Anti-Rootkit - Free tool for rootkit detection and removal
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
Direct link:
http://www.sophos.com/support/cleaners/sarsfx.exe
http://www.techsupportforum.com/net...irewalls/113585-free-sophos-anti-rootkit.html

System Virginity Verifier
http://www.softpedia.com/get/System/System-Info/System-Virginity-Verifier.shtml
http://www.antirootkit.com/forums/viewforum.php?f=25

System Virginity Verifier
http://www.antirootkit.com/software/System-Virginity-Verifier.htm
http://www.antirootkit.com/forums/viewforum.php?f=25

VICE
http://www.rootkit.com/project.php?id=20
download:
http://www.rootkit.com/vault/fuzen_op/vice.zip
http://www.rootkit.com/boardm.php

"Make sure you always read the current user instructions for your scanning
tools to see what special steps you need to take before, during and after
the clean-up process. Then, after you've found and cleaned a rootkit,
rescan the system once you reboot to double-check that it was fully cleaned
and the malware hasn't returned."

4. Avoiding Rootkit Infection.
"The rules to avoid rootkit infection are for the most part the same as
avoiding any malware infection however there are some special
considerations:
Because rootkits meddle with the operating system itself they *require*
full Administrator rights to install. Hence infection can be avoided by
running Windows from an account with *lesser* privileges" (LUA in XP and
UAC in Vista).

AntiHook
http://www.infoprocess.com.au/AntiHook.php

DiamondCS ProcessGuard
http://www.diamondcs.com.au/processguard/
http://www.diamondcs.com.au/processguard/download.php

5. Educational viewing!
Mark Russinovich - Advanced Malware Cleaning
http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359
 

smlunatick

I am helping someone with a persistent trojan that causes Internet Explorer
(v. 7) to issue a "pop-up" even when the pop-up blocker is active. This "pops
up" another IE window and re-directs his Internet to other sites. I have
successfully cleaned up his XP Home with Spyware Terminator and Spybot but
the infestation returns. I have not noticed any "suspect" activity.

Aside from a re-install, what can I do?


I've narrowed down the trojan and it is the "BitDownload" which does not
get removed with Spybot, Ad-Aware or Spyware Terminator.

How can I remove this "sticky" trojan?
 

Nonny

I've narrowed down the trojan and it is the "BitDownload" which does not
get removed with Spybot, Ad-Aware or Spyware Terminator.

How can I remove this "sticky" trojan?

BitDownload is NOT a trojan.

It is part of the BitTorrent client.

(Google is your friend)

If you don't like having it on your system, you need to uninstall
BitTorrent.
 

smlunatick

BitDownload is NOT a trojan.

It is part of the BitTorrent client.

(Google is your friend)

If you don't like having it on your system, you need to uninstall
BitTorrent.

BitDownload is not in "Add/Remove Programs" and it shows up as a
virus / spyware trojan in AVG and Spybot.
 
