Q for Wiz: Nasty WinLogon Trojan
b0b (Cloverdale, CA, USA), posted 12 Jan 2008 8:52 pm:

Wiz,

I have a Windows XP Home machine here that has acquired a nasty trojan. ZoneAlarm identified it as Trojan-Clicker.Win32.Delf.mg but it couldn't get rid of it.

The trojan has attached itself to a Broadcom driver called ds16gti.dll. References to that DLL in the registry cannot be deleted. The registry indicates that it's being used by Winlogon.exe, and the entry there cannot be deleted either. The file itself cannot be deleted or renamed.

ZoneAlarm tried to set it to be deleted on restart, and failed. HiJackThis also indicates that the DLL is installed as an unnamed BHO.

Ug! I hate Windows! Any ideas?
_________________
-𝕓𝕆𝕓- (admin) - Robert P. Lee - Recordings - Breathe - D6th - Video

Wiz Feinberg (Mid-Michigan, USA), posted 12 Jan 2008 11:50 pm:

I just got home from my gig tonight. I will research this trojan and post as much information about getting rid of it as I can, tomorrow.

In the meantime, download, install and update Spybot Search and Destroy. Reboot into safe mode (tap F8 while rebooting), log in as the Administrator, then run a spyware scan. Chances are good that Spybot will remove this threat. You should also disable System Restore to keep this threat from returning after it is neutralized.

If you have your XP CD handy I recommend that you install the Recovery Console, as it may be needed to delete this file: C:\WINDOWS\system32\dmdlgsc.dll - which cannot be deleted after Windows boots. Me thinks this is either a rootkit, or a protected malware service. I'll learn more tomorrow.

I may want to see your HJT log and might recommend other specialized removal tools for you to download and use. Post all details in this thread.
_________________
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog

Jon Moen (Canada), posted 13 Jan 2008 5:58 am:

I have had files that refused to be deleted etc. The solution was to close explorer.exe from Task Manager. Then delete the file from within a Command Prompt window. Then relaunch explorer.exe from the Run dialog box.

Jon

John Roche (England), posted 13 Jan 2008 6:22 am:

or try this...http://www.trojan-win32-removal.com.removal-instructions.com/removeTrojan.html

b0b (Cloverdale, CA, USA), posted 13 Jan 2008 10:21 am:

Jon Moen wrote:
I have had files that refused to be deleted etc. The solution was to close explorer.exe from Task Manager. Then delete the file from within a Command Prompt window. Then relaunch explorer.exe from the Run dialog box.

Even from the command prompt in safe mode, I get "Access denied".

Jon Moen (Canada), posted 13 Jan 2008 11:39 am:

Maybe this will help:

http://support.microsoft.com/default.aspx?scid=kb;en-us;308421

Earnest Bovine (Los Angeles CA USA), posted 13 Jan 2008 11:50 am:

How about booting from a Live CD of Ubuntu or whatever? Then mount your C drive (probably will happen automatically) and have at it.

b0b (Cloverdale, CA, USA), posted 13 Jan 2008 12:47 pm:

Spybot S&D found a different problem, something called "Alexa related", keyed to C:\WINDOWS\Web\RELATED.HTM. Fixing that didn't solve the problem.

Earnest, your idea is a good one. I'll see if I can find a Ubuntu disk somewhere.

Wiz, here's my HJT log:
Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:01 PM, on 1/13/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\umonit.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {72205DCE-BFBE-4BEB-8C4F-24D6F4196D80} - c:\windows\system32\ds16gti.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E6B87842-56EB-4E4F-B071-502A1E209D30} - C:\WINDOWS\System32\BSelListu.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198041460546
O20 - Winlogon Notify: budjhyrq - C:\WINDOWS\SYSTEM32\ds16gti.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 5357 bytes

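The log above is read by eye in the thread: two O2 BHOs with no name, an O3 toolbar whose file is gone, and an O20 Winlogon Notify entry that points at the same ds16gti.dll as one of the unnamed BHOs. The following is an added Python example, not code from the forum, from HijackThis or from any tool named here, that applies those same triage rules to HijackThis-format lines. The sample lines are copied from the log posted above; the regular expressions and the three rules (unnamed BHO, orphaned toolbar, one DLL registered both as a BHO and as a Winlogon Notify package) are this example's own heuristics.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines in HijackThis v2 log format, copied
# from the log posted in this thread (not read from a live machine).
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {72205DCE-BFBE-4BEB-8C4F-24D6F4196D80} - c:\\windows\\system32\\ds16gti.dll
O2 - BHO: (no name) - {E6B87842-56EB-4E4F-B071-502A1E209D30} - C:\\WINDOWS\\System32\\BSelListu.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\\..\\Run: [ZoneAlarm Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O20 - Winlogon Notify: budjhyrq - C:\\WINDOWS\\SYSTEM32\\ds16gti.dll
"""

# Line shapes for the three HJT sections this example looks at.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def norm_path(path):
    """Windows paths are case-insensitive; HJT prints them in mixed case."""
    return path.strip().strip('"').lower()


def triage(log_text):
    """Return a list of (line_or_path, reason) findings for a HJT log."""
    findings = []
    # normalized DLL path -> set of HJT sections that register it
    loaders = defaultdict(set)

    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            loaders[norm_path(m["path"])].add("O2")
            if m["name"] == "(no name)":
                findings.append((line, "unnamed BHO: legitimate add-ons almost always register a display name"))
            continue
        m = O3_RE.match(line)
        if m and m["path"] == "(no file)":
            findings.append((line, "orphaned toolbar registration: CLSID points at a file that no longer exists"))
            continue
        m = O20_RE.match(line)
        if m:
            loaders[norm_path(m["path"])].add("O20")
            findings.append((line, f"Winlogon Notify package '{m['name']}': loaded by winlogon.exe "
                                   "at boot, which is why the file cannot be deleted from a running session"))

    # Cross-reference: the same DLL hooked into both IE and winlogon.exe.
    for path, sections in loaders.items():
        if {"O2", "O20"} <= sections:
            findings.append((path, "same DLL registered as both a BHO and a Winlogon Notify package: "
                                   "strong persistence indicator"))
    return findings


if __name__ == "__main__":
    for item, reason in triage(SAMPLE_LOG):
        print(f"[!] {reason}\n    {item}")
```

Run as a script it prints five findings for the sample; the last one is the cross-reference hit on ds16gti.dll, which is exactly the entry Wiz singles out in the next post. The O4 line is parsed past deliberately: Run-key entries need a different allowlist and are out of scope here.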

Wiz Feinberg (Mid-Michigan, USA), posted 13 Jan 2008 1:35 pm:

b0b;
Highlight this entry and ask HJT to delete it, from safe mode, then reboot back into safe mode and see if it is gone.

O2 - BHO: (no name) - {72205DCE-BFBE-4BEB-8C4F-24D6F4196D80} - c:\windows\system32\ds16gti.dll

If it is still there you will have to take the fight to DOS. Install the Recovery Console thusly:

Insert your Windows XP CD in the CD tray
Click Start > Run
Type in, or copy and paste this command, assuming the CD is drive D:
D:\i386\winnt32.exe /cmdcons
Press Enter
A box will popup asking you to say yes, etc, to setting up the Recovery Console and check for updates to it. Say Yes/Ok and it will proceed. You will get a box telling you that this was successfully installed.

Go back to the Run box and type this: Regedit and press Enter. The Reg editor will open. Navigate here: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Setup

There are two sub keys there, in the right pane. Edit each one, by double clicking on them, to change them from a value of 0 to 1.

Look farther down the Windows NT\CurrentVersion tree to Winlogon and click on it. Find the key in the right pane labeled Shell and see if its value is anything more than Explorer.exe. If it is more, your desktop has been hijacked.

Reboot the computer and select Recovery Console. Logon to #1.
If you use an admin password, type it when asked for it.
When you get a command prompt, see if you are at C:\System32\. If so, type this: DEL ds16gti.dll and press Enter. The file will be removed.

Reboot into safe mode and scan again with Spybot and your other security programs.

b0b (Cloverdale, CA, USA), posted 14 Jan 2008 9:47 am:

Earnest: I tried the Ubuntu disk, but it doesn't support accessing Windows partitions unless you install an NTFS driver. You can't install anything in a "run from CD" session, because there's no disk space assigned to Linux.

Wiz: The "Recovery Console" method worked! I still have references in the Registry that can't be deleted, but the actual files containing the trojan have been destroyed.

"Recovery Console" - what a scary, high-tech name for what is basically good old COMMAND.COM. I would have never guessed without your instructions. BTW, what do those two registry switches actually do?

Thanks a lot, Wiz! You really got me out of the doghouse at home with this one.

Wiz Feinberg (Mid-Michigan, USA), posted 14 Jan 2008 12:01 pm:

Quote:
Wiz: The "Recovery Console" method worked! I still have references in the Registry that can't be deleted, but the actual files containing the trojan have been destroyed.

b0b;
Try deleting those references in the Registry from a Safe Mode reboot, into the Administrator account. If you are denied access to delete them you may be able to "take possession" of that key, by right-clicking on it and making the Administrator the owner of that key and the elements it contains. After that they should be deletable.

Quote:
BTW, what do those two registry switches actually do?

Those aren't switches, but they do a similar job. The two entries are found under this key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole

The DWords are labeled as follows and have default values of 0 (disabled):

SecurityLevel - Allow or disallow login without password
SetCommand - Allow overriding the default SET commands

Changing these to 1's allows you to login without the Admin password and to change the SET environment to AllowAllPaths and AllowWildCards which is useful in fighting off malware attacks.

The Recovery Console can also be used to disable startup "services," some of which might be malware applications and rootkits. Use Google to search for advanced Recovery Console commands and usage.

Sometimes, when a file or Registry entry cannot be deleted it is because that file/data has a big brother watching over it. You may have to find and disable that service before the dependent files can be deleted for good.

b0b;
I forgot to warn you to disable System Restore! Please do that now. Then scan for threats that may have been "restored" when you rebooted. When you are reasonably certain that the computer is clean you can turn on System Restore again.
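Wiz's two registry checks, the Winlogon Shell value from his earlier post and the two RecoveryConsole DWORDs explained above, can be applied to a text export of the Windows NT\CurrentVersion key (the format `reg export` writes) taken from a safe-mode boot or an offline hive. The following is an added Python example, written for this page and not code from the forum or from Microsoft: it parses that .reg text format, flags a Shell value other than Explorer.exe, lists Winlogon Notify packages whose DllName is not in a small assumed XP baseline, and reports SecurityLevel or SetCommand still set to 1 so they can be put back to their default of 0 once cleanup is finished. The sample export is constructed: the budjhyrq/ds16gti.dll entry mirrors the HJT log in this thread, the extra Shell entry is a placeholder name, and the baseline DLL list is an assumption to be verified against a known-clean machine.

```python
import re

# Constructed sample in "reg export" format. The extra Shell entry is a
# placeholder; the Notify\budjhyrq entry mirrors the O20 line in the HJT log.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, C:\\WINDOWS\\System32\\unknown_extra.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DllName"="wlnotify.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\budjhyrq]
"DllName"="C:\\WINDOWS\\SYSTEM32\\ds16gti.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole]
"SecurityLevel"=dword:00000001
"SetCommand"=dword:00000001
'''

# Constructed clean counterpart: defaults everywhere, no extra Notify packages.
CLEAN_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole]
"SecurityLevel"=dword:00000000
"SetCommand"=dword:00000000
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RECOVERY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole"

# Assumed baseline of Winlogon Notify DLL names shipped with XP; verify it
# against a known-clean machine before relying on it.
KNOWN_NOTIFY_DLLS = {"wlnotify.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll"}


def parse_reg_export(text):
    """Parse the subset of .reg syntax that reg export produces:
    [key] headers, "name"="string" and "name"=dword:hex. Returns {key: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"(?P<name>[^"]+)"=(?P<val>.*)$', line)
        if not m or current is None:
            continue
        name, val = m["name"], m["val"]
        if val.startswith("dword:"):
            keys[current][name] = int(val[len("dword:"):], 16)
        elif val.startswith('"') and val.endswith('"'):
            # reg export escapes backslashes and double quotes inside strings
            keys[current][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = val
    return keys


def audit(keys):
    """Apply the three checks from the thread and return human-readable findings."""
    findings = []
    shell = keys.get(WINLOGON, {}).get("Shell", "")
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is '{shell}' instead of Explorer.exe: desktop shell hijacked")

    prefix = WINLOGON + "\\Notify\\"
    for key, values in keys.items():
        if key.startswith(prefix):
            dll = values.get("DllName", "")
            base = dll.rsplit("\\", 1)[-1].lower()
            if base not in KNOWN_NOTIFY_DLLS:
                findings.append(f"Winlogon Notify package '{key[len(prefix):]}' loads unrecognised DLL {dll}")

    rc = keys.get(RECOVERY, {})
    for name in ("SecurityLevel", "SetCommand"):
        if rc.get(name, 0) == 1:
            findings.append(f"RecoveryConsole\\{name}=1: relaxed Recovery Console setting still "
                            "enabled; reset to 0 once cleanup is done")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg_export(REG_SAMPLE)):
        print("[!]", finding)
    print("clean sample findings:", audit(parse_reg_export(CLEAN_SAMPLE)))
```

The parser deliberately handles only the value types the checks need (strings and DWORDs); a full .reg parser would also cover hex(...) binary and multi-string values. The RecoveryConsole check is the one to keep around after the machine is clean: SecurityLevel=1 is exactly the "log in without the Admin password" setting Wiz describes, so it should not stay enabled longer than the cleanup requires.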

b0b (Cloverdale, CA, USA), posted 14 Jan 2008 12:14 pm:

I always have System Restore disabled. Thanks.

Earnest Bovine (Los Angeles CA USA), posted 14 Jan 2008 12:36 pm:

b0b wrote:
I always have System Restore disabled. Thanks.
What gets disabled when you do that? The automatic creation of restore points?

John Roche (England), posted 14 Jan 2008 2:21 pm:

The Recovery Console and system restore are not the same

b0b (Cloverdale, CA, USA), posted 14 Jan 2008 7:39 pm:

Earnest Bovine wrote:
b0b wrote:
I always have System Restore disabled. Thanks.
What gets disabled when you do that? The automatic creation of restore points?

I don't really know. It just seemed like a "feature" that I shouldn't need, so I don't have it enabled.

Wiz Feinberg (Mid-Michigan, USA), posted 14 Jan 2008 8:02 pm:

Earnest Bovine wrote:
b0b wrote:
I always have System Restore disabled. Thanks.
What gets disabled when you do that? The automatic creation of restore points?

That assumption is correct Earnest. When you turn off System Restore you cannot create or restore any Restore Points, as their files and settings are deleted. Turning it back on allows you to create new restore points and use them, if necessary.

The reason that I and most other security gurus tell our "helpees" to turn off System Restore during spyware/virus removal, is because malware from the System directories is frequently backed up in restore points, probably from the time it entered your computer. If you don't disable it before cleaning malware infections, they will probably reinfect the computer as soon as you reboot.

Don Lanier (Illinois, USA), posted 15 Jan 2008 7:42 pm, subject: System Restore:

I always tell folks to be sure and use the setting that uses the LEAST amount of restore points, you can set that amount in the System restore setup panel.

Wiz, what do you hear about the JAVASCRIPT rootkit that's making the rounds, and what do you think is the best way to prevent these?

And doing a BACKUP externally of your computer to a CD or external Hard Drive can help you recover from damaged files in the event you have to get real hairy with these intruders. Backing up or copying your documents, photos, etc. onto a CD can really help.
_________________
Don Lanier
Pearl Pro Audio
https://www.facebook.com/pages/Pearl-Pro-Audio/122348871157879
https://www.facebook.com/Pearlprocase

Wiz Feinberg (Mid-Michigan, USA), posted 16 Jan 2008 12:40 pm, subject: Re: System Restore:

Don Lanier wrote:

Wiz what do you hear about the JAVASCRIPT rootkit thats making the rounds and what do you think is the best way to prevent these.

Don;
Which JS rootkit are you referring to? There are many in the wild. Some affect the Linux Kernel, which then infects every hosted website on that server, while others only infect individual websites that run vulnerable scripts, but not the entire shared server. Still other JavaScript exploits are run from Storm Trojan infected zombie computers, which are being used to host JavaScript exploit web pages, running on a hidden Nginx server.

Tell me which type you are thinking about and I'll give you more details about it.

You asked, "what is the best way to prevent these JavaScript exploits?" Well, I have just posted an article on my blog, outlining the 10 steps that Windows PC owners can take to protect their computers, particularly from all JavaScript exploits. It should make a good read!

Earnest Bovine (Los Angeles CA USA), posted 9 Nov 2008 12:20 am:

b0b wrote:
Earnest: I tried the Ubuntu disk, but it doesn't support accessing Windows partitions unless you install an NTFS driver. You can't install anything in a "run from CD" session, because there's no disk space assigned to Linux.


FWIW, it works now in Ubuntu 8.10. You can boot from a Live CD, and read/write Windows NTFS partitions, without having to install anything more, or manually mount anything etc.

Jim Peters (St. Louis, Missouri, USA, R.I.P.), posted 9 Nov 2008 4:52 pm:

Bob, where how did you get the trojan? jp
_________________
Carter,PV,Fender

Wiz Feinberg (Mid-Michigan, USA), posted 9 Nov 2008 10:19 pm:

I would like to remind everybody who may be reading this thread and replying to it, in November 2008, that b0b started the topic in January, 2008, almost 10 months ago to the day. This is a dead topic that has somehow been revived. Perhaps, due to the convergence of forces beyond our comprehension, this topic was squirted through a Stargate, back into our Universe, to be discussed again.

b0b (Cloverdale, CA, USA), posted 10 Nov 2008 8:46 am:

I don't remember anything about this issue. I have no long term memory for technical details.