ASCII Doom


Postby bob » 01/22/07, 6:26 am

My apologies then to Doc -- you called it. Thanks for the heads up.

Feel free to speak up anytime you have an issue. Glad to have you around.
WYSIWTF
bob
BIG GIANT HEAD I Get Free Beer

Postby SOD » 01/22/07, 6:51 am

OK, tried to delete on reboot, but the key to the perpetual
ShellExecuteHooks CLSID is that once the DLL is booted
it can write this value back to the key if it notices it's been deleted. This is the keystone to the trojan. It then can rewrite the Winlogon/Notify at boot along with the persistent handler CLSID. Huh, just good Windows programming... lol. This is the real game here, you know :P ..... LOL, I ought to do this for a living...
Will post when I discover how to stop it from loading.
Basically it is a parasite to the ShellExecuteHooks key.

BRB have an idea....
It also wrote the CLSID into the BrowserHelperObjects
those bastards! :lol:
It is better to be here than there - SOD
SOD
BIG GIANT HEAD I Get Free Beer

Postby SOD » 01/22/07, 7:46 am

I found it the hard way. Anyone who downloaded ASCII Doom and installed it can see the offending .dll (and remember it likes to change its name) by using HijackThis and looking for something similar to this:
"Winlogon Notify: vtuts - C:\WINDOWS\SYSTEM32\vtuts.dll"
Since this "game" does install this trojan by default,
you will have an entry there, but there may be legitimate
entries as well, as a lot of DLL names look like gibberish.

Download the following file:
VirtumundoBeGone.exe
From this address:
http://forums.mcafeehelp.com/viewtopic.php?t=57049

It will clear up the problem; worked for me.
If you are handy with regedit, then search for this string: 8E13DDE1-E013-47ec-9C4C-27C2F78BDD26
and delete it; it is an inert artifact that is left over.
It is, however, benign and will not harm anything if it is left in your registry.
I guess I have to say this: Be careful with your registry!
It is better to be here than there - SOD
SOD
BIG GIANT HEAD I Get Free Beer
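The two posts above describe three autostart locations the DLL hooks into: Winlogon\Notify, ShellExecuteHooks and Browser Helper Objects. The script below is an added example, not code from the thread or from any of the tools named in it. It walks those three keys, resolves each CLSID to the DLL registered under HKCR\CLSID\{...}\InProcServer32, and reports whether that file exists and whether it carries a valid Authenticode signature, which is the quickest way to separate the one gibberish-named entry that matters from the legitimate ones. The registry paths are the real ones Explorer and Winlogon read; the function names are this example's own.

```powershell
# Added example: enumerate the three persistence keys discussed in the thread
# and show which DLL each entry loads. Run in an elevated PowerShell on Windows.
# Winlogon\Notify packages are honoured by XP/2003 only; on later versions the
# key is ignored, but an entry there is still a useful indicator.

$locations = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-ClsidDll {
    # Map a {GUID} to the in-process server DLL registered for it, or $null.
    param([string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InProcServer32"
    if (Test-Path $key) {
        return (Get-ItemProperty -Path $key).'(default)'
    }
    return $null
}

function Get-DllVerdict {
    # Existence plus Authenticode status of the DLL path an autostart entry names.
    param([string]$Path)
    if (-not $Path) { return 'no InProcServer32 (dangling CLSID)' }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path $expanded)) { return "file missing: $expanded" }
    $sig = Get-AuthenticodeSignature -FilePath $expanded
    return "$($sig.Status) $expanded"
}

foreach ($loc in $locations) {
    if (-not (Test-Path $loc)) { continue }
    Write-Host "== $loc"
    switch -Wildcard ($loc) {
        '*Winlogon\Notify' {
            # One subkey per notification package; DllName holds the loaded DLL.
            Get-ChildItem $loc | ForEach-Object {
                $dll = (Get-ItemProperty $_.PSPath).DllName
                '{0,-30} {1}' -f $_.PSChildName, (Get-DllVerdict $dll)
            }
        }
        '*ShellExecuteHooks' {
            # Values are named by CLSID; the DLL comes from HKCR.
            (Get-Item $loc).GetValueNames() | Where-Object { $_ -like '{*}' } | ForEach-Object {
                '{0} {1}' -f $_, (Get-DllVerdict (Resolve-ClsidDll $_))
            }
        }
        '*Browser Helper Objects' {
            # Subkeys are CLSIDs; same resolution through HKCR.
            Get-ChildItem $loc | ForEach-Object {
                '{0} {1}' -f $_.PSChildName, (Get-DllVerdict (Resolve-ClsidDll $_.PSChildName))
            }
        }
    }
}
```

An entry whose DLL is NotSigned, sits in System32 under a random-looking name, and is registered under more than one of these keys is the kind of thing the posts above are describing. The script only enumerates; as SOD notes, the loaded DLL will write its value back if you delete it from a live system, so removal has to happen while the DLL is not loaded.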

Postby bob » 01/22/07, 4:28 pm

I posted a warning review at softpedia.... Thanks for your fine work Doc and Sod...
WYSIWTF
bob
BIG GIANT HEAD I Get Free Beer

Postby DocJon » 01/22/07, 7:38 pm

AVG let me down, too. If it weren't for WinPatrol, and my realizing that there was no reason for ASCII Doom to be installing a startup program, I'd be infected and oblivious. The 'hundreds of other complaints' that we were expecting never came, which means hundreds of others did not protect themselves.

Winpatrol (has a freeware version)
http://www.winpatrol.com/

Spybot-Search & Destroy (donation asked, not required)
http://www.safer-networking.org/en/spybotsd/index.html

Spybot S&D's TeaTimer function is also likely to have helped in this situation. I recommend that anyone reading this who does NOT have one of these programs download one immediately. With these tools, you'll know when something tries to add itself to your startup, and when something is mucking about in your registry. Otherwise, a LOT can be happening behind the scenes that you'll never know about.
DocJon
Member *
 
Posts: 7
Joined: 01/20/07, 11:42 am

Postby SOD » 01/22/07, 9:08 pm

AVG did not let you down. This is not a virus by nature.
Your OS just looked at it as an application extension.
In fact it was just good Windows programming. It was well written, attaching itself to the shell service. That's what owned and controlled the trojan .dll. Removing it was a matter of shutting down the shell service.

It was also not in your startup as such, but was started at boot by the shell service and before startup items were booted. My sound starts at the same time.

Heh, they put security into XP but leave this obvious and rather simple method exposed. If you are looking for someone to blame, look towards Redmond. What's worse
is that it goes unprotected. BTW HijackThis finds stuff like this nicely. Cheers...
It is better to be here than there - SOD
SOD
BIG GIANT HEAD I Get Free Beer

Postby Oxides » 01/26/07, 10:54 am

I got hit by this thing too. It was just luck I pulled up Sysinternals Filemon and noticed a weird DLL that kept accessing the hard drive. For me it stuck winfixer in the system32 directory and mfcvc.dll in windows/java. I didn't know what they were, so I had to remove them manually (boot CD recovery command prompt to delete the files).

This thing has probably infected every person who has downloaded that file. I think he should put a warning on the front page so people know, because very little seems to detect it.
Oxides
Member
 
Posts: 2
Joined: 01/26/07, 10:49 am

Postby SOD » 01/27/07, 12:01 am

Did you also take care of the reg entries?
It is better to be here than there - SOD
SOD
BIG GIANT HEAD I Get Free Beer

Postby Mon1018 » 07/12/08, 1:31 pm

Excellent information. Many thanks!
Very informative indeed! :D
Mon1018
Member
 
Posts: 3
Joined: 07/12/08, 1:25 pm

Postby paolari » 06/03/09, 11:37 am

There is a trojan that keeps redirecting my page to a different site. I recently had a virus on my computer and I got rid of most of it. The only thing that is left now is a trojan that keeps redirecting my Google pages to different sites. Please, can anyone tell me how to get rid of this trojan? Even with the AVG that I downloaded, it still doesn't find the trojan, and my computer is running really slow. Thanks.
paolari
Member
 
Posts: 1
Joined: 05/31/09, 5:23 am

Postby bob » 06/03/09, 6:33 pm

Paolari, you must have Gumblar:

http://www.infoworld.com/d/security-cen ... -worse-965

The standard AV programs are having a hard time with it because of its complexity.
WYSIWTF
bob
BIG GIANT HEAD I Get Free Beer

Postby JohnT » 06/04/09, 7:22 am

Something I use (free version) to detect all installation processes:
http://www.tallemu.com/free-firewall-pr ... tware.html

Then if I let something slip by, Revo Uninstaller does an effective job of removing it. Does some pretty deep cleaning.
http://www.revouninstaller.com/
"A man may be a fool and not know it, but not if he is married."
JohnT
BIG GIANT HEAD I Get Free Beer

Postby bob » 06/05/09, 3:20 am

Added your firewall to the list, John. Thanks.
WYSIWTF
bob
BIG GIANT HEAD I Get Free Beer

Postby JohnT » 06/06/09, 1:14 am

You're welcome. Would have called attention to it sooner if I had thought about it. :lol:
"A man may be a fool and not know it, but not if he is married."
JohnT
BIG GIANT HEAD I Get Free Beer
