Guidelines for Helpers and Advanced users

Hijacker using random named dll's, usually posing as part of another popular program:

SafeGuard aka Veevo

Log examples:

O2 - BHO: Core Library - {F281FFC7-6C63-4bf9-83F2-AB7A6157B109} - C:\WINDOWS\System32\KDP0d92.dll
O4 - HKLM\..\Run: [Kazaa Download Accelerator Updater (required)] regsvr32 /s C:\WINDOWS\System32\KDP0d92.dll

O2 - BHO: (no name) - {6E1C5E3D-A8E6-4a92-820F-BFCFE45BA158} - C:\WINDOWS\System32\veev2506.dll
O4 - HKLM\..\Run: [Popup Blocker Updater] regsvr32 /s C:\WINDOWS\System32\veev2506.dll

CLSID's in use and the corresponding filenames are:

{564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} sfg_****.dll
{6CDF3C49-20E6-48d7-811B-9F5DD17F1D90} sfg****.dll, veev****.dll (* = random char)
{6E1C5E3D-A8E6-4a92-820F-BFCFE45BA158} veev****.dll (* = random char)
{6E34D984-4054-45E3-8452-0159A2F0D232} Veevo.dll
{83B3E0C1-DEF1-4df5-A3F5-92D10B7A396A} sfg****.dll (*=random char)
{A23AB93D-6CFF-442c-BB8A-41F6145F47E7} PDF****.dll (* = random char)
{A44B961C-8C36-470f-8555-EDA0EFC1E710} popupblocker.dll, popupDefence.dll
{B824E7B0-E8E3-4D75-895E-2C309EA4CC5D} Sgpopupblocker.dll
{D4D505DF-D582-400c-91B6-84921012AFE3} pdfupd.dll / PDF****.dll
{E9C1FD9A-46B0-4185-84ED-E2F8ACD4A262} kdp****.dll (* = random char)
{F281FFC7-6C63-4bf9-83F2-AB7A6157B109} kdpupd.dll, kdp****.dll (* = random char)

 

Using random filenames it downloads and installs

SaveNow

Log examples:

O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\nftvqvk.exe

O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\wgsstip.exe

Fix the Startup entries, delete the files and check under Add/Remove Programs for the presence of Save aka SaveNow aka WhenUSave and uninstall it.

 

Another downloader for adware using random filenames contacting these domains:
newupdates.lzio.com
updates.lzio.com

TROJ_VIVIA.A

Log examples:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://newupdates.lzio.com/augnew_1.htm...1086746781
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\System32\dhxpgpk.exe

O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\System32\nmryaph.exe

 

A BHO in the Windows directory that uses random CLSID's but a fixed filename (lbbho.dll).

RelatedLinks

Log examples:

O2 - BHO: LBBHO - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll

O2 - BHO: C:\WINDOWS\lbbho.dll - {7FEFE602-B07B-42B7-BDB9-E321342F999B} - C:\WINDOWS\lbbho.dll

Removal instructions and write-up by Kephyr

 

Using a randomly named .dat file as a BHO, this adware logs keystrokes and displays advertising messages periodically.

VirtuMonde aka Troj/AgentSpy

Known CLSID's that are used with this BHO:

{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}
{18722863-6D1D-4300-BF29-406948EDA7CB}
{2316230A-C89C-4BCC-95C2-66659AC7A775}
{2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0}
{30279F2D-1A38-4785-97D4-5C3508BDB289}
{3EC8E271-FAB9-418a-8A8E-65AEB4029E64}
{446CF8A5-617E-4D91-95AE-AE78CE0D06AF}
{44E5B409-35A2-4E8D-BF94-344222323A53}
{55E301E5-BA44-4095-BB0B-14E0123CCF71}
{60112085-E1CE-4e0e-823A-EBB1AD98804C}
{68132581-10F2-416E-B188-4E648075325A }
{6A06CDAD-9D2D-42A0-9C91-C0CF7CB9971B}
{72AC6865-B1D3-4C32-A27B-4B3BF04DE655}
{73529697-D46A-4F7D-8A93-01378FCAEDA4}
{77849D67-5672-4B68-93E2-CCEFF1E3949E}
{8109AF33-6949-4833-8881-43DCC232B7B2}
{870B70D4-F6DA-47AE-9158-D146440A0A4D}
{98BC949B-3D81-4750-836F-4BC57BD032EE}
{BB54DE33-E539-4749-BFAC-CC49617E8F2A}
{BF755B85-EA69-4F58-9A59-D85F384A15FF}
{C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B}
{D487068E-9B04-4FE5-8A83-08344F800BF5}
{D6964FD8-3AF1-4A2A-ABB7-3D0C62924FD6}
{DF57FEB6-9BCE-45E3-AA65-BE327B8CCE7F}
{ED5ABC42-8E4F-4C39-9972-F0CF619D672F}
{F32F8ECD-6CF3-459D-82F2-9738392C85A8}
{FD8609EC-7D7C-4778-AB8F-0053245550EF}
{FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E}

Log examples:

O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\[username]\LOCALS~1\Temp\4dpUswodniW.dat
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\WINDOWS\TEMP\YEKCBDO.DAT

O4 - HKLM\..\Run: [WindowsUpd] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [WindowsUpd4] C:\WINDOWS\WindowsUpd4.exe

( Example of O4's with * but without rerun or ren at end of file name.)
O4 - HKLM\..\Run: [*JAVAAD] C:\WINDOWS\APPPATCH\JAVAAD\JAVAAD.EXE
O4 - HKLM\..\Run: [*VSSIP] C:\WINDOWS\WEB\VSSIP.EXE

( Examples of O4's with * and rerun or ren at end of file name.)
O4 - HKLM\..\RunOnce: [*IISINFO] C:\WINDOWS\APPPATCH\IISINFO.EXE rerun
O4 - HKLM\..\RunOnce: [*VSSIP] C:\WINDOWS\WEB\VSSIP.EXE rerun
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\SYSTEM\MUI\040B\WMSCOM.EXE ren
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\HELP\NUTHARD.EXE ren
The files with rerun or ren at the end of the file name should also be found in running processes, you should find one of each.
( If they are in the same subfolder you may only find one in running processes.)

Connections found in firewall log.
virtumonde.com [209.123.150.14]
updates.virtumonde.com [208.48.15.13] or [208.48.15.11]
scripts.affiliatefuture.com [80.253.103.154]

Additional methods of infection and removal are described here:
http://securityresponse.symantec.com/avcenter/venc/data/pf/adware.virtumonde.html
http://www.pestpatrol.com/pestinfo/v/virtumonde.asp
http://www.giantcompany.com/antispyware/research/spyware/spyware-VirtuMonde.aspx
http://www.kephyr.com/spywarescanner/library/virtumonde/index.phtml
http://www.sophos.com/virusinfo/analyses/trojagentspyb.html
http://vil.nai.com/vil/content/v_127690.htm

http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.html <= with a link to a removal tool

Special credits to Trpm

 

Using a randomly named dll, it Registers itself as a Browser Helper Object, connects to a preset remote server, downloads and executes other files from there.

Troj/Dloader-NL

Log examples:

O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - C:\WINDOWS\System32\kuzok.dll

O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - C:\WINNT\system32\aouox.dll

O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - C:\WINDOWS\SYSTEM\hadicuie.dll

The CLSID is a constant.

For more information:
http://www.sophos.com/virusinfo/analyses/trojdloadernl.html

 

A hijacker that tries to install itself as the default browser, using random filenames.

Adware.Inetex

Description and removal instructions:
http://sarc.com/avcenter/venc/data/pf/adware.inetex.html

Also using randomly named BHO's

Log example:

O2 - BHO: WSearch - {4EB644C7-A12A-409A-8304-DC16E87D48C2} - C:\Program Files\WebSearch\Util\84IQEVLF.dll

 

Adware using random filenames for BHO's and executables.

AdBlaster

HijackThis log examples:

OLD versions

O2 - BHO: (no name) - {2D7CB618-CC1C-4126-A7E3-F5B12D3BCF71} - c:\windows\ngpw34.dll

O2 - BHO: (no name) - {E9147A0A-A866-4214-B47C-DA821891240F} - C:\WINDOWS\NGSW31.DLL

New version

O2 - BHO: ngsh33.clsIS - {941CA48C-3984-4E7D-AAF8-8755ED76EB50} - C:\WINDOWS\system32\43152.dll

and a running process called adprot.exe

Removal:

- Stop adprot.exe as a running process
- Have HijackThis fix the line with the BHO (called ngsh33.clsIS) with al IE windows closed.
- Find and delete *****.dll and *****.exe after a reboot. * are numbers that are the same for the dll and the exe.

 

A hijacker that modifies the hosts file and adds favorites, a BHO and a Toolbar.

The Simple Toolbar aka TROJ_FAVADD.C

It will show up in a log looking like:

O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10020} - C:\WINDOWS\system32\3kuubuqrhi.dll

O3 - Toolbar: The Simple Toolbar Search - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB} - C:\WINDOWS\system32\gm2v6xjqnl.dll

The CLSID's are fixed, the filenames are random.

For more information:
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=TROJ_FAVADD.C

 

A trojan using a random CLSID and a partly random filename as a BHO.

Trojan.Eman

Trojan.Eman is a Browser Helper Object which attempts to download and execute arbitrary code from a predetermined website.
The filename consist of msxxx.dll where xxx are three random lower case letters.

It can be recognized because it adds the value:
"emandislc"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer

logexample:
O2 - BHO: Name - {9CCA572C-7BBF-4D12-B5BF-F6AA6EE098A9} - C:\WINNT\system32\msfxj.dll
O2 - BHO: Name - {5161DDA0-7CEA-11D9-9548-A0B659C1414A} - C:\WINDOWS\SYSTEM\MSDXI.DLL

More information and removal instructions

 

A Startpage trojan which registers as a COM object and a Browser Helper Object (BHO) under a random clsid.

Trojan.Win32.StartPage.xb aka Troj/StartPa-FR

When the Trojan is installed it creates the file <Windows system folder>\spqap.dll. which is registered as a COM object and a Browser Helper Object (BHO) for Microsoft Internet Explorer is registered under a random clsid.

However, reference to the random clsid can be found at
HKLM\SOFTWARE\Microsoft\Internet Explorer\cslnam

Where corresponding clsid can be found in:
HKCR\CLSID\{clsid}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{clsid}

Write-up by Sophos

 

Using a few CLSID's, foldernames and filenames, displays advertisements on the infected computer.

MSEvents aka Trojan Vundo.B

Log examples:

O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll

O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\ServicePackFiles\fontsrv.dll

Symantec offers a removal tool:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.b.removal.tool.html

Attached to this post find a regfile (I stole from dvk01) to remove some more registry entries.