Trojan horse downloaded small 18.T

My new laptop was struck by a virus infection or whatever it was; it changed my default homepage and so on. Don't ask me how.

The following things appeared from nowhere:
megaporn (a shortcut to some sites)

I managed to download AVG Free Edition but couldn't update it. Anyway, I managed to run the scan and it found the following.

125777.exe, Trojan.horse.dialer
cmd32.exe, Trojan.horse.downloader.small.15.H
Trojan.horse.downloaded.8R
sysupd.dll, Trojan.horse.downloader.18.T

I couldn't delete the virus files: before you could complete the deletion, a "DDE Server Window" interrupted and issued a Windows restart.

I couldn't update AVG. It seems I was suffering from a blended attack, where spyware was intercepting my path to the AVG database. I used CWShredder (downloaded software) and tried my luck. It seems it could only get rid of one malicious web thingy; not sure of the name. After that, I was able to update AVG.
The biggest trouble is sysupd.dll (also known as desktop search), which is located in the windows32 folder. Deleting it brings a Windows Setup window back, and if you try "End Program" on it, the system reboots.
1. HKEY_CLASSES_ROOT\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}\InprocServer32 (REG_SZ)
{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} --> IE Update Class
2. HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\SEARCH ASSISTANT\ACMru\5603\ --> I must delete ALL of these

I traced the default web page to http://burningsearch.com.
The biggest culprits now are the following two files:
desktop.exe - desktop search
ffisearch.exe - ffis

After restarting in safe mode, msconfig.exe shows these malicious files.

However, after disabling them and restarting (which is necessary for the changes to take effect), msconfig.exe shows that they have been started again. This shows that msconfig.exe dare not disable them, probably because the file names resemble other important files, such as:
desktop.ini
cmd32.exe is actually the Control Panel program.
There must be some glitch in msconfig's algorithm where, if it detects "desktop", no disabling happens.
If I don't disable it from msconfig, then I can't delete the entry from regedit, because msconfig is locking it. The only way out is for msconfig.exe to accept the decision to disable them.
"ffis" is probably another reserved keyword for msconfig.exe.
Perhaps we need to disable System Restore.

Not really. I can't delete desktop.exe and ffisearch.exe because sysupd.dll is still present in the
"windows/systems" folder. Most likely desktop.exe and ffisearch.exe dynamically link to sysupd.dll. I think sysupd.dll is just something to irritate you; the main programs are desktop.exe and ffisearch.exe, which link to sysupd.dll. Since sysupd.dll is present in the windows/systems folder, force-deleting it would corrupt XP.

I don't think AVG Free Edition can deal with the registry; it can only solve file-level problems, not the infection itself. Not sure about the Enterprise edition. AVG Free, being free, works best as a security guard and not a doctor.

I tried to figure out the possible source. It could be any of the following, all of which had been added as trusted sites in my IE settings:
67.19.185.246
*.blazefind.com
*.clickspring.net
*.mt-download.com
*.my-internet.info
*.searchbarcash.com
*.searchmiracle.com
*.Skoobidoo.com
*.slotch.com
*.windupdates.com
*.xxxtoolbar.com
*.ysbweb.com
It seems that even though I had deleted all the registry entries for sysupd.dll, I still couldn't manage to delete the physical file from the folder.
It seems that rebooting in diagnostic mode via the configuration in msconfig.exe doesn't mean you will reboot into safe mode. To really reboot into "Safe Mode", press F8 repeatedly during PC boot-up until a menu is shown, then select Safe Mode.

Once I was really in "Safe Mode", I could really disable the desktop.exe and ffisearch.exe activity stubs from the listing. It seems the registry entries for desktop.exe and ffisearch.exe had been shifted to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Startupreg\Desktop Search\.

Thus, once I proceeded to delete all the relevant illegal entries from it, I could really delete the physical files from the drive.

Conclusion:
1. Use AVG Free as a security guard.
2. Add the URLs of known-bad sites to the Restricted sites zone in the IE settings.
3. Reboot into safe mode.
4. Run msconfig.exe, go to Startup and look for malicious code stubs (the checked ones!). WinXP doesn't recognize them as default stubs and doesn't know whether to disable them or not; it is waiting for your call.
5. Identify these malicious stubs and delete all the relevant entries from the registry.
6. Delete the physical files from the relevant drive location. (Make sure you delete the registry entries first.)
p/s: AVG Free Edition can't help you clean the body once you have been infected; it can only be a security guard/bouncer. You need to hire an IT executive to do the cleaning. Before he or she does anything, please refer to my blog.
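Two of the checks in this post lend themselves to an offline script: the list of sites that had been quietly added to the Trusted sites zone, and the startup stubs (Run entries, and the MSConfig\Startupreg key msconfig moves unchecked items to). The following is an added example, not the author's own method or any tool the post mentions. It parses a regedit export (File > Export in regedit) so the check can be done on a copy of the registry rather than on the live, locked machine, reports which hosts sit in the Trusted (2) and Restricted (4) zones, flags trusted hosts that match the post's domain list, and flags Run/Startupreg entries whose program is one of the executables the post names. The export embedded below is constructed for the example: the ZoneMap, Run and Startupreg key layout is the standard Windows XP one, but the values are made up. It goes slightly beyond the post by also handling the ZoneMap\Ranges form that IE uses for bare IP addresses and the Domains\example.com\sub layout for subdomains. Real exports are UTF-16LE with a BOM, so read them with open(path, encoding='utf-16') before calling parse_reg.

```python
import re
from pathlib import PureWindowsPath
# Constructed regedit export (not from any real machine). The key layout is Windows XP's
# standard one; host and file names are those the post names; the values are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com]
"*"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com]
"*"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\update]
"http"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="67.19.185.246"
"*"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop Search"="C:\\WINDOWS\\system32\\desktop.exe"
"ffis"="C:\\WINDOWS\\system32\\ffisearch.exe"
"SoundMan"="SOUNDMAN.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Startupreg\Desktop Search]
"command"="C:\\WINDOWS\\system32\\desktop.exe"
'''
# From the post: hosts it found in the Trusted sites zone, and the startup stubs it names.
WATCH_DOMAINS = ['67.19.185.246', '*.blazefind.com', '*.clickspring.net', '*.mt-download.com',
                 '*.my-internet.info', '*.searchbarcash.com', '*.searchmiracle.com', '*.skoobidoo.com',
                 '*.slotch.com', '*.windupdates.com', '*.xxxtoolbar.com', '*.ysbweb.com']
WATCH_FILES = {'desktop.exe', 'ffisearch.exe', 'cmd32.exe', '125777.exe'}
TRUSTED, RESTRICTED = 2, 4   # IE zone ids: 0 My Computer, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def parse_reg(text):
    """{key_path: {value_name: value}}; strings and DWORDs are decoded, other types kept as raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line.rstrip())
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line.rstrip())
        if m and current is not None:      # hex(...) continuation lines match nothing and are skipped
            name, raw = ('@' if m.group(1) is None else m.group(1)), m.group(2)
            if raw.startswith('dword:'):
                keys[current][name] = int(raw[6:], 16)
            elif len(raw) > 1 and raw[0] == raw[-1] == '"':
                keys[current][name] = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                keys[current][name] = raw
    return keys

def zone_assignments(reg):
    """(host, protocol, zone) per ZoneMap entry: Domains\\a.com\\www is www.a.com, Ranges use ':Range'."""
    out, marker = [], '\\internet settings\\zonemap\\'
    for path, values in reg.items():
        idx = path.lower().find(marker)
        if idx < 0:
            continue
        parts = path[idx + len(marker):].split('\\')
        if parts[0].lower() == 'domains' and len(parts) > 1:
            out += [('.'.join(reversed(parts[1:])), p, z) for p, z in values.items()]
        elif parts[0].lower() == 'ranges' and ':Range' in values:
            out += [(values[':Range'], p, z) for p, z in values.items() if p != ':Range']
    return out

def hosts_in_zone(reg, zone):
    return sorted({h for h, _, z in zone_assignments(reg) if z == zone})

def host_matches(host, pattern):
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith('*.'):   # '*.blazefind.com' also covers the bare blazefind.com
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern

def suspicious_trusted(reg, watchlist=WATCH_DOMAINS):
    """Watch-listed hosts that something has placed in the Trusted sites zone."""
    return [h for h in hosts_in_zone(reg, TRUSTED) if any(host_matches(h, p) for p in watchlist)]

def startup_entries(reg):
    """(state, name, command) from Run/RunOnce plus MSConfig\\Startupreg, where msconfig parks unchecked items."""
    out = []
    for path, values in reg.items():
        low = path.lower()
        if low.endswith('\\currentversion\\run') or low.endswith('\\currentversion\\runonce'):
            out += [('enabled', n, c) for n, c in values.items() if isinstance(c, str)]
        elif '\\msconfig\\startupreg\\' in low and isinstance(values.get('command'), str):
            out.append(('disabled-by-msconfig', path.rsplit('\\', 1)[1], values['command']))
    return out

def exe_name(command):
    cmd = command.strip()             # base name of the program, handling quoted paths
    prog = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(' ', 1)[0]
    return PureWindowsPath(prog).name.lower()

def suspicious_startup(reg, watch_files=WATCH_FILES):
    """(state, exe) pairs for startup entries that launch a watch-listed executable."""
    return sorted({(s, exe_name(c)) for s, _, c in startup_entries(reg) if exe_name(c) in watch_files})

if __name__ == '__main__':
    reg = parse_reg(SAMPLE_REG)
    print(hosts_in_zone(reg, RESTRICTED), suspicious_trusted(reg), suspicious_startup(reg))
```

On the constructed export this reports searchmiracle.com as already restricted, 67.19.185.246 and blazefind.com as watch-listed hosts sitting in the Trusted zone, and desktop.exe (both the live Run value and the copy msconfig parked under Startupreg) plus ffisearch.exe as watch-listed startup stubs. The point of the Startupreg branch is the one the post discovered the hard way: unchecking an item in msconfig does not remove it, it relocates it, so an audit that only looks at Run will miss entries that are one checkbox away from being re-enabled.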

Comments

Brandon Teoh said…
It seems that, after having AVG set up as a security guard for my Internet connection, my laptop couldn't be affected anymore, because every time AVG detects a trojan file, it is promptly deleted.

This means that a trojan horse file, even though it is an exe, doesn't require manual execution. That is why they call it a trojan horse downloader or dropper... it drops and then starts to execute by itself.

Thus, it is very important that, in order to guard against trojan trouble, a detector has to be set up at the front line.
Brandon Teoh said…
http://securityresponse.symantec.com/avcenter/venc/data/trojan.dropper.html
Anonymous said…
Yo, you have a Terrific blog here! Lots of content means more readers, more readers means more interaction!
I'm definitely going to bookmark you!
I have a window xp media site/blog. It pretty much covers window xp media related stuff.
Come take a Look when you get a chance. :-)
Anonymous said…
best regards, nice info » »