EasySearch PremiumSearch

November 11, 2006 on 4:17 pm | In Malware analysis | 1 Comment

Originally posted Apr 25 2005, 09:19 PM

Found at GeeksToGo: a file called bootpd.exe.
Identified by Kaspersky as:
bootpd.exe – infected by Trojan.Win32.StartPage.vk

The file has the hidden and system attributes set.
Once run, it duplicates itself in memory (two instances running, probably each guarding the other).

Nothing much happened until I tried to kill one process.

These lines were added to my HijackThis log:

O1 – Hosts: 66.180.173.39 www.google.ae
and a lot more of those; I will add the complete hosts file at the end.

O2 – BHO: (no name) – {5483427F-93B8-1470-5A89-E6B56484CDB2} – C:\DOCUME~1\Pieter\LOCALS~1\Temp\ngtmbihanct.dll
ngtmbihanct.dll – infected by Trojan.Win32.StartPage.vk

O4 – HKLM\..\Run: [bootpd.exe] C:\WINDOWS\system32\bootpd.exe

The randomly named DLL, which has a fixed CLSID, also has the hidden and system attributes set.

Connections were attempted to the following IPs:
62.129.131.34
69.25.75.72
66.180.173.39

Under Add/Remove Software an entry named EasySearch was added, with the uninstall string “bootpd.exe –uninstall”.

These files were added:
C:\Documents and Settings\Pieter\Local Settings\Temp\hwjifulqzwb.html – the start page, called PremiumSearch
C:\WINDOWS\0.log
the folder C:\Program Files\Google
and C:\Windows\System32\drivers\etc\hosts was rewritten so that every search-engine hostname it lists resolves to 66.180.173.39, looking like this:
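The rewritten hosts file above is the whole hijack: hundreds of search-engine hostnames fanning in to one address. As an added example (not part of the original post or the forum fix), the Python below parses a hosts file and flags any non-loopback address that claims a well-known search domain or an unusually large number of hostnames. The sample hosts content is constructed; 66.180.173.39 is the address quoted in the post, and the hostname labels in WATCHED_LABELS are my choice.

```python
import ipaddress
from collections import defaultdict
# Constructed sample, not the real infected file: a clean header, the hijack
# pattern the post describes (many search hostnames, some several per line,
# all mapped to 66.180.173.39) and one benign local entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
66.180.173.39  www.google.com
66.180.173.39  google.co.uk
66.180.173.39  search.yahoo.com
66.180.173.39  search.msn.com search.msn.co.uk uk.search.msn.com
66.180.173.39  www.alexa.com alexa.com
192.168.1.10    intranet.example   # local entry, fine on its own
"""

# Second-level labels of the search engines the post shows being redirected.
WATCHED_LABELS = {"google", "yahoo", "msn"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs; one line may map several names to an IP."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            ip, *names = line.split()
            for name in names:
                yield ip, name.lower()

def is_watched(hostname):
    """True if any label other than the TLD is a watched search-engine name."""
    return any(label in WATCHED_LABELS for label in hostname.split(".")[:-1])

def find_hijacks(text, min_names=5):
    """Map each suspicious non-loopback IP to the sorted hostnames it claims:
    suspicious means it claims a watched search domain or gathers at least
    min_names hostnames, the fan-in typical of a hosts-file hijack."""
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        try:
            if ipaddress.ip_address(ip).is_loopback:
                continue
        except ValueError:
            continue                            # skip malformed lines
        by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()
            if len(names) >= min_names or any(is_watched(n) for n in names)}

if __name__ == "__main__":
    for ip, names in find_hijacks(SAMPLE_HOSTS).items():
        print(f"{ip} claims {len(names)} hostnames, e.g. {', '.join(names[:3])}")
```

Point it at a real C:\Windows\System32\drivers\etc\hosts and a single address holding dozens of search-engine names stands out immediately, while a legitimate ad-blocking hosts list is distinguishable by its use of 127.0.0.1 or 0.0.0.0.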

1 Comment »

  1. Originally posted May 29 2005, 09:48 AM

    The fix (still being tested, but it should work at least for XP)

    Showing up in HijackThis log with lines like these:

    O1 – Hosts: 66.180.173.39 http://www.google.tm (lots of these)

    O2 – BHO: (no name) – {5483427F-93B8-1470-5A89-E6B56484CDB2} – C:\DOCUME~1\Pieter\LOCALS~1\Temp\gjuhmzuhyzm.dll (random filename)

    O4 – HKLM\..\Run: [scrsvc] C:\WINDOWS\system32\scrsvc.exe
    O4 – HKLM\..\Run: [bootpd.exe] C:\WINDOWS\system32\bootpd.exe

    Proposed fix:

    Step 1
    CODE

    [b]*IMPORTANT*[/b] Be sure you know how to [url=http://www.xtra.co.nz/help/0,,4155-1916458,00.html]VIEW HIDDEN FILES[/url]
    Download and unzip http://metallica.geekstogo.com/MADEbyOSC.zip
    Run the file by double-clicking metallica.bat
    and post the log.
    Do not reboot until someone has looked at your log and given you the next step.
    If you have to reboot, repeat this part when you are back online.

    ************************************
    **These are the hidden files found**
    ************************************
    De volumenaam van station C is BOOT
    Het volumenummer is 88CF-B644

    Map van C:\DOCUME~1\Pieter\LOCALS~1\Temp

    27-05-2005 22:33 50.688 gjuhmzuhyzm.dll
    1 bestand(en) 50.688 bytes
    0 map(pen) 27.520.708.608 bytes beschikbaar
    ************************************
    **These are the system files found**
    ************************************
    De volumenaam van station C is BOOT
    Het volumenummer is 88CF-B644

    Map van C:\DOCUME~1\Pieter\LOCALS~1\Temp

    27-05-2005 22:33 50.688 gjuhmzuhyzm.dll
    1 bestand(en) 50.688 bytes
    0 map(pen) 27.520.704.512 bytes beschikbaar

    STEP2

    CODE

    *[URL=http://www.geekstogo.com/modules.php?modid=5&action=download&id=4]Click Here[/URL] to download Killbox by Option^Explicit.
    *Close all Internet Explorer windows
    *Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
    *In the killbox program, select the Standard File Kill and put a checkmark in the “End Explorer Shell While Killing File” box.
    <<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>
    *Click the red-and-white “Delete File” button.
    *Your taskbar will disappear for a short while

    *In the killbox program, select the [b]Delete on Reboot[/b] option.
    *Copy the file names below to the clipboard by highlighting them and pressing Control-C:

    [b]C:\WINDOWS\system32\bootpd.exe
    C:\WINDOWS\system32\scrsvc.exe[/b]

    *Return to Killbox, go to the File menu, and choose “Paste from Clipboard”.
    *Click the red-and-white “Delete File” button. Click “Yes” at the Delete on Reboot prompt. Click “No” at the Pending Operations prompt.

    After the reboot, run HijackThis and put checkmarks in front of the following items.
    Close [b]all[/b] windows except HijackThis and click Fix checked:

    O2 – BHO: (no name) – {5483427F-93B8-1470-5A89-E6B56484CDB2} – C:\DOCUME~1\Pieter\LOCALS~1\Temp\gjuhmzuhyzm.dll

    O4 – HKLM\..\Run: [scrsvc] C:\WINDOWS\system32\scrsvc.exe
    O4 – HKLM\..\Run: [bootpd.exe] C:\WINDOWS\system32\bootpd.exe
    Download, install, and run [url=http://www.spywareaid.com/index.php?file=showsoftware&action=dl&softid=1&softtype=exe][b]CleanUp![/b][/url]

    Download and unzip the hosts file from http://www.mvps.org/winhelp2002/hosts.htm to the folder that is right for your Windows version.
    Acknowledge that you want to overwrite the hosts file that is present, [b]except[/b] if you were using the hosts file for something useful before this happened.
    This is often the case on corporate networks; if you are not sure, ask the system administrator.

    If you do not have the Google Toolbar installed, you can delete this folder:
    c:\program files\google

    If you are running Windows XP SP2, copy the part in bold below into Notepad and save it as AUenabled.reg
    [b]
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    “NoAutoUpdate”=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    “AntiVirusDisableNotify”=dword:00000001
    “FirewallDisableNotify”=dword:00000001
    “UpdatesDisableNotify”=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    “C:\\WINDOWS\\system32\\scrsvc.exe”=-

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PremiumSearch Startpage]
    [/b]
    To re-enable Automatic Windows Updates, reset the Security Center settings to default and remove PremiumSearch Startpage from Add/Remove Software, double-click that file and confirm you want to merge it with the registry.

    To remove PremiumSearch StartPage from Add/Remove Software if you are running a different version of Windows, you can use HijackThis:
    Click Config > Misc Tools > Open Uninstall Manager > Select PremiumSearch Startpage and click Delete.

    Comment by metallica — November 11, 2006
