Go.Google - Trojan - Malwarebytes - link replacement
There seems to be a new malware player that hasn't been very well documented yet. This Trojan replaces hyperlinks in Internet Explorer so that when you click on a link you are redirected to a site of their choosing (or an error page). I think the links contain a code that gives the creator of the Trojan a pay-per-click reward. At least this one has a motive.
By the time I got the PC with this Trojan, it had been infected with hundreds of spyware items and the AVG antivirus was compromised. After a couple of passes with SuperAntiSpyware, SpyBot and AdAware the PC was behaving normally except for the redirected links. I manually removed or renamed dozens of suspicious files in the System32 directory, removed all suspicious entries with HijackThis, checked the Hosts file and monitored activity with Process Explorer, and still couldn't get rid of the Trojan. I also installed BitDefender after reading some articles stating that they had discovered such a Trojan a few months ago. It turns out that their discovery was just a Hosts file attack, and their product also failed to get rid of the real culprit.
I usually credit a forum or blog with helping me find the solution, but this time it was just a matter of seeing the same name come up several times across many sites: Malwarebytes' Anti-Malware. I'm reluctant to try new 'free' software because it has cost me lots of time sifting through the buggy and bogus products that are available, but this Trojan had me stumped. I ran the Malwarebytes product and it found and removed the offending files and registry entries. It turns out that I missed them when looking for DLLs to delete in the System32 folder. In order to help others find this article and compare their problem with the one I had, I'll post part of the Malwarebytes log. This is now going to be one of my standard tools, as it really worked in this tough situation.
Registry Keys Infected:
HKEY_CLASSES_ROOT\oberontb.band (Adware.Gamesbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\oberontb.band.1 (Adware.Gamesbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6f282b65-56bf-4bd1-a8b2-a4449a05863d} (Adware.Gamesbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\altcompare (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\altcmd (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\altcmd\altcmd.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\altcmd\uninstall.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\wsnpoem\video.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Application Data\wsnpoem\video.dll.cla (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\s32.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ws386.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mari\Application Data\temp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
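As an added example (not from this post or from Malwarebytes), here is a small Python parser for the log format shown above. It turns each "path (detection family) -> action" line into a record so that the "Delete on reboot" entries, which the scanner could only schedule for removal, can be pulled out for a re-check after the restart. The sample input is a constructed subset of the log lines above.

```python
import re

# Constructed sample: a subset of the Malwarebytes log lines posted above,
# embedded here so the parser runs offline.
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6f282b65-56bf-4bd1-a8b2-a4449a05863d} (Adware.Gamesbar) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\altcmd (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\altcmd\altcmd.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\s32.txt (Malware.Trace) -> Quarantined and deleted successfully.
"""

# "<section> Infected:" headers set the kind of the lines that follow.
SECTION_RE = re.compile(r"^(?P<kind>.+) Infected:$")
# Entry lines: "<path> (<detection family>) -> <action>."  The greedy path
# group keeps a path such as "C:\Program Files (x86)\..." intact.
ENTRY_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return one dict (kind, path, family, action) per entry line, in log order."""
    entries, kind = [], None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            kind = sec.group("kind")
            continue
        ent = ENTRY_RE.match(line)
        if ent and kind:
            entries.append({"kind": kind, **ent.groupdict()})
    return entries

def pending_on_reboot(entries):
    """Paths the scanner could not remove while Windows was running: the ones
    to re-check (and re-scan) after the restart the log is asking for."""
    return [e["path"] for e in entries if e["action"].startswith("Delete on reboot")]

def kernel_drivers(entries):
    """Hits with a .sys extension. A driver is a component that hand-deleting
    DLLs in System32, as the post describes, would not have touched."""
    return [e["path"] for e in entries
            if e["kind"] == "Files" and e["path"].lower().endswith(".sys")]
```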
Posted by John at 10:12:55 AM in PC Maintenance (8)
Comments
1. Sanjay said...
John,
Your posting was of GREAT help to me this morning when my IE7 got infected by this malware.
I removed it manually, and all seems fine now.
Delete these files:
c:\program files\altcmd\altcmd32.dll
c:\program files\altcmd.inf
c:\program files\altcmd\uninstall.bat
The DLL had the following class IDs:
2A8D06B4-1B40-009F-E531-629A59080F43
A8954909-1F0F-41A5-A7FA-3B376D69E226
I found and removed the first from my registry. The 2nd wasn't there but was in the DLL.
Also removed the following from the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\altcompare
Thanks for your help. I really thought that I would have to rebuild my PC again.
2. John+Dykstra said...
I'm glad it helped. Thanks for the comment.
3. jenny said...
I had the same problem too. But do you know where the Trojan came from? And what does it do exactly?
4. John+Dykstra said...
I don't know where it came from. It appears that the writer of the Trojan may be getting paid a few cents each time one of their victims gets redirected to the sites built into the nefarious code.
5. Mr B J Evans said...
Had similar trouble: every time F-Secure did a scan it picked up REGKEY HKCR typelib + REGKEY HKCR interface + REGDATA hku and quarantined them. I would delete them, but they would be there again on the next scan. Contacted F-Secure; they told me to delete restore points, to no avail, still there. Told to delete all other antivirus programs because one counteracts the other. Did a scan, still there. In the end found a folder on the C: drive, altcompare; deleting this got rid of all the hkey malware.
Hope this helps someone.
6. Bharat said...
Thanks,
It helped, yes I also got rid of the malware.
I deleted the folder altcompare in C:\Program Files, then deleted the registry key through regedit (run from the Run panel) by going to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\altcompare
Bharat
7. Curtis said...
Makes you wonder if this isn't a scheme by Malwarebytes to gain fast popular interest.
10/4/2008