Super-Spider garbage!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by AA_Freeze, Sep 17, 2004.

  1. Trysieme

    Trysieme Private E-2

    Ok you 2... I think you need a third perspective. I, too, have come across this VERY SAME problem. Let me shed some light... The company is Melkosoft Corporation... a warez "company" based in Russia. ANYTIME you use HijackThis or similar software to "Fix" the xxxxxxx.dll listed another one is "spawned" to replace IMMEDIATELY. In some cases, I have found it takes up to 15-20 seconds to do this. It CAN do this without IE open. Attempts to delete the files are futile, and only fixing the symptom...

    I don't know the exact Source, but I believe it to be a modification to an explorer file or dll... I have yet to prove this, but I plan "reinstalling" IE 6.0, to eliminate it as a possible source. More info on that can be found in the Microsoft Knowledge Base. Meanwhile, until the source is identified and cleaned... this problem will NOT go away.

    On another note... I at first debated starting a class action lawsuit against this Melkosoft Corporation until I discovered they were international. I am currently looking into international law to see if such "hacking/hijacking" has laws against it just as in the USA. If so, I will happily post more info on them and what's being done to stop things like this from happening.
     
  2. AA_Freeze

    AA_Freeze Private E-2

    Hey Chaslang, sorry I haven't posted in a while, I FDISK'd my hard drive...lol. I was pretty fed up with the whole operation. I just put all my files on CD and it wasn't that bad...I wanted to thank you for all your help, too bad we didn't resolve the issue.

    To the guy that wanted a class action lawsuit on Melkosoft...good luck bro, right now our government cannot prosecute credit card fraud from any other country, so I doubt they would be able to do anything about this type of garbage. This is a great website and I recommend it to everyone I know for utilities and software....thanks again!! Oh..btw, I just use a garbage computer now for my internet...there's nothing on it to hurt.. I can FDISK all day long now!!!
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  4. Trysieme

    Trysieme Private E-2

    Wow.. drastic measure, but then again I can't say I blame you! I sat down and did some hardcore troubleshooting, and got this thing just about figured out...

    I used Hackthis! and had My Computer/Windows/System32 open in another window. Use Hackthis a couple times to "kill" any older files that this malware has created. Sort your System32 window by Date (descending) so that you may see all new files created/modified at the top. First thing you should notice (might take a Refresh) is a number of those DLL files with the "random" names.

    This "order" is VERY important...

    Using Hackthis!, run a Scan. Notice the names of the BHO and the AppDLL_Init. Those should be near the top of your system32 window. If one is missing, check them all, and "Fix" them. Run Scan again. Now in your system32 window, delete the .bak files near the top (the ones with funny names). THEN rename the DLLs (I used 1, 2, 3, etc.). Now, check all items in Hackthis!, and Fix them. Wait about a minute, then Refresh your system32 window. If you got all the files, there will be no new ones appearing at the top at which point you're now free!

    If another 2 appeared (they seem to work in pairs) rename them, and go through your system32 folder... chances are you have an older file that was "missed". You'll know you found one when the mouseover info shows the same company name as the DLLs you've been deleting.

    AA, I'm glad your ordeal is through, I just wish I found this out before you FDISK'd! Good luck to you!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's not Hackthis. The program is called HijackThis and it does not delete files. It deletes registry entries. Also, note that for many new infection types (which this one was) you cannot just simply fix the AppInit_DLLs line in HijackThis (if it even appears there) and then delete the file. There are other "super hidden" files (DLLs and EXE files) that will just recreate them. And these super hidden files do not show in HijackThis. You need other tools to find them. They will not even show in a Windows Explorer listing to try to sort them by date. And they constantly change where they are hiding too. So what I am saying is it is not always as easy as you think to fix these problems.
     
  6. AA_Freeze

    AA_Freeze Private E-2

    haha. hey bro, hope it works for you, I did similar things, but the files are hidden and run within IE, so usually when you get online they just go back into action anyways...these are a very difficult trojan to get rid of...I have another computer I am going to infect and work on a solution, so Chaslang, I should be back in a few days, let me know if you want to help.. I'm sure you have similar problems all over this board, but if I find a solution I will surely let you know.

    thanks!!!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    AA,

    If you can get the infection again, try something like the below:

    1) Click Start, Run, and in the Open box enter "cmd" without the quotes and then click OK or press Enter. This should open up a command prompt window.
    2) Leave the command window open and then open Task Manager by pressing CTRL-ALT-DEL simultaneously. Click the "Processes" tab, and then end all instances of iexplore.exe and then explorer.exe. This will cause your desktop and icons to disappear. Don't worry that's okay, we want this to happen.
    3) Next, click on the "Applications" tab of Task Manager, and select C:\WINDOWS\System32\cmd.exe and click "Switch to".
    4) In the Command prompt window type cd c:\windows\system32 and press Enter
    5) Then type these two commands each followed by the enter key:
    attrib -r -h -s h6gp3sjkczmdr.dll
    del h6gp3sjkczmdr.dll

    Note: if you do not have the same file name just substitute what you do have.

    6) Now type in dir h6gp3sjkczmdr.dll to make sure the file is really deleted.
    7) Close the command prompt window and then switch back to Task Manager again by pressing CTRL+SHIFT+ESC simultaneously until you get back to Task Manager.
    8) Click on the "File" menu and choose "New Task"
    9) In the window type explorer and then press "OK" to reopen the Windows shell
    10) Now bring up Windows Explorer and navigate to c:\windows\system32 and check to see if the file we deleted is still gone.
    11) Run Internet Explorer and then close it, see if the file is still gone.

    Let me know if you can get re-infected and where you went to get it infected and if these steps help at all.

    If this still does not work, first use Windows Explorer to look in the c:\windows\system32 folder but have it sort everything by date. So the top shows the newest files. See if you can find other files in the same date range that may be part of this. They may also have similar strange random character names. Note: they may not all be .dll files. They could be anything. But more typical would be .exe, .dat, .bak
     
    Last edited: Oct 13, 2004
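The manual sequence chaslang lays out above (kill iexplore.exe and explorer.exe, strip the read-only/hidden/system attributes, delete the DLL, confirm with dir, then look at the newest entries in System32 for its companions) can be scripted. The PowerShell below is an added example for this thread, not chaslang's own steps or a MajorGeeks tool, and it assumes an elevated PowerShell prompt on a Windows version that has PowerShell (the 2004 thread predates it). The only file name it knows is the h6gp3sjkczmdr.dll from the post; pass whatever name HijackThis shows on your machine instead.

```powershell
# Added example: automates the attrib / del / dir sequence from the post above,
# then shows the newest files in System32 (hidden ones included) so that the
# "same date range, random name" companions the post describes stand out.
param(
    # Suspect file names from HijackThis; the default is the name in the post.
    [string[]]$Suspects = @('h6gp3sjkczmdr.dll'),
    [string]$Sys32 = "$env:SystemRoot\System32"
)

# Step 2 of the post: stop Internet Explorer first, then the shell, so that
# nothing that has the DLL loaded is around to re-create it while we delete.
foreach ($name in 'iexplore', 'explorer') {
    Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force
}

$results = @{}
foreach ($file in $Suspects) {
    $path = Join-Path $Sys32 $file
    # -Force is required for Get-Item to see hidden/system files at all.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        $results[$file] = 'not present'
        continue
    }
    # Equivalent of:  attrib -r -h -s <file>
    $item.Attributes = 'Normal'
    # Equivalent of:  del <file>
    Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    # Equivalent of:  dir <file>   (verify the file is really gone)
    if (Test-Path -LiteralPath $path) {
        $results[$file] = 'STILL PRESENT - something is re-creating or holding it'
    } else {
        $results[$file] = 'deleted'
    }
}
$results.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# The post's fallback advice: sort System32 by date, newest first, and look for
# other oddly named .dll/.exe/.dat/.bak files written in the same time window.
Get-ChildItem -LiteralPath $Sys32 -Force -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 20 Name, LastWriteTime, Attributes |
    Format-Table -AutoSize

# Steps 8-9 of the post: bring the desktop back.
Start-Process explorer.exe
```

Two caveats from the thread itself apply to the script as much as to the manual steps: if the status comes back "STILL PRESENT", the hidden loader chaslang mentions is still running and deleting the DLL alone will not help; and on newer Windows versions the shell can be restarted automatically after explorer.exe is stopped, so check the process list before trusting that nothing can respawn the file.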
