"Your computer might be at risk"

Discussion in 'Malware Help (A Specialist Will Reply)' started by Heathcliff, Sep 16, 2005.

  1. Heathcliff

    Heathcliff Private E-2

    Hi,

    I tried to reply to a message from Chaslang, but apparently I am not authorized to reply in that thread. I wanted to reply, because the problem which is described there resembles a very nasty problem that I fixed on the computer of a friend of mine. This piece of spyware is very hard to find. None of the scanners I tried could find this spyware. It couldn't even be detected with HijackThis.

    The symptoms:

    Every few minutes a fake Security-Center icon shows up in the system tray with a balloon saying 'Your computer might be at risk' etc. It also shows a link which will open a help file which will give you wrong info about how to solve the problem. This spyware will also try to download other spyware and viruses. These new spyware and viruses may or may not be detected by your antivirus or antispyware. But even if they are detected and cleaned, the original spyware will reside in memory and keep popping up the balloon. It may even do other harm, which I am not aware of.

    Finding the problem:

    Searching through the forum I found a lot of people trying to defeat this one. But most people were trying to clean the viruses which were downloaded by the 'invisible' spyware. The spyware seems to be downloading different types of viruses and spyware, so everybody was talking about different infected files, which makes it even more difficult to get a grip on. There were two files that seem to be really connected to our enemy:

    C:\Windows\Balloon.wav
    C:\Windows\Rdt.ini

    Using some tools to do memory dumps and then pattern-matching against files on the hard disk, I traced it back to the file:

    C:\Windows\System32\csgpz.exe

    This is a very weird file. It is about 50KB in size. If you try to copy it, you can't delete it anymore. When I tried to find any references in the registry or HijackThis, I couldn't find anything. My guess is that the contents of this file cause a buffer overflow in some part of Windows (probably the Explorer). This will also occur on boot of the system. And it will get in memory by using the buffer overflow as an exploit. That's why you won't see the file in memory either. When I searched on the forums I didn't see this file in any log dumps of other victims, but I did see an exe file starting with 'cs', followed by three other, random characters in some cases.

    Resolving:

    Reboot in safe mode (press F8 when the boot sequence begins). Delete the files Balloon.wav and Rdt.ini. Look in the Windows\System32 folder and locate an exe file beginning with 'cs' and having a size of 50KB. Also delete this one (use Shift-Delete, to be sure it's really gone!). Now reboot. Go to Control Panel \ System \ System Restore. Turn off System Restore on all drives. Do a full virus scan and full spyware scan with reliable and fully updated programs. Turn on System Restore again.

    After this the balloon did not come back and no new viruses were downloaded anymore. On my friend's machine there was still one more problem. I don't know if it is related to the problem described here. When I used Explorer to navigate through folders on the hard disk, Explorer would freeze and crash occasionally. If this also happens to you, I recommend ExplorerXP: http://www.explorerxp.com/ Use this for as long as this problem isn't solved.

    Good luck! I hope you can fix this now.
    May all spyware-programmers burn in hell!

    Heathcliff
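The indicator checks from the post, as an added read-only triage script (not Heathcliff's code and not from any tool the post names): it reports Balloon.wav, Rdt.ini and any roughly 50KB `cs???.exe` in System32 without deleting anything, so the findings can be verified before the safe-mode cleanup. The size band, the `[a-z0-9]` character class and the constructed sample tree are assumptions.

```python
"""Read-only scan for the 'Your computer might be at risk' indicators.
Added example: checks <windows>\\Balloon.wav, <windows>\\Rdt.ini and a
~50KB cs???.exe in <windows>\\System32, reporting only, never deleting.
"""
import re
import tempfile
from pathlib import Path

# Companion files named in the post (Windows names are case-insensitive)
COMPANION_FILES = ("balloon.wav", "rdt.ini")
# 'cs' plus three random characters; character class is an assumption
DROPPER_NAME = re.compile(r"^cs[a-z0-9]{3}\.exe$", re.IGNORECASE)
# "about 50KB": assumed tolerance band so a name match alone is not enough
SIZE_MIN, SIZE_MAX = 40 * 1024, 60 * 1024


def find_indicators(windows_dir):
    """Return sorted (kind, path) findings under a Windows directory."""
    windows_dir = Path(windows_dir)
    findings = []
    for entry in windows_dir.iterdir():
        if entry.is_file() and entry.name.lower() in COMPANION_FILES:
            findings.append(("companion", str(entry)))
    system32 = windows_dir / "System32"
    if system32.is_dir():
        for entry in system32.iterdir():
            if not entry.is_file() or not DROPPER_NAME.match(entry.name):
                continue
            # csrss.exe is a legitimate Windows binary whose name also fits
            # cs???.exe, so the size band is what separates it here.
            if SIZE_MIN <= entry.stat().st_size <= SIZE_MAX:
                findings.append(("suspect_exe", str(entry)))
    return sorted(findings)


def build_sample_tree(root):
    """Construct a fake Windows tree (test data only, not a real system)."""
    root = Path(root)
    (root / "System32").mkdir(parents=True, exist_ok=True)
    (root / "Balloon.wav").write_bytes(b"RIFF")
    (root / "Rdt.ini").write_text("[constructed]\n")
    (root / "System32" / "csgpz.exe").write_bytes(b"\0" * (50 * 1024))
    (root / "System32" / "csrss.exe").write_bytes(b"\0" * (6 * 1024))
    (root / "System32" / "notepad.exe").write_bytes(b"\0" * (50 * 1024))
    return root


def demo():
    """Scan a constructed tree; returns the findings for inspection."""
    return find_indicators(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind}: {path}")
```

Run it against a real machine with `find_indicators(r"C:\Windows")`; a hit is a lead to confirm by hand, not proof of infection.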