Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
ipl_001 SWW Graduate

Joined: 17 Oct 2005 Last Visit: 30 May 2009 Posts: 19 Location: Paris, France
Posted: Sat Dec 16, 2006 3:15 pm Post subject: CurePCSolutions
Hi everyone,
We've got 3 cases of CurePCSolutions on Zebulon (my French forum) so far!
For example, CurePCSolutions adds .exe to files
Oodles of files (.AVI, .MP3, .DOC, etc.) are renamed to .ext.EXE (ext being the former extension).
Renamed files show the same special icon.
Quote: "when I opened them, it would open the error message "possible virus warning" and then go to the CurePCsolutions site."
Renaming the files doesn't solve the problem.
IE start page becomes blank.mht
There's a .DLL file in System32, the name of which is similar to 1A9BDAF.dll or F9428.dll
Removing the DLL, restoring the IE start page and double-clicking a renamed file leads to a system message "no access to the file" and the same warning and CurePCSolutions site display.
In the HJT log, we get several Rx lines:
Quote:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = E:\WINDOWS\blank.mht
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = E:\WINDOWS\blank.mht
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = E:\WINDOWS\blank.mht
and an O2 one:
Quote:
O2 - BHO: E:\WINDOWS\System32\1A9BDAF.dll - {947254B5-96F3-4A9D-FF34-8466477D897C} - E:\WINDOWS\System32\1A9BDAF.dll (file missing)
(the DLL was effectively removed by the victim)
No interesting links by Google:
- links to CurePCSolutions website
- a link to a board discussion on Zebulon
- a link to a discussion on trojaner-board
- some links to discussions on Czech and Arabic forums
- a link to pctools ( http://www.pctools.com/mrc/infections/id/Adware.CurePCSolutions/ ) speaking about Spyware Doctor 4.0 removing the malware but it didn't!
- a link to a crack website
No interesting links by Yahoo!:
- same links as Google's
- oodles of links to crack websites
- a link to CC ( http://www.castlecops.com/p869054-www_updatestate_dot_com.html ), a discussion about www.updatestate dot com by negster22, Nick-YF19 and others.
This problem makes me think of "Virus verschlüsselt Daten und verlangt Lösegeld" (virus encrypts data and demands a ransom), this hijack with file encryption and ransom request!
_________________
Gérard Don't give up... that is what they want us to do... Budfred!
Last edited by ipl_001 on Sun Dec 17, 2006 2:25 am; edited 2 times in total
~Mark Newbie

Joined: 16 Dec 2006 Last Visit: 10 Jan 2007 Posts: 2 Location: Québec
Posted: Sat Dec 16, 2006 10:38 pm Post subject:
Hi Gérard, everyone;
I think it is a "ransomware" redesign, from what I read here:
http://info.drweb.com/show/2747
That was written last January. From what I can see this time around, the "ransom" has been dropped in favor of a rogue...
Dr.Web released a free decoder for the variant that came out almost a year ago, based on the RSA algorithm which was used to encrypt the files. They now detect this latest one as "Trojan.Encoder.10", and it will be interesting to see if the algorithm is the same; if it is a new encryption method, then I hope we'll see a new tool out very soon, so that people infected with this don't go running to buy CurePCSolutions.
Cheers all,
Mark.
ipl_001 SWW Graduate

Joined: 17 Oct 2005 Last Visit: 30 May 2009 Posts: 19 Location: Paris, France
Posted: Sun Dec 17, 2006 2:23 am Post subject:
Hi Mark,
Nice to see you here! Thanks for your post!
Welcome to SWW!
To SWW members: ~Mark is an ASAP member and a very generous and talented warrior whom we can meet at several big boards like G2G, SWI, Atribune and at the forum he heads, Newbie.org
He is also present in France, particularly at Zebulon where he helps me lead the Security board!
Thanks again Mark!
_________________
Gérard Don't give up... that is what they want us to do... Budfred!
Last edited by ipl_001 on Wed Dec 20, 2006 1:38 pm; edited 2 times in total |
ipl_001 SWW Graduate

Joined: 17 Oct 2005 Last Visit: 30 May 2009 Posts: 19 Location: Paris, France
Posted: Sun Dec 17, 2006 8:42 am Post subject:
Hi everyone,
Nasty beast!
There's another discussion with the same malware (plus others) at TechSupportGuy ( http://forums.techguy.org/security/526934-blank-htm-hijacker-advanced-keylogger.html ) and Derek asks for reformatting!
Quote:
1 Hour Ago
dvk01
Moderator
We have been looking at this one & the considered opinion is format & reinstall windows
the damage this one does is so destructive that we are just wasting our time trying to fix it
_________________
Gérard Don't give up... that is what they want us to do... Budfred!
dvk01 SWW Expert
Joined: 17 Nov 2006 Last Visit: 16 Jan 2010 Posts: 15
Posted: Wed Dec 20, 2006 11:17 am Post subject:
it wasn't the curepc & mht entries that suggested format as any encrypted files do stand a chance of decrypt & the av companies should be able to deal with it but
O4 - HKLM\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - HKLM\..\Run: [MSConfig]
O4 - HKLM\..\Run: [mstds.exe] c:\windows\system32\mstds.exe
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
which really muck up system settings & file associations etc and testing by others on a vm proves that reinstallation seems the only way to go
syspools.exe on its own is bad enough but mstds is worse
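The R0/R1 and O2 lines quoted by ipl_001 in the first post and the O4 Run entries Derek quotes above are the kind of HijackThis output a helper reads by eye. The script below is an added example, not code from this thread or from HijackThis, that applies the same reading as simple rules over those exact lines: a browser start/search page set to a local file instead of a URL, a BHO whose DLL has a random-looking hex name or is already gone from disk, and Run entries that launch an image from System32 that is not on a known-good list. The known-good list and the last O4 line in the sample (ctfmon) are constructed for the illustration; the other log lines are the ones quoted in the thread.

```python
"""Triage HijackThis-style log lines for the indicators discussed in this thread.

Added example, not code from the thread or from HijackThis itself. SAMPLE_LOG
holds the R0/R1/O2 lines quoted by ipl_001 and the O4 lines quoted by dvk01,
plus one constructed benign O4 line (ctfmon); the flagging rules are heuristics
written for this illustration.
"""
import re
from typing import Dict, List, Optional

# Lines quoted in the thread; the final O4 line is constructed as a benign control.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = E:\WINDOWS\blank.mht
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = E:\WINDOWS\blank.mht
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = E:\WINDOWS\blank.mht
O2 - BHO: E:\WINDOWS\System32\1A9BDAF.dll - {947254B5-96F3-4A9D-FF34-8466477D897C} - E:\WINDOWS\System32\1A9BDAF.dll (file missing)
O4 - HKLM\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - HKLM\..\Run: [MSConfig]
O4 - HKLM\..\Run: [mstds.exe] c:\windows\system32\mstds.exe
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
"""

R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^=]+?) = (?P<value>.+)$")
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O4_LINE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\](?: (?P<cmd>.+))?$")

LOCAL_PATH = re.compile(r"^[A-Za-z]:\\")          # drive-letter path rather than a URL
HEXISH_DLL = re.compile(r"^[0-9A-F]{4,8}\.dll$", re.IGNORECASE)  # e.g. 1A9BDAF.dll, F9428.dll

# Constructed allowlist for the illustration; a real triage would consult a
# maintained known-good list of Run-key images.
KNOWN_GOOD_RUN_IMAGES = {"ctfmon.exe"}


def triage_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if the line looks benign."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        # Start/search page set to a local file (blank.mht in the thread) is the hijack.
        if LOCAL_PATH.match(m["value"]):
            return {"kind": m["kind"], "reason": "IE start/search page points to a local file", "line": line}
        return None
    m = O2_LINE.match(line)
    if m:
        reasons = []
        basename = m["path"].rsplit("\\", 1)[-1]
        if HEXISH_DLL.match(basename):
            reasons.append("BHO DLL has a random-looking hex name")
        if m["missing"]:
            reasons.append("BHO registration points at a DLL no longer on disk")
        if reasons:
            return {"kind": "O2", "reason": "; ".join(reasons), "line": line}
        return None
    m = O4_LINE.match(line)
    if m:
        cmd = m["cmd"]
        if not cmd:
            return None  # entry with no image to launch, nothing runs
        image = cmd.strip().strip('"').rsplit("\\", 1)[-1].lower()
        if "\\system32\\" in cmd.lower() and image not in KNOWN_GOOD_RUN_IMAGES:
            return {"kind": "O4", "reason": f"Run entry launches unrecognised System32 image {image}", "line": line}
        return None
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run triage_line over every non-empty line and collect the findings."""
    return [hit for hit in (triage_line(l) for l in log_text.splitlines() if l.strip()) if hit]


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per HJT line type (R0, R1, O2, O4)."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['kind']}] {hit['reason']}\n    {hit['line']}")
```

Run against the sample, the script flags the three blank.mht R-lines, the orphaned hex-named BHO, and both syspools.exe entries plus mstds.exe, while the Google start page, the empty [MSConfig] entry and the constructed ctfmon line pass; the point is that the O4 lines Derek singles out surface from the same pass as the .mht entries that drew everyone's attention first.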
ipl_001 SWW Graduate

Joined: 17 Oct 2005 Last Visit: 30 May 2009 Posts: 19 Location: Paris, France
Posted: Wed Dec 20, 2006 1:07 pm Post subject:
Hi Derek, hi everyone,
Phew!
Thanks a lot for your response here, Derek!
Thanks a lot for your explanations which relieve us as, obsessed by the .mht, I didn't see the other lines and didn't understand the sudden post saying to reformat.
~~ edit: A victim of ours uploaded the .DLL file to TheSpyKiller (of course, you know as you came here).
I'm asking him to, if possible, upload a file before and after being renamed.
I hope he also wrote to DrWeb and we count on them to help us decrypt the files.
_________________
Gérard Don't give up... that is what they want us to do... Budfred!
~Mark Newbie

Joined: 16 Dec 2006 Last Visit: 10 Jan 2007 Posts: 2 Location: Québec
Posted: Wed Jan 10, 2007 6:29 pm Post subject:
Hello Gérard, Derek, all;
Some good news, finally
We never did hear back from the Dr.Web support people, after one of our visitors contacted them directly (and uploaded a file). Our second active visitor was prescribed a few tools for other infections, and files were eventually sent for analysis. Some of those files were related to the CurePCSolutions situation, so we got the ball rolling again. My thanks to AndyManchesta on this one
It turns out the files weren't totally encrypted, as I first suspected from reading on older variants. After testing by some kind experts, it was discovered that the Dr.Web CureIt tool was able to repair the files almost completely. The user does need to manually rename/remove the extra .exe extension, on each file, after running CureIt. Since the number of infected files on the PCs doesn't appear to be too large, this technique is viable.
To those involved who might read this: Thank you
Cheers,
Mark.
_________________
Member of ASAP
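The manual step Mark describes, stripping the appended .exe from each repaired file, is tedious by hand once more than a handful of files are involved. The script below is an added example, not the thread's or Dr.Web's code, that finds names of the form name.ext.exe where ext is a data extension, plans the rename, refuses to overwrite a file that already exists under the restored name, and defaults to a dry run. The extension list and the file names in the demo are constructed; a real run would extend the list to the file types on the affected machine. As the first post notes, renaming alone does not repair a file, so this is only the clean-up step after CureIt has done its work.

```python
"""Plan and apply removal of the appended ".exe" described in the thread.

Added example, not code from the thread or from Dr.Web. It restores only the
file name; the file contents must already have been repaired (CureIt in the
thread). DATA_EXTENSIONS and the demo file names are constructed.
"""
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Constructed from the extensions named in the thread (.AVI, .MP3, .DOC) plus a
# few common data types.
DATA_EXTENSIONS = {"avi", "mp3", "doc", "xls", "jpg", "pdf", "zip", "txt"}


def restored_name(filename: str) -> Optional[str]:
    """Return the name with the trailing '.exe' removed when the file looks like
    '<name>.<data ext>.exe'; otherwise None, so a plain .exe is left alone."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) != 3:
        return None
    stem, ext, last = parts
    if stem and last == "exe" and ext in DATA_EXTENSIONS:
        return filename[:-4]  # keep the original casing of the rest of the name
    return None


def plan_renames(paths: Iterable[Path]) -> List[Tuple[Path, Path]]:
    """Pair each affected file with its restored path, skipping any whose
    restored name already exists so nothing is ever overwritten."""
    plan: List[Tuple[Path, Path]] = []
    for p in paths:
        new_name = restored_name(p.name)
        if new_name is None:
            continue
        target = p.with_name(new_name)
        if target.exists():
            continue
        plan.append((p, target))
    return plan


def scan(root: Path) -> List[Tuple[Path, Path]]:
    """Walk a directory tree and build the rename plan for every regular file."""
    return plan_renames(p for p in root.rglob("*") if p.is_file())


def apply_plan(plan: List[Tuple[Path, Path]], dry_run: bool = True) -> int:
    """Perform the renames, or only count them when dry_run is True."""
    for src, dst in plan:
        if not dry_run:
            src.rename(dst)
    return len(plan)


def demo() -> List[str]:
    """Run the whole flow against a throwaway directory of constructed files
    and return the resulting directory listing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("holiday.AVI.EXE", "song.mp3.exe", "report.doc",
                     "setup.exe", "notes.txt.exe", "notes.txt"):
            (root / name).write_bytes(b"stub")
        apply_plan(scan(root), dry_run=False)
        return sorted(p.name for p in root.iterdir())


if __name__ == "__main__":
    # Dry run over the current directory: print what would be renamed.
    for src, dst in scan(Path(".")):
        print(f"{src} -> {dst}")
```

In the demo, holiday.AVI.EXE and song.mp3.exe get their original names back, report.doc and setup.exe are untouched, and notes.txt.exe is skipped because a notes.txt already exists and deciding which copy to keep is a judgement for the user, not the script.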