Jahewi's Anti-Malware Information
Spyberus test, 2 July 2006
Surfing some crack sites, I got hit by Crystalys, which is a bundle of malware (adware, toolbar and BHO), and I installed it.

The result was the installation of 2 downloaders and an attempt to install a smitfraud- or wareout-variant (file
h91746.exe) on the computer, although it stopped with the MS error (the 2nd figure). It basically translates to:
An error has occurred in h91746.exe and it has to be shut down. Sorry for the inconvenience ... etc. etc.

The 2 trojans, per.exe and b2ca2177.exe, were both recognised, by online sandboxing at Norman (through Jotti), as trojan.downloader.
Kaspersky recognizes per.exe as trojan.downloader.win32.delf.zc.
Also, trojan.DnsChange is present ... again.

Spyberus showed a "Suspected Browser Exploit" and a Loader.cab, which held the trojans, the downloaders
b2ca2177.exe and per.exe.

This is the HijackThis log from that moment:
Logfile of HijackThis v1.99.1
Scan saved at 11:14:11, on 2-7-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\Robot Genius\Spyberus\RgView.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
c:\xxx.exe
C:\Program Files\Internet Explorer\iexplore.exe

C:\DOCUME~1\jahewi\LOCALS~1\Temp\h91746.exe
C:\WINDOWS\Downloaded Program Files\rdgNL2511.exe
C:\Documents and Settings\jahewi\Bureaublad\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Robot Genius - {1FD7EA94-0650-4CF5-ACFF-CDB36A6E924F} - C:\Program Files\Robot Genius\Spyberus\RgWinId.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [RGLauncher] C:\Program Files\Robot Genius\Spyberus\Spyberus.exe /S

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [b2ca2177.exe] C:\WINDOWS\System32\b2ca2177.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [b2ca2177.exe] C:\Documents and Settings\jahewi\Local Settings\Application Data\b2ca2177.exe
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151121794465

O17 - HKLM\System\CCS\Services\Tcpip\..\{B58A45F4-2642-459F-8A26-3AC3F3AE24BC}: NameServer = 85.255.115.83,85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\..\{E23F6C27-C4AC-4F77-8179-F2ADC9A523A1}: NameServer = 85.255.115.83,85.255.112.206
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.83 85.255.112.206
O17 - HKLM\System\CS1\Services\Tcpip\..\{B58A45F4-2642-459F-8A26-3AC3F3AE24BC}: NameServer = 85.255.115.83,85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.83 85.255.112.206

O20 - AppInit_DLLs: C:\PROGRA~1\ROBOTG~1\Spyberus\RGIEMon.dll C:\PROGRA~1\ROBOTG~1\Spyberus\RGIEMon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
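The two things in this log that give the infection away are the O4 Run entries (a Run value named b2ca2177.exe registered under both HKLM and HKCU but pointing at different files, one of them under Local Settings\Application Data, and per.exe started with rundll32-style arguments) and the O17 entries, where every interface and both ControlSets carry the same hard-coded public NameServer pair. The script below is an added example, not part of the original post or of any Robot Genius or HijackThis tooling: it parses a handful of O4 and O17 lines copied from the log above (a constructed sample) and flags exactly those patterns. The EXPECTED_RESOLVERS set is a placeholder assumption; fill it with the resolvers your ISP or DHCP actually hands out.

```python
"""Heuristic triage of HijackThis O4 (Run) and O17 (NameServer) entries.
Added example; the heuristics and the EXPECTED_RESOLVERS placeholder are assumptions."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: a subset of the O4/O17 lines from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [b2ca2177.exe] C:\WINDOWS\System32\b2ca2177.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [b2ca2177.exe] C:\Documents and Settings\jahewi\Local Settings\Application Data\b2ca2177.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B58A45F4-2642-459F-8A26-3AC3F3AE24BC}: NameServer = 85.255.115.83,85.255.112.206
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.83 85.255.112.206
"""

# Resolvers you expect to see hard-coded (assumption/placeholder: adjust to your network).
EXPECTED_RESOLVERS = {"192.168.1.1"}

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O17_RE = re.compile(r"^O17 - (.*?): NameServer = (.*)$")
RUNDLL_ARGS_RE = re.compile(r"^\S+\.dll,\w+$", re.IGNORECASE)
# Locations a user (and therefore a drive-by installer) can write to without admin rights.
USER_WRITABLE = ("\\local settings\\", "\\temp\\", "\\downloaded program files\\")


def split_command(cmd: str) -> Tuple[str, str]:
    """Split an O4 command into (executable path, arguments).
    Quoted paths end at the closing quote; unquoted ones end at the first '.exe',
    because HijackThis prints unquoted paths containing spaces verbatim."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    if not m:
        return cmd, ""
    return cmd[:m.end()], cmd[m.end():].strip()


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (reason, evidence) pairs for O4 and O17 entries that warrant a look."""
    findings: List[Tuple[str, str]] = []
    run_targets: Dict[str, Dict[str, str]] = defaultdict(dict)  # value name -> hive -> path
    for line in log.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            path, args = split_command(cmd)
            run_targets[name.lower()][hive] = path.lower()
            if any(tag in path.lower() for tag in USER_WRITABLE):
                findings.append(("autorun from user-writable location", line))
            if RUNDLL_ARGS_RE.match(args) and not path.lower().endswith("rundll32.exe"):
                findings.append(("rundll32-style arguments to a non-rundll32 binary", line))
            continue
        m = O17_RE.match(line)
        if m:
            for server in re.split(r"[,\s]+", m.group(2).strip()):
                try:
                    ip = ipaddress.ip_address(server)
                except ValueError:
                    findings.append(("unparseable NameServer value", line))
                    continue
                # A public resolver written into the registry (not learned via DHCP)
                # is the classic DNS-changer footprint.
                if not ip.is_private and server not in EXPECTED_RESOLVERS:
                    findings.append((f"hard-coded external resolver {server}", line))
    # The same Run value name under HKLM and HKCU pointing at different files is a
    # persistence trick: deleting one copy leaves the other to restart the payload.
    for name, hives in run_targets.items():
        if len(set(hives.values())) > 1:
            evidence = "; ".join(f"{h}={p}" for h, p in sorted(hives.items()))
            findings.append((f"Run value '{name}' points to different files across hives", evidence))
    return findings


if __name__ == "__main__":
    for reason, evidence in triage(SAMPLE_LOG):
        print(f"{reason}\n    {evidence}")
```

On the sample above this yields seven findings: four for the 85.255.x.x resolvers (one per address per O17 line), one for the HKCU b2ca2177.exe entry under Local Settings, one for per.exe being handed internat.dll,LoadKeyboardProfile, and one for the b2ca2177.exe name resolving to two different files. Legitimate entries such as ewido.exe and ctfmon.exe pass untouched.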



After removing the package with Spyberus, including the remaining clutter, the HijackThis log looks clean again.
Additional scans don't show anything out of the ordinary.



jahewi, July 4, 2006