Jahewi's Anti-Malware Information
Second Spyberus test, 2 July 2006
This time, I ran into the possibility to download a serial number for SpySheriff on freeserials.com ... and of course I couldn't resist :-)

I got hit by Crystalys, which is a bundle of malware (adware, toolbar and BHO), and I installed it.

The result was the installation of 2 downloaders and an attempt to install a Smitfraud or Wareout variant (file h91746.exe) on the computer, although it stopped with the MS error (the 2nd figure). It basically translates to:
An error has occurred in h91746.exe and it has to be shut down. Sorry for the inconvenience ... etc. etc.

The 2 trojans, per.exe and b2ca2177.exe, were both recognised by online sandboxing at Norman (through Jotti) as trojan.downloader.
Kaspersky recognizes per.exe as trojan.downloader.win32.delf.zc
Also, trojan.DnsChange is present ... again

Spyberus showed a "Suspected Browser Exploit" and a Loader.cab, which held the trojan downloaders b2ca2177.exe and per.exe.

This is the HijackThis log from that moment:
Logfile of HijackThis v1.99.1
Scan saved at 11:14:11, on 2-7-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\Robot Genius\Spyberus\RgView.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
c:\xxx.exe
C:\Program Files\Internet Explorer\iexplore.exe

C:\DOCUME~1\jahewi\LOCALS~1\Temp\h91746.exe
C:\WINDOWS\Downloaded Program Files\rdgNL2511.exe
C:\Documents and Settings\jahewi\Bureaublad\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Robot Genius - {1FD7EA94-0650-4CF5-ACFF-CDB36A6E924F} - C:\Program Files\Robot Genius\Spyberus\RgWinId.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [RGLauncher] C:\Program Files\Robot Genius\Spyberus\Spyberus.exe /S

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [b2ca2177.exe] C:\WINDOWS\System32\b2ca2177.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [b2ca2177.exe] C:\Documents and Settings\jahewi\Local Settings\Application Data\b2ca2177.exe
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151121794465

O17 - HKLM\System\CCS\Services\Tcpip\..\{B58A45F4-2642-459F-8A26-3AC3F3AE24BC}: NameServer = 85.255.115.83,85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\..\{E23F6C27-C4AC-4F77-8179-F2ADC9A523A1}: NameServer = 85.255.115.83,85.255.112.206
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.83 85.255.112.206
O17 - HKLM\System\CS1\Services\Tcpip\..\{B58A45F4-2642-459F-8A26-3AC3F3AE24BC}: NameServer = 85.255.115.83,85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.83 85.255.112.206

O20 - AppInit_DLLs: C:\PROGRA~1\ROBOTG~1\Spyberus\RGIEMon.dll C:\PROGRA~1\ROBOTG~1\Spyberus\RGIEMon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe



After removing the package with Spyberus, including the remaining clutter, the HijackThis log looks clean again.
Additional scans don't show anything out of the ordinary.



jahewi, july 4 2006

As instructed by Pleks S.R.O. (a known distributor of malware-containing packages and creator of the Aze Search Toolbar) I downloaded their package Download_Crack.zip
The file Download_Crack.zip is, by the way, a widely spread malware package, which you can download on numerous sites, as well as on filesharing networks.
The content of the file isn't always the same, but it always contains a Smitfraud or Wareout variant and, most of the time, downloader and/or backdoor trojans as well as spyware and adware.


Downloading/installing this file will absolutely infect your computer with several malware variants!
Please, DO NOT download this file anywhere, if you want a healthy computer!!!
As soon as the file was downloaded and installed, the computer got infected with (mainly) TrustCleaner (what's in a name ...)

The HijackThis log looked like this:

Logfile of HijackThis v1.99.1
Scan saved at 12:06:29, on 2-7-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\Robot Genius\Spyberus\RgView.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe

c:\xxx.exe
C:\Program Files\TrustIn Popups\TrustInPopups.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\jahewi\Bureaublad\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll

O2 - BHO: SpoofBHO Class - {07A78AEA-4A54-4967-9A60-4B68592D30C7} - C:\WINDOWS\se_spoof.dll
O2 - BHO: Robot Genius - {1FD7EA94-0650-4CF5-ACFF-CDB36A6E924F} - C:\Program Files\Robot Genius\Spyberus\RgWinId.dll
O2 - BHO: WeeklyExecuter Class - {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} - C:\WINDOWS\System32\tload.ocx
O2 - BHO: TrustIn Bar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\Program Files\trustin bar\trustin.dll
O2 - BHO: ContextualAds Class - {FE6C16C4-16AD-47B6-B250-26AD1829E49A} - C:\Program Files\TrustIn Contextual\trustincontext.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll

O3 - Toolbar: TrustIn Bar - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\Program Files\trustin bar\trustin.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [RGLauncher] C:\Program Files\Robot Genius\Spyberus\Spyberus.exe /S

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TrustIn Popups] "C:\Program Files\TrustIn Popups\TrustInPopups.exe"
O4 - HKCU\..\Run: [Trust Cleaner] C:\Program Files\Trust Cleaner\TrustCleaner.exe

O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0CF5F0B2-9F73-6658-AA97-74EA1D242C69} - http://85.255.114.166/1/rdgNL2511.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2D9DEF31-37B1-7393-011D-6FA909EB6BF9} - http://85.255.114.166/1/rdgNL2511.exe
O16 - DPF: {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} (WeeklyExecuter Class) - http://soft.trustincash.com/install/tload.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151121794465

O17 - HKLM\System\CCS\Services\Tcpip\..\{B58A45F4-2642-459F-8A26-3AC3F3AE24BC}: NameServer = 85.255.115.83,85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\..\{E23F6C27-C4AC-4F77-8179-F2ADC9A523A1}: NameServer = 85.255.115.83,85.255.112.206
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.83 85.255.112.206
O17 - HKLM\System\CS1\Services\Tcpip\..\{B58A45F4-2642-459F-8A26-3AC3F3AE24BC}: NameServer = 85.255.115.83,85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.83 85.255.112.206

O20 - AppInit_DLLs: C:\PROGRA~1\ROBOTG~1\Spyberus\RGIEMon.dll C:\PROGRA~1\ROBOTG~1\Spyberus\RGIEMon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
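
The two HijackThis logs on this page (the Crystalys one above and the Download_Crack.zip one just shown) carry the same four tell-tale patterns: a NameServer hard-coded to public addresses under Tcpip (O17), autorun entries for randomly named or user-profile executables and a fake rundll32-style command line (O4), a DPF entry that pulls a bare .exe from a raw IP (O16), and a BHO DLL dropped straight into the Windows directory (O2). The following Python script is an added example, not code from the original page and not part of HijackThis or Spyberus; it parses HijackThis-style lines and flags those patterns in general (any public nameserver off the allowlist, any dll,Export argument handed to something other than rundll32.exe, any eight-hex-digit autorun name, and so on), not only the exact values seen here. The sample lines are copied from the logs on this page, and the EXPECTED_DNS allowlist (192.168.1.1) is an assumption standing in for whatever resolver the machine should really have.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: entries copied from the two HijackThis logs on this page,
# plus a few of the benign entries that sit next to them in those logs.
SAMPLE_LOG = r"""
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: SpoofBHO Class - {07A78AEA-4A54-4967-9A60-4B68592D30C7} - C:\WINDOWS\se_spoof.dll
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [b2ca2177.exe] C:\WINDOWS\System32\b2ca2177.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [b2ca2177.exe] C:\Documents and Settings\jahewi\Local Settings\Application Data\b2ca2177.exe
O16 - DPF: {0CF5F0B2-9F73-6658-AA97-74EA1D242C69} - http://85.255.114.166/1/rdgNL2511.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151121794465
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.83 85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\..\{B58A45F4-2642-459F-8A26-3AC3F3AE24BC}: NameServer = 85.255.115.83,85.255.112.206
"""

# Assumption for this example: the only resolver that may be hard-coded is the
# LAN router. Private (RFC 1918) addresses are always tolerated.
EXPECTED_DNS = {"192.168.1.1"}

LINE_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# "... something.dll,ExportName" as the trailing argument of a Run command
DLL_EXPORT_ARG_RE = re.compile(r"\s\S+\.dll,\w+\s*$", re.IGNORECASE)
# "\xxxxxxxx.exe" with exactly eight hex digits, like b2ca2177.exe
HEX_NAME_RE = re.compile(r"\\[0-9a-f]{8}\.exe(?=\s|$)", re.IGNORECASE)
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\", "\\local settings\\")


def is_ip(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def check_o2(body):
    # "BHO: name - {CLSID} - path": a helper DLL sitting directly in the
    # Windows directory instead of a program folder is unusual.
    path = body.rsplit(" - ", 1)[-1].strip()
    if re.fullmatch(r"(?i)c:\\windows\\[^\\]+\.dll", path):
        return "BHO DLL sits directly in the Windows directory"
    return None


def check_o4(body):
    # "HKxx\..\Run: [name] command"
    cmd = body.split("] ", 1)[-1].strip()
    low = cmd.lower()
    if DLL_EXPORT_ARG_RE.search(cmd) and "rundll32" not in low:
        return "dll,Export argument passed to something other than rundll32.exe"
    if HEX_NAME_RE.search(cmd):
        return "autorun executable with a random-looking 8-hex-digit name"
    if any(marker in low for marker in USER_WRITABLE):
        return "autorun executable launched from a user-writable location"
    return None


def check_o16(body):
    # "DPF: {CLSID} (name) - URL": ActiveX installs normally come as a .cab
    # from a named host; a bare .exe from a raw IP is a downloader pattern.
    url = body.rsplit(" - ", 1)[-1].strip()
    parsed = urlparse(url)
    reasons = []
    if is_ip(parsed.hostname or ""):
        reasons.append("downloaded from a bare IP address")
    if parsed.path.lower().endswith(".exe"):
        reasons.append("DPF entry points straight at an .exe")
    return "; ".join(reasons) or None


def check_o17(body, expected=EXPECTED_DNS):
    # "...: NameServer = a.b.c.d,e.f.g.h" (comma- or space-separated)
    _, _, value = body.partition("NameServer =")
    servers = [s for s in re.split(r"[,\s]+", value.strip()) if s]
    rogue = [s for s in servers
             if is_ip(s) and not ip_address(s).is_private and s not in expected]
    if rogue:
        return "hard-coded public DNS servers not on the expected list: " + ", ".join(rogue)
    return None


CHECKS = {"O2": check_o2, "O4": check_o4, "O16": check_o16, "O17": check_o17}


def triage(log_text):
    """Return (section, reason, line) for every HijackThis line a check flags."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        check = CHECKS.get(section)
        reason = check(body) if check else None
        if reason:
            findings.append((section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the sample, the script flags se_spoof.dll, all three malicious O4 entries (per.exe via its fake internat.dll,LoadKeyboardProfile argument, both b2ca2177.exe copies via the hex name), the rdgNL2511.exe DPF entry, and both O17 lines, while the SnagIt BHO, ctfmon.exe and the Windows Update control pass. The heuristics are deliberately narrow; they are a triage aid for reading a log like the ones above, not a replacement for a scanner.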


At this point, I wanted to stop, because I had a number of other things to do.
However, closing down the computer the normal way didn't work ... just nothing happened. I had to close it the hard way ...

When I restarted the computer later that day, it was very sluggish.
I tried to open the Task Manager, but I got the message

Task Manager has been disabled by the system administrator

Of course, rebooting was also out of the question, so I left the computer to itself, to see what would happen.
When, after a few more minutes with a lot of disk activity, the desktop icons appeared, the first thing that happened was that TrustCleaner started to scan.
After the scan, the screen looked like the picture on the left side.

This time, I used System Restore to see if Spyberus would come back to life, but it didn't.



jahewi july 4, 2006