PDA

View Full Version : Anyone ever heard of spyburner?



maxporter
2008-02-15, 12:54
Yesterday my sister had an 'interesting' piece of software on her desktop: spyburner. It changed the desktop with a mywallpaper.bmp picture (stating a huge warning that spyware is on the desktop) and placed a microsoft security icon on the taskbar (when clicked started iexplorer with spyburner.com, a professional looking website). Also when running spybot, I noticed a large amount of malware (108). I tried to remove this spyburner junk, but this was pretty difficult. In safe mode I removed the software, any entry in the registry and the spyburner.exe at startup (msconfig). This was however not sufficient. When restarting the computer and opening iexplorer it downloaded the mywallpaper.bmp and the microsoft security icon popped up again.:mad: I ran spybot again: 33 malware. After some further investigation I found several files in c:\windows with the same timestamp which seems a bit suspicious:

wmstrbum.exe
winstrse.exe
win32st.exe
tromomwin32.exe
sysobjwertb.dll
shellexcon.exe
hllibex.exe
cracrwinz.exe
config.ini
comsysobj.exe

I searched the internet for more information about this spyburner, but didn't find much.

- Anyone ever heard of this junk?
- I changed the executables above, it seems to solve the problem for now. But my guess is that there is more, how can I clean her desktop?
- I did found some info about spyburner in a forum. A post that 'it went alive ' which was posted 13 February 2008. It was a site called roguenet, does this ring a bell?

Note: I tried to identify/remove spyburner with McAfee and AVG, but both didn't found it.

PS. contents of config.ini:

[General1]

URL=http://theonlybookmark.com/in.cgi?11&group=adv001
[General2]
URL1=http://theonlybookmark.com/in.cgi?6
URL2=http://theonlybookmark.com/in.cgi?12
URL3=http://safe-strip-download.com/soft/in.cgi?11&group=4TimeMinutes1=30
TimeMinutes2=20
TimeMinutes3=70
[General3]
MsgTitle = Warning - Error
MsgText = If you computer has been suffering from frequent crashes, instability or slow PC speeds, you may have critical errors on you computer. To scan your computer for critical errors, click OK below.

url = http://safe-strip-download.com/soft/in.cgi?11&group=3timeMinSec = 10800
timeMaxSec = 18000
dir = %programfiles%\SystemErrorFixer
[General4]
BalloonTitle = Warning: Your computer is infected
BalloonText = Windows has detected spyware infection! Click this message to install the last update of Windows security software..
MsgBoxTitle = Security Monitor: WARNING!
MsgBoxText = Attention! System detected a potential hazard (TrojanSPM/LX) on your computer/n that may infect executable files. Your private information and PC safety is at risk./n To get rid of unwanted spyware and keep your computer safe you need to update your current security software./n Click Yes to download official intrusion detection system (IDS software)

url1 = http://safe-strip-download.com/soft/in.cgi?11&group=1
url2 = http://safe-strip-download.com/soft/in.cgi?11&group=2time1Sec = 120
time2Sec = 3600
[General5]
BalloonTitle = Warning: Hard disk full
BalloonText = Undesired files detected on your hard disk. Click here to install cleaning software..

url = http://safe-strip-download.com/soft/in.cgi?11&group=4timeSec = 8000
dir = %programfiles%\PCPrivacyTool

Thnx in advance!

ken545
2008-02-15, 23:29
Hello maxporter

Welcome to Safer Networking.

Please read Before YouPost (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Download Trendmicros Hijackthis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.
Double click it to install
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe

Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.