I have found some sort of new malware



xeons
2006-10-29, 14:00
Alright, I've run almost every tool imaginable to try to remove this adware that keeps popping up some popup with the following URL.

So I decided to try running RunAlyzer as a last futile attempt to find where this thing is hiding, and I found something interesting inside

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\srvinet

It points to this suspicious DLL file inside
C:\WINDOWS\inf\srvinet.dll

On further investigation I decided to disassemble the DLL in IDA to see if it was really a Windows DLL, or something more sinister.

It appears to have some DEEP-SEATED system hooks and I'm a little afraid to try to remove it...it's some sort of dynamic root kit.

I found the following strings in it which led me to believe it tries to somehow stop you from running HijackThis

.data:10087354 ; char aHjt_mutant[]
.data:10087354 aHjt_mutant db 'hjt_mutant',0 ; DATA XREF: .text:10004810o
.data:10087354 ; sub_10006470+A5o ...
.data:1008735F align 10h
.data:10087360 ; char aHijackthis_exe[]
.data:10087360 aHijackthis_exe db 'hijackthis.exe',0 ; DATA XREF: .text:10004833o
.data:10087360 ; sub_10006470+C4o ...

After seeing the following strings I am 100% certain it is not a native windows DLL. Just wondering if anyone else has encountered this malware...I'm not entirely sure what it's from. Or if this is the specific thing that's causing my problem at the moment.

If anyone else wants to investigate it I have uploaded it to my server
edited by illukka

links to malware removed to protect our members/users
interested people may contact me for details
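The persistence mechanism described above (a Winlogon Notify package pointing at a DLL outside System32) is easy to audit. The script below is an added example for defenders, not code from the thread or from RunAlyzer: it enumerates every subkey of the Winlogon\Notify key, resolves the DllName value to a full path, and flags any package whose DLL lives outside %SystemRoot%\System32 or lacks a valid Authenticode signature. It assumes it runs in an elevated PowerShell session on a Windows host; the function and property names are my own. In this thread's case the srvinet package pointed at C:\WINDOWS\inf\srvinet.dll, which would be flagged by the path check.

```powershell
# Added example (not from the thread): audit Winlogon Notify packages for suspicious DLLs.
# Assumptions: elevated session; $env:SystemRoot resolves to the Windows directory (C:\WINDOWS on XP).
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyPackages {
    # The key may be absent on hardened or newer systems; return nothing rather than erroring.
    if (-not (Test-Path -Path $notifyKey)) { return @() }

    Get-ChildItem -Path $notifyKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $dll = $props.DllName
        if (-not $dll) { return }   # subkey without a DllName value: nothing to load

        # A bare file name (e.g. "srvinet.dll") is loaded from System32 by the loader's
        # default search, so expand it to a full path before checking where it lives.
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not [System.IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path -Path "$env:SystemRoot\System32" -ChildPath $dll
        }

        $exists = Test-Path -LiteralPath $dll
        $sigStatus = if ($exists) {
            (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
        } else {
            'FileMissing'
        }
        $inSystem32 = $dll -like "$env:SystemRoot\System32\*"

        [pscustomobject]@{
            Package    = $_.PSChildName      # e.g. "srvinet" in the thread above
            DllPath    = $dll                # e.g. C:\WINDOWS\inf\srvinet.dll
            InSystem32 = $inSystem32
            Signature  = $sigStatus
            # Either condition alone is worth a closer look; legitimate packages are
            # signed Microsoft DLLs in System32.
            Suspicious = (-not $inSystem32) -or ($sigStatus -ne 'Valid')
        }
    }
}

# Usage: list every package, suspicious ones first.
Get-WinlogonNotifyPackages | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Anything reported as Suspicious should be cross-checked against the file's properties and a second opinion from an online scanner before it is removed, since a Notify DLL that is deleted while still registered can leave Winlogon unable to start cleanly; remove the registry subkey first, reboot, then delete the file.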

illukka
2006-10-29, 16:32
hi

looks like a downloader trojan.
to run hijackthis on the infected computer rename it to for example scanner.exe

then run it, do a scan and save a log file
post that here

xeons
2006-10-29, 16:47
hi

looks like a downloader trojan.
to run hijackthis on the infected computer rename it to for example scanner.exe

then run it, do a scan and save a log file
post that here

Well I was finally able to remove it, apparently it had an uninstall tool in the add/remove programs called "Advanced Browser", which is odd because I still have no idea what it did or anything. From what I can gather so far it's some sort of tracking software. And as for having HijackThis references, apparently the malware did not properly code a way to stop it from running because I was still able to run it. I now believe my system to be clean, if anything does come back up then I will notify you all.

illukka
2006-10-29, 16:59
ok, I'm submitting the nasty to various anti malware vendors to add detection
do some online scans to make sure it didn't install anything of a stealthier nature

let's close this topic then, if there are no further problems

xeons
2006-10-31, 23:11
Just giving you a go ahead to close the thread, I have not seen the pesky pop up come up since I have gotten it removed.

illukka
2006-11-02, 23:14
as the problem here seems to be resolved this topic is now closed
to get it reopened PM a staff member with the address of this thread.
this applies to the topic starter only, everyone else with similar problems start a new topic.

glad we could help :)

thank you :)