Spyware hiding from all forms of detection

Thread starter: Guest
I have a client computer suffering from "inconspicuous" popups. Counterspy,
MS Antispyware, Spybot, Adaware, Webroot all find nothing. Process Explorer
and task manager show nothing. HijackThis is clean. BUT I did find two
"rogue" processes by running aports.exe (which shows winsock ports and
associated processes). These two processes and their PID do not show up in
Process Explorer. The filesystem locations they are reported to exist in do
not exist, and I cannot find the actual executables on the hard drive. I can
terminate them via aports.exe, and when I then browse, they relaunch and I
get popups again. Any thoughts on finding these things and getting rid of
them? The processes are hyppxmib.exe & wuaskdll.exe, although I'm not
confident the names will remain the same between sessions.
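What makes this finding possible is a cross-view comparison: the winsock port table is one view of the running processes and the process list is another, and a PID present in the first but absent from the second has been hidden from the process-enumeration API, which is exactly the signature rootkit detectors look for. The script below is an added example, not code from this thread or from aports.exe or Process Explorer; the two listings are constructed and simplified (the PIDs, ports and paths are invented, only the two image names come from the post), and the function names are mine. It generalises the check to any number of views and adds the second signal from the post: the path the socket view reports does not exist on disk.

```python
"""Cross-view check for hidden processes, the trick that exposed the rogue
processes in the post above: a process that owns a socket (seen by a
winsock-port tool) but is absent from the process list is hidden from the
process-enumeration API.  Added example; the listings below are constructed
and simplified, not real aports.exe or Task Manager output."""
import os

# Constructed "process list" view: image name and PID, as Task Manager,
# tasklist or Process Explorer would present them.
PROCESS_VIEW = """\
System             4
svchost.exe      876
explorer.exe    1244
iexplore.exe    1860
"""

# Constructed "socket owner" view: image, PID, local port, reported path.
# PIDs, ports and paths are invented; only the two image names come from the post.
SOCKET_VIEW = """\
iexplore.exe  1860  1043  C:\\Program Files\\Internet Explorer\\iexplore.exe
hyppxmib.exe  1492  1061  C:\\WINDOWS\\system32\\hyppxmib.exe
wuaskdll.exe  1508  1062  C:\\WINDOWS\\system32\\wuaskdll.exe
svchost.exe    876   135  C:\\WINDOWS\\system32\\svchost.exe
"""


def parse_process_view(text):
    """{pid: {"image": name}} from 'image pid' lines."""
    view = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-1].isdigit():
            view[int(parts[-1])] = {"image": parts[0]}
    return view


def parse_socket_view(text):
    """{pid: {"image", "path", "ports"}} from 'image pid port path' lines."""
    view = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[1].isdigit():
            image, pid, port, path = parts
            entry = view.setdefault(int(pid), {"image": image, "path": path, "ports": []})
            entry["ports"].append(int(port))
    return view


def cross_view(views, complete):
    """views: {name: {pid: info}}; complete: names of the views that claim to
    list every process.  Returns {pid: [complete views that do NOT show it]}
    for each PID that some view shows but a complete view does not.  Works for
    any number of views, e.g. tasklist + Process Explorer + a socket table."""
    seen = set().union(*views.values())
    report = {}
    for pid in sorted(seen):
        missing = [name for name in complete if pid not in views[name]]
        if missing:
            report[pid] = missing
    return report


def findings(views, complete, exists=os.path.exists):
    """Pair the cross-view result with the second signal from the post: the
    path the socket view reports does not exist on disk.  `exists` is
    injectable because a file-hiding rootkit also filters directory listings,
    so a missing path is a hint to confirm with another tool, not proof."""
    out = []
    for pid, missing in cross_view(views, complete).items():
        info = next(v[pid] for v in views.values() if pid in v)
        path = info.get("path")
        out.append({"pid": pid, "image": info["image"], "hidden_from": missing,
                    "path_missing": path is not None and not exists(path)})
    return out


def report(exists=os.path.exists):
    """Run the check over the two constructed listings above."""
    views = {"tasklist": parse_process_view(PROCESS_VIEW),
             "aports": parse_socket_view(SOCKET_VIEW)}
    return findings(views, complete=["tasklist"], exists=exists)


if __name__ == "__main__":
    for f in report():
        print(f"PID {f['pid']} {f['image']}: hidden from {f['hidden_from']}, "
              f"path missing: {f['path_missing']}")
```

Only the views named in `complete` are expected to list everything; the socket table is partial by nature (most processes own no socket), so a PID that is in the process list but not in the port table is not reported. The `exists` argument is injectable on purpose: a file-hiding driver filters directory listings too, so an apparently missing path is a reason to bring in a raw-view tool such as Rootkit Revealer, not proof on its own, and it also lets the check run against listings saved from another machine.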
 
Try PC-Cillin2006 and Ewido. They usually pick up items that other Spyware
programs miss.
Ira
: Hello TechDesign,
:
: did you try a virus/trojan scanner???
: also try:
: http://www.hackercheck.com/?mode=c
: to look for open ports!
:
: Regards >*< TOM >*<
:
: TechDesign wrote:
: > I have a client computer suffering from "inconspicuous" popups. Counterspy,
: > MS Antispyware, Spybot, Adaware, Webroot all find nothing. Process Explorer
: > and task manager show nothing. HijackThis is clean. BUT I did find two
: > "rogue" processes by running aports.exe (which shows winsock ports and
: > associated processes). These two processes and their PID do not show up in
: > Process Explorer. The filesystem locations they are reported to exist in do
: > not exist, and I cannot find the actual executables on the hard drive. I can
: > terminate them via aports.exe, and when I then browse, they relaunch and I
: > get popups again. Any thoughts on finding these things and getting rid of
: > them? The processes are hyppxmib.exe & wuaskdll.exe, although I'm not
: > confident the names will remain the same between sessions.
 
Hi TechDesign

Have you enabled hidden files and folders before searching for the files,
assuming they haven't changed names?

To Enable Hidden Files and Folders

Click Start > Open My Computer > Select the Tools menu from the top bar and
click Folder Options > Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and
folders.
Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm > Click OK.

Set this back after you have checked for the files by opening the same page
and pressing "Restore Defaults"

If you can then find the files, upload them at Jotti's site to find out what
infection they relate to: http://virusscan.jotti.org/

If you still have problems, try F-Secure's Blacklight to check for rootkits:

http://www.europe.f-secure.com/exclude/blacklight/blbeta.exe

Instructions can be found here:

http://www.f-secure.com/blacklight/help/

Let us know if the problems continue and we will use other tools.

All The Best

Andy
 
> If you still have problems try F-Secure's Blacklight to check for rootkits

Didn't try this one, but it did turn out to be spyware hidden via rootkit
methods. Rootkit Revealer from SysInternals showed me wingenerics.dll,
ace.dll and several other files related to Apropos spyware. Guess I'll start
using Active Ports (aports.exe) and other rootkit tools more often...
 
Hi again

Glad you found the solution. Blacklight is a beta version but is easier for
novice users as it has a feature to rename the hidden files so that they can
be found when the system reboots, so I usually start with that to see if there
is a rootkit present. Rootkit Revealer is excellent but the results can be
confusing to some users. It's good to hear you were able to solve the issue
without any problems.

The Apropos rootkit, as you probably know, uses a kernel-level driver which is
installed into the windows/system32/drivers folder to hide files in Normal
Mode. If you still have a problem with this rootkit, remove the .sys file in
Safe Mode that is shown in the Rootkit Revealer log and then use the sc
delete command on the cmd screen to remove the service. Next, export the
registry software folder with the random name to find out what other files it
has on the system.

Here's an example, although these are randomly named so yours will be different:

This is the driver that hides the files:

C:\WINDOWS\system32\drivers\lrprwavd.sys

If shown, reboot into Safe Mode and delete the .sys file, as it will not show
in Normal Mode.

This is the folder to export:

[HKEY_LOCAL_MACHINE\Software\CpPVvAGRKU35]

Go to Start > Run, copy and paste the next command into the field, and change the
random name to match the name shown in Rootkit Revealer:

regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\CpPVvAGRKU35"

Click OK.

Search your C:\ for look.txt and open it; it will show details similar
to this:

[HKEY_LOCAL_MACHINE\Software\CpPVvAGRKU35]
@="7Ny\\S\\UfggfgghgwTYAx2zfggfvigB\\2w3B7gXdXYJRmlgIWNaJWXgGWNTXIaIhXdX"
"Device"="\\\\.\\DotVENG"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\lrprwavd.sys"
"DriverName"="SiFInIp"
"HideUninstallerName"="C:\\Program Files\\Obtadzbe\\mdpst570.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\lantsvrp.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{E2C57D8F-5433-4B94-B42E-2E5C058E4E17}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\snpbview.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="h**p://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X7240830-c113-56df-3dab-1d154a6f0b54}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Obtadzbe\\shmdfapi.exe"

Then you can remove the files and folders shown in look.txt. For the
above example you would open the cmd screen (Start > Run > cmd) and type

sc delete SiFInIp

press OK to remove the service.

Delete the folder in Program Files, which will contain the wingenerics.dll &
ace.dll files:

C:\Program Files\Obtadzbe

Delete the files in system32:

C:\WINDOWS\system32\snpbview.dll
C:\WINDOWS\system32\lantsvrp.exe

And finally remove the folder from the registry:

[HKEY_LOCAL_MACHINE\Software\CpPVvAGRKU35]

Regards

Andy
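The look.txt Andy pastes above is a plain regedit /e export, and every removal step he lists afterwards is read off that text by hand. The following is an added example, not code from this thread or from Rootkit Revealer, Blacklight or any other tool named here: a small parser for the export format (string unescaping, dword values, wrapped hex values) and a function that turns the exported key's DriverName, DriverPath, HDll, UninstallerPath, HideUninstallerName, ClientName and UninstallerRegKey values into the same checklist Andy derives. The sample data is the export from the post; the "Windows Registry Editor Version 5.00" header line, the function names and the rule that a file under Program Files implies its whole folder are my additions.

```python
"""Parse a regedit /e export (the look.txt above) into a removal checklist.
Added example, not code from the thread or from any tool it names.  The sample
is the export Andy posted plus the header regedit writes on a version-5 export;
regedit saves such files as UTF-16LE with a BOM, so read them with encoding="utf-16"."""
import ntpath
import re

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\CpPVvAGRKU35]
@="7Ny\\S\\UfggfgghgwTYAx2zfggfvigB\\2w3B7gXdXYJRmlgIWNaJWXgGWNTXIaIhXdX"
"Device"="\\\\.\\DotVENG"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\lrprwavd.sys"
"DriverName"="SiFInIp"
"HideUninstallerName"="C:\\Program Files\\Obtadzbe\\mdpst570.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\lantsvrp.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{E2C57D8F-5433-4B94-B42E-2E5C058E4E17}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\snpbview.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="h**p://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X7240830-c113-56df-3dab-1d154a6f0b54}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Obtadzbe\\shmdfapi.exe"
'''

# "name"=value or @=value; names use the same backslash escapes as values.
ENTRY_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
# Value names holding a file path, per the layout of the key Andy exported.
FILE_VALUES = ("DriverPath", "HideUninstallerName", "UninstallerPath", "HDll", "ClientName")


def _unescape(s):
    """Undo regedit escaping: doubled backslashes and backslash-quote."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _parse_value(raw):
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:, hex(n): or "-" (delete marker) kept as text


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for every [key] in the export."""
    keys, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):          # regedit wraps long hex: values
            buf = line[:-1]
            continue
        buf = ""
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := ENTRY_RE.match(line)):
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _parse_value(m.group(2))
    return keys


def removal_plan(text):
    """The checklist Andy works out by hand: the service to 'sc delete', the
    files and folders to remove, and the registry keys to delete."""
    plan = {"services": [], "files": [], "folders": [], "registry_keys": []}
    for key, values in parse_reg_export(text).items():
        plan["registry_keys"].append(key)
        if "DriverName" in values:
            plan["services"].append(values["DriverName"])
        plan["files"] += [values[n] for n in FILE_VALUES if n in values]
        if "UninstallerRegKey" in values:
            plan["registry_keys"].append(values["UninstallerRegKey"])
    # Heuristic (my assumption): files dropped under Program Files sit in a
    # folder of their own, so the whole folder goes; system32 files go singly.
    for path in plan["files"]:
        folder = ntpath.dirname(path)
        if folder.lower().startswith("c:\\program files\\") and folder not in plan["folders"]:
            plan["folders"].append(folder)
    return plan


if __name__ == "__main__":
    plan = removal_plan(SAMPLE_EXPORT)
    print("\n".join("sc delete " + s for s in plan["services"]))
    print(plan)
```

Run it and compare with the steps Andy lists: `sc delete SiFInIp`, the two system32 files, the Obtadzbe folder and the key itself; the export also names the Uninstall subkey, which the parser lists as a second registry key to check. The point of scripting this rather than eyeballing look.txt is that a new sample of the same family uses fresh random names but the same value names, so the checklist comes out right without re-reading the export.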
 