SUBSIM Radio Room Forums

SUBSIM Radio Room Forums (https://www.subsim.com/radioroom/index.php)
-   PC Hardware/Software forum (https://www.subsim.com/radioroom/forumdisplay.php?f=235)
-   -   Emergency: .DLL Spyware Assault (https://www.subsim.com/radioroom/showthread.php?t=129385)

Stealth Hunter 01-21-08 04:35 AM

Emergency: .DLL Spyware Assault
 
This .DLL extension had launched a HUGE assault on Internet websites on January 17th, friends. It's called The EgodKTF, and it's a dangerous little bugger. Not much more is known about it than the fact that it modifies your Internet toolbar. To add to that, the dangerous part comes from the fact that it opens your computer immediately to viruses (as in it disables your firewall and any currently running anti-virus utilities).

The good news is it's not too hard to remove. Just search your C:/ folder (all files and hidden folders) for the term: egod. The .DLL, if you're infected, should appear. Delete it, reboot, and it's completely gone. Your system is clean. I noticed that I had it on my system a few minutes ago and finally got rid of it (2 viruses detected on my PC, too; got them off with AVG).

On a side note, no known pattern of how it strikes (i.e. porn websites, P2P sites, etc.) has been acknowledged. Note however that it does cause a yellow strip to appear at the top of your website page with something about "Spyware Detected!" (rather long note). It's complete bogus. Ignore it. If you are infected, you WILL have this bar appear.

EDIT:

I've got more word and information on the .DLL file.

It seems that it is predominately spread through porn sites and/or pop-ups, although there are some exceptions in the case of P2P programs (and before you start wondering, mine was an exception; probably came from the music I downloaded off of LimeWire). It is currently being classified as a Spyware Trojan, and it seems that NO anti-virus/anti-spyware programs are going to spot it with real-time protection turned on (I had mine off; DAMN YOU, AVG!). The main way to remove this crap from your PC is to use a program known as SmitFraud (see my post, Post #9, for the link to the web thread that contains instructions and a download link).

Unfortunately, it seems that SmitFraud does not remove the yellow bar that appears when Internet Explorer is opened (at the top of a web page; it reads: "Warning: possible spyware or adware infection! Click here to scan your computer for spyware and adware..."). Once again, DO NOT CLICK THE "CLICK HERE" LINK. It seems that some of the infection is spread through that link. There is a way to remove the yellow bar, but I'm not sure if you want it or not (Google the text on the yellow bar and you should find a web page on the first page of search results that will contain info on how to remove it).

Also, please ignore any web pages that might appear with warnings concerning security on your system (you might have one appear that displays a list of errors; if it is a web page, ignore it). You will also be receiving desktop warnings (Windows Security Alerts), but you must always cancel these. They'll appear every 4 or 7 minutes. Please also note that this Trojan disables your task manager |to re-enable it: 1) Click "Start" 2) Click "Run" 3) Type in "gpedit.msc" [without the quotation marks] 4) Click "Administrative Templates" [the + button] 5) Click the + on "System" 6) CTRL+ALT+DELETE OPTIONS 7) Click the "Remove Task Manager" label and change it to "Disable"|

I'm still doing research into this bitchy thing, and I'll see what else I can find out on it.

EDIT: Found this for you guys:

The filename EGODKTF.DLL was first seen on Jan 17 2008 in The UNITED KINGDOM. It has also been seen in the following geographical regions of the Prevx community:
  • The UNITED STATES on Jan 17 2008
  • CANADA on Jan 20 2008
  • BELGIUM on Jan 20 2008
  • GERMANY on Jan 17 2008
The filename EGODKTF.DLL refers to many versions of a dynamic link library.


The most common file size is 200,704 bytes. But the following file sizes have also been seen:
  • 172,032 bytes
  • 176,128 bytes
The unsafe files using this name are associated with the malware group Downloader.Zlob.SE.


These files have no vendor, product or version information specified in the file header.

EGODKTF.DLL has been seen to perform the following behavior(s):
  • Creates a Toolbar Extention for Internet Explorer
  • Enables an In Process Object/Server - Common with DLL Injections
  • Registers a Dynamic Link Libray (DLL) File
EGODKTF.DLL has been the subject of the following behavior(s):
  • Enabled as an In Process Object/Server - Common with DLL Injections
  • Registered as a Dynamic Link Libray (DLL) File
  • Deleted as a process from disk
  • Created as a process on disk
  • Registered as a Dynamic Link Library File
  • Executed as a Process
  • Created as a Toolbar Extention for Internet Explorer
EGODKTF.DLL can also use the following file names:
  • 49039432.DLL
  • 06419857.DLL
  • 28964308.DLL
  • 00028742.DLL
  • 45607811.DLL
ACHTUNG!

I believe I have finally found a way to defeat this irritating little bastard. You will need a tool known as "Unlocker" to do this. Search your C:/ folder for the following things:

-"dopfwrllwr" (should come up as a .DLL file) [Downloader.Zlob.SN]
-"bxsnvqt" (also a .DLL) [Generic.Malware]
-"fknxwqf" (also a .DLL) [Generic.Malware]

These files are protected with an "Access Denied" message. Use the Unlocker tool to open them. Click the "Unlock All" tab on the tool and then hit the delete key over the files. Remove them from your Recycle Bin, and that MIGHT cure the problem. Note that users in the United Kingdom are at the highest risk at the moment (due to the fact that the thing was first spotted there). I don't know if this will defeat the thing for good or if it will fail, but it's worth a shot. The messages and pop-ups might appear again, but so far, I've not had a problem.

BIG THANKS TO PREVX CSI TOOL WHICH HELPED ME LOCATE THE FILES AND ELABORATED IN GREAT DETAIL AS TO THEIR IDENTITY.

Kapitan_Phillips 01-21-08 08:19 AM

Thanks for the heads up :up:

Even though I havent gotten that yellow bar yet, I'm going to have a search anyway, just incase.

Jimbuna 01-21-08 08:34 AM

Hope it's not able to get past the better anti virus programmes such as Nod and Kasp etc.
Don't get me wrong, I also have a system using AVG, which seldom causes a problem.

Thanks for the warning SH :up:

Dowly 01-21-08 08:42 AM

No worries, I have Bean Raider covering my AV issues. :smug:

http://www.pozehaioase.ro/albums/per...beanraider.jpg

Stealth Hunter 01-21-08 10:25 AM

MAJOR PROBLEMS! I NEED HELP RIGHT NOW!

Task Manager has been disabled by the "System Administrator", the yellow bar is back, a bunch of bogus Windows Security Alerts pop up, several internet icons linking to protection magically appeared on my desktop, and I'm at the end of my rope.

I'm POSITIVE someone has gotten into my system and is still currently on it. I need help RIGHT NOW, PEOPLE. RIGHT NOW, GODDAMMIT!

Dowly 01-21-08 10:35 AM

I had similar virus few months back that restricted my access to any system management options. The whole control panel was missing from the start menu. I couldnt find it with Avast, AVG, search & destroy nor Ad-aware. So I had to format & do a clean reinstall. Hope it doesnt go to that on your end. :nope:

elite_hunter_sh3 01-21-08 10:41 AM

boot into safe mode, and run ad-aware and AVG. should clean it all up

lesrae 01-21-08 10:43 AM

There are doubtless many ways to sort it, I'd probably follow the info at www.majorgeeks.com - they are pretty good.

http://forums.majorgeeks.com/showthread.php?t=35407

Stealth Hunter 01-21-08 10:55 AM

Think I nabbed it. There's this cool program called SmitFraud that I used. Here's a link to the site that hosts instructions and a download mirror:

http://www.bleepingcomputer.com/forums/topic17258.html

Still have that yellow bar popping up, though. Doesn't seem to be anything else, just the damned bar... Aw well. I can live with it. However, I'm going to be calling out AVG, CA, Avast, and Spywar Doc to at least attempt to clean up whatever MIGHT be left (in the very slim chance that anything actually survived the SmitFraud run.

Stealth Hunter 01-21-08 11:10 AM

Quote:

Originally Posted by elite_hunter_sh3
boot into safe mode, and run ad-aware and AVG. should clean it all up

If the irritating little bastard decides to start up again, that's what I'll be doing.

The Munster 01-21-08 11:14 AM

Quote:

Originally Posted by Dowly
No worries, I have Bean Raider covering my AV issues. :smug:

http://www.pozehaioase.ro/albums/per...beanraider.jpg

Wow, Bean Raider, where can I get me one of them ? :hmm:

Stealth Hunter 01-21-08 11:17 AM

Lol, I've just envisioned his head on the Terminator's body!:rotfl:

The Munster 01-21-08 11:35 AM

his .. you mean it's a man ! Jeez, must have eye-strain from looking for Convoys on the Bridge in the middle of the night
:rotfl:

Stealth Hunter 01-21-08 11:38 AM

It could be a man, it could be the ugliest woman we've ever seen, and it could be a beaver. Quite frankly, though, we don't know what the hell it is. This can only be said... in The Twilight Zone.

Jimbuna 01-21-08 12:24 PM

I much prefer...............ROBOBOBBY

http://img119.imageshack.us/img119/1...bobobbyon3.jpg


All times are GMT -5. The time now is 01:00 PM.

Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright © 1995- 2024 Subsim®
"Subsim" is a registered trademark, all rights reserved.