SUBSIM Radio Room Forums



SUBSIM: The Web's #1 resource for all submarine & naval simulations since 1997

Old 01-21-08, 04:35 AM   #1
Stealth Hunter
Silent Hunter
 
Join Date: Nov 2006
Location: Y'ha-Nthlei
Posts: 4,262
Downloads: 19
Uploads: 0
Emergency: .DLL Spyware Assault

This .DLL extension had launched a HUGE assault on Internet websites on January 17th, friends. It's called The EgodKTF, and it's a dangerous little bugger. Not much more is known about it than the fact that it modifies your Internet toolbar. To add to that, the dangerous part comes from the fact that it opens your computer immediately to viruses (as in it disables your firewall and any currently running anti-virus utilities).

The good news is it's not too hard to remove. Just search your C:/ folder (all files and hidden folders) for the term: egod. The .DLL, if you're infected, should appear. Delete it, reboot, and it's completely gone. Your system is clean. I noticed that I had it on my system a few minutes ago and finally got rid of it (2 viruses detected on my PC, too; got them off with AVG).

On a side note, no known pattern of how it strikes (i.e. porn websites, P2P sites, etc.) has been acknowledged. Note however that it does cause a yellow strip to appear at the top of your website page with something about "Spyware Detected!" (rather long note). It's completely bogus. Ignore it. If you are infected, you WILL have this bar appear.

EDIT:

I've got more word and information on the .DLL file.

It seems that it is predominantly spread through porn sites and/or pop-ups, although there are some exceptions in the case of P2P programs (and before you start wondering, mine was an exception; probably came from the music I downloaded off of LimeWire). It is currently being classified as a Spyware Trojan, and it seems that NO anti-virus/anti-spyware programs are going to spot it with real-time protection turned on (I had mine off; DAMN YOU, AVG!). The main way to remove this crap from your PC is to use a program known as SmitFraud (see my post, Post #9, for the link to the web thread that contains instructions and a download link).

Unfortunately, it seems that SmitFraud does not remove the yellow bar that appears when Internet Explorer is opened (at the top of a web page; it reads: "Warning: possible spyware or adware infection! Click here to scan your computer for spyware and adware..."). Once again, DO NOT CLICK THE "CLICK HERE" LINK. It seems that some of the infection is spread through that link. There is a way to remove the yellow bar, but I'm not sure if you want it or not (Google the text on the yellow bar and you should find a web page on the first page of search results that will contain info on how to remove it).

Also, please ignore any web pages that might appear with warnings concerning security on your system (you might have one appear that displays a list of errors; if it is a web page, ignore it). You will also be receiving desktop warnings (Windows Security Alerts), but you must always cancel these. They'll appear every 4 or 7 minutes. Please also note that this Trojan disables your task manager. To re-enable it:

1) Click "Start"
2) Click "Run"
3) Type in "gpedit.msc" [without the quotation marks]
4) Click "Administrative Templates" [the + button]
5) Click the + on "System"
6) CTRL+ALT+DELETE OPTIONS
7) Click the "Remove Task Manager" label and change it to "Disable"

I'm still doing research into this bitchy thing, and I'll see what else I can find out on it.

EDIT: Found this for you guys:

The filename EGODKTF.DLL was first seen on Jan 17 2008 in The UNITED KINGDOM. It has also been seen in the following geographical regions of the Prevx community:
  • The UNITED STATES on Jan 17 2008
  • CANADA on Jan 20 2008
  • BELGIUM on Jan 20 2008
  • GERMANY on Jan 17 2008
The filename EGODKTF.DLL refers to many versions of a dynamic link library.

The most common file size is 200,704 bytes. But the following file sizes have also been seen:
  • 172,032 bytes
  • 176,128 bytes
The unsafe files using this name are associated with the malware group Downloader.Zlob.SE.

These files have no vendor, product or version information specified in the file header.

EGODKTF.DLL has been seen to perform the following behavior(s):
  • Creates a Toolbar Extension for Internet Explorer
  • Enables an In Process Object/Server - Common with DLL Injections
  • Registers a Dynamic Link Library (DLL) File
EGODKTF.DLL has been the subject of the following behavior(s):
  • Enabled as an In Process Object/Server - Common with DLL Injections
  • Registered as a Dynamic Link Library (DLL) File
  • Deleted as a process from disk
  • Created as a process on disk
  • Registered as a Dynamic Link Library File
  • Executed as a Process
  • Created as a Toolbar Extension for Internet Explorer
EGODKTF.DLL can also use the following file names:
  • 49039432.DLL
  • 06419857.DLL
  • 28964308.DLL
  • 00028742.DLL
  • 45607811.DLL
ACHTUNG!

I believe I have finally found a way to defeat this irritating little bastard. You will need a tool known as "Unlocker" to do this. Search your C:/ folder for the following things:

-"dopfwrllwr" (should come up as a .DLL file) [Downloader.Zlob.SN]
-"bxsnvqt" (also a .DLL) [Generic.Malware]
-"fknxwqf" (also a .DLL) [Generic.Malware]

These files are protected with an "Access Denied" message. Use the Unlocker tool to open them. Click the "Unlock All" tab on the tool and then hit the delete key over the files. Remove them from your Recycle Bin, and that MIGHT cure the problem. Note that users in the United Kingdom are at the highest risk at the moment (due to the fact that the thing was first spotted there). I don't know if this will defeat the thing for good or if it will fail, but it's worth a shot. The messages and pop-ups might appear again, but so far, I've not had a problem.

BIG THANKS TO PREVX CSI TOOL WHICH HELPED ME LOCATE THE FILES AND ELABORATED IN GREAT DETAIL AS TO THEIR IDENTITY.

Last edited by Stealth Hunter; 01-21-08 at 03:59 PM.
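As an added example (not code from the post, from Prevx or from SmitFraud), here is a small Python script a defender could use to turn the indicators quoted above into a filesystem sweep: it walks a directory tree and flags files whose names match EGODKTF.DLL, its listed eight-digit aliases, the three DLL names from the later edit, or the listed file sizes. It also includes a Windows-only check of the per-user "DisableTaskMgr" registry policy value, which is the value the gpedit.msc "Remove Task Manager" setting in the post writes; that registry path is standard Windows policy location, not something quoted in the thread. The sample files are constructed in a temporary directory so the script can be run offline as a dry run; point scan() at a real drive root to use it for real.

```python
import os
import re
import sys
import tempfile
from pathlib import Path

# Indicators copied from the Prevx report and the later edit quoted in the post above.
KNOWN_NAMES = {
    "egodktf.dll",
    "49039432.dll", "06419857.dll", "28964308.dll", "00028742.dll", "45607811.dll",
    "dopfwrllwr.dll", "bxsnvqt.dll", "fknxwqf.dll",
}
KNOWN_SIZES = {200_704, 172_032, 176_128}
# Every alias in the report is an eight-digit numeric .DLL name; treat that shape as suspicious too.
NUMERIC_DLL = re.compile(r"^\d{8}\.dll$", re.IGNORECASE)


def classify(path: Path) -> list:
    """Return the reasons a file matches the indicators (empty list means no match)."""
    reasons = []
    name = path.name.lower()
    if name in KNOWN_NAMES:
        reasons.append("known-name")
    elif NUMERIC_DLL.match(name):
        reasons.append("numeric-dll-name")
    if name.endswith(".dll"):
        try:
            size = path.stat().st_size
        except OSError:  # locked or vanished file: report what we know so far
            return reasons
        if size in KNOWN_SIZES:
            reasons.append(f"known-size:{size}")
    return reasons


def scan(root) -> dict:
    """Walk root and map each matching file (path relative to root, POSIX form) to its reasons."""
    root = Path(root)
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            reasons = classify(p)
            if reasons:
                hits[p.relative_to(root).as_posix()] = reasons
    return hits


def task_manager_disabled():
    """Windows only: True if the per-user 'DisableTaskMgr' policy value is set to 1.

    This is the value the gpedit.msc 'Remove Task Manager' setting writes (assumption:
    the standard HKCU policy path). Returns None on non-Windows platforms.
    """
    if sys.platform != "win32":
        return None
    import winreg
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
            value, _kind = winreg.QueryValueEx(key, "DisableTaskMgr")
    except OSError:  # key or value absent: policy not applied
        return False
    return value == 1


def build_sample_tree(base) -> Path:
    """Create a constructed directory tree with benign and matching files for a dry run."""
    root = Path(base)
    samples = {
        "Windows/System32/EGODKTF.DLL": 200_704,   # name and size both match
        "Windows/System32/kernel32.dll": 1_000,    # benign control
        "Program Files/Temp/49039432.DLL": 10,     # listed alias, unusual size
        "Temp/12345678.dll": 5,                    # alias-shaped name not in the list
        "Temp/dopfwrllwr.dll": 172_032,            # name from the later edit, listed size
        "Docs/report.txt": 200_704,                # listed size but not a DLL: ignored
    }
    for rel, size in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\0" * size)
    return root


def demo() -> dict:
    """Build the sample tree in a temporary directory, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_tree(tmp))


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"{path}: {', '.join(reasons)}")
    print("Task Manager policy disabled:", task_manager_disabled())
```

Size-only matches are restricted to .dll files because 200,704 bytes is a common size for legitimate files too; a name match is the stronger signal, and a hit on both is what the Prevx report describes.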
Old 01-21-08, 08:19 AM   #2
Kapitan_Phillips
Silent Hunter
 
 
Join Date: Jul 2005
Location: Swansea
Posts: 3,902
Downloads: 203
Uploads: 0

Thanks for the heads up

Even though I haven't gotten that yellow bar yet, I'm going to have a search anyway, just in case.
__________________
Well, here's another nice mess you've gotten me into.
Old 01-21-08, 08:34 AM   #3
Jimbuna
Chief of the Boat
 
 
Join Date: Feb 2006
Location: 250 metres below the surface
Posts: 181,217
Downloads: 63
Uploads: 13


Hope it's not able to get past the better anti virus programmes such as Nod and Kasp etc.
Don't get me wrong, I also have a system using AVG, which seldom causes a problem.

Thanks for the warning SH
__________________
Wise men speak because they have something to say; Fools because they have to say something.
Oh my God, not again!!


GWX3.0 Download Page - Donation/instant access to GWX (Help SubSim)
Old 01-21-08, 08:42 AM   #4
Dowly
Lucky Jack
 
Join Date: Apr 2005
Location: Finland
Posts: 25,005
Downloads: 32
Uploads: 0


No worries, I have Bean Raider covering my AV issues.

Old 01-21-08, 10:25 AM   #5
Stealth Hunter
Silent Hunter
 
Join Date: Nov 2006
Location: Y'ha-Nthlei
Posts: 4,262
Downloads: 19
Uploads: 0

MAJOR PROBLEMS! I NEED HELP RIGHT NOW!

Task Manager has been disabled by the "System Administrator", the yellow bar is back, a bunch of bogus Windows Security Alerts pop up, several internet icons linking to protection magically appeared on my desktop, and I'm at the end of my rope.

I'm POSITIVE someone has gotten into my system and is still currently on it. I need help RIGHT NOW, PEOPLE. RIGHT NOW, GODDAMMIT!
Old 01-21-08, 10:35 AM   #6
Dowly
Lucky Jack
 
Join Date: Apr 2005
Location: Finland
Posts: 25,005
Downloads: 32
Uploads: 0


I had a similar virus a few months back that restricted my access to any system management options. The whole control panel was missing from the start menu. I couldn't find it with Avast, AVG, Search & Destroy nor Ad-Aware. So I had to format & do a clean reinstall. Hope it doesn't go to that on your end.
Old 01-21-08, 10:41 AM   #7
elite_hunter_sh3
The Old Man
 
Join Date: Nov 2005
Posts: 1,376
Downloads: 6
Uploads: 0

Boot into safe mode, and run Ad-Aware and AVG. Should clean it all up.
Old 01-21-08, 10:43 AM   #8
lesrae
Grey Wolf
 
 
Join Date: Feb 2004
Location: Somerset, UK.
Posts: 931
Downloads: 31
Uploads: 0


There are doubtless many ways to sort it, I'd probably follow the info at www.majorgeeks.com - they are pretty good.

http://forums.majorgeeks.com/showthread.php?t=35407
Old 01-21-08, 10:55 AM   #9
Stealth Hunter
Silent Hunter
 
Join Date: Nov 2006
Location: Y'ha-Nthlei
Posts: 4,262
Downloads: 19
Uploads: 0

Think I nabbed it. There's this cool program called SmitFraud that I used. Here's a link to the site that hosts instructions and a download mirror:

http://www.bleepingcomputer.com/forums/topic17258.html

Still have that yellow bar popping up, though. Doesn't seem to be anything else, just the damned bar... Ah well. I can live with it. However, I'm going to be calling out AVG, CA, Avast, and Spyware Doc to at least attempt to clean up whatever MIGHT be left (in the very slim chance that anything actually survived the SmitFraud run).
Old 01-21-08, 11:10 AM   #10
Stealth Hunter
Silent Hunter
 
Join Date: Nov 2006
Location: Y'ha-Nthlei
Posts: 4,262
Downloads: 19
Uploads: 0

Quote:
Originally Posted by elite_hunter_sh3
Boot into safe mode, and run Ad-Aware and AVG. Should clean it all up.
If the irritating little bastard decides to start up again, that's what I'll be doing.
Old 01-21-08, 11:14 AM   #11
The Munster
Ace of the Deep
 
Join Date: Jul 2006
Location: Deepest Dumbria
Posts: 1,243
Downloads: 2
Uploads: 0

Quote:
Originally Posted by Dowly
No worries, I have Bean Raider covering my AV issues.

Wow, Bean Raider, where can I get me one of them? :hmm:
__________________
GWX Team Member; Retired
GWX Home Page
Old 01-21-08, 11:17 AM   #12
Stealth Hunter
Silent Hunter
 
Join Date: Nov 2006
Location: Y'ha-Nthlei
Posts: 4,262
Downloads: 19
Uploads: 0

Lol, I've just envisioned his head on the Terminator's body!:rotfl:
Old 01-21-08, 11:35 AM   #13
The Munster
Ace of the Deep
 
Join Date: Jul 2006
Location: Deepest Dumbria
Posts: 1,243
Downloads: 2
Uploads: 0

His... you mean it's a man! Jeez, must have eye-strain from looking for Convoys on the Bridge in the middle of the night.
:rotfl:
__________________
GWX Team Member; Retired
GWX Home Page
Old 01-21-08, 11:38 AM   #14
Stealth Hunter
Silent Hunter
 
Join Date: Nov 2006
Location: Y'ha-Nthlei
Posts: 4,262
Downloads: 19
Uploads: 0

It could be a man, it could be the ugliest woman we've ever seen, and it could be a beaver. Quite frankly, though, we don't know what the hell it is. This can only be said... in The Twilight Zone.
Old 01-21-08, 12:24 PM   #15
Jimbuna
Chief of the Boat
 
 
Join Date: Feb 2006
Location: 250 metres below the surface
Posts: 181,217
Downloads: 63
Uploads: 13


I much prefer...............ROBOBOBBY

__________________
Wise men speak because they have something to say; Fools because they have to say something.
Oh my God, not again!!


GWX3.0 Download Page - Donation/instant access to GWX (Help SubSim)
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright © 1995- 2024 Subsim®
"Subsim" is a registered trademark, all rights reserved.