SUBSIM Radio Room Forums > General > General Topics > PC Hardware/Software forum
Old 01-21-08, 04:35 AM   #1
Stealth Hunter
Silent Hunter
 
Join Date: Nov 2006
Location: Y'ha-Nthlei
Posts: 4,262
Downloads: 19
Uploads: 0
Emergency: .DLL Spyware Assault

This .DLL extension launched a HUGE assault on Internet websites on January 17th, friends. It's called The EgodKTF, and it's a dangerous little bugger. Not much more is known about it than the fact that it modifies your Internet toolbar. To add to that, the dangerous part comes from the fact that it opens your computer immediately to viruses (as in it disables your firewall and any currently running anti-virus utilities).

The good news is it's not too hard to remove. Just search your C:/ folder (all files and hidden folders) for the term: egod. The .DLL, if you're infected, should appear. Delete it, reboot, and it's completely gone. Your system is clean. I noticed that I had it on my system a few minutes ago and finally got rid of it (2 viruses detected on my PC, too; got them off with AVG).

On a side note, no known pattern of how it strikes (i.e. porn websites, P2P sites, etc.) has been acknowledged. Note however that it does cause a yellow strip to appear at the top of your website page with something about "Spyware Detected!" (rather long note). It's completely bogus. Ignore it. If you are infected, you WILL have this bar appear.

EDIT:

I've got more word and information on the .DLL file.

It seems that it is predominantly spread through porn sites and/or pop-ups, although there are some exceptions in the case of P2P programs (and before you start wondering, mine was an exception; probably came from the music I downloaded off of LimeWire). It is currently being classified as a Spyware Trojan, and it seems that NO anti-virus/anti-spyware programs are going to spot it with real-time protection turned on (I had mine off; DAMN YOU, AVG!). The main way to remove this crap from your PC is to use a program known as SmitFraud (see my post, Post #9, for the link to the web thread that contains instructions and a download link).

Unfortunately, it seems that SmitFraud does not remove the yellow bar that appears when Internet Explorer is opened (at the top of a web page; it reads: "Warning: possible spyware or adware infection! Click here to scan your computer for spyware and adware..."). Once again, DO NOT CLICK THE "CLICK HERE" LINK. It seems that some of the infection is spread through that link. There is a way to remove the yellow bar, but I'm not sure if you want it or not (Google the text on the yellow bar and you should find a web page on the first page of search results that will contain info on how to remove it).

Also, please ignore any web pages that might appear with warnings concerning security on your system (you might have one appear that displays a list of errors; if it is a web page, ignore it). You will also be receiving desktop warnings (Windows Security Alerts), but you must always cancel these. They'll appear every 4 or 7 minutes. Please also note that this Trojan disables your task manager. To re-enable it:

1) Click "Start"
2) Click "Run"
3) Type in "gpedit.msc" [without the quotation marks]
4) Click "Administrative Templates" [the + button]
5) Click the + on "System"
6) CTRL+ALT+DELETE OPTIONS
7) Click the "Remove Task Manager" label and change it to "Disable"

I'm still doing research into this bitchy thing, and I'll see what else I can find out on it.

EDIT: Found this for you guys:

The filename EGODKTF.DLL was first seen on Jan 17 2008 in The UNITED KINGDOM. It has also been seen in the following geographical regions of the Prevx community:
  • The UNITED STATES on Jan 17 2008
  • CANADA on Jan 20 2008
  • BELGIUM on Jan 20 2008
  • GERMANY on Jan 17 2008
The filename EGODKTF.DLL refers to many versions of a dynamic link library.

The most common file size is 200,704 bytes. But the following file sizes have also been seen:
  • 172,032 bytes
  • 176,128 bytes
The unsafe files using this name are associated with the malware group Downloader.Zlob.SE.

These files have no vendor, product or version information specified in the file header.

EGODKTF.DLL has been seen to perform the following behavior(s):
  • Creates a Toolbar Extension for Internet Explorer
  • Enables an In Process Object/Server - Common with DLL Injections
  • Registers a Dynamic Link Library (DLL) File
EGODKTF.DLL has been the subject of the following behavior(s):
  • Enabled as an In Process Object/Server - Common with DLL Injections
  • Registered as a Dynamic Link Library (DLL) File
  • Deleted as a process from disk
  • Created as a process on disk
  • Registered as a Dynamic Link Library File
  • Executed as a Process
  • Created as a Toolbar Extension for Internet Explorer
EGODKTF.DLL can also use the following file names:
  • 49039432.DLL
  • 06419857.DLL
  • 28964308.DLL
  • 00028742.DLL
  • 45607811.DLL
ACHTUNG!

I believe I have finally found a way to defeat this irritating little bastard. You will need a tool known as "Unlocker" to do this. Search your C:/ folder for the following things:

-"dopfwrllwr" (should come up as a .DLL file) [Downloader.Zlob.SN]
-"bxsnvqt" (also a .DLL) [Generic.Malware]
-"fknxwqf" (also a .DLL) [Generic.Malware]

These files are protected with an "Access Denied" message. Use the Unlocker tool to open them. Click the "Unlock All" tab on the tool and then hit the delete key over the files. Remove them from your Recycle Bin, and that MIGHT cure the problem. Note that users in the United Kingdom are at the highest risk at the moment (due to the fact that the thing was first spotted there). I don't know if this will defeat the thing for good or if it will fail, but it's worth a shot. The messages and pop-ups might appear again, but so far, I've not had a problem.

BIG THANKS TO PREVX CSI TOOL WHICH HELPED ME LOCATE THE FILES AND ELABORATED IN GREAT DETAIL AS TO THEIR IDENTITY.

Last edited by Stealth Hunter; 01-21-08 at 03:59 PM.
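A Windows triage script, added here and not part of the original post, that checks for the three things the post describes: the Task Manager policy that gpedit's "Remove Task Manager" setting controls, files with the names listed above, and the Internet Explorer toolbar / Browser Helper Object registrations a toolbar extension needs. The file names come from the post; the registry paths are the standard Windows locations for those settings; the function names and the `$Root` parameter are assumptions of this example.

```powershell
# Added triage example (not from the original post). File names below are the ones the
# post lists; registry paths are standard Windows locations, not values from the post.
$suspectNames = @('egodktf.dll', 'dopfwrllwr.dll', 'bxsnvqt.dll', 'fknxwqf.dll',
                  '49039432.dll', '06419857.dll', '28964308.dll', '00028742.dll', '45607811.dll')

function Get-TaskManagerPolicy {
    # gpedit's "Remove Task Manager" setting writes DisableTaskMgr=1 under this key.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($val -eq 1) { 'Task Manager is disabled by policy (DisableTaskMgr=1)' }
    else            { 'Task Manager policy not set' }
}

function Find-SuspectDlls {
    param([string]$Root = 'C:\')   # assumed parameter: where to start the recursive search
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $suspectNames -contains $_.Name.ToLower() } |
        ForEach-Object {
            # Size is reported because the post cites 200,704 / 172,032 / 176,128 bytes for egodktf.dll.
            [pscustomobject]@{
                Path  = $_.FullName
                Bytes = $_.Length
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Get-IeExtensions {
    # Toolbars (CLSIDs as value names) and BHOs (CLSIDs as subkeys) are registered here;
    # each CLSID is resolved to its InprocServer32 DLL so an unknown DLL stands out.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $clsids = @()
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($props) { $clsids += ($props.PSObject.Properties | Where-Object { $_.Name -like '{*}' }).Name }
        $clsids += (Get-ChildItem -Path $k -ErrorAction SilentlyContinue).PSChildName
        foreach ($c in ($clsids | Select-Object -Unique)) {
            $srv = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$c\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Key = $k; CLSID = $c; Dll = $srv }
        }
    }
}

Get-TaskManagerPolicy
Find-SuspectDlls | Format-Table -AutoSize
Get-IeExtensions | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the recursive file search and HKLM reads are not cut short by access-denied errors; any toolbar or BHO whose DLL has no vendor information, as the Prevx report describes, is the one to investigate.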