Monday, March 16, 2009

Nasty Trojan - Spyware Protect 2009

Nasty Trojan - Spyware Protect 2009 on Windows XP SP2

Spyware Protect 2009 comes on a computer with a single purpose: to get your money and possibly hijack your online banking account. SpywareProtect 2009 is presented as anti-spyware as you may guess by reading its name. Spyware Protect 2009 is not anti-spyware although it is able to mimic some actions performed by security applications.

Not sure how this trojan was acquired.

At 2:40 PM local time (the time the HOSTS file was modified) - Backdoor Trogan file captured and modified the following:
1. Placed sysguard in C:\Windows
2. Registered iehelper.dll with the registry and placed in c:\windows\system32\
3. Modified hosts file and added a fake entry.
4. Added registry settings for Browser Helper.

Symptom:
Everytime Windows Explorer or IE would go to website or change folder, the following website would pop up:

http://browser-security.microsoft.com/block.php?r=17.2

I took the following actions:

1. Terminated sysguard out of Tasks List
2. Deleted sysguard.exe out of c:\windows\
3. Deleted iehelper.dll out of c:\windows\system32\

4. Deleted following entry out of HOSTS file c:\windows\system32\drivers\etc\

195.245.119.131 browser-security.microsoft.com

5. Deleted the following registry settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C9C42510-9B21-41c1-9DCD-8382A2D07C61}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C9C42510-9B21-41c1-9DCD-8382A2D07C61}\InProcServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowserHelper Objects

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowserHelperObjects\{C9C42510-9B21-41c1-9DCD-8382A2D07C61}


Reference:
http://www.threatexpert.com/report.aspx?md5=f42ecaab6442d21e4beba274875d882b

Rebooted workstation and now verified that all is working.

If the user was running an iMac or Linux this problem wouldn't happen. ;-)




12 comments:

Anonymous said...

This just happened to me. The only difference was the IP in the corrupted hosts file (91.212.65.122 in my case). Both your IP and mine are hosted somewhere in the Ukraine.

I think it was installed via a hacked PDF I carelessly opened (around 5k, uncharacteristically small for a PDF — I checked its size when it didn't display anything in Acrobat Reader).

The iehelper DLL makes Explorer direct the browser to a phony Microsoft security site hosted at the IP in the hosts file.

Anonymous said...

Hi, I have the same problem .However my error is http://browser-security.microsoft.com/block.php?r=21.1 . I could not find the hosts files with any of the information that you mentioned. Can you please help ? or is it a differnt error from what you had as mentioned by you.

Abhi (Denver) said...

Thank you ..thank you so much.....it worked for me. A trick though if you are not able to delete the iehelper.dll then rename it {iehelper.dll.old). Reboot the machine and then find the renamed file and delete it.

Anonymous said...

I had the 21.1 problem, but with the help of this entry, booting in safe mode, and along with the reference link you posted, I was able to delete out most of the files causing this awful virus to run. No problems as of yet.

Anonymous said...

Thank you ..thank you so much.....it really worked for me.

xInfern0x said...

how do i delete the rigistry settings? is it different if it is 21.1 instead of 17.2? THANKS!

Jigar Dave said...

I had similar problem today.
The browser was redirecting to something like "security.microsoft.com/block.php?r=21.1".

I followed all steps given by you.

However, I encountered two problems.

My registry entries were different from yours.

I went first to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowserHelper Objects and found two entries there. I noted down these entries and went to HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\ and deleted them here. After this, I deleted entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowserHelper Objects.

On the way to removing this virus, I was not able to delete iehelper.dll before deleting the registry entries. Once I removed the registry entries, I restarted the machine and after that I could delete them.

Also Windows Exploer was not allowing me to delete the sysguard.exe file. So I went to command prompt and from there I deleted the file. (This was the second step that I took after terminating the sysguard.exe process from Task Manager.

I hope it helps others as well.

Anonymous said...

Thanks for posting this Bucky - this problem happened to me and your instructions did the trick!

Jon said...

Bucky, I had the same problems. Your blog saved the day. You rock!

Jon

Hapos said...

I also had this problem, I never thought that a pdf file could bring such havoc. In my case I was able to eradicate sysguard from my system using two utilities called Unlocker Assistant and hijackthis. The first one is useful to close any application that cant be deleted because it is being used. The second one is to check all processes that are being invoked.

I was able to delete the majority but I kept getting the microsoft url redirect. Thanks to this website I found that the problem was the iehelper.dll which already looked suspicious but didnt bother to delete it. Hopefully that was the last of it.

Besides the above, my firewall noticed a file called e.exe attempting to access the the internet. I was able to delete it. You guys should also check your prefetch directory, as I always find copies of the trojans in there.

James said...

Wow that's great. Could it also work on windows vista. Xoftspyse

Anonymous said...

Interesting blog you got here. I'd like to read something more about that matter. The only thing your blog misses is some photos of such devices as gps blocker.