Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

Forum: Virus, Worm & Trojan Alerts
Topic: CurePCSolutions
ipl_001 (SWW Graduate, Paris, France)
Posted: Sat Dec 16, 2006 3:15 pm    Post subject: CurePCSolutions

Hi everyone,

We've got 3 cases of CurePCSolutions on Zebulon (my French forum) so far!
For example: CurePCSolutions adds .exe to files

Oodles of files (.AVI, .MP3, .DOC, etc.) are renamed to .ext.EXE (ext being the former extension).
Renamed files show the same special icon.
Quote:
"when I opened them, it would open the error message "possible virus warning" and then go to the CurePCSolutions site."

Renaming the files doesn't solve the problem.
IE start page becomes blank.mht
There's a .DLL file in System32, the name of which is similar to 1A9BDAF.dll or F9428.dll

Removing the DLL, restoring the IE start page and double-clicking a renamed file leads to a system message "no access to the file" and the same warning and CurePCSolutions site display.



In the HJT log, we get several Rx lines:
Quote:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = E:\WINDOWS\blank.mht
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = E:\WINDOWS\blank.mht
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = E:\WINDOWS\blank.mht

and an O2 one:
Quote:
O2 - BHO: E:\WINDOWS\System32\1A9BDAF.dll - {947254B5-96F3-4A9D-FF34-8466477D897C} - E:\WINDOWS\System32\1A9BDAF.dll (file missing)

(the DLL had indeed been removed by the victim)



No interesting links from Google:
- links to the CurePCSolutions website
- a link to a board discussion on Zebulon
- a link to a discussion on trojaner-board
- some links to discussions on Czech and Arabic forums
- a link to pctools ( http://www.pctools.com/mrc/infections/id/Adware.CurePCSolutions/ ) saying that Spyware Doctor 4.0 removes the malware, but it didn't!
- a link to a crack website
No interesting links from Yahoo!:
- the same links as Google's
- oodles of links to crack websites
- a link to CC ( http://www.castlecops.com/p869054-www_updatestate_dot_com.html ), a discussion about www.updatestate dot com by negster22, Nick-YF19 and others.



This problem makes me think of "Virus verschlüsselt Daten und verlangt Lösegeld" ("Virus encrypts data and demands ransom"), the hijack with file encryption and a ransom demand!
_________________
Gérard Don't give up... that is what they want us to do... Budfred!


Last edited by ipl_001 on Sun Dec 17, 2006 2:25 am; edited 2 times in total
~Mark (Newbie, Québec)
Posted: Sat Dec 16, 2006 10:38 pm

Hi Gérard, everyone;

I think it is a "ransomware" redesign, from what I read here :

http://info.drweb.com/show/2747

That was written last January. From what I can see this time around, the "ransom" has been dropped in favor of a rogue...

Dr.Web released a free decoder for the variant that came out almost a year ago, based on the RSA algorithm which was used to encrypt the files. They now detect this latest one as "Trojan.Encoder.10", and it will be interesting to see if the algorithm is the same; if it is a new encryption method, then I hope we'll see a new tool out very soon, so that people infected with this don't go running to buy CurePCSolutions.

Cheers all,

Mark.
ipl_001 (SWW Graduate, Paris, France)
Posted: Sun Dec 17, 2006 2:23 am

Hi Mark,


Nice to see you here! Thanks for your post!

Quote:
Posts: 1
Welcome to SWW!

To SWW members: ~Mark is an ASAP member and very generous and talented warrior whom we can meet at several big boards like G2G, SWI, Atribune and at the forum he heads Newbie.org
He is also present in France, particularly at Zebulon where he helps me lead the Security board!
Thanks again Mark!


Last edited by ipl_001 on Wed Dec 20, 2006 1:38 pm; edited 2 times in total
ipl_001 (SWW Graduate, Paris, France)
Posted: Sun Dec 17, 2006 8:42 am

Hi everyone,

Nasty beast!

There's another discussion with the same malware (plus others) at TechSupportGuy ( http://forums.techguy.org/security/526934-blank-htm-hijacker-advanced-keylogger.html ) and Derek asks for reformatting!
Quote (dvk01, Moderator, on TechSupportGuy):
We have been looking at this one & the considered opinion is format & reinstall Windows

the damage this one does is so destructive that we are just wasting our time trying to fix it

dvk01 (SWW Expert)
Posted: Wed Dec 20, 2006 11:17 am

It wasn't the CurePC & .mht entries that suggested a format, as any encrypted files do stand a chance of being decrypted & the AV companies should be able to deal with it, but

O4 - HKLM\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - HKLM\..\Run: [MSConfig]
O4 - HKLM\..\Run: [mstds.exe] c:\windows\system32\mstds.exe
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe

which really muck up system settings & file associations etc., and testing by others on a VM proves that reinstallation seems the only way to go

syspools.exe on its own is bad enough, but mstds is worse
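The R0/R1 and O2 lines quoted by ipl_001 in the first post and the O4 lines quoted by dvk01 just above can be triaged mechanically. The following is an added example, not code from this thread or from HijackThis: it parses those three line types and flags the patterns the thread describes (a start/search page set to a local .mht file, a BHO with a random hex-looking name or a "(file missing)" marker, a Run entry with no command, or one launching syspools.exe / mstds.exe). The flagging rules and the indicator list are my assumptions drawn only from what this thread reports, not a general blacklist; the sample log is constructed from the lines quoted here.

```python
"""Triage of HijackThis-style R0/R1/O2/O4 lines for the CurePCSolutions pattern.

Added example, not code from the thread or from HijackThis.  The flagging
rules are assumptions based on what this thread describes; the indicator
names come only from this thread.
"""
import re

# Constructed sample: the lines quoted by ipl_001 and dvk01 in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = E:\WINDOWS\blank.mht
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = E:\WINDOWS\blank.mht
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = E:\WINDOWS\blank.mht
O2 - BHO: E:\WINDOWS\System32\1A9BDAF.dll - {947254B5-96F3-4A9D-FF34-8466477D897C} - E:\WINDOWS\System32\1A9BDAF.dll (file missing)
O4 - HKLM\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - HKLM\..\Run: [MSConfig]
O4 - HKLM\..\Run: [mstds.exe] c:\windows\system32\mstds.exe
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
"""

# Run-key targets named as malicious in this thread (assumption: only what
# the thread reports, not a general blacklist).
THREAD_INDICATORS = {"syspools.exe", "mstds.exe"}

# Random-looking hex DLL names such as 1A9BDAF.dll / F9428.dll from the thread.
HEX_DLL = re.compile(r"^[0-9A-F]{4,8}\.dll$", re.IGNORECASE)
R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<target>.*)$")


def triage_line(line):
    """Return a list of (severity, reason) findings for one HJT line."""
    findings = []
    m = R_LINE.match(line)
    if m:
        data = m.group("data").strip()
        # A start/search page should be a URL; a local path (blank.mht) is a hijack.
        if not re.match(r"^(https?|about):", data, re.IGNORECASE):
            findings.append(("high", "IE %s points to a local file: %s"
                             % (m.group("value").strip(), data)))
        return findings
    m = O2_LINE.match(line)
    if m:
        fname = m.group("path").strip().split("\\")[-1]
        if HEX_DLL.match(fname):
            findings.append(("high", "BHO with random hex name: %s" % fname))
        if m.group("missing"):
            findings.append(("info", "BHO DLL already gone, registry entry left behind: %s" % fname))
        return findings
    m = O4_LINE.match(line)
    if m:
        target = m.group("target").strip()
        if not target:
            # An empty Run value (the [MSConfig] line in the thread) is tampering, not normal.
            findings.append(("medium", "Run entry [%s] has no command" % m.group("name")))
            return findings
        exe = target.split("\\")[-1].lower()
        if exe in THREAD_INDICATORS:
            findings.append(("high", "Run entry [%s] launches %s (named in this thread)"
                             % (m.group("name"), exe)))
        return findings
    return findings


def triage_log(text):
    """Triage every non-empty line; returns {line: findings} for flagged lines only."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hits = triage_line(line)
        if hits:
            report[line] = hits
    return report


if __name__ == "__main__":
    for line, hits in triage_log(SAMPLE_LOG).items():
        for sev, why in hits:
            print("[%s] %s\n    %s" % (sev.upper(), why, line))
```

Run against the constructed sample, it flags eight of the nine lines and leaves only the google.be start page alone. A parser like this only narrows which lines a helper has to read; the decision to reformat that dvk01 describes came from what the O4 entries do to file associations on a live system, which no log parser can judge.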
ipl_001 (SWW Graduate, Paris, France)
Posted: Wed Dec 20, 2006 1:07 pm

Hi Derek, hi everyone,

Phew!
Thanks a lot for your response here, Derek!

Thanks a lot for your explanations which relieve us as, obsessed by the .mht, I didn't see the other lines and didn't understand the sudden post saying to reformat.

~~ edit: A victim of ours uploaded the .DLL file to TheSpyKiller (of course, you know as you came here).
I'm asking him to, if possible, upload a file before and after being renamed.
I hope he also wrote to DrWeb and we count on them to help us decrypt the files.
~Mark (Newbie, Québec)
Posted: Wed Jan 10, 2007 6:29 pm

Hello Gérard, Derek, all ;

Some good news, finally!

We never did hear back from the Dr.Web support people, after one of our visitors contacted them directly (and uploaded a file). Our second active visitor was prescribed a few tools for other infections, and files were eventually sent for analysis. Some of those files were related to the CurePCSolutions situation, so we got the ball rolling again. My thanks to AndyManchesta on this one.

It turns out the files weren't totally encrypted, as I first suspected from reading on older variants. After testing by some kind experts, it was discovered that the Dr.Web CureIt tool was able to repair the files almost completely. The user does need to manually rename/remove the extra .exe extension, on each file, after running CureIt. Since the number of infected files on the PCs doesn't appear to be too large, this technique is viable.

To those involved who might read this: Thank You!

Cheers,

Mark.
_________________
Member of ASAP
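Mark's post above says CureIt repairs the files but leaves the extra .exe extension, which the user then has to strip by hand on every file. The script below is an added example (not from the thread, Dr.Web or CureIt) of doing that rename without trusting the file name alone: it looks for <name>.<ext>.exe files, reads the first bytes, and strips the .exe only when the original file signature is present, refusing anything that still starts with the PE "MZ" header. The signature table is an assumption limited to the types the thread names (.avi, .doc, .mp3); any other type is reported as unknown for manual inspection, and nothing found is ever executed.

```python
"""Safely strip the extra .exe from <name>.<ext>.exe files after repair.

Added example, not from the thread, Dr.Web or CureIt.  The magic-number
table is an assumption covering only the types this thread mentions.
"""
import os

# Assumed mapping: original extension -> list of (offset, expected bytes).
# These are the standard signatures for the types the thread names.
MAGIC = {
    "avi": [(0, b"RIFF"), (8, b"AVI ")],
    "doc": [(0, b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1")],   # OLE2 compound file
    "mp3": [(0, b"ID3")],                                # ID3v2-tagged MP3
}
MZ = b"MZ"   # DOS/PE executable header


def restore_name(filename):
    """'video.avi.exe' -> 'video.avi'; None if not a double-extension .exe name."""
    parts = filename.rsplit(".", 2)
    if (len(parts) == 3 and parts[2].lower() == "exe"
            and parts[1].isalnum() and 1 < len(parts[1]) <= 4):
        return filename[:-4]
    return None


def _has_magic(header, ext):
    """True when the header carries the signature expected for ext."""
    if ext == "mp3" and len(header) >= 2 and header[0] == 0xFF and (header[1] & 0xE0) == 0xE0:
        return True   # raw MPEG audio frame sync, no ID3 tag
    if ext not in MAGIC:
        return False
    return all(header[off:off + len(sig)] == sig for off, sig in MAGIC[ext])


def classify(filename, header):
    """Verdict from the file name and its first bytes.

    'skip'     : not a <ext>.exe double-extension name
    'wrapped'  : still a PE executable (MZ header); do not rename, do not open
    'repaired' : original signature present; safe to strip the .exe
    'unknown'  : neither; leave for manual inspection
    """
    original = restore_name(filename)
    if original is None:
        return "skip"
    ext = original.rsplit(".", 1)[-1].lower()
    if header[:2] == MZ:
        return "wrapped"
    if _has_magic(header, ext):
        return "repaired"
    return "unknown"


def scan(root, apply=False):
    """Walk root; rename only 'repaired' files when apply=True. Returns {path: verdict}."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if restore_name(name) is None:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                header = fh.read(16)
            verdict = classify(name, header)
            results[path] = verdict
            if apply and verdict == "repaired":
                os.rename(path, os.path.join(dirpath, restore_name(name)))
    return results


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    # Dry run by default; pass --apply as the second argument to rename.
    apply = len(sys.argv) > 2 and sys.argv[2] == "--apply"
    for path, verdict in sorted(scan(root, apply).items()):
        print("%-9s %s" % (verdict, path))
```

Run it once without --apply and read the list: every "wrapped" entry is a file that was not repaired and still contains the dropper, and every "unknown" entry needs a look at its bytes before anyone double-clicks it, which in this thread is exactly the action that threw the "possible virus warning" and opened the CurePCSolutions site.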