Security Software newdll2.exe

A

AlbertPacino

Skilled
I got a link yesterday from a friend of mine, so i clicked only to find out it installed a trojan...i ask him whats this link, and he has no idea, yes its an MSN worm/trojan that auto sends itself.

here my log file.

Logfile of HijackThis v1.99.1
Scan saved at 7:39:13, on 27-6-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\newdll2.exe
C:\WINDOWS\system32\newdll2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\newdll2.exe
D:\Disk Defragmentar\DkService.exe
C:\WINDOWS\system32\svchost.exe
D:\Skype\Phone\Skype.exe
D:\Firefox\firefox.exe
D:\Mozilla Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.showmyip.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8118;https=localhost:8118
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - D:\ReGet Deluxe\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] C:\WINDOWS\system32\newdll2.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] C:\WINDOWS\system32\newdll2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] C:\WINDOWS\system32\newdll2.exe
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - D:\Jpeg Compresor\Advanced JPEG Compressor\ajcieex.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} - https://secure.ingbank.nl/download/DigiSign.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - AppInit_DLLs: wbsys.dll MsgPlusLoader.dll
O20 - Winlogon Notify: WB - D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Disk Defragmentar\DkService.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Kaspersky Anti Virus\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - c:\program files\common files\symantec shared\script blocking\sbserv.exe (file missing)

Kasperky cant delete it, abcdefg.exe was part of it, i did manage to delete it, but what are these newdll2.exe?
 
boot in safe mode and delete the file

C:\WINDOWS\system32\newdll2.exe
check windows folder and system32

run av, spyware etc as well after that

dont mean to sound priggish but never click on links that lead to .exe files.

edit: follow sunnys link , they seem to have a few fixes as well :)
 
showmyip.com as startup in ur browser ... did u set that ?
if u dint... im guessing what it does is start up the browser,get the ip from showmyip.com ,parse that,and send it across to the client of the trojan where he can then control ,blah blah .

so chk it out along with the what the guys have suggested.
 
New log file.

Logfile of HijackThis v1.99.1
Scan saved at 13:29:50, on 27-6-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Disk Defragmentar\DkService.exe
C:\WINDOWS\system32\svchost.exe
D:\Firefox\firefox.exe
D:\Mozilla Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.showmyip.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8118;https=localhost:8118
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - D:\ReGet Deluxe\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Kaspersky Anti Virus\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - D:\Jpeg Compresor\Advanced JPEG Compressor\ajcieex.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} - https://secure.ingbank.nl/download/DigiSign.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - AppInit_DLLs: wbsys.dll MsgPlusLoader.dll
O20 - Winlogon Notify: WB - D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Disk Defragmentar\DkService.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Kaspersky Anti Virus\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - c:\program files\common files\symantec shared\script blocking\sbserv.exe (file missing)
Ok i cleaned it out from the regsitry.

@Sunny,
Yep i saw that link before posting, its a very very new trojan, as you can see that in google it directs you to only one website & the date that the post is made is 24/06/2005.

@bottle,
Well the amazing thing it wasnt a an .exe, its my first ever trojan, about "showmyip" yes thats my start up page for IE & maxthon.
How did i solve it?

Well i just came back from work, started the pc, started kaspersky & updated it, voila he found him immeditly, bear in mind just hours before updatating kaspersky he didnt find it, altought he couldnt totally remove them.

I started in safe mode.

Disabled "System restore"

Found the files (after enabling show hidden files)

Went to the registry had to remove abcdefg.exe & newdll2.exe (i had to search for them everytime i deleted one cuz there was 2 abcdefg.exe & 3 newdll2.exe entries)

Everything looks fine now,lets if it stays that way...

Thnx for the fast replies & help! much apprecited
 
Last edited by a moderator:
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

The log is clean except for these ..
 
Nah .. Those files are missing so these entries are not needed .. Either remove the entries or reinstall the software that put those entries ..
 
Back
Top