I haven’t checked to see if these are already on other block lists for the WMF exploit, but the following addresses are advised to be blocked (from f-secure)….
toolbarbiz[dot]biz
toolbarsite[dot]biz
toolbartraff[dot]biz
toolbarurl[dot]biz
buytoolbar[dot]biz
buytraff[dot]biz
iframebiz[dot]biz
iframecash[dot]biz
iframesite[dot]biz
iframetraff[dot]biz
iframeurl[dot]biz
One other note from the previous series on WMF exploit infestation cleanup. Among the multiple popups that came when launching internet explorer, most were directed at the site http://60.topnssearch.com –
Can I say enough times that after a bad trojan infestation you should format and reinstall? I’ve cleaned up the infested image that I “sacrificed” to the WMF exploit and as I’ve said you’re pestware install will likely be somewhat different. An exploit is just the road, the spyware and viruses are the cars. Once the road is built, just about any car can use it…. Hopefully the series has been helpful on working through some of the problems with a system cleaning.
Browser helper objects (BHO’s) are listed in the registry and load with explorer when it runs (Internet Explorer/ File explorer are so closely tied it affects both.) I’ve used BHOdemon in the past to identify and disable BHO’s and a tool like that is the preferred method. However, in my case, this is a disposable virtual machine and I used the “blunt object” approach…. regedit.
So, I’ve got most of the baddies cleaned out and I’m not getting popups anymore. No nags on boot, the boot process is quicker, but is it really clean? I found a few files (winlogon.exe, alg.exe in particular) that could be legitimate windows file names. Am I running the good one, or the trojan? That is exactly why a clean install is usually the best treatment for a badly infested system. Ultimately to trust this cleaned system a bit better I would need to. Watch it for signs of peculiar network ports open or peculiar processes…..
On the next boot I was greeted with the above message C:\windows\system32\kernels64.exe not found please make sure the path……correct…. blah blah blah. Back to msconfig. Everything there now looks clean. I check the running processes, again everything there looks clean I don’t see anything that I’ve been fighting. So, I start the registry editor (start, run and type regedit) and once that’s open a start a search for kernels64.exe
At this point, I needed to rename or delete some files that windows would not let me touch. I had this winlogon.exe running from a suspect directory c:\windows\inet20001 and windows wouldn’t let me kill it, or remove it’s start entry in the registry. So, I booted my image from a dsl linux cd and opted for command line only. Once booted, I navigated to mount the windows partition and cd’d to /mnt/hda1/windows/inet20001
OK, so, I’m busy killing off running processes and fire up MSConfig to try to keep them from coming back on the next boot. To launch msconfig go to start, run… type in msconfig and click ok. The startup tab is where we’re looking for programs running at startup (makes sense…) This is a bit easier and more straightforward than visiting the run entry in the registry. It does combine a few locations into one place.
After getting into Task Manager I saw a number of suspicious processes. There were a lot of things running as my user that I didn’t recognize. kernels64.exe, vxgame6.exe, vxgame4.exe, mm4.exe, vxh8jkdq2.exe, netsh.exe, cmd.exe, winstall.exe, vxgamet4.exe, vxgame2.exe covers most of the list of suspect entries. netsh and cmd are both legit programs, but were likely being used as remote shells. In other words they were legit, but not something that I expected to be running. (I didn’t have a cmd shell open..)
The first problem I ran into in cleaning up after my infested Windows XP image was this error message. One of the first things I do in cleaning an infested system is try to kill off running process that look suspect (or at least identify them.) On using ctrl-alt-delete I got the message “Task manager has been disabled by your administrator” To be honest I haven’t seen that one before and it sent me Googling…
Bookmark this site now by pressing Ctrl+D
