Sunbeltblog comments

Gravatar Just had it on a customer's PC. Owner had XP/SP2 without recent patches.
A dialup AOL user so anyone can get it. Not a heavy user, older retired couple.
Had to go to both User accounts to remove it. The key to watch for is the Red X in the Taskbar in addition to the big warning plastered on the Desktop. I think (repeat, "I think") a trial copy of CounterSpy removed it. I tried so many different methods to remove it; that is the reason for the indecision. All I know is that it's gone.


Gravatar Ouch, that's a real nasty one. And an unwelcome return for that hideous YOU HAVE TEH SPYWARES background, too.


Gravatar SANS says it downloads Winhound - a recent addition to the Rogue Anti-spyware page.

http://isc.sans.org/diary.php?st...php?storyid=972


Gravatar Isn't it
http://www.microsoft.com/technet...n/MS05-053.mspx

dated November 8?


Gravatar Anyone have a URL with this actual exploit?


Gravatar Just found my notes from working on the above PC.
Here's what the PC was infected with:
sachostx.exe
batserv2.exe
kernels64.exe
stb2.dll
inetp60.dll
vsgame1 (or l).exe
Don't know which one eliminated the bastard, but when these were cleared, all OK.


Gravatar And if I recall, something in this mess referred to "winhound".


Gravatar OH MY GOD! This just happened to me 2 nights ago and I had to reformat my comp. I could not remove the virus. I installed SpySweeper, AdWare, SpyBot, and I installed Norton 2006 - and all were non-effective. The only way I could even use the system was to unplug the network cable. The virus kept trying to send emails and Norton kept scanning them, like 30 at a time! It was insane. I went to a questionable site looking for a crack so I kinda deserved it (I guess) but DAMN. I'm no comp guru but I've been around the block; I consider myself an intermediate-advanced computer person and NEVER have I seen such a dominant virus wreak havoc on a system. BEWARE!!!!!!!


Gravatar Just another reason not to use Internet Explorer.


Gravatar Bob, some versions of Firefox are vulnerable too. Read all the links.

http://www.f-secure.com/weblog/


Gravatar Had it on a user's machine last night. Was not able to remove it using MS AntiSpyware or Lavasoft in normal mode or in safe mode. Had to boot off of miniPE and do it at the level, and run HijackThis after.


Gravatar I got hit with this one awhile back.
The background on your desktop gets set to an html file rather than a .bmp or .jpg

Find that file and delete it and you are on your way to recovery.

There were some registry entries that had to be cleaned as well, but it went pretty smoothly once I got on that track.


Gravatar Is this something that requires the user to have Administrator privileges? Would be nice to know if limited user accounts are vulnerable.


Gravatar Here's a quick fix to patch up the vulnerability. From the command prompt:
REGSVR32 /U SHIMGVW.DLL
Can someone confirm this with an exploitable WMF file?


Gravatar I need a URL to the exploit to get a utility to remove.


Gravatar I just had this same thing hit my PC a couple of nights ago. It took me almost 4 hours to find all of the components and get them removed. None of the normal routes for clearing spyware, adware, malware, etc. worked completely. They would get rid of portions of the malware, but it always regenerated itself. It took lots of registry editing to get this one cleaned up. I've removed some pretty evil spyware from client computers in my time, but nothing as persistent as this one. I found lots of good postings in forums to help clean it up... thank God for Google.


Gravatar I have been hit here at our site on one system. Trend Micro would detect files but could not clean. I downloaded and ran McAfee Stinger and it did not see it at all. I then tried Ad-Aware and it found things that may or may not have been related to this exploit. After all these attempts I rebooted the system. It would come up and give me the Ctrl-Alt-Del prompt but nothing after that. None of the recovery methods worked. Right now I have the drive out getting the data transferred to DVD disk. I am going to format and reinstall because I think it's too late to use an upcoming fix on that drive.


Gravatar If you are a professional security researcher, contact me offline for a sample URL. We have provided samples to CERT, etc.


Gravatar Marc is looking for a URL. Called my customer and the only thing he could tell me was that it hit when he clicked on a pop-up advising him he had Spyware and to click to get rid of it.
This was done while on AOL 9.0, customer doesn't even know what Internet Explorer is.
Uses nothing but dialup AOL.


Gravatar I saw this happen on 12/23, I thought it was an older exploit cause the system didn't have all MS patches. I think the user got it from cracks.ws that day. It installed "Spy Sheriff" which was non-removable after some serious efforts, system had to be restored from backup (isn't tape wonderful).

No matter whether it's software or hardware failure, backups are the only thing that can save you sometimes.

JC


Gravatar My brother got infected with this last night, trying to download a crack, and was stupid >_> It was a really messy exploit; took about 4 reboots and some extra applications [Sysinternals' process manager, I believe it's called, is a godsend] to fully clean it up. Crafty exploit, though.


Gravatar Had this one on my mom's machine. Norton Internet Security couldn't get it, but a simple System Restore fixed it up. No critical losses, but it's a pain, and my mom was pissed lol.


Gravatar I own a retail store that does spyware/ antivirus/ removal and O/S repairs. I need to see what this thing does so I can figure out how to remove it.

I don't know how to contact you, Alex. I got to this page via a link which led to another link several hours ago.

Just email me a site that uses this exploit that is still up and I'll try to duplicate.

My MSN is marc@jungle.net or AIM Dialsoft


Gravatar My email is alexe(at)sunbelt-software.com if you ever need to reach me.

Alex Eckelberry


Gravatar Jon --

Typing REGSVR32 /U SHIMGVW.DLL is a valid workaround to avoid the exploit.

This effectively disables your ability to view images using the Windows Picture and Fax Viewer via IE (AFAIK you can still download the file and execute it and get smoked, but you won't get hit by a "drive-by" download with this workaround.)

Thanks for mentioning it.


Gravatar Got infected yesterday with this one and AVG Home Edition was able to stop most of the issues. I then was able to remove it by using System Restore from the day before the infection. Also installed MS SpamBlocker prog and found that the hosts file had been hammered with a number of sites pointing at "127.0.0.5".

Scanned with AVG several times and found some nasties but everything looks clean now.
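The hosts-file tampering mentioned above (hostnames redirected to a loopback address such as 127.0.0.5) is easy to check for mechanically. This is an added example, not code from the thread or from Sunbelt; the hosts content it scans is constructed sample data, and the hostnames in it are placeholders.

```python
"""Flag hosts-file entries that redirect real hostnames to loopback or the null route."""
import ipaddress

# Constructed sample of a tampered hosts file (not a capture from a real machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.5       www.example-av-vendor.test
127.0.0.5       update.example-av-vendor.test   # added by malware
0.0.0.0         liveupdate.example.test
"""

# Names that legitimately map to loopback and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:                        # one line may list several names
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Return (ip, hostname, reason) for entries that sinkhole a non-local hostname."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        if name in LOCAL_NAMES:
            continue
        if addr.is_loopback:                       # any 127.0.0.0/8 or ::1, not just .1
            flagged.append((ip, name, "loopback sinkhole"))
        elif addr.is_unspecified:                  # 0.0.0.0 / :: null route
            flagged.append((ip, name, "null route"))
    return flagged


if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_HOSTS):
        print(entry)
```

On a live machine, read %SystemRoot%\System32\drivers\etc\hosts into the function instead of the sample text; every flagged entry deserves a look, since a legitimate hosts file rarely sinkholes vendor update domains.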


Gravatar Man, am I glad I use a Mac!

Good luck, guys.


Gravatar Hey, I found that desktop wallpaper on my friend's computer!


Gravatar Um, that's not a Good Thing.


Gravatar Glad I run Linux!


Gravatar This is insane .. god damn spyware makers and Microsoft. I got infected with this spyware two days ago. My system suddenly became slow and I saw Windows Picture Viewer open up from nowhere .. and then .. there were various msgs of spyware .. icons on the desktop and this and that ..

I have MS Anti Spyware and Windows XP SP2 Firewall and Norton Anti Spyware .. but it passed through all of them.

I tried to run Spybot Search and Destroy but it couldn't find it .. then I did a Norton scan and all was OK .. but still the msgs kept coming and the IE homepage changed to some anti-spyware website ..

Well, then of course I did a System Restore and all seems to be good now ..

Anyone have any info about certain files I should look for or still delete .. let me know ..


Gravatar If you did a System Restore, you're probably ok. But run our free CounterSpy trial (www.ihatespyware.com). Detections are being updated frequently, so check it for the next week to be sure.

Also, you should run a two-way firewall, as the XP firewall is only inbound. I (of course) recommend mine, the Sunbelt Kerio firewall. Free.


Gravatar To those saying that Windows is secure as long as you update: LOL. The Linux fans can enjoy this one.


Gravatar I just got hit by this one and have the URL where I received my wonderful gift if you have interest. I also captured a few screens - it disables Task Manager and there's a different background screen. It installed WinHound and another spyware program that ran immediately. It also dropped a ton of icons on my desktop and looks like it may have installed other software as well. I also noticed it was utilizing my Internet connection but did not capture any of the traffic before I disconnected the machine.

System restore seems to be the fastest way to recover from this infection. I'll be running a scan to check it out for any latent infection.

Thanks for posting this - I noticed it earlier today and would have been lost without it.


Gravatar This virus took down my win2k machine sunday. I'm quite properly surprised at how quickly it took control.


Gravatar Visiting crackzc[dot]ws will lead you to a few pops or something which then will lead you to see two instances of a *.wmf file being downloaded from: Careful://iframeurl.biz/dl/xpladv470.wmf
and
Careful://beehappyy.biz/parthner3/xpl.wmf


Gravatar Yikes..pretty nasty.


Gravatar Thanks for these warnings.
If I come across this Virus/Spyware, I'll system restore to a few days before.
I'm also getting that CounterSpy.


Gravatar Hi all, I got infected yesterday. I saw the topic of this new exploit on Bugtraq. And I was actually so stupid that I intentionally downloaded the .wmf file. I didn't have the intention to execute it and I was "trying" to be careful, but I had no idea the virus executed itself by just opening the folder that contains the virus.

Anyhow, so I got infected. My screen started flickering, and I immediately pulled out my network cable. But, here's the weird thing. I have "none" of the above descriptions happening on my WinXp system. The background, the desktop icons, disabled task manager, etc.. none of those. I also did a system scan with TrendMicro's Housecall, but found nothing. So am I infected or what??


Gravatar Just done a controlled infection of a virtual machine running the latest AVG updates and it detected the trojan loaded onto the system and disposed of it accordingly :D


Gravatar Well,
Just saw it on a discussion forum. Set up a box and went and got it; trashed it quite effectively.

Thing is,
it's being used for petty stuff now. Wait till real viruses hook onto this thing, we'll all be buggered.

Regsvr32 disable in effect on all machines in my grasp.


Gravatar I downloaded a file that had a pretty nasty virus that immediately changed my desktop, installed Spy Sheriff, and took away my most trusted tool, my Task Manager that I use for everything. I got lucky when my AVG Free Edition started to isolate and kill it, but AVG was no match. I decided to tell AVG to do a full scan and then I started Microsoft AntiSpyware and told it to start hunting using a quick search. It finished and asked if I wanted to remove the threats. AVG continued for another hour and then asked if I wanted to kill or isolate. 3 system restores and 2 hours later, my computer was back to normal.

It worked for me, so if you are having trouble I recommend this approach to reformatting your computer.

Good luck


Gravatar Got hit with this one last week, after downloading a "patch" for some software I downloaded. Had to re-install to get rid of it.

Very nasty!


Gravatar Brad, fwiw, CounterSpy is a dedicated antispyware program and is not really designed to stop exploits. For this type of exploit, an AV program (like AVG's free one) is probably better suited.

One thing -- one can set our free Kerio Firewall to block this thing -- see http://sunbeltblog.blogspot.com/...mf-exploit.html

See my other writeup on workarounds here http://sunbeltblog.blogspot.com/...mf-exploit.html

In the end, of course, the real solution is for Microsoft to patch this thing.


Gravatar Way I fixed it, Start Menu Button > Help and Support > Pick a Task > Undo changes with System Restore.

Took Windows XP to the day before. All the chaos stopped, then I deleted the files that it put on the desktop manually, then ran McAfee's free Stinger download; can't remember what it found but it removed it all. Everything fixed.


Gravatar Can someone please, please help me.
I think I might have it. It's only happened twice on small images, but the screen has flickered. When I start my PC up I get (usually 1, but I got 3 this time) MS-DOS prompts for .exe's that I've never heard of.
I tried doing system restore to 2 days ago but nothing happened.
Can someone please tell me what's going on I'm getting worried. :/

P.S. I'm not getting that desktop wallpaper.


Gravatar I'm trying to explain on an email list I frequent, frequently, why unregistering the DLL is so much more important than doing nothing and waiting for antivirus programs to update. I'm a little unclear on why they don't catch it, so could someone explain it to me so I can in turn explain it to the masses?
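For the question of what a signature actually has to look for: the 2005 WMF bug (patched as MS06-001) is reached through a META_ESCAPE record whose escape sub-function is SETABORTPROC, so a scanner has to walk WMF records rather than match a fixed byte string. The following is an added example, not code from the thread or from Sunbelt; it assumes the public WMF layout (optional 22-byte placeable header with key 0x9AC6CDD7, 18-byte standard header, records of a 4-byte word count plus 2-byte function) and constructs its own test files.

```python
"""Walk WMF records and flag META_ESCAPE records that select SETABORTPROC."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional "placeable" WMF header
META_ESCAPE = 0x0626         # record function number for META_ESCAPE
SETABORTPROC = 0x0009        # escape sub-function abused by the WMF exploit


def wmf_records(data):
    """Yield (function, params) for each record; stops at META_EOF or truncation."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        return                                     # no room for a standard header
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2                        # standard header is 9 words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            break                                  # malformed: size smaller than record header
        yield func, data[off + 6 : off + size_words * 2]
        if func == 0:                              # META_EOF
            break
        off += size_words * 2


def has_setabortproc(data):
    """True if any META_ESCAPE record selects SETABORTPROC (the drive-by vector)."""
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                return True
    return False


def build_wmf(records):
    """Constructed test data: a minimal standard-header WMF from (function, params) tuples."""
    body, max_rec = b"", 0
    for func, params in records + [(0, b"")]:      # append META_EOF
        size_words = 3 + (len(params) + 1) // 2
        max_rec = max(max_rec, size_words)
        body += struct.pack("<IH", size_words, func) + params.ljust((size_words - 3) * 2, b"\0")
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, max_rec, 0)
    return header + body


BENIGN = build_wmf([(0x0201, struct.pack("<I", 0))])                     # META_SETBKCOLOR only
FLAGGED = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])  # escape record, no payload
```

The flagged sample carries no data after the escape header, so it is only a format fixture; a real scanner would also want a size-bounds check per record and a second look at files where the record sizes overrun the file length.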


Gravatar Just don't allow IE to call CreateProcessW


Gravatar Uh.. I didn't on my system restore for like ages and i got hit by this. Anyone have any ideas how to clear it w/o system restore or reformatting?


Gravatar It's going to take some work but it's do-able.

I would do multiple passes with one or two AV programs followed by scans with a couple of antispyware programs. All these can be free ones -- see http://snipurl.com/hckp

Cleaning in safe mode is recommended.

Then a rigorous scrubbing with Hijack This.

You can always make a plea for help at spywarewarrior.com.


Gravatar Now ... many more people realize the benefit of running the computer in a low-privileged account. This spyware is a good reminder.


Gravatar Yesterday I got the xpl[1].wmf trojan. My AVG-Free couldn't get rid of it but gave me where it was on the hard disk. I knew the address but was not able to see the file. So I set up an old version of the ACDSee file program and finally saw the trojan. The rest was very easy; just erased the trojan. After checking with AVG-Free again, there was no trojan any more.
If you want the old version of ACDSee, I'm uploading it to the net. Be sure to make it see the hidden files.
Here's the link:
http://rapidshare.de/files/11481...c32241.exe.html


Gravatar Quit using IE.


Gravatar Well, I recently am dealing with this worm on a friend's computer. Here's what it did, in order:

First I found the virus on a customer's website embedded on around 37 index.html's: every image directory and every single possible directory that had an index.html had this code appended to it. I won't write the whole thing down, but it is JavaScript; after the part where it has the variable being defined like var k= and a bunch of letters, the next parts of the lines would be this:

var k='I wont put the code',t=0,h='';
while(t


Gravatar OK, apparently that cut me off; this is what it looks like:

type="text/javascript">
var k='I wont put the real code',t=0,h='';
while(t


Gravatar Hello all,
I think I got this bug from using a free online hover ad creator. It is a site that generates JS code for a dhtml hover ad.

I was working with my webpage when cmd windows started appearing. I killed my internet connection and tried to access task manager which, of course, was disabled. I waited a few seconds and saw more pop-ups so I hit the reset button and loaded in safe mode.

A scan with AVG Free seemed to find everything.

I am not 100% sure these sites are bad, but I am putting them here for you guys to watch out for.

(NOTE: I was also trying several other automatic generators on this site)
badsite://www.tamingthebeast.net/generators/popup-hover-ad.htm

badsite://popup-toolkit.com/free-webmaster-tools/hover-ad-generator/

badsite://popup-toolkit.com/free-webmaster-tools/pop-up-generator/

BTW, the JS code created by these generators is scrambled, so it's hard to tell what it's doing.


Gravatar Thanks for this great information.

