Topic: gebcy.dll
« on: January 08, 2006, 16:58:35 »
cwtxx2
Here is a file that I would like to report as a possible new detection.

Once analysed, this file on a system may not be too difficult to detect, but removal may be another story.

Here's a little bit of what I have been able to uncover...

The file was located here on a Windows XP machine:

   c:\windows\system32\gebcy.dll

The date and time that the machine became infected was:

   Jan 6, 2006, 8:41 pm

Nothing that I used seemed to detect this file, including fully up to date versions of Spybot S&D, Adaware SE Personal, AntiVir, AVG, CWShredder, and an assortment of other various tools.

HijackThis indicated that this file was injecting itself as a BHO as well as being hooked in via the Winlogon appinit; this in particular ensured that it was always running, even in Safe Mode Command Prompt and therefore could not simply be deleted. I tried unregistering the DLL with regsvr32 and then used HijackThis' delete file on reboot option... but it was hooked by the Winlogon appinit so early that this did not work.

I was able to stop the process by using Cedrick Collomb's Unlocker and move the file to another folder at the moment that the file was unlocked (by Explorer.exe and two instances of Winlogon.exe). At this point I restarted the machine and removed its registry entries (BHO & Winlogon appinit) with HijackThis. I also performed a manual search of the registry to see if any other references showed up... didn't find any.

When this file was actively running on the system, it tried to open up no fewer than four Internet Explorer windows pointing to a remote host. It also causes Internet Explorer, Windows Explorer, and various other random program crashes to occur.

It could easily be removed from a system with a FAT32 partition and a Win9x boot disk, but for the average user running Windows on an NTFS partition, this file would be a nasty headache to try and remove (although still not really all that difficult for an experienced veteran at removing this kind of junk).
« Reply #1 on: January 08, 2006, 17:59:51 »
CalamityKen

cwtxx2, welcome.

Please print out these instructions then read and follow them all:
http://boards.cexx.org/viewtopic.php?t=11523
Use a pencil and check off each item when completed.

How to start Windows in Safe Mode:
http://www.bleepingcomputer.com/forums/tutorial61.html

How to view hidden files and folders:
http://www.bleepingcomputer.com/forums/tutorial62.html

Once the infections are removed then ensure you install WinXP Service Pack 2 and ALL Critical Updates.
In Internet Explorer go to Tools then Windows Update.

gebcy.dll Virtumonde is the infection:

http://reviews.cnet.com/5208-6132-0.html?forumID=32&threadID=145817&messageID=1631840
http://www.bleepingcomputer.com/forums/topic18610.html

Quickest and safest way to get rid of the infection:
* Download ZoneAlarm and burn its installation file to a CD
* Disconnect the system from the Internet
* Backup all important data to CDs
* Boot the Windows CD and FORMAT the hard drive then re-install Windows
* Defrag the hard drive
* Enable the WinXP firewall
* Install ZoneAlarm and enable it
* Connect to the Internet then ensure you install WinXP Service Pack 2 and ALL Critical Updates.
* In Internet Explorer go to Tools then Windows Update.
* Install needed applications
* Defrag the hard drive
* Restore needed data to the needed Folders
* Install ALL prevention protection
« Reply #2 on: January 08, 2006, 23:35:27 »
cwtxx2
Thank you for the thoughtful write up Ken, but I think you may have misunderstood my initial posting as I have already removed the infection as mentioned in my synopsis.

I posted this message in the hopes that I may be able to help others... I was not actually asking for any help at all.

There is a manual registry manipulation method that likely would have worked too, but the method that I had used would likely be of greater appeal to a mass audience.

It's quite simple really... here is how I managed to kill it:

1. Open a command prompt window and navigate to c:\windows\system32
2. Run the following command:

     attrib -h -r -s gebcy.dll

3. Use Windows Explorer to navigate to the System32 folder
4. Right click on gebcy.dll and select 'Unlocker'
5. Select the option to move the file, select a folder to move it to and then click the 'Unlock All' button
6. Restart the machine. You can now delete the file from the location that you moved it to and use HJT to clean-up the registry entries.

I used a program called Unlocker to assist in the removal, this program is available as freeware here:

   http://www.topdrawerdownloads.com/download/104402

There is a short article about this program here:

http://www.jakeludington.com/ask_jake/20051018_unlocking_cannot_delete_file_or_folder_error.html

If a system is running on a FAT partitioned hard drive, the removal would likely be even easier... It would probably go something like this:

1. Use a Win9x boot disk to start the machine to a command prompt
2. Navigate to c:\windows\system32
3. Run the following command:

     attrib -h -r -s gebcy.dll

4. Delete (or rename for now) the gebcy.dll file
5. Restart the machine and use HJT to clean-up the registry
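A read-only check, added here as an example (it is not cwtxx2's tooling and not part of the thread), that enumerates the two persistence points named in the posts, the Winlogon AppInit_DLLs value and the Browser Helper Object CLSIDs, and reports whether any of them points at a given DLL name. The file name gebcy.dll is the one from the thread; the function name is my own.

```powershell
# Added example, not from the thread: list the AppInit_DLLs and BHO entries and
# flag any that reference the suspect DLL. Read-only; it changes nothing.
function Find-PersistenceReference {
    param([string]$Suspect = 'gebcy.dll')   # gebcy.dll is the name from the thread

    $findings = @()

    # 1. AppInit_DLLs: every DLL listed here is loaded into each process that
    #    loads user32.dll, which is why the file stayed in use even in Safe Mode.
    $winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit) {
        # The value may hold several paths separated by commas or spaces.
        foreach ($entry in ($appInit -split '[,\s]+' | Where-Object { $_ })) {
            $findings += [pscustomobject]@{
                Source = 'AppInit_DLLs'; Path = $entry; Match = ($entry -like "*$Suspect")
            }
        }
    }

    # 2. Browser Helper Objects: each subkey is a CLSID; resolve it to the DLL
    #    Internet Explorer would load through the CLSID's InprocServer32 key.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $srv   = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll   = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
        $findings += [pscustomobject]@{
            Source = "BHO $clsid"; Path = $dll; Match = ($dll -like "*$Suspect")
        }
    }

    $findings | Format-Table -AutoSize
    if ($findings | Where-Object Match) {
        Write-Warning "$Suspect is referenced by a persistence entry; remove the registry entry before deleting the file."
    } else {
        Write-Host "No AppInit_DLLs or BHO entry references $Suspect."
    }
    return $findings
}

Find-PersistenceReference -Suspect 'gebcy.dll'
```

On 64-bit Windows the 32-bit BHO and Windows keys also live under Wow6432Node; this example only reads the native hive, as the thread's machine was 32-bit Windows XP.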
« Reply #3 on: January 09, 2006, 05:16:08 »
cwtxx2
Good news regarding this file (or possible new variant that I had encountered). I sent a sample to Grisoft and they have already written back:

--- START CUT ---
Dear Sir/Madam,

Thank you for the sample, it's a new Trojan horse. It will be added to the detection
in the next virus base update.

     Best regards,

     AVG Technical Support

website: http://www.grisoft.com
mailto: technicalsupport@grisoft.com
--- END CUT ---

I have also sent a sample to Lavasoft and Safer Networking... I haven't heard from them just yet though.
« Reply #4 on: January 13, 2006, 21:46:10 »
Admin
cwtxx2, excellent detective work :)
« Reply #5 on: January 13, 2006, 22:21:55 »
cwtxx2
Thanks.

I hope others are able to benefit from this information.