The symptoms of this infection would appear in a logfile like the contents of the quote below:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pmyqy.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pmyqy.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pmyqy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pmyqy.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pmyqy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pmyqy.dll/sp.html#96676
O2 - BHO: (no name) - {151159EF-C5FE-DEA7-6C94-33A3EC6A9C14} - C:\WINDOWS\winlc32.dll
O4 - HKLM\..\Run: [winnl32.exe] C:\WINDOWS\system32\winnl32.exe
This infection will always contain the following entries in a HijackThis log:
- Processes - You will generally find 2 processes listed in the HijackThis process list
- R1 & R0 Entries - They contain a res:// followed by a dll always in the %windir% or %windir%\system32 directory, finally followed by the sp.html#number.
- O2 Entry (BHO) - This is always a dll found in %windir% or %windir%\system32
- O4 Entries - Here you will find one or more entries that point to .exe files. If the log is for 98/ME one of the entries will be a RunServices entry.
- For XP/NT/2000 it installs a service that has a display name of one of three random choices:
- Workstation NetLogon Service
- Network Security Service
- Remote Procedure Call (RPC) Helper
- For Windows 98/ME it adds a O4 RunServices entry for the service file as 98/ME do not have services like XP or 2000.
- Adds a O4 entry that contains a random file name and matching keyname.
- Adds a BHO that contains a random dll filename.
- Creates a dll to act as the search/start page as seen in the R0/R1 entries.
- Searches the computer for about 120 different files and if it finds them, deletes them. A common file you will find people have problems with after cleaning the infection is the shell.dll file on XP. This file should be found in both %%windir%\system and %windir%\system32. You may also be able to find a copy in %windir%\system32\dllcache.
- The service and O4 entries monitor each other. At a specific interval the processes will check for the existance of the other process and back itself and the other process up as a .dat file. If the O4 finds that the service is turned off, it will start the service again. If the service see's that the O4 is missing or stopped it will start it and spawn another O4 entry.
- This infection also installs itself as Alternate Data Streams. There is no standard command to remove these types of files, but we instead have to use custom tools such as Merijn's ADS Spy. What the infection does is find a standard, and sometimes critical windows file, and attaches the infection to it as an ADS. You can stop the process normally but will not be able to delete the ADS portion without using a tool like Merijns above. About:Buster should clean most of these ADS for you though which will your life easier but you can use the tool above if there are problems.
Note: ADS will only exist if the file system is NTFS. Therefore only XP, NT, and 2000 will be affected with ADS files. If a user is XP with a Fat32 filesystem then they wont have ads files.
- The BHO entry is the actual entry that installs the R0/R1's. This happens when IE is launched for the first time with this BHO installed.
- If you shut the service, and reopen an infected IE (still has R1/RO entries or has the BHO) then the service will be started again.
- This malware can get overzealous when protecting itself and install many extra helper programs in the O4 entries. These do not appear to ever be running in the processes though and can be easily removed.
If you see entries in a log that point towards this type of infection you would need to follow these generalized steps to remove the infection:
- First identify the service that is part of the infection.
- Then download about:buster for use later.
- Then print out these instructions as you do not have to enter IE when in safe mode.
- Boot into safe mode
- Shutdown the service
- Make sure the two processes that are listed in the hijackthis log process list are not running. If they are, end them.
- Fix the hijackthis entries using hijackthis.
- Delete the dll found in the R1/RO entry, delete the dll associated with the BHO, delete the service file (Only if it is not an ADS file)
- Delete the O4 files (Only if it is not an ADS file)
- Run About:buster
- Run Trend Micro online scan
- Reboot your computer
- Replace deleted files.
BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.
If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.
Back to top
