I’ve been preparing an old IBM PC 300PL for my parents to replace their generic clone that died (RIP the machine formerly known as exodus.dreaming.org). They’re familiar with Windows, so I installed Windows 2000 Professional, ran Windows Update to download all the latest patches, and installed ClamWin as a virus scanner, and ZoneAlarm as a firewall. Fortunately they don’t have Internet access yet, but I worry about them clicking on some malware link and having some nasty spyware/trojan/virus take over their machine.
Despite all this, somewhere along the line I picked up some nasty trojan. This particular strain, TROJ_CONHOOK.AE, attached itself to WINLOGON.EXE so even booting in Safe Mode wouldn’t get rid of it. It saved itself as a randomly-named DLL (in my case, C:\WINNT\SYSTEM32\pmnmlml.dll) and added itself as an AutoRun all over the place, a fact I was able to ascertain by using SysInternals' excellent Autoruns utility. Using another SysInternals utility, Process Explorer, I was also able to see that it was causing WINLOGON.EXE to run some routine inside the DLL file every second!
Call me a skeptic, but I was still not totally convinced that pmnmlml.dll was not some legitimate Windows DLL. After all, just open your C:\WINNT\SYSTEM32 and half the stuff in there looks like a virus. (Quick: is dcomcnfg.exe a virus? How about dcomcfg.exe?) So I decided to copy the DLL to my Linux workstation and run strings(1) on it. Sure enough, the following text string was enough confirmation for me to see that it was a trojan:
http://82.98.235.63/cgi-bin/check/autoaff3
So I followed the procedure on Trend Micro’s site for getting rid of it — namely, booting off the Windows 2000 Professional CD and running the recovery console, then deleting the DLL.
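The strings(1) check above is the step that actually decided the question, so here is an added example of the same triage done in Python (this is not code from the post; it is a stand-in for running strings on a copied DLL). It extracts printable ASCII and UTF-16LE strings the way strings(1) does, then flags the ones a defender would want to look at: URLs, bare IPv4 addresses, and references to the CurrentVersion\Run autorun key. The sample bytes are constructed inline to look like a tiny DLL image; the only real indicator in them is the URL quoted in the post.

```python
import re

# Constructed sample: a fake DLL image with binary padding, an ordinary
# import name, the URL quoted in the post above, a UTF-16LE registry path,
# and a string too short for strings(1)'s default minimum length of 4.
SAMPLE_DLL = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"KERNEL32.dll\x00"
    + b"\x01\x02\x03\x04"
    + b"http://82.98.235.63/cgi-bin/check/autoaff3\x00"
    + b"\xff\xfe"
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00"
    + b"\x7f\x80\x81"
    + b"ab\x00"
)

MIN_LEN = 4  # same default as strings(1)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RUN_KEY_RE = re.compile(r"CurrentVersion\\Run", re.IGNORECASE)


def extract_strings(data, min_len=MIN_LEN):
    """Return printable ASCII strings, then UTF-16LE strings, of at least
    min_len characters, in file order within each encoding."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE ASCII-range text looks like 'c\x00' pairs in the file.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found


def triage(data):
    """Classify extracted strings. A URL or IP in a DLL is not proof of
    malice on its own (plenty of legitimate DLLs carry vendor URLs); the
    hits are a shortlist for a human to check, not a verdict."""
    found = extract_strings(data)
    hits = []
    for s in found:
        if URL_RE.search(s):
            hits.append(("url", s))
        elif IPV4_RE.search(s):
            hits.append(("ipv4", s))
        if RUN_KEY_RE.search(s):
            hits.append(("autorun-key", s))
    return {"strings": found, "hits": hits}


def triage_file(path):
    """Run the same triage over a real file copied off the suspect machine."""
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    result = triage(SAMPLE_DLL)
    for kind, text in result["hits"]:
        print(f"{kind:12s} {text}")
```

Run it against a copied DLL with `triage_file("/tmp/pmnmlml.dll")`; on the constructed sample it reports the URL and the autorun key reference and drops the two-character fragment, which is the behaviour the author relied on when the URL showed up in the strings output.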
Let’s step back for a second here. I am a professional system administrator, and my parents are not. How can I expect them to surf the Internet safely and not suck down one or more of these nasty trojans? Next thing I know, I’ll be getting a call from their ISP telling me that their little IBM is sending out 10,000 spams a minute, or is the control point for some DoS botnet.
I’m leaning more and more towards just getting them a Macintosh. I just have to convince them to part with their beloved Windows.
(By the way, dcomcnfg.exe is legitimate, while dcomcfg.exe is not. But how would one ever tell?)
Many programs include spyware modules. Use anti-spyware to protect your privacy.
As for me, I like professional anti-spy software like Anti-keylogger by Raytown Corporation LLC.
You can download it here: http://download.softsecurity.com/1/15/antikey.zip (~4MB)
> I am a professional system administrator
> and my parents are not
Don't let them run as a user with Administrator privileges.
Don't worry, I'm not 🙂
curious about this address… http://82.98.235.63/cgi-bin/check/autoaff3
I have my roommate on my DSL as well,
and the router logs show…
82.98.235.63
no web addy configured at that address.
I might email them, I don't want my ISP cracking down on me,
Brad
http:/911review.org
I guess this is a strange question, but I have noticed that my antivirus software "Symantec AntiVirus Corp Edition" periodically connects to this address "82.98.235.63:80". I would like to know why this is occurring and whether I should be concerned.
I have no idea how Symantec AV works but I would find it very suspicious that it would try to connect to this site which seems to be a malware host.
I have the same malware on my PC :/ It connects to that specific IP address using the explorer.exe process. Although I cleaned explorer and the DLL, it keeps trying to connect.
Now I'm gonna use those tools from SysInternals to find out more.
Thnx for the tip:)
It's me again (post #7).
I used SysInternals' Autoruns, got the names of the 2 .dll files causing all the trouble, returned to the XP CD using the Recovery Console and deleted them!
Everything is working great now!
Thank you JDunn 😀
I also have the 82.98.235.63/cgi-bin/check/autoaff3/ thing; it's a form of trojan from the Lop.AQ family and I can't believe Norton's is connecting. If anything, Norton's is trying to send it to the server to be added to the global trojan or virus list... I can't get rid of this bastard at all. I have tried everything except using the XP Recovery Console. How do I do it? The trojan slows my bandwidth down and it takes over 4 hrs for 4 MB... any help with the Recovery Console please?