Wednesday, October 11, 2006

Skills of Former Employ

Ordinarily I do not spend much time passing along my tidbits of computer information, usually because someone else out there has already figured out the same things I have, and has already posted it. But today is different.
Hopefully the search engines will pick up on this post, and this will be useful to someone.
The key items here are:

VBS/PSYME
abc123.pid
checkin[1].htm
or, for the search engines, let's call this one checkin.htm
solution, removal

McAfee was complaining that a file "checkin[1].htm" was infected with the VBS/PSYME virus, and had been deleted. This file was being created in %TEMP% along with another file named "abc123.pid".

Searching around the Internet, I found a few clues, but couldn't find anything that really nailed it, so it was down to old school detective work. Rather than give you the long route that I took to get to the answer, I'll give you only the important part that I was able to boil it all down to.

Whatever virus this is, it's actually almost kind -- it doesn't actually "infect" existing files, and in fact, makes backup copies of the existing files before inserting itself in their places. Needless to say, this makes restoring the files very easy.

First, do a search on your computer for all folders named "bak" and you should see a results list with quite a few folders named "bak". Sort the view by file name so that the folders are on top.

In some of the "victim" folders, you will find executable files that bear the same filenames as those that are listed in the startup portion of your computer's registry. If you don't know what or where this is, don't worry about it. It's good to know, but not necessary to fix the problem.

From the search screen, open one of the "bak" folders, and copy the file that you find there (there should only be a single file in this folder). This is the backup copy of the file that the virus replaced. Then, do another search for the exact same filename as the one you found in the "bak" folder. When you find a file with the same name that is exactly 21K, you have found the virus that is causing the headaches for you. Paste your "bak" file over this 21K menace, and you will have fixed part of the problem. Repeat this for as many files as you find in "bak" folders (but please be smart about it -- this post assumes you work in IT or have enough experience to know exactly what I'm talking about without further need of explanation).

I hope this shortcut helps someone. It took me about six hours to peg it; it should take you less than 30 minutes. If you aren't sure what you're doing, ask me for help before you botch it.

EDIT: 11/11/2006
If you find that this solution works for you, then I ask that you spread the word to make it easier for the search engines to find it. If you have a blog, or web page, take a few minutes out of your life to write about the problem you had, and post a link to this page (URL provided below), so others can find it too. I am constantly receiving email from sysinternals forums pages from people with this exact problem, because they are looking in the wrong place for the solution. Help me to help them.

http://ganellon.blogspot.com/2006/10/skills-of-former-employ.html

bellum in capite meum pugno

79 comments:

Unknown said...

Also had the same issue - you hit it on the head!

A few notes...
In my case, the valid files were replaced with 25K files not 21K. In some instances, a file was moved into the temporary \bak folder but not replaced.

When performing the search in your "fix" procedure, it's important to just search for bak files. In other words, not bak* or *.bak or bak*.*, etc. Just type in bak as the search parameter.

Thanks again. Now to figure out how this user was infected...

Unknown said...

You just saved my life.

Note, I found one that seems to be the source of the problem, which is lsasss.exe <-- note the extra "s". How did I know it was the source? Well, it's 25K and has replaced a 25K program. Rat bastards.

Thank you. I am linking to you on my livejournal as having saved my life.

Unknown said...

Update:
I submitted a sample of this to McAfee.

Previously, McAfee VirusScan would block execution of the script but didn't know anything about the trojan itself. It now should be included in the latest DATs.

Incidentally, I also submitted it to VirusTotal and only 6 out of 26 programs actually found a specific result (1 other saw the file as suspicious).

I still haven't been able to figure out how this user became infected. I hurt my own efforts here because the first thing I had him do was delete his IE history and temporary internet files (who knew?).

My guess is that he clicked on something he shouldn't have. He insists that he didn't but he did say he visited a web site that seemed questionable. He said he started getting popups, etc. when he visited this site. This was shortly before McAfee blocked the first execution of the script. So maybe it was a hit and run thing.

If anyone has any ideas about the method of infection for this trojan, I'd be interested in hearing about it.

Thanks!

fsugal25 said...

Hi, Thank you sooooo much for posting this. I have spent weeks trying to figure out what this was. I really appreciate you posting this so others could see!

Ganellon said...

I'm extremely glad that this tip was valuable to you all, and thank you for your comments.

Good work updating McAfee to the problem; I had already overwritten my files (in the process of fixing the problem) before I thought about submitting it, and then it was too late.

-G

Jule said...

Thanks so much! I had this virus and all of the problems that came along with it, having McAfee as my virus software. I tried what you suggested..the only problem was that the checkin bogus files were not located on my hard drive within the bak folders, and I was unable to copy and paste in the search window as you suggested, and unable to do so on my hard drive within the folders. I am not Miss IT...but I just deleted the checkin created files...and hence...it worked out just fine and the virus was removed from my system. Thanks to your hard work, I did not have to pay for a phone call to McAfee! Many thanks to you...Jule www.JuleCarey.com

I'm a fish! said...

Thanks for posting this! I had found that a soundmax.exe was infected (it was missing its icon and way too small to be real) a few weeks back and reinstalled that, but it didn't fix the problem... in fact, the same file was infected again a few days later. I just blocked 88.80.5.21, but it was frustrating not knowing the real problem. After reading this I did a search and found that there were a whole load of "bak"s, not just from progs in the run list! I've finally cleared off the last of them, and I hope this machine is cleared...

I can't see any way this thing can spread computer to computer, so I'm guessing this is just the payload of something else... has anyone discovered where it comes from?

Ganellon said...

Hey Jule. You did the right thing by deleting those files. In fact, that appears to be the solution when it comes right down to it. The only thing you miss by taking that approach is restoring the functionality of the original files. While little in that portion of the registry is critical to the function of your computer, there are often helper programs that make other programs work more effectively. Tray icons, reminders of all sorts, small utilities... those are the sorts of things usually found here. So as long as you can live without this functionality, you're okay. But, if you take your computer to any IT person, they should be able to tell you what you're missing, and whether or not to replace it.
-G

Ganellon said...

Hi Tuna. I can't say for sure where the source of infection was, because it was on my fiancee's laptop when she got home. My guess is that it was a vb script from a website. She was shopping for gag gifts for a bachelorette party, and was visiting some less-than-wholesome retailers. At the time I discovered the virus, her laptop was connected to our home network, but none of the other computers were subsequently infected (whew!). So I think you're right about its inability to replicate to other computers.

Anonymous said...

Hi Ganellon,
This same problem has been driving me crazy for the last couple weeks and I've never had a problem before.
I'm no IT person but I want desperately to fix this problem. I started the process as you showed it and I already found one file that was 21K. What I don't know is how to paste the good file over the menace file. I saw the other post from Jule and could just delete the 21K files but I don't want to lose any functionality if I can help it.
So, I have two questions:
1. When I make a copy of the bak file I find within the folder, do I just leave that copy in the folder with the other file?
2. How do I "paste" the good file over the menace file?

Thanks!
CE

Lisa Anne-Marie Harte said...

Hello Ganellon--Thank you for posting your solution. I think my computer was infected through the Weather Studio website. Your blog put me in mind of Rene Girard's (nonfiction) book *The Scapegoat,* which you might find an interesting read. Thanks again.

Anonymous said...

GANELLON:
Thank you for the elegant fix to a very annoying problem. One of my co-workers had this bug and, as the local proxy IT resource (ranking = amateur), I was really struggling with this one.
Thanks, also, to the other commenters for adding priceless additional info. Unfortunately, almost all I can contribute to the posts is that the fix does indeed work.
To CE, the other anonymous poster:
deleting the 21K files will not reduce any functionality. However, to ease your fear over deleting, use an old DOS trick: rename your suspicious file by putting an underscore before the filename: _filename.exe, that way you can always get it back by removing the underscore.
Many thanks,

JEK

Ganellon said...

CE:
JEK has the right of it. You won't lose functionality by deleting those files, but renaming them first is an option. The functionality I mentioned earlier was lost on your computer when the original file was moved into the backup folder at the time of infection. Chances are, you didn't notice the loss of functionality then, and likely won't miss it if you don't put the original files back. In fact, your computer may startup faster without them. It's a double-edged sword.

As far as copying and pasting files, here's what I do:
From the search window, I right-click on the BAK folder, and choose "Open Containing Folder" from the menu. Then, I locate the BAK folder in the new window that opens, and double-click to open it. Then I right-click the file, and choose COPY from the menu. Then I do another search to find the virus file which should have the exact same name as the file I just copied. When the search finds the file, I again right-click and choose "Open Containing Folder." Then I find some empty space in that folder (in other words, not on an icon), right-click, and choose PASTE from the menu. That will overwrite the virus file with the original. If you want to leave the original in the BAK folder, that's up to you. It won't hurt to leave the BAK folders there, nor will it hurt anything to delete the BAK folders and files. Preference, really.
I hope that's cleared it up a bit. I could have been more thorough in my earlier description.
-G

Ganellon said...

Lisa Anne-Marie Harte:
Thank you for the interesting comparison and recommendation. I haven't read Girard, but I did read some very thorough reviews of "The Scapegoat." Interestingly, your comment was made more poignant because I familiarized myself with "The Scapegoat" only after I had posted this blog entry:
After I finish Don Quixote, I'll give Girard my attention. I'd be happy to hear from you re: literature / philosophy any time.
-G

Anonymous said...

Hi JEK and Ganellon,
I'm definitely going to try this and I really thank you so much for the invaluable tips and information. I've searched all over the net and not found any information like you posted anywhere else so clearly, you're one of the few who has figured out how to truly fix the problem.
Thanks for going into more detail for this semi-techie type. ;-)

CE

P.S. Ganellon, I found your blog really interesting and am sending good thoughts your way. You never know what life is going to throw at you and you seem to be dealing with things well.

Anonymous said...

Hi Ganellon,
Thanks for the very descriptive explanation of how to replace the one file with the other. I was able to do it with all except one file that it wouldn't let me replace with the good file or delete. I renamed the menace with an _ at the beginning of the name and went ahead and pasted the good file in the folder anyway.

Not sure if I've totally fixed the problem because I got the message from McAfee again right after doing all except that one.
Here's the message I got when I tried to delete the 21k file:
"Cannot delete: Access denied. Make sure the disk is not full or write-protected and that the file is not currently in use." When I previously tried to paste the good file (before renaming the menace), it said it couldn't replace it because the file was in use.

By the way, this file was called jusched and it was found in C:\Program Files\Java\jre1.5.0_06\bin
Anything else I should do at this point or do you think pasting the good file in the folder will fix it?
Thanks again for all your help!!

CE

Ganellon said...

CE:
The reason you cannot delete this virus file is because it is actively working on your computer. To delete it or overwrite it, you must first end its process.
To do this, press CTRL+ALT+DEL.
In the task list, find the process called "jusched" (this is an updater program for Java that checks to see if you've got the most recent version), highlight the "jusched" process by clicking on it once, and then click the "End Process" button at the bottom right of the screen.
After it disappears from the process window, go back and try to overwrite it or delete it again. You should have no problem.
-G

kindred said...

Hello Ganellon et al.
Thanks so much for this information. I too have been plagued with this trojan for some weeks now. I've walked my end-user self through these steps and have encountered a problem similar to what has been addressed at least once already. When I go to replace one of my bak files I receive a notice that I can not do so because it is "in use". So I go to task manager to end process. When I try to end process I receive a warning that ending will cause instability etc. The process is TBMon.exe. Should I end the process anyway? What happens if/when I do? Thanks for addressing these issues and restoring some of my sanity.

Anonymous said...

Thanks for the fix. My virus software just started detecting it today but I believe the infection occurred about 10 days ago. I lost some functionality with my touchpad but didn't know why. Now I do. When I started searching for a resolution, I came across your blog very quickly. Thanks again.

Ganellon said...

Kindred:
The important thing to bear in mind is that the process you are ending is NOT the original program -- it is the actual virus, running on your computer in place of your original program.

Ordinarily, the warning you saw that confirms your intention to end a process should be heeded, unless you know exactly what the process is, and what will happen if you terminate it. In this case, you do know both of these things.

First, the process is a virus that assumed the identity of an actual program on your computer. Second, terminating it will help you get rid of the virus.

Terminate the process, and replace the virus program with your original file. Good question, though -- that "warning" box about terminating a process looks pretty intimidating.

One way to think about this virus is the story about Windows Red Riding Hood. The Big Bad Wolf (the virus) goes to grandmother's house (your computer). When he gets there, he takes grandma (your original file) and throws her into the broom closet (the BAK folder). Then he climbs into grandma's bed and makes himself look like grandma (by giving itself the same name as the original file), and then waits.

When Windows Red Riding Hood comes along to visit grandma (to start up the "startup" programs when you turn on your computer), Windows Red Riding Hood says, "My, TBMon.exe!" (or whatever the original file name was) "What big eyes you have!" And TBMon.exe says, "Yes, and thanks for overlooking the fact that I'm a fraction of grandma's original size, and for starting me up anyway, so I can do the bad things that I do, being a virus and all."

But, armed with this knowledge, you draw forth your Sword of Justice (Task Manager), and burst upon the scene, throw back the covers of grandma's bed, and say aloud, "Thou art not TBMon.exe! Thou art a virus, and quite smelly!" And with your vorpal blade, snicker-snack, you slay the beast (end its process, and confirm) and then overwrite it with grandma, who has been in the closet all the while.

The wolf is vanquished, Windows Red Riding Hood is safe to wander the Internet, and you emerge victorious and feel great about your accomplishment.

Anonymous said...

Ganellon,

I can't thank you enough for this blog. You saved me so much frustration and after carefully following ALL of your instructions, I haven't had any more trouble with this virus for the last 24 hours. Such an easy fix it was and yet, you're the only person who came up with it that I have found.

THANK YOU, THANK YOU, THANK YOU!!

CE

P.S. Loved the "Windows Red Riding Hood" story!

kindred said...

Ganellon,
Thanks to you and your help I think I got rid of that pesky checkin trojan. Thanks for walking me through the "woods" to find that nasty wolf. He was a sneaky old thing. I enjoyed the Red Riding Hood story and reading your blog.
grazie mille, dank je, merci, gracias, danke schön, thank you, thank you, thank you.

http://www.elite.net/~runner/jennifers/thankyou.htm

Anonymous said...

Thanks a lot. Your post was very helpful!

Anonymous said...

Thanks for posting this. It saved me after several days of trying to rid myself of this virus.

One question - anybody know what this virus actually does other than create these files?

Anonymous said...

Thank you so much!
You're a life-saver!

Anonymous said...

Has anyone noticed that the executables (.exe files) that get affected by this virus can be found in the HKEY_LOCAL_MACHINE /SOFTWARE /Microsoft /Windows /CurrentVersion /Run

Ganellon said...

KevinMarion:
Yes, that is correct. I mentioned the registry aspect in the original post, but generally (and I mean no offense), the people who get infected with trojan viruses are not people who ought to be tooling around in the registry, which is why I didn't spend any time trying to explain it from that perspective.

In fact, the reason many IT folk that I have spoken with about this virus haven't been able to find it is because when they look at running processes, they see exactly what they expect to see: if qttask.exe is running, great, it's supposed to be. That's what makes this a rather clever attack. Had it not created BAK folders, it would have been difficult to identify and repair without the use of more sophisticated utilities.

Anonymous said...

Hi, THANK YOU for this information. It's invaluable to me. I've almost completed the process but I have the same problem as someone else plus 2 other little issues. One of my bak files was EMPTY. Idk what to do about that one? The other is my mcagent was infected too and I tried to delete the one for 21K and it won't let me. I don't know what to turn off in my task manager (ala little red riding hood) in order to complete the process. I have now a new pasted version, so two originals and the bad one still in there. What in task manager do I turn off to get it to successfully delete? I didn't have that thing running that you named that started with a J. It says write-protected or in use as well. The last thing is AOLhostmanager was found and it was the only file that was not 21K it was 15k. Could that be one as well? I know I've had extensive trouble with AOL since this checkin thing appeared a couple months ago.

Thank you so very much for all your help and thanks to everyone for their additional comments.

Anonymous said...

Ganellon -

Interesting fix. I must've had a different iteration of the file in my system because the files were 25K, and not 21K as you suggested.

So far as I know, it never actually did anything; the only way I noticed it was the checkin that appeared in my Internet Explorer history.

Are those the only symptoms people have recognized?

And thank you for the fix. I'd been thus far unable to locate how to fix them.

Anonymous said...

Hi, I noticed this thing kept on trying to download a file from an amsterdam website. No idea where I picked it up, and never really bothered to find out what it was until it interrupted my game of scrabble. A number of antivirus and antispyware progs picked it up but didn't know what to do with it. Just a note, file size was 33k in my case. cheers for the quick fix.

Unknown said...

Well it's good to see that as I finished my research into my problem, someone else had solved it. Notes on the prob: How did I notice it? Many icons not in the icon tray that usually were. Full screen games were minimizing every little bit. Programs were losing focus every little bit. Firewall complaining about internet explorer constantly wanting to access some sites. Ok, after all that I already know I have what I will term a virus. I immediately suspected a file and checked it out, came upon the bak folder and bam! here I am at this blog. Location of infection: most likely everyone here is too shy to say but I believe this is a narrow target virus type. I have only been to a million websites recently, however all had one thing in common: they were of movie stars who were women, usually sexy women, and I was collecting pix of people. Of course this led to some shady sites since I started with Google images and sometimes branched out under what it found. For those too afraid to say the same, I say this: fear nothing in this life for all that is revealed only opens more doors behind which nothing has yet been revealed.
p.s. way to go on hitting the solution, I'm in college(even though I'm 30, a vet, computing guru, electronics wiz, etc) and have little enough time for gathering pix of women much less finding the trouble they inevitably bring ;)

Anonymous said...

Well, a few days after i wrote my comment here, and ever since then, the problem has just disappeared. I haven't had an alert about that checkin trojan again. I guess what i did worked. Thanks so much for posting your solution!

Anonymous said...

you da man!!!!

josh said...

I found this same thing a few months ago, but did not delete all the 25kb files. The problem kept happening and I never related the bak folder issue with the IE page that kept knocking me off of what I was doing. I just all of them now (I hope) so I should be good. Thanks for the help. Oh the process I had to stop was "java_profile" in order to delete that file.

Anonymous said...

one question
when you do the second search for the virus that is 21KB, how do you paste over it? It is a PF (prefetch) file and the computer won't allow me to paste over it!!! plz help me
thank u tons

Anonymous said...

another question
do all the folders have to be 21KB in size? Mine are all different...

Anonymous said...

I am having trouble getting rid of this problem. I have done the file search for bak and I have then looked for files that are only 21 or 25K and the copy and paste the correct files. Now when I do the bak search and look in each file and find an item in that file I then do a search for the file I found in the bak file. I don't always find another file with that title or size. Is that normal or should I be finding a file for every item I find in the bak files? I have 18 bak files with items in each. I thought I went through and replaced all of them like you described, but I still keep having the window open up on me with the http://88.80.5.21/30/in/html etc.. I don't know if I am doing this right or not. Do you have any more advice that might help.

Thank you

Ganellon said...

Hi anonymous,
I'm not sure that I'm following you exactly, but it sounds as if you've got more BAK folders with files in them than you have virus files that were supposed to have taken their place. This is normal, and I found this on my fiance's computer as well. I simply copied those files from the BAK folder into a folder immediately "above" the BAK folder in the directory tree. Do you understand what I mean by this? This is the first thing you should work on correcting before you go much further.

The other way to attack this problem (and depending on your system, this can take hours) is to establish a selective startup for your computer, and by power of deduction, determine which program is causing the problem for you. I'll explain this process, and hope you can follow along.

First, click Start, then Run. In the box that appears, type in the following: msconfig
Then press Enter, or click OK.

What should appear is the Microsoft System Configuration utility. This tool is useful in tracking down troublesome startup problems because it allows you to manipulate registry items without having to muck around in the registry. So the changes you will be making with this program can also be made directly in the registry, but without the risks of creating a major catastrophe.

At the top of the System Configuration utility, you'll see a series of tabs. The one at the far right should read "Startup". Click on that tab, and you will see a list of all the programs that start along with Windows. One of the programs listed here is the culprit, and to weed it out, you're going to do the following things:

1. Click the button that reads "Disable All". This will remove the check in the boxes to the left of each item. Checked items will start, unchecked items will not.
2. Click the "Apply" button.
3. Click the Close button.

If you are prompted to restart your computer (and you should be prompted to restart your computer), do so at this time. What you have done is prevented all of those programs from starting so that you can now understand which program is causing the problem. When your computer finishes restarting, you may see a scary looking message about your computer running in a special diagnostic mode, and that's perfectly fine because that's what we want. What you should notice is that the original problem (with the http: blah blah) is now gone. Here's the next set of steps to follow:

1. Click on Start, then Run. In the box that appears, type in the following: msconfig
Then press Enter, or click OK.
2. When the System Configuration utility appears, click on the Startup tab on the far right.
3. Put a check in one of the boxes that appear at the left of the startup items. Only check ONE box, though, and I would advise you start at the top.
4. Click on Apply, and then click on Close.
5. You should be prompted to restart your computer. Do so.
6. If the original problem still has not returned, then repeat steps 1 through 5 until all the checkboxes are checked, but remembering to check only one box at a time, and restarting your computer each time you check another box. If the problem HAS returned after restarting your computer, go to step 7.
7. If you are reading this, it means that the LAST checkbox you checked is the program causing the problem. Go back to Start / Run / msconfig, and then click on the startup tab again. Note which startup item you last enabled, and disable it by removing its checkbox. Then repeat steps 1 through 5 until all the boxes are checked, EXCEPT those which you have identified as causing the problem (because there may be more than one).

This should have gotten rid of the original problem for you, but it leaves another problem: what to do about the items that are disabled because you unchecked them in the msconfig utility. There are two options.
1. Don't worry about it. This option is the "easy way out."
2. Go back to msconfig, and take note of the COMMAND section that appears next to the unchecked box(es). This is the actual location of the virus file, and you'll need to know a few things about it. First, it's location, which is essentially the whole path, minus the executable at the end. Second, the executable name, because you'll need to find your original file of the same executable name. Do a search on your computer for the executable name, and you should come up with at least one. If the only one that appears in the search results list has the same path as the command section in msconfig, then simply delete it into your recycle bin. If there are more than one, you will probably find that one of them (matching the command section from msconfig) is the virus file, and the other (probably in a BAK folder) is your original file. Again, you'll have to take the file from the BAK folder, and copy / paste it over the virus file.

Although this can be done more simply by an IT professional, this will point you in the right direction and resolve the majority of the problem for you. If the problem persists, though, I strongly recommend that you take it to an IT pro, and let them assist you. Remember, you're not paying IT professionals for what they DO (anyone can click on some stuff and type some stuff, which makes many people believe they can fix their own computer), but for what they KNOW and UNDERSTAND. At the very least, let me know how it goes, and I can try to steer you in the right direction.
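The hand procedure in the original post (find every "bak" folder, search for a same-named file elsewhere, compare sizes, paste the original over the imposter) and the refinement in the comment just above (take the executable name from the msconfig COMMAND column and search for it) can be turned into a repeatable scan. The script below is an added example, not Ganellon's own tooling or anything from the page's commenters. It assumes a directory tree to scan (a mounted or copied drive is fine), builds a constructed sample tree in a temporary directory, and uses constructed stand-ins for the values the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key would list; the file names and the 21K/25K sizes are the ones reported on this page, the paths and byte contents are made up. It generalizes the post's "exactly 21K" rule: because commenters saw 25K, 33K, 35K and 68K imposters, a twin is flagged when its bytes differ from the parked original, and the size is only reported. As the comments note, on a live Windows machine the running imposter process must be ended before the copy will succeed.

```python
import hashlib
import ntpath
import os
import shutil
import tempfile
from pathlib import Path

# Constructed stand-ins for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run values.
SAMPLE_RUN_COMMANDS = [
    r'"C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"',
    r'"C:\Program Files\QuickTime\qttask.exe"',
    r"C:\WINDOWS\system32\ctfmon.exe",
]
# Constructed tree: path -> (original size, what sits in its place). An int is an
# imposter of that size, None means nothing was put back, "same" an identical copy.
SAMPLE_CASES = {
    "Program Files/Java/jre1.5.0_06/bin/jusched.exe": (60 * 1024, 21 * 1024),
    "Program Files/QuickTime/qttask.exe": (48 * 1024, 25 * 1024),
    "Program Files/Touchpad/TBMon.exe": (30 * 1024, None),
    "Program Files/AOL/AOLhostmanager.exe": (15 * 1024, "same"),
}

def _sha256(path):
    """Hash a file so byte-identical twins are never flagged, whatever their size."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def find_bak_originals(root):
    """Map lower-cased filename -> path for every file sitting in a folder named 'bak'."""
    originals = {}
    for dirpath, _dirs, files in os.walk(root):
        if Path(dirpath).name.lower() == "bak":
            for name in files:
                originals[name.lower()] = Path(dirpath) / name
    return originals

def find_twins(root):
    """One record per same-named file outside a bak folder; 'suspect' when its bytes
    differ from the parked original (size is reported, not relied on)."""
    originals = find_bak_originals(root)
    records = []
    for dirpath, _dirs, files in os.walk(root):
        if Path(dirpath).name.lower() == "bak":
            continue
        for name in files:
            original = originals.get(name.lower())
            if original is not None:
                twin = Path(dirpath) / name
                records.append({"name": name, "twin": twin, "original": original,
                                "size": twin.stat().st_size,
                                "suspect": _sha256(twin) != _sha256(original)})
    return records

def unmatched_originals(root, records):
    """Parked originals with no same-named twin anywhere: copy these back by hand."""
    seen = {r["name"].lower() for r in records}
    return [p for k, p in find_bak_originals(root).items() if k not in seen]

def startup_hits(run_commands, records):
    """Match Run-key style command strings to flagged files by executable basename."""
    flagged = {r["name"].lower(): r for r in records if r["suspect"]}
    hits = []
    for cmd in run_commands:
        cmd = cmd.strip()
        if cmd.startswith('"'):  # quoted path, possibly followed by arguments
            end = cmd.find('"', 1)
            exe = cmd[1:end] if end > 0 else cmd[1:]
        else:
            exe = cmd.split(" ", 1)[0]
        base = ntpath.basename(exe).lower()  # ntpath splits on backslashes on any OS
        if base in flagged:
            hits.append((cmd, flagged[base]["twin"]))
    return hits

def restore(record, dry_run=True):
    """Copy the parked original over a suspect twin. On a live Windows box the
    imposter process must be ended first or the copy fails with 'file in use'."""
    if not record["suspect"]:
        return False
    if not dry_run:
        shutil.copy2(record["original"], record["twin"])
    return True

def build_sample_tree(base):
    """Lay out the constructed cases under base and return it as a Path."""
    base = Path(base)
    for rel, (orig_size, placed) in SAMPLE_CASES.items():
        target = base / rel
        (target.parent / "bak").mkdir(parents=True, exist_ok=True)
        original = b"ORIGINAL".ljust(orig_size, b"\0")
        (target.parent / "bak" / target.name).write_bytes(original)
        if placed == "same":
            target.write_bytes(original)
        elif placed is not None:
            target.write_bytes(b"IMPOSTER".ljust(placed, b"\0"))
    return base

def demo():
    """Build the constructed tree, scan it, restore the suspects, rescan; return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        records = find_twins(root)
        summary = {
            "suspects": sorted((r["name"], r["size"]) for r in records if r["suspect"]),
            "clean_twins": sorted(r["name"] for r in records if not r["suspect"]),
            "unmatched": sorted(p.name for p in unmatched_originals(root, records)),
            "startup_hits": sorted(t.name for _c, t in startup_hits(SAMPLE_RUN_COMMANDS, records)),
        }
        for r in records:
            restore(r, dry_run=False)
        summary["suspects_after_restore"] = sum(r["suspect"] for r in find_twins(root))
        return summary

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real tree, `find_twins` replaces the repeated searches, `unmatched_originals` lists the case raised in the comment above (more bak folders than imposters), and `startup_hits` does the msconfig cross-check once the Run values have been pasted into `SAMPLE_RUN_COMMANDS`; `restore` defaults to a dry run so nothing is overwritten until the flagged files have been looked at.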

Anonymous said...

The files I found were all 68K instead of 21K. But they all had the exact same last modified date.

Anonymous said...

Hi, Just to say thanks for this solution, I have been trying to solve this abc123 infection for a couple of days.

I was given an extremely badly affected system to fix which was my wife's sister's machine, she has two teenage sons, I said I would look at it and attempt to stop it GPF'ing 30 seconds after booting.

It was in a very very bad way, corrupt policy files, crippled firewall, etc ,etc, two issues (I think) still remain, the abc123.pid issue and an unknown one.

The unknown one I now think is rootkit issue, current info on this is..

Winlogon Shell reg entry has been hacked. (Explorer.exe c:\windows\system32\ghjvw.exe)
Winlogon UserInit reg entry has been hacked. (userinit.exe, c:\windows\system32\rcaqus.exe)

These entries I assume are reg locked by winlogon.exe itself, I can't edit them or get any reg fixing software to solve it.

The file ghjvw.exe can't be found on the whole system BUT it can't be created ANYWHERE on the system, ie. create a file in c:\tmp\ghjvw.exe and the system states a file of that name already exists...

Very odd.

I tried RootKitRevealer but it GPF'ed on its scan :(.

Anyway thanks again for the abc123 fix Ganellon.

Regards Mike.

Anonymous said...

Hi Ganellon,

Thank you for your assistance with this annoying problem.

One of my users was infected with Trojan.Zonebac, one of whose offspring is abc123.pid.

I did the bak file replacements but it did not fix the issue.

The user was still receiving a pop-up each time they log onto the pc.

Well I did finally find the .exe which was creating the problem. (ARW.exe) located at
C:\WINDOWS\system32\ARW.exe

First, I stopped the process from running with ProcessExplorer.

Second, went to the source C:\WINDOWS\system32\ARW.exe, then renamed it by placing an underscore in front: _arw.exe.

Finally the Symantec AV quarantined the trojan.

Ran a second for good measure, logged off/on, no more pop-up.

Again, I truly appreciate your initial assistance to help me resolve this annoying problem.

FKM..HI

Anonymous said...

Pure genius. I have been pretty successful with spyware removal many times but the simple and stealth nature of this one eluded me. Unfortunately, I only found this blog by searching for the IP address of the mother ship this virus seems to contact for what I guess are insidious payloads that it deposits on victims. I think this seemingly harmless virus is actually the transport of things potentially much worse.

Anonymous said...

It hasn't worked for me. Please help me. I am so confused.

Anonymous said...

Great info, this thing shut down everything that was protecting the PC.
I'm glad whoever did this was nice enough to leave the pieces behind to fix it.
All my files were changed to 35K size.
My initial changes were to all of my startup items. Still don't know the source.
Thanks a bunch.
Jp86SS

Ganellon said...

Anonymous said...
It hasn't worked for me. Please help me. I am so confused.

12/29/2006 6:54 PM

Well, bear in mind that this blog does not purport to have the solution to every computer problem known to exist, only for a distinct species of problem. So, if you have followed all the steps, and the problem hasn't been resolved, consider the possibility that you have a different problem entirely.

Pleas for help and assertions of confusion can be applied just as easily to burned toast, and when you fancy toast as much as I do, this is a serious matter. However, by posting anonymously (as many have done successfully here by providing additional details) I have no way of knowing which anonymous person of the several billion on the Internet you happen to be. Unless you better explain the specifics of the problem you are experiencing, I can scarcely begin to guess to what you are referring, and therefore, assume that it is toast, which I will help with.

If your toast is overdone, and blackened beyond taste, then you need to adjust your toaster's timing device down a smidge. If the toast is underdone, and can be more easily called "bread" than "toast" then you'll need to adjust the toaster's timing device up a smidge. Repeat this process as many times as required until you have found the appropriate setting for your toaster, making sure to ALLOW IT TO COOL completely before each successive attempt. This will ensure that the toaster produces the ideal toast when used the following morning, when it hasn't been preheated.

Ganellon said...

To the many people who have posted here to report their successes and additional discoveries, I offer you my sincerest thanks. I am glad I was able to help you in some way, and that you were kind enough to come along and share your information here, so that others might be helped too.

Though I may not respond to each individual comment, please know that I read them and appreciate your thanks as well. Mike, Josh, FKM, the lot of you anons... well done, and peace to you.

Unknown said...

Thank you so much!

One change in the behavior of this trojan, though. It now changes the size of the infected files to 68 k.

Anonymous said...

Amazing, thank you for posting this! Our firewall blocked the address of the 'home' site, so I had to open up an index.dat viewer to retrieve it from the user's machine. I then found your site and copied all the files in the BAK folders over the infected ones and BOOM, all fixed!! Took me 2-3 hours to figure out, but the user is very happy :) Thanks soooooo much for the help!

Anonymous said...

Thanks for all your work and effort on these issues !

CHEERS !

dataCLOUD

Anonymous said...

Ingenious detective work!

In my case, the valid files were replaced with 37k files.

Problem started 2 days ago ... my best guess for source is myspace.

Does anyone know "the what or the why" about all of this?

THANKS AGAIN !

Anonymous said...

Your BAK copy over solution for the abc123.pid file problem worked for me!! This was originally generated by that *&%!!@#$ WinAntivirusPro2006 popup. I was able to clean it off except it continued to generate the abc123.pid and abc123.dat files in the Temp folder after each login. Thanks for your diligence--what a relief!

Anonymous said...

Brilliant! I spent two days on this before I finally found your post.

Just fyi, McAfee isn't yet cleaning this up -- it did detect "psyme" and said it removed files containing some bad script, but it just kept coming back over and over until I followed your instructions. Also, Spy Sweeper was smart enough to block 88.80.5.21, but it did nothing to fix the root problem.

File sizes were all 38k for me.

All this AND I had perfectly prepared toast this morning...Thanks!!!

Anonymous said...

Thanks a ton, this was being blocked the whole time but it's nice to have it actually off the comp.

You're a star. :)

Anonymous said...

You da man.

Nice fix.
My file sizes were 38KB as well.

Been fighting several laptops with this.

McAfee on the box never saw it but their SIG box at the gateway was seeing it going to the 88.80.5.21 site in Sweden

Thanks for the help.
SHOE

Anonymous said...

To use the vernacular,
OMFG D00d you R0xxors.

Thank you SO very very much!

All of my files were 39KB.

It must randomly pick files to shut down; it didn't seem to harm my system until it REPLACED my AVG virus software start file.

Thank you again and a great big well done!

Anonymous said...

Thank you, thank you, thank you!
This problem has been driving me up the wall; neither Symantec, Ad-aware, nor Spybot did a damn thing to indicate why 88.80.5.21 kept showing up in my history.

Again, thank you for this solution, it worked like a charm. 9 of my files had been replaced, all with the 25 KB imposters.

You are a lifesaver!!!

Anonymous said...

Ahhhhhhhh! This thing is so annoying, but could be far worse if it didn't make backups (imagine - how to find the fake files then, not to mention how to restore it). Thanks for the incredible help. I recommend using the ctrl-x and ctrl-v keyboard shortcuts - it goes pretty fast.

I'm tempted to write a script to do this for me, and will do so if I find another infected computer. My files were 23K, and the missing icons are a good hint, as well as the fact that some programs don't start.
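
A script along the lines this commenter has in mind, added here as an example (it is not code from the post or its author). It assumes the layout the post describes, a "bak" subfolder beside each replaced file holding the original, walks a tree for those folders, does a dry run that reports the impostor sizes, then copies each backup over its impostor; empty "bak" folders are reported and left alone, and a file Windows refuses to overwrite is reported as locked. The sample tree with the AppOne/AppTwo folders is constructed for the demo.

```python
import os
import shutil
import tempfile

def find_bak_dirs(root):
    """Yield every folder named "bak" under root, like the Explorer search."""
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            if name.lower() == "bak":  # the subfolder name the trojan uses
                yield os.path.join(dirpath, name)

def restore_from_bak(root, dry_run=True):
    """Return (action, path, impostor_size) tuples; writes only if not dry_run.
    restore: backup copied over the same-named file in the parent folder
    empty:   "bak" holds no files (original never moved; leave it alone)
    orphan:  nothing to replace in the parent; locked: impostor is in use
    """
    actions = []
    for bak in find_bak_dirs(root):
        parent = os.path.dirname(bak)
        names = [n for n in os.listdir(bak) if os.path.isfile(os.path.join(bak, n))]
        if not names:
            actions.append(("empty", bak, None))
            continue
        for name in names:
            backup, target = os.path.join(bak, name), os.path.join(parent, name)
            if not os.path.isfile(target):
                actions.append(("orphan", backup, None))
                continue
            size = os.path.getsize(target)  # recorded before any overwrite
            try:
                if not dry_run:
                    shutil.copy2(backup, target)  # original over the impostor
            except PermissionError:
                actions.append(("locked", target, size))
                continue
            actions.append(("restore", target, size))
    return actions

def build_sample_tree(root):
    """Constructed layout with hypothetical apps: two victims, one empty bak."""
    for app in ("AppOne", "AppTwo"):
        folder = os.path.join(root, "Program Files", app)
        os.makedirs(os.path.join(folder, "bak"))
        with open(os.path.join(folder, "bak", app + ".exe"), "wb") as f:
            f.write(b"ORIGINAL" * 4096)  # 32K stand-in for the real program
        with open(os.path.join(folder, app + ".exe"), "wb") as f:
            f.write(b"\x00" * 21504)  # 21K impostor, as in the post
    os.makedirs(os.path.join(root, "WINDOWS", "system32", "bak"))  # empty one

def run_demo():
    """Dry run, then real restore, on the sample tree; returns what to check."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        dry = restore_from_bak(tmp, dry_run=True)
        real = restore_from_bak(tmp, dry_run=False)
        sizes = sorted({s for a, _, s in real if a == "restore"})  # one size = tell-tale
        after = sorted(os.path.getsize(p) for a, p, _ in real if a == "restore")
        return dry, real, sizes, after
```

Calling `run_demo()` shows the same three actions on both passes, a single impostor size of 21504 bytes, and 32768-byte files in place afterwards; on a real machine run `restore_from_bak("C:\\", dry_run=True)` first and check that every reported size is the same small number before letting it write.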

Ghent96 said...

Mine was trying to contact these:

88.80.5.21
88.80.5.36

Evidently many variants of this are now afloat.

I noticed a little slowdown at bootup, so I hit ctrl-alt-del and watched Task Manager & the processes. I realized immediately from about 8 IEXPLORER processes without a window that I had a virus or something was very wrong. Found this blog among others, and the Symantec info & removal page on this trojan.

Luckily, we have a firewall. I closed off the 'net. I shut down all the processes I could, started virus scanning, tracert on the IPs above, googled, and started removal. YOU MUST CLOSE ALL THE PROCESSES that usually load at startup. If in doubt, CLOSE, I'd say. :) Excellent blog, thanks for your help and info above. Keep up the good fight.

Anonymous said...

Thank you so much. I had the same symptoms as Chad. My files were varying in size, but mostly 39kb. Your site is number one in Google search for 88.80.5.21. Thanks again.

Anonymous said...

WOW, man, I read this post from top to bottom and I couldn't leave without also saying thanks for the help. I was lost before I came here. WTG, WTG

Anonymous said...

Hi, I also spent some time trying to find the solution...thanks so much...I'm in IT and would be interested in finding out the nitty gritty of your investigation...
Thanks again

Anonymous said...

Can't tell you how much I appreciate your help, as this problem has slowed me down for months.

First off, I'm far from an IT person, but your explanation was so good that I've been able to eliminate all but two of the sneaky replacement programs. Here they are:

#1
In C:\Program Files\ThinkPad\Utilities
there's a bak folder with a file called PDirect.exe
I'm using a decrepit old ThinkPad, and (thus?) it tells me that since the file is in use, I cannot delete it. Ideas?

#2
There are two DIFFERENT versions of GoogleToolbarNotifier.exe
The bak folder one of them is in was created on same date and at same time as all the rest of the pesky replacement programs, but the other one that seems to be in use is not the same size as the rest of them (36.5 k). Is it possible that this bak folder is legit? Here are the locations of each one:

bak folder is at
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008

Other is at
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462
along with the Readme.txt and two .dll files. System won't allow me to delete or replace this one.

One more (salient?) detail: Today the Google toolbar disappeared from Explorer, and the browser started acting differently.

Really hoping to get this machine back to some semblance of normalcy. Many thanks for any help you can provide.

Anonymous said...

You can add those servers too...
----------------------------------------------------------------
Encrypted: efR.g0LLifW1152Gp.zkmVY0
Decrypted: 88.80.5.21
----------------------------------------------------------------
Encrypted: qB1UB./FKYd0R1bfK/GCs6O/
Decrypted: 221.231.140.49
----------------------------------------------------------------
Encrypted: efR.g0LLifW1UFBik.kK1VL1"
Decrypted: 88.80.5.36
----------------------------------------------------------------
Encrypted: FNfZ.1kTNGE1mxLVG/dUpkf/
Decrypted: sdfhhhhhhdf.com
----------------------------------------------------------------

Anonymous said...

I discovered this today while trying to figure out why some of my start-up programs weren't loading. I see all of the behavior you describe except that my files are all 37K.

I also noticed some additional behavior which began around the same time. My default browser, Firefox in this case, would open on its own and attempt to go to "http://www.errorsafe.com/pages/scanner/index.php?aid=swp_ron_us__ed1&lid=3345&ex=1&p=&ax=1&rdbl=0&h=&affid=pp_1582515972"

A window pops up that says: "NOTICE: If you computer has errors in the registry database or file system, it could cause unpredictable or erratic behavior, freezes and crashes. Fixing these errors can increase your computer's performance and prevent data loss. Would you like to install ErrorSafe to check your computer for free? [Recommended]"

Closing the window opens another that says once more that you really should install ErrorSafe!

Are you familiar with this behavior? It may or may not be related to the problem you describe. It's just funny that they both occurred together.

Anonymous said...

Thanks for the advice. So far it seems to be working. In my case the files were 25k and in about 3 of the 17 "bak" folders that I found, there were more than one replaced file--two or three in fact, all of which were 25k.

Cathys life said...

Thank you so much for taking the time to post a solution to this problem! Your page was the 2nd one to come up in my search results. I hesitated to try your solution as I'm not THAT computer savvy but gave it a whirl. In about 5 minutes my problem was solved. You are the bestest!!

Joe Spinebuster said...

All of my faux files were 68K, and I also noticed that each backup file was placed in a "bak" subfolder of the folder that it was actually originally supposed to be a part of.

What worked for me was to search for all folders named "bak", and then SHIFT + CLICK each one to open in its own folder.
After doing this, I'd "cut" the backup file, press "Backspace" to go up to the parent folder, and then "paste" the backup folder over the fake one. Finally, I'd delete the empty "bak" folder, so that I know that if I ever see a "bak" folder anywhere then it is new and the problem is still around!

Anonymous said...

Hello

I got this abc123.pid problem too..

I followed your method using the search engine,
but I only managed to find the file abc123.pid.
I can't find Checkin[1].htm and the rest?

Thanks so much if you can help me with it

Anonymous said...

Thanks, man. I really appreciate your efforts and your willingness to help others. Best wishes to you in your ongoing enlightenment. I suspect the perps are still creating variants. Mine used files of 25K with dates 11-06-2006. 24 files were hijacked. For those of you who suspect a file to be a culprit, send it to Virustotal.com; they scan the file with about 25 virus checkers.

Anonymous said...

Hello G,
I found 5 bak files. One was empty, and the other four were well over 21k (336k, 76k, 49k, 52k). Not to sound silly, but now what do I do?
Thank you, Lisa

Anonymous said...

Thanks for this fix. I first picked it up in December and this hopefully will finally get rid of it. I found 10 of these folders. Any idea about the empty ones? There were 2 of those.

Ganellon said...

Thanks again for all the kind words and fan mail. It really makes me happy that so many people have been helped by this post. Sorry I haven't been posting much lately to the comments. I thought this would have been a self-sustaining thread, but I guess there are a few people out there still being plagued by this thing.

As far as finding empty folders goes... I suspect that the virus program cannot "move" the original executable files into their respective "bak" folders because they are currently in use by the operating system, and are therefore immovable. Simpler programs that can be more easily terminated by the virus are more likely to become victims. This is merely a guess, though -- I haven't seen the actual code of the virus program to know what it's actually trying to do, and why it seems to fail to move some programs after creating a "bak" folder. You'll notice that, in the case of empty "bak" folders, the original file is still in place, and running.

If you have posted a comment here and are still looking for help, post again and I'll check in a few days.

Anonymous said...

I got rid of those 10 folders a few days ago and I'm wondering if the program is gone. The bak files were copied over the files the program put in and I think I got them all, but when I've been on the internet in my connections there is a connection called The Internet(1). I am not sure if this is a normal process or related to the problem. When I have logged offline the connection was gone. Thanks for all the help.

Anonymous said...

Thank you for solving this problem for me. I have been running into brick walls for a week over this. The files I had were 37K. I will close with 3 final words: YOU DA MAN!!!!!!

bluewatersplash said...

Wow, this is great! Finally I found a place that seems to understand this abc123 nasty thing. I'm new to blogging so I hope you are all patient with me. Dear Mr. Mind of a Psycho, I do need some help. I am not an IT guy but I've been dealing with computers from back in the IBM AT days. I followed most of your notes on this abc123 thing but I'm a bit afraid to follow through with them. Any way I can get some help from you? It would be much appreciated. By the way, for anyone else that is reading this: this is the only place on the web that I've been able to find that sounds like it knows what's going on with this abc123 thing. I've been looking for 2 weeks now. If this actually works for me I will yell kudos from every roof top. This thing is nasty, this abc123,
G-d who creates this stuff and why???

bluewatersplash said...

WOW to the 1,000,000 POWER!!!

You are computer GOD!!!

Thank You, Thank you, thank you!!!!

I don't need a response to my previous entry, I figured it out. Man it took about 45 minutes to kill this little sh-t, but you are the MAN!!!!

I will shout it at the top of my lungs... YOU RULE!!! all the rest drool!!!

Only one minor glitch: one infected file was a 00THotkey.exe that lived in the C:\windows\system32 folder. When I went to delete the infected one it would not allow me to access it, but it would allow me to rename it to an innocuous non-exe name. I hope it stays there and doesn't bother me; other than that it was way easy.

I am so excited I can't stand it. You are the Lord Supreme Computer Dude. WOW I got my computer back, Yippie Kiyaaaee Mudda fkas!!!! :)

One last thing, why do people make things like this? What do they get out of it? I mean this thing hooks IE up to some Swiss site in your computer's background. What's up with that???

It's too bad that we can't handle the people that start crap like this like that guy in Pulp Fiction, you know, that black guy with Bruce Willis, that said something like this:

" I'm about to get medieval on your hill billy a-s with a blow torch and a pair of pliers "

Now wouldn't that be satisfying??? :)

Thanks again, you've restored my faith in humanity.

Anonymous said...

Awesome description dude. I was infected by visiting a myspace page... of all things!

The original file in my case was 1189738830.dat and would download itself any time I would connect to the internet.

Then, as in everyone else's case, it would put whataboutarabit and whataboutadog in the trusted zone files.

I downloaded the program SDFix.exe and it told me I had "Abc123.pid", which led me to your place.

Overall, great description and it was easy to clean up. The easiest way that I found to find all files was to search by date and time.

All my files were infected on Modified: August 16, 2007, 9:56:55PM, and I wasn't even on the computer at that time.

I had 10 files infected and they were also all 24K in size, which gives it away.

thanks again!

Anonymous said...

Great job uncovering this. Thanks for your efforts.

Anonymous said...

You rock. That is one nasty little ba$7ard. Most of the startup Exes were infected, not to mention a few sys32 folders and files. I'm still getting an sv240.tmp folder but that may be legit from another app. I'll post your comment re this on my web site - www.hscinfotech.com. Thanks lots