A Look at Look2Me Malware

We looked at killing off spyware before. That spyware was pretty mild. Let’s look at some really nasty stuff! Here is an installer for Look2Me. Note: DO NOT INSTALL THIS ON A PRODUCTION COMPUTER! Use Virtual PC or VMware if you want to take a look at this spyware. The file is ZIPped, then RARed, so you’ll need WinRAR to unpack it. Before running INSTALLER.EXE, let’s start up Process Explorer. Upon launching INSTALLER.EXE, we notice that EXPLORER.EXE dies and then restarts itself. After this happens, a pop-up ad! Hmm! Looking at Process Explorer, we see nothing out of the ordinary:

The processes in blue were loaded after INSTALLER.EXE ran. Hmm….notice anything? All processes are digitally signed either by VMware, Sysinternals or Microsoft. Where is the malware? RUNDLL32 allows programmers to run DLLs as programs. In order to find out where the malware is, we have to go to EXPLORER.EXE and click on the Threads tab:

The sRfrcdlg.dll is the actual malware DLL launching the pop-up ads. Let’s kill all the DLLs out of memory. We locate sRfrcdlg.dll in C:\windows\system32. Attempts to delete the file fail. What is locking the file? EXPLORER.EXE! If we head back to Process Explorer and go to Find>Find Handle, you will see that EXPLORER.EXE still has a handle or lock on sRfrcdlg.dll. Highlight the entry, then go to Handle>Close Handle. It will warn about doing so, but proceed. Now try to delete the file. The file still cannot be deleted! What gives?! If we do a DLL search we find this:

EXPLORER.EXE still has a lock on the file, even though sRfrcdlg.dll doesn’t appear to be running. To delete the program, we can use a nifty little program called Unlocker. This program is freeware and works very well! It installs itself as a menu extension, so all we have to do is locate the file in Windows Explorer, right-click on the file and pick Unlocker. Pick Delete and Unlock all and flush goes the file!

Now there’s only one thing left to do: delete it out of autostartup. If you look in all the familiar places you won’t see it, but if you happen to look under Winlogon, there it is:

If you attempt to delete this key while Look2Me is running, it restores it! Whether you boot into Safe Mode or not, this key will always load and it loads even before you log into the system. Nasty! That’s why you have to delete the DLL from memory and the disk before you attempt removing it from the registry.

Another ingenious solution for deleting the file was posted over at the Sysinternals forum by bmccool2003. This involves setting the “Deny” NTFS permission on the file for the Everyone group (and removing SYSTEM and CREATOR OWNER from the rights section). When you reboot, the OS doesn’t have permission to use the file, and thus you can log in and take ownership of the file. This will then let you delete the file.
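The two checks this post walks through by hand, which process has the DLL mapped and what is registered under Winlogon, can be scripted. This is an added example, not code from the original post; the DLL name comes from the post, and the Winlogon\Notify key path is an assumption about where the autostart entry lives.

```powershell
# Added example (not from the original post): find which processes have a given
# DLL loaded and list Winlogon Notify packages with their Authenticode status.
# Assumptions: DLL name taken from the post; Notify key path assumed.
param(
    [string]$DllName = 'sRfrcdlg.dll'   # substitute the DLL you are hunting
)

# 1. Which running processes have the DLL mapped? (the post found it in explorer.exe)
Get-Process | ForEach-Object {
    $p = $_
    try { $mods = $p.Modules } catch { $mods = @() }   # access denied on some processes
    foreach ($m in $mods) {
        if ($m.ModuleName -ieq $DllName) {
            "{0} (PID {1}) has {2} loaded from {3}" -f $p.ProcessName, $p.Id, $m.ModuleName, $m.FileName
        }
    }
}

# 2. Winlogon Notify packages load before logon and even in Safe Mode (as the post
#    describes), so every DLL registered there deserves a signature check.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'   # assumed key
if (Test-Path $notify) {
    Get-ChildItem $notify | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DllName
        if (-not $dll) { return }
        # Notify DLLs are normally listed without a path and live in System32
        $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
        $status = 'file missing'
        $signer = ''
        if (Test-Path $path) {
            $sig = Get-AuthenticodeSignature $path
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        New-Object PSObject -Property @{
            Package = $_.PSChildName; DllName = $dll; Path = $path; Signature = $status; Signer = $signer
        }
    } | Format-Table Package, DllName, Signature, Signer -AutoSize
}
```

Anything reported as NotSigned, or signed by a publisher that is not Microsoft, is the entry to investigate; the post's point that all the signed processes looked clean while the DLL inside explorer.exe did not is exactly what part 1 surfaces.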

– Soli Deo Gloria

Detach That Peripheral!

During these past two weeks I’ve noticed an interesting phenomenon: attached peripherals causing systems not to boot. My first call was a computer out on the shop floor with a keyboard not working. It was a Compaq 733 Deskpro. The screen was totally black and the user wasn’t around. I proceeded to unplug the computer and plug it back in from the power. Still no video and no hard drive activity, although the fans would speed up. Every cable was nice and snug. I proceeded to reset the CMOS using the jumper on the motherboard. No go. I then proceeded to disconnect all peripherals from the computer (network cable, monitor cable, etc). System booted right up! I added the peripherals back one at a time until I added the keyboard cable back in, and then the system wouldn’t boot. Replacing the keyboard fixed the problem. This morning, I was working on a D600 Dell Latitude laptop. Upon rebooting, the system would freeze on the BIOS screen. Powering the laptop off and on and disconnecting the battery made no difference. I proceeded to disconnect the network cable and the attached iPod device and the laptop booted right up! It seems having the iPod plugged into the USB port was causing the system not to boot. If you have a system that isn’t booting up, start by simplifying the problem by detaching all peripherals.

– Soli Deo Gloria

Can’t Burn at Anything but 48X!

Here’s a weird problem that’s plagued me at work for a while. My CD burner in my work computer would not burn at any speed other than 48X! Not slower or faster, just 48X. It came with a Dell and it is model HL-DT-ST CD-RW GCE-8483B made by LG. After doing an Internet search I found this thread. It seems this is a known problem! Using the firmware provided introduces three new burning speeds: 8x, 12x and 16x. Surprisingly, the 48X speed is gone. Hmm! I actually had to disconnect my other CD-ROM drive and make the burner the “master” drive before the update would actually work. Hopefully this entry will help anyone using this particular model of CD-ROM burner.

– Soli Deo Gloria

Moving Hard Drives Between Windows XP Systems

How many times have you gotten a call for a computer that’s dead and the user needs the computer up right away with their data? Now, if we lived by “best practices” none of the user’s data would be on the hard drive, but on a network drive that’s being backed up. The department’s PC setup would be documented with well-written documentation. I have worked in such an environment and let me tell you it is pure bliss! Maybe, however, you don’t work in such an environment. Maybe the install discs are lost. Maybe the software needs to be activated with the company and the company has gone out of business. Maybe you have no idea how or what the software does. “Just pull the hard drive from the ‘sick’ PC and put it in a good spare PC,” you say. Ah, but you assume that you have a spare PC for each model. Management usually doesn’t like keeping spare PCs around for “what-if” situations. We need to be a little more creative.

Case in point: I recently had a GX270 computer that had trouble turning on. We had recently gotten in a few new GX520s from Dell. These two computers are completely different beasts: different motherboards, different IDE chipsets and different hard drive interfaces. The GX270 had a PATA hard drive interface and the GX520 a SATA interface. The old hard drive switch-a-roo technique won’t work here. Even if the hard drive interfaces were the same, we have one small problem: differences in the IDE chipsets. If you have ever tried taking the hard drive out of an XP machine and porting it to another PC, you have probably been greeted by a STOP 0x0000007B error message. This phenomenon is explained in this Microsoft Knowledge Base article. It relates to the differences in the drivers of the IDE chipset. When you take a hard drive from one PC to another that has a dissimilar IDE chipset, it won’t work. The computer tries to initialize the drivers for a chipset that doesn’t exist. Since this chipset is responsible for booting the computer and Windows can’t initialize it, the boot fails. If you have access to the old PC and it boots, the solution is simple. Before switching out the hard drive, boot Windows XP. Go into the Device Manager and expand the IDE ATA/ATAPI Controllers section. Update the driver of the primary and secondary storage controllers to the driver labeled “Standard Dual Channel PCI IDE Controller”. When prompted to reboot, DO NOT REBOOT. Now power off the old PC and place the hard drive into the new PC. Windows should boot with the generic IDE drivers and, upon booting into Windows completely, it should detect the real identity of your IDE chipset and load the appropriate drivers (if it doesn’t, you might have to download the chipset drivers for that particular motherboard). It will prompt you to reboot again after “installing new devices”. Go ahead and do so. Voilà, you just performed “open PC surgery”!

In my case I just changed the drivers on the old PC, made a Ghost image and then brought that Ghost image back down on the new PC. Alas, what if the old PC won’t boot? How do you hack the registry without getting into the original operating system? This web site offers a very ingenious solution. Interestingly enough, it’s made by a Macintosh guru by the name of Philipp Biermann. I’m going to post his instructions and files here in this entry with a bit of modification. He claims these instructions work with Windows 2000 as well, but he appears to be using the same mergeide.reg file from the XP article on the Microsoft Support Knowledge Base mentioned earlier. I would be very leery of using this on a Windows 2000 machine unless you have done a full backup of the affected PC (a full PC backup may be a good idea in all cases).

0. Download mergeide.zip from my web site

1. Place the hard drive from the affected PC into another PC as a slave drive

2. Extract the Atapi.sys, Intelide.sys, Pciide.sys, and Pciidex.sys files from the Driver.cab file into the slave drive’s %SystemRoot%\System32\Drivers folder. Make sure you use the Driver.cab file from the same service pack level you are at (i.e. if you are working on a hard drive loaded with Windows XP SP2, use the Driver.cab from SP2 media). You can usually tell if a service pack has been applied to a Windows XP machine by looking for the presence of a $NtServicePackUninstall folder under the C:\Windows directory.

3. Open the Registry Editor by going to Start>Run and type in regedit (type in “regedt32” if you are running Windows 2000)

4. With the mouse, mark the “HKEY_LOCAL_MACHINE”

5. Go to the File up on top and then choose “Load Hive”

6. Navigate to the “%SystemRoot%\System32\config” folder (Example: C:\windows\system32\config)

7. Open the “system” file

8. When asked for a name, give it the name “aaaa” (this is important since it must match the file you downloaded from here)

9. Close the registry editor

10. Double click the expanded file you got from the mergeide.zip file. It will ask if you want to import the changes from the REG file. Say yes.

(Note, you have two choices: mergeide.reg or mergeide1.reg. The difference is that mergeide1.reg does not contain the entries for the drivers. Most of the time, they are present anyway. It is probably safer to try this version first. If mergeide1.reg does not work, do the procedure again and use the mergeide.reg file.)

11. Now, open the registry editor again and look for the “aaaa” tree in the HKEY_LOCAL_MACHINE directory

12. Mark it and from the File menu, choose “Unload hive” (this step is important as not unloading a hive can cause corruption)

13. Close the registry editor

I chose to host his mergeide.zip file on my web page in addition to his in case he ever decides to take it down (Josher took down his “Tale of Two HALs” and had no backup copy of his web site. Had I known he was taking it down I would have copied it!) Did you see what he did? He loaded the slave hard drive’s registry as a hive under the key “aaaa” and then modified the mergeide.reg to merge directly into the loaded “aaaa” hive. Brilliant.
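Steps 1 through 13 above can also be driven from the command line with reg.exe, which makes it easy to add the two checks that matter most: that the generic IDE driver files are actually on the slave drive, and that every key in the .reg file really targets HKLM\aaaa rather than the host PC’s own SYSTEM hive. This is an added example, not part of the original post or of Philipp Biermann’s files; it assumes the slave drive is mounted as D: and that mergeide1.reg was extracted to C:\temp.

```powershell
# Added example (not from the original post): scripted version of steps 1-13.
# Assumptions: slave drive mounted as D:, mergeide1.reg extracted to C:\temp.
$SlaveWindows = 'D:\Windows'
$RegFile      = 'C:\temp\mergeide1.reg'
$HiveName     = 'aaaa'   # must match the key name used inside the .reg file

# Check 1 (step 2): the generic IDE drivers must be present on the slave drive.
$drivers = 'atapi.sys', 'intelide.sys', 'pciide.sys', 'pciidex.sys'
$missing = $drivers | Where-Object { -not (Test-Path (Join-Path $SlaveWindows "System32\Drivers\$_")) }
if ($missing) { throw "Missing driver files on slave drive: $($missing -join ', ')" }

# Check 2: every key line in the .reg file must point at HKEY_LOCAL_MACHINE\aaaa;
# a stray key would modify the host PC's live registry instead of the slave hive.
$keys = Select-String -Path $RegFile -Pattern '^\[' | ForEach-Object { $_.Line }
$bad  = $keys | Where-Object { $_ -notmatch "^\[HKEY_LOCAL_MACHINE\\$HiveName\\" }
if ($bad) { throw "These keys do not target HKLM\$HiveName`: $($bad -join "`n")" }

# Steps 4-8: load the slave drive's SYSTEM hive under HKLM\aaaa.
$hive = Join-Path $SlaveWindows 'System32\config\system'
& reg.exe load "HKLM\$HiveName" $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (is the hive already loaded or the drive in use?)" }

try {
    # Step 10: merge the .reg file into the loaded hive.
    & reg.exe import $RegFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed" }

    # Show that the generic IDE services now exist in the slave hive. ControlSet001
    # is assumed to be the booting control set; confirm via Select\Current if unsure.
    foreach ($svc in 'atapi', 'intelide', 'pciide') {
        $present = Test-Path "HKLM:\$HiveName\ControlSet001\Services\$svc"
        "{0,-10} {1}" -f $svc, $(if ($present) { 'present' } else { 'MISSING' })
    }
}
finally {
    # Steps 11-12: always unload, otherwise the hive file stays locked and can corrupt.
    [GC]::Collect()   # release handles the PowerShell registry provider may still hold
    & reg.exe unload "HKLM\$HiveName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; unload HKLM\$HiveName manually in regedit" }
}
```

Run it from an elevated prompt on the host PC with the slave drive attached; if Check 2 throws, the .reg file was not the modified one that targets “aaaa” and should not be imported.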

– Soli Deo Gloria