
Thread: Beep Balm Pure and first ref

  1. #1

    Beep Balm Pure and first ref

    As the title says, I found those 2 trojans a while back on my machine and expected to have them removed by ways of different anti-virus/trojan removal software.

    I usually use trend micro online for virus scanning, Lavasoft Ad-Aware SE for spyware and recently acquired NoAdware for trojan removal.

    My OS is an XP Pro machine without SP1 or 2 installed (the SP's killed my system previously, so I decided to do without them).

    To be honest I haven't seen any side effects to these 2 trojans previously mentioned, except for the fact that one of them replicates constantly (beep balm pure): even after taking it out of the bootup (msconfig) process and deleting it manually from the Application Data it still manages to magically re-appear (I have done no manual registry editing because I'm not too confident about touching that).

    The second trojan I mentioned cannot be removed by force (delete) or cleaned by any of the previously mentioned tools. Deleting it from command prompt/windows only gives me access denied (at admin level). I checked permissions on the file itself to see if admin was magically left out of the loop but no, it does indeed have full control over the file, as well as System having full control. I have a feeling this is more of an "ex trojan's" remains that just won't leave the system; at the same time I could be wrong.

    On a side note (it may be related to those 2), for some time now I have been having with my connection properties (DSL connection). Basically, it vanishes from the face of my computer. The only way I know I can connect to my ISP is by making a desktop shortcut to my "non-existing" connection. When I say non-existing I mean every word: it does not appear in the "connect to" option in the start menu, or in "network connections" in the control panel. If I try re-creating the connection, the name "already exists", and trying to give it a different name will show the connection in "network connections" for a little over 1 minute, at which point it completely vanishes once more. If I look in my icon tray, the only connection icon I have is the wireless pcmcia; nothing else shows (when I am connected through the dsl connection). The only way I have of physically seeing the connections would be through IE at the connections option.

    Any thoughts, help on this matter would be greatly appreciated (I made a zip file containing both the beep balm pure trojan as well as the first ref one which is available upon request).

    P.S.: don't mind grammar, spelling mistakes, it is 3am and I really can't be bothered to re-read what I just said :P

  2. #2
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Is that the name that trend micro gave it?

    sure as hell can't find a reference to it on their web site..esp their Virus catalogue..


    You will need to grab this bugger by the balls and attack the registry when you remove it.. it is like cutting a hole in your skin to remove a splinter only to leave the splinter there.

    As for SP1/2.. there are some things that allow winxp to run a little more reliably with these updates.. that is aside from the Patches that come by the way.. you do have them.. don't you?

    sp2 is best installed on a clean install.. oh that is if you're not one of the unlucky dell, hp owners.. that couldn't install sp2.. (most can now with Bios updates.. and you think the registry is a scary place..lol)

    best post back with the correct name of this trojan
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #3
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Took a little searching but the closest thing I found was this:

    Code:
    O4 - HKLM\..\Run: [cashbits] C:\PROGRA~1\01 Body Window\balm pure readme.exe
    C:\PROGRA~1\01 Body Window\balm pure readme.exe
    Perhaps it is more of an example of spyware rather than a trojan?

    One way to find out is to use a tool like HijackThis and see what might be running locally on your system and in startup.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Please forgive me if you have already tried this:

    1. Update your Ad-Aware SE and NoAdware
    2. get Spybot Search & Destroy and the trial of Ewido
    3. get SwatIT

    Run them all in SAFE MODE

    Frequently this stuff cannot be removed because it is active when you run the countermeasures.

    The trial of Ewido will revert to a free, fully functional on demand scanner that you can update. The only difference from the pay-for version is the interactive protection.

    Whilst in safe mode and before you run the countermeasures, be sure to empty your temporary files, cache and history. Don't forget to empty the Java Cache, in fact it would be a good idea to disable java caching.

    Use the "tools" bit in Spybot's advanced mode to look at plug-ins, BHOs (browser helper objects) and your "Hosts" folder. Delete anything that seems related, or you don't understand...........this is safe because if you really do need it you will be prompted to re-install next time it is required

    Good luck...........please keep us informed

    EDIT: SwatIT takes a long time to run.................it is very thorough. Ewido currently looks for 87,000+ nasties, so is worth a try.

  5. #5

    small update

    First off thank you all for the prompt replies.

    Second of all, housecall does not identify those 2 as possible viruses (I pointed it to the exact directory they were located in as well as doing another system scan). So as far as the naming goes, that's as close as I can get.

    The filenames themselves are (not sure if it will help anyone): 'dale upload trans.exe' (beep balm pure) and 'for grid.exe' (First Ref).

    I'm gonna give HijackThis a try first and see what's going on; if nothing suspicious, I'm gonna go ahead with nihil's suggestions #2 and 3 since I've already done 1

    Will update again after doing those steps. *crosses fingers*

  6. #6
    Banned
    Join Date
    Aug 2004
    Posts
    534
    do everything in (like nihil said) S A F E M O D E !!!!

  7. #7
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    I am puzzled as to how you know the name of the malware and related it to those file names?

    is there something my searches have missed? do you have a link to where you read about these?

    the only link to for grid.exe is that it is a version of CWS but it wasn't referred to as First Ref.. but I did only read the first paragraph of the first 10 links...

    cheers

  8. #8
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Something makes me think someone was playing with fire...

    housecall does not identify those 2 as possible viruses (I pointed it to the exact directory they were located as well as done another system scan).
    and my Question (repeated)

    how you know the name of the malware and related it to those file names?
    (I made a zip file containing both the beep balm pure trojan as well as the first ref one which is available upon request).
    Would be nice please.. ( like playing with little pets.. are they house trained. )

    just post it in this thread with the usual warning.." that the zip file contains a virus and if you don't know what you're doing and you d.l this file and it bites you on the bum etc etc.. don't blame me.. etc etc.. " oh and password the zip file..

  9. #9
    Why not play with fire when it's fun

    Reason I "somewhat knew" they were trojans/virii was the fact they could not be deleted in a normal fashion and the fact ad-aware/trend micro didn't do anything about them (or it did and they came back anyway). Besides, they were in folders with suspicious names (that I never installed to begin with).

    The problem now went away (removal software didn't play much of a role even in safe mode); safe mode permitted me to delete the first ref and beep from my system and now I am technically virus free except for the zipped versions of those two I still have on my comp

    Here are the files for those who wanna play around with them (First Ref will be in the next post).

    edit: problem with uploading them, they are 2MB in size

  10. #10
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    Those are LOP infections (99% sure). Googling for them won't do any good because LOP usually uses three random words in its filenames (sometimes two), and the folder containing them will have two or three random words.

    Try the uninstallers provided by LOP (yeah, I know it seems counterintuitive to use removal tools from the people that infected you in the first place, but if it is a LOP infection, they will uninstall them cleanly)

    http://lop.com/new_uninstall.exe
    http://lop.com/toolbar_uninstall.exe

    If you don't want to use the uninstall tools, then you will need to use process explorer and regmon to see what is calling them, find the hidden .dll, unregister it, etc.

    Those tools can be found at sysinternals.

    Cheers!
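An added example, not code from this thread or from any of the tools named in it: a small Python triage script that parses HijackThis O4 autostart entries like the one MrLinus quoted and flags those whose folder and filename both consist of several random-looking words, the LOP naming pattern described in the last post. The sample log is constructed; only its first line is the entry quoted in this thread.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Matches a HijackThis "O4" autostart entry such as the one quoted in this thread:
#   O4 - HKLM\..\Run: [cashbits] C:\PROGRA~1\01 Body Window\balm pure readme.exe
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

class StartupEntry(NamedTuple):
    hive: str   # HKLM / HKCU
    key: str    # Run, RunOnce, ...
    name: str   # registry value name
    exe: str    # executable path with any arguments stripped

def executable_path(cmd: str) -> str:
    """Strip arguments from a Run value without breaking on the spaces inside the path."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    idx = cmd.lower().find(".exe")
    return cmd[:idx + 4] if idx != -1 else cmd.split(" ")[0]

def parse_o4(line: str) -> Optional[StartupEntry]:
    m = O4_RE.match(line.strip())
    return StartupEntry(m["hive"], m["key"], m["name"], executable_path(m["cmd"])) if m else None

def alpha_words(component: str) -> int:
    """Count purely alphabetic words in one path component: '01 Body Window' -> 2."""
    return sum(1 for w in component.split(" ") if w.isalpha())

def looks_like_lop(entry: StartupEntry) -> bool:
    """Heuristic from this thread: a random-word filename inside a random-word folder."""
    parts = entry.exe.rstrip("\\").split("\\")
    if len(parts) < 2:
        return False
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", parts[-1])   # drop the .exe extension
    return alpha_words(parts[-2]) >= 2 and alpha_words(stem) >= 2

def triage(log_lines: List[str]) -> List[Tuple[StartupEntry, bool]]:
    """Parse every O4 line of a HijackThis log and flag the LOP-looking ones."""
    entries = (parse_o4(line) for line in log_lines)
    return [(e, looks_like_lop(e)) for e in entries if e is not None]

# Constructed sample log: line 1 is the entry quoted in this thread, the rest are made up.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [cashbits] C:\PROGRA~1\01 Body Window\balm pure readme.exe",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKCU\..\Run: [Updater] "C:\Program Files\Vendor Tool\updater.exe" /silent',
    r"O3 - Toolbar: (no name) - (no file)",
]
```

Run `triage(SAMPLE_LOG)` to get each parsed entry paired with a flag; the multi-word vendor folder alone does not trip the heuristic, only the combination of a multi-word folder and a multi-word filename does.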
