Technology Questions

Old 05-06-2007, 09:34 AM
John Brainerd
Newsgroup Contributor
IE7 malware saga

I thought readers of MPIG might be interested in a problem I had for several months and eventually solved. I really hope that this issue has not been addressed before and I had simply missed it.

I have a fully updated and patched XP Pro OS; I use Windows OneCare as my primary av and malware wall; and I regularly use Spybot, Spysweeper, and AdAware as well as JV Power Tools 6. I use a separate popup blocker and the Google popup blocker is activated. About two months ago I started to get a full page popup for a shareware site, www.allwindowssoft.com and another from www.smartfixer.com. At first these didn't bother me; I would simply close the pages and go on until it occurred to me that these pages were popping up from many different sites: news sites, YouTube, comedy sites, Drudgereport, wired.com; in fact there didn't seem to be any connection between the site I was looking at and these popups. I worked at the problem on and off for a couple of weeks (as time allowed), but I couldn't figure out where they were coming from. I put the sites in my hosts file (with DNS Client both on and off), searched the computer and the registry for any term that could apply, including the IP of the sites, the name of the company that owned the site, etc., put the sites in my IE7 restricted list, etc. Hijackthis came up empty. Nothing helped.

I finally took a look at my Browser Helper file. In there I found a file called "rulbk.dll" without a publisher or description. I used autoruns.exe to find that it was listed under WINLOGON's. I disabled it, refreshed, and it was there in another iteration, enabled. I deleted it via autoruns, refreshed and it again appeared enabled. Like Freddy Krueger, it just wouldn't die. By this time I was getting pretty pissed.

I ran a search for the file (show hidden files on) by both name and CLSID on the computer and also did a registry search. I did a google search. Nothing. Finally I manually checked WINLOGON at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and found the file (rulbk.dll) listed there with a physical location at windows\microsoft.net\DirectX for Managed Code\1.0.2902.0. But, lo and behold, the file wasn't there (show hidden files on).

I tried deleting the registry entry but upon reboot the entry was still there. I went back to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\rulbk.dll and noticed that one of the REG_DWORDs was "Impersonate." I opened the Recovery Console (set up after reading a LangaList column), went to windows\microsoft.net\DirectX for Managed Code\1.0.2902.0 and, the truth will out, there it was. I copied rulbk.dll to my desktop and deleted it from windows\microsoft.net\DirectX for Managed Code\1.0.2902.0. I rebooted, opened regedit, and deleted all registry entries for the file. I then rebooted, ran JV Registry Cleaner, and haven't had the problem since.

That actually isn't the end of the story. I opened rulbk.dll with a hex reader, found the name of the author, P.J. Plauger of Dinkumware, Ltd and his phone number and called him. And, miracle of miracles, he answered the phone. Mr Plauger said that he occasionally gets phone calls from irate users asking what he has done to their computers but he explains that he writes a lot of code for various and sundry purposes and it is sometimes put to uses he doesn't approve of. He was very gracious in talking to a complete stranger on a Sunday afternoon.

So...I have a couple of questions that I hope someone can answer for me. I only noticed the "rulbk.dll" entry in Browser Helpers because it had no more information with it. Is it possible for someone to spoof this also by, for example, listing the publisher as Microsoft or some other legitimate publisher? What is the "Impersonate" function? Why is it there and is it possible that there is other malware code on my computer of which I'm unaware and, if so, how do I find it? Why didn't the term "rulbk.dll" come up in my registry searches? Does "impersonate" also prevent this?
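
The post walks through two autostart locations by hand (the IE Browser Helper Objects list and a Winlogon notification package) and judges entries by whether a publisher is shown. The script below is an added example, not from the thread or from any tool it mentions: it enumerates both locations, resolves each entry to its DLL, and checks the file's Authenticode signature rather than the publisher string, since a publisher name in a registry value or version resource is free text and proves nothing. It assumes an elevated PowerShell prompt on a Windows build that still has the Winlogon\Notify key (XP/2003); on later builds that branch simply finds nothing.

```powershell
# Added example (not from the original post). Lists Winlogon Notify packages
# and IE Browser Helper Objects, resolves each to a DLL on disk, and reports
# existence and Authenticode signature status so unsigned or "missing" entries
# stand out. Run from an elevated prompt.

function Get-DllReport {
    param([string]$Source, [string]$Name, [string]$Path)
    $full   = [Environment]::ExpandEnvironmentVariables($Path)
    $exists = Test-Path -LiteralPath $full
    $status = 'FileMissing'      # registered but not visible to the running OS
    $signer = ''
    if ($exists) {
        $sig    = Get-AuthenticodeSignature -FilePath $full
        $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Path = $full
                       Exists = $exists; Signature = $status; Signer = $signer }
}

$report = @()

# Winlogon Notify: each subkey names a DLL that winlogon.exe loads at logon.
# 'Impersonate' and 'Asynchronous' are the DWORDs Winlogon reads per package.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    foreach ($key in Get-ChildItem $notify) {
        $dll = (Get-ItemProperty -Path $key.PSPath).DllName
        if ($dll) {
            # A bare file name is loaded from System32.
            if ($dll -notmatch '[\\/]') { $dll = Join-Path $env:SystemRoot "System32\$dll" }
            $report += Get-DllReport 'WinlogonNotify' $key.PSChildName $dll
        }
    }
}

# Browser Helper Objects: each subkey is a CLSID; the DLL path comes from the
# (default) value of that CLSID's InprocServer32 key.
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bho) {
    foreach ($key in Get-ChildItem $bho) {
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$($key.PSChildName)\InprocServer32"
        if (Test-Path $srv) {
            $dll = (Get-ItemProperty -Path $srv).'(default)'
            if ($dll) { $report += Get-DllReport 'BHO' $key.PSChildName $dll }
        }
    }
}

# Unsigned entries, and entries whose file is "missing" while registered, come first.
$report | Sort-Object Exists, Signature | Format-Table -AutoSize
```

An entry reported as FileMissing while the registry still points at it is the pattern the post describes, and is worth re-checking from offline boot media (the poster used the Recovery Console), since the running system's view of the disk is the one that can be tampered with.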

Old 05-06-2007, 09:35 AM
PA Bear
Newsgroup Contributor
Re: IE7 malware saga

Sounds like a Wareout (or even a possible SmitFraud) infection, to me.

> I use Windows OneCare as my primary av and malware wall...
Uh-huh...
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin; DTS-L.org
"John Brainerd" <john.brainerd@mail.com> wrote in message news:OvCGSskdHHA.4916@TK2MSFTNGP06.phx.gbl...