Partial trojan removal

Discussion in 'Trojan Defence Suite' started by mconmackie, Oct 23, 2004.

Thread Status:
Not open for further replies.
  1. mconmackie

    mconmackie Guest

    I've read a couple of reviews of TDS-3 and before I plunk my money down for a copy, I would like to ask a question. One of my machines has a partial installation of the EGCOMM trojan. Its main dll has been deleted (egomlib_1035.dll) but another component insists on adding the start-up entry to the registry after I manually remove all references to the dll or "Instant Access". Would TDS-3 find and remove the remaining component(s) of EGCOMM/Instant Access?
     
  2. Ga1tar

    Ga1tar Registered Member

    Joined:
    Apr 11, 2004
    Posts:
    118
    Location:
    U.K
    May be a silly question, but have you tried downloading the trial version to see whether it works for you or not?
     
  3. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi mconmackie, and welcome.

    May I ask what program alerted you to having the EGCOMM trojan and the egomlib_1035.dll file?

    I have not been able to find any information on the egomlib_1035.dll nor the EGCOMM trojan. The closest I've been able to find is from Kephyr for Instant Access Dialer.B, which has an EGDHTML_1023.dll along with several other files, so you may have a new variant of that dialer.

    Could you zip up a copy of those "other components" (files?) that are putting themselves back in startup, if possible, and send by email to submit@diamondcs.com.au for analysis (please include a link back to this thread in the email message.)

    If you are using the trial copy of TDS-3, make sure you have downloaded the most recent Radius database file, which you can find here: Radius td3 update, before doing a scan.

    Please let us know what the scan results are and any other helpful information like your operating system, any other programs you've scanned with for example an anti-virus or anti-spyware app, and the program that alerted you to the infection, etc.

    Regards,

    snap
     
    Last edited: Oct 24, 2004
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    EGCOMM as I see it in Google would be a protected FTP site, and I'm not sure if it has to do with EGCOMM for air purifiers etc., so a trojan? It does not look like it?
     
  5. mconmackie

    mconmackie Guest

    In response to all of the questions:

    (1) I have not downloaded the trial version of TDS-3.

    (2) The actual dll is called egcomlib_1035.dll (I typo'd the name in my initial post, sorry). No other software alerted me to the presence of EGCOMLIB but somehow egcomlib_1035.dll was deleted and WinXP complains at start-up because a Run key points to this dll.

    (3) http://www.nsclean.com/trolist.html lists EGCOMLIB as a trojan that the product BOCLEAN is capable of removing. Hence my assumption that it is a trojan; however, this may be incorrect. I have Ad-Aware and SpyBot (both with up to date signature files) but I don't think that either of these tools recognized the dll. Please bear in mind that the affected machine is used exclusively by my son and he doesn't always remember everything that happens on his PC :-(

    (4) I have no clue as to the identity of the "other" components but their existence is presumed because after manually deleting the Run keys associated with egcomlib_1035.dll from the registry via regedit, they reappear a short time later (usually within a minute or so).

    I hope this information helps. Thanks.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Last edited: Oct 24, 2004
  7. mconmackie

    mconmackie Guest

    Ok, here's the story so far ...

    I downloaded the trial version of TDS3, updated the .td3 file from www.diamondcs.com.au (yes, I read the sticky thread from this forum pointing me to http://radius.turvamies etc. but I'm unable to determine exactly how to retrieve the file from that site). Regardless, a full system scan turned up absolutely nothing. I had Ad-Watch (Lavasoft) running at start-up and it claimed to have blocked the modification of the following registry key (again during start-up):

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    although looking at the registry a minute or so later showed that Ad-Watch was lying because the supposedly blocked registry update was indeed there along with an identical entry in the following registry key:

    HKUS\S-1-5-21-527237240-2052111302-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run

    At this point, I am no further ahead than I was prior to using TDS3.
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there,
    On the TDS site for updating it says you grab the Radius file from the site, just put it in the TDS directory and start TDS. At this moment your total references should show 39899 references.
    Let TDS do its initial startup scans, then in System Testing > Scan Control check all options and set the worm slider on highest, make sure all logical drives are scanned, press OK.
    For the most successful scans with any scanner it's best to close other scanners during that activity, especially their resident protection, so the scanner has full access to all files.


    If the dll is the only trojan part and you deleted that one, there should be no reason for further alarms, should there be?
    You see the other threads I posted; did you try a HijackThis log to check if anything suspicious is still there?
    I mean this: a trojan can install lots of files, but if the trojan part is removed those other files are no danger anymore, and with the proper info on the trojan they can be removed adequately and manually by the user.
    This is so with any scanner where files are quarantined or dealt with; TDS is no exception here, other than leaving you the choice to submit and/or delete the file after checking it, but no scanner will see "oh, this is trojan X, so now I automatically have to check for possible files a-z", as some of those files could be legal on your system!
    That is the reason why I prefer deleting such finds over trying to repair infected files, if it were possible.

    Anyway, back to your specific problem: you have seen in the HijackThis logs the specific keys to get rid of; the file is in the Run section but can't run since you deleted it already.
    Please look another time in these threads which exact steps are taken.

    Very helpful will be the AutoStartViewer (free) from the www.diamondcs.com.au products site; d/l the program, check all options and post the log or send it to support@diamondcs.com.au

    In fact I'm expecting a whole series of registry entries, which could be names containing EG*, InstantAccess, Instant Access, EGCOMService; there can be files like egdialer.exe, egdial.dll, exedialer.exe, etc. etc.
    That is the reason why the nasty infection is dealt with first, so you won't get unexpectedly high phone bills from this dialer.
     
    Last edited: Oct 25, 2004
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I know we don't normally allow HijackThis logs, but in this case please post your HJT log and I will look at it, and if I see any signs of the EGCOMLIB dialler and other entries that are probably reinstalling it, then we can send them to TDS to get included in an update as well as removing them now.

    With this dialler the associated entries DO NOT look anything like the dll file; they have completely different names and locations.
     
  10. mconmackie

    mconmackie Guest

    Warning: this may turn into a lengthy entry so ignore it if you aren't interested.

    Jooske: the total number of signatures in my .td3 file matches your stated value. I set the scan options as you indicated and performed a scan and still arrived at the same result -- nothing detected. As to your query about why I am still concerned about this issue when the actual dll is gone ... well, the answer is quite simple: I am extremely anal when it comes to any sort of software residing on any of my systems that I didn't explicitly put there.

    dvk01: after experimenting with regmon (which, by the way, proved useless in this particular scenario) and good old regedit, I have come up with the following:

    (1) It appears that Ad-Watch.exe has been compromised, and I don't believe that it was distributed that way from Lavasoft since my son has been running it at start-up for a number of weeks prior to the onset of this problem. I am hypothesizing that an external agent (most likely a malicious web site) has grafted itself onto Ad-Watch.exe. The "infection" seems to be a two-stage process.

    (2) The first step is when Ad-Watch is executed at start-up and the registry has not yet been "configured". Values are added to HKLM\Software\Microsoft\Shared Tools\MSConfig\startupreg. At this point, Ad-Aware misleads the user by stating that an attempt to update HKCU\Software\Microsoft\Windows\CurrentVersion\Run was blocked.

    (3) The next boot causes Windows to actually create the registry key that Ad-Watch misled the user into believing that it had blocked.

    (4) The next boot would activate EGCOMLIB if the dll was present.

    There are two aspects of this that are of concern: (1) why didn't TDS-3 detect the co-opted Ad-Watch.exe, and (2) the co-opted Ad-Watch.exe is obviously not using standard Windows API calls to modify the registry, since regmon didn't log the registry update. Of course there's always the possibility that regmon was detected and somehow bypassed.

    The whole problem has been circumvented by removing Ad-Watch from the start-up.
     
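The observation in the post above (a Run value that is back within a minute of being deleted, and a second value appearing under HKLM\Software\Microsoft\Shared Tools\MSConfig\startupreg) is easier to pin down by exporting the autostart keys twice a short interval apart and diffing the exports than by watching regedit. The script below is an added example written for this page, not code from the thread, from DiamondCS or from Lavasoft. It parses the text format that regedit and `reg export` write (version header, `[key]` lines, `"name"=data` lines, hex data continued with a trailing backslash) and reports every value that is new or changed in the second export. Both snapshots are constructed; the `Instant Access` value name, its rundll32 command line and the values under the msconfig sub-key are illustrative assumptions, not data captured from the affected machine. Two facts worth keeping in mind when reading such a diff: HKCU is the same hive as HKU\<SID> for the logged-on user, so an entry under one is always also visible under the other, and the msconfig `startupreg` key is where msconfig parks Run entries that have been unticked on its Startup tab.

```python
import re
from typing import Dict, List, Optional, Tuple

# Two snapshots in the format regedit and "reg export" write. Both are constructed for
# this example; the "Instant Access" value, its rundll32 command line and the msconfig
# sub-key layout are illustrative assumptions, not data captured from the affected PC.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\startupreg]
'''

AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"Instant Access"="rundll32.exe C:\\WINDOWS\\System32\\egcomlib_1035.dll,Start"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\startupreg\Instant Access]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Instant Access"
"hkey"="HKCU"
"command"="rundll32.exe C:\\WINDOWS\\System32\\egcomlib_1035.dll,Start"
'''

# "name"=data or @=data (default value); the name may contain escaped quotes.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse exported .reg text into {key: {value_name: raw_data}}.

    Handles the version header, [key] lines, "name"=data and @=data lines, and
    hex(...) data continued over several lines with a trailing backslash. Data is
    kept exactly as exported ("..." literal, dword:..., hex:...)."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    pending: Optional[Tuple[str, str]] = None   # (name, partial data) of a continued value
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                  # continuation line of a hex value
            name, data = pending
            data += line.rstrip("\\")
            pending = (name, data) if line.endswith("\\") else None
            if pending is None:
                keys[current][name] = data
            continue
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})         # empty keys are recorded too
            continue
        match = VALUE_RE.match(line)
        if current is None or not match:
            continue
        name = match.group(1) if match.group(1) is not None else "@"
        data = match.group(2)
        if data.endswith("\\"):
            pending = (name, data.rstrip("\\"))
        else:
            keys[current][name] = data
    return keys


def decode_reg_string(data: str) -> str:
    """Turn an exported REG_SZ literal ("C:\\dir\\x.dll") back into the stored string."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data                                  # dword:/hex: data is returned untouched


def diff_snapshots(before: Dict[str, Dict[str, str]],
                   after: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(key, value name, raw data) for every value that is new or changed in `after`."""
    changes: List[Tuple[str, str, str]] = []
    for key, values in after.items():
        old = before.get(key, {})
        for name, data in values.items():
            if old.get(name) != data:
                changes.append((key, name, data))
    return changes


def find_autostart_changes(before_text: str, after_text: str) -> List[Tuple[str, str, str]]:
    return diff_snapshots(parse_reg_export(before_text), parse_reg_export(after_text))


if __name__ == "__main__":
    for key, name, data in find_autostart_changes(BEFORE, AFTER):
        print(f"{key}\n    {name} = {decode_reg_string(data)}")
```

On the machine itself the two inputs would come from `reg export` of the Run key and of the msconfig key, run once right after deleting the entry and once a couple of minutes later; whatever shows up in the diff is the thing to hunt in the process list, not the dll that is already gone.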
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If you look at the Ad-Watch.exe properties, has it recently been modified (by the infection, for example)?
    Could you please produce a HJT log and an AutoStartViewer log so the experts can help you look if anything is still there?
    TDS alerts on malware, dangerous code, not just on file names.
    What you can do with files is put them in the TDS list for CRC checks (in the Important Sticky threads are some descriptions about that), so you would know immediately about changes.
    The registered TDS version allows you to install the exec protection, which checks every file before it is allowed to execute, so your trojan would not have been able to run and install itself with this protection.
    I guess you will like to look at ProcessGuard too, to protect your processes from anything illegal, including modifying and terminating them, but your system first must be really clean before installing that.
     
  12. FanJ

    FanJ Guest

    For the original poster:

    Hi,
    You were invited and allowed to post a HijackThis log.
    I don't understand why you haven't posted one, but that is up to you.

    You were saying that (quoting you now) "it appears that Ad-Watch.exe has been compromised".
    For the moment I would say: do you have proof of that?
    Do you mean that the file Ad-Watch.exe has been changed on your system?
    Almost the only way to prove that is to tell exactly which version of Ad-Aware and Ad-Watch you are using and to give its MD5 checksum (or use an even stronger hash algorithm), so several other people with the same versions could compare it with the one they have on a clean system (or ask Lavasoft for its MD5 checksum). (Or, if you have another, clean, machine: download it on that machine, calculate its MD5 on that one, then copy the installation file through a clean CD-ROM or floppy to the "compromised" machine, and watch on that machine whether that file has been changed, using a file-integrity checker (you can use the CRC32 test of TDS-3 for that).)

    PS-1:
    It isn't exactly the first time that I tell people to use a good file-integrity-checker.
    PS-2:
    Of course I am well aware that the "good working" of a file does not only depend on whether the file itself has been changed.
    PS-3:
    I advise strongly the use of a program like Process-Guard (starting on a clean machine) for those who can use it.
     
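The procedure FanJ describes (hash a known-good copy, carry the hashes over on clean media, re-hash the suspect machine and compare) is a file-integrity check, and it is worth automating so the same baseline can be re-checked after every reboot. The following is an added example for this page, not a tool from the thread, from DiamondCS or from Lavasoft. It uses SHA-256 rather than MD5 or CRC32, since CRC32 is trivial to forge and MD5 collisions are practical, and it reports modified, missing and newly added files separately, because a dropped dll next to the untouched binaries is as interesting as a patched binary. The directory and file contents in `demo()` are stand-ins constructed for the example; on a real machine you would baseline the vendor's install directory from a clean system and keep the JSON on a CD or floppy, as the post suggests.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

CHUNK_SIZE = 1 << 20   # hash in 1 MiB pieces so large binaries are not read into memory at once
DEFAULT_PATTERNS = ("*.exe", "*.dll")


def hash_file(path: Path, algorithm: str = "sha256") -> str:
    """Hex digest of a file's contents. SHA-256 by default: CRC32 is trivial to forge
    and MD5 collisions are practical, so neither proves a binary is the vendor's."""
    digest = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, patterns: Iterable[str] = DEFAULT_PATTERNS) -> Dict[str, str]:
    """Map every file under `root` matching `patterns` to its digest.
    Keys are root-relative POSIX-style paths so the baseline is portable between machines."""
    baseline: Dict[str, str] = {}
    for pattern in patterns:
        for path in sorted(root.rglob(pattern)):
            if path.is_file():
                baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def save_baseline(baseline: Dict[str, str], dest: Path) -> None:
    """Write the baseline as JSON; in practice `dest` lives on read-only media."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def compare(baseline: Dict[str, str], root: Path,
            patterns: Iterable[str] = DEFAULT_PATTERNS) -> Dict[str, List[str]]:
    """Re-hash `root` and report what changed relative to the stored baseline."""
    current = build_baseline(root, patterns)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a stand-in program directory, then patch one binary
    and drop a new dll beside it, the situation the post above hypothesises."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Lavasoft"
        root.mkdir()
        (root / "Ad-Watch.exe").write_bytes(b"MZ" + b"\x90" * 256)   # placeholder bytes, not the real file
        (root / "Ad-Aware.exe").write_bytes(b"MZ" + b"\xcc" * 256)
        store = Path(tmp) / "baseline.json"                           # would be on a CD or floppy
        save_baseline(build_baseline(root), store)

        (root / "Ad-Watch.exe").write_bytes(b"MZ" + b"\x90" * 256 + b"patched")
        (root / "dropped.dll").write_bytes(b"MZ" + b"\x00" * 16)

        return compare(load_baseline(store), root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A clean result from this check only says the files on disk are the ones you baselined; as FanJ's PS-2 notes, a program can still misbehave through what was loaded into it or what sits in the registry around it, which is why the logs are still needed.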
  13. mconmackie

    mconmackie Guest

    To FanJ:

    I made the statement regarding Ad-Watch purely based on observed behavior, i.e. when Ad-Watch is not in the list of start-up programs, no modifications are made to the registry and Windows does not complain of any missing dll's. I might have breached protocol in blaming Ad-Watch but I stand by my observations. I am aware of the process of comparing files and as of yet, I have not had the opportunity to complete that task. I have just now finished running HijackThis and AutoStartViewer. Unlike some people, my real job (the one that I'm paid to do) prevents me from responding to requests in a time frame that others in this forum might consider "normal", so give me a break :mad:

    Logfile of HijackThis v1.98.2
    Scan saved at 8:34:47 PM, on 10/26/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jim\My Documents\My Received Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v5.windowsupdate.microsoft.c...Page=2&index=0&ErrorCode=-2145099774&ln=en-us
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095722102062
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E9AC2DC8-F9AF-42A2-A8EB-6FC3545999B3}: NameServer = 24.226.1.46,24.226.1.47


    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Jim@JIM-RNMGPARH1TM, 10-26-2004
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\System32\ssflwbox.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\System32\ssflwbox.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SoundMan
    C:\WINDOWS\SOUNDMAN.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccRegVfy
    C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\GhostStartTrayApp
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
    C:\WINDOWS\System32\\NeroCheck.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IntelliType
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
    C:\WINDOWS\system32\mobsync.exe /logon
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS
    C:\Program Files\Messenger\msmsgs.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NvMediaCenter
    RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
    C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exe
    C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job
    C:\Program Files\Norton SystemWorks\OBC.exe
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    C:\Program Files\Microsoft Office\Office\OSA9.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
     
  14. FanJ

    FanJ Guest

    Oops, my apologies to you ! :oops:
     
  15. mconmackie

    mconmackie Guest

    Note that the previously posted logs were obtained from the system _without_ Ad-Watch in the start-up program list. I can run them again with Ad-Watch enabled but I will not be able to post the results until tomorrow evening. If so, when should they be run ... first boot after adding Ad-Watch, second boot, third boot or all three? Please advise.
     
  16. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I don't think Ad-Watch is to blame, but you have had a hijacker and toolbar, the searchmall one, with some traces left behind in the log.

    Please look for this dll on your system, winsrm32.dll, and delete it if found. I am sure it won't be, as Norton has it in its database and I am sure that TDS does also.

    Now run HijackThis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php


    I would then run Ad-Aware with updated definitions & check that no other bits are left behind.


    An updated HJT & Autostart Viewer log would be useful and should be done after enabling Ad-Watch and then rebooting.

    Please also make sure all startups in msconfig are enabled before making & posting the logs.

    Edit: and also please check your hosts file for any unwanted additions.
     
    Last edited: Oct 27, 2004
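The triage dvk01 does by eye on the posted log (spot the R1 search hijack, note the O1 hosts entry, ignore the Norton and nVidia lines) is mechanical enough to script, which helps when the same log has to be re-read after every reboot. The script below is an added example for this page, not part of HijackThis or of anything the posters used. It splits each log line into its section code (R0-R3, O1-O17) and body, then applies a few rules drawn from the advice in this thread: any R-entry URL whose host is not on a short trusted list, every O1 hosts-file mapping (dvk01's "check your hosts file"), orphaned O2/O3/O9 entries ending in "(no file)", and any entry whose text matches the names Jooske and dvk01 associate with this dialer (EG*, Instant Access, egdial, exedialer, winsrm32). The sample log reuses lines from the log posted above; the O4 "Instant Access" line is constructed to show the watch-list rule firing and is not from the real log. The trusted-host list is an assumption for the example and would be tuned for the machine.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Lines from the HijackThis log posted in this thread, plus one constructed O4 line
# (marked) showing what a leftover dialer autostart entry could look like.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Instant Access] rundll32.exe C:\WINDOWS\System32\egcomlib_1035.dll,Start
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9AC2DC8-F9AF-42A2-A8EB-6FC3545999B3}: NameServer = 24.226.1.46,24.226.1.47
"""

ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
URL_RE = re.compile(r"https?://\S+")
# Names the posters in this thread associate with the Instant Access / EGCOMLIB dialer.
DIALER_WATCHLIST = re.compile(r"egcom|egdial|exedialer|instant\s?access|winsrm32", re.I)
# Assumption for the example: hosts an IE search/start-page setting may legitimately point at.
TRUSTED_URL_SUFFIXES = ("microsoft.com", "msn.com")

Finding = Tuple[str, str, str]   # (section code, reason, original line)


def host_is_trusted(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_URL_SUFFIXES)


def triage(log_text: str) -> List[Finding]:
    """Return the log entries a reviewer should look at, with the rule that flagged each."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue                                   # header, process list, blank lines
        code, body = match.groups()
        if DIALER_WATCHLIST.search(body):
            findings.append((code, "matches dialer watch-list name", line))
            continue
        if code.startswith("R"):                       # IE start/search page settings
            for url in URL_RE.findall(body):
                if not host_is_trusted(url):
                    host = urlparse(url).hostname
                    findings.append((code, f"IE setting points at untrusted host {host}", line))
                    break
        elif code == "O1":                             # hosts-file overrides
            findings.append((code, "hosts-file override, verify the mapping is intended", line))
        elif code in ("O2", "O3", "O9") and body.endswith("(no file)"):
            findings.append((code, "orphaned entry, file no longer present", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line.strip()}")
```

The rules deliberately say nothing about O4 entries that merely use rundll32 or live outside Program Files, since the posted log shows nVidia and Symantec doing exactly that legitimately; a watch-list of names tied to the specific infection produces fewer false alarms than a generic heuristic, and the watch-list is the part to update when a new variant turns up.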
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    http://www.giantcompany.com/antispyware/research/spyware/spyware-Instant-Access.aspx
    You will be happy when looking at your own logs that not much or nothing of the possible files belonging to that nasty, as described above, is on your system.
    This is why your logs are so important!
    When you create the new AutoStartViewer log, can you please select all three options at the top of the menu to be included?

    BTW: did you disable the system-restore (temporary) so after a reboot the nasties aren't back?
     