Horrible Mutex Problem

Discussion in 'Trojan Defence Suite' started by Luke Price, Aug 31, 2004.

Thread Status:
Not open for further replies.
  1. Luke Price

    Luke Price Guest

    Once I updated TDS-3 today I received the following:

    16:42:18 [Memory Scan] Memory scan started, please wait a moment ...
    16:42:21 [Memory Scan] Memory scan complete.
    16:42:21 [Mutex Memory Scan] Started...
    16:42:24 [Mutex Memory Scan] Trojan mutex(es) found:
    16:42:24 [Mutex Memory Scan] ... mutex found for TrojanDownloader.Win32.Adi
    16:42:24 [Trace Scan] Started...
    16:42:40 [Trace Scan] Finished.

    That is all the information I get about the TrojanDownloader.Win32.Adi source. I don't know much about removal of trojans or viruses, so please help me get rid of this problem. Thanks.
     
  2. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Hi Luke,

    You almost certainly are infected. TDS-3 has detected a mutex (essentially a flag that says "yes, I'm running") in memory that is unique to this particular trojan, and there is virtually no chance of any legitimate program using this particular mutex name due to the somewhat rude nature of the mutex name, which I won't say here. If you've done a full system scan (with all scan options turned on) and TDS wasn't able to find the file then it may have been heavily modified to avoid detection by scanners, but because of TDS's many different detection techniques it's a lot harder to bypass all of them, as you've now seen.

    First things first, download our free Autostart Viewer program. Can you see any entries that you're not familiar with, or look new, or you're unsure about?

    Then have a look at your running process list. Are there any processes that you're not familiar with, or look new, or you're unsure about?

    When you find a file you think may be the culprit, move the file to another location (i.e. c:\quarantine), but do not delete the file. You may need to terminate it first (as the mutex will only exist while it is running). When it's been moved to a new location it has essentially been rendered harmless, as there are no autostart entries pointing to it that will cause it to automatically load the next time you start Windows. When you've done that, please submit the file to submit(at)diamondcs.com.au for analysis.
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    It's definitely a new variant of that trojan - chances are nothing will detect it. Please do run ASViewer or HijackThis and send us a log; I'll be able to spot the offender. Any problems, email us.
     
  4. Luke Price

    Luke Price Guest

    I've downloaded Autostart Viewer 1.4. I'm pretty new to Windows XP Pro, so most of these processes look unfamiliar. Is there any way you could hint me towards the correct file that holds this trojan?
     
  5. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    When you're using Autostart Viewer, press Ctrl+S to save the display to a text file, and then email that file to submit(at)diamondcs.com.au or send it as a private message to Gavin.
     
  6. Luke Price

    Luke Price Guest

    Sorry Gavin missed your post at first. Here is the log you've requested:

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Administrator@LOGICAL, 08-31-2004
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\System32\sstext3d.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\System32\sstext3d.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CloneCDTray
    C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    C:\Program Files\Microsoft Office\Office10\OSA.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\imslsp.dll
    C:\WINDOWS\System32\ZoneLabs\vetredir.dll
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    All looks normal there. Please use ASViewer and press F2, F3 and F4 once each, which shows more autostarts, then post the log.

    Also a process list of running programs; a HijackThis log will do - see this post (but skip straight to step 2):

    https://www.wilderssecurity.com/showthread.php?t=15913
     
  8. Luke Price

    Luke Price Guest

    Here is Autostart's log after I pressed F2, F3, F4:

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Administrator@LOGICAL, 08-31-2004
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\System32\sstext3d.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\System32\sstext3d.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CloneCDTray
    C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    C:\Program Files\Microsoft Office\Office10\OSA.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\imslsp.dll
    C:\WINDOWS\System32\ZoneLabs\vetredir.dll
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll

    I will add the other log from HijackThis once I download the program and read the thread you posted. I am doing it right now.
     
  9. Luke Price

    Luke Price Guest

    SORRY!!! That was the same log, here is the correct one:

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Administrator@LOGICAL, 08-31-2004
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\System32\sstext3d.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\System32\sstext3d.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CloneCDTray
    C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    C:\Program Files\Microsoft Office\Office10\OSA.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\imslsp.dll
    C:\WINDOWS\System32\ZoneLabs\vetredir.dll
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\INF\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44AC6201-B203-10CC-1F32-A0BC12E2014D}\
    C:\WINDOWS\System32\mssyncr.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}\
    C:\WINDOWS\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\
    C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
    HKLM\System\CurrentControlSet\Services\Ati HotKey Poller\
    C:\WINDOWS\System32\Ati2evxx.exe
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\CAISafe\
    C:\WINDOWS\System32\ZoneLabs\isafe.exe
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\DcomLaunch\
    C:\WINDOWS\system32\svchost -k DcomLaunch
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\dmserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\ElbyCDIO\
    C:\WINDOWS\System32\Drivers\ElbyCDIO.sys
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\MDM\
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RemoteRegistry\
    C:\WINDOWS\system32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SharedAccess\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\vsmon\
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wscsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
     
  10. Luke Price

    Luke Price Guest

    Here you go:

    Logfile of HijackThis v1.98.2
    Scan saved at 8:24:45 PM, on 8/31/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\ZoneLabs\isafe.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\services.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\FlashGet\flashget.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis1982.exe

    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093833408113
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.35mb.com/applet.cab
     
  11. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    What operating system are you using - 2K or XP?
     
  12. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    C:\WINDOWS\services.exe

    Kill this :) Please send it to me at submit(at)diamondcs.com.au and then remove it. You can do so by going to the TDS Process List in System Analysis, finding this running, then right-click, Kill Process and Delete File.

    Make sure you kill the one in the Windows folder, NOT system32.
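    What gives the file away in the HijackThis process list above is not its name but its directory: services.exe is a Windows binary that runs only from %SystemRoot%\System32, so a copy running from C:\WINDOWS is masquerading. The script below is an added example by the editor (not DiamondCS or HijackThis code) that parses the "Running processes" section of a HijackThis log and flags protected system-binary names running from anywhere other than System32. The sample log is a cut-down copy of the one posted above; the set of protected names and the single legitimate directory are assumptions for a standard XP install on C:\WINDOWS.

```python
from pathlib import PureWindowsPath

# Constructed sample: a cut-down copy of the HijackThis v1.98.2 log posted in this
# thread (header, process list, first O1 line). Only the process section is parsed.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
Scan saved at 8:24:45 PM, on 8/31/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\services.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
"""

# Windows binaries whose names malware likes to borrow. On a default XP install each
# of these runs only from %SystemRoot%\System32 (assumption: a standard C:\WINDOWS layout).
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "userinit.exe", "ctfmon.exe",
}
LEGIT_DIRS = {r"c:\windows\system32"}


def parse_running_processes(log_text: str) -> list[str]:
    """Return the image paths listed under 'Running processes:' in a HijackThis log."""
    paths: list[str] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line:  # the section ends at the first blank line
                break
            paths.append(line)
    return paths


def find_masquerades(paths: list[str]) -> list[str]:
    """Paths whose file name is a protected system binary but whose directory is not System32.

    The comparison is case-insensitive because Windows paths are; HijackThis itself
    prints both 'System32' and 'system32' for the same directory.
    """
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() in SYSTEM_BINARIES and str(wp.parent).lower() not in LEGIT_DIRS:
            hits.append(p)
    return hits


if __name__ == "__main__":
    for hit in find_masquerades(parse_running_processes(SAMPLE_LOG)):
        print("suspicious:", hit)
```

    Run against the sample, the only hit is C:\WINDOWS\services.exe; the real services.exe in system32 and everything else in the list pass. The same name-versus-directory rule is what Gavin applies by eye in the post above, and it also explains why the Task Manager refused the kill: it judged the process by its name, not its path.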
     
  13. Luke Price

    Luke Price Guest

    You can't kill this file. TDS said it killed it and also deleted it, but when I restarted my computer my firewall reported services.exe asking for internet again. I tried terminating the program through the Task Manager, but it says it is a critical system process. How should this program be killed if TDS can't kill it?
     
  14. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Download our free Advanced Process Termination program:
    http://www.diamondcs.com.au/index.php?page=apt
    You shouldn't have any problems terminating the process with that.

    When the process has been terminated, move (but do NOT delete) the file to a different location, such as c:\quarantine. However, even without terminating it you should be able to email the file to us.
     
  15. Luke Price

    Luke Price Guest

    Okay, I am able to terminate the program and then relocate or delete the file. The problem is that once I restart my computer the file is recreated in C:\windows. I sent the file to you guys in .zip format. If you didn't receive it I can send it again, because right now it seems it isn't going anywhere. I really thank you guys too for your hard work on helping me with this problem.
     
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    I did receive it. It's similar to previous versions and seems to be more of a test than something dangerous. Not sure how you got infected either; there isn't too much information about this one available.

    Try rebooting into Safe Mode and deleting the file again. Does it return? Surely it should NOT; there is no self-protection in this. Nothing else in your log looks responsible for this.
     
  17. Luke Price

    Luke Price Guest

    Sorry Gavin, but I went into Safe Mode, deleted the file, and when I restarted my computer services.exe was recreated in the C:\Windows directory and asking for internet usage again. Does this mean there's another program working with this one, or does it have virus abilities?
     
  18. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Something else must be "dropping" it, but I can't tell what from your log.

    Delete it again, but this time create a new folder in the Windows folder and name it services.exe. This will prevent the dropper working, and might even crash it, giving us a hint as to what it was that dropped it. If you reboot and get any error, note the full error message please. I'll look over your log again for hints.
     
  19. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    C:\WINDOWS\System32\ZoneLabs\vetredir.dll

    Please send me this file, could be the problem. Doesn't look right..
     
  20. Luke Price

    Luke Price Guest

    Okay, I have created a folder named services.exe in the C:\Windows directory and restarted my computer. I didn't receive any kind of error or anything that could pinpoint the cause of the problem. I have sent you the file C:\WINDOWS\System32\ZoneLabs\vetredir.dll, so hopefully this is our problem's source.
     
  21. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Seems like we found it :)

    HKLM\Software\Microsoft\Active Setup\Installed Components\{44AC6201-B203-10CC-1F32-A0BC12E2014D}\
    C:\WINDOWS\System32\mssyncr.exe

    Delete this registry value as well as both files, reboot, problem gone?
    Please send me that file just in case, but it's probably another copy of the same file.

    To delete the above, try ASViewer, right-click and Jump to with Regedit. Then delete the KEY on the left (looks like a folder) named {44AC6201-B203-10CC-1F32-A0BC12E2014D}.
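    Two things make that entry stand out in the extended ASViewer report. The location is Active Setup\Installed Components, which Windows runs at logon for every user who has not yet run that component, and which on a clean machine carries only Microsoft's own setup stubs (rundll32 with advpack.dll, regsvr32, setup50.exe, ie4uinit.exe and so on). The command is a bare executable in System32 that is not part of Windows. The Python below is an added example by the editor, not DiamondCS tooling: it parses the two-line location/command layout of an ASViewer report, pulls out the Active Setup stubs, and diffs the report against a known-good one so that a new component like this one surfaces without reading every line by hand. The sample report is trimmed from the one posted above; the "baseline" is constructed here by removing the offending component and stands in for a report saved from a clean machine of the same build; the regex that recognises location lines is a heuristic for this report text, not an ASViewer feature.

```python
import re

# Constructed sample: the Active Setup section of the extended (F2/F3/F4) ASViewer
# report posted in this thread, plus a few entries from the start of that report.
CURRENT_REPORT = r"""
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Administrator@LOGICAL, 08-31-2004
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
C:\WINDOWS\INF\unregmp2.exe /ShowWMP
HKLM\Software\Microsoft\Active Setup\Installed Components\{44AC6201-B203-10CC-1F32-A0BC12E2014D}\
C:\WINDOWS\System32\mssyncr.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
C:\WINDOWS\system32\ie4uinit.exe
"""

# Constructed stand-in for a report saved from a known-clean machine of the same build:
# identical to the above except that the {44AC6201-...} component is absent.
BASELINE_REPORT = "\n".join(
    line for line in CURRENT_REPORT.splitlines()
    if "{44AC6201-B203-10CC-1F32-A0BC12E2014D}" not in line and "mssyncr.exe" not in line
)

# ASViewer prints an autostart location on one line and the command(s) stored there on
# the following line(s). A location is a registry path or one of the file-based hooks
# seen in the report (autoexec.nt/config.nt, system.ini sections, Startup .lnk files).
# Heuristic for the report text; ASViewer exposes no API for this.
_LOCATION = re.compile(
    r"^(HK(LM|CU|CR|U)\\|.*\\(autoexec|config)\.nt$|.*\.ini \[|.*\.lnk$)", re.IGNORECASE
)


def parse_asviewer(report: str) -> dict[str, list[str]]:
    """Map each autostart location to the commands ASViewer listed under it."""
    entries: dict[str, list[str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line.startswith("DiamondCS Autostart Viewer"):
            continue
        if _LOCATION.match(line):
            current = line
            entries.setdefault(current, [])
        elif current is not None:
            entries[current].append(line)
    return entries


def active_setup_stubs(report: str) -> dict[str, list[str]]:
    """Only the Active Setup\\Installed Components stubs, which Windows runs at logon for
    every user who has not yet run that component. On a clean system these are all
    Microsoft setup stubs (rundll32/advpack, regsvr32, setup50.exe, ie4uinit.exe ...)."""
    return {
        loc: cmds
        for loc, cmds in parse_asviewer(report).items()
        if "\\active setup\\installed components\\" in loc.lower()
    }


def new_autostarts(baseline: str, current: str) -> dict[str, list[str]]:
    """Commands in `current` that the known-good `baseline` lacks at the same location."""
    base = parse_asviewer(baseline)
    diff: dict[str, list[str]] = {}
    for loc, cmds in parse_asviewer(current).items():
        extra = [c for c in cmds if c not in base.get(loc, [])]
        if extra:
            diff[loc] = extra
    return diff


if __name__ == "__main__":
    for loc, cmds in new_autostarts(BASELINE_REPORT, CURRENT_REPORT).items():
        print(loc)
        for cmd in cmds:
            print("   ", cmd)
```

    On the sample, the diff returns exactly one location, the {44AC6201-...} component with C:\WINDOWS\System32\mssyncr.exe as its stub, which is the dropper found above. In practice the baseline should come from a clean machine at the same service-pack level, since every Windows update and Office install adds its own Active Setup components and the diff will otherwise be noisy.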
     
  22. Luke Price

    Luke Price Guest

    YAHOOO!!! YOU GUYS DID IT!!! You're awesome. I was starting to think my problem was too complicated, but damn, you put that theory to shame :) Sorry, I forgot you wanted mssyncr.exe, but I can tell you the file size was the same or pretty close (can't remember exactly) to services.exe, but mssyncr.exe gave me no trouble when I deleted it manually. I thank you guys a million for your help, because there was no way I would have ever figured out how to remove that trojan, nor even known I had one, if it wasn't for you :) Tell your boss I say you deserve a raise ;)
     
  23. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    :) Great to hear.
     
  24. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Quite sure it was the same file, a backup copy. Glad it's gone :) Added to tonight's update too.
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.35mb.com/applet.cab

    Are you sure this one is a normal, legal, innocent one? I see it everywhere being removed as a nasty o_O
     