Horrible Mutex Problem

Once I updated TDS-3 today I received the following:

16:42:18 [Memory Scan] Memory scan started, please wait a moment ...
16:42:21 [Memory Scan] Memory scan complete.
16:42:21 [Mutex Memory Scan] Started...
16:42:24 [Mutex Memory Scan] Trojan mutex(es) found:
16:42:24 [Mutex Memory Scan] ... mutex found for TrojanDownloader.Win32.Adi
16:42:24 [Trace Scan] Started...
16:42:40 [Trace Scan] Finished.

That is all the information I get about TrojanDownloader.Win32.Adi source. I don't know much about removal of trojans or virus so please help me get rid of this problem. Thanks

 

Hi Luke,

You almost certainly are infected. TDS-3 has detected a mutex (essentially a flag that says "yes i'm running") in memory that is unique to this particular trojan, and there is virtually no chance of any legitimate program using this particular mutex name due to the somewhat rude nature of the mutex name, which I won't say here. If you've done a full system scan (with all scan options turned on) and TDS wasnt able to find the file then it may have been heavily modified to avoid detection by scanners, but because of TDS's many different detection techniques it's a lot harder to bypass all of them, as you've now seen.

First things first, download our free Autostart Viewer program. Can you see any entries that you're not familiar with, or look new, or you're unsure about?

Then have a look at your running process list. Are there any processes that you're not familiar with, or look new, or you're unsure about?

When you find a file you think may be the culprit, move the file to another location (ie. c:\quarantine), but do not delete the file. You may need to terminate it first (as the mutex will only exist while it is running). When it's been moved to a new location it has essentially been rendered harmless, as there's no autostart entries pointing to it that will cause it to automatically load the next time you start Windows. When youve done that, please submit the file to submit(at)diamondcs.com.au for analysis.

 

Its definitely a new variant of that trojan - chances are nothing will detect it. Please do run ASViewer or HijackThis and send us a log, I'll be able to spot the offender. Any problems email us

 

I've downloaded the Autostart Viewer 1.4. I'm pretty new with Windows XP Pro so most of these processes look unfamiliar. Is there anyway you could hint me towards the correct file that holds this trojan?

 

When youre using Autostart Viewer press Ctrl+S to save the display to a text file, and then email that file to submit(at)diamondcs.com.au or send it as a private message to Gavin

 

Sorry Gavin missed your post at first. Here is the log you've requested:

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Administrator@LOGICAL, 08-31-2004
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
C:\WINDOWS\System32\sstext3d.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOWS\System32\sstext3d.scr
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CloneCDTray
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
C:\Program Files\Microsoft Office\Office10\OSA.EXE
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\imslsp.dll
C:\WINDOWS\System32\ZoneLabs\vetredir.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll

 

All looks normal there, please use ASViewer and press F2 F3 F4 once each which shows more autostarts, then post the log

Also a process list of running programs, HijackThis log will do - see this post (but skip straight to step 2)

https://www.wilderssecurity.com/showthread.php?t=15913

 

Here is Autostart's log after I pressed F2, F3, F4:

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Administrator@LOGICAL, 08-31-2004
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
C:\WINDOWS\System32\sstext3d.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOWS\System32\sstext3d.scr
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CloneCDTray
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
C:\Program Files\Microsoft Office\Office10\OSA.EXE
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\imslsp.dll
C:\WINDOWS\System32\ZoneLabs\vetredir.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll

I will add the other log from Hijackthis once I download the program and read the thread you posted. I am doing it right now.

 

SORRY!!! That was the same log, here is the correct one:

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Administrator@LOGICAL, 08-31-2004
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
C:\WINDOWS\System32\sstext3d.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOWS\System32\sstext3d.scr
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CloneCDTray
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
C:\Program Files\Microsoft Office\Office10\OSA.EXE
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\imslsp.dll
C:\WINDOWS\System32\ZoneLabs\vetredir.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
C:\WINDOWS\INF\unregmp2.exe /ShowWMP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{44AC6201-B203-10CC-1F32-A0BC12E2014D}\
C:\WINDOWS\System32\mssyncr.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}\
C:\WINDOWS\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
regsvr32.exe /s /n /i:U shell32.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
C:\WINDOWS\system32\ie4uinit.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\
C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
HKLM\System\CurrentControlSet\Services\Ati HotKey Poller\
C:\WINDOWS\System32\Ati2evxx.exe
HKLM\System\CurrentControlSet\Services\AudioSrv\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Browser\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\CAISafe\
C:\WINDOWS\System32\ZoneLabs\isafe.exe
HKLM\System\CurrentControlSet\Services\CryptSvc\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\DcomLaunch\
C:\WINDOWS\system32\svchost -k DcomLaunch
HKLM\System\CurrentControlSet\Services\Dhcp\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\dmserver\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dnscache\
C:\WINDOWS\System32\svchost.exe -k NetworkService
HKLM\System\CurrentControlSet\Services\ElbyCDIO\
C:\WINDOWS\System32\Drivers\ElbyCDIO.sys
HKLM\System\CurrentControlSet\Services\ERSvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Eventlog\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\helpsvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanserver\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanworkstation\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\LmHosts\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\MDM\
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
HKLM\System\CurrentControlSet\Services\PlugPlay\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\PolicyAgent\
C:\WINDOWS\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\ProtectedStorage\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\RemoteRegistry\
C:\WINDOWS\system32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\RpcSs\
C:\WINDOWS\system32\svchost -k rpcss
HKLM\System\CurrentControlSet\Services\SamSs\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\Schedule\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\seclogon\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SENS\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SharedAccess\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\ShellHWDetection\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Spooler\
C:\WINDOWS\system32\spoolsv.exe
HKLM\System\CurrentControlSet\Services\srservice\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Themes\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\TrkWks\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\vsmon\
C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
HKLM\System\CurrentControlSet\Services\W32Time\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WebClient\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\winmgmt\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\wscsvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\wuauserv\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WZCSVC\
C:\WINDOWS\System32\svchost.exe -k netsvcs

 

Here you go:

Logfile of HijackThis v1.98.2
Scan saved at 8:24:45 PM, on 8/31/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\services.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TDS3\tds-3.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis1982.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093833408113
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.35mb.com/applet.cab

 

What operating system are you using - 2K or XP?

 

Hi,

C:\WINDOWS\services.exe

Kill this Please send it to me submit(at)diamondcs.com.au and then remove it. You can do so by going to the TDS Process List in System Analysis, find this running and right-click, kill process and delete file

Make sure you kill the one in the Windows folder, NOT system32

 

You can't kill this file, TDS said it killed it & also deleted but when I restarted my computer my firewall reported services.exe is asking for internet again. I tired terminating the program through the task manager but it says it is a critical system process. How should this program be killed if TDS cant kill it.

 

Download our free Advanced Process Termination program:
http://www.diamondcs.com.au/index.php?page=apt
You shouldn't have any problems terminating the process with that.

When the process has been terminated, move (but do NOT delete) the file to a different location, such as c:\quarantine. However, even without terminating it you should be able to email the file to us.

 

Okay I am able to terminate the program & then relocate or delete the file. The problem is once I restart my computer the file is recreated in C:\windows. I sent the file to you guys in .zip format. If you didn't receive I can send it again because for right now it seems it isnt going anyway where. I really thank you guys too for your hard work on helping me with this problem.

 

Hi,

I did receive it, its similar to previous versions and seems to be more of a test, than something dangerous. Not sure how you got infected either, there isn't too much information about this one available.

Try rebooting into Safe Mode and delete the file again, does it return ? surely it should NOT, there is no self protection in this. Nothing else in your log looks responsible for this

 

Sorry Gavin but I went into Safe Mode deleted the file & when I restarted my computer services.exe was recreated in the C:\Windows directory and asking for internet usage again. Does this mean theres another program working with this one or does it have virus abilities?

 

Something else must be "dropping" it, but I cant tell what from your log..

Delete it again, but this time create a new folder in the Windows folder, name it services.exe. This will prevent the dropper working, and might even crash it giving us a hint as to what it was that dropped it. If you reboot and get any error, note the full error message please. I'll look over your log again for hints

 

C:\WINDOWS\System32\ZoneLabs\vetredir.dll

Please send me this file, could be the problem. Doesn't look right..

 

Okay I have created a folder named services.exe in the C:\Windows directory and restarted my computer. I didn't receive any kind of error or anything that could pin point the problem causer. I have sent you the file C:\WINDOWS\System32\ZoneLabs\vetredir.dll
so hopfully this is our problems source.

 

Seems like we found it

HKLM\Software\Microsoft\Active Setup\Installed Components\{44AC6201-B203-10CC-1F32-A0BC12E2014D}\
C:\WINDOWS\System32\mssyncr.exe

Delete this registry value as well as both files, reboot, problem gone ?
Please send me that file just in case, but its probably another copy of the same file

To delete the above, try ASViewer, right-click and Jump to with Regedit. Then delete the KEY on the left (looks like a folder) named {44AC6201-B203-10CC-1F32-A0BC12E2014D}

 

YAHOOO!!! YOU GUYS DID IT!!! Your awesome, I was starting to think my problem was too complicated but damn you put that theory to shame Sorry I forgot you wanted mssyncr.exe but I can tell you the file size was the same or pretty closely the same (cant remember exactly) to services.exe but mssyncr.exe gave me no trouble when I deleted it manually. I thank you guys a million for your help because there was no way I would have ever figured out that how to remove that trojan nor even know I had one if it wasnt for you Tell your boss I say you deserve a raise

 

Great to hear.

 

Quite sure it was the same file, a backup copy. Glad its gone added to tonights update too

 

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.35mb.com/applet.cab

Are you sure about this one to be a normal legal innocent one? I see it everywhere removed as a nasty