New trojan trojanspy.win32.agent.14 (dll)

Discussion in 'Trojan Defence Suite' started by millerm54, Nov 19, 2004.

Thread Status:
Not open for further replies.
  1. millerm54

    millerm54 Registered Member

    Joined:
    Nov 19, 2004
    Posts:
    5
    New trojan trojanspy.win32.agent.14 (dll)

    I have been hit by a trojan I cannot find any information on. The id was given by the TDS-3 program, which could not remove it. There is a process running in memory called sysxml.exe that points to a location in the Windows tasks directory but is not to be found on the hard drive. It runs in both normal and safe mode, and if you remove the program from the registry, it replaces the entry as soon as you close the screen.
    Any possible help would be appreciated.
     
    Last edited: Nov 19, 2004
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: New trojan trojanspy.win32.agent.14 (dll)

    I suspect that this is a newish version of an older hijacker that has 2 hidden reinstallers


    It always starts with sys and has a random number of letters after that

    there will be the sysxml.exe and a sysxml.dll and a sysp.dll (the sysp.dll is the reinstaller)

    please do this so I can check

    go to http://www.thespykiller.co.uk/files/HijackThis.exe and download 'Hijack This!'.
    make sure it is placed into its own folder, not a temporary folder. Then doubleclick the Hijackthis.exe.
    Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. millerm54

    millerm54 Registered Member

    Joined:
    Nov 19, 2004
    Posts:
    5
    Here is the log. I have been using Hijackthis for several months to work on computer adware and spyware problems. This is the first trojan that has kicked my butt in a long time.
    Thanks for the help

    Michael


    Logfile of HijackThis v1.98.2
    Scan saved at 3:58:46 PM, on 11/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
    C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\Program Files\Common Files\PestPatrol\ppRemoteService.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\America Online 7.0\aoltray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Sherry Harmon\Desktop\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\SHERRY\LOCALS~1\Temp\lmxsys.dat
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [*sysxml] C:\WINDOWS\Tasks\sysxml.exe
    O4 - HKLM\..\RunOnce: [*sysxml] C:\WINDOWS\Tasks\sysxml.exe rerun
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Yes it's a new blasted trojan that is impossible to remove with normal means

    first please copy C:\WINDOWS\Tasks\sysxml.exe in fact please copy & zip anything inside the tasks folder (except the M$ "add scheduled task wizard" which should be its only entry) & send it and this file also C:\DOCUMENTS AND SETTINGS\SHERRY\LOCAL SETTINGS\Temp\lmxsys.dat

    to submit@diamondcs.com.au with a short note referring to this thread & then do this


    Download pocket killbox from http://download.broadbandmedic.com/Killbox.exe put it on the desktop where you can find it easily


    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\SHERRY\LOCALS~1\Temp\lmxsys.dat
    O4 - HKLM\..\Run: [*sysxml] C:\WINDOWS\Tasks\sysxml.exe
    O4 - HKLM\..\RunOnce: [*sysxml] C:\WINDOWS\Tasks\sysxml.exe rerun

    now run killbox and paste each of these lines into the box, select delete on reboot and end explorer shell before deleting. On any dll file tick unregister dll before deleting, then press the red X button, when it says reboot now, say no and continue to paste the lines in, in turn, and follow the above procedure every time, DO NOT LET IT REBOOT YET

    C:\WINDOWS\Tasks\sysxml.exe
    C:\DOCUMENTS AND SETTINGS\SHERRY\LOCAL SETTINGS\Temp\lmxsys.dat

    then Go to Start > Run and type %temp% in the Run box, press OK . The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of that Temp folder.

    then go to C:\windows\temp and select EVERYTHING except temporary internet files, cookies and history folders and delete all that and then do the same for C:\temp

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then let it reboot & when it has rebooted please post a new log
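    As an added example (not from this thread, HijackThis, or any of the tools named above), the following Python script applies dvk01's indicators from posts 2 and 4 to HijackThis log lines copied from the log posted above: an autorun whose name starts with "sys" plus random letters, a target sitting in the Windows Tasks folder, the same program registered in both Run and RunOnce (the "rerun" reinstaller), and a BHO loading from a Temp folder or from a file that is not a .dll. The regular expressions and the reason strings are my own heuristics, not part of HijackThis.

```python
import re
from collections import defaultdict

# Constructed input: lines copied from the HijackThis log posted in this
# thread, plus benign entries from the same log, so the triage runs offline.
SAMPLE_LOG = r"""
O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\SHERRY\LOCALS~1\Temp\lmxsys.dat
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [*sysxml] C:\WINDOWS\Tasks\sysxml.exe
O4 - HKLM\..\RunOnce: [*sysxml] C:\WINDOWS\Tasks\sysxml.exe rerun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

O2_RE = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# The first token ending in an executable-style extension is the program path;
# this copes with unquoted paths containing spaces and with trailing arguments.
PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|dat|ocx|com|scr))(?:"|\s|$)', re.I)
# dvk01's naming pattern: "sys" followed by random letters (HJT shows a leading '*').
SYS_NAME_RE = re.compile(r"^\*?sys[a-z]+$", re.I)

def program_path(cmd: str) -> str:
    m = PATH_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()

def triage(log_text: str) -> dict[str, list[str]]:
    """Return {log line: [reasons]} for entries matching the thread's indicators."""
    findings: dict[str, list[str]] = defaultdict(list)
    keys_by_target: dict[str, set[str]] = defaultdict(set)
    lines_by_target: dict[str, list[str]] = defaultdict(list)
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if m := O2_RE.match(line):
            path = m.group("path").lower()
            if "\\temp\\" in path:
                findings[line].append("BHO loaded from a Temp folder")
            if not path.endswith((".dll", ".ocx")):
                findings[line].append("BHO file is not a .dll/.ocx")
        elif m := O4_RE.match(line):
            target = program_path(m.group("cmd")).lower()
            if SYS_NAME_RE.match(m.group("name")):
                findings[line].append("autorun name follows the sys+random-letters pattern")
            if "\\tasks\\" in target:
                findings[line].append("autorun target lives in the Windows Tasks folder")
            keys_by_target[target].add(m.group("key"))
            lines_by_target[target].append(line)
    # Same program under both Run and RunOnce: the "rerun" reinstaller pattern.
    for target, keys in keys_by_target.items():
        if {"Run", "RunOnce"} <= keys:
            for line in lines_by_target[target]:
                findings[line].append("same target in both Run and RunOnce")
    return dict(findings)

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line, "\n   ->", "; ".join(reasons))
```

    Flagged lines are candidates for review, not a verdict: the MMTray and MSMSGS entries above pass untouched, and any entry the script flags still needs a human to confirm it against the rest of the log.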
     
  5. millerm54

    millerm54 Registered Member

    Joined:
    Nov 19, 2004
    Posts:
    5
    There is no file in the c:\windows\tasks directory other than the add scheduled task wizard. I have run a complete search of the hard drive including system-hidden files and not found a copy of sysxml.exe. When I followed the procedure listed above, tea timer was able to block the CATLEvents entry from the reg but the sysxml.exe file is listed in the current processes list. Is there a program that will show me what process is trying to replace the files in the registry? Also is there any way to tell when a program was last accessed? When I try to delete the sysxml.exe from running processes it restarts within less than a second. If I delete the reg entries for the file, it reappears as soon as I close that particular key. The machine is on a customer site 150 miles away so I can’t get to it till Wednesday 11/24 but I am about ready to wipe the drive and start over. Any further help would be wonderful

    Thanks
    Michael
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  7. millerm54

    millerm54 Registered Member

    Joined:
    Nov 19, 2004
    Posts:
    5
    The removal tool worked. The processes are gone and the machine runs correctly!

    Thanks for all your help!

    Michael :D
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi millerm54, Glad it is fixed, I think dvk01 would still like to see a new HJT log though.
    BTW TDS3 does catch this nasty including the dropper & installer. :)

    Pilli
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Hi Pilli

    TDS recognises it like KAV and most antiviruses but the way it hooks into the system needs a special way to remove it and TDS doesn't actually seem to fix it even though the exec prot should have stopped it running

    The symantec tool does fix this particular version and I'm sure when gavin looks at the tool he will incorporate the fixes into tds3 if it is possible if not then I'm sure TDS 4 will have the capabilities of fixing these sort of pests.

    It has been a busy few days with this one until symantec came up with the fix as it's spreading like wildfire and all the regular methods didn't work
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks for the clarification :)

    Would ProcessGuard not have stopped it installing by blocking .dll injection even if the installer was allowed to run?
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I would have thought that PG would have stopped it

    I tried to infect my computer with it when we were having difficulties curing it yesterday to experiment but prevx stopped it installing so PG definitely should have done
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks :)
     
  13. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    Win32/Vundo is since the 4th of September in the database of NOD32. Maybe it's a good idea to use that AV too ;)
     
  14. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Thanks for the info but we know that and this is a new version that came out a few days ago with a nasty hidden hook to prevent it being easily removed. All the antiviruses/anti trojans detect it but none could remove it because of the new addition to it

    that is why prevention is better than cure and any AV that stops it being installed is good
     
  15. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    Ewido claims that it would have intercepted and cleaned the thing too ;)
     
  16. millerm54

    millerm54 Registered Member

    Joined:
    Nov 19, 2004
    Posts:
    5
    Logfile of HijackThis v1.98.2
    Scan saved at 12:47:29 PM, on 11/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
    C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\Program Files\Common Files\PestPatrol\ppRemoteService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\System32\wuauclt.exe
    \LIGHTSERVER\Acct\BWGold\BWLauncher.exe
    C:\PVSW\BIN\W3DBSMGR.EXE
    \LIGHTSERVER\Acct\BWGold\BWServer.exe
    \LIGHTSERVER\Acct\BWGold\TASKS\TASK6020.EXE
    \LIGHTSERVER\Acct\BWGold\TASKS\TASK6009.EXE
    C:\Program Files\Microsoft Office\Office\Excel.exe
    C:\Program Files\Outlook Express\MSIMN.EXE
    C:\Documents and Settings\Sherry Harmon\Desktop\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [*sysxml] C:\WINDOWS\Tasks\sysxml.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
     
  17. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    There is one entry still showing in the hjt log

    I am assuming it's just a left over registry entry from when the symantec cleaner fixed it

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O4 - HKLM\..\Run: [*sysxml] C:\WINDOWS\Tasks\sysxml.exe


    then reboot twice please and post a further log to check
     
  18. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Can you please install Windows XP Service Pack 2? SP2 can help to secure your computer in some ways.
    Please go to v5.windowsupdate.microsoft.com and check for updates and install them, if any.
     