Trojan infection in C:\Recycler?

Discussion in 'malware problems & news' started by kylekyle, Apr 29, 2005.

Thread Status:
Not open for further replies.
  1. kylekyle

    kylekyle Registered Member

    Joined:
    Apr 29, 2005
    Posts:
    1
    This is a conglomeration of some posts I made at the TDS-3 private forums. Maybe a wider audience will help with this problem.

    This is what I get when I scan my PC with TDS-3.

    Scan Control Dumped @ 22:49:47 26-04-05
    File Trace: Default trojan filename: Worm.Legion
    File: C:\Recycler\Legion.exe.vbs

    File Trace: Default trojan filename: RAT.ServuDoor
    File: C:\Recycler\tlist.exe

    File Trace: Default trojan filename: RAT.ServuDoor
    File: C:\Recycler\JAsfv.ini

    File Trace: Default trojan filename: RAT.ServuDoor
    File: C:\Recycler\iissrvs.exe

    File Trace: Default trojan filename: RAT.ServuDoor
    File: C:\Recycler\hk.exe

    File Trace: Default trojan filename: RAT.ServuDoor
    File: C:\Recycler\iis.dll

    File Trace: Default trojan filename: RAT.ServuDoor
    File: C:\Recycler\iisl.dll

    File Trace: Default trojan filename: RAT.ServuDoor
    File: C:\Recycler\JAsfv.exe

    File Trace: Default trojan filename: RAT.ServuDoor
    File: C:\Recycler\JAsfv.dll

    File Trace: Default trojan filename: RAT.ServuDoor
    File: C:\Recycler\Localstart.cnf

    File Trace: Default trojan filename: RAT.ServuDoor
    File: C:\Recycler\nc.exe

    File Trace: Default trojan filename: RAT.ServuDoor
    File: C:\Recycler\pskill.exe

    When I delete the files through TDS-3 it says they're deleted, but when I scan again they are back.

    It shows as a hidden file in Explorer, but I get "Access Denied" when I try to browse it.
    I don't have the Recycle Bin enabled so the directory shouldn't be there. I CANNOT delete this directory any way I've tried.
    This includes-
    from safe mode w/ command prompt
    with Killbox every way possible
    from a boot disk
    from Microsoft Recovery Console
    dellater.exe

    I get "Directory is not empty" and "Access Denied" errors.

    And my Sygate Firewall Pro appears to have been corrupted beyond usability.
    Also having intermittent Internet Connection problems now.

    Oh, and XP Pro SP2 all current updates, latest MSXML, all office updates, latest Sun Java, Process Guard free, NOD32 trial, Windows Firewall, Spyware Blaster, Ad-Aware, Spybot...

    I am running TDS-3 on my user account w/admin privileges, but not the default XP "Administrator" account though.

    I have the config set to "boost TDS-3 token privileges" as well.

    And I have System Restore completely disabled on my machine.

    Whatever this thing is, it's tenacious.

    There don't appear to be any associated running processes that I can tell, using any utilities, including Process Explorer.

    Some time passes...

    Eraser actually deleted the folder! C:\Recycler is gone... only to be replaced by ANOTHER folder immediately with a randomly generated 8-character name such as C:\M9KTU5B3. When I erase that I get C:\Q492KCWO. And so on ad nauseam.

    And now TDS-3 finds nothing on the trace scan.

    I also found two 1.5GB "system files" (i.e. no extension) named "2" and "7" in my Windows folder that I managed to delete with Eraser.

    Also, I get an "Access Denied" error when I try to run File Monitor by sysinternals.

    This thing is starting to freak me out a little...
    Rootkit?

    I'm about to nuke my hard drive and reinstall, but damn, this is an intriguing problem.
     
  2. bdw

    bdw Registered Member

    Joined:
    Jun 26, 2005
    Posts:
    2
    I was about to post an identical problem. Have you resolved it yet? Here's my TDS-log:
    Code:
    Scan Control Dumped @ 09:54:42 26-06-05
    File Trace: Default trojan filename: Worm.Legion
      File: C:\Recycler\Legion.exe.vbs
    
    File Trace: Default trojan filename: RAT.ServuDoor
      File: C:\Recycler\tlist.exe
    
    File Trace: Default trojan filename: RAT.ServuDoor
      File: C:\Recycler\JAsfv.ini
    
    File Trace: Default trojan filename: RAT.ServuDoor
      File: C:\Recycler\iissrvs.exe
    
    File Trace: Default trojan filename: RAT.ServuDoor
      File: C:\Recycler\hk.exe
    
    File Trace: Default trojan filename: RAT.ServuDoor
      File: C:\Recycler\iis.dll
    
    File Trace: Default trojan filename: RAT.ServuDoor
      File: C:\Recycler\iisl.dll
    
    File Trace: Default trojan filename: RAT.ServuDoor
      File: C:\Recycler\JAsfv.exe
    
    File Trace: Default trojan filename: RAT.ServuDoor
      File: C:\Recycler\JAsfv.dll
    
    File Trace: Default trojan filename: RAT.ServuDoor
      File: C:\Recycler\Localstart.cnf
    
    File Trace: Default trojan filename: RAT.ServuDoor
      File: C:\Recycler\nc.exe
    
    File Trace: Default trojan filename: RAT.ServuDoor
      File: C:\Recycler\pskill.exe
    Windows shows C:\Recycler to contain 0 bytes; I'm running 2000, so no System Restore, and I'm administrator. After deleting the files through TDS they show up again on the next scan (without a reboot).

    The odd thing is that C:\Recycler is accessible on all partitions except for C. All are NTFS.

    Any ideas guys?
     
  3. bdw

    bdw Registered Member

    Joined:
    Jun 26, 2005
    Posts:
    2
    OK, search first, ask questions later. I've managed to resolve it. For some reason no-one, not even system or administrators, had security rights to C:\Recycler. A few weeks ago I was playing around with security rights on my C-drive due to some very persistent directory creation by my Canon printer drivers. I didn't use TDS after that until this morning when it discovered the trojans. A scan by Nod32 didn't result in any alarms and I've also got an updated Boclean running at all times.

    Recycle Bin was working fine, despite the security rights issue. The underlying directory was empty, as expected. I'm now working on the assumption TDS didn't have access to the directory and for some reason mistakes this for the infection listed. The following system scan by TDS didn't find any problems whatsoever, despite the fact I hadn't authorised the software to delete the files last time it discovered them.

    Perhaps someone from TDS can look into this issue.
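The root cause bdw describes above (no principal, not even SYSTEM or Administrators, holding rights on C:\Recycler, so the scanner's "Access Denied" was reported as if it were an infection) is something you can check directly rather than infer from a scan log. The PowerShell below is an added example for this thread, not code from the original posts or from TDS-3. The function name Test-DirectoryAccess, the two principals it checks, and the recovery commands at the end are my choices; the takeown/icacls commands assume Windows Vista or later (XP and 2000, the systems in this thread, shipped cacls instead of icacls).

```powershell
# Added example (not from the thread): check whether SYSTEM and Administrators can
# actually read a directory, so a scanner's "Access Denied" is not mistaken for an
# infection. Assumes Windows PowerShell 5.1 or later and an elevated prompt.

function Test-DirectoryAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Principals an elevated on-demand scanner will run as; 'NO ACE' or 'DENY'
        # for either of these means the scanner cannot enumerate the directory.
        [string[]] $RequiredPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    $result = [ordered]@{ Path = $Path; Exists = (Test-Path -LiteralPath $Path) }
    if (-not $result.Exists) { return [pscustomobject]$result }

    try {
        $acl = Get-Acl -LiteralPath $Path
    } catch {
        # Get-Acl itself needs READ_CONTROL on the object; failing here is
        # already the symptom bdw hit (nobody holds rights on the directory).
        $result.Owner = '<unreadable>'
        $result.Error = $_.Exception.Message
        return [pscustomobject]$result
    }
    $result.Owner = $acl.Owner

    foreach ($principal in $RequiredPrincipals) {
        $rules     = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $principal }
        $denied    = $rules | Where-Object { $_.AccessControlType -eq 'Deny' }
        $allowRead = $rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
        }
        $state = if ($denied) { 'DENY' } elseif ($allowRead) { 'OK' } else { 'NO ACE' }
        $result[$principal] = $state
    }

    # Try the operation a scanner performs: enumerate the directory, hidden entries included.
    try {
        Get-ChildItem -LiteralPath $Path -Force -ErrorAction Stop | Out-Null
        $result.Enumerable = $true
    } catch {
        $result.Enumerable = $false
    }

    [pscustomobject]$result
}

# Usage on the folder from the thread (run from an elevated prompt):
Test-DirectoryAccess -Path 'C:\Recycler' | Format-List

# If SYSTEM or Administrators show 'NO ACE' or 'DENY', take ownership and regrant
# explicit full control, then rescan. icacls ships with Vista and later; on XP/2000
# the equivalent tool was cacls. (Commands shown commented out; review before running.)
# takeown.exe /F C:\Recycler /A /R /D Y
# icacls.exe C:\Recycler /grant "NT AUTHORITY\SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F" /T /C
```

The useful output is the Enumerable field next to the per-principal ACE state: a directory that exists but cannot be enumerated by an elevated account is the condition under which a file-trace scan can report entries it never actually read. Run the check before deleting anything a scanner lists under such a directory, since deleting the "found" files will, as both posters saw, appear to succeed and change nothing.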
     