Win32/suomia

Discussion in 'malware problems & news' started by Pieter_Arntz, Nov 21, 2002.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi all,

    I'm trying to help someone on a Dutch forum, but I'm afraid I can't handle it alone.
    He ran an on-line scan at: http://www.ravantivirus.com/scan/indexie.php

    These were the results:
    C:\werk....21 Full-Crack.exe->(AsPack2k) : Infected with Backdoor:Win32/Theefle.patch
    C:\werk...ish Full-Crack.exe->(AsPack2k) : Infected with Backdoor:Win32/Theefle.patch
    C:\Syst...394.exe->(RARSfx)->Alderan.exe : Infected with Trojan:Win32/Suomia
    He downloaded, updated and ran Trojan Hunter which found and got rid of the upper two, but did not find the third one.
    He checked his registry to see if it is this one: http://www.virus-scan-software.com/latest-virus-software/latest-viruses/suomia.shtml but it isn't.
    A manual search on his system did come up empty for alderan.exe and *394.exe (this scan apparently does not give full path names).
    Any ideas are welcome.

    Regards,

    Pieter
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Obviously, it could be either a false positive or something TH does not detect. So, the options are to try other scanners, either online ones or other trial AT packages.

    Also, assuming it's not a "false positive", but only RAV can "see it" currently, then ways to isolate just what file it is become a priority. The RAV online scanner seems to report viruses as it finds them, and it displays generally what folders it's scanning as it runs, how about if he re-runs it and watches closely as it scans - when it finds the file, make note of the folder it's supposed to be scanning in. Then, perhaps zero in on the file using the "scan a folder" and "scan a file" options available? At the very least, this gets him closer to the exact file in question and perhaps by process of elimination, he can determine if it's an issue - examining the suspect file or files to see if it's something he installed, and knows as trusted or not...

    Just a couple thoughts,
    LowWaterMark
     
  3. feertje22

    feertje22 Registered Member

    Joined:
    Nov 21, 2002
    Posts:
    3
    hi,

    I do not know what that (potential) virus is doing on a system, but the pc it is on has a problem starting up IE6 or OE.

    The first time you try to launch IE6 or OE it can take up to 2 or 3 min before the program is running. During that time it does not react at all, however you can open folders on the machine.

    After that first time you can run the programs instantly, no problem.

    So if anyone has a suggestion, please post it here.

    Greetings
    Feertje
     
  4. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Maybe it helps to download a trial version of RAV (or some other good av software) and run it instead of using an online scan. This will at least produce a more readable output with full path names.

    The last one maybe could be also a false positive by RAV. Maybe before deleting the file he should send it to CeCAD for analysis.

    wizard
     
  5. feertje22

    feertje22 Registered Member

    Joined:
    Nov 21, 2002
    Posts:
    3
    NAV 2002 (updated 20/11) does not find it.
     
  6. feertje22

    feertje22 Registered Member

    Joined:
    Nov 21, 2002
    Posts:
    3
    Housecall online scanner does not find it
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    feertje 22,

    I'm adding your Startuplist here.
    Maybe someone else can find something suspicious:

    StartupList report, 21-11-2002, 22:11:29
    StartupList version: 1.35.0
    Started from : D:\DOCUME~1\FERAEN~1.THU\LOCALS~1\Temp\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    D:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    D:\Documents and Settings\Fera en Martin.THUIS\Desktop\PopUpKiller.EXE
    D:\WINDOWS\System32\ctfmon.exe
    D:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\System32\tcpsvcs.exe
    D:\WINDOWS\System32\snmp.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\ZONELABS\vsmon.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    D:\PROGRA~1\WinZip\winzip32.exe
    D:\DOCUME~1\FERAEN~1.THU\LOCALS~1\Temp\StartupList.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = D:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    anvshell = anvshell.exe
    NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
    PopUpKiller = D:\Documents and Settings\Fera en Martin.THUIS\Desktop\PopUpKiller.EXE
    THGuard = "D:\Program Files\TrojanHunter 2.5\TH_Guard.exe"

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = D:\WINDOWS\System32\ctfmon.exe

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = D:\WINDOWS\INF\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
    StubPath = "D:\WINDOWS\System32\rundll32.exe" "D:\Program Files\Messenger\msgsc.dll",ShowIconsUser

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    D:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    D:\WINDOWS\Explorer\Explorer.exe: not present
    D:\WINDOWS\System\Explorer.exe: not present
    D:\WINDOWS\System32\Explorer.exe: not present
    D:\WINDOWS\Command\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - D:\Program Files\DAP\DAPIEBar.dll - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}]
    CODEBASE = http://home.wanadoo.nl/music-place2be/freemp3s.exe

    [CAX Control]
    InProcServer32 = D:\WINDOWS\DOWNLO~1\cax.ocx
    CODEBASE = https://www.p3.postbank.nl/sesam/CAX.cab

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://a1540.g.akamai.net/7/1540/52/20020909/qtinstall.info.apple.com/sikes/nl/win/QuickTimeInstaller.exe

    [Google Activate]
    InProcServer32 = d:\windows\downloaded program files\GoogleToolbar_nl_1.1.62-deleon.dll
    CODEBASE = http://toolbar.google.com/data/nl/deleon/1.1.54-deleon/GoogleNav.cab

    [HouseCall Control]
    InProcServer32 = D:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2002060602/housecall.antivirus.com/housecall/xscan53.cab

    [Tintel Class]
    CODEBASE = http://exe.dialer.tintel.nl/tcw.cab

    [MSN Photo Upload Tool]
    InProcServer32 = D:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
    CODEBASE = http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab

    [Shockwave Flash Object]
    InProcServer32 = D:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [RavOnline Control]
    InProcServer32 = D:\WINDOWS\DOWNLO~1\RAVONL~1.OCX
    CODEBASE = http://www.ravantivirus.com/scan/ravonline.cab

    [PBGNX Control]
    InProcServer32 = D:\WINDOWS\DOWNLO~1\PBGNX.ocx
    CODEBASE = https://www.p3.postbank.nl/GTO/PBGNX.cab

    [HouseCall Control]
    InProcServer32 = D:\WINDOWS\DOWNLO~1\xscan51.ocx
    CODEBASE = http://www.housecall.nl/housecall/xscan4.cab

    --------------------------------------------------
    End of report, 6.913 bytes
    Report generated in 0,040 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    Regards,

    Pieter
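    As an added example (not code from this thread or from StartupList itself), here is a small Python triage pass over the Run-key entries in the report above. The sample lines are constructed from the HKLM and HKCU "Autorun entries" sections, and the three checks are ones a reviewer applies by eye anyway: a program given without a directory (so it is found through the search path at logon), a program started from a location any user can write to, and an unquoted path containing spaces. A flag is a reason to look closer, not a verdict: the unqualified rundll32 entry and the PopUpKiller on the desktop may well be legitimate.

```python
# Constructed sample: the HKLM and HKCU Run entries from the StartupList report
# above, in the "name = command" form StartupList prints them.
STARTUP_ENTRIES = """\
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
anvshell = anvshell.exe
NAV Agent = C:\\PROGRA~1\\NORTON~1\\navapw32.exe
PopUpKiller = D:\\Documents and Settings\\Fera en Martin.THUIS\\Desktop\\PopUpKiller.EXE
THGuard = "D:\\Program Files\\TrojanHunter 2.5\\TH_Guard.exe"
ctfmon.exe = D:\\WINDOWS\\System32\\ctfmon.exe
"""

EXE_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")

# Locations a non-administrator can write to. An autostart pointing there did not
# need any privilege to be created, so it is worth checking what put it there.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\desktop\\")

R_NO_DIR = "no directory given: resolved through the search path at logon"
R_USER_DIR = "started from a user-writable location"
R_UNQUOTED = "unquoted path containing spaces"


def parse_entries(text):
    """Yield (name, command) pairs from StartupList's 'name = command' lines."""
    for line in text.splitlines():
        name, sep, command = line.partition(" = ")
        if sep:
            yield name.strip(), command.strip()


def executable_of(command):
    """Return (program, was_quoted) for a Run-key command line.

    Quoted commands are unambiguous. For unquoted ones Windows tries each
    space-delimited prefix in turn, so the first prefix that ends in an
    executable extension is taken as the program, falling back to the first token.
    """
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]), True
    tokens = command.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXE_EXTENSIONS):
            return candidate, False
    return tokens[0], False


def triage(text):
    """Return [(name, program, reasons)] for entries that deserve a closer look."""
    flagged = []
    for name, command in parse_entries(text):
        program, quoted = executable_of(command)
        reasons = []
        if "\\" not in program:
            reasons.append(R_NO_DIR)
        if any(marker in program.lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append(R_USER_DIR)
        if not quoted and " " in program:
            reasons.append(R_UNQUOTED)
        if reasons:
            flagged.append((name, program, reasons))
    return flagged


if __name__ == "__main__":
    for name, program, reasons in triage(STARTUP_ENTRIES):
        print(f"{name}: {program}")
        for reason in reasons:
            print("    -", reason)
```

    Run as-is it flags NvCplDaemon, anvshell and PopUpKiller; the two Norton and TrojanHunter entries and ctfmon pass. The same three checks can be pointed at the "Running processes" list, which StartupList prints as bare paths.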
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Theefle (at least the latest version) comes with plugins - which can be altered. Therefore, it could well be cleaning these ones did the job in regard to the (altered) plugin as well. I'm interested in a) running DLLs b) possible existing self-extracting RAR files (RARsfx). Any info on these?

    On a side note: apart from opinions in regard of running cracks - there's often a high price to pay - as seems to be the case here.

    regards.

    paul
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    feertje22,

    I would like to advise the following:
    1. Remove NAV 2002 following: http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001083014161306
    I think it has been corrupted, because Auto-protect won't start, and the considerable amount of time it takes OE and IE to get started.
    2. Install a new anti-virus program. If you want to stick with NAV I would suggest upgrading to version 2003.
    3. Download and install FileChecker and let it guard at least the key-executables of your AV, AT and firewall.
    4. Change your passwords after all this, but asap

    Regards,

    Pieter
     
  10. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    Well.. I'm too tired (and overall lazy) to read all posts in this thread, so.. :D

    Just a simple question...

    Is the file stored in the folder C:\System Volume Information ?

    That folder is used to store backups of files for the file system protection, and antivirus programs, for example, don't have access to delete the files in there.

    You can either remove the file using a bootdisk, or disable the protection (which will probably make you lose any restore points you may have).

    1. Right-click "My Computer" and choose "Properties" (it's either located on the desktop, or in the start menu).

    2. Select the tab "System restore".

    3. Check the option "Turn off system restore".

    4. Restart the computer.

    5. Scan the system with an antivirus scanner.

    6. Repeat step 1 and 2, and de-select "Turn off system restore" in order to enable it again.

    Regards,
    Anders
    EuroSecure
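    As an added example (not code from this thread), the following Python script ties together the truncated paths in the first post and the System Restore location anders points to: it parses the RAV result lines into a path prefix, a path suffix, the container chain (packer or archive member) and the detection name, then walks a directory tree for files matching prefix...suffix. The directory tree, the `{EXAMPLE-GUID}` and the file names in it are constructed for this example and stand in for a drive root; on a real Windows XP machine `System Volume Information` is by default accessible only to the SYSTEM account, so a walk run as an ordinary user will not see it, which would explain a manual search coming up empty.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample input: the three result lines quoted from the RAV online scan
# in the first post, with the paths truncated exactly as the scanner printed them.
RAV_RESULTS = """\
C:\\werk....21 Full-Crack.exe->(AsPack2k) : Infected with Backdoor:Win32/Theefle.patch
C:\\werk...ish Full-Crack.exe->(AsPack2k) : Infected with Backdoor:Win32/Theefle.patch
C:\\Syst...394.exe->(RARSfx)->Alderan.exe : Infected with Trojan:Win32/Suomia
"""


def parse_result_line(line):
    """Split one scanner line into (truncated_path, container_chain, detection).

    The chain is the '->' list after the file name: a packer such as (AsPack2k),
    or an archive member such as Alderan.exe inside a RAR self-extractor (RARSfx).
    """
    location, sep, detection = line.partition(" : Infected with ")
    if not sep:
        raise ValueError(f"not a detection line: {line!r}")
    path, *chain = location.split("->")
    return path, chain, detection.strip()


def split_truncated(path):
    """Turn 'C:\\Syst...394.exe' into (drive, prefix, suffix).

    The scanner keeps the first and last characters of the path and replaces the
    middle with '...'. Dots touching the ellipsis are ambiguous (they could belong
    to the real name or to the ellipsis), so they are left out of the pattern.
    """
    drive, sep, rest = path.partition("\\")
    prefix, ellipsis, suffix = rest.partition("...")
    if not ellipsis:                      # nothing was cut: match the whole path
        return drive + sep, rest, ""
    return drive + sep, prefix.rstrip("."), suffix.lstrip(".")


def find_candidates(root, prefix, suffix):
    """Relative paths below root (standing in for the drive root) that begin with
    prefix and end with suffix. Comparison is case-insensitive, as on Windows."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = Path(dirpath, name).relative_to(root).as_posix().replace("/", "\\")
            if rel.lower().startswith(prefix.lower()) and rel.lower().endswith(suffix.lower()):
                hits.append(rel)
    return sorted(hits)


def locate_from_report(report, root):
    """Map each detection line to the on-disk candidates it could refer to."""
    results = []
    for line in report.splitlines():
        if not line.strip():
            continue
        path, chain, detection = parse_result_line(line)
        drive, prefix, suffix = split_truncated(path)
        hits = [drive + hit for hit in find_candidates(root, prefix, suffix)]
        results.append((detection, chain, hits))
    return results


def build_sample_tree(root):
    """Constructed directory layout for a stand-alone run. The restore-point path
    mirrors where Windows XP System Restore keeps copies of changed files; the GUID
    and file names are invented for this example, not taken from the thread."""
    files = [
        r"werk\Tool v1.21 Full-Crack.exe",
        r"werk\English Full-Crack.exe",
        r"System Volume Information\_restore{EXAMPLE-GUID}\RP12\A0000394.exe",
        r"Program Files\Updater\setup394.exe",   # same suffix, wrong prefix: no match
    ]
    for rel in files:
        target = Path(root, *rel.split("\\"))
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed placeholder file, not malware")


def run_demo():
    """Build the sample tree in a temporary directory and resolve the report against it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return locate_from_report(RAV_RESULTS, tmp)


if __name__ == "__main__":
    for detection, chain, hits in run_demo():
        print(detection, "in", " -> ".join(chain) if chain else "the file itself")
        for hit in hits:
            print("    candidate:", hit)
```

    A short prefix such as `Syst` can match more than one directory, so the candidate list is a starting point for the file-by-file check LowWaterMark describes, not a final answer. The third line resolves to a restore-point copy in the sample tree, which is the case where deleting requires the System Restore steps above rather than an ordinary scanner.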
     