Re: Are these Trojans?

From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 01/02/05


Date: Sat, 1 Jan 2005 19:38:07 -0500

Martyn:

Sounds like you are STILL infected.

Obtain McAfee's virus and worm removal tool, Stinger: http://vil.nai.com/vil/stinger/

1) If you are using WinME or WinXP, disable System Restore
   http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
2) Reboot your PC into Safe Mode
3) Using McAfee Stinger, perform a Full Scan of your platform and clean/delete any
   infectors found
4) Restart your PC and perform a "final" Full Scan of your platform
5) If you are using WinME or WinXP, re-enable System Restore and re-apply any
   System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB)
6) Reboot your PC.
7) If you are using WinME or WinXP, create a new Restore point

You should also try some of the below online scanners.

BitDefender:
http://www.bitdefender.com/scan/license.php

Computer Associates:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

DialogueScience:
http://www.antivir.ru/english/www_av/

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

Freedom Online scanner:
http://www.freedom.net/viruscenter/index.html

Panda:
http://www.pandasoftware.com/activescan/

Symantec:
http://security.symantec.com/

* * * Please report back your results * * *

-- 
Dave
"MartynB" <anonymous@discussions.microsoft.com> wrote in message
news:%23ffOYBG8EHA.2124@TK2MSFTNGP15.phx.gbl...
| Thanks to everyone for your help!
|
| Sorry I haven't replied sooner, but I've been off the 'net for a while as
| you'll see below.
|
| Status:-
| I took David Lipman's advice and downloaded the Trend Sysclean package and
| latest Trend signature files.
| Turned off system restore.
| When trying to reboot to safe mode, the computer wouldn't autoboot so had to
| power off/on.
| Booted safe mode then ran Trend Sysclean, this is what it found:-
| .
| Success Clean [TROJ_CHUM.B] from C:\Documents and Settings\All Users\Start
| Menu\Programs\Startup\OfficeOSA.exe
| Success Clean [DOS_AGOBOT.GEN] from C:\Documents and
| Settings\Martyn\Desktop\old name hosts
| Success Clean [TROJ_UPLOADER.F] from C:\Documents and Settings\Martyn\Local
| Settings\Temp\GLF7FGLF7F.EXE
| Success Clean [TROJ_CHUM.B] from C:\Documents and Settings\Martyn\Local
| Settings\Temporary Internet Files\Content.IE5\GXUB81AJ\xp[1].exe
| Success Clean [TROJ_CHUM.B] from C:\System Volume
| Information\_restore{E0142BE0-B807-42D0-B9DC-71953C4DA509}\RP1\A0000004.exe
| Success Clean [TROJ_CHUM.B] from C:\WINDOWS\system32\mspmspv.exe
| .
| The files above were automatically deleted, but it didn't find svcxnw32.exe
| which had the same file size as mspmspv.exe. I deleted that one manually.
| I tried to check the registry for unwanted entries but couldn't execute
| regedit (I put this down to being in safe mode, but see below)
|
| I thought that was it - but wait! there's more!
|
| After rebooting back to normal mode I noticed some odd behavior:-
|
| The WinXP Firewall was disabled (couldn't be re-enabled)
| Automatic Updates was disabled (couldn't be re-enabled)
| System Restore had re-enabled itself (was able to disable it again)
| No tasks were visible in Task Manager
| Regedit couldn't be executed (system message:- "Registry editing has been
| disabled by your administrator")
| After opening Microsoft Management Console and clicking on Services, the
| Management Console closed again.
|
| Checked startup entries using Startup Inspector for Windows and found:-
|
| HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices
| "WinService32"="drvstat16.exe -services"
|
| HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
| "IPConfig"="svcxnw32.exe"
| "WinService32"="drvstat16.exe -drivers"
|
| HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
| "IPConfig"="svcxnw32.exe"
| "WinService32"="drvstat16.exe -services"
|
| Startup Inspector reported that registry editing was disabled, so I couldn't
| remove the entries.
|
| I eventually managed to edit the registry from a Command Prompt with:-
|
| >REG DELETE HKLM\software\microsoft\windows\currentversion\runservices /v
| >WinService32
|
| and so on for the other entries.
|
| I found drvstat16.exe in C:\WINDOWS\system32\ but could not delete it
| (access denied) but managed to rename it to drvstat16.exe.vir
| I found C:\WINDOWS\system32\svcxnw32.exe and renamed it to svcxnw32.exe.vir
| Also noticed that the properties of C:\WINDOWS\system32\Services.msc showed
| that the file had just been updated compared to other Microsoft Common
| Console Documents which all had the date of 18 August 2001, 08:00:00.
| I therefore renamed it as Services.msc.vir to be safe.
|
| After the next re-boot I ran Trend Sysclean again but it didn't find
| anything.
| Found that the service "Security Center" was disabled. Set it back to
| Automatic and started it.
| I was then able to switch on the WinXP Firewall.
| So, things were more or less back to normal except for:-
| Executing Regedit still gives the error message as above
| Clicking on Services in Administrative Tools doesn't work - probably due to
| Services.msc having been renamed.
| Administrative Tools | Services and Applications | Services was working ok.
|
| Some questions:-
| What should I do to get Regedit working?
| How can I extract a clean copy of Services.msc from the WinXP CD?
| Is drvstat16.exe a new virus or is it a clone of one of the ones that Trend
| Sysclean found?
| Has anyone an opinion of a reliable virus scanner?
|
| Thanks again!
|
| Martyn
|
|
| "MartynB" <anonymous@discussions.microsoft.com> wrote in message
| news:eVThmn07EHA.1408@TK2MSFTNGP10.phx.gbl...
| > I'm running XP Pro SP2 and use AVG free, Spybot, Ad-Aware SE and a-squared
| >
| > 2 new processes have appeared yesterday and are both loaded by registry at
| > startup as:-
| >
| > [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
| > "LangSupportEx"="mspmspv.exe"
| > "IPConfig"="svcxnw32.exe"
| >
| > and:-
| >
| > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
| > "LangSupportEx"="mspmspv.exe"
| > "IPConfig"="svcxnw32.exe"
| >
| > Both files are located in C:\WINDOWS\system32\
| > Properties:-
| > mspmspv.exe 18.5 KB (18,976 bytes) 30 December 2004, 11:26:14
| > svcxnw32.exe 18.5 KB (18,976 bytes) 30 December 2004, 18:28:59
| >
| > According to netstat, the processes are established to the following
| > addresses using TCP:-
| >
| > mspmspv.exe:-
| > 17-112.202-68.se.rr.com [68.202.112.17] on port 6667
| >
| > svcxnw32.exe:-
| > astound-64-83-195-190.mn.astound.net: [64.83.195.190] on port 6667
| >
| > I have scanned using all the installed malware/virus scanners mentioned
| > above but they are not detected. I've also tried a web search but so far
| > no luck.
| >
| > Does anyone have any info about these? They look like Trojans to me. How
| > did they get in?
| >
| > Martyn
| >
|
|
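As an added illustration (not part of the original thread or of any tool mentioned in it), here is a defender-side PowerShell triage script that automates the checks Martyn worked through by hand: the three Run/RunServices keys, the policy value behind the "Registry editing has been disabled by your administrator" message, the state of the Security Center service, and any TCP connections to the IRC port 6667 that netstat showed. It assumes a Windows host with PowerShell 5 or later (for Get-NetTCPConnection and StartType), that the Security Center service is named wscsvc, and that the regedit block comes from the DisableRegistryTools policy value; the file names and the port are the ones reported in the thread.

```powershell
# Added triage script, not from the original thread. Assumes PowerShell 5+ on Windows.
# Run as Administrator so HKLM keys and all processes are readable.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# File names reported in the thread; extend with anything else you want flagged.
$suspectNames = 'mspmspv.exe', 'svcxnw32.exe', 'drvstat16.exe'

Write-Host "== Autorun entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }      # RunServices may not exist on modern Windows
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip PowerShell provider metadata
        $flag = ''
        foreach ($s in $suspectNames) {
            if ("$($p.Value)" -match [regex]::Escape($s)) { $flag = '  <-- SUSPECT' }
        }
        "{0}\{1} = {2}{3}" -f $key, $p.Name, $p.Value, $flag
    }
}

Write-Host "== Registry tools policy (regedit is blocked when this is 1) =="
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$v = Get-ItemProperty -Path $pol -Name DisableRegistryTools -ErrorAction SilentlyContinue
if ($v) { "DisableRegistryTools = $($v.DisableRegistryTools)" } else { "DisableRegistryTools not set" }

Write-Host "== Security Center service (should be Running / Automatic) =="
Get-Service -Name wscsvc -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType

Write-Host "== TCP connections to IRC port 6667, with owning process =="
Get-NetTCPConnection -RemotePort 6667 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        "{0}:{1} -> {2}:{3} pid={4} ({5})" -f $_.LocalAddress, $_.LocalPort,
            $_.RemoteAddress, $_.RemotePort, $_.OwningProcess, $proc.ProcessName
    }
```

Entries marked SUSPECT and any process holding a 6667 connection are the ones to submit to the vendor scanners listed above; a DisableRegistryTools value of 1 under the policy key is what keeps regedit from starting after the files are gone.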

