Re: Are these Trojans?
From: SJP (SJP_at_Virtuo.com)
Date: 01/02/05
- Next message: David H. Lipman: "Re: Serious Error"
- Previous message: Big mark: "Serious Error"
- In reply to: MartynB: "Re: Are these Trojans?"
- Next in thread: MartynB: "Re: Are these Trojans?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 02 Jan 2005 22:47:16 GMT
I did everything manually, but for me I had two items in my startup config
called "chkcfg -drivers" and "chkcfg -services". These would keep coming
back after reboots, so I figured that there was a service or driver involved
as a 'buddy'. I disabled a handful of services that didn't exist on my
laptop, deleted chkcfg.exe and the startups (there was also one under that
shell key). Then when I rebooted, the startup entries didn't reappear in
msconfig, and there were no foreign tasks in my tasklist. The last thing I
had to do was re-enable registry editing. I found this through a web
search. Here's a little VB that's actually helpful for a change, this will
re-enable your registry editor. Just paste it into a text file and give it
a .vbs extension. One question though, why are we disabling system restore?
Is this exploited in some way?
'Enable Registry Editing
'© Veegertx - 06/27/2003
'This code may be freely distributed/modified
On Error Resume Next
'Prevents errors from values that don't exist
Set WshShell = WScript.CreateObject("WScript.Shell")
'Delete DisableRegistryTools registry values (these are value paths, so no trailing backslash)
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
WshShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
'display message
Message = "You should have access to Regedit now"
X = MsgBox(Message, vbOKOnly, "Done")
Set WshShell = Nothing
Proch
"MartynB" <anonymous@discussions.microsoft.com> wrote in message
news:%23ffOYBG8EHA.2124@TK2MSFTNGP15.phx.gbl...
> Thanks to everyone for your help!
>
> Sorry I haven't replied sooner, but I've been off the 'net for a while as
> you'll see below.
>
> Status:-
> I took David Lipman's advice and downloaded the Trend Sysclean package and
> latest Trend signature files.
> Turned off system restore.
> When trying to reboot to safe mode, the computer wouldn't autoboot so had
> to power off/on.
> Booted safe mode then ran Trend Sysclean, this is what it found:-
> .
> Success Clean [TROJ_CHUM.B] from C:\Documents and Settings\All Users\Start
> Menu\Programs\Startup\OfficeOSA.exe
> Success Clean [DOS_AGOBOT.GEN] from C:\Documents and
> Settings\Martyn\Desktop\old name hosts
> Success Clean [TROJ_UPLOADER.F] from C:\Documents and
> Settings\Martyn\Local Settings\Temp\GLF7FGLF7F.EXE
> Success Clean [TROJ_CHUM.B] from C:\Documents and Settings\Martyn\Local
> Settings\Temporary Internet Files\Content.IE5\GXUB81AJ\xp[1].exe
> Success Clean [TROJ_CHUM.B] from C:\System Volume
> Information\_restore{E0142BE0-B807-42D0-B9DC-71953C4DA509}\RP1\A0000004.exe
> Success Clean [TROJ_CHUM.B]from C:\WINDOWS\system32\mspmspv.exe
> .
> The files above were automatically deleted, but it didn't find
> svcxnw32.exe which had the same file size as mspmspv.exe. I deleted that
> one manually.
> I tried to check the registry for unwanted entries but couldn't execute
> regedit (I put this down to being in safe mode, but see below)
>
> I thought that was it - but wait! there's more!
>
> After rebooting back to normal mode I noticed some odd behavior:-
>
> The WinXP Firewall was disabled (couldn't be re-enabled)
> Automatic Updates was disabled (couldn't be re-enabled)
> System Restore had re-enabled itself (was able to disable it again)
> No tasks were visible in Task Manager
> Regedit couldn't be executed (system message:- "Registry editing has been
> disabled by your administrator")
> After opening Microsoft Management Console and clicking on Services, the
> Management Console closed again.
>
> Checked startup entries using Startup Inspector for Windows and found:-
>
> HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices
> "WinService32"="drvstat16.exe -services"
>
> HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
> "IPConfig"="svcxnw32.exe"
> "WinService32"="drvstat16.exe -drivers"
>
> HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
> "IPConfig"="svcxnw32.exe"
> "WinService32"="drvstat16.exe -services"
>
> Startup Inspector reported that registry editing was disabled, so I
> couldn't remove the entries.
>
> I eventually managed to edit the registry from a Command Prompt with:-
>
>>REG DELETE HKLM\software\microsoft\windows\currentversion\runservices /v
>>WinService32
>
> and so on for the other entries.
>
> I found drvstat16.exe in C:\WINDOWS\system32\ but could not delete it
> (access denied) but managed to rename it to drvstat16.exe.vir
> I found C:\WINDOWS\system32\svcxnw32.exe and renamed it to
> svcxnw32.exe.vir
> Also noticed that the properties of C:\WINDOWS\system32\Services.msc
> showed that the file had just been updated compared to other Microsoft
> Common Console Documents which all had the date of 18 August 2001,
> 08:00:00.
> I therefore renamed it as Services.msc.vir to be safe.
>
> After the next re-boot I ran Trend Sysclean again but it didn't find
> anything.
> Found that the service "Security Center" was disabled. Set it back to
> Automatic and started it.
> I was then able to switch on the WinXP Firewall.
> So, things were more or less back to normal except for:-
> Executing Regedit still gives the error message as above
> Clicking on Services in Administrative Tools doesn't work - probably due
> to Services.msc having been renamed.
> Administrative Tools | Services and Applications | Services was working
> ok.
>
> Some questions:-
> What should I do to get Regedit working?
> How can I extract a clean copy of Services.msc from the WinXP CD?
> Is drvstat16.exe a new virus or is it a clone of one of the ones that
> Trend Sysclean found?
> Has anyone an opinion of a reliable virus scanner?
>
> Thanks again!
>
> Martyn
>
>
> "MartynB" <anonymous@discussions.microsoft.com> wrote in message
> news:eVThmn07EHA.1408@TK2MSFTNGP10.phx.gbl...
>> I'm running XP Pro SP2 and use AVG free, Spybot, Ad-Aware SE and
>> a-squared
>>
>> 2 new processes have appeared yesterday and are both loaded by registry
>> at startup as:-
>>
>> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
>> "LangSupportEx"="mspmspv.exe"
>> "IPConfig"="svcxnw32.exe"
>>
>> and:-
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
>> "LangSupportEx"="mspmspv.exe"
>> "IPConfig"="svcxnw32.exe"
>>
>> Both files are located in C:\WINDOWS\system32\
>> Properties:-
>> mspmspv.exe 18.5 KB (18,976 bytes) 30 December 2004, 11:26:14
>> svcxnw32.exe 18.5 KB (18,976 bytes) 30 December 2004, 18:28:59
>>
>> According to netstat, the processes are established to the following
>> addresses using TCP:-
>>
>> mspmspv.exe:-
>> 17-112.202-68.se.rr.com [68.202.112.17] on port 6667
>>
>> svcxnw32.exe:-
>> astound-64-83-195-190.mn.astound.net: [64.83.195.190] on port 6667
>>
>> I have scanned using all the installed malware/virus scanners mentioned
>> above but they are not detected. I've also tried a web search but so far
>> no luck.
>>
>> Does anyone have any info about these? They look like Trojans to me. How
>> did they get in?
>>
>> Martyn
>>
>
>
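The triage pattern Martyn worked through by hand (autostart entries that name a bare executable, plus ESTABLISHED TCP sessions to IRC port 6667 from unknown processes) as an added example; this is not code from the thread. The reg-query and netstat text below is constructed, the exe names and remote addresses are the ones quoted in the thread, and KNOWN_BARE_NAMES is a hypothetical analyst-vetted baseline.

```python
# Added example, not code from the thread: parse reg-query style autostart
# listings and netstat-style output and flag the pattern MartynB described.
# Sample data is constructed; exe names and C2 addresses come from the thread.
IRC_PORTS = {6667}
KNOWN_BARE_NAMES = {"ctfmon.exe"}  # hypothetical analyst-vetted baseline

REG_DUMP = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    LangSupportEx    REG_SZ    mspmspv.exe
    IPConfig         REG_SZ    svcxnw32.exe
    ctfmon.exe       REG_SZ    C:\WINDOWS\system32\ctfmon.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices
    WinService32     REG_SZ    drvstat16.exe -services
"""
NETSTAT = """TCP 192.168.1.5:1034 68.202.112.17:6667 ESTABLISHED mspmspv.exe
TCP 192.168.1.5:1040 64.83.195.190:6667 ESTABLISHED svcxnw32.exe
TCP 192.168.1.5:1051 203.0.113.10:80 ESTABLISHED iexplore.exe
"""

def parse_reg_dump(text):
    """Return (key, value_name, data) triples; key lines are unindented."""
    entries, key = [], None
    for line in filter(str.strip, text.splitlines()):
        if not line.startswith(" "):
            key = line.strip()
        else:
            name, _type, data = line.split(None, 2)
            entries.append((key, name, data))
    return entries

def suspicious_autostarts(entries):
    """Flag commands given as a bare file name: they resolve through the
    search path and hide where the binary actually lives."""
    return [(name, data.split()[0]) for _key, name, data in entries
            if "\\" not in data.split()[0]
            and data.split()[0].lower() not in KNOWN_BARE_NAMES]

def irc_connections(text):
    """Return (process, remote) for ESTABLISHED TCP sessions to an IRC port."""
    hits = []
    for line in filter(str.strip, text.splitlines()):
        proto, _local, remote, state, proc = line.split()
        if proto == "TCP" and state == "ESTABLISHED" and \
                int(remote.rsplit(":", 1)[1]) in IRC_PORTS:
            hits.append((proc, remote))
    return hits

def correlate(reg_text, net_text):
    """Processes that both autostart under a bare name and hold an IRC session."""
    auto = {exe.lower() for _n, exe in suspicious_autostarts(parse_reg_dump(reg_text))}
    return sorted(proc for proc, _r in irc_connections(net_text) if proc.lower() in auto)
```

On a live box the inputs would come from `reg query ... /s` and `netstat -ano` joined with tasklist; correlate() narrows the list to the two binaries that sit on both lists, which is what pointed Martyn at mspmspv.exe and svcxnw32.exe.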