Re: Malware/Virus problem -
From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 08/15/05
- Next message: webchimp: "Budweiser Frog Screensaver"
- Previous message: David H. Lipman: "Re: Is NT4 affected by the new MS05-039 Plug-n-Play Vulnerability?"
- In reply to: Steve: "Malware/Virus problem -"
- Next in thread: Steve: "Re: Malware/Virus problem -"
- Reply: Steve: "Re: Malware/Virus problem -"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 15 Aug 2005 13:00:27 -0400
From: "Steve" <Fed_up_Withspam@nospam.here>
| I've spent the last couple of days trying to get rid of the Aurora
| "Abetterinternet" malware. I ran the Sophos scan using David Lipman's
| advice, which identified a couple of Trojans. (Sophos took 13 hours to
| complete the scan; I haven't run Trend - McAfee is my "native" installation).
|
| Hopefully having used Nailfix, the problem is now finally resolved.
| (nail.exe re-spawns when deleted).
|
| However, there is something still amiss.
|
| Using Windows Task Manager process display, there is an unknown process
| running, currently "xpgbpo.exe". It was previously "arsmpxq.exe".
|
| When this process is deleted it respawns with a different random name; it
| starts at 180k, then its use of memory grows. I've found the file in
| C:\windows\system32 with a file size of 89k. It has a buddy "rjdvkm" and
| I'm convinced a third is "ready to go" with a file size of 0KB, "afnhped".
|
| All these names appear to be random and I've deleted the live process a
| dozen times and the filename is always 6 or 7 characters in length.
|
| If I delete the live process then a new process is spawned with a new
| random name. This is an extract from Filemon where I deleted "armspxq" and
| it is re-spawned as "xpgbpo". McAfee can be seen running, but doesn't flag
| any issues; don't know why.
|
| Neither Sophos nor McAfee flags this as a virus, unless I've made a poor job
| of cleaning up - any ideas?
|
| TIA
|
| Steve
|
| 16:42:49 McShield.exe:316 SET INFORMATION C:\WINDOWS\Nail.exe SUCCESS
| FileBasicInformation
| 16:42:50 arsmpxq.exe:2324 SET INFORMATION
| C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 12288
| 16:42:50 arsmpxq.exe:2324 SET INFORMATION
| C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 12288
| 16:42:50 arsmpxq.exe:2324 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
| SUCCESS Length: 91136
| 16:42:50 arsmpxq.exe:2324 WRITE C:\WINDOWS\system32\xpgbpo.exe SUCCESS
| Offset: 0 Length: 65536
| 16:42:50 arsmpxq.exe:2324 WRITE C:\WINDOWS\system32\xpgbpo.exe SUCCESS
| Offset: 65536 Length: 25600
| 16:42:50 arsmpxq.exe:2324 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 arsmpxq.exe:2324 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 wintasks.exe:3348 SET INFORMATION C:\WINDOWS\system32\arsmpxq.exe
| SUCCESS FileBasicInformation
| 16:42:50 wintasks.exe:3348 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\windows\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\windows\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\windows\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\windows\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 McShield.exe:316 SET INFORMATION C:\windows\system32\xpgbpo.exe
| SUCCESS FileBasicInformation
| 16:42:50 explorer.exe:564 DELETE C:\WINDOWS\system32\arsmpxq.exe SUCCESS
| 16:42:50 svchost.exe:1028 SET INFORMATION
| C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 20480
| 16:42:50 xpgbpo.exe:4060 SET INFORMATION
| C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 24576
| 16:42:50 xpgbpo.exe:4060 SET INFORMATION
| C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 28672
| 16:42:50 xpgbpo.exe:4060 SET INFORMATION
| C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 32768
| 16:42:50 xpgbpo.exe:4060 SET INFORMATION
| C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 36864
| 16:42:50 xpgbpo.exe:4060 SET INFORMATION
| C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 40960
| 16:42:50 xpgbpo.exe:4060 SET INFORMATION
| C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 45056
| 16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\crypt32.dll
| SUCCESS FileBasicInformation
|
Have you tried such applications as Ad-aware SE v1.06 and SpyBot Search and Destroy v1.4?
-- Dave http://www.claymania.com/removal-trojan-adware.html http://www.ik-cs.com/got-a-virus.htm
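The Filemon excerpt quoted above shows the whole respawn in one second: the running image (arsmpxq.exe) writes a new image (xpgbpo.exe) into system32 in two chunks, a process with the new name starts, and the old file is deleted. Reading that chain out of a long Filemon capture by eye is tedious, so below is an added Python example (not part of this thread or of any tool mentioned in it) that parses lines of the shape Steve pasted and pairs each process that wrote an .exe with the process that later ran under that name. The sample lines are constructed by cutting down the quoted excerpt, and the "6-7 letters plus .exe" check is only the observation from the post, not a general rule.

```python
"""Pair the process that writes a new .exe with the process that later runs
under that name, from a Filemon-style log such as the one quoted above."""
import re
from collections import OrderedDict

# Constructed sample, cut down from the excerpt in the post. The line shape is
# the one Steve pasted: "HH:MM:SS process:pid OPERATION path RESULT [details]".
SAMPLE_LOG = r"""
16:42:49 McShield.exe:316 SET INFORMATION C:\WINDOWS\Nail.exe SUCCESS FileBasicInformation
16:42:50 arsmpxq.exe:2324 SET INFORMATION C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 12288
16:42:50 arsmpxq.exe:2324 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe SUCCESS Length: 91136
16:42:50 arsmpxq.exe:2324 WRITE C:\WINDOWS\system32\xpgbpo.exe SUCCESS Offset: 0 Length: 65536
16:42:50 arsmpxq.exe:2324 WRITE C:\WINDOWS\system32\xpgbpo.exe SUCCESS Offset: 65536 Length: 25600
16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\xpgbpo.exe SUCCESS FileBasicInformation
16:42:50 wintasks.exe:3348 SET INFORMATION C:\WINDOWS\system32\arsmpxq.exe SUCCESS FileBasicInformation
16:42:50 explorer.exe:564 DELETE C:\WINDOWS\system32\arsmpxq.exe SUCCESS
16:42:50 svchost.exe:1028 SET INFORMATION C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 20480
16:42:50 xpgbpo.exe:4060 SET INFORMATION C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 24576
16:42:50 McShield.exe:316 SET INFORMATION C:\WINDOWS\system32\crypt32.dll SUCCESS FileBasicInformation
"""

# Operation names are an explicit alternation because "SET INFORMATION"
# contains a space; add others (RENAME, DIRECTORY, ...) if your capture has them.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<proc>.+?):(?P<pid>\d+)\s+"
    r"(?P<op>SET INFORMATION|QUERY INFORMATION|WRITE|READ|OPEN|CLOSE|DELETE|CREATE)\s+"
    r"(?P<path>.+?)\s+"
    r"(?P<result>SUCCESS|NOT FOUND|ACCESS DENIED|[A-Z]+)"
    r"(?:\s+(?P<detail>.*))?$"
)
LENGTH_RE = re.compile(r"Length:\s*(\d+)")


def parse_line(line):
    """Return a dict for one Filemon line, or None if the line doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    return ev


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_random(exe_name):
    """Heuristic taken from the post: the dropped names were 6-7 letters plus .exe."""
    stem = exe_name[:-4] if exe_name.endswith(".exe") else exe_name
    return re.fullmatch(r"[a-z]{6,7}", stem) is not None


def find_respawn_chains(log_text):
    """For every successful WRITE to an .exe by a different image, record whether
    the written name later appears as a process and whether the writer's own
    file was deleted in the same capture."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    deleted = {basename(ev["path"]) for ev in events
               if ev["op"] == "DELETE" and ev["result"] == "SUCCESS"}
    chains = OrderedDict()
    for idx, ev in enumerate(events):
        if ev["op"] != "WRITE" or ev["result"] != "SUCCESS":
            continue
        dropped = basename(ev["path"])
        if not dropped.endswith(".exe"):
            continue
        dropper = ev["proc"].lower()
        if dropper == dropped:
            continue  # a program rewriting its own image is not a drop
        chain = chains.setdefault((dropper, dropped), {
            "dropper": dropper, "dropped": dropped, "path": ev["path"],
            "first_write": ev["time"], "bytes_written": 0,
            "dropped_ran": False, "dropper_deleted": dropper in deleted,
            "random_looking": looks_random(dropped),
        })
        m = LENGTH_RE.search(ev["detail"] or "")
        chain["bytes_written"] += int(m.group(1)) if m else 0
        # Did a process carrying the dropped file's name show up after the write?
        chain["dropped_ran"] = chain["dropped_ran"] or any(
            later["proc"].lower() == dropped for later in events[idx + 1:])
    return list(chains.values())


def is_respawn(chain):
    """The pattern from the post: old image drops new image, new image runs,
    old image is deleted."""
    return chain["dropped_ran"] and chain["dropper_deleted"]


if __name__ == "__main__":
    for chain in find_respawn_chains(SAMPLE_LOG):
        flag = "RESPAWN" if is_respawn(chain) else "drop"
        print(f"{flag}: {chain['dropper']} -> {chain['dropped']} "
              f"({chain['bytes_written']} bytes, random-looking={chain['random_looking']})")
```

Two things worth noting when reading the output. The summed WRITE lengths (65536 + 25600 = 91136) agree with the SET INFORMATION length and with the 89k Steve saw on disk, which is a cheap consistency check that the capture is complete. The name heuristic is deliberately not part of `is_respawn`: a 7-letter stem also matches svchost.exe, so the finding is the drop, run, delete chain itself, and the random-looking flag is only there to sort the output. The script reads a saved log after the fact and does not touch any process or file.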