
Recurring Trojan


4 replies to this topic

#1 LNR 4 Life

LNR 4 Life

  • Members
  • 3 posts

Posted 07 June 2008 - 09:49 PM

I recently suffered an adware/malware attack on my Windows XP SP2 computer. After running MBAM and SAS in succession as well as Smitfraud fix and SDfix, most of them were gone. Now upon starting up, scans with both MBAM and SAS reveal no dangerous files. However, when I connect to the internet my McAfee stops and cleans a trojan it calls Tcad-Crypted. At this point another scan with MBAM shows nothing, but SAS returns with Rootkit.RunTime3/WinCtrl32.Process. The files are quarantined and removed and the system reboots. This annoying trojan comes back every time. Here is the SAS log, post-internet connection:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/07/2008 at 10:40 PM

Application Version : 4.15.1000

Core Rules Database Version : 3477
Trace Rules Database Version: 1468

Scan type : Custom Scan
Total Scan Time : 00:02:11

Memory items scanned : 0
Memory threats detected : 0
Registry items scanned : 4964
Registry threats detected : 6
File items scanned : 0
File threats detected : 1

Rootkit.RunTime3/WinCtrl32
HKLM\System\ControlSet001\Services\Windl70
C:\WINDOWS\SYSTEM32\DRIVERS\WINDL70.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_Windl70
HKLM\System\ControlSet002\Services\Windl70
HKLM\System\ControlSet002\Enum\Root\LEGACY_Windl70
HKLM\System\CurrentControlSet\Services\Windl70
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_Windl70

The file listed from the System32 directory always has a different entry where WINDL70.SYS appears.
The memory scan and file scan sections don't return any dangerous entries, so I scan only the registry because it's faster.
I don't know if my McAfee is messing with the virus scans by catching the trojan and cleaning, but I am reluctant to disable it and let the trojan communicate.

I have looked through the existing threads and haven't found any specific mention of this particular problem. Any help would be greatly appreciated.


#2 Guest_superbird_*

Guest_superbird_*

  • Guests

Posted 08 June 2008 - 04:24 AM

1. Download ATF cleaner (by Atribune)

Double-click ATF cleaner to start the program.
At the tab "Main", place a mark at Select All.
Click the button Empty Selected.

If you use FireFox:
Click at the tab "Firefox", place a mark at Select All.
If you would keep the stored passwords in FireFox, please choose "No" at the window that opens.
(This deletes the mark at "Firefox saved passwords")
Click the button Empty Selected.

If you use Opera:
Click the tab "Opera", place a mark at Select All.
If you would keep the stored passwords in Opera, please choose "No" at the window that opens.
Click the button Empty Selected.

Go to the tab "Main" and click the button Exit to close the program.

2. Download the next programs, but do nothing more than that:

3. Install the programs that are advised in step 2, and update them. :thumbsup:

4. Restart your computer in Safe Mode. See here for a tutorial how to do this.

5. Scan with the next programs:
  • Your anti-virus scanner.
  • Spybot S&D
  • Ad-Aware
  • Windows Defender
    Post the results in your next answer
    Let the programs clean what they find
6. Restart your computer again, but now in Normal Mode.

7. Go to Kaspersky Online Scanner.
Click at the button Accept.
This scanner is only compatible with Internet Explorer 6 and higher !!
It could be you must click at a yellow beam to activate ActiveX files that Kaspersky needs to run and download. Accept this.
  • The program will now start downloading the latest definition files. After this you need to click Next.
  • Then click Scan Settings.
    Beneath the text Scan using the following antivirus database: you need to choose the second option: extended - protect your .....
    Beneath the text Scan options: you need to check the following boxes: Scan Archives .... and Scan Mail Bases ....
  • Then click OK.
  • Now start the scan by clicking the text My Computer.
    Note that this scan may take a while.
  • When the scan is finished, you'll get the option to save the scan report.
    Click at the button Save Report As. Save the report at your Desktop with the name kavscan.txt
Post this report in your next reply.

8. Now, post the logs/results in your next answer. Tell which problems you still have. I need the following reports:
  • The results of your anti-virus program
  • Spybot S&D
  • Ad-Aware
  • Windows Defender
  • Kaspersky Online Scan
Good luck. :flowers:

#3 LNR 4 Life

LNR 4 Life
  • Topic Starter

  • Members
  • 3 posts

Posted 08 June 2008 - 04:29 PM

OK, I ran ATF cleaner, followed by my McAfee, and then went down your list in order.

Here is the McAfee log:

The Manual Scan is complete and there are no items that require your attention.

Results
Number of items scanned: 100694
Number of items detected: 2
Number of items repaired: 0
Number of items quarantined: 0
Number of items removed: 2

6/7/2008 2:03:31 AM Scan Done: 06/07/2008 02:03:31 AM
6/8/2008 09:55:25 Scan Started: 06/08/2008 09:55:25 AM
6/8/2008 09:55:30 "IRP_MJ_CREATE" "Cutwail!rootkit" "5"
6/8/2008 09:55:30 "IRP_MJ_CREATE" "Cutwail!rootkit" "5"
6/8/2008 12:36:00 Total objects scanned: 100694
6/8/2008 12:36:00 Objects detected: 2
6/8/2008 12:36:00 Scan Done: 06/08/2008 12:36:00 PM

Then I scanned with Spybot S&D which produced this log:

--- Search result list ---
Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)

MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)

BurstMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)

DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)

FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)

Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)

Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)


Next was Ad-Aware:

Cleaned Infections
===========================
MRU Path: C:\Documents and Settings\Derick Lo\Recent Count: 19, Belonging to MRU Object
MRU Registry Key: S-1-5-21-1821939732-2841098238-3887560322-1006\Software\Microsoft\Search Assistant\ACMru\5603 Count: 4, Belonging to MRU Object

End of Cleaned Infections
===========================

And finally I scanned with Windows Defender which returned nothing but the message that no dangerous items were found and my computer is working normally.

At this point I restarted in normal mode and, as soon as I opened my internet connection, the Tcad-Crypted trojan was caught and cleaned by McAfee again. Moving on to step 8, I tried to go to Kaspersky but my IE just locks up. It does this on several other sites, which is when I realized I had a problem. I even disabled all of my add-ons for IE and still can't load Kaspersky. Where the hell is this bugger hiding?

#4 LNR 4 Life

LNR 4 Life
  • Topic Starter

  • Members
  • 3 posts

Posted 08 June 2008 - 07:08 PM

After looking a little closer, I noticed that the file that gets created in the Windows32/Drivers folder may have a forged properties tab.

Created: Tuesday, September 23, 2003, 11:47:01
Modified: Monday, March 31, 2003, 08:00:00
Accessed: Today, June 08, 2008, 19:49:00

How could it have been modified on a date almost 6 months prior to creation? Also, when you mouse over it, the description bubble is formatted differently from known windows files.

Of course I can't delete it because it's in use, and I can't terminate the process because I can't see it in task manager. It's very aggravating that none of these dangerous objects can be found until I open my internet connection.
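A triage check for the two observations made in this thread: the driver service that SAS keeps reporting under every ControlSet (post #1) and the driver file whose modified time precedes its creation time (post #4). This is an added example, not code posted in the thread or shipped by any tool named in it. It assumes a Windows host with PowerShell 5.1 or later (so it would not run on the original XP SP2 machine as-is), and the function names Get-DriverServiceReport and Resolve-DriverPath are made up for this example. It walks each ControlSet00N\Services key, keeps the kernel-mode driver entries, resolves the ImagePath to a file, and flags a missing file, a modified-before-created timestamp pair, and an Authenticode status other than Valid.

```powershell
# Added triage example (not from the thread). Assumes PowerShell 5.1+ on Windows;
# run from an elevated prompt for a complete view of HKLM:\SYSTEM.

function Resolve-DriverPath {
    param([string]$ImagePath, [string]$ServiceName)
    # Service keys store ImagePath in several conventions; normalise them to a
    # filesystem path. An absent ImagePath means System32\drivers\<name>.sys.
    if ([string]::IsNullOrWhiteSpace($ImagePath)) {
        return (Join-Path $env:SystemRoot "System32\drivers\$ServiceName.sys")
    }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\x -> C:\x
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    $p = $p -replace '^%SystemRoot%', $env:SystemRoot
    return $p
}

function Get-DriverServiceReport {
    param([string]$Hive = 'HKLM:\SYSTEM')
    $report = @()
    # ControlSet001, ControlSet002, ...: the SAS log in post #1 shows the same
    # service in every set, which is why removing it from CurrentControlSet
    # alone is not enough; a copy in another set can be restored at boot.
    $controlSets = Get-ChildItem $Hive | Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }
    foreach ($cs in $controlSets) {
        $servicesKey = Join-Path $cs.PSPath 'Services'
        foreach ($svc in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
            # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER; skip user-mode services.
            if ($props.Type -notin 1, 2) { continue }
            $path  = Resolve-DriverPath -ImagePath $props.ImagePath -ServiceName $svc.PSChildName
            $file  = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
            $flags = @()
            $created = $null; $modified = $null
            if (-not $file) {
                $flags += 'file-missing'
            } else {
                $created  = $file.CreationTime
                $modified = $file.LastWriteTime
                # Post #4's observation. Weak on its own: copying a file gives it a new
                # creation time while keeping the source's last-write time.
                if ($modified -lt $created) { $flags += 'modified-before-created' }
                # Stronger pointer: a kernel driver that does not validate.
                $sig = Get-AuthenticodeSignature -FilePath $file.FullName
                if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
            }
            $report += [pscustomobject]@{
                ControlSet = $cs.PSChildName
                Service    = $svc.PSChildName
                Start      = $props.Start      # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
                Path       = $path
                Created    = $created
                Modified   = $modified
                Flags      = ($flags -join ',')
            }
        }
    }
    return $report
}

# Show only rows with something to look at; drop the Where-Object to list everything.
Get-DriverServiceReport | Where-Object { $_.Flags } |
    Sort-Object Service, ControlSet | Format-Table -AutoSize
```

Read the flags together rather than in isolation. A driver that exists in only one ControlSet, has no file on disk, or fails signature validation is a better reason to pull the file for analysis than the dates alone, and catalog-signed Microsoft drivers may report a status other than Valid on some builds, so flagged rows are review candidates, not verdicts. The Enum\Root\LEGACY_<name> keys in the SAS log are the normal trace of a legacy-started driver and are not themselves a sign of compromise.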

#5 Guest_superbird_*

Guest_superbird_*

  • Guests

Posted 09 June 2008 - 12:04 AM

Could you post the results of Spybot S&D, Ad-Aware, Windows Defender and Kaspersky Online Scan too, please? :thumbsup:

And which file are you talking about?

Edited by superbird, 09 June 2008 - 12:05 AM.