Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Various trojan infection

  • Please log in to reply
3 replies to this topic

#1 septera


  • Members
  • 2 posts
  • Local time:10:22 AM

Posted 12 June 2009 - 05:01 AM

I realy hope someone can help me here!
I have Vista OS.
Tomorrow i just sitting by my computer and suddenly recognised this strange event: my computer has connected to the internet by itself, automaticly! I always log in to my ISP manualy, auto connect is disabled, so im sure its some kind of trojan infected my PC! Could it be a dialer or a backdoor? I checked my firewall log and i found these strange network connections: "Teredo Tunneling Pseudo-Interface" -these never appeared before. Can it be that the trojan uses this connection to backdoor to a remote computer?
Here are my antispyware scan results:


Infected registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ati2sgav (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Updater (Backdoor.Bot) -> No action taken.

Infected registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digest32.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: snapapi32.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Infected files:
C:\Windows\System32\ati2sgav.exe (Trojan.Agent) -> No action taken.
C:\Windows\System32\digest32.dll (Trojan.Agent) -> No action taken.
C:\Windows\System32\snapapi32.dll (Trojan.Agent) -> No action taken.

Spyvot S&D:

Virtumonde.sdn: [SBI $FEB39643] Automatic stratup settings (RUNDLL32) (Registry database value, nothing done)

Virtumonde.sdn: [SBI $C6000100] Automatic stratup settings (SYSTRAY_UPDATE) (Registry database value, nothing done)

Virtumonde.sdn: [SBI $E32961C0]Automatic stratup settings (Windows System Update) (Registry database value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows System Update


Unclassified.Unknown Origin/System

Norton AV:

Heuristic virus:
Packed.generic.217 -in file: windows\temp\rudll32.exe

Heuristic virus:
Suspicious.MH690 -in file: windows\temp\rundll.32

Downloader -in file: windows\temp\iexplorer.exe

W32.spybot.worm -in file: windows\temp\system.exe

Trojan horse -in file: windows\temp\csrss.exe

Downloader -in flie: windows\temp\systray.exe

Downloader -in file: windows\temp\alg.exe

Running CMD->msconfig i found these strange things at the stratup tab:

RUNDLL32 -Manufacturer: unknown -Location: HKLM\Software\WOW6432Nod\Microsoft\Windows\Currentversion\Run

SYSTRAY_UPDATRE -Manufacturer: unknown -Location: HKLM\Software\WOW6432Nod\Microsoft\Windows\Currentversion\Run

Language shortcut -Manufacturer: unknown -Location: HKLM\Software\WOW6432Nod\Microsoft\Windows\Currentversion\Run

System restore: -Manufacturer: unknown -Location: HKLM\Software\WOW6432Nod\Microsoft\Windows\Currentversion\Run

Windows System Update -Manufacturer: unknown -Location: HKLM\Software\WOW6432Nod\Microsoft\Windows\Currentversion\Run

Not sure if Nortons results are false positive or not, couse im confused because those files like rundll32.exe, iexplorer.exe etc. looks like some system files, but its strange that they appear in the temp directory. Everytime i remove them, they come back at the next OS bootup, I wonder why?!
But Spybot S&D registry scan hits are very similar to that, but i dare to remove them, couse i dont want to delete any important system entries, waiting for an experts advice.
Im not sure if its releated to those Trojan.Agents or its the Virtualmonde.snd trojan, but it could be some kind of dialer/backdoor trojan mixture, couse it seems realy advanced that it can connect to the internet by itself!

Please help me find the slution, thank you!

Edited by septera, 12 June 2009 - 05:03 AM.

BC AdBot (Login to Remove)


#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,569 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:03:22 AM

Posted 12 June 2009 - 08:45 PM

Hello and Yes that is what is happening. The malware is connecting and sending information back out.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 septera

  • Topic Starter

  • Members
  • 2 posts
  • Local time:10:22 AM

Posted 13 June 2009 - 07:02 AM

Hi, and thanks for the reply!

I know it would be the best to reformat the whole thing, but right now i cant save my important files elsewhere, so till i get another hdd, i think im up to give it a try and remove the infection somehow. Where should i begin?

#4 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,569 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:03:22 AM

Posted 13 June 2009 - 09:46 AM

Ok so we will clean it for now.
Did you click the "Remove Selected " button after that last scan?

Now Rerun MBAM like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select FUL scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users