
Activedst.exe a Trojan?


37 replies to this topic

#1 LostOne96

LostOne96

  • Members
  • 34 posts
  • OFFLINE
  • Local time:05:55 PM

Posted 12 December 2009 - 02:32 PM

Hello!

I recently was infected by a trojan file, activedst.exe, which I believe is contained, but I would like some help cleaning my system. I'm running Windows XP, Media Center Edition (2002 version), updated to Service Pack 3. My security program is Kaspersky Internet Security 2009, and I also run SuperAntiSpyware (SAS) and Malwarebytes' Anti-Malware (MBAM).

According to Kaspersky, here is the series of events:

0.008989111490346868.exe (events: 8)
12/12/2009 10:13:08 AM Placed in group Low Restricted
12/12/2009 10:13:12 AM Process start C:\DOCUME~1\Morbius\LOCALS~1\Temp\0.008989111490346868.exe
12/12/2009 10:13:21 AM Setting debug privileges Allowed: KLPrivileges/KLPermissionSystem/KLPermissionPrivileges/KLSetDbgPrivilege
12/12/2009 10:13:21 AM Setting debug privileges Allowed: KLPrivileges/KLPermissionSystem/KLPermissionPrivileges/KLSetDbgPrivilege
12/12/2009 10:13:21 AM Delete C:\Documents and Settings\Morbius\Local Settings\Temp\0.008989111490346868.exe
12/12/2009 10:13:21 AM Modification C:\Documents and Settings\Morbius\Local Settings\Temp\~TM43.tmp
12/12/2009 10:13:21 AM Rename C:\Documents and Settings\Morbius\Local Settings\Temp\~TM43.tmp
12/12/2009 10:13:21 AM Process exit C:\DOCUME~1\Morbius\LOCALS~1\Temp\0.008989111490346868.exe

wpv981253129279.exe (events: 6)
12/12/2009 10:14:05 AM Placed in group Low Restricted
12/12/2009 10:14:05 AM Process start C:\WINDOWS\temp\wpv981253129279.exe
12/12/2009 10:14:05 AM Create C:\WINDOWS\system32\acledith.exe
12/12/2009 10:14:06 AM Delete C:\WINDOWS\system32\acledith.exe
12/12/2009 10:14:06 AM Create C:\WINDOWS\system32\activedst.exe
12/12/2009 10:14:13 AM Process exit C:\WINDOWS\temp\wpv981253129279.exe

wpv221253131464.exe (events: 6)
12/12/2009 10:14:06 AM Placed in group Low Restricted
12/12/2009 10:14:06 AM Process start C:\WINDOWS\temp\wpv221253131464.exe
12/12/2009 10:14:07 AM Process start C:\WINDOWS\temp\wpv221253131464.exe
12/12/2009 10:14:09 AM Access to protected storage Allowed: KLPrivileges/KLPermissionSystem/KLPermissionStrange/KLPrtStgAccess
12/12/2009 10:14:12 AM Process exit C:\WINDOWS\temp\wpv221253131464.exe
12/12/2009 10:14:13 AM Process exit C:\WINDOWS\temp\wpv221253131464.exe

HpqPSmon (events: 5)
12/12/2009 10:14:11 AM Placed in group Untrusted
12/12/2009 10:14:12 AM Process start C:\WINDOWS\system32\activedst.exe
12/12/2009 10:14:12 AM Autorun Denied: KLPrivileges/KLSelfStart
12/12/2009 10:14:12 AM Autorun Denied: KLPrivileges/KLSelfStart
12/12/2009 10:14:12 AM Process exit C:\WINDOWS\system32\activedst.exe

wpv691257453440.exe (events: 4)
12/12/2009 10:14:09 AM Placed in group Untrusted : HEUR:Trojan.Win32.Generic
12/12/2009 10:14:09 AM Process start C:\WINDOWS\temp\wpv691257453440.exe
12/12/2009 10:14:09 AM Autorun Denied: KLPrivileges/KLSelfStart
12/12/2009 10:14:09 AM Process exit C:\WINDOWS\temp\wpv691257453440.exe

wpv081257849029.exe (events: 4)
12/12/2009 10:14:15 AM Placed in group Untrusted : HEUR:Worm.Win32.Generic
12/12/2009 10:14:15 AM Process start C:\WINDOWS\temp\wpv081257849029.exe
12/12/2009 10:14:15 AM Autorun Denied: KLPrivileges/KLSelfStart
12/12/2009 10:14:15 AM Process exit C:\WINDOWS\temp\wpv081257849029.exe

The last 3 entries show me moving the three programs to Kaspersky's Untrusted zone. To clear the program, I ran CCleaner, then MBAM, then SAS, and finally Kaspersky. Both MBAM and SAS cleared programs from the system; Kaspersky did not find anything. However, the activedst.exe file is still on my system.

I've pretty much exhausted my knowledge of system cleaning and would appreciate any help you can give.

Thanks!

Edit: Moved topic from HijackThis Logs and Virus/Trojan/Spyware/Malware Removal to the more appropriate forum. ~ Animal
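Reading a report like the one above by hand gets error-prone once it spans several processes, so here is an added example (not the poster's code and not anything shipped by Kaspersky) that parses these event lines and reconstructs the dropper chain: which process created activedst.exe, which created files were deleted again, and where Kaspersky denied a self-start registration. The log text is copied from the post; the three-field layout it assumes (timestamp, action phrase, target) is inferred from those lines alone and may not hold for other Kaspersky versions.

```python
"""Reconstruct the dropper chain from Kaspersky "Application Activity" events.

Added example for this thread, not code from the poster or from Kaspersky.
It parses the event lines pasted in the post (copied verbatim) to answer the
question being asked: which process wrote activedst.exe, and which dropped
files were never deleted again and so should still be on disk.  The layout
assumed (timestamp, action phrase, target) is inferred from those lines only.
"""
import re
from dataclasses import dataclass, field

# Event text copied from the forum post (three of the six pasted blocks).
KASPERSKY_EVENTS = r"""wpv981253129279.exe (events: 6)
12/12/2009 10:14:05 AM Placed in group Low Restricted
12/12/2009 10:14:05 AM Process start C:\WINDOWS\temp\wpv981253129279.exe
12/12/2009 10:14:05 AM Create C:\WINDOWS\system32\acledith.exe
12/12/2009 10:14:06 AM Delete C:\WINDOWS\system32\acledith.exe
12/12/2009 10:14:06 AM Create C:\WINDOWS\system32\activedst.exe
12/12/2009 10:14:13 AM Process exit C:\WINDOWS\temp\wpv981253129279.exe

HpqPSmon (events: 5)
12/12/2009 10:14:11 AM Placed in group Untrusted
12/12/2009 10:14:12 AM Process start C:\WINDOWS\system32\activedst.exe
12/12/2009 10:14:12 AM Autorun Denied: KLPrivileges/KLSelfStart
12/12/2009 10:14:12 AM Autorun Denied: KLPrivileges/KLSelfStart
12/12/2009 10:14:12 AM Process exit C:\WINDOWS\system32\activedst.exe

wpv691257453440.exe (events: 4)
12/12/2009 10:14:09 AM Placed in group Untrusted : HEUR:Trojan.Win32.Generic
12/12/2009 10:14:09 AM Process start C:\WINDOWS\temp\wpv691257453440.exe
12/12/2009 10:14:09 AM Autorun Denied: KLPrivileges/KLSelfStart
12/12/2009 10:14:09 AM Process exit C:\WINDOWS\temp\wpv691257453440.exe
"""

HEADER_RE = re.compile(r"^(?P<name>\S.*?) \(events: (?P<count>\d+)\)$")
EVENT_RE = re.compile(r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M) (?P<body>.+)$")
# Action phrases seen in the pasted report, longest first so prefix matching is unambiguous.
ACTIONS = sorted(["Placed in group", "Process start", "Process exit", "Create", "Delete",
                  "Modification", "Rename", "Autorun", "Setting debug privileges",
                  "Access to protected storage"], key=len, reverse=True)

@dataclass
class Event:
    ts: str
    action: str
    target: str

@dataclass
class ProcessActivity:
    name: str
    declared_events: int
    events: list = field(default_factory=list)

def split_action(body):
    """Split 'Create C:\\x' into ('Create', 'C:\\x'); an unknown phrase is an error, not a guess."""
    for action in ACTIONS:
        if body.startswith(action + " "):
            return action, body[len(action) + 1:]
    raise ValueError(f"unrecognised event: {body!r}")

def parse_kaspersky_events(text):
    """Group timestamped event lines under the 'name (events: N)' header above them."""
    blocks, current = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if (m := HEADER_RE.match(line)):
            current = ProcessActivity(m["name"], int(m["count"]))
            blocks.append(current)
            continue
        m = EVENT_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparsed line: {line!r}")
        action, target = split_action(m["body"])
        current.events.append(Event(m["ts"], action, target))
    return blocks

def surviving_drops(blocks):
    """Files each process created and did not delete again: candidates still on disk."""
    result = {}
    for block in blocks:
        created = []
        for ev in block.events:
            if ev.action == "Create":
                created.append(ev.target)
            elif ev.action == "Delete" and ev.target in created:
                created.remove(ev.target)  # e.g. acledith.exe: created, then removed
        if created:
            result[block.name] = created
    return result

def dropper_chain(blocks):
    """(dropper, dropped file, block that later executed it) for every surviving drop."""
    started_in = {}
    for block in blocks:
        for ev in block.events:
            if ev.action == "Process start":
                started_in.setdefault(ev.target.lower(), block.name)
    return [(dropper, path, started_in.get(path.lower()))
            for dropper, paths in surviving_drops(blocks).items() for path in paths]

def autorun_denied(blocks):
    """Blocks in which Kaspersky refused a self-start registration (a persistence attempt)."""
    return sorted({b.name for b in blocks for ev in b.events
                   if ev.action == "Autorun" and ev.target.startswith("Denied")})

if __name__ == "__main__":
    blocks = parse_kaspersky_events(KASPERSKY_EVENTS)
    for dropper, path, executed_as in dropper_chain(blocks):
        print(f"{dropper} wrote {path}; later executed in block {executed_as!r}")
    print("autorun denied for:", autorun_denied(blocks))
```

Run against the pasted lines, the chain comes out as wpv981253129279.exe writing C:\WINDOWS\system32\activedst.exe, which is then the image started in the block Kaspersky labelled HpqPSmon, and the self-start denials show the file trying to register itself to run at boot. The declared `events: N` count is kept on each block so a truncated paste can be detected by comparing it with the number of lines actually parsed.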


#2 azfreetech

azfreetech

  • Members
  • 182 posts
  • OFFLINE
  • Gender:Female
  • Location:Mesa, AZ
  • Local time:03:55 PM

Posted 12 December 2009 - 05:04 PM

Have you tried manually removing the file/folder? I looked it up and it's not good :thumbsup:
DJ Digital Gem

I gave up on computers and now I just DJ!

#3 LostOne96

LostOne96
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:05:55 PM

Posted 12 December 2009 - 08:04 PM

I know it's a baddie. It's part of a larger program, and I need to know if more disinfection is needed to contain the bug. I also need to know if this program is part of a backdoor trojan. If so, how do I clean the trojan from my system if the 3 AV/malware programs I currently use aren't detecting any problems?

Thanks!

#4 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:55 PM

Posted 12 December 2009 - 08:10 PM

Which ones are you using?
Computer Pro

#5 LostOne96

LostOne96
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:05:55 PM

Posted 12 December 2009 - 10:53 PM

Kaspersky Internet Security 2009, SuperAntiSpyware, and Malwarebytes' Anti-Malware (all noted in the initial text). HijackThis shows nothing, and I hesitate to run ComboFix, because I don't want to screw up my system any more than it already is.

I just finished running MBAM again, and it came back clean. I have yet to run SAS again (because it's taking a long time to run through the files on my system), but I'll run that again at a later time, just to be sure.

I've also run DDS and RootRepeal (and saved the log files), but I didn't want to post anything until told to do so.

Edited by LostOne96, 12 December 2009 - 11:00 PM.


#6 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:55 PM

Posted 13 December 2009 - 11:38 AM

I also have Kaspersky and it has excellent detections so we are going to use that.

But first, let's update your version to 2010 (it's a free upgrade), being that 2010 contains lots of updates for detecting malware.

Kaspersky Internet Security 2010

Let me know once the updating process is complete.
Computer Pro

#7 LostOne96

LostOne96
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:05:55 PM

Posted 13 December 2009 - 11:48 AM

I'll go ahead and upgrade (doing that now). I hadn't done it yet because I've heard a lot of negative things about Kas2010 regarding Firefox and the kilf.sys bug. Have those been resolved yet? Have you had similar problems with Kas2010?

#8 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:55 PM

Posted 13 December 2009 - 11:51 AM

I did have a slowdown problem on the very first version of 2010, but that has been resolved.
Computer Pro

#9 LostOne96

LostOne96
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:05:55 PM

Posted 13 December 2009 - 03:37 PM

The update process is complete.

#10 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:55 PM

Posted 13 December 2009 - 05:29 PM

Ok, now let's change some settings so that we can detect additional malware on the scan.

Please open up Kaspersky Internet Security. Go to Settings at the top right corner. In the left hand column, select "Full Scan". Under Security Level, click the Settings button.

On the Scope Tab, under File Types, select All Files. Still under the scope tab, under Scan Optimization, check the "Scan only new and changed files". Now on the Additional Tab, under Scan Methods, drag the Heuristic Analysis to Medium Scan. And then Finally, check the box that says Deep Rootkit scan.

Now click Ok to this box, then Apply, finally Ok.

Once you are back to the program's main screen, go to the Scan My Computer button. Click Start Full Scan.

Wait for the scan to finish.


Once the scan is complete, and all viruses have been taken care of, go to the Quarantine button. Under the Detected Threats tab, select "All" on the drop down menu. Items that were found during the scan should appear. Please list all of those in your next reply.
Computer Pro

#11 LostOne96

LostOne96
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:05:55 PM

Posted 13 December 2009 - 10:54 PM

There was only 1 entry. I've spaced out the full details on separate lines for easy reading:

12/13/2009

12:43:16 PM

Deleted

legal software that can be used by criminals for damaging your computer or personal data not-a-virus:Downloader.Win32.SpyNoMore.a

C:\Documents and Settings\Morbius\My Documents\Downloads\Download_spycatcher.exe

Low

#12 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:55 PM

Posted 13 December 2009 - 11:09 PM

You updated the software before the scan, correct?
Computer Pro

#13 LostOne96

LostOne96
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:05:55 PM

Posted 13 December 2009 - 11:13 PM

Yes I did.

#14 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:55 PM

Posted 14 December 2009 - 07:48 AM

Let's try Dr. Web:

Please download Dr. Web the free version & save it to your desktop. DO NOT perform a scan yet.

Scan with Dr. Web Cureit as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the "Virus check by DrWeb scanner" prompt and click Ok where asked "Start scan now?". Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin. (This is a short scan of files currently running in memory, boot sectors, and targeted folders.)
  • If prompted to download the Full version Free Trial, ignore it and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured.)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click File and choose Save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer, because it is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
Computer Pro

#15 LostOne96

LostOne96
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:05:55 PM

Posted 15 December 2009 - 07:10 AM

Here is the Dr. Web report; there was only 1 entry:

$sys$upgtool.exe;C:\WINDOWS\system32;Trojan.Starter.582;Deleted.;


I apologize, I should have been more explicit in my initial post. I ran CCleaner to clear out the temp files, then MBAM, which cleared out files, then SAS, which cleared out files, then KIS, which found nothing. The activedst.exe file was still on my system (and coming up clean), so I ran the scans again, with no success. Because the activedst.exe file is still on my system, I posted a topic on this forum.

Here are the deleted items from the first MBAM scan I performed:

C:\WINDOWS\temp\wpv081257849029.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv691257453440.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Morbius\Application Data\wiaservg.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv221253131464.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv981253129279.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Morbius\Start Menu\Programs\Startup\mgjwin32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

All files were successfully deleted.


Here are the SAS quarantined files:
Rogue.Agent/Gen-Nullo[DLL]
C:\WINDOWS\SMPROFLT.DLL
C:\WINDOWS\SYSTEM32\SMPROFLT.DLL
C:\WINDOWS\UA000059.DLL

The first 2 files are still on my system, the last has been quarantined.

I hope this information is helpful.

Edited by LostOne96, 15 December 2009 - 07:31 AM.
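Three scanners have now each reported in their own format (MBAM's "path (threat) -> action" lines, SAS's detection name followed by paths, Dr.Web's semicolon-separated CSV row), and the poster has to work out by hand which files were actually removed. Here is an added example (not the poster's code and not code from any of the three products) that parses the lines quoted in this post into one table keyed by path and lists the paths no tool reports as removed. The three formats are inferred from the quoted lines only, so the parsers raise on anything they do not recognise rather than guessing.

```python
"""Merge MBAM, SUPERAntiSpyware and Dr.Web report lines into one table of indicators.

Added example for this thread, not code from the poster or from any of the
scanners.  The report lines are copied from the post; the three line formats
are inferred from those lines alone, so each parser raises on anything it does
not recognise.  The merged table shows which paths some tool removed and which
were only detected and still have to be verified by hand.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

MBAM_LOG = r"""
C:\WINDOWS\temp\wpv081257849029.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv691257453440.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Morbius\Application Data\wiaservg.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv221253131464.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv981253129279.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Morbius\Start Menu\Programs\Startup\mgjwin32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""
SAS_LOG = r"""
Rogue.Agent/Gen-Nullo[DLL]
C:\WINDOWS\SMPROFLT.DLL
C:\WINDOWS\SYSTEM32\SMPROFLT.DLL
C:\WINDOWS\UA000059.DLL
"""
DRWEB_CSV = r"""$sys$upgtool.exe;C:\WINDOWS\system32;Trojan.Starter.582;Deleted.;"""

@dataclass(frozen=True)
class Finding:
    scanner: str
    path: str
    threat: str
    action: str

WINPATH_RE = re.compile(r"^[A-Za-z]:\\")
# "path (threat) -> action."  The lazy path stops at the first " (", so a path that
# itself contains parentheses (e.g. "Program Files (x86)") would need a stricter pattern.
MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

def _lines(text):
    return filter(None, map(str.strip, text.splitlines()))

def parse_mbam(text):
    out = []
    for line in _lines(text):
        m = MBAM_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised MBAM line: {line!r}")
        out.append(Finding("MBAM", m["path"], m["threat"], m["action"]))
    return out

def parse_sas(text):
    """SAS lists a detection name, then one path per line until the next name."""
    out, threat = [], None
    for line in _lines(text):
        if WINPATH_RE.match(line):
            if threat is None:
                raise ValueError(f"path before any detection name: {line!r}")
            out.append(Finding("SAS", line, threat, "detected"))
        else:
            threat = line
    return out

def parse_drweb(text):
    """DrWeb.csv rows are 'file;folder;threat;action;' with a trailing separator."""
    out = []
    for line in _lines(text):
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"unrecognised Dr.Web row: {line!r}")
        name, folder, threat, action = fields[:4]
        out.append(Finding("DrWeb", str(PureWindowsPath(folder, name)), threat, action.rstrip(".")))
    return out

REMOVED_WORDS = ("deleted", "quarantined", "cured", "moved")

def consolidate(*reports):
    """Key every finding by case-folded path so one file is one row across scanners."""
    table = {}
    for finding in (f for report in reports for f in report):
        table.setdefault(finding.path.lower(), []).append(finding)
    return table

def by_directory(table):
    """Number of distinct flagged files in each directory (case-folded)."""
    counts = {}
    for key in table:
        parent = str(PureWindowsPath(key).parent)
        counts[parent] = counts.get(parent, 0) + 1
    return counts

def unresolved(table):
    """Paths no scanner reports as removed: the ones to verify on disk by hand."""
    return sorted((fs[0].path for fs in table.values()
                   if not any(w in f.action.lower() for f in fs for w in REMOVED_WORDS)),
                  key=str.lower)

if __name__ == "__main__":
    table = consolidate(parse_mbam(MBAM_LOG), parse_sas(SAS_LOG), parse_drweb(DRWEB_CSV))
    for directory, n in sorted(by_directory(table).items()):
        print(f"{n:2d} flagged file(s) in {directory}")
    print("still to verify:", *unresolved(table), sep="\n  ")
```

On the quoted reports this yields ten distinct paths, four of them in C:\WINDOWS\temp, and the three SAS detections come out as the only unresolved entries, which matches the poster's observation that two of them are still present. Because the table is keyed by case-folded path, the same file reported by two tools under different capitalisation lands in one row, and the Kaspersky process names from the first post (wpv981253129279.exe and the other wpv*.exe droppers) can be matched against the MBAM rows directly.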




