Topic awaiting preservation: Virus/Trojan help, please. (Page 1 of 1)

I've been fighting with this nearly all day.
Like an idiot, I accidentally double-clicked a suspicious exe file. I was going to delete it, but some other reflex took over (like subconscious, morbid curiosity or something). Something flashed in the taskbar and all was quiet. I immediately went to DefCon 2.

First, I installed a demo of Norton that came with our computer. I scanned c:\windows and got rid of 3 trojans. I left some of the trojans' helper files around because I hadn't identified all of them just yet. So I was going through and renaming bat files and dll files that I knew were a part of the trojans.

Every seems to be going pretty well, except for one little thing: everytime I reboot, there is disk access. Now, I'm not exactly sure if this is a Norton thing or not. I did tell Norton to not scan the drives when shutting down, but I see no mention of scanning them when booting.

Just to be on the safer side, I installed the demo of Tiny Personal Firewall(?). As soon as I did that, the fit hit the shan again. I don't know if the install was infected, or if something else happened. Uninstall it, and installed the demo of ZoneAlarm. (I didn't like TPF anyways because the demo wouldn't let me turn on the firewall service.)

Previously, when I let Norton blast the 3 trojans, I took note of the folder. The vast majority of the action was happening in c:\windows\security. After I installed TFP, I went back to that folder and found a bunch of new files - and I do mean a bunch.

Some of these files are from the trojans, and some are from a newer trojan/virus, all in c:\windows\security:
admdll.dll
cool.dll
edb.chk
edb.log <-- binary that points to c:\windows\security in the beginning
expiorer.exe
Expl0rer.exe
file.ini <-- CoolBoot script
fri.ini <-- CoolBoot script
index2.html <-- calling card and specs for CoolBoot 4.0
kill.exe
mirc.ini <-- I do have mIrc, but this does not belongs to mIrc
MsgServr32.EXE
msinfo.dll
nick.zip <-- script of some sort, I believe for CoolBoot
prox.exe <-- looks like an ini file, possibly for mIrc, but it has scipt in that looks like it scans
raddrv.dll
registry.dll
remote.ini <-- variables for unknown script/prog
res1.log <-- filled with mostly #DA
res2.log <-- filled with mostly #DA
SERVER <-- no extension
sock.exe
temp.scr <-- text, filled with nicks or something
tmp.edb <-- 99% #00
winboot.dat <-- bat file to run Expl0rer.exe

Nearly all of the above files have been renamed. After a warm boot, none have been renamed or recreated.

In root, c:\, there are some suspicious files:
cpy.exe <-- handy for checking something to do with modified files
ntldr <-- no extension
WINDOWSkj01d.sys

Also some folders off of root:
"c:\system.sav\" <-- keeps popping up
"c:\System Volume Information\" <-- permissions have been changed, and I can't explore it until I figure out how to Admin this damn machine

Since I've installed ZoneAlarm, several outside things have been blocked, but I haven't noticed anything trying to go out.

Also, I was running Norton when CoolBoot invaded. Not sure why Norton didn't catch it. Maybe because CB is an IRC script thing?

And, I've only been running Norton on certain folders. I did scan the files in root and c:\windows\security, and nothing turned up. However, I still have to scan the entire system (including the rest of c:\windows).

I've been Googling filenames like a madman, but nothing conclusive to my satisfaction. All pages that I have hit only mention bits-n-pieces of the above named files. Right now, I think I'm mostly safe, but there are still some things that I'm not quite sure about.

Any insight much appreciated.
(Any insight beyond me being an idiot, thank you very much. Heh.)

edit:
I did find something suspicious in the registry. At the time, I decided to leave it.
I'll track it down again tomorrow and post it.


[This message has been edited by warjournal (edited 07-21-2003).]

Can't help you with much, but...

Norton AV is great if you're eradicating viruses, but if you're working with trojans, you'll probably need a seperate program to handle that. I use Spybot Search & Destroy, which works pretty well. Try running it through your hard drive. I think you'll be surprised at how much stuff Norton doesn't catch.

Of course, I'm not guaranteeing it'll kill everything, most likely you'll still have to do some manual weeding, but try it anyways.

I use the same prog that Oz has suggested, adn has been very successful in the past.

You may also find this page helpful

Helpful Link

ntldr is the NT-Boot-Loader, ie. anything after nt 4.0 (=2000 and xp) use this to start booting.
I'd leave it on there ;-).

apart from that, give housecall.antivirus.com a try... it's an online virus scanner that has worked rather well for me in the past.

(system volume information is on my machine as well, and windows tries to even lock the administrator out. nothing to worry about, in the trojan sense ;-))

warjournal: I too recommend using Norton and Spybot. Also look into The Cleaner, it is a good program that specifically looks for trogans. check it out http://www.moosoft.com/


The programmer's national anthem is 'AAAAAAAAHHHHHHHH''

Wolfen's Sig Site

standard simple trojan & virus check-
check your Startup folder, Registry, and Autoexec.at files for the virus.... if it's there, remove it and then reboot (check again) and delete the files... check for the running in 'Ctrl+Alt+Del' blah, blah, blah...

if it's nastier, then there's probably more help for it... and then toss youself on the mercy of Google


Code - CGI - links - DHTML - Javascript - Perl - programming - Magic - http://www.twistedport.com
ICQ: 67751342

The poster has demanded we remove all his contributions, less he takes legal action.
We have done so.
Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future.
Don't follow his example - seek real life help first.

A friend of mine has a trojan as well that we can't seem to get rid of. All it does is set your home page to http://www.whazit.com/ (I don't recommend visiting it). Only problem is, if you try and change the home page it just changes it right back.

In the registry, I went to the Run/Runonce under Current User and something else (Local?).

In one, nview.dll is set to run. From what I've read, this is for dual monitors, but we don't have dual monitors. Read that this might be used as a trojan helper. I haven't turned it off yet.

In the other, I found nwiz.exe. The value for this is set to "nwiz.exe /installquit /keepload". Not sure what to make of this one. While nwiz.exe is legit for NVidia, I did find some reference with this to MUMA. Not sure if this is running legitamately or not. Again, I haven't turned it off.

Checking the processes on this machine is mostly useless. Unless it's blatant, I have no idea. The main reason being that Woman won't let me get rid of the crappy HP junk, and some of the processes are HP junk. I don't always know the difference between windows processes, HP processes, and virus/trojan processes. It's a bloody mess in there. I might post a screen cap later. (To a lesser extent, this is also true for the registry. HP junk has made it a mess.)

I did run SpyBot. Cleaned out my cookies pretty well, but I didn't see anything suspicious. The only suspicious things that it did clean out were the little dialer things that I hadn't bothered removing.

InI, some of those files are legit. Is there a way to know if they are where they are supposed to be, or if they are being used by a trojan?

Did a complete system scan, and Norton says I'm clean. Not sure about some of the loose ends, though.

Thanks for the help.

Skaarjj, I had something like that once. I did a binary search for the URL, found the offenders, and blasted them. That solved my problem with that.

http://securityresponse.symantec.com/avcenter/vinfodb.html#threat_list

The Symanyec page for searching for viruses, trojans and other things. I have used this in the past and it was quite helpful for removing the BUgbear virus from a number of computers. THe site provides a listing of viruses, trojans and exploits giving information on what the virus does and how to remove, often a autoremove file is provided. It works best when you have a specific name for the file or virus to search with.

__________________________
"Show me a sane person and I will cure him for you."-Carl Jung
Eagles may fly high, but beavers don't get sucked into get engines.

The poster has demanded we remove all his contributions, less he takes legal action.
We have done so.
Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future.
Don't follow his example - seek real life help first.

Ahh, the System Volume Information folder. One of the best places to hide stuff on a network because access is supposed to be denied.