Morphing malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by quile, Oct 20, 2004.

  1. quile

    quile Private E-2

    I have some kind of virus/malware/spyware, whatever, that I can't get rid of.

    Every time I get close it seems to morph into another file in another location.

    I can't figure out what the root file is. Trend OfficeScan is not finding it either. The only thing that comes close to recognizing the files is Giant AntiSpyware and it only sees it as some generic trojan. It deletes the registry entries but they just come back.

    I have scanned my computer with the latest updates with:
    Trend
    Spy-Bot
    Giant Antispyware
    Ad-aware 6

    I know O4 - HKLM\..\Run: [*accdisk] C:\WINNT\java\Packages\accdisk.exe
    is the culprit.

    I can delete it in the recovery console but it will come back morphed as something else.

    [log removed]
     
    Last edited by a moderator: Oct 20, 2004
  2. Kodo

    Kodo SNATCHSQUATCH

  3. PhilliePhan

    PhilliePhan Guest

    Hey guys,
    This might be Stopguard. It looks (& sounds) familiar!

    quile - Definitely follow the links Kodo gave you.

    Are you getting popups for Stopguard scans and WinFirewall that shut down IE?

    Let us know how you fared W/ the tutorial.

    Best,
    PP
     
  4. quile

    quile Private E-2

    Before I had posted my problem I did most of the stuff that's in your FAQ (prior to finding your site). But to make you guys happy I did it all again. My computer is clean as a whistle except for this one thing.

    I have absolutely no popups. My internet explorer runs slow as hell and most of the time I cannot click links that open new windows. The window will just freeze and eventually unfreeze and nothing has happened. I can open a new IE window and paste a shortcut no problem though. Text boxes are giving me shit too.

    The only thing that comes up with a problem in a scan is Giant Antispyware. None of the other tools find anything, except maybe a few cookies.

    Giant Antispyware calls it Unclassified.Trojan.B Trojan. I assume they call it this because they haven't figured out how to clean it yet.

    It's located at C:\winnt\system32\bkinst.exe, which I have since deleted.

    I know this has something to do with the accdisk.exe in my run.

    I can delete both of these files in the recovery console but it will come back with a new name and in a new location with a new registry entry.

    This is unlike anything I have ever come across before.

    For example, I cannot attach my log file. I click the Manage Attachments button, my IE freezes for about a minute and then nothing.

    I uploaded my log to my web server:
    http://www.overkillzone.com/private/quilehijackthis.txt

    Now, accdisk is supposedly in winnt\java\packages but I deleted that folder a long time ago. Now I have a process dllhost.exe, which I think is the new morph.

    Uhg.
     
  5. PhilliePhan

    PhilliePhan Guest

    It looks like you have the remnants of a Stopguard infection. Some of the file names even look familiar to me.

    dllhost - http://www.liutilities.com/products/wintaskspro/processlibrary/dllhost/
    http://www.spyany.com/files/dllhost_exe.html

    Tell me if these are all recognized and needed:

    O2 - BHO: MSLib16s.Lib32 - {18FA4897-BF84-498C-B865-35C3A1CAD1E7} - c:\progra~1\mslib16s.dll

    O15 - Trusted Zone: my.medtronic.com
    O15 - Trusted Zone: www.muchosucko.com
    O16 - DPF: Jacob - not available
    O16 - DPF: NinjaRMI - not available
    O16 - DPF: RMI - not available
    O16 - DPF: Swing - not available
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095452231043
    O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.core.medtronic.com
    O17 - HKLM\Software\..\Telephony: DomainName = ent.core.medtronic.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ent.core.medtronic.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ent.core.medtronic.com core.medtronic.com corp.medtronic.com medtronic.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ent.core.medtronic.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ent.core.medtronic.com core.medtronic.com corp.medtronic.com medtronic.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ent.core.medtronic.com core.medtronic.com corp.medtronic.com medtronic.com

    This will save some time.

    PP
     
  6. quile

    quile Private E-2

    OK, so dllhost.exe is a Windows file. I've tried terminating it and it comes right back, just like the others were that I didn't recognize. I also cannot do a Windows search to see if there is another copy of the file on my system other than in the system32 directory.

    The only stuff on that list I recognize is the Medtronic. That stuff needs to stay.
     
  7. PhilliePhan

    PhilliePhan Guest

    All Righty Then. . .

    Please make sure System Restore is OFF and you have Enabled the Viewing of Hidden Files.

    Look in C:\Windows\Prefetch for accdisk and Delete any entries.

    Please run HijackThis. Check the boxes for the following:
    O2 - BHO: MSLib16s.Lib32 - {18FA4897-BF84-498C-B865-35C3A1CAD1E7} - c:\progra~1\mslib16s.dll

    O2 - BHO: CATLEvents Object - {37882647-2D28-4D14-86F9-473FD6FED2D3} - C:\Temp\cvsptf.dat

    O2 - BHO: CATLEvents Object - {DF57FEB6-9BCE-45E3-AA65-BE327B8CCE7F} - C:\Temp\cfmdmc.dat

    O4 - HKLM\..\Run: [*accdisk] C:\WINNT\java\Packages\accdisk.exe

    O15 - Trusted Zone: www.muchosucko.com

    O16 - DPF: Jacob - not available

    O16 - DPF: NinjaRMI - not available

    O16 - DPF: RMI - not available

    O16 - DPF: Swing - not available
    Make sure ALL browser windows are Closed when you click FIX.

    Then, while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINNT\java\Packages\accdisk.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN. Stay in safe mode and run a search of your machine for cvsptf.dat / cvsptf.ini and cfmdmc.dat / cfmdmc.ini and Delete them if found.

    Then, see if C:\WINNT\java\Packages\accdisk.exe remains and delete it.

    Now, run SpybotSD.

    Open Internet Explorer. Click TOOLS > INTERNET OPTIONS and Click DELETE COOKIES. Then, Click DELETE FILES and check the box for ALL OFFLINE CONTENT and Click OK.

    Now Open the C>WINDOWS>TEMP folder and delete all files and sub-folders if any remain.

    Make sure Recycle bin is empty.

    Reboot to normal Windows and attach a fresh HijackThis Log and we’ll see if this does the trick.

    I know some of this can be a pain in the ass, but I've dealt with this particular problem before and Stopguard likes to resurrect itself. This is my canned, generic removal procedure - I'm still working out the kinks ;) Let me know if you run into any problems with the above instructions.

    Best luck,
    PP
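    The fixes above come down to reading a HijackThis log and picking out the entries that do not belong. The following is an added example (not code from the thread or from HijackThis) that applies the same screening rules to sample lines copied from the posts above: BHOs backed by .dat files or sitting in a temp folder, a Run entry under java\Packages, "not available" DPF objects, and Trusted Zone or DNS domain entries outside the user's own company domain. The Program Files root rule and the SUSPECT_DIRS list are my heuristics, not HijackThis behaviour.

```python
import re

# Constructed sample: entries quoted in the thread above, plus the
# Medtronic lines the user said must stay.
SAMPLE_LOG = r"""
O2 - BHO: MSLib16s.Lib32 - {18FA4897-BF84-498C-B865-35C3A1CAD1E7} - c:\progra~1\mslib16s.dll
O2 - BHO: CATLEvents Object - {37882647-2D28-4D14-86F9-473FD6FED2D3} - C:\Temp\cvsptf.dat
O4 - HKLM\..\Run: [*accdisk] C:\WINNT\java\Packages\accdisk.exe
O15 - Trusted Zone: my.medtronic.com
O15 - Trusted Zone: www.muchosucko.com
O16 - DPF: Jacob - not available
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.core.medtronic.com
"""

TRUSTED_SUFFIXES = ("medtronic.com",)            # domains the user vouched for
SUSPECT_DIRS = ("\\temp\\", "\\java\\packages\\")  # where the remnants lived (assumed list)
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

def parse(log):
    """Yield (section, body) for each HijackThis entry line, e.g. ('O4', 'HKLM\\..\\Run: ...')."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def flag(section, body):
    """Return a reason string if the entry deserves a look, else None."""
    low = body.lower()
    last = low.rsplit(" - ", 1)[-1]          # trailing path / URL / 'not available'
    if section == "O2":                      # browser helper objects
        if any(d in last for d in SUSPECT_DIRS):
            return "BHO loaded from a temp/suspect directory"
        if not last.endswith(".dll"):
            return "BHO not backed by a .dll"
        if re.search(r"\\progra~1\\[^\\]+\.dll$", last):
            return "DLL dropped in the Program Files root, not a vendor folder"
    elif section == "O4" and any(d in last for d in SUSPECT_DIRS):
        return "autorun from a temp/suspect directory"
    elif section == "O15":                   # IE Trusted Zone additions
        if not low.split(":", 1)[1].strip().endswith(TRUSTED_SUFFIXES):
            return "unexpected Trusted Zone site"
    elif section == "O16" and last == "not available":
        return "DPF object with no source"
    elif section == "O17":                   # DNS domain / search list
        names = low.split("=", 1)[1].split()
        if not all(n.endswith(TRUSTED_SUFFIXES) for n in names):
            return "DNS domain outside the expected suffix"
    return None

def triage(log):
    """Map each flagged entry body to the reason it was flagged."""
    hits = {}
    for section, body in parse(log):
        reason = flag(section, body)
        if reason:
            hits[body] = reason
    return hits
```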
     
  8. PhilliePhan

    PhilliePhan Guest

    I forgot to add that I do not know what this is:

    C:\WINNT\Msa\MSAService.exe

    But, that doesn't mean it's bad. Do you know what it is? Let's leave it alone for now.

    PP
     
  9. PhilliePhan

    PhilliePhan Guest

    BTW - If you'd like to see what a normal Stopguard infection looks like, have a look at this thread:

    Could use some help.

    You got off easy ;) - Your Giant product must have caught most of it. It just left a few remnants.

    PP
     
  10. quile

    quile Private E-2

    Thanks PhilliePhan,

    Those steps did the trick.

    I wanted to let you know I found a bunch of backup cfmdmc files and the ini in C:\WINNT\msagent\chars in addition to the c:\temp which I also deleted.

    Yeah that Giant Antispyware is pretty damn good. It was finding and deleting things both spybot and ad-aware missed. And it has a 3-way watch mode that was preventing things from being re-added to the registry.

    I think the MSA folder has something to do with the auto-updates my work pushes through the network. Should be OK.

    Thanks for your help.
     
  11. PhilliePhan

    PhilliePhan Guest

    You're Welcome!

    Best,
    PP
     
