Trojan prob

Discussion in 'Malware Help (A Specialist Will Reply)' started by boolfase, Nov 4, 2007.

  1. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

LOL! Sorry about that, once in MSCONFIG, click the box next to "Normal Startup" and click OK but do not reboot. Attach a fresh HJT once complete.
     
  2. boolfase

    boolfase Private E-2

Here are the new logs... I needed to use a fix for run keys and ShowNew... I wondered why I had to press ignore every time I'd run the apps.
     
  3. boolfase

    boolfase Private E-2

Oh, and yeah, I assumed you'd have me tick Normal Startup... the logs below are after I did that :p
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have you had McAfee installed before? I see some traces that we can remove if it's not going to be used.
     
  5. boolfase

    boolfase Private E-2

    Yes, I had McAfee installed once; I've tried about 10 different antivirus solutions for hupigon.saz
    Edit: I won't be using it again, so removing the traces would be good.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's run ComboFix one more time...

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply.
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Once this scan is complete, attach the new log from it. Also, attach two fresh logs from ShowNew & GetRunKey.
     
  7. boolfase

    boolfase Private E-2

    Combofix says that it's expired, and to please download an updated copy.
     
  8. boolfase

    boolfase Private E-2

    OK, I got around the ComboFix issue by changing my clock back a month.

    attached are the new logs.
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download the attached zip file and save to your desktop.

    Extract the single exe inside and run it.

    This will create a new file on your desktop called procdll.txt

    Attach this log as your next post.
     
  10. boolfase

    boolfase Private E-2

    Procdll log attached.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Locate and run Process Explorer, which we used in Post 35, and once it's open follow the below.

    On the menu bar, click on FIND and then "Find Handle or DLL". Type in cscript.dll and press enter. When the results come back, look on the left hand side of the search window and let me know what process this file is locking to.
     
  12. boolfase

    boolfase Private E-2

    Nothing was returned in the search result. I made sure that I typed it correctly; I even tried cscr, csc, and looked through the results, but it isn't showing up.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, just run these instructions for now...

    Copy the bold text below to notepad. Save it as fixme5.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it,
    double click it and allow it to merge with the registry.
    Now run Avenger again...

    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Once you complete the above, reboot a few times and attach fresh logs from the below.

    • GetRunKey
    • ShowNew
    • HijackThis
    • Avenger
     
  14. boolfase

    boolfase Private E-2

    fresh logs
     
  15. boolfase

    boolfase Private E-2

    new logs #2
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download Silent Runners
    • Save it to the desktop.
    • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
    • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
    • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and attach it to your next message.
    NOTE: If you receive any warning messages from your antivirus or antispyware programs about a script trying to be run, please choose to allow the script to run.
     
  17. boolfase

    boolfase Private E-2

    log attached
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, I'm not seeing anything helpful.

    See if you can manually locate the file, once you find it, ZIP it and attach it to your next post.

     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  20. boolfase

    boolfase Private E-2

    cscript.dll attached.
     
  21. boolfase

    boolfase Private E-2

    Ok, I ran both utilities; for anything to show up in RegMon I just opened exes like i.e. IE, Firefox, Notepad etc. as you'll see.
    The Trojan seems to monitor opening executables, otherwise regmon and filemon remain fairly static.

    I'll test this by leaving my laptop on for a few hours while I go out tonight.
     
    Last edited: Nov 20, 2007
  22. boolfase

    boolfase Private E-2

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the attached GRK-Test.zip file and extract the new GetRunKey.bat file from it into the same folder you are currently running GetRunKey from. This will overwrite the previous version. Based on your last log the folder is C:\cleaning tools\New Folder (which, by the way, was not a good idea to name it this way; you should have used what was recommended, C:\MGtools). Now run the new GetRunKey.bat file by double clicking on it. Attach the new runkeys.txt log.
     
  24. boolfase

    boolfase Private E-2

    New log attached.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download Registry Search (see the link titled RegSearch Download Link)
    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Enter cqw32 in the top area of the form and then click "OK".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file now before doing the next search below.
    Now repeat the above search but this time search for cscript
    Attach this second log too.


    Click Start and select Search
    Now Select "All files and folders"
    Enter the cqw32 in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
    Then click the Search button. Tell me what matches (if any) you get for the cqw32 string.
     
  26. boolfase

    boolfase Private E-2

    The only results that were returned were the RegSearchCqw.txt, a shortcut to that file, and another shortcut to that file somewhere in the temporary files.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I need to know EXACTLY what was found.


    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Tell me if you receive a success message.

    If you try to delete the c:\windows\system32\cscript.dll file, does it let you delete it?
     
  28. boolfase

    boolfase Private E-2

    Last edited: Nov 20, 2007
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then, right now while it is deleted, I want you to go to c:\windows\system32 and create a new folder (yes, a folder) named cscript.dll. Then right-click on the folder and select Properties and make sure that both Read Only and Hidden attributes are checked and click Apply and OK. Then continue onto the below.

    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!
     
  30. boolfase

    boolfase Private E-2

    Fresh logs incoming...
     
  31. boolfase

    boolfase Private E-2

    hjt log

    - the cscript.dll folder I created is still there, and the actual cscript.dll that the trojan produces hasn't appeared.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That sounds good, but the APPINIT_DLL line referencing the file is still in your HJT log even though Avenger said it replaced it with a dummy. Run HJT and see if it can fix that O20 line.

    NOTE: HJT may pop up an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    Then afterwards, do another scan with HJT. Is the O20 AppInit_DLLs line gone?

    How are things working?

    You should uninstall CounterSpy now.

    Also you can have HJT fix the below unnecessary startups:
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
     
  33. boolfase

    boolfase Private E-2

    Ok hjt hasn't shown the APPINIT_DLL line, but I'll reboot just to be sure.
     
  34. boolfase

    boolfase Private E-2

    Back from restarting.
    The cscript line in hjt is back.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What about the folder we made?

    Please download and install Registrar Lite. Make sure you select a MajorGeeks download link and not the author's!
    • Run it, copy and paste the below line to reglite's address bar:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    • Click the "go" tab
    • Look for Windows folder to be highlighted in the left side panel
    • Rename the Folder Windows to NotWindows by right clicking on it and selecting rename.
    • Now double click AppInit_DLLs in the right side panel and clear the data value. You will see this value at the bottom of the Data Editor window that opens. Just erase the line with C:\WINDOWS\System32\cscript.dll and click 'Apply' and 'ok' to set.
    • Now exit Registrar Lite and reboot your PC.
    Did the AppInit_DLLS line return in HijackThis?
     
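An added example, not from this thread or any of the tools used in it: a PowerShell audit of the AppInit_DLLs value chaslang points at above, which also lists the processes that currently have each listed DLL loaded (the check bjgarrick asked for by hand with Process Explorer's "Find Handle or DLL"). It assumes a Windows host and an elevated prompt; the Wow6432Node key and LoadAppInit_DLLs only exist on 64-bit and Vista-or-later systems respectively.

```powershell
# Added example (not code from the thread): audit the AppInit_DLLs persistence point.
# Run from an elevated PowerShell prompt on Windows.
function Get-AppInitDlls {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view on 64-bit Windows
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        # LoadAppInit_DLLs exists on Vista and later; 1 means the list is injected into user-mode processes.
        # On XP (the OS in this thread) the value is absent and a non-empty AppInit_DLLs is always honoured.
        $load = $props.LoadAppInit_DLLs
        $raw  = [string]$props.AppInit_DLLs
        [pscustomobject]@{ Key = $key; LoadAppInit_DLLs = $load; AppInit_DLLs = $raw }
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }   # empty is the expected clean state
        # The value is a space- or comma-separated list of DLL paths
        foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
            $path = [Environment]::ExpandEnvironmentVariables($entry)
            $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            $kind = if (-not $item) { 'missing' }
                    elseif ($item.PSIsContainer) { 'directory (placeholder folder, as created in this thread)' }
                    else { 'file' }
            $sig  = if ($kind -eq 'file') { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
            # Processes that currently have this module loaded; protected processes we cannot read are skipped
            $hosts = foreach ($p in Get-Process) {
                try { if ($p.Modules | Where-Object { $_.FileName -ieq $path }) { $p.ProcessName } } catch { }
            }
            [pscustomobject]@{ Dll = $path; Kind = $kind; Signature = $sig; LoadedIn = ($hosts -join ', ') }
        }
    }
}

Get-AppInitDlls | Format-List
```

A listed DLL that is unsigned, lives under System32 with an unfamiliar name, or keeps reappearing after the value is cleared is the pattern this thread is chasing; re-run the function after each reboot to see whether the entry comes back.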
  36. boolfase

    boolfase Private E-2

    The AppInit_DLLs is in the hjt scan I just did after following your previous step.

    The folder we made is still there, there doesn't appear to be any cscript.dll file made by the trojan in the sys32 directory.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    At this point, I'm not sure what is recreating the AppInit_DLLs entry but I have to wonder now if it is something that is installed and that also makes me wonder if it is really a trojan.

    How is your PC currently working in the current state?
     
  38. boolfase

    boolfase Private E-2

    It's fine, I mean, the trojan doesn't inhibit anything like surfing, or working with any programs... the only way I knew I had a trojan was because Kaspersky (I use F-Secure, but it uses Kaspersky's virus engine) detected it; other than that I couldn't tell.

    Although, I did notice once that a new trojan jumped onto my system soon after the AV resident told me that cscript.dll was a trojan...but it was deleted and never seen again.


    I've had various infections in the past due to this being my laptop and therefore I take it to uni and connect to their wireless network through the Cisco VPN client; it seems that I got infections from doing next to nothing, i.e. I wasn't surfing nasty sites and/or downloading anything I shouldn't have been.

    I looked at the cscript.dll file in notepad and it seemed to have links to dodgy websites, a lot of the text was unintelligible.
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay well it's good that your PC is running okay! If I think of anything else we can try to do to find out what is recreating the registry entry at boot time, I will post back. The tools we normally use to do this are the ones BJ already gave you (RegMon and FileMon) but they are not able to track something at bootup since they are not running until you configure them.
     
  40. boolfase

    boolfase Private E-2

    Well thank you both for your efforts.
    RegMon has an option to 'log boot'...which I tried once, but it produced a log of about 150 meg lol.

    I'll give it a go again, and just ctrl+f for cscript and the AppInit_DLLs.

    Thanks once again!
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    It's worth a try but I'm not sure if it will hook in early enough to catch it. Maybe it will. You will have to turn off logging as soon as possible after booting. Also you should do this after deleting the registry key (replacing it with a NULL) using Avenger so that it has to be recreated.
     
    Last edited: Nov 24, 2007