Spyware/Trojans on CPQ Server - 7 days and counting

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Konos, Aug 23, 2004.

  1. Konos

    Konos Private E-2

    Hi all,

    I'm a long-time reader, first time poster! :)

    For the last week and a bit I've been struggling with a Compaq Server that was absolutely infested with trojans, viruses, spyware, you name it. I'm pretty sure I'm close to "normal". However, we're still getting a fair amount of pop-ups on it and believe you me, it's not for lack of running SpyBot and Ad-Aware. Anyway, here's what I removed from it:

    landisc
    msgfix
    dntus26.exe
    payload.dat - Randex
    vx2
    winshosts.exe
    svchostn.exe
    Backdoor.Malpayo
    w32.SpyBot.worm
    Sdbot (multiple versions)

    and that's just the stuff I remember. I'm particularly having grief with some stuff in the registry that HiJackThis has picked up and can't seem to permanently get rid of.

    The first is a folder called Slow Creative that has a few files in it. A couple of exe's, one called Team Mp3.exe in particular that even after deleting it from HiJackThis still manages to reload itself. I renamed the Slow Creative folder and it recreated itself - complete with all programs still in it.

    Found another program called ItchBlue.exe in a folder called C:\Program Files\Sixth Meow.

    The last registry entry that blatantly doesn't belong there is this one:
    C:\Documents and Settings\All Users\Application Data\Part 01 soap online\Lite chin.exe

    Scans using HiJackThis executed just 3 days ago didn't show this one. So it's new.

    There were two suspicious files in the C:\Winnt\system32 folder:
    o Hack6.exe
    o Net1.exe

    Which I've since renamed to OLD[filename].old

    The machine was running Symantec Anti-virus Corp edition with up-to-date defs at the time of infection. I've also noticed that BackupExec now takes at least twice as long to back up the same information (approx. 8 GB, 2 hours). So I know for sure that something isn't quite right.

    From my limited knowledge of system processes everything seems to be quite normal, so I suspect it's something like the lsass.exe that's running something it's not supposed to.

    Subsequent scans with Stinger, Ad-Aware and SpyBot don't seem to turn up anything other than tracking cookies and maybe a DSO Exploit in SpyBot.

    Any suggestions you guys might have would be a huge help. I've got over 14 hours into this bloody thing and am growing quite tired of patching it up! Although I'm certain I'm getting close now!

    Thanks in advance,
    -Steve
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Have you tried the tutorial?
    http://forums.majorgeeks.com/showthread.php?t=35407

    Reason I ask is I spotted the VX2 in there and there's a plug-in for Ad-Aware for VX2 covered in that tutorial. Some of these could easily be trojans and could be removed with a trojan remover mentioned in that link. That's typical of odd names in the system32 folder. I personally had luck going into safe mode, deleting them and removing their startup entries, but it can be a hassle.

    Let me know.
     
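What the reply describes, walking the startup entries and pulling the ones that point at odd folders, is roughly what HijackThis did by hand in 2004. As an added example, not from this thread or from MajorGeeks, here is a PowerShell triage script for a current Windows host that lists autostart entries from the Run keys, Winlogon and installed services, flags the ones worth a look, and checks that lsass.exe is the single System32 instance Konos wondered about. The folder names in $SuspectTokens are the ones reported in the post; the registry paths are the standard autostart locations; the flagging rules and the function names are my own assumptions, not anything the thread prescribes.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt (PS 3.0+).
# Lists autostart entries and flags the ones a responder would look at first.

# Folder names reported in the forum post (used only as string matches)
$SuspectTokens = @('Slow Creative', 'Sixth Meow', 'Part 01 soap online')

# Standard autostart registry locations (RunServices is a legacy Win9x/2000 key)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ProviderMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ImagePath {
    # Extract the executable from a command line such as  "C:\x\y.exe" /a  or  C:\x y\z.exe /a
    param([string]$CommandLine)
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    $path = $null
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 0) { $path = $cl.Substring(1, $end - 1) }
    }
    if (-not $path) {
        $m = [regex]::Match($cl, '^(.+?\.(exe|dll|com|bat|cmd|scr))\b', 'IgnoreCase')
        $path = if ($m.Success) { $m.Groups[1].Value } else { ($cl -split '\s+')[0] }
    }
    # Bare names like "explorer.exe" are resolved through PATH instead of the current directory
    if ($path -notmatch '[\\/]') {
        $cmd = Get-Command $path -ErrorAction SilentlyContinue
        if ($cmd) { $path = $cmd.Source }
    }
    return $path
}

function Test-Autostart {
    # Returns one record per entry; Flags is empty when nothing looked odd
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $path = Get-ImagePath $CommandLine
    $reasons = @()
    $exists = Test-Path -LiteralPath $path
    if (-not $exists) { $reasons += 'file missing or unresolvable' }
    foreach ($t in $SuspectTokens) { if ($path -like "*$t*") { $reasons += "matches '$t'" } }
    if ($path -match '\\Application Data\\|\\AppData\\|\\Temp\\|\\Documents and Settings\\') {
        $reasons += 'runs from user-writable data directory'
    }
    if ($exists) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Path = $path; Flags = ($reasons -join '; ') }
}

function Get-AutostartFindings {
    $findings = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($ProviderMeta -contains $p.Name) { continue }
            $findings += Test-Autostart -Source $key -Name $p.Name -CommandLine ([string]$p.Value)
        }
    }
    # Winlogon Shell/Userinit are classic hijack points; Userinit normally ends with a comma
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $findings += Test-Autostart -Source 'Winlogon' -Name 'Shell' -CommandLine ([string]$wl.Shell)
    $findings += Test-Autostart -Source 'Winlogon' -Name 'Userinit' -CommandLine (([string]$wl.Userinit) -replace ',\s*$', '')
    # Services are another autostart location; host processes (svchost, rundll32) need their arguments read too
    foreach ($svc in Get-CimInstance Win32_Service) {
        if ($svc.PathName) { $findings += Test-Autostart -Source 'Service' -Name $svc.Name -CommandLine $svc.PathName }
    }
    return $findings
}

function Test-LsassLocation {
    # Exactly one lsass.exe, running from System32, is expected; anything else deserves a look
    $expected = Join-Path $env:SystemRoot 'System32\lsass.exe'
    Get-CimInstance Win32_Process -Filter "Name='lsass.exe'" | ForEach-Object {
        [pscustomobject]@{ Pid = $_.ProcessId; Path = $_.ExecutablePath; ExpectedLocation = ($_.ExecutablePath -ieq $expected) }
    }
}

Get-AutostartFindings | Where-Object { $_.Flags } | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
Test-LsassLocation | Format-Table -AutoSize
```

The flags are leads, not verdicts: unsigned third-party software and stale entries for uninstalled programs will show up alongside anything malicious, so each flagged path still needs a look. If a folder reappears after you delete it, as Konos saw with Slow Creative, some running process or service is re-dropping it; find that owner in the listing, stop or disable it (safe mode, as the reply suggests, keeps most of these from starting), and then remove both the files and the entry that launches them.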
