Virus in Recycler

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JMNorris, Feb 9, 2007.

  1. JMNorris

    JMNorris Private E-2

    I have a virus (found by Symantec AV) in a Windows 2000 recycler subdirectory (C:\Recycler\s-1-...) that I can't get rid of. Trying to delete it via Windows Explorer, with DEL from the command prompt (even after trying to reset the attributes with ATTRIB), by putting the drive in another computer as a slave, and by running the Recovery Console from the Windows install disk didn't work. Symantec's attempt to delete the file also did not work. In every case, access is denied. Ideas? Thank you.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Did you simply try emptying the Recycle Bin first? Right click on the Recycle Bin icon and select Empty Recycle Bin.

    If that does not work, try the same thing after booting in safe mode. If that does not work, tell us exactly what Symantec is reporting (the full file name and the name of the virus). Then move on to the below.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. JMNorris

    JMNorris Private E-2

    Yes, I tried emptying the recycle bin (I guess I forgot to mention that). The offending file is C:\RECYCLER\s-1-5-21-1960408961-1563985344-1708537768-500\g-us.exe and Symantec describes the threat as "Trojan Horse". (I guess I've fallen into the sloppy habit of calling all malware viruses. I used to be better about that.) I'll start going through the other procedures on Monday when I return to work.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But do they give it a name? Trojan Horse is just a generic class. Normally most vendors use a name to refer to various malware components.

    When you used the Recovery Console, what exactly did you do to try and delete the file?

    When you put the drive into another system as a slave, how did you go about trying to locate the file and delete it? Did you just try to delete it manually? Did you try to empty the Recycle Bin? Did you run an antivirus scan from the Master drive on the slave drive? Did it detect it?

    If using the Recovery Console did not work and assuming you actually located the file, then you probably will not be able to delete the file. It could be a corrupted file system or an error on the hard disk. Did you do an error check on the hard disk?
     
  5. JMNorris

    JMNorris Private E-2

    Okay, I've done the scans as specified in sticky thread. Logs are attached here and to a subsequent message.

    • Spybot Search and Destroy found (and deleted):
      • Alexa Related: C:\Winnt\Web\Related.htm
      • Comet Cursors: HKLM\Software\Classes\Interface\{FF76344F-99D3-11D2-B959-00C04F81BC00}
    • CounterSpy in safe mode, log attached to this message
    • Bitdefender in safemode with net support, log attached to this message
    • Panda ActiveScan in safemode with net support, log attached to this message
    • RunKeys, log attached to next message
    • ShowNew, log attached to next message
    • HijackThis (as AnalyseThis), log attached to next message

    I suppose the logs will be more useful to you than the following, but here goes. Attempts to delete g-us.exe from the RECYCLER directory manually met with the error "Access denied". So my first guess was to try to get around the stranglehold Windows has on the RECYCLER permissions. But your reply (and the fact that the above scans turned up other stuff) probably indicates more serious matters.

    Symantec just said "Trojan Horse". I know, that's unhelpful, but that is all they give.

    I changed to its directory. I tried to remove the SYSTEM and HIDDEN flags with ATTRIB, but got an "Access denied" message. I don't remember if I tried DEL -- I wouldn't expect it to work because the file was hidden. The commands "ATTRIB *" and "DIR /A" showed the file.

    I don't remember the exact order:

    • I tried to delete the containing subdirectory of C:\RECYCLER from Windows Explorer. Note: Windows Explorer did not show any files in the containing subdirectory.
    • I tried Emptying the Recycle Bin. Opening the Recycle Bin did not show the file.
    • I tried to delete the whole C:\RECYCLER from Windows Explorer.
    • I tried to change its attributes and delete it from the command line in the same manner as I had from the Recovery Console.
    • I ran Symantec AV on the slave from the master. It detected the file but could not delete it.
    • From Recycle Bin -> Properties, I checked "Do not move files to the Recycle Bin. Remove files immediately when deleted" and tried everything above again.

    I did an error check and no errors were found.
     

  6. JMNorris

    JMNorris Private E-2

    Here are the other logs.
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a lot of serious problems! A lot more than just that g-us.exe file.

    Please download Blacklight Beta
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of the BlackLight log.

    Do you know what the below folder is for?
    Code:
    "C:\"
    SAV101~1      Feb  5 2007              "SAV101-inst"
    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_06
    Mozilla Firefox (1.5.0.9)
    SAS Private JRE (J2SE(tm) Java Runtime Environment 1.4.1)

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    If you need the Sun Java Development kit you can get it here: http://java.sun.com/javase/downloads/index.jsp

    While following the below instructions for stopping, disabling and deleting NT Services, make sure you only stop, disable, and delete EXACTLY what I give you. You must match exactly. Be careful not to delete valid Windows Services, especially ones that use the words Remote Procedure Call in them.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to System Restore Update
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • DNS Protocol Support
      • NetCat
      • Remote Procedure Call (RPC) Service
      • VNC Mail Client
      • TCP/IP-Verbindung
      • Event Log Manager
      • Automatic Services
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste dfrgui into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • DNSsvc
      • NetCat
      • Remote Procedure Monitor
      • run123
      • tcp-ip
      • TskSrv
      • turbo
    • Now exit HJT and reboot when it tells you it needs to.

    After reboot, download and install this: ExplorerXP

    Then run ExplorerXP and use it to look for the below files and delete them if they are found. When you locate a file, select it and then click the Edit menu selections and choose Delete Permanently
    C:\WINNT\system32\dfrgui.exe
    C:\WINNT\system32\dnssvc.exe
    C:\WINNT\System32\Catroot\ntfrsr.exe
    C:\WINNT\system32\Com\msrpc.exe
    C:\WINNT\system32\vncmail.exe
    C:\WINNT\system32\csrssh.exe
    C:\WINNT\system32\dfsvc.exe
    C:\WINNT\system32\ntvsm.exe

    Also see if ExplorerXP can delete (permanently) the g-us.exe file.

    Now attach a new HJT log.
     
    Last edited: Feb 15, 2007
  8. JMNorris

    JMNorris Private E-2

    I was beginning to suspect that. :eek:

    Okay, here is my progress.

    • I ran Blacklight Beta; attached is the log
    • C:\SAV101-inst was left over from updating Symantec AV to 10.1. My employer has a site license for the corporate version. They also have their own server for signature updates--and so they have a customized install. I don't know if this directory is due to the customized install or is part of the standard Symantec install process.
    • I uninstalled old JREs. I didn't know Sun had a JRE 6. Their default installation is for JRE6, Update 11. I guess you guys are VERY up to date.
    • I uninstalled old Firefox (and found an even older pre-Firefox Mozilla browser to uninstall).
    • I installed newer JRE and Firefox.
    • I disabled Windows services you specified.
    • I used HJT to delete the specified Windows services.
    • I used ExplorerXP to Delete Permanently the specified files. The files found to delete were:
      • C:\WINNT\system32\Catroot\ntfsr.exe
      • C:\WINNT\system32\Com\msrpc.exe
    • Then I looked for the g-us.exe file with ExplorerXP and DIR /A. It has disappeared.
    • A new HJT log is attached.

    I ran Symantec AV on the recycler directory; it also no longer reported g-us.exe (though it was from normal mode, not safe mode). It did detect HideRun.exe, which it described as HackTool.HideWindow. I didn't do anything more extensive with Symantec AV.

    Note. There are a number of files in the offending Recycler subdirectory that I don't see on other computers. Attached is dir.txt which lists the ones found by ExplorerXP and also "DIR /A". Notice that one of them is a temp directory. ExplorerXP (but not DIR) found the following there:
    • tools
    • .ioFTPD
    • .ioFTPD.race
    • changeoop.txt
    I'm guessing that NONE of these files except desktop.ini belong there.
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Careful! These were not Windows Services. They were malware services. ;) It appears to me that someone using this PC has been experimenting too much with FTP servers and some of them are malware.

    Are you saying Norton does not fix the problem? If so, sounds to me like you guys are wasting your money paying for something that does not work very well.

    Can you just empty the Recycle Bin now to get rid of all these files that you showed in the dir.txt log? If not, can you delete them Permanently with ExplorerXP?

    Those ioFTPD files are from this: http://www.inicom.net/pages/en.ioftpd-home.php Someone must have installed it at one time.

    Let's fix some more things too!

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [AV UpDate] C:\WINDOWS\System32\Spool\prtprocs\Update.exe

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\System32\Spool\prtprocs\Update.exe
    C:\WINNT\system32\vncmailswenumer.sys
    C:\WINNT\Help\agt0975.hlp
    C:\WINNT\sysmgnr.exe
    C:\WINNT\system32\carun.dll
    C:\WINNT\system32\carun.ocx
    C:\WINNT\system32\chkdrv.vxd
    C:\WINNT\system32\drivers\sysdrvr.sys
    C:\WINNT\system32\tskman.dll
    C:\WINNT\system32\tskman.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!
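How a "Delete on Reboot" request is recorded, as an added example that is not part of this thread and not Killbox's own code: the example assumes Killbox uses the standard deferred-move API (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT), in which case Windows queues the work in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and Session Manager processes it at the next boot. The Python below builds a constructed copy of that value (two of the paths named in the post, plus one made-up rename pair of the kind an installer leaves) and decodes it, so a responder can see what is queued before rebooting. The helper names and the sample paths marked constructed are my own.

```python
"""Decode the PendingFileRenameOperations queue (added example, constructed data)."""
import re
from typing import List, Tuple

# Registry location of the queue that Session Manager processes at boot.
PENDING_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"

# Entries are stored as NT object paths ("\??\C:\...") in a REG_MULTI_SZ.
_NT_PREFIX = re.compile(r"^!?\\\?\?\\")


def build_pending_ops(pairs: List[Tuple[str, str]]) -> bytes:
    """Encode (source, destination) pairs the way the value is laid out on disk.

    An empty destination means "delete source at next boot"; a destination
    beginning with '!' means "replace the destination if it already exists".
    REG_MULTI_SZ is UTF-16LE, NUL between strings, double NUL at the end.
    """
    flat = []
    for src, dst in pairs:
        flat.append(src)
        flat.append(dst)
    return ("\x00".join(flat) + "\x00\x00").encode("utf-16-le")


def nt_to_win32(path: str) -> str:
    """Strip the NT namespace prefix (and the '!' replace marker) for display."""
    return _NT_PREFIX.sub("", path)


def decode_pending_ops(raw: bytes) -> List[Tuple[str, str, str]]:
    """Return (operation, source, destination) tuples in queue order."""
    parts = raw.decode("utf-16-le").split("\x00")
    ops = []
    i = 0
    while i < len(parts):
        src = parts[i]
        if src == "":            # empty source = terminator reached
            break
        dst = parts[i + 1] if i + 1 < len(parts) else ""
        if dst == "":
            ops.append(("delete", nt_to_win32(src), ""))
        elif dst.startswith("!"):
            ops.append(("replace", nt_to_win32(src), nt_to_win32(dst)))
        else:
            ops.append(("rename", nt_to_win32(src), nt_to_win32(dst)))
        i += 2
    return ops


def scheduled_deletions(raw: bytes) -> List[str]:
    """Just the files that will be removed at the next boot."""
    return [src for op, src, _ in decode_pending_ops(raw) if op == "delete"]


# Constructed sample: two deletions using paths named in the post, plus one
# made-up rename pair (SET0001.tmp -> example.dll) for contrast.
SAMPLE_PAIRS = [
    (r"\??\C:\WINNT\system32\tskman.dll", ""),
    (r"\??\C:\WINNT\system32\carun.ocx", ""),
    (r"\??\C:\WINNT\system32\SET0001.tmp", r"!\??\C:\WINNT\system32\example.dll"),
]
SAMPLE_RAW = build_pending_ops(SAMPLE_PAIRS)

if __name__ == "__main__":
    for op, src, dst in decode_pending_ops(SAMPLE_RAW):
        print(f"{op:8s} {src}" + (f" -> {dst}" if dst else ""))
```

Reading this value on a live system (reg.exe export, or a registry hive from a disk image) before the reboot shows exactly which files are about to disappear; an unexpected entry there is also worth a look, since malware can use the same queue to replace system files at boot.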
     
  10. JMNorris

    JMNorris Private E-2

    What's the difference? I thought Windows was malware! :D
    The people who are supposed to be using this computer wouldn't know how to do that. Unfortunately, it's a lab computer in a lab with very poor (read: no) access security. Might some malware have been trying to install it???

    Yes, Norton could not delete HideRun.exe. Well, I am not wasting any money. But my employer, with 10's of thousands of computers, is wasting plenty. I work for a large university better known for football than for IT. At one time, Norton had a reputation for being one of the worst AV's in the business. PCMag type publications loved it for its flashy interface, but its detection rate was dismal. (Not as bad as Microsoft's now gratefully departed AV, that was in a league by itself.) Symantec bought IBM's AV operations and, as it absorbed that know-how, became quite respectable. That respectability, though, really only extended/extends to traditional viruses and worms. It was never so good at trojans and has been very slow at adapting to newer types of malware such as rootkits and spyware. I am rather stunned, though, that it could not delete HideRun.exe. That was not supposed to be one of its weaknesses. Unlike ExplorerXP, it could not delete HideRun.exe even after the ministrations below.

    Before the ministrations below, no. After the ministrations below, yes, with ExplorerXP. None of these files were ever listed when opening (double-clicking on) the Recycle Bin. They were only listed when getting a directory listing manually through DEL /A (or with ExplorerXP). Windows Explorer did not show them.

    I did the following:

    • Fixed O4 - HKLM\..\Run: [AV UpDate] C:\WINDOWS\System32\Spool\prtprocs\Update.exe with HJT.
    • Used Pocket Killbox to delete on reboot the specified files. The ones found to delete were:
      • C:\WINNT\system32\vncmailswenumer.sys
      • C:\WINNT\system32\carun.ocx
      • C:\WINNT\system32\chkdrv.vxd
      • C:\WINNT\system32\tskman.dll
      No PendingFileRenameOperations prompt appeared.
    • Ran CCleaner
    • Generated new logs (attached) for:
      • GetRunKey
      • ShowNew
      • HJT

    I'm not sure what you want me to check for. It is perhaps not as slow now, especially at startup--but I am not the best judge of that since I use it only rarely. I was able to delete all those extraneous files from the RECYCLER subdirectory with ExplorerXP; that's a good sign. Before today's efforts, it could not do that (well, I think I had only tried HideRun.exe and the files in the temp subdirectory).

    BTW, I am very grateful for the excellent assistance you are providing. :clap
     
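A check for the symptom described in posts 8 and 10 (files sitting in a RECYCLER\S-1-5-... folder that the Recycle Bin window never lists), added here as an example and not taken from the thread: on Windows 2000/XP the Recycle Bin window shows only entries recorded in the folder's INFO2 index, and files it recycles are renamed to D<drive letter><n>.<extension> (for example Dc3.exe), so anything else in a SID folder was written there directly rather than deleted through the shell. The Python below parses a constructed `DIR /A` listing (file names from the thread; dates, sizes and the volume header are made up) and reports the entries that do not fit the Recycle Bin layout. Function names are my own.

```python
"""Flag entries that do not belong in a RECYCLER SID folder (added example)."""
import re
from typing import List, Tuple

# One 'DIR /A' line in the US date format Windows 2000 prints, e.g.
#   02/14/2007  09:12a      <DIR>          temp
#   02/14/2007  09:12a              36,864 Dc3.exe
_DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}[ap]?)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$"
)

# What a healthy per-user Recycle Bin folder may contain: the two index
# files, plus recycled items renamed D<drive><n>[.ext] (folders included).
_INDEX_FILES = {"desktop.ini", "info2"}
_RECYCLED_NAME = re.compile(r"^d[a-z]\d+(\..+)?$", re.IGNORECASE)


def parse_dir_listing(text: str) -> List[Tuple[str, bool]]:
    """Return (name, is_directory) for each entry, skipping '.' and '..'."""
    entries = []
    for line in text.splitlines():
        m = _DIR_LINE.match(line.strip())
        if not m:
            continue   # volume header, 'Directory of', totals, blank lines
        name = m.group("name")
        if name in (".", ".."):
            continue
        entries.append((name, m.group("size") == "<DIR>"))
    return entries


def classify(name: str, is_dir: bool) -> str:
    """'index' or 'recycled' for entries the bin itself creates, else 'unexpected'."""
    if not is_dir and name.lower() in _INDEX_FILES:
        return "index"
    if _RECYCLED_NAME.match(name):
        return "recycled"
    return "unexpected"


def unexpected_entries(text: str) -> List[str]:
    """Names in the listing that the Recycle Bin window would never show."""
    return [name for name, is_dir in parse_dir_listing(text)
            if classify(name, is_dir) == "unexpected"]


# Constructed listing: names are the ones reported in the thread; the dates,
# sizes and volume header are invented for the example.
SAMPLE_LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is 0000-0000

 Directory of C:\RECYCLER\S-1-5-21-1960408961-1563985344-1708537768-500

02/14/2007  09:12a      <DIR>          .
02/14/2007  09:12a      <DIR>          ..
02/14/2007  09:12a                  65 desktop.ini
02/14/2007  09:12a                 820 INFO2
02/01/2007  11:40p              36,864 Dc3.exe
01/22/2007  03:15a             102,400 g-us.exe
01/22/2007  03:15a              24,576 HideRun.exe
01/22/2007  03:20a      <DIR>          temp
01/22/2007  03:21a                  12 .ioFTPD
               7 File(s)        163,937 bytes
               3 Dir(s)   1,000,000,000 bytes free
"""

if __name__ == "__main__":
    for name in unexpected_entries(SAMPLE_LISTING):
        print("not a Recycle Bin entry:", name)
```

Run it against the saved output of `DIR /A` from each SID folder under C:\RECYCLER; on a clean machine the result is empty. The same layout rule explains why "Empty Recycle Bin" did nothing for g-us.exe: the shell only removes what INFO2 knows about.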

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    I don't want to get into a long discussion on Symantec/Norton, so I will keep it short. Don't like and would never recommend it!

    Okay sounds like we are basically finished. Your logs are clean, but here are a few additional steps to take.

    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Also have HJT fix the below un-necessary line for Sun Java.
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"

    Doing the above two steps will also speed things up some more.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  12. JMNorris

    JMNorris Private E-2

    Done. Thanks again for the help.

    Just curious. Do you have an opinion about Clam AV? I use several open source products (OpenOffice, Gimp, VideoLAN), but an AV does not seem a natural for open source work. After all, an update to OpenOffice can wait until next month, but an update to an AV can't. So I was curious how you thought they were doing.
     
  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Clam AV, even though it is getting better, misses quite a few things and has a high False Positive rate. There are far better Anti-Virus applications currently available that are free.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Agreed. We recommend that you use one of the applications mentioned in step 2 of the How to Protect yourself from malware! link. Give AVG a try.
     
  15. JMNorris

    JMNorris Private E-2

    I have been using Avira AntiVir on my own computer; my employer supplies Symantec AV for work computers. As for Clam AV, I was curious but not really considering using it. Thanks for the info.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Antivir is also one of our recommended free choices. ;)
     
