Help to identify what my PC is infected with

Hi,

Somehow a Trojan has got onto my PC.
It was downloading loads of viruses (Dialer mainly).

I run Norton Internet Security, but that did not catch the installation of
the trojan. I does however catch the viruses as they are downloaded by the
trojan.

I have ran AVG, which found Dialer.tg infected in a file called
DrInstall.exe and cleaned that, as well as some dodgy registry entries.
But, I am still seeing some wierd things like thousands of 0byte files being
written to windows\temp. These are normally names SOSxxxx.TMP (replace xxxx
with a random number) or TMPxxxx.TMP

Now, I ran Trojan hunter tongiht also, that didn't find anything, bu tthere
is clearly something going on to keep creating these files.

Can anyone point me to what might be the cause of this and how I can get
rid?

Steve

From: "SPG" <(E-Mail Removed)>

| Hi,
|
| Somehow a Trojan has got onto my PC.
| It was downloading loads of viruses (Dialer mainly).
|
| I run Norton Internet Security, but that did not catch the installation of
| the trojan. I does however catch the viruses as they are downloaded by the
| trojan.
|
| I have ran AVG, which found Dialer.tg infected in a file called
| DrInstall.exe and cleaned that, as well as some dodgy registry entries.
| But, I am still seeing some wierd things like thousands of 0byte files being
| written to windows\temp. These are normally names SOSxxxx.TMP (replace xxxx
| with a random number) or TMPxxxx.TMP
|
| Now, I ran Trojan hunter tongiht also, that didn't find anything, bu tthere
| is clearly something going on to keep creating these files.
|
| Can anyone point me to what might be the cause of this and how I can get
| rid?
|
| Steve
|

Dialers are Trojans, not viruses.

Start with the McAfee module in the below Multi AV Scanning Tool...

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:(E-Mail Removed)...
> From: "SPG" <(E-Mail Removed)>
>
> | Hi,
> |
> | Somehow a Trojan has got onto my PC.
> | It was downloading loads of viruses (Dialer mainly).
> |
> | I run Norton Internet Security, but that did not catch the installation
> of
> | the trojan. I does however catch the viruses as they are downloaded by
> the
> | trojan.
> |
> | I have ran AVG, which found Dialer.tg infected in a file called
> | DrInstall.exe and cleaned that, as well as some dodgy registry entries.
> | But, I am still seeing some wierd things like thousands of 0byte files
> being
> | written to windows\temp. These are normally names SOSxxxx.TMP (replace
> xxxx
> | with a random number) or TMPxxxx.TMP
> |
> | Now, I ran Trojan hunter tongiht also, that didn't find anything, bu
> tthere
> | is clearly something going on to keep creating these files.
> |
> | Can anyone point me to what might be the cause of this and how I can get
> | rid?
> |
> | Steve
> |
>
> Dialers are Trojans, not viruses.
>
> Start with the McAfee module in the below Multi AV Scanning Tool...
>
> Download MULTI_AV.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to
> go through your
> FireWall to allow it to download the needed AV vendor related files.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in
> Normal Mode.
> This way all the components can be downloaded from each AV vendor's web
> site.
> The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and
> Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files
> or you can
> download the files and perform a scan in Normal Mode. Once you have
> downloaded the files
> needed for each scanner you want to use, you should reboot the PC into
> Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want
> to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal
> Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more
> comprehensive PDF help
> file. http://www.ik-cs.com/multi-av.htm
>
> Additional Instructions:
> http://pcdid.com/Multi_AV.htm
>
>
> * * * Please report back your results * * *
>
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

Hi,

I did what you suggested. I tried running the scanners but I am getting a
16bit system error to do with not being able to find the temp directory
which actually exists and has full permissions set.

I then made a dos boot disk and booted to dos (ntfs) and run the DOSClean.
This ran all night and when I came back down this morning I had a black
screen and the system was non-responsive.

This morning I am still seeing thousands of these sosxxxx.tmp files being
created, although I have used the sysinternals process manager and found out
that the files are being creted via the CCAPP.exe which is a norton NIS
scanner, so Norton appears to be unable to detect what the torjan/virus is
that is causing this to happen.

Is there a way to find out what app is writing these files via NIS?

Steve

From: "SPG" <(E-Mail Removed)>


| Hi,
|
| I did what you suggested. I tried running the scanners but I am getting a
| 16bit system error to do with not being able to find the temp directory
| which actually exists and has full permissions set.
|
| I then made a dos boot disk and booted to dos (ntfs) and run the DOSClean.
| This ran all night and when I came back down this morning I had a black
| screen and the system was non-responsive.
|
| This morning I am still seeing thousands of these sosxxxx.tmp files being
| created, although I have used the sysinternals process manager and found out
| that the files are being creted via the CCAPP.exe which is a norton NIS
| scanner, so Norton appears to be unable to detect what the torjan/virus is
| that is causing this to happen.
|
| Is there a way to find out what app is writing these files via NIS?
|
| Steve
|



Download and execute HiJack This! (HJT)
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a HJT log file and post it in one of the below locations...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order

http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/...splay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malwa..._Here-f37.html
http://gladiator-antivirus.com/forum...?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/...p?showforum=18
http://www.malwarebytes.org/forums/i...hp?showforum=7
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13
http://castlecops.com/forum67.html


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

From: "SPG" <(E-Mail Removed)>

| Hi,
|
| I did what you suggested. I tried running the scanners but I am getting a
| 16bit system error to do with not being able to find the temp directory
| which actually exists and has full permissions set.
|
| I then made a dos boot disk and booted to dos (ntfs) and run the DOSClean.
| This ran all night and when I came back down this morning I had a black
| screen and the system was non-responsive.
|
| This morning I am still seeing thousands of these sosxxxx.tmp files being
| created, although I have used the sysinternals process manager and found out
| that the files are being creted via the CCAPP.exe which is a norton NIS
| scanner, so Norton appears to be unable to detect what the torjan/virus is
| that is causing this to happen.
|
| Is there a way to find out what app is writing these files via NIS?
|
| Steve
|

Plaese post the contents of;
C:\AV-CLS\McAfee\ScanRepo.HTM


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:(E-Mail Removed)...
> From: "SPG" <(E-Mail Removed)>
>
> | Hi,
> |
> | I did what you suggested. I tried running the scanners but I am getting
> a
> | 16bit system error to do with not being able to find the temp directory
> | which actually exists and has full permissions set.
> |
> | I then made a dos boot disk and booted to dos (ntfs) and run the
> DOSClean.
> | This ran all night and when I came back down this morning I had a black
> | screen and the system was non-responsive.
> |
> | This morning I am still seeing thousands of these sosxxxx.tmp files
> being
> | created, although I have used the sysinternals process manager and found
> out
> | that the files are being creted via the CCAPP.exe which is a norton NIS
> | scanner, so Norton appears to be unable to detect what the torjan/virus
> is
> | that is causing this to happen.
> |
> | Is there a way to find out what app is writing these files via NIS?
> |
> | Steve
> |
>
> Plaese post the contents of;
> C:\AV-CLS\McAfee\ScanRepo.HTM
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

Virus Scan Report File

--------------------------------------------------------------------------------
Virus Scan Information
--------------------------------------------------------------------------------

McAfee VirusScan for DOS/PM v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for DOS/PM.
Virus data file v4842 created Aug 31 2006
Scanning for 207495 viruses, trojans and variants.

--------------------------------------------------------------------------------
Virus Scan Results
--------------------------------------------------------------------------------



08/31/2006 21:28:56


Options:
/ADL /UNZIP /SUB /ANALYZE /PANALYZE /CLEAN /ALL /DEL /PROGRAM /MIME /HTML
"C:\AV-CLS\MCAFEE\SCANREPORT.HTML"

Scanning C: [Programs]
Scanning C:\*.*

From: "SPG" <(E-Mail Removed)>

| Virus Scan Report File
|
| --------------------------------------------------------------------------------
| Virus Scan Information
| --------------------------------------------------------------------------------
|
| McAfee VirusScan for DOS/PM v4.40.0
| Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights
| reserved.
| (408) 988-3832 LICENSED COPY - Sep 23 2004
|
| Scan engine v4.4.00 for DOS/PM.
| Virus data file v4842 created Aug 31 2006
| Scanning for 207495 viruses, trojans and variants.
|
| --------------------------------------------------------------------------------
| Virus Scan Results
| --------------------------------------------------------------------------------
|
| 08/31/2006 21:28:56
|
| Options:
| /ADL /UNZIP /SUB /ANALYZE /PANALYZE /CLEAN /ALL /DEL /PROGRAM /MIME /HTML
| "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"
|
| Scanning C: [Programs]
| Scanning C:\*.*
|

It never completed :-(

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

On Fri, 1 Sep 2006 15:01:03 -0400, "David H. Lipman"
>From: "SPG" <(E-Mail Removed)>

PMFJI, but I'm back after a long non-illness ;-)

>| I did what you suggested. I tried running the scanners but I am getting a
>| 16bit system error to do with not being able to find the temp directory
>| which actually exists and has full permissions set.

>| I then made a dos boot disk and booted to dos (ntfs) and run the DOSClean.
>| This ran all night and when I came back down this morning I had a black
>| screen and the system was non-responsive.

What is this "DOSClean"? If it's an av scanning process that works on
NTFS via a DOS NTFS driver, then this may not be unexpected mileage.
The DOS NTFS TSR is large (leaving little space for DOS programs) and
buggy, in that it may show NTFS file structures as files to be
scanned, and it usually fails to properly traverse the directory tree.

Bart PE CDR boot would be a better way to formally scan the system.

>Download and execute HiJack This! (HJT)
>http://www.spywareinfo.com/~merijn/files/HijackThis.exe
>
>Create a HJT log file and post it in one of the below locations...
>
>{ Please - Do NOT post the HJT Log here ! }
>
>Forums where you can get expert advice for HiJack This! (HJT) logs.

There are two assumptions (and a third one that hopefully hasn't been
exploited yet) that this advice rests on:
- that there is an explicit integration point for HJT to see
- that the active malware will allow HJT to see it

If you have an intrafile infector, or malware has replaced an existing
code file, then there's no reason to use an explicit integration point
that HJT would be able to see.

Intrafile infectors aren't easy to write, and don't travel in
source-editable form - so they are slower to mutate. They nearly
always fan out via multi-generation spread, so they spread slowly
enough for av signatures to keep up. As you can't "see" an intrafile
infector with the naked eye, signature-based av remains the most
useful (if not infallable) tool for these.


The other problem is that if the malware's running, it is in a
position to defend itself, or even counter-attack. Most malware
doesn't take up this opportunity, while those that do are often
referred to as "root kits".

You can detect such malware in one of two ways:
- by running "dirty" and looking for rootkit behavior
- by running clean so that the root kit can't hide anymore

The latter is safer, but more difficult to do - Google( Bart PE ) for
the best way to obtain what MS didn't bother to provide, namely an
off-HD maintenance OS from which an infected PC can be scanned without
first running any malware that's infecting it.


Again, sorry if all this has been covered already :-/



>------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
>------------ ----- --- -- - - - -

From: "cquirke (MVP Windows shell/user)" <(E-Mail Removed)>

| On Fri, 1 Sep 2006 15:01:03 -0400, "David H. Lipman"
>> From: "SPG" <(E-Mail Removed)>
|
| PMFJI, but I'm back after a long non-illness ;-)
|
>|> I did what you suggested. I tried running the scanners but I am getting a
>|> 16bit system error to do with not being able to find the temp directory
>|> which actually exists and has full permissions set.
|
>|> I then made a dos boot disk and booted to dos (ntfs) and run the DOSClean.
>|> This ran all night and when I came back down this morning I had a black
>|> screen and the system was non-responsive.
|
| What is this "DOSClean"? If it's an av scanning process that works on
| NTFS via a DOS NTFS driver, then this may not be unexpected mileage.
| The DOS NTFS TSR is large (leaving little space for DOS programs) and
| buggy, in that it may show NTFS file structures as files to be
| scanned, and it usually fails to properly traverse the directory tree.


DOSClean.bat is the DOS scanner for use after booting from a DOS Disk or a DOS Disk with
NTFS4DOS.


|
| Bart PE CDR boot would be a better way to formally scan the system.


I haven't created such a kit so that's all there is with the Multi AV Scanning tool --
so far :-)


|
>> Download and execute HiJack This! (HJT)
>> http://www.spywareinfo.com/~merijn/files/HijackThis.exe
>>
>> Create a HJT log file and post it in one of the below locations...
>>
>> { Please - Do NOT post the HJT Log here ! }
>>
>> Forums where you can get expert advice for HiJack This! (HJT) logs.
|
| There are two assumptions (and a third one that hopefully hasn't been
| exploited yet) that this advice rests on:
| - that there is an explicit integration point for HJT to see
| - that the active malware will allow HJT to see it
|
| If you have an intrafile infector, or malware has replaced an existing
| code file, then there's no reason to use an explicit integration point
| that HJT would be able to see.
|
| Intrafile infectors aren't easy to write, and don't travel in
| source-editable form - so they are slower to mutate. They nearly
| always fan out via multi-generation spread, so they spread slowly
| enough for av signatures to keep up. As you can't "see" an intrafile
| infector with the naked eye, signature-based av remains the most
| useful (if not infallable) tool for these.
|
| The other problem is that if the malware's running, it is in a
| position to defend itself, or even counter-attack. Most malware
| doesn't take up this opportunity, while those that do are often
| referred to as "root kits".
|
| You can detect such malware in one of two ways:
| - by running "dirty" and looking for rootkit behavior
| - by running clean so that the root kit can't hide anymore
|
| The latter is safer, but more difficult to do - Google( Bart PE ) for
| the best way to obtain what MS didn't bother to provide, namely an
| off-HD maintenance OS from which an infected PC can be scanned without
| first running any malware that's infecting it.
|
| Again, sorry if all this has been covered already :-/
|
>> ------------ ----- --- -- - - - -
| Drugs are usually safe. Inject? (Y/n)
>> ------------ ----- --- -- - - - -


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

On Fri, 8 Sep 2006 21:45:17 -0400, "David H. Lipman"
>From: "cquirke (MVP Windows shell/user)"
>| On Fri, 1 Sep 2006 15:01:03 -0400, "David H. Lipman"
>>> From: "SPG" <(E-Mail Removed)>

>>|> I then made a dos boot disk and booted to dos (ntfs) and run the DOSClean.
>>|> This ran all night and when I came back down this morning I had a black
>>|> screen and the system was non-responsive.

>| What is this "DOSClean"? If it's an av scanning process that works on
>| NTFS via a DOS NTFS driver, then this may not be unexpected mileage.
>| The DOS NTFS TSR is large (leaving little space for DOS programs) and
>| buggy, in that it may show NTFS file structures as files to be
>| scanned, and it usually fails to properly traverse the directory tree.

>DOSClean.bat is the DOS scanner for use after booting from a DOS Disk
>or a DOS Disk with NTFS4DOS.

OK - the only DOS scanners I tried through the TSR was F-Prot. That
worked, byt didn't scan the full directory tree.

What engines does DOSClean.bat use?

>| Bart PE CDR boot would be a better way to formally scan the system.

>I haven't created such a kit so that's all there is with the Multi AV Scanning tool --
>so far :-)

Have you started playing with it yet? I haven't done any new "dev" on
it (other than sig updates) for a while now, but want to try adding
A-squared, Ewido 4, BitDefender 8 and unerase tools. I also want to
use the newer Bart builder (currently using 3.13)



>------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
>------------ ----- --- -- - - - -