can't stomp trojan.Tofger
Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: can't stomp trojan.Tofger

  1. #1

    can't stomp trojan.Tofger

    So, there's a machine in the shop that was overrun with virii (350 instances of bagle, stuff like that). The machine is running xp home sp1 (not the latest updates, as you could guess). I have been able to kill 99% of all the problems... but there is constantly a problem with dltime.dll.

    Here's what I've done so far:
    note: all scanners were up-to-date
    1. turn off system restore
    2. cleaned out temps/cookies/prefetch/etc
    3. booted into winpe and removed the final _restoreXXXXXXXX files
    4. while in winpe I ran mcafee's command line scanner
    · Found dltime.dll, but it couldn't remove the file
    5. In winpe, attempted manual removal of dltime.dll, which sort of worked. But it returned on next boot
    6. removed hard drive from machine, ran norton scan. Found, but removal and quarantine failed
    7. played around with msconfig/regedit(hklm and hklu)/safemode/HJT/services to no avail
    8. Went online and found info from norton and other places.
    · learned of secondary file %windir%\svchost.dll
    9. Followed norton's manual removal guide, no dice
    I've repeated the above multiple times while manually removing both svchost.dll (the one in c:\windows) and dltime.dll. No matter what I do the files keep returning, keep executing, and look as though they are locked (all scans fail delete/quarantine). Is it possible for a virus to add itself to the winXP protected file list, so that it would be returned everytime I boot? There are no attributes on the files (not system or hidden) and this is just annoying me.

    So, any ideas?

    edit: yes, i also ran housecall from trendmicro
    You are so bored that you are reading my signature?

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    I would get Spybot Search & Destroy, update it and run it in safe mode. Run the immunise option whilst you are at it.

    Then go into tools (you probably have to start it in advanced mode...............can't remember I always set that as the default)

    Take a look at BHOs, the Hosts File, scheduled tasks, etc and see if there is anything dodgy.

    Make sure to clear the Java cache, then disable it. A lot of crapware hides in there.

    Good luck

    EDIT: Pest Patrol claims to get rid of it so you might download a trial and see if their claims are justified?
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    You must be missing something, possibly in the registry. In this situation I would be tempted to backup and then scratch the Hdd and re-install....................There does come a time when cleaning a system is more time consuming and difficult than is worth the effort.

    Not only the time aspect but as the box has been compromised with a keylogger, personaly, I would not trust it again untill it has been wiped. I appreciate that a fresh install is not always possible or warranted but in this instance I think that it maybe.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  4. #4
    Thanks for your replies before I head in to tackle this foe.

    Nihil: I will try pest patrol, thanks for recomending it. I have run aaw and sb:sod (yep, updated and all that jazz) but there was no change (no ad/spy ware on the machine, user was good about using aaw)

    Jinxy: Yeah, I'm the same way. The last time a machine of mine was compromised (3 years ago when i was using kazaa) I formatted my machines, changed passwords, all that good stuff. I would like to just format, but that's not what he wants.
    You are so bored that you are reading my signature?

  5. #5
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    I would like to just format, but that's not what he wants.
    Fair enough.

    Ive attached a zip file with a prossess viewer that may help you track this beastie down. I would link you to the download page but I can't remember where I got it from.

    Anyway, Download at your own discretion.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    go to the folder the virus was found in. look for files with the same date. check the properties of all the exes and dlls in that folder to make sure they show version information. there are many ways to download that av's wont detect, legit apps that are used to hide files and processs and start processes. rename them just incase they are not malicious and necessary for something to run

    use pslist.exe or any good process viewer to show processes. check them on http://www.answersthatwork.com/Taskl...s/tasklist.htm kill processes you dont know. did this on a box last week. after killing a strange process and running pslist again a few more processes were visable including firedeamon

    run hijackthis to have a better look threw the reg.

    run tasklist /svc to see what is being started using svchost.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  7. #7
    tedob:
    I started process explorer via hklm/s/m/w/cv/run and saw the process tree which was starting all the problems. Strangely, there was a windowsupdateXXXXXXX.exe (or something like that) being started from the start menu's start folder (which I cleared out before, it must've been replaced during a reboot). This program created a file in temporary files which started the false svchost. If you sit and watch it, the program runs some cmd windows in the background which makes svchost a stand alone process (removes it from the other process tree). Finally, the false windowsupdate program exits leaving svchost.

    So anyway, i killed the processes, deleted the files, and now it's all good. Thanks.

    Nihil: Pest patrol did find the false svchost, but it couldn't do anything other than delete it, at which point the file would come back. Good idea, but it didn't help in this application.
    You are so bored that you are reading my signature?

  8. #8
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    annihilator_god, just a quick question. Do you have Spybot's TeaTimer on? If I remember correctly, someone mentioned that TeaTimer can inadvertently protect malicious registry entries by denying changes to the registry. Also, in addition to what Tedob said, maybe you could post your results from a HiJackThis scan.
    Anyways, I checked around and compiled a list of registry entries that I could find in relation to Trofger:

    From Symantec:
    %Windir%\MSTO32.DLL
    %Windir%\[File1]
    %Windir%\SYSINI.INI
    %System%\[File2]
    %System%\[File3]
    %Windir%\msrt32.dll
    %Windir%\msin32.dll
    %Windir%\dorta32.dll
    %Windir%\durta32.dll
    %Windir%\sufer32.dll
    %Windir%\byrta32.dll
    %Windir%\dltime.dll
    [File1] can be one of SVCHOST.EXE, SACHOST.EXE, SLHOST.EXE, SUHOST.EXE, SXHOST.EXE, SYSTEM.EXE, or WINUPD.EXE.
    [File2] can be one of SVCHOSTC.EXE, SACHOSTC.EXE, WINU.EXE, or STROPEN.EXE.
    [File3] can be either of SVCHOSTS.EXE or SACHOSTS.EXE.

    In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Online Service" = "%Windir%\%File1%..."
    "Onlune Sarvice" = "%Windir%\sachost.exe"
    "Upgrade Service" = "%Windir%\%File1%..."
    "Systems Restart" = "%Windir%\%File1%..."
    "Setup Experation" = "%Windir%\File1%..."
    It also apparently adds url's and changes browser startpage defaults.

    From Sophos:
    When run, the Trojan creates the files svchost.exe and dltime.dll in the %windows% directory.
    The Trojan creates the following registry keys
    HKLM\SOFTWARE\Microsoft\DownloadManager\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    Setup experation = "C:\\WINDOWS\\svchost.exe"
    Maybe these can better help isolate all the entries. I know you mentioned going to some sites and following the removal instructions but maybe we can help you double check your registry and compare it to the lists from Sophos and Symantec. With the HiJackThis log (if you can post it), I'm sure we can figure this one out.

    **I see you have resolved the problem above. It took me too damn long to reply . Good Job.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  9. #9
    Logfile of HijackThis v1.97.7
    Scan saved at 12:09:36 PM, on 1/17/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Documents and Settings\Jay\Start Menu\Programs\Startup\winupdate23036105[1].exe
    C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\PestPatrol\PestPatrol.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    D:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Setup experation] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [ForbesInvesting] C:\Program Files\ForbesInvesting\ForbesInvestingAlerts.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: winupdate23036105[1].exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...sh/swflash.cab

    sure, not the most recent version of hjt, but that's what's on my troubleshooting disc. yeah, i'll update it at some point.

    anywho...
    O4 - Startup: winupdate23036105[1].exe
    O4 - HKLM\..\Run: [Setup experation] C:\WINDOWS\svchost.exe

    also nuked these
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    You are so bored that you are reading my signature?

  10. #10
    Banned
    Join Date
    Apr 2004
    Posts
    843
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe

    Why are those still even on the list? I mean, here it is, looks like some pretty random file-names and not to mention they are in system32 and windows directorys... thats probably the first thing I'd screw around with.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •