Author Topic: Win32: Trojano-1165  (Read 7320 times)


spookytone

  • Guest
Win32: Trojano-1165
« on: September 07, 2006, 09:34:41 PM »
I've unfortunately found this (Win32: Trojano-1165) load of shit nesting in my PC. Boot scan doesn't get rid of it and every reboot calls for a deletion.

Should also add that Ad-Aware has had no luck in depleting the bastard from my system.

Help! .. I love Avast but my system needs its hygiene.
« Last Edit: September 07, 2006, 09:37:56 PM by spookytone »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32: Trojano-1165
« Reply #1 on: September 07, 2006, 10:18:37 PM »
Hi spookytone,

What was the name and location of the infected file reported by avast?

In addition to Ad-Aware, I suggest you try Spybot Search & Destroy (another anti-Spyware program) and Ewido and/or a-Squared anti-Trojan programs (Ewido requires Win2000/XP).

Make sure you update before scanning.

Run these in safe mode if possible (Tap F8 while rebooting).
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33930
  • malware fighter
Re: Win32: Trojano-1165
« Reply #2 on: September 07, 2006, 10:34:56 PM »
Hi spookytone,

Download the vundoo removal tool, and run it. Link for this is to be found here: http://securityresponse.symantec.com/avcenter/FixVundo.exe

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

spookytone

  • Guest
Re: Win32: Trojano-1165
« Reply #3 on: September 10, 2006, 10:31:02 AM »
> Hi spookytone,
>
> What was the name and location of the infected file reported by avast?

Documents And Settings/User/Local/Temp/vsansyke.dll
Documents And Settings/User/Local/Temp/kuuwexr.dll
Documents And Settings/User/Local/Temp/jymhnhyw.dll

The list could be made longer but I see no real cause as to why. The DLL files seem to be created by the trojan and I can't seem to find them when I manually look for them.

Offline FreewheelinFrank

Re: Win32: Trojano-1165
« Reply #4 on: September 10, 2006, 10:40:43 AM »
Google doesn't return anything on the file names, so it's either something new, or they are just random names- two do indeed look like random names- so that doesn't give us any information on the malware.

Have you tried running a scan with Ewido?

http://www.ewido.net/en/

Offline FreewheelinFrank

Re: Win32: Trojano-1165
« Reply #5 on: September 10, 2006, 11:40:29 AM »
If Ewido and the other programs I mentioned before fail to find anything, it may be worth looking for rootkits. There are some free programs available that will remove hidden malware that is otherwise difficult to remove:

F-Secure BlackLight:

http://www.f-secure.com/blacklight

AVG Anti-Rootkit (Beta)

http://www.freewarefiles.com/downloads_counter.php?programid=22524

Sophos Anti-Rootkit:

http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

UnHackMe is not free but used to have a free working trial, maybe still does:

http://www.greatis.com/unhackme/

If you are unsure about the results of the programs, post them here for advice before proceeding, or open a thread at CastleCops where you will be advised on these and other programs you can run in order to remove rootkits.

http://www.castlecops.com/f233-Rootkit_Revelations.html

spookytone

  • Guest
Re: Win32: Trojano-1165
« Reply #6 on: September 10, 2006, 11:47:06 AM »
> Google doesn't return anything on the file names, so it's either something new, or they are just random names- two do indeed look like random names- so that doesn't give us any information on the malware.
>
> Have you tried running a scan with Ewido?
>
> http://www.ewido.net/en/

FixVundo didn't fix anything, I'm trying Ewido now... :o

C:\WINDOWS\system32\drivers\DP.sys -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\juotxdfq.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kkllepsb.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\laqrdhwv.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\skqfania.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\xmvjliyq.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bqrcrnvs.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gsofmorq.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lvlqjymf.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\WINDOWS\system32\odwpwbmt.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rufwcymu.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).

Holy mother of crap! .. I've not added the other foul 184 hits of lesser importance that Ewido found :-X

I'm rebooting to see what actually happened in practical terms.
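
A small triage script for scan output of the kind posted above, added here as an example and not part of the original thread or of any vendor tool. It parses the "path -> detection : action" lines, groups them by detection name, flags executables whose stems look like machine-generated names (the pattern FreewheelinFrank notes a few posts earlier: eight lowercase letters with too few vowels or long consonant runs), and singles out any detection on a kernel driver under system32\drivers, since a driver can hide other files from scanners. The sample log is constructed from the lines quoted in this post; the allowlist of legitimate system32 names is a deliberately short, assumed one, and the randomness test is a rough heuristic, not proof that a file is malicious.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: the Ewido lines quoted in the post above.
SCAN_LOG = r"""
C:\WINDOWS\system32\drivers\DP.sys -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\juotxdfq.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kkllepsb.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\laqrdhwv.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\skqfania.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\xmvjliyq.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bqrcrnvs.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gsofmorq.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lvlqjymf.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\WINDOWS\system32\odwpwbmt.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rufwcymu.exe -> Trojan.Small.ju : Cleaned with backup (quarantined).
"""

# One scan line: "<path> -> <detection> : <action>"
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+)$")

VOWELS = set("aeiou")
# Assumed, deliberately partial allowlist of legitimate 8-letter Windows binaries.
KNOWN_GOOD_STEMS = {"explorer", "services", "winlogon", "userinit"}


def parse_scan_log(text):
    """Return a list of {'path', 'detection', 'action'} dicts, one per scan line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def looks_random(stem):
    """Heuristic: eight lowercase letters with <=2 vowels or a consonant run of 4+.

    Real system32 names ('explorer', 'services') pass because they have normal
    vowel spacing; the generated names from the scan above do not.
    """
    if not re.fullmatch(r"[a-z]{8}", stem) or stem in KNOWN_GOOD_STEMS:
        return False
    vowels = sum(c in VOWELS for c in stem)
    longest = run = 0
    for c in stem:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowels <= 2 or longest >= 4


def triage(entries):
    """Group detections and pick out the items a responder should look at first."""
    by_detection = defaultdict(list)
    random_named = []
    drivers = []
    for e in entries:
        path = e["path"]
        by_detection[e["detection"]].append(path)
        stem, ext = ntpath.splitext(ntpath.basename(path))
        if looks_random(stem):
            random_named.append(path)
        # A detected kernel driver deserves its own line: it can hide other files.
        if ext.lower() == ".sys" and "\\drivers\\" in path.lower():
            drivers.append(path)
    return {"by_detection": dict(by_detection), "random_named": random_named, "drivers": drivers}


if __name__ == "__main__":
    report = triage(parse_scan_log(SCAN_LOG))
    for name, paths in report["by_detection"].items():
        print(f"{name}: {len(paths)} file(s)")
    print(f"random-looking names: {len(report['random_named'])}")
    for p in report["drivers"]:
        print(f"kernel driver detected, check for a rootkit component: {p}")
```

Run as a script it prints the per-family counts, the number of random-looking names (all ten executables here) and the single driver, DP.sys, which is exactly the file the thread later identifies as the reason the first removal tool did not finish the job.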

spookytone

  • Guest
Re: Win32: Trojano-1165
« Reply #7 on: September 10, 2006, 03:42:22 PM »
Oh well. Though Ewido did find great shit in the system32 folder, this Trojano-1165 malware still seems unaffected and continues to trouble my PC at startup.

I'm going for the other preferred solutions.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89339
  • No support PMs thanks
Re: Win32: Trojano-1165
« Reply #8 on: September 10, 2006, 04:03:31 PM »
In order to create/place files in the systems folders and create registry entries you need permissions.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

Some of this stuff may also have been the result of a downloader. So what is your firewall? It should have been a line of defence against this stuff if it has outbound protection, which XP's doesn't.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

hollywood63

  • Guest
Re: Win32: Trojano-1165
« Reply #9 on: September 10, 2006, 04:05:28 PM »
I also have the exact same problem. I will try the removers noted and let everyone know.

Offline FreewheelinFrank

Re: Win32: Trojano-1165
« Reply #10 on: September 10, 2006, 06:37:26 PM »
It looks like Polonus was right with the Vundo call, but it may be a new variant protected by a rootkit that the Symantec tool cannot touch. DP.sys certainly indicates this:

http://wiki.castlecops.com/Vundo_Rootkit_Detection_and_Removal_Procedure

spookytone: you need to download the VundoFix.exe tool and run it as described in section 8 of the link above.

spookytone

  • Guest
Re: Win32: Trojano-1165
« Reply #11 on: September 10, 2006, 06:38:16 PM »
F-Secure BlackLight: didn't find anything.

AVG Anti-Rootkit: no rootkits found.
--------------------------------------------------

The virus is most probably the result of a download. Other than that, I'm using the Windows firewall.

Stepping off to buy a router this week. Hopefully this shitty Trojano-1165 piss malware is getting its ass kicked sometime soon.


FreewheelinFrank: wonderful, running the VundoFix now.
« Last Edit: September 10, 2006, 06:41:32 PM by spookytone »

Offline FreewheelinFrank

Re: Win32: Trojano-1165
« Reply #12 on: September 10, 2006, 07:04:16 PM »
It may not be vundo after all: dp.sys is also a symptom of the Agent.ny Trojan:

http://www.sophos.com/security/analyses/trojpuperru.html

If you're still having problems, try updating and running all the programs again in safe mode. They often find more malware the second time around.

http://www.pchell.com/support/safemode.shtml

Run Ad-Aware, Spybot Search & Destroy, Ewido and a-Squared in safe mode, then do a boot time scan with avast!

a-Squared http://www.emsisoft.com/en/

Spybot Search & Destroy http://www.safer-networking.org/


spookytone

  • Guest
Re: Win32: Trojano-1165
« Reply #13 on: September 10, 2006, 07:16:56 PM »
OK! .. I can gladly report that VundoFix did the trick. I was forced to delete one file after reboot, but after that it seems to have cleared my system.

Thank you very much for lending a helping hand in this subject, I will continue to enforce Avast.

Hail the Avast Evangelists!  ;D

Offline polonus

Re: Win32: Trojano-1165
« Reply #14 on: September 12, 2006, 08:36:47 PM »
Hi spookytone,

That means we are right in sniffing the right one out, and we were on the right track. Glad we could help.

polonus