Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.

Trogan.net MSV/VPS (Dell2350)

1K views 1 reply 1 participant last post by  akmark5000 
#1 ·
Trogan.net MSV/VPS Virus.

Hi. First let me say thanks to all you folks here at Tech Support Guy. I've had a few problems resolve here and my HTJ analysis has gone from nothing to beginner!

Ok, so I have my dad's Dell 2350 sitting in front of me. It caught a Trogan.net MSV/VPS Virus.

The desktop had 3 new shortcuts and a warning kept popping up about security risk and to download something. The task manager didn’t work either. It said something about being disabled by the administrator. Oh, and the monitor keeps ‘auto adjusting” upon every reboot and startup… no idea what that one is about.

Anyway, I deleted the shortcuts and just xed out of the pop up windows and rebooted and started up into safe mode and ran Superantispyware, which found the Trogan.net MSV/VPS and 3 related registry keys and they were quarantined. Then I ran Norton, which fond nothing.

I rebooted and started up normally, but appearently that didn't do much. The desktop had those same three shortcuts and a warning kept popping up about security risk and to download something.

I then rebooted and restarted into safe mode and uninstalled the Hi. First let me say thanks to all you folks here at Tech Support Guy. I've had a few problems resolve here and my HTJ analysis has gone from nothing to beginner!

Ok, so I have my dad's Dell 2350 sitting in front of me. It caught a Trogan.net MSV/VPS Virus.

The desktop had 3 new shortcuts and a warning kept popping up about security risk and to download something. Anyway, I deleted the shortcuts and just xed out of the pop up windows and rebooted and started up into safe mode and ran Superantispyware, which found the Trogan.net MSV/VPS and 3 related registry keys and they were quarantined. Then I ran Norton, which fond nothing.

I rebooted and started up normally, but apparently that didn't do much. The desktop had those same three shortcuts and a warning kept popping up about security risk and to download something.

I then rebooted and restarted into safe mode and uninstalled the internet explorer browser and restarted normally.

The same old three shortcuts appeared along with that warning pop up. Plus, the internet explorer browser did not get uninstalled, but did not show up in the install/uninstall programs menu.

So, I rebooted and restarted into safe mode once again and did a system restore to yesterday… that seemed to work! After restarting normally those three icons were there, but blotted out (unrecognized) and no more pop up warning.

I am still not sure whether or not the thing is gone. I am also bothered by the fact that the internet explorer browser is on the system, but still does not appear in the install/uninstall programs menu.

Here’s the HJT log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:47 PM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dreamscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] "C:\Program Files\Common Files\Dell\EUSW\Support.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123887377312
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 6695 bytes
 
See less See more
#2 ·
Three days and no answer… solved it with help elsewhere. Here’s a summery of what I did that might help someone out.

The three tools used:

1. SD Fix
2. Smit Fraud Fix
3. Combo Fix

After each of these three tools are used, I would recommend running and logging another Hijack This and an online web based scan such as:

http://usa.kaspersky.com/products_services/free-virus-scanner.php
http://housecall.trendmicro.com
http://www.pandasoftware.com
http://www.bitdefender.com

The details:

Detail 1. -

Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.cmd to start the script.

* Type Y to begin the cleanup process.
* It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
* Finally copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.

Detail 2. –

Also download smitfraud fix
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

follow the directions here
http://siri.geekstogo.com/SmitfraudFix.php

Detail 3. –

Download combofix.exe and save it to your desktop
Close any open browsers.
Before starting ComboFix disable and exit any anti-virus software, anti-spyware or any other security related software as they may interfere with ComboFix's operation.
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you and display it on your desktop called c:\combofix.txt. By default this log is located on your 'C' drive. Post that log in your next reply along with a fresh HJT log as well
Note:Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Combofix http://download.bleepingcomputer.com/sUBs/ComboFix.exe
 
Status
Not open for further replies.
You have insufficient privileges to reply here.
Top