Download.Trojan (videocntl.exe) on WinXP

RyanWirth

Hello All,

One of my employees came into work yesterday saying that his laptop's
homepage was being hijacked, and favorites were being changed to porn
sites. After changing the homepage to something else, it would
automatically change back to whoispokavik.com or something like that.
Obviously a virus or spyware, so with Norton Anti 2004 right up to
date 11/25, and with Adware SE also up to date, I scanned the machine
in safe mode (no restore etc.), but it came up clean. So it's a new
version of an old virus. I check the registry and there are two
strange entries, a jslvboo.exe and a videocntl.exe, both of which I
quarantine and send to Norton. I remove the Reg values, but they pop
up again right away. So I stop their processes, and remove the
values, and it's fine. I change the names of the two files, and
reboot. I get two complaint windows on boot up saying that
"videocntl.exe" can't be found, so I think it's still in the reg
somewhere, and when I look a new value has been entered to
currentversion/run "avaadmb.exe" and a new .exe is added to the
windows directory. When I look in that directory, I find jslvboo and
avaabmd both at 45k and about 20 others just like them. By this time,
Norton gets back to me with an updated Virus Def for the
videocntl.exe, the anti-virus finds it and deletes it (Nov 26, 04).
But Norton says that jsvlboo.exe is not a virus and is getting passed
to an engineer for further analysis.
The computer has two viruses then, a remake of an old download.trojan,
and a new one creating new files to keep itself up. Once the new one
is out of the registry (jslvboo and avaabmd) the web pages stop being
hijacked and its processes don't start up again, so it's done until
Norton gets an update for it. But this videocntl.exe, which is
deleted, and doesn't exist anywhere in the registry, still causes two
errors on boot up since it can't find the file.

"Unfortunately, this is worse than the virus" says my fellow employee.
So it's nowhere in the reg, and I scan the computer for anything
containing "videocntl" and I find one prefetch file (and delete it)
and two xml files responsible for the registry mods (and delete them).
But, on a reboot I still get two errors (well, one error and one
warning) looking for this removed file. I ran out of time to explore
this problem further, so I created a blank exe file called
videocntl.exe and put it in the directory so that it is not "missing"
and doesn't do any harm. Which made the errors stop coming up, and
the employee happy.

Hopefully Norton can solve the other file jslvboo.exe, before this
spreads around my office. Is anyone else experiencing these problems?

Thanks all,
Ryan Wirth

P.S. Windows XP Home all up to date (SP2 etc.)
Norton 2004
Adware SE

videocntl.exe is download.trojan
jslvboo.exe 45k not named yet
avaadmb.exe 45k not named yet
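
An added check, not from the thread, for the "videocntl.exe can't be found" symptom: it walks the Run/RunOnce keys under HKLM and HKCU and the Winlogon Shell/Userinit values and flags any entry whose target executable no longer exists, which tells you which key still references the file instead of masking the error with a blank placeholder exe. The key paths and cmdlets are standard Windows/PowerShell (PowerShell 3 or later); resolving a bare filename through PATH and %WINDIR% is an approximation of the loader's search order, not a reproduction of it.

```powershell
# Added example (not from the thread): report autostart entries whose target
# executable is missing. Covers Run/RunOnce under HKLM and HKCU plus the
# Winlogon Shell and Userinit values; other autostart locations are not covered.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CommandPath([string]$cmd) {
    # Take the executable part of a command line, honouring a quoted path.
    $cmd = $cmd.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split ' ')[0]
}

function Test-AutostartTarget([string]$location, [string]$name, [string]$cmd) {
    $exe = Get-CommandPath $cmd
    # A bare name ("videocntl.exe") is looked up on PATH, then in %WINDIR% (approximation).
    $resolved = $exe
    if (-not [System.IO.Path]::IsPathRooted($exe)) {
        $hit = Get-Command $exe -ErrorAction SilentlyContinue | Select-Object -First 1
        $resolved = if ($hit) { $hit.Path } else { Join-Path $env:WINDIR $exe }
    }
    $status = if (Test-Path -LiteralPath $resolved) { 'present' } else { 'MISSING' }
    [pscustomobject]@{ Location = $location; Name = $name; Target = $resolved; Status = $status }
}

$results = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $results += Test-AutostartTarget $key $name ([string]$regKey.GetValue($name))
    }
}
foreach ($valueName in 'Shell', 'Userinit') {
    $raw = [string](Get-ItemProperty -Path $winlogon).$valueName   # Userinit is comma-separated
    foreach ($cmd in ($raw -split ',')) {
        if ($cmd.Trim()) { $results += Test-AutostartTarget $winlogon $valueName $cmd }
    }
}
$results | Sort-Object Status | Format-Table -AutoSize
```

MISSING rows sort first; each names the key and value that still points at the deleted file, so the stale entry can be removed rather than satisfied with a dummy executable.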

Carey Frisch [MVP]

There is a very helpful virus removal newsgroup you may wish to post to:
news://msnews.microsoft.com/microsoft.public.security.virus

Symantec Security Check
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym

Virus Removal Tools
http://securityresponse.symantec.com/avcenter/tools.list.html

Online Virus Removal Tutorials
http://www.symantec.com/techsupp/virusremoval/virusremoval_info_tutorial.html

3 Simple Steps to Insure the Security of Your PC
http://www.microsoft.com/athome/security/protect/default.aspx

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.aspx


David H. Lipman

Ryan:

| jslvboo.exe 45k not named yet
| avaadmb.exe 45k not named yet

You can submit the above suspect files to Virus Total (URL below) and it will check the
suspect files against several AV vendors' scanners.
http://www.virustotal.com/flash/index_en.html

In addition, please perform the following...

1) Download the following three items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example, lpt263.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
3) Reboot your PC into Safe Mode
4) Using both the Trend Sysclean utility and Stinger, perform a Full Scan of your
platform and clean/delete any infectors found
5) Restart your PC and perform a "final" Full Scan of your platform using both.
6) Re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).
7) Reboot your PC.
8) Create a new Restore point


* * * Please report back your results * * *

Dave

RyanWirth

Thanks for your help David! I have not been able to run your
procedure below yet as the computer is not mine and the owner has been
busy. It turns out that when I submitted the jsvlboo file to Norton,
I screwed up a little. I can only submit one file a day to Norton
from each computer. And on that particular day I had already
submitted the trojan.downloader, so I wanted to email the jsvlboo file
to my other computer, so I renamed it as a txt file, sent it, then
renamed it back to an .exe. But I guess that seriously altered the
file since virustotal didn't see it as a virus either. So I sent the
original file (unaltered by me) and virustotal saw it as
"Startpage.trojan" and I have resubmitted the original file to Norton
to get the definitions updated.

Hopefully I will get a chance to further scan the computer when it is
back in my office.

thanks again,
Ryan