Trojan that I can't get Rid of

JCO

I have a friend's laptop that was full of Trojans and a few Virus problems.
I updated his Norton definitions (he hadn't done so since 11/2/04) and I
installed SpyBot. I got rid of everything except one problem. I can't
figure out how it keeps loading.

The system.ini and Win.ini are okay. The HKCU-Run has one item, which
appears to be legitimate. It has to do with the network. There's nothing
in the Start folder that would cause it either.

However, there is a process running and there is a suspicious item in the
HKLM-Run section:
When I do Ctrl-Alt-Del, there is a process that I cannot get rid of. It is random letters with
a dot exe. When I delete it, another random letters.exe file is created.
When I check HKLM-Run, there is one item that is running that I can't
identify or find any information on. When I delete it, it reappears too.
The name of that is "CheckRun=something"

When booting in Safe-Mode, I can clear both of these items out with no
problem and they don't come back. When I boot back to normal Windows XP,
the problem returns. When I delete the item (process), it re-creates
another instance (process running) and makes an entry in the Registry
(HKLM-Run)

An endless cycle that I can't break up.
What can I do? Where else can it be launching from?
 
Rattleon

Delete every entry in the HKLM "Run" and then it may leave. You didn't give
the name of the files you had there...
 
Frankster

You didn't give the example filename, but...

Trend Micro has an agent that has a naming convention of 5-characters.exe.
They look like F56K3.EXE, FTI94.EXE, GH10E.EXE, 4RTY5.EXE, etc., etc. Each
boot one is initialized with a new random filename, always following this
convention. The purpose is to monitor the status of the AV software to
ensure that malware has not turned it off. They are regenerated each time
with a new name to ensure that malware cannot be programmed against their
name to turn THEM off.

Sound like what you've got? In the case of Trend Micro products this is
perfectly normal and desired. Although it puzzled me for a while.

-Frank
 
Rob graham

JCO said:
I have a friend's laptop that was full of Trojans and a few Virus problems.
I updated his Norton definitions (he hadn't done so since 11/2/04) and I
installed SpyBot. I got rid of everything except one problem. I can't
figure out how it keeps loading.

The system.ini and Win.ini are okay. The HKCU-Run has one item, which
appears to be legitimate. It has to do with the network. There's nothing
in the Start folder that would cause it either.

However, there is a process running and there is a suspicious item in the
HKLM-Run section:
When I do Ctrl-Alt-Del, there is a process that I cannot get rid of. It is random letters
with a dot exe. When I delete it, another random letters.exe file is created.
When I check HKLM-Run, there is one item that is running that I can't
identify or find any information on. When I delete it, it reappears too.
The name of that is "CheckRun=something"

When booting in Safe-Mode, I can clear both of these items out with no
problem and they don't come back. When I boot back to normal Windows XP,
the problem returns. When I delete the item (process), it re-creates
another instance (process running) and makes an entry in the Registry
(HKLM-Run)

An endless cycle that I can't break up.
What can I do? Where else can it be launching from?

Run HijackThis and post the log without altering your Registry and someone
will come back to you with what to do.

Rob Graham
 
JCO

In the Windows Task Manager, the file that is running has this format:
6-letters.exe. The letters are random, it doesn't matter what they are.
When I delete it, it reappears with 6 different letters.

Norton Antivirus found several files. One file is the same as what is
running in the Task Manager, however, this file can't be found (yes, I'm set
to see hidden/system files). One file found is named "Nail.exe". When I
delete it, it comes back. Several other files are shown to be in folders
that cannot be seen with Windows Explorer or a DOS prompt. They are:
EliteSliderBar_08.dll, EliteToolBarVersion_60.dll
 
JCO

I will give this a try. The laptop is not connected to the Internet
because it's a friend's computer that can only connect via his wireless
connection, and it has no connector for me to hook up directly. I will have
to, somehow, get the results, copy them to a flash drive, then post it from my
computer (hoping that nothing transmits to my system).
 
JCO

What is strange about this 6-letter.exe file, in the Task Manager is this:
Once I delete it from the Task Manager, a new Task is created.
Then that item is put into the HKLM-Run (which I can delete easily).
I can't delete this file because it is running in the Task Manager. If I
kill the process, I can delete it but that does no good since a new file is
re-created & added to the HKLM-Run again.
Does this sound like a normal process to you? I believe this is Spyware for
sure.

Also, the file running in the Task Manager is detected as spyware by NSW
2004 Pro.
 
Jim Byrd

Hi JCO - In addition to getting help using HijackThis as recommended by
others, it is reported that Spy Sweeper, here:
http://www.webroot.com/downloads/?WRSID=b99f644201acacf259801d61fdf2e4a1
when run in Safe mode will eliminate EliteBar (including the Trial version,
so I've been told.) YMMV, and use at your own risk, of course.

You might want to take a look at my Blog, Defending Your Machine, here:
http://defendingyourmachine.blogspot.com/ for some suggestions (at the
bottom) for ways to help prevent this from occurring again.
 
JCO

I finally solved the problem by using a number of different products:
Spyware, Spybot, Adaware. They all helped but nothing got rid of the
Nail.exe infection. The problem was that it ran as a Service. I had to
bring up the Service Panel and disable it, then delete the file that it
pointed to. Then I had to delete the registry entries too. I then
rebooted into Safe Mode to delete a few more files and other Registry
Entries. Finally the problem stayed away.

It's not easy solving a Trojan Problem when it is installed as a Service.
It kept reinserting itself into the Registry and recreating several files.
I found the information on a website that helped me out.

Thanks for the help.
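Pulling together the two lessons of this thread (random-named autostart images, and persistence through a Service as well as the HKLM Run key), here is an added PowerShell triage script; it is not from any of the posters. It assumes the 5-to-6 character pattern described above and the standard Run key paths, and reports the Authenticode status so that a legitimately randomised agent like the Trend Micro one Frank describes can be told apart from a dropper whose file has vanished or is unsigned.

```powershell
# Added triage script (not from the thread). Walks the autostart locations the
# thread deals with (HKLM/HKCU Run keys and installed services), flags images with
# short random-looking names or missing files, and reports Authenticode status.
# ASSUMPTION: the 5-6 alphanumeric character pattern comes from the posts above.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$randomName = '^[A-Za-z0-9]{5,6}\.exe$'

function Get-ImagePath([string]$command) {
    # Reduce a Run value or service PathName to the executable it launches.
    $cmd = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }        # quoted path
    if ($cmd -match '^(.+?\.exe)(\s|$)') { return $Matches[1] } # unquoted, may contain spaces
    return ($cmd -split '\s+')[0]
}

function Test-Autostart([string]$source, [string]$name, [string]$command) {
    $path   = Get-ImagePath $command
    $exists = ($path -ne '') -and (Test-Path -LiteralPath $path)
    $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
    $file   = [IO.Path]::GetFileName($path)
    [pscustomobject]@{
        Source     = $source
        Name       = $name
        Path       = $path
        Exists     = $exists
        Signature  = $sig
        # A random name or a vanished file is what the thread describes; an
        # unsigned binary is a reason to look closer, not proof by itself.
        Suspicious = ($name -match $randomName) -or ($file -match $randomName) -or (-not $exists)
    }
}

$results = @(
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's provider metadata
            Test-Autostart $key $p.Name ([string]$p.Value)
        }
    }
    foreach ($svc in Get-CimInstance Win32_Service) {
        if ($svc.PathName) { Test-Autostart "Service:$($svc.StartMode)" $svc.Name $svc.PathName }
    }
)
$results | Where-Object Suspicious | Format-Table Source, Name, Path, Exists, Signature -AutoSize
```

Run it from an elevated prompt in Safe Mode as well as normally and compare the two lists; an entry that only appears in a normal boot is the one being re-created by something still running, which is the cycle JCO describes.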
 
