Weirdest malware I have ever seen [RESOLVED]


This topic is locked.

#1 semmel (Member, 36 posts)
Hi, on a client's PC (Windows 2000 SP4) I found a bunch of malware which I managed to clean, but one file keeps coming back no matter what.
The file is called sdkgks.exe - if deleted it comes back with the same name and the current time/date, and it is 91,648 Bytes. It has a RUN entry in the registry (found by HiJackThis). After a restart both the file and the RUN entry are back.

I think this may be related: When I first started to work on the PC, there was an entry in the startup folder to start rcdk.exe which I cleaned, and it stayed gone or so it seemed. But after a restart I started HiJackThis very fast, and it found the same entry again. I scanned again a minute later without changing anything in between, and the entry was gone. I never found the file.

My guess is there is yet a third file involved.

The one file I found (sdkgks.exe) keeps coming back with the same name, but I found nothing at all during my google search for it.
I know the file is there because I can use the DOS prompt to look at it, and I viewed it in Notepad (inet.dll is referenced in it, so I bet this is the cause for the popups we are getting). But Windows Explorer does not see it, even if I enabled viewing invisible and protected files.

I copied the file to my PC in a password protected ZIP file, and here it shows in Windows Explorer.

I scanned the client's PC with Trendmicro Housecall, Spybot, Adaware and Ewido, and Norton is installed. Neither of them found the file, but my home PC with AVG Antivirus identified it as "Trojan Horse Downloader.Generic.CVH".

Now I know that AVG could identify this one file, but deleting it will not help if it keeps coming back, and I don't know if AVG will detect the other components it probably has.

Any idea how to get rid of it?

I will gladly post the file inside a password protected ZIP file on my website if someone has the tools to find out how to stop it from coming back, so please let me know (should I attach it to this forum post?). I can also post HiJackThis logs here, but I am not sure if it will help. Please let me know what you think.

Thanks!
  • 0



#2 Linkmaster (Visiting Staff, 940 posts)
Hi semmel, Welcome to GTG !! :tazz:

Sorry for the delay in responding to your post !!

In order for us to help you you must help us !

I need you to go HERE and scroll down to Step Five: Posting a Hijack This Log. Read and follow the instructions to post a log.

Post the HijackThis log here !

Thank You !

Edited by Linkmaster, 10 October 2005 - 08:19 AM.

  • 0

#3 semmel (Topic Starter, Member, 36 posts)
Here we go:

Logfile of HijackThis v1.99.1
Scan saved at 4:25:19 PM, on 10/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cmd.exe
C:\EscKey\HiJackThis1991 050510\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\sdkgks.exe reg_run
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128627991361
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = norcapdom.dom
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = norcapdom.dom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = norcapdom.dom
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

I found out in the meantime that it's a form of qoologic.

I find it alarming that the file sdkgks.exe was not visible at all in Explorer (even with all show visible/system files enabled) and that no scanner I tried on site found it. I tried TrendMicro Housecall, Adaware, Spybot, Ewido and Norton. At home, AVG Antivirus detected the file immediately.

The things I'd like to know the most are:
- How can the file stay hidden in Explorer (but not in the DOS prompt)?
- How does it recreate the startup entries?

Thanks!
  • 0
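One way to pin down the "flickering" startup entry semmel describes (present on one HijackThis scan, gone a minute later) is to keep successive logs and diff their autostart lines instead of eyeballing them. The Python below is an added example for this thread, not HijackThis's own code. It parses the O4 (Run key and Startup folder) and O23 (service) line shapes exactly as they appear in the v1.99.1 log above; the two snapshot texts are constructed from that log, and the `rcdk.exe` path is a hypothetical one since the poster never found the file.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Line shapes HijackThis v1.99.1 prints for autostart locations, e.g.
#   O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\sdkgks.exe reg_run
#   O4 - Startup: rcdk.lnk = C:\WINNT\system32\rcdk.exe
#   O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O4_RUN_RE = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_FOLDER_RE = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^)]+)\))? - (?P<vendor>.+?) - (?P<cmd>.*)$"
)


@dataclass(frozen=True)
class AutoStart:
    location: str  # e.g. HKLM\..\Run, Startup, Global Startup, Service
    name: str      # registry value name, shortcut name or service short name
    command: str   # command line exactly as HijackThis printed it


def parse_autostarts(log_text: str) -> set[AutoStart]:
    """Extract every O4/O23 autostart entry from one HijackThis log."""
    found: set[AutoStart] = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUN_RE.match(line) or O4_FOLDER_RE.match(line)
        if m:
            found.add(AutoStart(m["loc"], m["name"], m["cmd"]))
            continue
        m = O23_RE.match(line)
        if m:
            found.add(AutoStart("Service", m["short"] or m["name"], m["cmd"]))
    return found


def diff_snapshots(earlier: set[AutoStart], later: set[AutoStart]) -> dict[str, set[AutoStart]]:
    """What appeared and what vanished between two scans."""
    return {"appeared": later - earlier, "vanished": earlier - later}


def unstable(snapshots: Iterable[set[AutoStart]]) -> set[AutoStart]:
    """Entries present in some snapshots but not all: the flicker pattern
    that points at a component re-creating or removing its own autostart."""
    snaps = list(snapshots)
    if not snaps:
        return set()
    return set.union(*snaps) - set.intersection(*snaps)


# Constructed snapshots modelled on the posted log (not real captures).
# The rcdk.exe path is hypothetical; the poster never located that file.
SNAPSHOT_EARLY = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\sdkgks.exe reg_run
O4 - Startup: rcdk.lnk = C:\WINNT\system32\rcdk.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
"""

SNAPSHOT_LATE = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\sdkgks.exe reg_run
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
"""

if __name__ == "__main__":
    early = parse_autostarts(SNAPSHOT_EARLY)
    late = parse_autostarts(SNAPSHOT_LATE)
    for label, entries in diff_snapshots(early, late).items():
        for e in sorted(entries, key=lambda x: (x.location, x.name)):
            print(f"{label:9s} {e.location:14s} [{e.name}] {e.command}")
```

Run HijackThis several times a minute apart, save each log, and feed them all to `unstable()`; anything that comes and goes is worth a closer look, and the `command` field tells you which image to pull for offline scanning, as semmel did with AVG on another machine.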

#4 Linkmaster (Visiting Staff, 940 posts)
I am working on your log. As soon as a GTG Staff Member reviews my fix, I will post it for you.
Thank you for being patient.


This trojan drops 2 DLLs which use the same method of filename generation as for the executable.

One of these DLLs keeps itself registered as a service process that is used to initialize and maintain the activity of the second DLL which contains the core functionality of Qoologic.

The Qoologic trojan is able to hide processes/files/registry values from other programs.

Edited by Linkmaster, 10 October 2005 - 09:35 AM.

  • 0
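Linkmaster's note that Qoologic hides files, processes and registry values "from other programs" is the answer to the first of semmel's questions: a hook that is active inside Explorer but not inside cmd.exe gives different answers depending on which process asks. The defender's check for that is cross-view comparison: enumerate the same directory through two independent paths and diff the results. The following Python is an added example written for this thread, not a tool from the thread; it assumes `os.scandir` in the current process as one view and a child `cmd.exe /c dir /a /b` as the other (Windows only), and the sample views are constructed.

```python
from __future__ import annotations

import os
import subprocess
import sys
from typing import Iterable


def cross_view_diff(view_a: Iterable[str], view_b: Iterable[str]) -> tuple[list[str], list[str]]:
    """Names reported by one enumerator but not the other.

    Windows file names are case-insensitive, so compare lower-cased. On a
    clean system two enumerators of a directory that is not changing
    underneath them must agree; any difference is a finding."""
    a = {name.lower() for name in view_a}
    b = {name.lower() for name in view_b}
    return sorted(a - b), sorted(b - a)


def listing_via_scandir(directory: str) -> set[str]:
    """View 1: FindFirstFile/FindNextFile as called from inside this process."""
    return {entry.name for entry in os.scandir(directory)}


def listing_via_cmd(directory: str) -> set[str]:
    """View 2: the same directory enumerated by a separate cmd.exe process
    (dir /a includes hidden and system files, /b prints bare names)."""
    result = subprocess.run(
        ["cmd.exe", "/c", "dir", "/a", "/b", directory],
        capture_output=True, text=True, check=True,
    )
    return {line.strip() for line in result.stdout.splitlines() if line.strip()}


# Constructed sample views modelled on the thread: the view taken through a
# hooked enumerator lacks the dropped file, the unhooked view shows it.
HOOKED_VIEW = {"igfxtray.exe", "hkcmd.exe", "cmd.exe"}
RAW_VIEW = HOOKED_VIEW | {"sdkgks.exe"}

if __name__ == "__main__":
    if sys.platform == "win32":
        target = os.path.join(os.environ.get("SystemRoot", r"C:\WINNT"), "system32")
        only_scandir, only_cmd = cross_view_diff(listing_via_scandir(target), listing_via_cmd(target))
        print("seen by this process only:", only_scandir)
        print("seen by cmd.exe only:", only_cmd)
    else:
        only_hooked, only_raw = cross_view_diff(HOOKED_VIEW, RAW_VIEW)
        print("hidden from the hooked view:", only_raw)
```

The same diff works for the other things the trojan hides: Run-key value names read in-process with `winreg` against the output of a child `reg query`, or a process list from one API against another. The limitation is the one semmel ran into: a hook that is present in every user-mode process, or one living in the kernel, gives both views the same wrong answer, so the final arbiter is an offline view, which is exactly why AVG on a different machine saw the file immediately.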

#5 Linkmaster (Visiting Staff, 940 posts)
Please Download the following tools to assist us in removing this infection!

Download WinPFind
Right Click the Zip Folder and Select "Extract All"
Extract it somewhere you will remember like the Desktop
Don't do anything with it yet!

Download Track qoo
Save it somewhere you will remember like the Desktop

Download Pocket KillBox. There is a Direct Download and a description of what the Program does inside this link.

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
Click "Start Scan"
It will scan the entire System, so please be patient!
Once the Scan is Complete
Go to the WinPFind folder
Locate WinPFind.txt

Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up. Copy the Track qoo results along with the results of WinPFind, and post them here.
  • 0

#6 semmel (Topic Starter, Member, 36 posts)
Thanks, I'll put these tools on my thumbdrive with the others.

I don't know when I or someone else will have a chance to go to that client again to do these things. Most likely we won't be able to just go there to get answers, post them here and then go back a few days later with the solution, so could you explain what these tools do and what we should do with the results?
We do professional computer support, so I know my way around the registry and how to use ProcessExplorer and Killbox etc.

Oh, one thing I don't know that I have seen with some virus removal instructions: I vaguely know what regsvr32.exe does, but where is the information stored that it creates? Registry? What difference does it make to use regsvr32 or remove it from the Registry manually?

Thanks!
  • 0

#7 semmel (Topic Starter, Member, 36 posts)
Just found out we won't be going back there - seems Spysweeper managed to kill it.

I'd still like to find out more about this one (see questions in previous post).

Thanks!
  • 0

#8 Linkmaster (Visiting Staff, 940 posts)
OK, Glad to help !! :tazz:

Have a look here about Regsvr32.exe

WinPFind

Edited by Linkmaster, 11 October 2005 - 06:36 AM.

  • 0

#9 Linkmaster (Visiting Staff, 940 posts)
Here are a few tools that I recommend for protecting your system and keeping your system clean !!

Real Time Prevention
SpywareBlaster

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.
IESpyad: This will add several hundred Restricted Sites to the Restricted site zone in IE.

Cleaner:
CCleaner is a good app to clean out temp files, cookies, the recent folder (win2000) and the Prefetch folder (XP), etc.

Spyware Scanners:
Ad-aware SE Scans your system for spyware and other threats
a² Scanner: Scans for Malware and Trojans on your system.

Good Free Antivirus Programs:
AVG
Avast!

Windows Update:
It's also very important to keep your system up to date to avoid unnecessary security risks.
Windows Update

Firewalls:
If you have an "always on" internet connection, such as DSL or Cable, I recommend a Firewall.
A firewall will make your pc invisible to the outside world and will filter the outgoing and incoming traffic on your pc.
For a good idea of how vulnerable your system(s) are go to GRC
Scroll down to "Shields Up", click on "Proceed", then click on "Common Ports" to scan your ports.
2 very good Firewalls:
Sygate
ZoneAlarm

These next steps are optional, but will provide the greatest protection.
Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness.
Alternative Browsers:
FireFox
Opera

Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the HijackThis folder if everything is working okay.

Remember, always have just 1 antivirus program running at a time. Having more than one running causes a conflict between the programs !! You can use one as a backup to run manually.

Using these apps, your system will be thoroughly protected from future threats. :tazz:
  • 0

#10 therock247uk (Expert, MVP, 14,671 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





