Insidious trojan not detected by NIS

I apologize in advance for the length of this post, my English and for treating basic punctuation as a game of chance. Still, I would appreciate it if someone could wade through it all and offer some ideas.

For the last week or so I have struggled with a virus infection that is slowly driving me to drink[1].

It started with me noticing that a process that I did not really recognize was running on my computer; nothing uncommon there really, but this process was named "file33.exe", was located in my local temp directory and was adorned with the default VB project icon. It might as well have been named "virus.exe" and had a skull and crossbones icon.

After swearing profusely for a few minutes, mostly at NIS 2009, I decided to try to scan the file with NIS just in case. No dice. NIS happily pronounced the file clean and a pillar of the community. Not to be hampered by that I proceeded to manually quarantine the file via NIS' interface and promptly had it sent to Symantec using the built-in feature. Being slightly paranoid by this point I restarted my machine, booted it up with the NIS CD and scanned it. It was -according to NIS- clean.

The next day I noticed something else; I had two instances of csrss.exe running. Thinking that it could maybe be quite natural I nonetheless fired up Sysinternals Process Explorer for a better view. One of the csrss instances was running from "C:\WINDOWS\Config" which is -as far as I know- the wrong place for it. So, well, I scanned it with NIS; no dice, NIS called it safe. This time however, before committing the file to isolation, I sent it off to Jotti ( http://virusscan.jotti.org/en/ ) for a second opinion. Three of the scanners (whose names I can't remember) called it some variation of RBot (r.Bot, rbot.. etc.). So I isolated that one too and shipped it off to Symantec.

The next day I noticed that NIS, without my help, had identified the fact that the phony csrss.exe had resurfaced and had blocked and removed it.. 4 times in a span of 1 minute during the night. Goodie.. So something is downloading malware to my computer between 1 and 2am every night, because this continues to happen every night at around the same time, but with different files.

Some of the files NIS tags with the generic "Trojan Horse" and some are tagged the same way but labeled as detected by SONAR. The last thing(s) NIS detected (at 01:05 CET+1 this morning) were 9 .tmp files lodged in (drumroll): "C:\Documents and Settings\All Users\Programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\BASH\" called bhc1.tmp to bhc7.tmp, with 2 more files called bhc1a.tmp and bhcc.tmp.

So now I get malware installing itself into my Norton installation... Or is NIS detecting itself?

Normally I would have just reinstalled my computer, but now I am really curious. I have tried 5 other virus scanners with nothing found. And yet.. every night new malware tries to install itself in different locations. I think I have a prime suspect in an elusive reg key called something ending in: winlogon ->shell. That shows up for a second when it makes HijackThis crash on a first run. Subsequent runs work fine but show nothing out of the ordinary...

I really would like to find the root cause of this, especially since it will not be detected by anything...

I run Windows XP SP3 fully patched with NIS 2009 and for the last two days with the addition of ThreatFire (http://www.threatfire.com/) which tends to play well with others (it has not detected any root cause either).

[1] - Not that I need any excuse.

Regards,

R. Growler.

I have done a little more research and you were right to suspect file33.exe and csrss.exe to be threats.

The following link takes you to a list of articles about the csrss.exe process from a very reputable site called processlibrary.com

csrss.exe is a process that is known to be run by at least 5 different types of trojans. There was no record of the file33.exe process in this site's database so I think it's safe to assume that it too was a threat and not a part of the Windows XP operating system or any other programs.

Let me know what the results of the Malwarebytes scan are.

I applaud your curiosity; but first things first. Since the odds are good (bad?) that you will have to reimage your hard drive, I wouldn't wait on making backups of everything vital - just in case this malware eats or contaminates data files. Remember everything that is important: Financial (tax, bookkeeping, spreadsheets, etc.); Media (sound, video, pictures); Documents (letters, PDFs, ?); Communications (email, etc).

If your curiosity is still aroused, you might want to experiment with what you can do in and from Safe Mode; and also by using the Norton Recovery Disk (aka Norton Recovery Tool). Do a search on these boards and you can find out more about that; but the main thing is that using another computer you can make an up-to-date power-on scanner that won't be affected by any malware of the system (unless it is in the BIOS). You will need your Norton Activation Code to do this.

Have fun.

Yes, your first priority should be to get all personally identifiable info off of the computer. If you must save your office documents, emails, etc. save them to a flash drive. With these files on the drive, plug them into a non-infected computer (with fully patched copies of Microsoft Office and any other programs you need for using the files) with auto-play disabled and scan with Norton, Malwarebytes, and perhaps a third free security scan if you feel it is necessary.

Two other good free scans are AVG anti-virus and SuperAntiSpyware. You could try them as well to clean your hard drive; however, you should consider skipping all of the Sherlock Holmes detective work and begin the reformatting process. The future of your current hard drive configuration does not look bright.

Hi Growler -

It looked like something slipped through the NIS 2009 real-time engine.

Please submit that file33.exe to Symantec at this site: https://submit.symantec.com/websubmit/retail.cgi

Booting the PC with the NIS CD is *not* going to do it, since the definitions on the CD are probably way out of date.

Download the Norton Recovery Tool and configure it on a different PC (if possible) here. Then use the Tool on the infected PC.

See if that helps. Then disconnect from the internet, reboot into Safe Mode and run a Full System Scan.

Does it find anything and put it in quarantine? We can go from there.

Let us know.

Thanks.

Message Edited by Compumind on 05-25-2009 10:50 PM

Let us know if you hear anything from Symantec about the files you have sent them so far.

Hi -

Actually, if you wish to put this on a faster track, submit the file at this link -

http://www.threatexpert.com/submit.aspx

You will be notified faster and also have the ability to *track* your submission.

Hope this helps.

Pexley,

First of all; thank you for your interest, prompt reply and help. I am sorry that I did not respond sooner, but I had to rescue all of the data that I cared about. I am a photographer by occupation and I had 3,2Tb of pics on my SAN, raw files mostly and all open to my computers. I just had to move them somewhere safe before I continued with this. As all photographers I get pathologically protective of my pictures ;-) Even the bad ones (which, admittedly, is probably most of them ;-) ).

I do have *some* experience with computers and figured that both the csrss.exe and file33.exe were kinda bogus. I just wanted to find out how they got there really. I do run well patched computers. That is; they are updated immediately when there is a patch for them. (This is for my Windows systems, I have yet to get a virus for my Slackware based systems but then again who would bother, and I need Windows until the time Lightroom and Photoshop are released for Linux.. i.e. never ;-) )

To your first reply:

"Before the time you sent the one process to jotti did norton ever mark file33.exe or csrss.exe as threats? It is odd that sonar would have to kick in to identify the one threat near the end of your post. Could you post some details about what sonar found out about it in the norton history."

NIS did not detect these as threats until after a few days (well, more than 24 hours) after I had sent them in, which admittedly is quite good in this day and age. SONAR got csrss.exe but only gave it the name of "Trojan.Horse", same for "file33". I could not find any more relevant details for it in the NIS logs apart from the file locations.

Before performing the following actions disconnect your computer from the internet and go to an uninfected computer to use the following links [rest snipped..].

I did follow your instructions to the letter (regarding Malwarebytes -nice program btw- which took some time, I do have a few hard drives). It came up empty.. Unfortunately. It did not find anything...

I did -after sending my data offsite- put my other computers offline, and started Wireshark in promiscuous mode on a laptop connected straight into the router just to see if something else would be downloaded. It did.. at 01:17 CET+1... I am no closer to what is downloading this, but I did manage to capture the following file which NIS pronounced safe too after I scanned it.

Don't think the powers that be will look kindly on this, but you can probably unmangle the filename if you really want to and I will pray for forgiveness in the name of research:

***** WARNING DO NOT UNMANGLE & DOWNLOAD UNLESS YOU KNOW WHAT YOU ARE DOING *****

hxxp://68.113.109.46/pid=1000/s**up.exe

*************************************************************************************************************************

I sent this one too in via NIS' interface yesterday (after it scanned clean) and today it suddenly was detected and had a name: "w32.spybot.worm". It actually impressed me that it only took a day, but then I searched the Symantec website:

Discovered: April 16, 2003
Updated: November 30, 2007 10:19:46 AM

I wonder why it was not detected immediately? I do understand that detecting every single virus under the sun while still being light on resources is a pretty tall order, but I still would prefer it if viruses (virii?) were detected immediately and not 24 hours after they get run and embedded in my OS... Sorta defeats the purpose methinks.

Anyway, not any closer to the real culprit, but I have to admit I am beginning to enjoy it a little now that my vital data is safe. Beats sudoku at least for a puzzle. Who knows, I might learn something ;-)

Thanks.
-RG.

(Edited for clarity... well, some clarity)
Message Edited by Growler on 05-29-2009 04:00 AM
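
Added example (my own code, not Growler's or the forum's): a small Python pass over HTTP requests exported from a capture like the one described in this post, flagging executables pulled from bare-IP hosts and clients that fetch executables inside the same 01:00-02:00 window on several nights. The export layout, client and host addresses and paths are constructed placeholders, not values from the thread.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of a field export from a capture
# (timestamp | client IP | HTTP host | request URI). Placeholder addresses only.
SAMPLE_REQUESTS = """\
2009-05-27 01:12:41|10.0.0.5|www.example.com|/news/index.html
2009-05-27 01:17:03|10.0.0.5|192.0.2.10|/get/setup.exe
2009-05-28 01:09:55|10.0.0.5|198.51.100.7|/dl/x.exe
2009-05-28 01:40:10|10.0.0.9|192.0.2.10|/get/tool.exe
2009-05-28 09:30:12|10.0.0.5|download.example.org|/tools/installer.exe
2009-05-29 01:21:30|10.0.0.5|192.0.2.10|/get/update.exe
"""

# File types the thread saw being dropped (.exe downloads, .tmp staging files).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".tmp")

def parse_requests(text):
    """Turn the pipe-separated export into dicts carrying a datetime."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, uri = line.split("|", 3)
        rows.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     "client": client, "host": host, "uri": uri})
    return rows

def is_ip_literal(host):
    """True when the Host header is a bare IPv4 address (optionally with :port)."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False

def fetches_executable(row):
    return row["uri"].lower().endswith(EXECUTABLE_SUFFIXES)

def suspicious_downloads(rows):
    """Executables fetched from a bare-IP host: the pattern the capture showed."""
    return [r for r in rows if fetches_executable(r) and is_ip_literal(r["host"])]

def recurring_night_fetches(rows, start_hour=1, end_hour=2, min_days=2):
    """Clients pulling executables in [start_hour, end_hour) on >= min_days distinct days."""
    days_by_client = defaultdict(set)
    for r in rows:
        if fetches_executable(r) and start_hour <= r["time"].hour < end_hour:
            days_by_client[r["client"]].add(r["time"].date())
    return {c: sorted(d) for c, d in days_by_client.items() if len(d) >= min_days}
```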

@mijcar & pexley

You are right. The odds are that I will have to reinstall from scratch, and probably not only this machine. I have performed a complete (that is, only documents and pics) backup and am not using any but my Linux systems for banking and business communications now.

Luckily I have other options for photo editing right now, but I will have to deal with it soon and that will include a reinstall.....

Not really looking forward to that, but the whole ordeal kinda makes me feel unsafe.

Thank you for your input.

Rgds,

R. Growler.

Compumind,

Compumind wrote:

Hi -

Actually, if you wish to put this on a faster track, submit the file at this link -

http://www.threatexpert.com/submit.aspx

You will be notified faster and also have the ability to *track* your submission.

Hope this helps.

Thanks a lot, I will.

I was not aware of that site.

Rgds,

R. Growler.

Growler -

Now that you have backed your valuables off the system, try this to see if it will catch the offender. Please download, install to a USB stick drive and update the a-squared Emergency USB Stick Files from here. Instructions on the use of this scanner are linked on this page also. Stick the drive in a USB slot on your system and boot from it on power up. Scan your system and tell us what that finds (and fixes) please. Thank you.

Hi

I demangled your web address and downloaded the file, then installed.

These showed up in HijackThis; it might show up different file names for you.


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: 272329 helper - {437A43D5-E5C3-4959-BBD0-F2BFB1EDC6FD} - D:\WINDOWS\system32\sysloc\sysloc.dll
O4 - HKLM\..\Run: [sysldtray] c:\windows\ld08.exe
O4 - HKCU\..\Run: [SYSDLL] SYSDLL
O23 - Service: websrvx - Unknown owner - D:\Program Files\websrvx\websrvx.exe   (HijackThis cannot remove this)

In the Task Manager end the process "websrvx.exe"

Then go and delete these 2 files (and the folder "websrvx")

D:\Program Files\websrvx\websrvx.exe
D:\WINDOWS\System32\SYSDLL.exe
D:\WINDOWS\system32\sysloc\sysloc.dll

To remove the service use regedit and go down to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\websrvx and delete that one

Quads

Message Edited by Quads on 05-29-2009 03:00 PM
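
Added here as an example (my own code, not Quads' or the forum's): a small Python triage over the HijackThis lines quoted in this post, applying the checks the post's findings suggest (a proxy pointed at localhost, a Run entry with no path, an executable dropped straight into the Windows folder, a service with no owner). The heuristics are my own assumptions, not HijackThis rules, and the sample input is the post's own entries.

```python
import re

# Sample input: the HijackThis entries quoted in this post (constructed log for the script).
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: 272329 helper - {437A43D5-E5C3-4959-BBD0-F2BFB1EDC6FD} - D:\WINDOWS\system32\sysloc\sysloc.dll
O4 - HKLM\..\Run: [sysldtray] c:\windows\ld08.exe
O4 - HKCU\..\Run: [SYSDLL] SYSDLL
O23 - Service: websrvx - Unknown owner - D:\Program Files\websrvx\websrvx.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r".*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")

def parse_hjt(text):
    """Split a HijackThis log into (kind, body) pairs, e.g. ("O4", "HKLM\\..\\Run: [x] y")."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries

def triage(entries):
    """Return (kind, reason, body) for entries matching the indicators seen in this thread.
    The heuristics are my own assumptions, not HijackThis's own classification."""
    findings = []
    for kind, body in entries:
        if kind == "R1" and "ProxyServer" in body:
            # A proxy on loopback means some local process sees (and can rewrite) all browser traffic.
            if re.search(r"localhost|127\.0\.0\.1", body.split("=", 1)[1], re.I):
                findings.append((kind, "browser proxied through a local listener", body))
        elif kind == "O2":
            # Legitimate BHOs rarely live in a private subfolder of system32.
            if re.search(r"\\system32\\[^\\]+\\", body.rsplit(" - ", 1)[1], re.I):
                findings.append((kind, "BHO DLL in a subfolder of system32", body))
        elif kind == "O4":
            m = RUN_RE.match(body)
            cmd = m.group("cmd").strip() if m else ""
            if cmd and "\\" not in cmd:
                # No path at all: the name is resolved via the search path at logon.
                findings.append((kind, "Run entry is a bare name resolved via the search path", body))
            elif re.match(r"^[a-z]:\\windows\\[^\\]+\.exe$", cmd, re.I):
                findings.append((kind, "Run entry launches a file dropped directly into the Windows folder", body))
        elif kind == "O23" and "Unknown owner" in body:
            findings.append((kind, "service with no identifiable publisher", body))
    return findings
```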

Hi

1. Another thing is the download places files in the "D:\Documents and Settings\[username]\Local Settings\temp" folder or the Vista equivalent. Norton may now detect these after using the previous post.

2. Malwarebytes and SuperAntiSpyware Free detect the leftovers as

Malwarebytes

HKEY_CLASSES_ROOT\ty667.ty667mgr.1 (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\ty667.ty667mgr (Trojan.BHO) -> No action taken.
D:\Program Files\websrvx (Trojan.Downloader) -> No action taken.
d:\WINDOWS\sonce123198.dat (Worm.KoobFace) -> No action taken.
d:\documents and settings\John\Desktop\backups\backup-20090529-143233-381.dll (Trojan.BHO) -> No action taken.

SuperAntispyware

Adware.E404 Helper/Hij
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0\win32
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\FLAGS
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\HELPDIR
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid32
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib#Version
Trojan.Agent/Gen-Furious
D:\DOCUMENTS AND SETTINGS\JOHN\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\E36DS7S7\NFR[1].EXE

Adware.E404 Helper/Dropper
D:\DOCUMENTS AND SETTINGS\JOHN\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\KFYVUN6Z\6244[1].EXE

Trojan.Downloader-Gen/SysDLL
D:\WINDOWS\SYSTEM32\SYSDLL.EXE


Quads