Freckles HJT log #1

Started by Ripley, January 14, 2006, 12:16:10 AM


Ripley

Oh, the saga continues.
Spybot scan was clean as it always had been during this infection.
But AdAware in normal mode detected purity scan in memory as it did in the previous AdAware logs posted above.  :(

winchester73

ripley ...

Die Hard has had some computer issues of his own ...  :shock: ... so I thought I'd look in on this thread.

When searching for those three files, did you have Windows show the hidden files?

http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Ripley

Hey winchester 73  :)

I thought about that too.  To my knowledge, and from discussion with Freckles, this was done:

Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

But to be sure I'll verify that.  Thanks for dropping in.

ripley

winchester73

It seemed odd that a search for these didn't produce what you were looking for ...

t?skmgr.exe
j?vaw.exe
m?hta.exe

How about you post the snippet from the Ad-Aware log that finds Purity Scan.

Ripley

1-20-2006 8:32:54 PM - Scan started. (Full System Scan)

#:60 [t?skmgr.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 3980
    ThreadCreationTime : 1-20-2006 10:12:51 PM
    BasePriority       : Normal


PurityScan Object Recognized!
    Type               : Process
    Data               : t?skmgr.exe
    TAC Rating         : 6
    Category           : Malware
    Comment            : (CSI MATCH)
    Object             : C:\WINDOWS\system32\


Warning! PurityScan Object found in memory(C:\WINDOWS\system32\t?skmgr.exe)

"C:\WINDOWS\system32\t?skmgr.exe"Process terminated successfully
"C:\WINDOWS\system32\t?skmgr.exe"Process terminated successfully

The user isn't at her computer until later, but the entry above from the AdAware log a few days ago is what she's been getting the last 4-5 scans.

I know it was odd.  That's why I posted exactly what the user was telling me she was seeing when she did the search and how she did the search.
What if she deleted them even if the number of bytes doesn't match?

winchester73

Quote: What if she deleted them even if the number of bytes doesn't match?

I wouldn't delete things in that manner ...

The "?" means the character is not in the standard set.  The names of valid Windows files will be found if you replace the "?" with the correct character.  To delete these files, you have to manually look for them, as searching is often a problem because of the wildcard character. A search will show valid files that you DO NOT want to delete.

You might try this trick to spot the rogue files ... open up the C:\windows\system32 directory and sort the files by name. The valid files will be in the proper order and the invalid files will be in the bottom, out of order. They will also have a newer date than the valid files.

You could also try Start > Run > cmd ... navigate to the system32 directory and then type dir /a ... that might see the weird ones.

The exploit using '?' in the filename is a PurityScan trojan.  You might try Ewido ...

Let's also see a fresh HJT log.

Ripley

Will check looking for those rogue files w/ those 2 suggestions above and post a new HJT log.
As far as Ewido, here's the history:

1-18-06 in safe mode detected nothing, but AdAware did.
1-19-06 in normal mode detected !update (purity scan?) and said cleaned.
1-20-06 in normal mode detected local settings/temp file/content/01G1W/!update-319 was cleaned, but then a repeat scan with F-Secure A/V right after detected !update.exe, but couldn't disinfect.
1-25-06 in safe mode detected nothing.

And w/ the rest of the thread you can see the additional scanning in between Ewido scans.  It seems Ewido detects this problem in normal mode, but not safe mode.  We can try again in normal mode if you think that will help.  Anything that might have been quarantined w/ any scanner was purged too.

winchester73

To explain the sorting in more detail ... go into Windows Explorer and open the system32 folder.

Go to View > Details.  You'll be presented with Name, Type, Size, Modified.

You could also sort your files by the date they were modified, and look for 09/29/2005  ...
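The two posts above describe the same hunt by hand: a '?' in a filename is a character outside the usual set, a wildcard search for t?skmgr.exe also matches the legitimate taskmgr.exe, and the rogue copies sort out of place and carry a newer modified date than their neighbours. The script below is an added example (not code from the thread or from any of the tools mentioned) that does that triage over a directory listing. The listing, the Cyrillic lookalike characters, the sizes and the baseline date are all constructed for illustration; the thread only says the character was "not in the standard set", so the confusables table is an assumption.

```python
"""Triage a directory listing for homoglyph filenames.

Added example, not from the thread. SAMPLE_LISTING is constructed to
resemble the case discussed (names a scanner printed as t?skmgr.exe,
j?vaw.exe, m?hta.exe); it is not the poster's real data.
"""
import fnmatch
import unicodedata
from datetime import datetime

# Assumed confusables: Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",
    "\u043e": "o",
    "\u0440": "p",
    "\u0441": "c",
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",
    "\u0445": "x",
}

# Legitimate system32 binaries that the rogue names imitate.
KNOWN_NAMES = {"taskmgr.exe", "javaw.exe", "mshta.exe"}

# Constructed listing: (name, size in bytes, last-modified timestamp).
SAMPLE_LISTING = [
    ("taskmgr.exe", 135168, "2004-08-04 12:00:00"),
    ("javaw.exe", 49248, "2004-08-04 12:00:00"),
    ("mshta.exe", 28672, "2004-08-04 12:00:00"),
    ("msiexec.exe", 78848, "2004-08-04 12:00:00"),
    ("t\u0430skmgr.exe", 77824, "2005-09-29 18:41:00"),  # Cyrillic a
    ("j\u0430vaw.exe", 77824, "2005-09-29 18:41:00"),    # Cyrillic a
    ("m\u0455hta.exe", 77824, "2005-09-29 18:41:00"),    # Cyrillic dze
]

# Assumed install date of the legitimate files; anything newer is suspect.
BASELINE = datetime(2004, 8, 4, 12, 0, 0)


def non_ascii_positions(name):
    """Return [(index, char, unicode name)] for each non-ASCII char in name."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(name) if ord(ch) > 127]


def ascii_lookalike(name):
    """Map confusable chars to the Latin letter they imitate; unknown -> '?'."""
    return "".join(ch if ord(ch) <= 127 else CONFUSABLES.get(ch, "?")
                   for ch in name)


def wildcard_hits(pattern, names):
    """What a '?' search returns: the wildcard matches ANY single character,
    so the legitimate file is listed alongside the rogue one."""
    return sorted(n for n in names if fnmatch.fnmatchcase(n, pattern))


def find_rogue_files(listing, known=KNOWN_NAMES, baseline=BASELINE):
    """Flag names with non-ASCII chars; record what they mimic and whether
    they are newer than the baseline, which is what the manual sort shows."""
    findings = []
    for name, size, mtime in listing:
        odd = non_ascii_positions(name)
        if not odd:
            continue
        mimics = ascii_lookalike(name)
        modified = datetime.strptime(mtime, "%Y-%m-%d %H:%M:%S")
        findings.append({
            "name": name,
            "mimics": mimics if mimics in known else None,
            "codepoints": [f"U+{ord(ch):04X} {uname}" for _, ch, uname in odd],
            "newer_than_baseline": modified > baseline,
            "size": size,
        })
    return findings


if __name__ == "__main__":
    names = [n for n, _, _ in SAMPLE_LISTING]
    print("search t?skmgr.exe ->", wildcard_hits("t?skmgr.exe", names))
    for f in find_rogue_files(SAMPLE_LISTING):
        print(f)
```

Note that a real directory listing would come from os.scandir() over C:\WINDOWS\system32 with the stat() results; the constructed tuples stand in for that so the example runs anywhere. The key check is the code point of the odd character, which pins down exactly which file to delete, rather than byte count or a wildcard match.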

winchester73

I was typing while you were ...  :D

Any interference from a real time monitor?

Ripley

She has Spybot with TeaTimer not on, CounterSpy which I had her disable, and looking through notes, she has SpywareBlaster, which I thought was disabled, but not sure now... we've done so many scans!
Will make sure SpywareBlaster is disabled too.
What about the F-Secure A/V?  Should we disable that during Ewido or AdAware scans?  I know we started out having it disabled, but not sure if for all of the scans, or if it makes a difference.  I personally am unfamiliar w/ F-Secure security products.

winchester73

You can leave SpywareBlaster alone ... it sets Active-X killbits, and won't interfere with this ...

Also search the computer for:  robot.exe

I don't know much about F-Secure either.  Let's see what the ^^^ suggestions turn up.


Ripley

Pray tell
Quote: ^^^ suggestions
?????

:tease:  Just kidding, I assume you mean, the 3 suggestions above on searching differently.

But if it's some secret forum code I haven't learned yet, be sure to get back to me.

Have not tried an a-squared trojan scan, but we will do it.  Just went there, and it says if trojans are found to go to the a-squared home page.  Do we do that, or just post the log here?  And does it give us the option of saving a log?  Couldn't tell by reviewing the link you posted.
Also it says choose a folder to scan.  Do we choose windows/system32 folder or the whole c drive?
I've not done one of these before.


winchester73

Scan the whole computer ...

I just ran the scan on this box ... C:\ was the default presentation.  I didn't add any folders, just scanned.

Ripley

Quote: It seemed odd that a search for these didn't produce what you were looking for ...

t?skmgr.exe
j?vaw.exe
m?hta.exe

FYI, we're also looking for this one according to Panda online scan:

Adware:adware/swimsuitnetwork
C:\WINDOWS\system32\MYDLL.dll   (with 1,462,353 bytes according to the dat.Find log.)

There were 2 others that Panda detected, but user was able to find and delete those.

Just got your post while I was adding this.
Will scan whole computer.