Nasty Trojan disables regedit, msconfig, antivirus, firewall, task manager, etc

Status
Not open for further replies.
I never thought it would happen to me...

As I have just contracted a nasty piece of uber-malware that whipped through NAV as if it weren't there, I thought I would post a compilation of what I have learnt through personal experience and on this and other forums. I have noticed that about 4 people have complained about this beast in the last couple of days in different places, so I thought I would post what I have learnt.

It's a bit rough, but it's a start.

My system, which runs Microsoft Windows XP Pro with SP2, has become infected with a particularly nasty little Trojan.

For the record, my security tools are:

1) Ad-Aware Professional, with Ad-Watch running constantly. I do a full scan at each start-up
2) Norton Anti-Virus, with definitions updated as of Thursday, Dec 30, 2004, system is scanned weekly
3) Fully updated XP patches through Microsoft Automatic Update
4) SP2 firewall, plus hardware firewall on my Cisco router

I have no idea how I got infected – I became aware of it when I noticed the Ad-Watch icon flashing in the start-up menu and found that 4 attempts or so per minute were being made to modify the registry files. I then noticed that NAV was inactive (no icon present) and that the Microsoft security icon was flashing for my attention. However, each time I attempted to open it, the window shut immediately.

Safe mode changed nothing – NAV was still unable to open. Here’s what I have learnt from research:

Properties of the Trojan:

1) Disables antivirus software
2) Disables all firewall software (including MS security Center and SP2 Firewall)
3) Disables access to Windows updates
4) Closes Mozilla and IE browser windows if you search on certain topics like 'antivirus'
5) Prevents web access to all major AV sites, similar to MyDoom
a. Changes the hosts file in C:\WINDOWS\system32\drivers\etc to block major AV sites and online virus scans. I was able to access and run the Trend Micro scan by accessing it through their European page, but the scan found nothing. I was also able to run McAfee's Stinger, which found nothing.
6) Regedit and msconfig are both disabled – attempting to run them will display a window for a fraction of a second before it closes again
a. The DisableRegistryTools value is set under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\ & Explorer
b. One program – Registrar Lite – allowed registry access. However, editing the registry without killing the main process meant that registry edits were immediately restored.
7) Certain programs will not run, or will not install if not already loaded. These include registry editors, process managers, AV scanners and HijackThis.
8) All of the above 'features' still apply in safe mode.
9) Spybot was one of the few relevant apps I was able to install without a hitch. It revealed an instance of Kazaa.Irc.Spybot13.World running, which is strange because I have never installed Kazaa before. Although the Kazaa process was fixed by spybot, it reoccurred on follow-up searches and so I suspect it is part of, or responsible for the Trojan.

I put a call in to my ISP to let them know I had this Trojan and to ask if they could monitor my account for any untoward activity. They called me this evening to let me know that they had been watching and hadn't seen any unusual mail server or port activity. However, one TechSpot forum poster, Ranalin, pointed out on Dec 25, 2004, that there was some evidence his system was being used for a DDoS attack.

Microsoft AV support was pretty unhelpful as they didn't seem to have come across this behavior before. They were friendly enough, but I spent several hours on the phone with different techs to no avail. However, as I have found five almost identical reports of this behavior in the last five days, I thought it might be useful to pool the information learned. It is possible that these are different variants of the same Trojan or even different Trojans/viruses, but the behavior in each case is sufficiently similar to make it interesting.

I was also able to run CWShredder which found copies of SmartSearch and TheRealSearch but was unable to remove them. However, research suggests that these two programs could not be responsible for all of the symptoms.

The only way it seems possible to regain control of your machine is to find a registry editing program that the Trojan does not block, install it and end the malware process.

I used Uniblue WinTasks Pro 5 application to finally access the processes.

I was also able to open the registry using a program called Registrar Lite. However, until I killed the main process, any registry edits made to the Windows\CurrentVersion\Policies entries were immediately changed back to trojan’s disallowance settings.

The descriptions I have read of the problem each differ on which process to kill. You might look for:

1) chkinit.exe & rmctrl.exe
2) dllserv.exe or regserv.exe
I didn’t have any of these processes. I did, however, find a process I didn’t recognize:

3) svcxnw32.exe, which another person infected with Kazaa.Irc.Spybot13 reported in a HijackThis log.

I used Uniblue's WinTasks Pro 5 to kill the svcxnw32 process. Finally, I had some control of my machine again.

I am currently running NAV and will run a number of online scans to see if I can rid myself of this Trojan. I was also able to access the registry and remove the DisallowRun keys that locked me out of the registry without their reappearance. However, although running msconfig was now possible, and I was able to uncheck the two svcxnw32 entries in the startup tab of the System Configuration Utility, on rerunning msconfig without a reboot, they had become rechecked, so the thing is probably still active.

I am not confident I will be free of this virus easily, although I have much improved my position. I hope NAV, panda, or RAV will be able to locate and finally kill the thing before I reboot. I have never had a Trojan or virus on my home system before, but I have troubleshot plenty of other systems that have had viruses, and I have never encountered anything quite so persistent and with so little good information available on it from sophos/Symantec/etc. This is why I am not hazarding a guess at which one it is – I just don’t know. This is why I compiled this document – hopefully anyone who reads it won’t have to spend an entire day on the phone with Microsoft or reading forum entries to try and find out how to start getting back control of their own system.

Update – NAV has not found anything untoward, despite the fact that the Trojan was able to cripple it. So much for Norton – I will be looking for some new AV protection before I reboot this machine.

I really hope that this BS piece of malware payload doesn’t get fitted with slick sasser-like delivery system or things are going to be very ugly on the internet for a while. And if I ever met the guy who wrote this, I would be inclined to shove a glass bottle up his *** then kick it until it breaks. Good luck to anyone else who finds themselves dealing with this.

Additional info:

Bradshawd on the TechSpot forums also had a problem with the mysterious Kazaa.Irc.Spybot13.World, reporting similar symptoms to me:

Three registry keys keep getting remade each restart.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"0"="blackd.exe"
"1"="blackice.exe"
"2"="lockdown.exe"
"3"="lockdown2000.exe"
"4"="netmon.exe"
"5"="processmonitor.exe"
"6"="taskkill.exe"
"7"="tskill.exe"
"8"="smc.exe"
"9"="sniffem.exe"
"10"="zapro.exe"
"11"="zlclient.exe"
"12"="zonealarm.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001


I have posted this to the forums where I got the information to compile. Other versions include URLs which violate Techspot's terms. Please feel free to add to, modify, and circulate elsewhere if you found it useful.
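A defender-side check for the lockouts this post describes, added here as an example and not code from the thread or any poster: it parses a .reg export in the format quoted above, reports the DisallowRun / DisableRegistryTools policies and the list of blocked programs, and flags hosts-file entries that pin antivirus vendor domains to a fixed address. The sample inputs are constructed from the keys posted in the thread; DisableTaskMgr and the vendor domain list are assumptions not taken from the dump.

```python
# Constructed .reg text modelled on Bradshawd's post (a subset of its DisallowRun list).
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"0"="blackd.exe"
"6"="taskkill.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""
# Constructed hosts file: a legitimate entry plus an AV-site block of the kind the OP describes.
SAMPLE_HOSTS = "127.0.0.1  localhost\n127.0.0.1  securityresponse.symantec.com  # added by malware\n"
# Value names from the thread's dump, plus DisableTaskMgr (the real equivalent for Task Manager).
LOCKOUT_VALUES = {"disallowrun", "disableregistrytools", "disabletaskmgr"}
AV_DOMAINS = ("symantec.com", "mcafee.com", "sophos.com", "trendmicro.com")  # vendors named in thread

def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} from REGEDIT4-style export text."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip().strip('"')
    return keys

def find_lockouts(keys):
    """List policy values set to 1 and every program blocked under Explorer\\DisallowRun."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith((r"\policies\explorer", r"\policies\system")):
            for name, value in values.items():
                if name.lower() in LOCKOUT_VALUES and value.lower() == "dword:00000001":
                    findings.append(f"{path}\\{name} = 1")
        elif low.endswith(r"\policies\explorer\disallowrun"):
            findings.extend(f"DisallowRun blocks {prog}" for prog in values.values())
    return findings

def find_hosts_blocks(hosts_text):
    """Return (hostname, address) pairs where the hosts file pins an AV vendor domain."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, split on whitespace
        for name in fields[1:]:
            if any(name.lower() == d or name.lower().endswith("." + d) for d in AV_DOMAINS):
                hits.append((name, fields[0]))
    return hits
```

Run it against `regedit /e` output and a copy of `drivers\etc\hosts` taken from a clean boot medium, since on the infected system the Trojan restores these values as fast as they are edited.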
 
What a small world. I am having the same problem as you and Sacki123. Keep me posted on any updates that might help. I'm on the verge of a complete reinstall, yuk.
Jay
 
hi mcridercoach ...

check out this thread as well : tp://www.techspot.com/vb/topic18481.html

this thread and the one i posted should help you out ..just read everything posted.. i described most things i did and my system works perfectly now .. (read everything first though.. i made a lot of unnecessary steps to figure out how to beat this problem)
 
Got it!

I submitted it to Norton, and got this reply:


Dear Steve Walker,

We have analyzed your submission. The following is a report of our
findings for each file you have submitted:

filename: chkinit.exe
machine: MAIN-PC
result: This file is infected with Backdoor.Abebot

Developer notes:
chkinit.exe is a non-repairable threat. Please delete this file and replace it if necessary.
Please follow the instruction at the end of this email message to
install the latest rapidrelease definitions.


The current monthly definitions are capable of detecting and repairing
this virus. Please update your definitions by clicking the "LiveUpdate"
button in your NAV program.
----------------------------------------------------------------------
This message was generated by Symantec Security Response automation

Should you have any questions about your submission, please contact our
regional technical support from the Symantec website and give them the tracking number in the
subject of this message.


Steve
 
Back up your sensitive data.
Clean install new os.
Keep your new os up to date using windows update
Install a firewall (i saw zonealarm in your comp...it's very useful)
Usually the viruses come via sex sites or warez/serials/cracks sites, so be aware in the future and be more suspicious when surfing these places
 
Nasty Indeed!!

Though I realize this thread started in January 05....and it's June now. I encountered this exact problem today with a client PC. I started by editing the registry in safe mode for all the traditional garbage that shouldn't be there. The main problem with this machine, once I got it home and on my workbench, was that it was missing a bajillion security patches and updates. But alas, the automatic update service would get disabled as soon as I started it, and I couldn't get to MSCONFIG, REGEDIT or TASK MANAGER. Trend's PC-cillin wouldn't update the definitions, and Trend's HOUSECALL wouldn't work either. None of the definitions would update for the spyware removers either; I had to manually download the defs to a flash drive. So after HijackThis, Ad-Aware, Spybot, Regcleaner, etc.....and multiple scans and multiple removals.....I hit the Microsoft Beta Tool.....WOW...did that find some crap. But it still missed stuff that made a lot of the spyware and adware come right back.

Meanwhile, I'm searching the net for weird file names I'm coming across and more posts similar to this one. One Post on another site recommended the PANDA online scanner...so what the hey...I'll try that too.

I was shocked. That free online scanner fixed it all. Not kidding. I really don't think any of the registry changes I made did a thing....I am a new believer in Panda. If you are getting the symptoms described in this post...try the PANDA scanner. Automatic Updates started working, anti-virus updated, regedit came back, task manager came back and the poor PC is good as new. (And service packed to the hilt now)

Good luck....you'll really only come across this puppy if your updates are out of date and anti-virus out of date because you're protected against it now, it's old news.

Viruses found and removed by Panda were:
Downloader.BWM - file name ftplog[2].rar, ftplog.exe, trg.dtl,
GAOBOT.EIK - file name CISCV.EXE
GAOBOT.FED - file name codq.exe
GAOBOT.ALK - file name tftp1780, tftp2120, TFTP3112
GAOBOT.ETP - file name tftp2340
SDBOT.DOF - file name TFTP2784
GAOBot.EJU - file name TFTP4036

I can't even tell you how many pieces of spyware and adware this thing found even after I ran ALL the above tools with updated definitions. As I said...PANDA is my new favorite friend. For viruses AND Spyware\Adware.

Jan
 
Dead Serious

Nope....not kidding. In fact, I've never used Panda before today. I am still cleaning spyware off the machine, but the viruses that were keeping me from all the utilities are totally gone. I'm an avid Trend Micro user. And I don't work for either company. I work as a Support Technician for a Medical University.
 
A little more info

Keep in mind that I did remove A LOT from the registry too. And as PC-cillin was detecting viruses and spyware, I was deleting the files. I'm just saying, after the Panda scan...it was up and running. I realize you guys worked on this problem for a VERY long time....but in 6 months...I would think that Panda, along with a ton of other online scanners and anti-virus programs, have added things to the defs to protect against it. Problem was...NOTHING would update the defs.....Whichever virus out of the 6 or 7 was restricting the more popular sites from being contacted for updates, perhaps it forgot about Panda and that's why it got through.
 
jcmit said:
Whichever virus out of the 6 or 7 was restricting the more popular sites from being contacted for updates, perhaps it forgot about Panda and that's why it got through.
I suppose you got lucky indeed.
I never even think of Panda. My own PCs are all protected using the free AVG and the bought Agnitum Outpost. The home-network is also protected by an SMC Barricade router with hardware firewall and NAT, with allowed-MAC-only settings.
Personally I surf anywhere I like, and have never been 'bitten'.

PS: Make sure to update that PC with M$'s latest when you are done.
 
Stressbattle, you need to start your own thread if you need help.

It's pure luck that i spotted your post in this old thread!!
 