tr_dloader.dll and tr_keylog.dll problems

#1 Hi

Nicht zu fassen, eine Woche sauber un dann diesen MIST!!

Please be aware that this is a VERY long post as I have tried to present as much information as possible.

I am afraid it is in English again (Heron??). Reading, speaking and even translation is OK I just can't write German. Replies in German are ok.

I hope that the wood can be seen for the trees !

Symptoms
a.) Zone Alarm repeatedly sent a request for svrexc.exe to have access to the internet. This mad me suspicious (I don't know why it just did) so I started looking.
b.)My CAT software TRADOS started acting up and would not allow its front end to start.
c.) FrameMaker keeps on crashing with IPFs in the middle of a document.
d.) Whenever I select the print function in any program, Windows loads the driver database and then presents me with the print dialog. Probably, none of this is related but I have included them for completeness.

I have a WLAN here , my machine is cabled to the router and the other computer uses a USB WLAN stick. It runs XP and is clean.

Action taken
1. Scan with AVG Free turned turned up a clean !! system. :-(

2. Scanned with Symantec online test

Identified as betterinternet type adware were: Speeryox.dll, inetsxa.dll, omgrcd.exe

Identified as keylogger: Morphstb.exe, srvexc.exe

3. Scanned with House call from Trend
Results stated that the system was infected with TR_DLOADER.DLL and TR-KEYLOG.DLL

4. Scans with SpyBot and Adaware
Nothing wrong except for a couple of cookies - nothing else. ??

5. Scanned with TrojanHunter:
Registry scan - No suspicious entries found
Inifile scan - No suspicious entries found
Port scan - No suspicious open ports found
Memory scan - Found trojan running in memory: C:\WINDOWS\SYSTEM\OMGRDVL.EXE, PID: -311395 (Adware.VX2.104)
File scan - Found trojan file: C:\WINDOWS\SYSTEM\omgrdvl.exe (Adware.VX2.106)

Attempted to fix - File renamed and could not be deleted.

7. In addition a .cab file for Morphstb.exe was found and deleted. A temp directory was also located and deleted

6. Each of the files was then sent to the online scanner page at http://virusscan.jotti.org.de and the results are below, loads of info. The differences in the results is interesting though.

Speeryox.dll
Antivir - Nothing found
Avast - Win32:Trojan-gen (Other)
AVG AntiVir - Nothing found
BitDefender - Nothing found
ClamAV - Nothing found
Dr. Web - Trojan.Bispy
F-Prot Antivirus - Nothing found
Fortinet - Adware/Betterinternet.fam
KAV - not-a-virus:Adware.Bispy.u
mks_vir - Nothing found
NOD32 - Nothing found
Norman Virus Control - Nothing found
VBA32 - Adware.Bispy

Morphstb.exe
Program found - PE_PATCH, UPX
Antivir - TR/Dldr.Ipinsig
Avast - Nothing found
AVG AntiVir - Nothing found
BitDefender - Trojan.Downloader.Stubby.A
ClamAV - Trojan.Downloader.Stubby-1
Dr. Web - Trojan.Stubby
F-Prot Antivirus - W32/Downloader.AQL
Fortinet - Downloader/Stubby.C
KAV - Trojan-Downloader.Win32.Stubby.c
mks_vir - Trojan.Downloader.Stubby.C
NOD32 - W32/Trojan.Downloader.Stubby.C
Norman Virus Control - Nothing found
VBA32 - W32/Trojan.Downloader.Stubby.c

inetsxa.dll
Program found -
Antivir - Nothing found
Avast - Win32:Trojan-gen (Other)
AVG AntiVir - Nothing found
BitDefender - Nothing found
ClamAV - Nothing found
Dr. Web - Trojan.Bispy
F-Prot Antivirus - Nothing found
Fortinet - Adware/Betterinternet.fam
KAV - not-a-virus:Adware.Bispy.u
mks_vir - Nothing found
NOD32 - Nothing found
Norman Virus Control - Nothing found
VBA32 - Adware.Bispy

omgrvd~1.tcf (was omgrcd.exe changed by trojan hunter)
Program found -
Antivir - TR/Drop.Agent.AY
Avast - Nothing found
AVG AntiVir - Nothing found
BitDefender - Nothing found
ClamAV - Trojan.Agent-43
Dr. Web - Nothing found
F-Prot Antivirus - W32/Agent.MC
Fortinet - W32/Agent-tr
KAV - Trojan.Win32.Agent.ay
mks_vir - Trojan.Agent.Ay
NOD32 - W32/Agent.AY
Norman Virus Control - Nothing found
VBA32 - Trojan.Win32.Agent.ay

srvexc.exe
Program found -
Antivir - Nothing found
Avast - Win32:Trojan-gen (Other)
AVG AntiVir - Nothing found
BitDefender - Nothing found
ClamAV - Nothing found
Dr. Web - Trojan.Bispy
F-Prot Antivirus - Nothing found
Fortinet - Nothing found
KAV - Trojan-Spy.Win32.Filtek.b
mks_vir - Trojan.Trojanspy.Filtek.B
NOD32 - probably unknown NewHeur_PE (possible variant)
Norman Virus Control - Nothing found
VBA32 - Trojan-Spy.Win32.Filtek.b

Just what antivirus program should you use confused.gif

*****************

Here is the hjt file

Logfile of HijackThis v1.99.1
Scan saved at 23:43:48, on 07.04.05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMME\ROXIO\WINONCD\DIRECTCD\DIRECTCD.EXE
C:\PROGRAMME\ELABORATE BYTES\CLONECD\CLONECDTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2CWAD.EXE
C:\WINDOWS\SYSTEM\ATIPTKAD.EXE
C:\PROGRAMME\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAMME\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAMME\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SRVEXC.EXE
C:\PROGRAMME\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAMME\T-ONLINE\WLAN-ACCESS FINDER\TOWLAACF.EXE
C:\WINDOWS\TWAIN_32\A12U16K\WATCH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\MARMIKO SHARED\MWLAMAS.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMME\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAMME\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lycos.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: sPeerObj Class - {00000097-7C67-4BA6-8B42-05128941688A} - C:\WINDOWS\SPEERYOX.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAMME\ICQTOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programme\Roxio\WinOnCD\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] C:\PROGRAMME\ELABORATE BYTES\CLONECD\CLONECDTRAY.EXE
O4 - HKLM\..\Run: [AtiCwd32] Ati2cwad.exe
O4 - HKLM\..\Run: [AtiKey] atiptkad.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [omgrdvl] c:\windows\system\omgrdvl.exe
O4 - HKLM\..\Run: [MORPHSTB] C:\WINDOWS\MORPHSTB.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [srvexc.exe] C:\WINDOWS\SYSTEM\srvexc.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAMME\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\sentstrt.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [T-Online_Software_5\WLAN-Access Finder] C:\PROGRAMME\T-ONLINE\WLAN-ACCESS FINDER\TOWLAACF.EXE /StartMinimized
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A12U16K\WATCH.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/193a39b22b4a52...ip/RdxIE601.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab

**************


I believe that if I fix the BHO for 'speeryox' and th entries for the suspect files and then delete them from the system it will be ok confused.gif. But what may be left over.

But will there be problems with the inetsxa.dll ?

Each virus company has solutions for their variation of the virus and it is too very expensive to buy all these packages. Equally, I once tried running Symantec and KAV at the same time and ended up reformatting the drive. (dumb really, should have known better).

I have done the basics and gathered lots of info but am now stuck as how to proceed.

Any help will be gratefully accepted.

Regards

kistev

#2 Hi kristev,

ich antworte Dir diesmal auf Deutsch damit diejenigen User, deren Englisch nicht so gut ist, auch mitlesen können.

Dass Du nach so kurzer Zeit schon wieder hier auf der Matte stehst zeigt, dass Du mit Deinem System ein (oder mehrere) grundlegende Sicherheitsprobleme hast. Zusätzlich würde ich an Deiner Stelle mein Surfverhalten überdenken.

Du hättest Dir im Grunde genommen das lange Posting sparen können, das HJT Log hätte genügt. Wie man den verschiedenen Logs entnehmen kann , hast Du Dir wieder eine Menge Malware aufgeladen! Das schlimmste aber sind diese beiden Biester hier:
scanregw.exe = Troj/Opwin-11
http://www.sophos.de/virusinfo/analyses/trojopwin11.html
srvexc.exe = BKDR_SERVSAX.A
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.servsax.html
Beides Trojaner mit Backdoor-Funktionalität. Dein System ist also kompromittiert und die einzig saubere Lösung wäre, das System neu aufzusetzen. Infos dazu findest Du hier im Board genügend.

Gruß
Heron
__________
"Die Welt ist groß, weil der Kopf so klein"
Wilhelm Busch

#3 Hi Heron

Thanks for the reply

Wie peinlich - Ich bin total irritiert !!!!!

My surfing pattern is not at fault. I am normally very fussy about this machine as I need it to look for a new job - I have been unemployed for some time.

After I had cleaned the system the last time I started to work through the Hannover Messe Catalog, company by company, AfA and so on. I clicked on a link in google and landed on a 'Bewerbungshilfe website' It turned out to be similar to the type of 'Hausaufgaben' sites with a bad repuation. A window flashed open and closed so fast I almost didn't see it. Maybe it cane from there who knows.

The more amusing sites around (if you know what I mean) aren't very interesting and we all know that they are the biggest Thread areas.

However, the rest of the family have access to what is really a working machine. That will have to change.

I don't understand why this was not stopped by the AVG Antivir and not found by Spybot or Adaware.

I will have to do some research into the right tools to hide this machine and look at the the security settings again !

Can I do a fix with HJT for the malware and use the Sophos instructions for Scanregw? Or will it all simply reappeared when I reboot, and finally is there an easy way of getting rid of srvexc.exe ?

I wasn't very interested on what went on inside uptill now. It just had to work. I can see that life is more difficult than that. It's a very interesting area to study.

Sorry for going on at such length, I have to let my frustration out somewhere !

Once again many thanks and have a nice weekend.

Kistev

#4 Hi kistev,

Zitat

Can I do a fix with HJT for the malware and use the Sophos instructions for Scanregw? Or will it all simply reappeared when I reboot, and finally is there an easy way of getting rid of srvexc.exe ?

Prinzipiell kannst Du das fixen und die Programme mit den entsprechenden Tools löschen. Dennoch weißt Du nicht, was die Backdoor-Trojaner auf Deinem System alles schon angerichtet haben. Deshalb nochmal: neu aufsetzen wäre die beste Lösung.


Gruß
Heron
__________
"Die Welt ist groß, weil der Kopf so klein"
Wilhelm Busch

#5 Naja

Ich muss wohl in den saure Apfel beissen !

That means 'ade' for my trusty 450MHz AMD and I will have to invest in something with a few more PS ;-) This thing has never let me down though and I will keep it around. I will have to upgrade to XP at least.

As I said this has started an itch in me and I am going to start looking at this subject.

Once again thanks for the help and have a nice weekend. I hope (in the nicest possible way), that we do not meet again for a while :-)))))

kistev