jebschmied
TrojanDownloader.Win32.Agent.j virus!

I’ve been finding solutions on this site for some time, but this is the first time I’ve posted for help. I’m working on a computer that was totally infected with spyware and viruses. It is XP Home and is now up to date with all service packs, anti-spyware tools and anti-virus software. I’ve cleaned up all the spyware and viruses except for one remaining one that I can’t get rid of. It is detected in memory by Kaspersky and Antiy Ghost as TrojanDownloader.Win32.Agent.j, but it is not detected anywhere on the hard drive. Therefore, the file containing the infection cannot be cleaned or deleted. Other software, such as Norton Antivirus Corporate Edition, does not detect it at all. It was originally detected in several files by AVG 6.0 and all those files were removed, but it is still showing up in memory with all startups disabled. I might have assumed that the system was clean and that it was just a mis-detection if it wasn’t for the fact that symptoms are still showing up. The start and search pages are constantly changing. The virus still shows up in memory even when booting into safe mode, so it is something that is not easily disabled by just removing it from startup. It must be loading as a dll required by some system device that is needed even in safe mode. It is not loading as a task or a process that can be killed either. It shows up in memory as a loaded dll module with a location of “c:\windows\system32\logphip.dll”, but on the hard drive no such file exists. I’ve run updated versions of AdAware, Spybot, SpySweeper, AVG 6.0, CW Shredder, and HijackThis, and have removed everything that is suspicious. Below is the current log from HijackThis. Notice the entries for the search pages. I’ve removed them many times, but they keep coming back... even in safe mode. Let me know what other information I can provide. I’m at my wits’ end with this one.

Logfile of HijackThis v1.97.7
Scan saved at 3:40:11 PM, on 6/19/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Linda\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\LINDAS~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\LINDAS~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\LINDAS~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\LINDAS~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)



ASKER CERTIFIED SOLUTION
Newjack64

This solution is only available to members of Experts Exchange.

jebschmied (asker)

Thanks Jack, I tried the suggestion you posted. Unfortunately the AppInit_DLLs= <%malware path%> stated in the Trend Micro write-up was blank, and the Trend Micro virus scanner was unable to detect any infected files on the hard drive.

As to the R1 entries in HijackThis, that log was from a boot in safe mode where the entries were deleted in safe mode, and then a short while later they returned while still in safe mode.

You are right as far as the processes are concerned. It looks like nothing is wrong with them. However, on the loaded modules page of System Information there is an entry that is not right. It is:

Name: "c:\windows\system32\logphip.dll"
Version: (blank)
Size: (blank)
File Date: (blank)
Manufacturer: (blank)
Path: "c:\windows\system32\logphip.dll"

That is the same file and path that the other virus scanners recognized as the source of the virus in memory.  However, the stated file does not exist anywhere on the hard drive.
ajsaasta

You don't have to do it "by the hard way", just install Ad-Aware, update the spyware definitions and run Ad-Aware. Ad-Aware identifies the malware on your PC and deletes it if possible.

See http://www.lavasoftusa.com and the software documentation for more details and definitions.

Ad-Aware is available as FREEWARE.

My 1st-hand knowledge is that Ad-Aware detects 99% of malware (when malware db's are up-to-date), quarantines it (if selected) and deletes it. All in 2 to 5 mins, depending on the PC's hardware and software.


jebschmied (asker)

ajsaasta must not have read the original post. I tried Ad-Aware and this one must be in the other 1% because it would not find this one.

Newjack64's post put me on the right track. Part 1 of Trend Micro's write-up said to:

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>CurrentVersion>Windows
In the right panel, locate and delete the entry:
AppInit_DLLs = <%Malware Path%>
(Note: %Malware Path% is the path where the Trojan is located.)  

Well, the trojan set permissions on the key so that it appeared to be empty, but in fact it did have the entry
AppInit_DLLs = c:\windows\system32\logphip.dll once the permissions were reset.

The second part of their write up said to:
Right-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>CurrentVersion>Windows
Select Permissions, check the boxes that correspond to the Deny option for each item under the Name field, then click OK.
Close Registry Editor.

After setting all permissions on the entire key and all child objects to deny and rebooting, the trojan could not load, and suddenly the file appeared in the location it was said to have existed. It looks like when the trojan was loaded into memory, it hid its own dll file along with several other files so that they were completely invisible to me as well as all of the virus checkers (I did have show hidden and system files on). Even though the Trend Micro virus checker still would not detect the virus in the logphip.dll file, AVG did, and it found the other infected files that were invisible as well.

I guess this means:
a) Booting into safe mode does not necessarily disable ALL possible startups of trojans. This one ran in safe mode as well.

b) Trojans do not always show up as tasks that can be killed.  The only reference to this one was in loaded dll modules. However, after it was in memory for a while it would create a new exe file and start it as a task.

c) Show hidden and system files does not necessarily show all files. If a trojan is programmed to hide its own dll file, and said trojan is active in memory, the infected dll file may remain completely invisible to you and virus checkers (even in safe mode).

If anyone has a trojan that keeps coming back even after removing every instance of it you can find in safe mode, set permissions and delete AppInit_DLLs in HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>CurrentVersion>Windows (even though it already appears to be empty, permissions may have been set by it so that it just appears empty to you).

Thanks Jack for putting me on the right track with Trend Micro!
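The checks jebschmied worked through by hand in regedit and System Information can be scripted. The PowerShell below is an added example, not code from this thread or from Trend Micro, Ad-Aware or any other tool named in it. It assumes an elevated PowerShell session on a Windows version that ships PowerShell (XP did not), and it only reads and reports: it lists Deny ACEs on the AppInit_DLLs key (the trick that made the value look empty), reads the value and treats a read failure as a finding in its own right, checks whether each referenced DLL is actually visible on disk, and then lists loaded modules whose backing file cannot be found, which is the logphip.dll symptom from the loaded-modules page. The LoadAppInit_DLLs value it also prints was added in later Windows versions and does not exist on XP.

```powershell
# Added example (not from the thread): audit the AppInit_DLLs load point and
# report loaded modules whose backing file is missing from disk.
# Run from an elevated session so the key's ACL and process module lists are readable.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

# 1. Deny ACEs on the key: this is what hid the value from regedit in the thread.
$acl = Get-Acl -Path $KeyPath
$acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } | ForEach-Object {
    Write-Warning "Deny ACE on $KeyPath for $($_.IdentityReference): $($_.RegistryRights)"
}

# 2. Read the load-point values. Failing to read the key at all is itself a finding.
$appInit = ''
try {
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $appInit = [string]$props.AppInit_DLLs
    $loadFlag = $props.LoadAppInit_DLLs   # Vista and later only; $null on XP
    Write-Host "AppInit_DLLs = '$appInit'"
    if ($null -ne $loadFlag) { Write-Host "LoadAppInit_DLLs = $loadFlag" }
} catch {
    Write-Warning "Could not read ${KeyPath}: $($_.Exception.Message) (check ownership and permissions)"
}

# 3. For each DLL the value names: is the file visible on disk, and with what attributes?
# Entries are separated by spaces or commas; a bare name is resolved under System32.
foreach ($entry in ($appInit -split '[ ,]' | Where-Object { $_ })) {
    $path = [Environment]::ExpandEnvironmentVariables($entry)
    if (-not [IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot "System32\$entry"
    }
    if (Test-Path -LiteralPath $path) {
        $attr = (Get-Item -LiteralPath $path -Force).Attributes
        Write-Host "  $path exists, attributes: $attr"
    } else {
        Write-Warning "  $path is referenced by AppInit_DLLs but is not visible on disk"
    }
}

# 4. Loaded modules with no file on disk, across every process we are allowed to inspect.
Get-Process | ForEach-Object {
    $proc = $_
    try { $mods = $proc.Modules } catch { return }   # access denied on some protected processes
    foreach ($m in $mods) {
        if ($m.FileName -and -not (Test-Path -LiteralPath $m.FileName)) {
            Write-Warning "$($proc.ProcessName) (PID $($proc.Id)) has loaded $($m.FileName) but no such file is on disk"
        }
    }
}
```

On Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is not honoured at all, so an empty value there is expected; the findings worth acting on are a Deny ACE or a read failure on the key, a referenced DLL that Test-Path cannot see, and a module that is loaded but has no file behind it. Any of those is a reason to scan the volume from a clean boot environment rather than trust what the running system shows, which is exactly what the thread found when the hidden files reappeared once the trojan could no longer load.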
Newjack64

Not a problem jebschmied. I am glad that you figured out the problem. I also appreciate the feedback you gave me. It was good to hear your feedback on this situation. Congratulations with the fix!