Eyecu Posted August 31, 2008

Good day,

For the past week or so I've been trying to eradicate this Trojan.BZUB-IPV6 trojan that SAS keeps popping up a detection popup for on bootup. So far the three file names I can remember it reporting are:

c:\windows\system32\skeys.dll
c:\windows\system32\write.dll
c:\windows\system32\twunk_16.dll

The following is one of the scan logs with the registry entries it finds:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 08/29/2008 at 06:21 PM

Application Version : 4.20.1046

Core Rules Database Version : 3551
Trace Rules Database Version: 1539

Scan type : Quick Scan
Total Scan Time : 00:33:53

Memory items scanned : 429
Memory threats detected : 0
Registry items scanned : 477
Registry threats detected : 5
File items scanned : 18866
File threats detected : 1

Trojan.BZub-IPV6
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}
HKCR\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}
HKCR\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32
HKCR\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SKEYS.DLL
HKCR\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}

So far I've run SAS, Malwarebytes, HijackThis, and Trojan Hunter to attempt to get rid of this pesky rodent. I've run all of these in normal mode, safe mode, and safe mode with command prompt. Every time it says it successfully removed it, and on the next startup I don't get the warning, but on following startups I do. Any help would be appreciated.

P.S. For every other issue SAS has done extremely well. Good job on this product; I have been recommending it to everyone I know.
fatdcuk Posted August 31, 2008

Ok, first off, can you upload skeys.dll to the VirusTotal service for 36 second opinions? If it is being flagged by any of them there, then can you copy and paste the link to the VirusTotal report in your next reply: http://www.virustotal.com/

Next up we need to dig a bit deeper to see if another file is spawning the reappearance of the originally detected file(s).

Download a copy of Autoruns: http://technet.microsoft.com/en-us/sysi ... 63902.aspx

Run a scan, but then after it completes click Options. Check both "Verify code signatures" and "Hide signed Microsoft entries". This will make the list a lot shorter. Now press F5 to rerun the scan with the new settings. When this completes, click the File tab, then select "Export as" and save the log (autoruns.txt) to your desktop.

Copy and paste the contents of autoruns.txt to your next post.
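The two persistence points this thread turns on are the Browser Helper Objects list (where SAS found the CLSID pointing at SKEYS.DLL) and the Startup folder. The read-only PowerShell triage below is an added example, not code from the thread, from SUPERAntiSpyware or from Autoruns; it applies the same two Autoruns options fatdcuk asks for (verify code signatures, hide entries with a valid Microsoft signature) and assumes Windows PowerShell 3 or later run from an elevated prompt.

```powershell
# Added example: read-only triage of BHO registrations and Startup-folder items.
# It lists entries that are unsigned, badly signed, or whose file is missing,
# and hides those carrying a valid Microsoft signature. It deletes nothing.

function Resolve-StartupTarget([string]$Path) {
    # .lnk shortcuts are resolved to their target; anything else is taken as-is
    if ([IO.Path]::GetExtension($Path) -ne '.lnk') { return $Path }
    $shell = New-Object -ComObject WScript.Shell
    return $shell.CreateShortcut($Path).TargetPath
}

function Get-PersistenceEntries {
    $entries = @()
    # 1. BHOs: the BHO key names only a CLSID; the DLL path is the default value of
    #    HKCR\CLSID\{clsid}\InprocServer32 (the same key pair SAS listed for SKEYS.DLL)
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        foreach ($k in Get-ChildItem $bhoKey) {
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$($k.PSChildName)\InprocServer32"
            $dll = if (Test-Path $inproc) { (Get-ItemProperty $inproc).'(default)' } else { $null }
            $entries += [pscustomobject]@{ Source = 'BHO'; Name = $k.PSChildName; Path = $dll }
        }
    }
    # 2. Startup folders, per-user and all-users (where msoflex.exe was sitting)
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if (-not $dir) { continue }
        foreach ($f in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) {
            $target = Resolve-StartupTarget $f.FullName
            $entries += [pscustomobject]@{ Source = 'Startup'; Name = $f.Name; Path = $target }
        }
    }
    return $entries
}

function Get-SuspectEntries {
    foreach ($e in Get-PersistenceEntries) {
        $path = if ($e.Path) { [Environment]::ExpandEnvironmentVariables($e.Path).Trim('"') } else { $null }
        if (-not $path -or -not (Test-Path $path)) {
            # Dangling registration: the file is gone or unreadable, worth a look on its own
            $e | Add-Member -NotePropertyName Signature -NotePropertyValue 'FileMissing' -PassThru
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $isMicrosoft = ($sig.Status -eq 'Valid') -and
                       ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
        if ($isMicrosoft) { continue }   # "Hide signed Microsoft entries"
        $e | Add-Member -NotePropertyName Signature -NotePropertyValue $sig.Status -PassThru
    }
}

Get-SuspectEntries | Format-Table -AutoSize
```

Anything that survives the filter is a candidate for the VirusTotal check described above; a valid non-Microsoft signature is not proof of good intent, only that the file is worth looking at less urgently than an unsigned one.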
fatdcuk Posted September 1, 2008

lol, that's a large output log... like looking for a needle in a haystack.

Okay, can you please upload "msoflex.exe" to VirusTotal for malware checking and post back the results.

+ msoflex.exe c:\documents and settings\all users\start menu\programs\startup\msoflex.exe
Eyecu Posted September 1, 2008

Ok, well that seems to be the culprit. The VirusTotal site found that it was flagged as TR/Crypt.XPACK.Gen as per Avira.
fatdcuk Posted September 1, 2008

Okay, then boot into safe mode and delete the sucker.

If possible, can I grab a copy of it before ya nuke it, for distribution/research purposes? http://www.castlecops.com/f81-Unknown_Files.html

Start a new topic there titled for my attention and attach/upload the file with your post; no membership is required to do this.

LMK if the detections persist after its removal & a couple of reboots.
Eyecu Posted September 1, 2008

Thanks for all your help. The file is posted, I think. Can't tell; I attempted to attach it twice but it's not showing up on the thread. Topic title is Attn: Fatdcuk.

Thank you for all your help, greatly appreciated... My fiancée also says to say thank you, as it was on her computer that the infection was.
fatdcuk Posted September 1, 2008

Okay, just got your uploaded sample at CC, thank you for uploading.

http://www.virustotal.com/analisis/069c ... cb36eb7c28

ThreatExpert info: http://www.threatexpert.com/report.aspx ... 04fbe15fb6

I must advise you that this is a "password stealer" bot designed to harvest PSWs on the infected system. It is highly advisable that you change all your used passwords as a matter of priority.
Eyecu Posted September 1, 2008

Already on it. Figured as much. I'm pretty computer literate on the hardware/software side of things. This one just had me stumped, as no program I used found the base file... that msoflex.exe. Even though I saw it in the startup folder I should have googled it, but thought it was one of her graphics programs or something she uses. Anyways, I'm on the password changing. Thanks again.
fatdcuk Posted September 1, 2008

You're welcome, and I will also get your *bot* off to SAS HQ for inclusion in their target database.
Eyecu Posted September 2, 2008

Awesome. Just as an update, no further detection as of yet, so looks like we nailed it. Thanks again for all your help.
fatdcuk Posted September 3, 2008

All good then :)

As of Database Version 3555 - 09-02-2008, SAS now has your particular variant in its target database, so thank you again for uploading this malware variant.

Trojan.Dropper/Gen-NV
C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MALWARE SAMPLES\MSOFLEX.EXE