Welcome to SecurityForumz.com!

Update on my Trojan infection

 
jeffc

External


Since: Oct 29, 2004
Posts: 18



(Msg. 1) Posted: Fri Oct 29, 2004 12:12 am
Post subject: Update on my Trojan infection
Archived from groups: alt>comp>anti-virus

FYI:
Several weeks ago I started a thread asking for help with a "virus". I had
a very hard time with this one. It was finally discovered by Kaspersky
support staff. Here are some of the symptoms.
- can use IE, but cannot get to common anti-virus web sites or Windows
updates
- can use Google for searches, but IE exits whenever a search term such as
"virus" is used
- Outlook Express works, but some email addresses could not be used, such as
some anti-virus companies
- regedit will not run
- command line will not run, but exits if "dir" is executed on certain file
names
- Task Manager comes up, but Processes page is always blank
- can get to newsgroups with Outlook Express, but OE exits when trying to
get to alt.comp.anti-virus
- anti-virus programs such as Stinger will not run (although it would run if
renamed)
- anti-virus software installation programs will not run (even if renamed)

Needless to say, the above make the Trojan extremely difficult to detect and
remove. To make a *long* story short, since Kaspersky was one of the
anti-virus apps I tried to install, I asked them for help. They sent me a
tool called TroyanFindInfo that reported info from my registry and task list
and created a report. I sent a report to Kaspersky, and they asked for a
few of the files. They then identified 2 of the files as containing the
trojan. I then used a utility called Iarsn TaskInfo2003 to display running
processes. The 2 were running as a service and I stopped them. All the
above problems went away. I then ran Kaspersky AV and it identified
DLLSTAT32.EXE and SVCXNV32.EXE as Backdoor Trojans. Their name for these is
Aebot.k and Pigbot.a respectively. Apparently other AV companies have
different names for these Trojans. Also, my hosts file was corrupted with
multiple entries to the types of web sites mentioned above, and I cleared
that out. As far as I can tell, nothing was "taken" from my computer in
terms of credit card numbers, etc. Not sure if this was a random "hit"
looking for a bigger network to play on or what.

Thanks to those who helped. By the way, I still am not able to access my
WinXP machine from my Win98 machine as connected through my router. But
that is for a rainy day...
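
The hosts-file tampering described in the post above (entries pointing anti-virus and update sites elsewhere) can be checked for with a short audit script. This is an added example, not part of the original thread and not any tool named in it; the watch list of domains and the sample hosts content are assumptions constructed for illustration.

```python
import ipaddress

# Assumed watch list: domains a self-protecting trojan has reason to block.
# Illustrative only; extend it with the vendors and update hosts you rely on.
WATCHED_SUFFIXES = ("kaspersky.com", "mcafee.com", "windowsupdate.com",
                    "microsoft.com")


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an address: skip
        for name in fields[1:]:               # one line may map several names
            yield line_no, str(addr), name.lower().rstrip(".")


def is_watched(hostname, suffixes=WATCHED_SUFFIXES):
    """True if hostname equals a watched domain or is a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in suffixes)


def audit_hosts(text, suffixes=WATCHED_SUFFIXES):
    """Return every hosts entry that overrides DNS for a watched domain."""
    return [(n, a, h) for n, a, h in parse_hosts(text) if is_watched(h, suffixes)]


# Constructed sample, not taken from the infected machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.kaspersky.com kaspersky.com
127.0.0.1       WindowsUpdate.Microsoft.com   # injected
0.0.0.0         download.mcafee.com.
192.168.1.20    fileserver
127.0.0.1       kaspersky.com.example.net
"""

if __name__ == "__main__":
    for line_no, addr, host in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr}")
```

On Windows XP the file to pass in is `%SystemRoot%\system32\drivers\etc\hosts`; any hit for a vendor or update domain is worth investigating, since a clean install maps only `localhost`.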

rjdriver

External


Since: May 25, 2004
Posts: 13



(Msg. 2) Posted: Sat Oct 30, 2004 9:08 am
Post subject: Re: Update on my Trojan infection
Archived from groups: per prev. post

"jeffc" wrote in message

> FYI:
> Several weeks ago I started a thread asking for help with a "virus". I had
> a very hard time with this one. It was finally discovered by Kaspersky
> support staff. Here are some of the symptoms.
> - can use IE, but cannot get to common anti-virus web sites or Windows
> updates
> - can use Google for searches, but IE exits whenever a search term such as
> "virus" is used
> - Outlook Express works, but some email addresses could not be used, such as
> some anti-virus companies
> - regedit will not run
> - command line will not run, but exits if "dir" is executed on certain file
> names
> - Task Manager comes up, but Processes page is always blank
> - can get to newsgroups with Outlook Express, but OE exits when trying to
> get to alt.comp.anti-virus
> - anti-virus programs such as Stinger will not run (although it would run if
> renamed)
> - anti-virus software installation programs will not run (even if renamed)
>
> Needless to say, the above make the Trojan extremely difficult to detect and
> remove. To make a *long* story short, since Kaspersky was one of the
> anti-virus apps I tried to install, I asked them for help. They sent me a
> tool called TroyanFindInfo that reported info from my registry and task list
> and created a report. I sent a report to Kaspersky, and they asked for a
> few of the files. They then identified 2 of the files as containing the
> trojan. I then used a utility called Iarsn TaskInfo2003 to display running
> processes. The 2 were running as a service and I stopped them. All the
> above problems went away. I then ran Kaspersky AV and it identified
> DLLSTAT32.EXE and SVCXNV32.EXE as Backdoor Trojans. Their name for these is
> Aebot.k and Pigbot.a respectively. Apparently other AV companies have
> different names for these Trojans. Also, my hosts file was corrupted with
> multiple entries to the types of web sites mentioned above, and I cleared
> that out. As far as I can tell, nothing was "taken" from my computer in
> terms of credit card numbers, etc. Not sure if this was a random "hit"
> looking for a bigger network to play on or what.
>
> Thanks to those who helped. By the way, I still am not able to access my
> WinXP machine from my Win98 machine as connected through my router. But
> that is for a rainy day...

Thanks Jeff. Interesting information on what appears to be a very well
protected trojan.



Bob
