Mischel Internet Security Forum, Malware > Trojans
Topic: TrojanClicker.mscfg.100 (Read 2044 times)
stevem99 (Newbie, Posts: 3)
« on: Apr 23rd, 2006, 12:24pm »

A few days ago I started to get a warning from my Trend Micro Firewall that an application was trying to connect to the internet using port 25. The file was in my local user temp folder and was named "57exmodul32.exe". I deleted this file, but variations are still being created, such as 45exmodul32.exe. Almost every day it creates a new file and tries to connect to the internet, sometimes at startup but not always. I tried several trojan programs, but Trojan Hunter was the only one to detect TrojanClicker.mscfg.100 registry entries.
 
Registry key exists: HKEY_CLASSES_ROOT\mscfg.Cfg.1 (matches TrojanClicker.mscfg.100)
Registry key exists: HKEY_CLASSES_ROOT\mscfg.Cfg (matches TrojanClicker.mscfg.100)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{40205287-E793-41AC-B95C-D8D064BA33CA} (matches TrojanClicker.mscfg.100)
 
Trojan Hunter cleaned the files, but somewhere there is a higher level program that recreates these reg entries and the modul32.exe files in my temp folder, and is not being detected by Trojan Hunter or my Trend AV program.
 
I am not absolutely sure these reg entries and the modul32.exe file are related, but it is most likely the same trojan. My question is: how do I find and eradicate the file that is creating all this?
 
Thanks for any help.
siliconman01 (Global Moderator, Posts: 7358)
« Reply #1 on: Apr 23rd, 2006, 12:31pm »

Run a disk search for modul32 and then also for mscfg.
 
Post back what you find and where they are located.

______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.

stevem99 (Newbie, Posts: 3)
« Reply #2 on: Apr 23rd, 2006, 4:15pm »

There are no files *modul32* except the ones that I have deleted, which are in the recycler.

I did find an mscfg.dll file in the system32 folder. When I check the company name in the version tab it says TODO and version 1.0.01, and the date modified shows the same date as when this trojan started. Very suspicious.

Also, I forgot to mention that ".nvsvc smss.exe /w" is periodically put into my startup, as I see in my msconfig startup tab.

And now TrojanHunter just reported it removed blackhole109 from my system.

Maybe I do have multiple trojans... damn
siliconman01 (Global Moderator, Posts: 7358)
« Reply #3 on: Apr 24th, 2006, 12:20am »

Please submit the mscfg.dll, nvsvc.exe, and smss.exe files per the instructions found at

http://forum.misec.net/board/FAQ/1139308293

I'd recommend renaming it on your system to, say, mscfgBAD.dll until you get the results back from the analysis.
 
I also strongly recommend that you do a few remote scans starting with Kaspersky.  It sounds to me like you have a worm.
 
http://forum.misec.net/board/FAQ/1141894786
 
« Last Edit: Apr 24th, 2006, 12:25am by siliconman01 »

Gavin_Coe (Trojan Analyst, Posts: 3912)
« Reply #4 on: Apr 24th, 2006, 4:22pm »

You sent me some files? I've added detection for everything (dropped files etc.), that's why the BlackHole detection. This was actually just because TH already detected the keyhooker.

I'd suggest sending me a HijackThis log at the submit address, and also changing any important passwords etc.
stevem99 (Newbie, Posts: 3)
« Reply #5 on: Apr 25th, 2006, 3:47pm »

I just sent the 2 files... Thanks for the help!
lesley (Newbie, Posts: 5)
« Reply #6 on: May 10th, 2006, 3:52am »

I have come across this as the same symptoms have turned up on my PC, except that the file detected by AVG in C:\documents and settings\username\local settings\temp\XXmodul32.exe is reported as Proxy.cfs.

Is there yet a way to detect and delete the file that starts all this happening?
Gavin_Coe (Trojan Analyst, Posts: 3912)
« Reply #7 on: May 10th, 2006, 4:34pm »

Can you get a sample of that file to me? Zipped and passworded would be best.

I did update detection for the particular variant suffered in the original post, and with the update it should have resolved the issue. So if you can get the file to me, we can help for sure.

Alternatively, scanning in Safe Mode with your scanner might be enough to stop it. Doesn't it take care of it after a clean/reboot?
lesley (Newbie, Posts: 5)
« Reply #8 on: May 11th, 2006, 4:27am »

We followed your instructions from above. The ".nvsc smss.exe /w" entry was in the registry, which we removed. We found no mscf files on the system. We found smss.exe in C:\windows\system as well as in C:\windows\system32 and C:\windows\system32\dllcache; the two under system32 both showed as Microsoft files when the cursor was placed on them, so we deleted the one in system and left the ones under system32. We then downloaded the test version of Hunter and scanned the PC and found nothing else; we were hoping to find what had started it all. As we have deleted the files we cannot supply copies; if it comes back we will copy the files before we start the repair.

Thanks for the helpful info, Lesley
lesley (Newbie, Posts: 5)
« Reply #9 on: May 17th, 2006, 2:03am »

Hi. After only a few days of clean running it is all back. There is an entry in the registry as before, HKLM\software\microsoft\windows\run, which sets off the smss.exe /w. I found smss.exe in C:\windows\system, C:\windows\system32, C:\windows\system32\dllcache, and in C:\cmdcons\system32. These create xxexmodule32.exe (where the xx is just any two numbers); these are always in C:\documents and settings\cuan\local settings\temp, "cuan" being the user name. AVG is not now reporting the file as a problem, but when they try to run they are reported as a run time error. I searched for but did not find a file with mscf, although when I searched the registry there is an entry there for mscf, but I am not sure what it represents.
I have gone into regedit and exported the registry from the top. I have copies of C:\windows\system\smss.exe and C:\cmdcons\smss.exe, and I have copies of xxexmodule32.exe.
These are all zipped into one file with a password of "password". What would you like me to do with the file? Trojan Hunter has been updated but still does not find anything.

Lesley
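For anyone triaging the same symptoms, the following is an added example (not from the thread or from TrojanHunter) that checks, read-only, for the indicators the posters describe: the three registry keys from the first post, Run-key entries that launch "smss.exe /w", the NNexmodul32.exe droppers in the user's temp folder, copies of smss.exe outside System32, and mscfg.dll in System32. It assumes Windows PowerShell on the affected machine and reports only, so that samples can still be zipped and submitted for analysis.

```powershell
# Added example, not from the thread: read-only triage of the indicators the posters
# describe. It reports and never deletes, so samples can still be zipped for analysis.
$findings = @()

# 1. Registry keys Trojan Hunter matched to TrojanClicker.mscfg.100 (from the first post)
$regKeys = @(
    'Registry::HKEY_CLASSES_ROOT\mscfg.Cfg',
    'Registry::HKEY_CLASSES_ROOT\mscfg.Cfg.1',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{40205287-E793-41AC-B95C-D8D064BA33CA}'
)
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# 2. Run-key entries launching "smss.exe /w" (the .nvsvc startup item seen in msconfig)
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    foreach ($p in (Get-ItemProperty -Path $rk).PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'smss\.exe\s+/w|nvsvc') {
            $findings += "Run entry '$($p.Name)' = '$($p.Value)' ($rk)"
        }
    }
}

# 3. Dropped NNexmodul32.exe files in the user's temp folder (NN = two digits)
foreach ($f in (Get-ChildItem -Path $env:TEMP -Filter '*modul32*.exe' -ErrorAction SilentlyContinue)) {
    $findings += "Temp dropper: $($f.FullName) modified $($f.LastWriteTime)"
}

# 4. Copies of smss.exe outside System32: report each with its Authenticode status
$sys32 = Join-Path $env:SystemRoot 'System32'
foreach ($f in (Get-ChildItem -Path "$env:SystemDrive\" -Filter 'smss.exe' -Recurse -Force -ErrorAction SilentlyContinue)) {
    if ($f.DirectoryName -like "$sys32*") { continue }
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $findings += "smss.exe outside System32: $($f.FullName) (signature: $($sig.Status))"
}

# 5. mscfg.dll in System32, whose version info showed company 'TODO' in the thread
$dll = Join-Path $sys32 'mscfg.dll'
if (Test-Path -LiteralPath $dll) {
    $vi = (Get-Item $dll).VersionInfo
    $findings += "mscfg.dll present: company='$($vi.CompanyName)' version='$($vi.FileVersion)'"
}

if ($findings.Count -eq 0) { 'No indicators from this thread were found.' } else { $findings }
```

A reported smss.exe is not automatically malicious (the thread itself lists copies under dllcache and cmdcons), so compare the signature status and submit any unsigned copy rather than deleting it.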
siliconman01 (Global Moderator, Posts: 7358)
« Reply #10 on: May 17th, 2006, 2:11am »

Lesley,

Sorry to hear that you have been revisited by the Internet criminals.
 
Please send the files you have zipped and password protected as per the instructions in the link below:
 
http://forum.misec.net/board/FAQ/1139308293
lesley (Newbie, Posts: 5)
« Reply #11 on: May 17th, 2006, 2:20am »

They will be on their way in the next few minutes.
lesley
lesley (Newbie, Posts: 5)
« Reply #12 on: May 31st, 2006, 3:24am »

Hi there, did the files arrive? If so, have you been able to find anything?
Gavin_Coe (Trojan Analyst, Posts: 3912)
« Reply #13 on: Jun 1st, 2006, 10:51am »

Pretty sure they did, I always reply by email after analysing files. You should be able to detect them with the latest update if they are trojans.
 
I'd suggest a scan in Safe Mode just in case!