Trojan on WIN386.SWP file

Hi,

I'm not very familiar with all the virus and malware problems, but I took a look on the net before posting here.

I'm on XP.
I had the "svchost.exe false positive issue" and solved it by following the avast advice.

But when scanning with avast, it finds a trojan Win32:Tibs-DGG [trj] in the file WIN386.SWP.

When I ask to put it into quarantine, avast tells me the disk does not have enough space, which is not the case, because WIN386.SWP is 163 MB and my disk has many GB available.

By the way, it seems this swap file must not be removed.

So I ran a lot of antispyware tools (Spybot, Ad-Aware, AVG AS) and cleaned with CCleaner.

Then I made a HijackThis log, here:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:53:13, on 22/08/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
F:\Program Files\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Avast4\aswUpdSv.exe
D:\Program Files\Avast4\ashServ.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\PROGRA~1\Avast4\ashDisp.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\Mixer.exe
D:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
F:\Program Files\AVG Antispyware\AVG Anti-Spyware 7.5\avgas.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Office97\Office\OSA.EXE
E:\Office97\Office\FINDFAST.EXE
D:\WINDOWS\system32\spoolsv.exe
F:\Program Files\AVG Antispyware\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\Program Files\Avast4\ashWebSv.exe
D:\Program Files\Avast4\ashMaiSv.exe
F:\A_graver\Hijackthis\Scanner.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\xp\utils\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [avast!] D:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [basicsmssmenu] "D:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM..\Run: [!AVG Anti-Spyware] "F:\Program Files\AVG Antispyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Démarrage d'Office.lnk = E:\Office97\Office\OSA.EXE
O4 - Startup: Microsoft Recherche accélérée.lnk = E:\Office97\Office\FINDFAST.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Tout télécharger avec FlashGet - D:\PROGRA~1\FLASHGET\jc_all.htm
O8 - Extra context menu item: &Télécharger avec FlashGet - D:\PROGRA~1\FLASHGET\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\AVG Antispyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Basics Service - Seagate Technology LLC - D:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Système d'événements de COM+ (EventSystem) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

End of file - 6625 bytes

Many thanks in advance if someone can solve my problem.

Cheers.

well, we do not want that swap back active again, do we
quick check on the DGG variant did not find much
what version of Spybot? Did you ever have 1.3 or 1.4 installed?
did you update Spybot Wednesday and re-immunize, run CCleaner, then run a scan? (so no cookies)

after that
I'd start with a rt click on the ball, update avast "program", then rt click and schedule a boot time scan
then a scan with both Malwarebytes RogueRemover and the Anti-Malware free scan
report back
run Secunia Software Inspector and report

If someone else is familiar with this trojan or XP swap file infections, jump in here

Hi Paillade,

To delete Win386.swp on start up, go to your Autoexec.bat file in C:\, right click and choose "Edit"...

Type this:

rem go to the root of the current drive, then into the Windows folder
cd\
cd windows
rem remove the swap file; Windows recreates it at next start
del win386.swp
cd\

Or make a file with notepad where you type this, and save this as swap.batch

With HijackThis, fix the following entries:
D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
C:\WINDOWS\System32\svchost.exe (file missing). This is a nasty one.

Upload to VirusTotal: D:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
to check if some scanners flag this, but if this is the info you have on it:
http://www.whatsrunning.net/whatsrunning/QueryProcessID.aspx?Process=16649
it is OK,

Update IE6 to IE7, or install the Firefox or Flock browser with the NoScript extension.

I wish you a good weekend!

polonus
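As an added illustration (not code from this thread or from HijackThis), a small Python checker that reads HijackThis-style entry lines and flags the two things polonus is pointing at: an entry marked "(file missing)", and a core Windows binary referenced from a different drive than the one Windows is running from (here C:\ while the log shows Windows on D:\). The sample lines are constructed in the shape of the log posted above; the set of "system binaries" is an assumption, not a HijackThis list.

```python
import re

# Constructed sample lines in the shape of the HijackThis log posted above
# (not the poster's full log).
SAMPLE_LOG = r"""
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\svchost.exe

O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Avast4\ashServ.exe
O23 - Service: COM+ Event System (EventSystem) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
""".strip()

# Assumed list: core Windows binaries that should only ever load from the Windows drive.
SYSTEM_BINARIES = {"svchost.exe", "smss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "explorer.exe", "ctfmon.exe"}
# First "X:\...\name.exe|dll|ocx" path on a line (drive letter captured).
PATH_RE = re.compile(r"([A-Za-z]):\\.*?\.(?:exe|dll|ocx)\b", re.IGNORECASE)


def windows_drive(log_text):
    """Infer the drive Windows runs from: the first line that starts with a drive letter and the WINDOWS folder."""
    m = re.search(r"^([A-Za-z]):\\WINDOWS\\", log_text, re.IGNORECASE | re.MULTILINE)
    return m.group(1).upper() if m else None


def flag_entries(log_text):
    """Return (line, [reasons]) pairs for entry lines that deserve a closer look."""
    drive = windows_drive(log_text)
    findings = []
    for line in log_text.splitlines():
        if not re.match(r"[RO]\d+ - ", line):
            continue  # only HijackThis entry lines, not the process list
        reasons = []
        if "(file missing)" in line.lower():
            reasons.append("entry marked (file missing): the target is gone but the hook remains")
        m = PATH_RE.search(line)
        if m and drive:
            entry_drive = m.group(1).upper()
            name = m.group(0).rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_BINARIES and entry_drive != drive:
                reasons.append(f"{name} referenced on drive {entry_drive}: while Windows runs from {drive}:")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in flag_entries(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Entries that only use %systemroot% (like the KernelFaultCheck line) carry no drive letter and are left alone; the EventSystem line is reported for both reasons.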

thanks polonus
If I remember correctly, Windows will recreate the swap file, all clean

Yes.

Hi wyrmrider,

Hi you Tech, you beat me to it, man. Wyrmrider, you remembered that right, it will set the default swap file back. The first method I gave is a change to the autoexec.bat file if the swap file has maliciously run out of proportion (remember the days of Win98 SE); the second is a way to do it on a later OS. Also you can see that Paillade had a vulnerable version of IE on his box; he should update to version 7. Also Service Pack 2 would be advisable to install.

polonus

right
thanks tech / polonus
after he gets the immediate things done, I'd recommend running the Secunia Software Inspector and getting all of his software current

Many thanks for all your answers!
I'm busy with other stuff all weekend, but I will work on that on Sunday night or Monday and keep you informed of the progress.
Thanks again.

  • To Wyrmrider: I have Spybot version 1.5.2.20, and I have run it with all the updates.
    For the other things you wrote, I'm sorry but I didn't catch everything...

  • To Polonus,

1/ I don't find any autoexec.bat. Do I need to do the thing you propose with the Notepad file?

2/ Actually, I use only Firefox and I thought I had completely uninstalled IE, but it's indeed not the case. I then tried to uninstall it in a clean way (with the Add/Remove Programs menu) but I don't find it anywhere.
So I went to the Program Files directory and found an IE directory. I tried to remove it, but it gives me a message saying that "the resource is used by another person or another program"...

3/
“With hijackthis fix the following entries:
D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -”

How do I fix that?

4/
"Upload to VirusTotal: D:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
to check if some scanners flag this, but if this is the info you have on it:
http://www.whatsrunning.net/whatsrunning/QueryProcessID.aspx?Process=16649"

What do you mean by "Upload to VirusTotal"?

Thanks, I'm waiting for your advice, especially for the removal of the swap file.

Good evening.

great questions
measure twice cut once

1
let's not fool with autoexec.bat
use the other method
open Notepad and type in the text exactly as polonus mentioned
then
Save As
make a folder in your Program Files folder, deleteswap
and save as swap.batch
then go
RUN and navigate to programfiles/deleteswap/swap.batch
click OK or whatever and wipe that win386.swp file

2
Even if you only use Firefox and just use IE for Windows Update and other things that require it, keep it up to date
trying to remove it completely takes real expertise and could completely hose your system

3
shut down all open windows, including this one
run HijackThis again
put checkmarks next to the entries polonus mentions
then click FIX CHECKED

then
I'd start with a rt click on the ball, update avast "program", then rt click and schedule a boot time scan
reboot
then a scan with both Malwarebytes RogueRemover and the Anti-Malware free scan (ignore the buy-now screen)
post the log if it finds anything
then
shut down all browser windows and run HJT again
open your browser and
post the new HJT log here and any other logs

4
open Firefox and go to VirusTotal
use the upload/search function to find that file
upload
if avast objects, then PAUSE the standard scan while you do this (rt click on the ball)
post a link to the results here

Hi Paillade,

I repeat it for you, but wyrmrider has beaten me to it.

I'll help you out here. Save what is below in a Notepad txt file and save it as swp.bat
on your desktop, then left click on it; you see a black window flash by, that is all.

rem go to the root of the current drive, then into the Windows folder
cd\
cd windows
rem remove the swap file; Windows recreates it at next start
del win386.swp
cd\

To fix something with HijackThis, run HijackThis and only checkmark the boxes before
D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
Then click FIX CHECKED.

Upload to VirusTotal:
Go to the page of virustotal.com with your browser.
In the box/field on this site, search on your computer for the file you want to have scanned.
Then click, and it is sent to the various scanners VirusTotal scans online against.
Later you get the results report; then you post a txt file of that in your next posting.

polonus

Hi wyrmrider,

He has to attach a txt file of what VirusTotal reports, or a link to his query, else we won't know much.

pol

and he has to save that batch file as .bat not .batch
brain fade here

I’ll be out for an hour or so

Hi wyrmrider,

Corrected, it is saved as swf.bat and then click; thanks for keeping typos out.

pol

Hi again,

I wrote the Notepad file, typed your text, saved it as swf.bat, double-clicked on it, nothing happened, the swap file is still here.
Is there not a problem of directory path? Since it seems to me (with my poor computer knowledge) that you specify a directory Windows, whereas my swap file is at the root of my F:\ hard drive partition.

Now going to sleep, cheers.

So, write down:

rem switch to the F: drive first (cd alone does not change drive), then go to its root, where the swap file is
F:
cd\
del win386.swp
cd\

Hi Tech,

There is also a way to do it on close down:
In Win XP Professional, the Group Policy Editor has a security option to clear the pagefile at
system shutdown. The same setting also forces the hibernation file to be wiped at shutdown.
To change the setting, click Start, Run, type GPEDIT.MSC click OK.
Drill down to Computer Configuration, Windows Settings, Security Settings, Local Policies,
Security Options. In the right pane, find “Shutdown: Clear virtual memory pagefile”.
The default is “Disabled”.
If you enable it, be warned that deleting the pagefile takes such a long time to complete that
you may think that shutdown has hung up. It will SUBSTANTIALLY increase the shutdown time.

polonus

Hi,

The swap file has finally disappeared (I don't know how...), but after rebooting Windows, no more swap file; it has not been recreated as planned!

And it seems that my PC runs more and more in a weird way...

By the way, I ran the avast boot scan, Malwarebytes Anti-Malware and lots of other software, and nothing special seems to be infected, except that avast told me I have two corrupted rar archives (with mp3 inside).

Also since then, I have updated Spybot and it seems that I now have a process (teatimer.exe) that's new and that doesn't want to close when I shut off Windows... (too many problems at a time for a newbie like me!). So I kill it each time I quit Windows.

Another new strange behaviour: when I right click on the avast ball to run a scan, it checks lots of files as usual, but afterwards it stops, and I have to re-run it to launch a scan...

And finally, I wrote a post yesterday, posted it, and it never appeared here...

Perhaps someone has put a spell on me? :)

Thanks a lot if you can keep on helping me...

Bye.

Hi,

Any idea how to restore my swap file?

Thanks.
Bye.

did Windows recreate it on C:?
try to change the size, or change from automatic to fixed size, and see what happens