windows apps and punctuation

djpolstee

Senior member
Sep 25, 2004
Yea, so I'm working on a laptop that seems to have the troj.haxdoor.b. In the registry, there's a key for it in "hkey_/.../.../run" for "mszx32" = "c:\windows\system32\mszc32.exe !!"

My question is, what does the "!!" signify? What does it do??

Yea, sorry, Google didn't help me.
 

screw3d

Diamond Member
Nov 6, 2001
It's just part of the filename..

If you know for sure that it is a trojan, just remove that key!
 

djpolstee

Senior member
Sep 25, 2004
Yea, well this is just part of the problem.

Removing the key does not work.

Back to the original question. If !! were part of the file name, then why would there be a space in between the exe and the !!?
 

screw3d

Diamond Member
Nov 6, 2001
The space is also part of the filename.. you are aware that '!' and ' ' are both valid characters for filenames? It's just a filename the author decided to give.

What do you mean removing the key does not work? It comes back after a restart? That probably just means the trojan is adding the registry entry.. run antivirus in safe mode?
 

djpolstee

Senior member
Sep 25, 2004
Ok, if this is what you're looking for... the troj, as mentioned above, is rewriting keys and even files as I del them. Even in safe mode running different antivirus scans and progs. The troj even rewrites things in safe mode, so this says to me that the kernel is hooked.

!! to me is some sort of signifier to the code that the program is executing. Just like to run a rootkit hidden, you would run the command "asdf.exe hidden". In these cases, hidden is not a part of the filename; instead it is a command that is being executed along with the prog.
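Both readings argued in this thread can be checked rather than guessed. Windows resolves an unquoted Run value the way CreateProcess does: it tries progressively longer whitespace-delimited prefixes as the program path and hands the remainder to the program as arguments. The function below (an added illustration, not code from any poster; the two file sets are constructed to stand in for the real filesystem) shows which interpretation wins depending on which file actually exists on disk.

```python
import ntpath
import re


def resolve_unquoted_command(cmdline, exists):
    """Emulate CreateProcess resolution of a Run-key command line.

    For an unquoted line, each whitespace-delimited prefix is tried as the
    program path (".exe" is appended when the prefix has no extension) and
    the rest of the line becomes the argument string.  `exists` is a
    predicate over candidate paths so the check runs offline.
    Returns (program_path, arguments), or None when nothing resolves.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        # Quoted program name: the path is everything up to the closing quote.
        end = cmdline.find('"', 1)
        if end == -1:
            return None
        prog, rest = cmdline[1:end], cmdline[end + 1:].strip()
        return (prog, rest) if exists(prog) else None
    # Every whitespace run is a candidate split point; the full line is last.
    splits = [m.start() for m in re.finditer(r"\s+", cmdline)] + [len(cmdline)]
    for pos in splits:
        prefix = cmdline[:pos]
        candidate = prefix if ntpath.splitext(prefix)[1] else prefix + ".exe"
        if exists(candidate):
            return candidate, cmdline[pos:].strip()
    return None


def make_exists(files):
    """Case-insensitive existence check over a constructed set of paths."""
    lowered = {f.lower() for f in files}
    return lambda path: path.lower() in lowered


# The value quoted in the thread, and two constructed disk layouts:
# one where "!!" is an argument, one where it is part of the filename.
RUN_VALUE = r"c:\windows\system32\mszc32.exe !!"
FILES_ARGUMENT_READING = {r"c:\windows\system32\mszc32.exe"}
FILES_FILENAME_READING = {r"c:\windows\system32\mszc32.exe !!"}

if __name__ == "__main__":
    for label, files in (("argument", FILES_ARGUMENT_READING),
                         ("filename", FILES_FILENAME_READING)):
        print(label, resolve_unquoted_command(RUN_VALUE, make_exists(files)))
```

On a live system, replace `make_exists` with `os.path.isfile` to see which file the entry really launches; if the shorter path exists, "!!" reaches the program as its command-line argument.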
 

djpolstee

Senior member
Sep 25, 2004
ok, well, I think that I killed half of it, cuz it's no longer appearing in HijackThis. I still can't del the mszc32.exe however. But anyways, here's the log for giggles

Logfile of HijackThis v1.99.0
Scan saved at 4:32:21 PM, on 2/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
F:\utils\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...l.trendmicro.com/housecall/xscan53.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe