TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Gar999 on February 28, 2005, 11:24:18 AM
-
I'm attempting to sort out my niece's computer and I'd appreciate some help and advice.
When I first got it, it was a mess, Norton was disabled and msconfig couldn't be opened. It was running very, very slowly. After reading a few threads it was clear that there was a problem with a trojan.
Using the following thread as a guide, I've been attempting to clean the system up.
Other Thread: http://www.thetechguide.com/forum/lofiversion/index.php/t12681.html
So far I've:
Disabled NT Login Service
Restored original hosts with HOSTER
Downloaded TDS-3, updated the latest Radius file and used it to scan in safe mode. I then deleted all POSITIVE ID'ed alarms
Downloaded AD AWARE 1.05, updated it and scanned the system(full scan in safe mode) and removed all bad objects.
After restart I've used Windows CleanUp in safe mode.
Restarted in Normal mode and ran the Trend Micro online scan and deleted all bad files that were found.
Here's the latest HJT log, I'd appreciate if someone might check it for me and tell me how I'm doing so far.
Logfile of HijackThis v1.99.1
Scan saved at 15:45:53, on 28/02/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ltmsg.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Celine\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\Run: [sssasasb32] C:\WINDOWS\sssasasb32.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteswy32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
-
Can you download and save to the desktop
the file I've uploaded
[attachment=44:attachment]
UNZIP the contents to your desktop, now you will have Elite.reg on the desktop
We'll need this later
Print the rest of this out please, or save to a Notepad file on the desktop
Close down all browser windows
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
Access the add/remove programs and remove if found
Elitebar or similar, don't restart yet
Find and delete these files or folders if they exist
C:\WINDOWS\shch.exe <--this file
C:\WINDOWS\sssasasb32.exe <--file
C:\windows\system32\eliteswy32.exe <--file
C:\windows\EliteSideBar <--folder, if found
C:\windows\Elitebar or similar
Do another scan with Hijackthis and put a check next to these entries:
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\Run: [sssasasb32] C:\WINDOWS\sssasasb32.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteswy32.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Stay in safe mode and run Windows CleanUp! one more time
Don't log off or Restart yet
Double click on Elite.reg and allow it to merge to the registry
Restart back to Normal mode
This would be a good time to Reinstall Norton's and update and run a full virus scan
If you don't intend on reinstalling Norton's and need a free solution let me know, I can link you to one
Post back with a fresh Hijackthis log afterwards
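The entries the helper singled out above share a few visible cues: a hosts-file line pointing a domain at a fixed address, a BHO whose DLL is missing, Run entries whose executables sit directly in C:\WINDOWS, a Run name with a capital I dropped into a lowercase word so it passes for "Scheduler", and a filename containing the EliteBar/Elitum family name. The script below is an added example written for this page, not code from the thread or from HijackThis; it parses O1/O2/O4 lines with those heuristics (the heuristics are my own approximations, not HijackThis's logic) over a sample copied from the log posted earlier in the thread.

```python
"""Triage helper for HijackThis O1/O2/O4 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\Run: [sssasasb32] C:\WINDOWS\sssasasb32.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteswy32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag: O1, O2 or O4
    item: str      # Run name, BHO CLSID or hosts entry
    severity: str  # "suspicious" (act on it) or "review" (look, but usually benign)
    reason: str


O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

WINDOWS_ROOT = "c:\\windows"            # legitimate Run entries almost never live here
LOOKALIKE_RE = re.compile(r"[a-z]I[a-z]")  # capital I inside a lowercase word (SheduIer ~ Scheduler)
FAMILY_MARKER = "elite"                  # EliteBar/Elitum, the family this thread is cleaning up


def executable_path(cmd: str) -> str:
    """Return the program path from a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_hjt_log(text: str) -> list:
    """Scan log lines and return one Finding per heuristic that fires."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O1_RE.match(line):
            # Any hosts mapping other than loopback is a redirect worth removing.
            if m["ip"] not in ("127.0.0.1", "::1"):
                findings.append(Finding("O1", f"{m['ip']} {m['host']}", "suspicious",
                                        "hosts file redirects a domain to a fixed address"))
        elif m := O2_RE.match(line):
            if m["path"] == "(no file)":
                findings.append(Finding("O2", m["clsid"], "suspicious",
                                        "BHO registered but its DLL is missing (orphan entry)"))
        elif m := O4_RE.match(line):
            name = m["name"]
            directory, _, filename = executable_path(m["cmd"]).rpartition("\\")
            if LOOKALIKE_RE.search(name):
                findings.append(Finding("O4", name, "suspicious",
                                        "Run name hides a capital I in a lowercase word (look-alike name)"))
            if FAMILY_MARKER in filename.lower():
                findings.append(Finding("O4", name, "suspicious",
                                        f"{filename} carries the EliteBar/Elitum family name"))
            if directory.lower() == WINDOWS_ROOT:
                findings.append(Finding("O4", name, "suspicious",
                                        f"{filename} runs straight from the Windows folder"))
            elif not directory:
                findings.append(Finding("O4", name, "review",
                                        f"{filename} has no path and is found through the search path"))
    return findings


def suspicious_items(text: str) -> set:
    """Convenience view: the items a helper would tell the poster to fix."""
    return {f.item for f in triage_hjt_log(text) if f.severity == "suspicious"}


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_LOG):
        print(f"{f.section} [{f.severity}] {f.item}: {f.reason}")
```

Run against the sample, the five "suspicious" items are exactly the hosts line, the orphan BHO CLSID and the three Run entries the helper asked to have fixed; ltmsg.exe (the modem helper) is only marked "review" because it is loaded by bare filename. Heuristics like these are a starting point for reading a log, not a verdict; the benign Roxio and ctfmon entries pass precisely because they sit under full vendor or System32 paths.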
-
Progress I hope! So far I've:
In SAFE MODE
Checked for Elitebar in Add/Remove programs list. Not listed.
Deleted those files you listed
Fixed the Hijack files listed
Run Windows CleanUp
Used the Elite.reg file
RESTARTED - Back to NORMAL mode
Reinstalled Norton and updated. (This took forever, I'm still using dialup)
Did a full system scan, 3 infected files were found.
C.bat listed as Bat.Trojan
TFTP1912 listed as W32.spybot.worm
TFTP2900 listed as W32.spybot.worm
Are these serious? Sort of pissed, thought the system was nearly clean. I've quarantined the 3 of them. Thanks for all the help!!!
Here's the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 21:53:15, on 01/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ltmsg.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Celine\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Log looks good
If everything is running better
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link: https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
You're way behind on Windows Updates, this is very important in keeping the system secure
http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx
Before installing Service pack2 I usually recommend running an Online virus scan
at either
Housecall's or Panda's
Make sure you check for updates with Ad-Aware and run a scan
Restart the computer
Empty those temp folders, do a Disk CleanUp
Temporarily Disable any Security software such as Trojan Guard before visiting so it won't interfere with the installation
Stay safe
-
Ok,
SpywareBlaster & IE-SpyAd installed, updated and running.
I also installed Spybot S&D, updated and immunised. Do you know if having all these spyware programs installed together will cause any problems (conflicts)?
XP SP2 installed and updated (This took awhile)
One last thing after scanning with Spybot S&D, it found 2 bad entries listed as Elitum - Elitebar. Spybot has failed to remove these entries even on startup stating that they cannot be removed. Should I worry or are these entries just harmless remnants of past nasties?
Gar999
-
They won't conflict
Actually I use Spyware Blaster>>IE-Spyad>>Spybot Immunization feature
and SpywareGuard on my system
Don't notice any conflicts at all
If you could
Would you run another scan with Spybot
When it's done scanning Right click on the results and Save a report to desktop
And then post that back here, thanks
-
Here's the Spybot S&D log:
Elitum.EliteBar: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-18\Software\LQ
Elitum.EliteBar: Settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\LQ
--- Spybot - Search && Destroy version: 1.3 ---
2004-11-29 Includes\Cookies.sbi
2005-02-16 Includes\Dialer.sbi
2005-02-16 Includes\Hijackers.sbi
2005-01-11 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2005-02-16 Includes\Malware.sbi
2004-11-29 Includes\Revision.sbi
2005-02-09 Includes\Security.sbi
2005-02-16 Includes\Spybots.sbi
2005-02-16 Includes\Tracks.uti
2005-02-16 Includes\Trojans.sbi
Should I delete those two reg. keys with regedit, if I can?
-
Yup, You may want to Right click and EXPORT them first, just for backup purposes
and then delete these 2 in bold
HKEY_USERS\S-1-5-18\Software\LQ
HKEY_USERS\.DEFAULT\Software\LQ
Can you do the same for these ones if found
HKEY_CURRENT_USER\Software\LQ
HKEY_LOCAL_MACHINE\SOFTWARE\ohbbackup
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum
-
I think we're finally there. Thanks a million.
Deleted
HKEY_USERS\S-1-5-18\Software\LQ
and
HKEY_LOCAL_MACHINE\SOFTWARE\ohbbackup
(never would have found this!)
I didn't find the other three.
Did a final scan with Spybot S&D and got the green light.
Thanks again for all your help.
Best Regards,
Gar999
-
Thanks for posting back, and thanks for the info
I'll lock this topic as your problems appear resolved
If you need it reopened
Please PM a Mod or the site Admin and supply a link to this thread
Take Care