Author Topic: Help wanted - Removing trojandownloader.w32.agent  (Read 2475 times)

Offline Gar999

Help wanted - Removing trojandownloader.w32.agent
« on: February 28, 2005, 11:24:18 AM »
I'm attempting to sort out my niece's computer and I'd appreciate some help and advice.
When I first got it, it was a mess, Norton was disabled and msconfig couldn't be opened. It was running very, very slowly. After reading a few threads it was clear that there was a problem with a trojan.
Using the following thread as a guide, I've been attempting to clean the system up.
Other Thread
So far I've:

Disabled NT Login Service

Restored original hosts with HOSTER

Downloaded TDS-3, updated the latest Radius file and used it to scan in safe mode. I then deleted all POSITIVE ID'ed alarms

Downloaded Ad-Aware 1.05, updated it and scanned the system (full scan in safe mode) and removed all bad objects.

After restart I've used Windows CleanUp in safe mode.

Restarted in Normal mode and ran the Trend Micro online scan and deleted all bad files that were found.

Here's the latest HJT log, I'd appreciate it if someone might check it for me and tell me how I'm doing so far.

Logfile of HijackThis v1.99.1
Scan saved at 15:45:53, on 28/02/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ltmsg.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Celine\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\Run: [sssasasb32] C:\WINDOWS\sssasasb32.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteswy32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Offline guestolo

« Reply #1 on: February 28, 2005, 05:24:26 PM »
Can you download and save to the desktop
the file I've uploaded
[attachment=44:attachment]

UNZIP the contents to your desktop, now you will have Elite.reg on the desktop
We'll need this later

Print the rest of this out please, or save to a Notepad file on the desktop
Close down all browser windows

RESTART your Computer in SAFE MODE

Access the add/remove programs and remove if found
Elitebar or similar, don't restart yet

Find and delete these files or folders if they exist

C:\WINDOWS\shch.exe <--this file
C:\WINDOWS\sssasasb32.exe <--file
C:\windows\system32\eliteswy32.exe <--file

C:\windows\EliteSideBar <--folder, if found
C:\windows\Elitebar or similar

Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\Run: [sssasasb32] C:\WINDOWS\sssasasb32.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteswy32.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Stay in safe mode and run Windows CleanUp! one more time

Don't log off or Restart yet

Double click on Elite.reg and allow it to merge to the registry

Restart back to Normal mode

This would be a good time to Reinstall Norton's and update and run a full virus scan

If you don't intend on reinstalling Norton's and need a free solution let me know, I can link you to one

Post back with a fresh Hijackthis log afterwards
« Last Edit: February 28, 2005, 05:27:05 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Gar999

« Reply #2 on: March 01, 2005, 05:11:56 PM »
Progress I hope! So far I've:

In SAFE MODE

Checked for Elitebar in Add/Remove programs list. Not listed.

Deleted those files you listed

Fixed the Hijack files listed

Ran Windows CleanUp

Used the Elite.reg file

RESTARTED - Back to NORMAL mode

Reinstalled Norton and updated. (This took forever, I'm still using dialup)

Did a full system scan, 3 infected files were found.

C.bat        listed as  Bat.Trojan
TFTP1912     listed as  W32.spybot.worm
TFTP2900     listed as  W32.spybot.worm

Are these serious? Sort of pissed, thought the system was nearly clean. I've quarantined the 3 of them. Thanks for all the help!!!

Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 21:53:15, on 01/03/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ltmsg.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Celine\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
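The check guestolo does by eye on the two logs above, as an added example that is not code from this thread or from HijackThis: a Python script that parses HJT entry lines, reports which entries disappeared between the first log and this one (and which are new), and applies a few heuristics to what remains. The heuristics are my own: a hosts entry that points a name at a routable address, a BHO CLSID with no backing file, a Run entry whose executable sits directly in the Windows directory or is an unrecognised binary in system32, and an entry name that uses a capital I as a lookalike for l, as [SheduIer] does. The two sample logs are trimmed excerpts of the logs posted in this thread; the small system32 allowlist is an assumption, not a complete list.

```python
"""Diff two HijackThis (HJT) logs and flag the indicators a forum helper
looks for. Added example, not code from this thread or from HijackThis;
the rules below are heuristics, not a definitive malware test."""
import re
from ipaddress import ip_address

# Trimmed excerpts of the two logs posted in this thread (before / after cleanup).
LOG_BEFORE = r'''
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\Run: [sssasasb32] C:\WINDOWS\sssasasb32.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteswy32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
'''
LOG_AFTER = r'''
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
'''

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")                 # "O4 - <text>"
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)\b', re.IGNORECASE)
LOOKALIKE_RE = re.compile(r"[a-z]I[a-z]")  # capital I posing as lowercase l ("SheduIer")
# Partial allowlist of Windows XP binaries that legitimately autostart from system32 (assumption).
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe", "wuauclt.exe"}


def parse(log):
    """Return the (section, text) pairs for every HJT entry line."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def diff(before, after):
    """Entries that disappeared between two logs, and entries that appeared."""
    old, new = set(parse(before)), set(parse(after))
    return sorted(old - new), sorted(new - old)


def exe_path(cmd):
    """Executable from a Run value: the quoted path, else everything up to '.exe'."""
    m = EXE_RE.match(cmd)
    return (m.group(1) or m.group(2)) if m else (cmd.split() or [""])[0]


def flag(section, text):
    """Heuristic reasons to look harder at one entry (empty list = nothing odd)."""
    reasons = []
    if section == "O1":  # "Hosts: <ip> <name>": anything beyond loopback is a redirect
        ip, host = (text.partition(":")[2].split() + ["", ""])[:2]
        try:
            addr = ip_address(ip)
        except ValueError:
            return [f"unparseable hosts entry: {text}"]
        if not (addr.is_loopback or addr.is_unspecified):
            reasons.append(f"hosts file sends {host} to {ip}")
    elif section == "O2" and text.endswith("(no file)"):
        reasons.append("BHO CLSID registered with no backing file")
    elif section == "O4" and (m := RUN_RE.match(text)):
        name, path = m["name"], exe_path(m["cmd"])
        parts = path.lower().replace("/", "\\").split("\\")
        if LOOKALIKE_RE.search(name):
            reasons.append("entry name uses a capital I as a lookalike for l")
        if len(parts) == 3 and parts[1] == "windows":
            reasons.append("executable dropped directly into the Windows directory")
        if len(parts) == 4 and parts[1:3] == ["windows", "system32"] and parts[3] not in KNOWN_SYSTEM32:
            reasons.append("unrecognised executable autostarting from system32")
    return reasons


def triage(log):
    """(section, text, reasons) for every flagged entry in one log."""
    return [(s, t, r) for s, t in parse(log) if (r := flag(s, t))]


if __name__ == "__main__":
    removed, added = diff(LOG_BEFORE, LOG_AFTER)
    print("removed by the cleanup:")
    for s, t in removed:
        print("  -", s, t)
    print("new since the first log:")
    for s, t in added:
        print("  +", s, t)
    print("still worth a look:")
    for s, t, r in triage(LOG_AFTER):
        print("  !", s, t, "; ".join(r))
```

Run against the two excerpts, `diff` lists exactly the four entries guestolo told the poster to fix plus the hosts redirect as removed, and the Norton additions as new; `triage` flags five entries in the first log and nothing in the second, which is the same verdict as "Log looks good". The rules are deliberately cheap and will not catch a dropper that installs under Program Files with a plausible vendor name, so treat an empty result as "nothing obvious", not "clean".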

Offline guestolo

« Reply #3 on: March 01, 2005, 09:44:15 PM »
Log looks good
If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

You're way behind on Windows Updates, this is very important in keeping the system secure
http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx

Before installing Service pack2 I usually recommend running an Online virus scan
at either
Housecall's or Panda's
Make sure you check for updates with Ad-Aware and run a scan
Restart the computer
Empty those temp folders, do a Disk CleanUp
Temporarily Disable any Security software such as Trojan Guard before visiting so it won't interfere with the installation


Stay safe :D
« Last Edit: March 01, 2005, 10:27:38 PM by guestolo »



Offline Gar999

« Reply #4 on: March 03, 2005, 10:16:47 AM »
Ok,

SpywareBlaster & IE-SpyAd installed, updated and running.
I also installed Spybot S&D, updated and immunised. Do you know if having all these spyware programs installed together will cause any problems (conflicts)?
XP SP2 installed and updated (This took a while)

One last thing after scanning with Spybot S&D, it found 2 bad entries listed as Elitum - Elitebar. Spybot has failed to remove these entries even on startup stating that they cannot be removed. Should I worry or are these entries just harmless remnants of past nasties?

Gar999

Offline guestolo

« Reply #5 on: March 03, 2005, 05:39:13 PM »
They won't conflict
Actually I use Spyware Blaster>>IE-Spyad>>Spybot Immunization feature
and SpywareGuard on my system
I don't notice any conflicts at all

If you could
Would you run another scan with Spybot
When it's done scanning Right click on the results and Save a report to desktop
And then post that back here, thanks



Offline Gar999

« Reply #6 on: March 03, 2005, 06:18:24 PM »
Here's the Spybot S&D log:

Elitum.EliteBar: Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-18\Software\LQ

Elitum.EliteBar: Settings (Registry key, nothing done)
  HKEY_USERS\.DEFAULT\Software\LQ


--- Spybot - Search && Destroy version: 1.3  ---
2004-11-29 Includes\Cookies.sbi
2005-02-16 Includes\Dialer.sbi
2005-02-16 Includes\Hijackers.sbi
2005-01-11 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2005-02-16 Includes\Malware.sbi
2004-11-29 Includes\Revision.sbi
2005-02-09 Includes\Security.sbi
2005-02-16 Includes\Spybots.sbi
2005-02-16 Includes\Tracks.uti
2005-02-16 Includes\Trojans.sbi

Should I delete those two reg. keys with regedit, if I can?

Offline guestolo

« Reply #7 on: March 03, 2005, 06:28:59 PM »
Yup, You may want to Right click and EXPORT them first, just for backup purposes
and then delete these 2:
HKEY_USERS\S-1-5-18\Software\LQ
HKEY_USERS\.DEFAULT\Software\LQ

Can you do the same for these ones if found

HKEY_CURRENT_USER\Software\LQ
HKEY_LOCAL_MACHINE\SOFTWARE\ohbbackup
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum
« Last Edit: March 03, 2005, 06:29:29 PM by guestolo »



Offline Gar999

« Reply #8 on: March 03, 2005, 06:59:31 PM »
I think we're finally there. Thanks a million.

Deleted

HKEY_USERS\S-1-5-18\Software\LQ

and

HKEY_LOCAL_MACHINE\SOFTWARE\ohbbackup
(never would have found this!)

I didn't find the other three.

Did a final scan with Spybot S&D and got the green light.

Thanks again for all your help.
Best Regards,
Gar999

Offline guestolo

« Reply #9 on: March 04, 2005, 12:26:34 AM »
Thanks for posting back, and thanks for the info

I'll lock this topic as your problems appear resolved
If you need it reopened
Please PM a Mod or the site Admin and supply a link to this thread

Take Care
