
Backdoor.LittleWitch issue

LilBob, Technical User, US, Jul 25, 2008
I recently downloaded & extracted files from an ISO file (foolish me thought I had enough safeguards installed to protect my PC from harm). After extracting the files (using WinRAR) to my Desktop, I scanned them with Norton AV and it found a trojan, Backdoor.LittleWitch. Norton informed me it could not be removed from an unsupported file. A check of their website gave me directions on manually removing the threat. Armed with that & the results I got from googling the bug, I went on my merry way to stomp the life out of it. Unfortunately, a search of the registry could not locate any of the Keys mentioned for it or any variable/aka. I had previously deleted the ISO file & all extracted files, checked and installed updates for all my AS & AV apps, rebooted in Safe mode and ran the following: Ad-Aware 2008, Spybot S & D, SUPERAntiSpyware, Rootkit Revealer, Avast! AV as well as Norton. Norton was the only 1 to find this. I ran Task Manager as well as Process Explorer, nothing. I also ran msconfig, checked startup & services & again found nothing. After rebooting in normal mode, Norton, & only Norton, again found this threat. Ran HijackThis and found nothing unusual there either. Could this be a false alarm from them? Before I breathe a sigh of relief, I wonder if anybody has any other suggestions.

Thanks for any help you can offer.
LilBob
 
If you don't have any of the footprints of infection, especially by that piece of malware, then you probably don't have it, and perhaps never did.

If you want, there are many free online virus scans you can try, just Google for them.
 
I'm with Linney: When you unpacked the file, and scanned them, the malware was not installed and alive on the system, as you had not executed the file...

thus I would not worry...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
I thought that after Norton (and most other AV progs) had detected a trojan, in its report it would give a path/location for the item(s) concerned.

What version of Norton are you running?

ROGER - G0AOZ.
 
Thanks for your replies. I'm running Norton SystemWorks 2008 Premier Edition. I downloaded, installed, updated & ran AVG Free 8.0 (full scan). It turns out Norton AV, in their 'wisdom', [thumbsdown] decided to move, instead of delete, the infected files into their Protected Recycle Bin. They must have thought I might change my mind & decide to re-infect my system. No matter how many times I purged it, those files (and a few others) would come back to haunt me (pun intended). I finally had to run msconfig, go into Services and disable that service. I did notice while I was there 2 other services that I could find no data on: EEGXU and IHXVXDYFAFKSH. Both have been disabled without any problems (so far). My subscription to Norton expires in 90 days & so will our relationship. Besides these recent problems, it's a resource hog.
If anybody knows what the above services are, please let me know. Thanks again for all your help.

LilBob
 
If you go in Services and right-click on the two Services you mention, do you get a path to the .exe responsible for the Services (displayed on the Properties page)?

If you do, see if that gives you any further information from the .exe Properties. It is not unusual for malware to use auto-generated names.
 
EEGXU and IHXVXDYFAFKSH
These are non-standard services, and even if they are disabled, there is a chance that you are infected by some sort of malware which has spawned these services in the first place...

I suggest you download HiJackThis from Trend Micro's website:

and run a scan with LOG, then paste the LOG here for our perusal... PS: create a subfolder on a drive and run it from there...

another good anti malware program to use, is Malwarebytes' Anti-Malware, free trial after which you'd have to purchase it...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
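The checks Linney and Ben describe above (look for a binary path and description on the service's Properties page, treat auto-generated names as a warning sign, inspect the LEGACY_ branch) can be scripted. This is an added example, not code from the thread or from any of the tools mentioned; it assumes an elevated PowerShell session on the machine being checked, and the all-caps length threshold is an assumed heuristic.

```powershell
# Added example, not code from the thread. Lists services showing the warning
# signs discussed above: no binary path on the Properties page, no description,
# a missing or unsigned executable, or an all-capitals name like EEGXU.
# Assumes an elevated PowerShell session on the machine being checked.
function Get-SuspiciousService {
    param([int]$MinCapsLength = 5)   # assumed threshold for the all-caps heuristic
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $reasons = @()
        # Pull the executable out of a command line such as "C:\x\y.exe" -k arg.
        # An unquoted path with spaces comes out truncated, which is itself worth a look.
        $exe = $null
        if ($svc.PathName -match '^\s*"([^"]+)"' -or $svc.PathName -match '^\s*(\S+)') {
            $exe = $Matches[1]
        }
        if (-not $exe) {
            $reasons += 'no binary path'
        } elseif (-not (Test-Path -LiteralPath $exe)) {
            $reasons += "executable missing: $exe"
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        }
        if ([string]::IsNullOrWhiteSpace($svc.Description)) { $reasons += 'no description' }
        # Heuristic only: a few legitimate services (e.g. SSDPSRV) also match.
        if ($svc.Name -cmatch "^[A-Z]{$MinCapsLength,}$") { $reasons += 'all-caps name' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name    = $svc.Name
                State   = $svc.State
                Path    = $exe
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Companion check for the registry branch quoted in the thread. Windows XP kept
# HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<NAME> for each service; its
# 0000 instance subkey normally holds a Service value naming the service.
function Get-LegacyEnumEntry {
    param([Parameter(Mandatory)][string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($ServiceName.ToUpper())"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $inst = Get-ChildItem -LiteralPath $key | Select-Object -First 1
    $svcValue = if ($inst) { (Get-ItemProperty -LiteralPath $inst.PSPath).Service } else { $null }
    [pscustomobject]@{ Key = $key; Instance = $inst.PSChildName; ServiceValue = $svcValue }
}

Get-SuspiciousService | Format-Table -AutoSize
Get-LegacyEnumEntry -ServiceName 'IHXVXDYFAFKSH'
```

Every hit is a candidate for review, not a verdict: the all-caps and no-description tests produce false positives, and a LEGACY_ key whose instance has no Service value is the kind of orphan Ben suggests backing up before removing.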
 
Right clicking on the 2 services displays no path or description. If memory serves me right, EEGXU has to do with Process Explorer, but not sure. I still have no idea as to IHXVXDYFAFKSH. A check of Registry Editor finds the service, besides in MSConfig, located in:
SYSTEM\ControlSet001\Enum\Root\LEGACY_IHXVXDYFAFKSH

Here's a copy of my last HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:54 PM, on 10/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\HijackThis\HiJackThis2.02.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\Norton SystemWorks Premier\osCheck.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\Gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\Gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\helpspot\StartFirstControl.CAB
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\helpspot\XPLControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - 
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks Premier\Norton GoBack\GBPoll.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8344 bytes

Again, I can't find anything unusual. Thanks for your suggestion on the Anti-Malware Ben. I'll check it out shortly. Any suggestions?

Thanks once more for all your help. LilBob
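Ben reads the O23 section of the log above by eye; the same triage can be automated. This is an added example, not code from the thread or from HijackThis: it parses O23 lines and flags services with no recorded publisher or a binary outside the usual folders. The sample text is a constructed three-line excerpt of the log posted above, and the folder allow-list is an assumption.

```powershell
# Added example, not from the thread: triage the O23 (service) lines of a
# HijackThis log. Flags entries with no recorded publisher or a binary outside
# the Windows / Program Files trees. $sample is a constructed excerpt of three
# lines copied from the log above; the allow-list of folders is an assumption.
$sample = @'
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
'@

function Get-HjtServiceFinding {
    param([Parameter(Mandatory)][string]$LogText)
    $trusted = '^C:\\(WINDOWS|Program Files|PROGRA~1|Documents and Settings\\All Users)\\'
    foreach ($line in $LogText -split "`r?`n") {
        # Layout: O23 - Service: <display name> (<short name>) - <publisher> - <path>
        if ($line -notmatch '^O23 - Service: (?<name>.+?) - (?<owner>.+?) - (?<path>.+)$') { continue }
        # Copy the captures before any further -match call overwrites $Matches
        $name = $Matches.name; $owner = $Matches.owner; $path = $Matches.path
        $reasons = @()
        if ($owner -eq 'Unknown owner') { $reasons += 'no publisher recorded' }
        if ($path -notmatch $trusted) { $reasons += 'binary outside standard folders' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Service = $name; Owner = $owner; Path = $path; Reasons = $reasons -join '; ' }
        }
    }
}

Get-HjtServiceFinding -LogText $sample | Format-Table -AutoSize
```

On the sample, only the Symantec Core LC line is reported (no publisher recorded), which matches Ben's reading that the log is otherwise clean; a flagged line means "check the file", not "malware".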
 
If I remember correctly, doesn't RootKit Revealer also install some funny Service names?
 
@ LilBob - Log is clean... but I noticed that you have an outdated Java and it seems as if you are running two or more AntiViral solutions (Norton, Avast and AVG) which is never a good idea...

SYSTEM\ControlSet001\Enum\Root\LEGACY_IHXVXDYFAFKSH
if you open up the branch it should reveal what it is for, if it has nothing under that entry then go ahead and right click it and remove it (delete), but I would make a backup of it first just in case...

about RootKit Revealer and it installing funny service names, I dunno haven't used that program in ages...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
Thanks Ben for catching Java. I should have run Secunia PSI. I'll do that next to make sure all apps are current. I normally only run Norton; Avast is run periodically as a double check. Usually, it's disabled. AVG was downloaded & installed as a further check for LittleWitch. I plan on uninstalling it but will save the set-up app in case I decide to use that in place of Norton. Now that I'm sure all is clean, I'll re-enable System Restore.

Thanks again to all for your help! LilBob
 
You're welcome...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 