netbus.w95.trojan keyhook.dll 2

billnees

Technical User
Sep 9, 2002
8
US
My PC has been infected by NetBus.w95.trojan and unfortunately I can do nothing about it. I mean every time I scan with Norton Antivirus, it cannot repair the infected file which, by the way, is KeyHook.dll. I can't delete the file either.
I was trying to look in MsConfig but as it turned out, there is no MsConfig on my PC. And now I don't know what the heck to do.
I would really appreciate any help or tip.

The above was taken from a post in April, I believe. I followed all the advice given then, but can't get rid of the virus. I ran the Cleaner, updated Norton, but this file (keyhook.dll) lists as infected every time I start up. In fact it lists twice. Please help.
 
What's your OS? If it's 9x, just boot to DOS and delete the file (or rename it to a different extension). This should keep it out of memory, then you can clean it.

AVChap
 
There's a good description that you may already have


There's a DOS-based removal tool, as Netbus is tricky about removal as long as Windows is running (see desc. above).

Free (home use) F-Prot via
ftp://ftp.europe.f-secure.com/anti-virus/free/

If your system will not let you into real DOS, you have to pick up the latest versions of a-v, or get a Knoppix disk, CD-boot to Linux, run Wine or dosemu and then run F-Prot once you can DOS 'see' all your files.

The Knoppix approach for NT/2k is getting good press as a non-invasive NTFS repairer since MS removed non-Win boots. I have not yet tried it. It "ought" to work, but it is software after all.

I did try DR-DOS for the same purpose, to get to NTFS without Windows. DR-DOS was repetitively buggy and unhappy. Unless they have removed a lot of bugs it is no-go as a solution.

--------------

Can anyone tell me why the A-V products have so much trouble with busy files? I mean all it would seem they have to do is create a WinInit.INI with a few NULL=.... in it to delete the files before Win starts.

Whaddami missing?
 
billnees, try deleting keyhook.dll in safe mode. You said you have no msconfig so I'm guessing you have Windows 95, is that right? If you have Win95, 98, or ME go to the link and download Startlog.com into any folder, then double-click on it and run it. It'll create 2 text files on your desktop. Copy and paste the results of just Startlog (not the stubpaths file) to your reply here. If you don't know how to copy and paste, when the Startlog appears at the top click edit--select all--edit--copy--then come here and right-click in your reply window and select paste, or click edit then paste at the top of your browser.


Also, since you don't have msconfig go here and download it to the system folder. It'll work in 95.

 
I do have windows 98 V2. (I misspoke)
Every time I start up Norton reports Keyhook.dll is infected with Netbus.W95.Trojan and cannot fix the file so it quarantines it. This happens twice with each startup.
Below is my startup log as requested.


---------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 09-16-2002 10:42:13.41a
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.56) - Release Date 3/11/2002

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EM_EXEC"="C:\\PROGRA~1\\LOGITECH\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"EN60C Taskbar"="C:\\WINDOWS\\SYSTEM\\\\EN60CTB.EXE"
"Norton Auto-Protect"="C:\\PROGRA~1\\NORTON~2\\NAVAPW32.EXE /LOADQUIET"
"SystemTray"="SysTray.Exe"
"AtiPTA"="Atiptaxx.exe"
"HydarVisionDesktopManager"="desk98.exe"
"Regx10EXE"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"NAV Agent"="C:\\PROGRA~1\\NORTON~2\\NAVAPW32.EXE"
"KERNEI32"="C:\\WINDOWS\\KERNEI32.EXE /nomsg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="\"C:\\PROGRAM FILES\\ATI MULTIMEDIA\\MAIN\\LAUNCHPD.EXE\""
"MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe /background"


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ScriptBlocking"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Script Blocking\\SBServ.exe\" -reg"
"Windows Kernel"="C:\\WINDOWS\\SYSTEM\\WinKernels.exe"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

load=
;Rem TShoot: noload=c:\windows\system\wininit.exe
noload=c:\windows\system\wininit.exe c:\windows\system\wininit.exe
AUTOUNLOAD=No

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\PROGRA~1\SYMANTEC\PCANYW~1\;%PATH%
rem - By Windows Setup - MSCDEX /D:MSCD001 /V
rem - By Windows Setup - MSCDEX /D:MSCD001 /V

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\WinPoET.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Controller.LNK
C:\WINDOWS\Start Menu\Programs\StartUp\QuickBooks 2002 Delivery Agent.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\winkernels.exe

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder

C:\WINDOWS\All Users\Start Menu\Programs\StartUp\kerneI32.exe

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="\"C:\\PROGRAM FILES\\ATI MULTIMEDIA\\MAIN\\LAUNCHPD.EXE\""
"MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe /background"


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"OldStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
"StubPath"=""
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"OldStubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"RealStubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"OldStubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"RealStubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"

-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

MSCDEX /D:MSCD001 /V
C:\PROGRA~1\LOGITECH\MOUSEW~1\MOUSE.EXE


-=================-
WININIT.BAK File - (c:\windows\wininit.bak)
(name) (type) (size)(modified)(time)
wininit bak 88 09-09-02 5:46p
-=================-

[rename]
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE
NUL=C:\PROGRA~1\GAMEHO~1\MAHJONG\UNWISE.EXE
-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-


==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
COMSPEC=C:\WINDOWS\COMMAND.COM
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\PROGRA~1\SYMANTEC\PCANYW~1\;C:\WINDOWS;C:\WINDOWS\COMMAND
windir=C:\WINDOWS

File - c:\windows\Wininit.bak
File - c:\windows\deletefi.ini

==========================================================================
__________________________________________________________________________

- End -
 
Ok, these entries were put there by netbus:

"KERNEI32"="C:\\WINDOWS\\KERNEI32.EXE /nomsg"

"Windows Kernel"="C:\\WINDOWS\\SYSTEM\\WinKernels.exe"

Restart into safe mode and do all this from there. I take it you downloaded msconfig from the link I gave? If not do so since you don't have it.

Click start--run--type regedit--ok. Doubleclick on each of these:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

After you open the Run key you'll see the "KERNEI32" entry I posted above in the right pane. Right click on it and delete it.

Then go here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

After opening the RunServices key you'll see this entry in the right pane:

"Windows Kernel"="C:\\WINDOWS\\SYSTEM\\WinKernels.exe"

Right click on it and delete it. Then close regedit.

Now open windows explorer and go to and open your startup folder at c:\windows\start menu\programs\startup. Delete the winkernels.exe shortcut there.

Then in explorer go here: c:\windows\all users\start menu\programs\startup. Delete the kerneI32.exe shortcut found there.

Then find KEYHOOK.DLL, WinKernels.exe and KERNEI32.EXE and delete them into the recycle bin while in safe mode. After doing all that restart the computer into normal mode and run another virus scan. Is netbus still detected? It shouldn't be but let us know.
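The manual triage above (spot the lookalike "KERNEI32" next to the real KERNEL32, the "Windows Kernel" RunServices entry, and the .exe files dropped straight into the StartUp folders) can be automated against a StartLog-style dump. The following Python script is an added example for this thread; it is not code from the thread, from Kento, or from the StartLog tool. The sample log is a constructed excerpt modelled on the one billnees posted, the set of well-known Windows component names is an illustrative assumption, and the indicator list contains only the three file names this thread identified as NetBus components.

```python
"""Automated triage of a Windows 9x StartUp Log in the rmbox StartLog format.

Added example for this thread, not code from the thread or from the StartLog tool.
It reads the registry-style lines of the log, pulls the executable out of each
autostart command line and flags:
  * lookalike names: after folding confusable characters (I, l, 1 -> L; 0 -> O) the
    name equals a well-known Windows component but the raw spelling does not
    (KERNEI32 imitating KERNEL32);
  * file names this thread identified as NetBus components (thread-specific list);
  * programs dropped straight into a StartUp folder instead of .lnk shortcuts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt modelled on the log posted above (relevant sections only).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Norton Auto-Protect"="C:\\PROGRA~1\\NORTON~2\\NAVAPW32.EXE /LOADQUIET"
"KERNEI32"="C:\\WINDOWS\\KERNEI32.EXE /nomsg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ScriptBlocking"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Script Blocking\\SBServ.exe\" -reg"
"Windows Kernel"="C:\\WINDOWS\\SYSTEM\\WinKernels.exe"

These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\WinPoET.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\winkernels.exe
C:\WINDOWS\All Users\Start Menu\Programs\StartUp\kerneI32.exe
'''

# Well-known Windows component names an intruder might imitate (illustrative, not exhaustive).
KNOWN_SYSTEM_NAMES = {"KERNEL32", "USER32", "GDI32", "EXPLORER", "SYSTRAY", "RUNDLL32"}

# Characters commonly swapped for the letter they resemble; applied to upper-cased names.
CONFUSABLES = str.maketrans({"I": "L", "1": "L", "0": "O"})

# Files this thread identified as NetBus components. Thread-specific, not a general signature.
THREAD_INDICATORS = {"keyhook.dll", "winkernels.exe", "kernei32.exe"}

REG_KEY = re.compile(r"^\[(HK[^\]]+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
STARTUP_PATH = re.compile(r"^[A-Za-z]:\\.*\\StartUp\\([^\\]+)$", re.IGNORECASE)


@dataclass
class Finding:
    location: str       # registry key or "StartUp folder"
    name: str           # file name that was flagged
    reasons: List[str]


def executable_name(value: str) -> str:
    """Basename of the program in a .reg-style Run value (handles quoted paths and arguments)."""
    cmd = value.replace("\\\\", "\\").replace('\\"', '"')  # undo .reg escaping
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        parts = cmd.split()
        exe = parts[0] if parts else cmd
    return exe.rsplit("\\", 1)[-1]


def stem(filename: str) -> str:
    return filename.rsplit(".", 1)[0].upper()


def lookalike_of(filename: str) -> Optional[str]:
    """Return the legitimate component name this file name imitates, or None."""
    s = stem(filename)
    folded = s.translate(CONFUSABLES)
    if s not in KNOWN_SYSTEM_NAMES and folded in KNOWN_SYSTEM_NAMES:
        return folded
    return None


def reasons_for(filename: str, in_startup_folder: bool = False) -> List[str]:
    reasons = []
    target = lookalike_of(filename)
    if target:
        reasons.append(f"lookalike of {target}")
    if filename.lower() in THREAD_INDICATORS:
        reasons.append("named in this thread as a NetBus component")
    if in_startup_folder and not filename.lower().endswith((".lnk", ".pif")):
        reasons.append("program placed directly in StartUp folder instead of a shortcut")
    return reasons


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            section = None               # values always follow their key directly
            continue
        if m := REG_KEY.match(line):
            section = m.group(1)
            continue
        if section and (m := REG_VALUE.match(line)):
            exe = executable_name(m.group(2))
            if reasons := reasons_for(exe):
                findings.append(Finding(section, exe, reasons))
            continue
        if m := STARTUP_PATH.match(line):
            if reasons := reasons_for(m.group(1), in_startup_folder=True):
                findings.append(Finding("StartUp folder", m.group(1), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.location}\n    {f.name}: {'; '.join(f.reasons)}")
```

Run against the sample it reports four entries: KERNEI32.EXE under Run, WinKernels.exe under RunServices, and the two programs sitting in the StartUp folders, while the legitimate SysTray, Norton and Symantec entries pass. The confusable-character fold is what catches the I-for-l swap that is easy to miss by eye in a long log; the indicator list is deliberately kept separate so the heuristic can be reused on a log from another machine.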









 
Thank You Kento and everyone else. Followed your instructions and everything is fine.

Norton never did detect the virus during a scan, only quarantined the file at start up.

Thanks again.
 
You're welcome. I'm curious why Norton didn't detect netbus during a scan but did find it at startup? I'm not sure why that would be unless I'm experiencing some brain freeze at the moment which is possible. But you might want to go to Symantec's site and ask them about that on their free tech help board.

By the way, netbus allowed a hacker to access your computer and get all kinds of info including passwords so you should change all your passwords everywhere especially if you have one at a banking site.
 
It may have something to do with that court case the NetBus author filed against AV companies for branding his product as a trojan. Apparently, he claims this is a legit product. So in order to bypass this, AV companies only detect until NetBus 1.70(?) as a Trojan. All other later versions aren't detected as such. Note, this is unverified.

AVChap
 
That's the first I heard about a court case. But I saw this:


My Norton detects 22 different versions of netbus including netbus 2.1.

"remote administration and monitoring tool" Sounds like it could be a trojan to me. "the silent install feature has been removed from NetBus Pro 2.1." Hmmm, I wonder why if it's not a trojan???
 
But billnees had NetBus.w95.trojan which is an older version. I still don't get why a full scan didn't find it. Maybe it fooled the scanner somehow I don't know. Anyhooo....
 