Worms, Trojans, Spyware.........format? 1

[Kesser]

A machine I have been working on today - has had severe infection from several worms such as:

Blaster; Sasser; SDBOT; Donk; RBOT;& more that escape me for the moment - the machine has also been infected with many trojans that seem to change each time I run Sysclean through. Also lots of spy/adware including hijacks and cool web search. At first, I could do nothing in 'normal' mode - Antivirus, hijack this, msconfig, regedit - all disappear as soon as you try to launch them. I have run through several instances of sysclean in safe mode as well as spybot, adaware and the fix tools from symantec for blaster & sasser. I have made some progress and can now do a certain amount in normal mode but still have some autostart entries coming back despite heavy editing of the registry, editing system files with notepad and even sysedit - the processes which keep coming back are:

hostsvc.exe
spoolsvc.exe

I know that a format would be the easiest way around this but i'm annoyed now and don't want to be beaten....

I managed eventually to get hijack this to run in safe mode but deleting the processes in there hasn't helped either - just comes back again..........

Any ideas guys?

Thanking you

Kes

 

[carrr]

XP machine?
Are you running your cleanup efforts with system restore disabled?
How about posting the log?

Tired of waiting for an answer? Try asking better questions. See: faq222-2244

 

[Kesser]

hi carrr,

system restore is disabled yes - the log is difficult as it's not currently connected to the net and can only generate in safe mode....

However, the only real worries in the log I could see were the above mentioned processes which keep coming back....

 

[Kesser]

oh and sorry, yes XP home,

Also when I say I can't 'do' anything in normal mode this is because any thing you try to run relating to clean up is immediately 'eaten' - ie, it disappears as soon as it's clicked on, including hijack this, avg, regedit, msconfig etc and task manager won't work at all!

 

[carrr]

Have you tried to restore back to a point before this mess manifested itself?

Tired of waiting for an answer? Try asking better questions. See: faq222-2244

 

[Kesser]

I haven't in all honesty and is this now poss since I have turned off sys restore and rebooted several hundred times?

Ooh, another running process i have just remembered is regsvc32.exe - this little monkey closed regedit as soon as i found it & went to delete - do you think this is fatal then? As you say it is a mess and the machine's owner only told me about 1/100th of the story when they droppped it off - should i just give up and format????

 

[carrr]

In retrospect...that was a pretty stupid suggestion my part.
Write it off to Friday.
Have you tried going up against some of the recurring processes with KillBox (

http://download.broadbandmedic.com/)

or Delete Doctor 2.0 (

http://www.softandco.com/a/13734/delete-doctor.html)?

Tired of waiting for an answer? Try asking better questions. See: faq222-2244

 

[Kesser]

I shall download and give them a try in the morning but i am worried that since i have already edited the processes out of the registry (several times) there is something in there that is morphing.......... I will give you an update and poss a log or two on the morrow, thanks for your help so far

 

[diogenes10]

Kesser

Re net connection you might try
a) checking for a hosts file (no extension) and renaming it if it exists.
b) running lspfix from cexx.org.

You can put hijackthis on a floppy and tranport it to sick machine, and bring log back same way. Letting the folks here see all process info together is your best shot at getting good comments relating to your specific situation.

Dont give up and format right now.


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[Kesser]

Thanks diogenes10

will do

is there any other info I can give other than hijack this that may help me solve the prob?

 

[diogenes10]

I would defer to carrr on that one.
I think the hijack log will give a good start. If there is a coolwebsearch loading from hidden dlls, that may take some additional info - but I don't understand those tools so I'd wait to see what he thinks in that area.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[Kesser]

Ok,

One Hijack this log for your perusal:

Logfile of HijackThis v1.97.7
Scan saved at 13:45:18, on 28/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\hostsvc.exe
C:\Documents and Settings\home user\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.ukonline.co.uk

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =

http://products.webroot.com/disp0201.php?pc=64000&rc=1&oc=11&ps=F

F0 - system.ini: Shell=explorer.exe hostsvc.exe
F2 - REG:system.ini: Shell=explorer.exe hostsvc.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NT Video API32] NTAPI32.exe
O4 - HKLM\..\RunServices: [NT Video API32] NTAPI32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Windows Host Device] hostsvc.exe
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ukonline.co.uk
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -

http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -

http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1092857951774

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) -

http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1uk.cab

As you can see - hostsvc is present - despite being delete millions of times!

Anyone see anything else?

Kes

 

[Zech]

Hi,

Bear in mind that HijackThis deals primarily with browser hijackers (adware, spyware). It's not as useful when dealing with conventional viruses and worms - that is where antivirus software comes in.

For CoolWebSearch problem, you may want to try CWShredder. It is the ultimate tool against CWS. The tool itself has not been updated for quite a while (the author quitted), but nonetheless it still does a good job against most versions of CWS.

My safest bet will still with reformating your machine, and reinstalling WinXP. This ensures that you clean everything up. Remember to update the XP before you do anything else.

I hope it helps.

Zech

 

[diogenes10]

Just checked in for a few minutes.
These two don't look good either:

O4 - HKLM\..\Run: [NT Video API32] NTAPI32.exe
O4 - HKLM\..\RunServices: [NT Video API32] NTAPI32.exe

http://it.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_RBOT.GL

First I think you should get the current version of hijackthis 1.98.2 .
That way all backups fixing etc will be with same version.
(try majorgeeks download page if you dont have any other ideas for it)

(& before I say anymore here I want you to understand the difference between carrr and me in regard to this stuff. carrr removes this stuff himself from machines for recreation, my knowledge is all second hand based on reading and a little feedback. If you want to wait for additional feedback before trying any of this-no problem.)

After you get new version of hijackthis, try to get machine up in safe mode again.

http://www.bleepingcomputer.com/forums/index.php?s=c5a5ae25f46d6b26c4ccab30b8e5e2fe&showtutorial=42

Here is a tutorial on hijackthis-it includes comments about the process manager. Look in the hijackthis process manager for NTAPI32.exe and
hostsvc.exe. Kill/stop them if they are running.

Then have hijackthis fix the following lines:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F0 - system.ini: Shell=explorer.exe hostsvc.exe
F2 - REG:system.ini: Shell=explorer.exe hostsvc.exe
O4 - HKLM\..\Run: [NT Video API32] NTAPI32.exe
O4 - HKLM\..\RunServices: [NT Video API32] NTAPI32.exe
O4 - HKCU\..\Run: [Windows Host Device] hostsvc.exe

Then try deleting
hostsvc.exe
NTAPI32.exe

again.

Reboot and see what things look like.

If you want to try the killbox that carrr talked about, you can get that here (go ahead and get dllcompare too while you're at it):

http://download.broadbandmedic.com

You can get the process explorer that carrr likes here:

http://www.sysinternals.com/

If the above and/or experiments with killbox and process explorer don't get it for you, Post a 1.98.2 hijack this log (we're looking for stuff in o18-o21 lines and a dllcompare log and we'll see if we can figure out a next step.


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[Kesser]

Thanks for that diogenes - I had assumed that the NT Video thing was to do with the graphics card so maybe getting rid of that will stop it coming back??? I won't be on the machine again until tuesday as it's bank holiday on monday so I'll let you know how I get on...


Zech - I have already run CWShredder through several times thanks and as for the virus infection, I have used Sysclean (also several times) as Anti-virus packages just immediately get 'eaten'. I have some experience in removal but this machine is so badly infected with so much that I needed additional help - hence the post!!!!

 

[jbrackett]

diogenes10,

Thanks for the link to the HJT tutorial. Looks a bit more detailed than the one I have.

Star to you.

[sub]"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."[/sub]

[sup]"Trent the Uncatchable" in The Long Run by Daniel Keys Moran[/sup]

 

[Kesser]

Hi guys

Went for the format in the end as this machine could have been in the shop forever and said punter needed it back - have now given her lots of protection and hope never to see the machine in that state again! In the meantime, it has been a learning process - thanks muchly for all your help.

Kes

 

[diogenes10]

Kes
Sorry you couldn't get it the other way, Thanks for letting us know.

jrbracket
Thank you.



-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?