[Resolved] very bad Trojan

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Darlene C

Thread Starter
Joined
Nov 16, 2002
Messages
105
I am in big trouble, I don't know where to start. Someone tried to send me the W32.Sobig virus; Norton caught it and I deleted it. I did a complete scan, no virus. I could not open e-mail, it kept coming 3 in a row. I took my computer to the shop and they removed part of the trojan it was trying to connect to, scanned it 3 times. Put in Norton's firewall, everything was clear. Last night I brought it home and 15 min. later the firewall was blinking. It was Rat Trojan Horse, every half hour, then a couple of back-door SubSeven Trojans. The rat trojan was coming from Pittsburgh on Adelphia, that is what I am on. The SubSeven came from Va. and some other state. It's blinking now as I write this. Msmsgs keeps trying to load; Kelly's Korner said to delete it in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. I did and it keeps putting it back the minute I click another folder, I deleted it 5 times. My computer place said they did everything, notify Adelphia. I did, they are backed up. I sent them the logs, picture of location and address to Abuse. I think something is still in here and it is connecting at least from msmsgs, because it had it to run in background. When loaded into system tray, can not shut off. Please help!
 
Balzac

Darlene C

Thread Starter
Joined
Nov 16, 2002
Messages
105
StartupList report, 1/21/2003, 9:08:56 PM
StartupList version: 1.51
Started from : C:\unzipped\startuplist[1]\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\startuplist[1]\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Works Calendar Reminders.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
WFXSwtch = C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
WinFaxAppPortStarter = wfxsnt40.exe
PS2 = C:\hp\drivers\keyboard\PS2.exe
KBD = C:\HP\KBD\KBD.EXE
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
GhostStartTrayApp = C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {2662BDD7-05D6-408F-B241-FF98FACE6054}
NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Norton SystemWorks One Button Checkup.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[iPIX ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ipixx.ocx
CODEBASE = http://www.ipix.com/viewers/ipixx.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37611.5252893519

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab

[Live365Player Class]
InProcServer32 = C:\Play365.dll
CODEBASE = http://www.live365.com/players/play365.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Microsoft Office Tools on the Web Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\OUTC.DLL
CODEBASE = http://dgl.microsoft.com/downloads/outc.cab

--------------------------------------------------
End of report, 5,204 bytes
Report generated in 0.972 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Joined
Dec 9, 2000
Messages
45,855
You're new to firewalls, Darlene. Those blinking messages just mean they've been knocking at the door and no one answered. The firewall keeps them from knowing anyone's even home. Just ignore that stuff.

Your startups look absolutely fine to me!
 
Joined
Jun 8, 2001
Messages
3,054
Darlene ...

Like Rollin' Rog said, the blinking lights that you see on the firewall just mean that it's doing its job and nothing is getting into your system.

I do however see one problem in your startup list that Rog might have overlooked, since there are quite a few line entries and it's easy to miss one.

Enumerating Browser Helper Objects:
(no name) - (no file) - {2662BDD7-05D6-408F-B241-FF98FACE6054}

That BHO was a prior install as ...

(no name) - C:\PROGRAM FILES\XUPITER\UPDATES\XTUPDATE.DLL (file missing) - {2662BDD7-05D6-408F-B241-FF98FACE6054}

or as...

(no name) - C:\Program Files\Xupiter\Updates\XTUpdate.dll - {2662BDD7-05D6-408F-B241-FF98FACE6054}

Xupiter foistware: http://allentech.net/parasite/Xupiter.html

Xupiter components may still remain; to be sure that all its components are removed...

The text below is standard step by step instructions suggested by TonyKlein for the install and setup of Spybot

Let's do this first:

Download Spybot - Search & Destroy

It looks for spyware, but also targets dialers, keyloggers, and other nasties, and it's freeware.

After installing, go to the Online tab, and search for and install all updates.

Next, go to the Settings tab > File Sets, and uncheck 'System Internals' and 'Tracks' .

These aren't needed for our present purpose, and you can always experiment with them later on.

Finally, after closing down Internet Explorer, hit 'Check All', and have SpyBot remove all it finds.

Next, go to Internet Options > Temp. Internet Files > Settings > Show Objects, and examine all ActiveX objects you see there.

Right-click each one in turn, choose 'Properties', and check the Version tab.

If the company is anyone else but Macromedia, Apple, or Microsoft, right-click the file and choose 'Remove'.
 
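The check Dark Star did by eye above (an "Enumerating Browser Helper Objects" line with "(no file)" or "(file missing)" is a CLSID left behind by a half-removed add-on) can be scripted. The following Python is an added example, not part of this thread and not StartupList's or Tech Support Guy's code: it parses the sections of a StartupList 1.51 report, pulls the HKLM/HKCU Run entries with the program each one launches, and lists orphaned BHOs. The sample report is constructed from the shape of the report posted above; all function and constant names are my own.

```python
import re

# Constructed sample (not the thread's full report): an excerpt in the shape of the
# StartupList 1.51 output posted in this thread, with the same section headings,
# separator lines and entry formats.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
GhostStartTrayApp = C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {2662BDD7-05D6-408F-B241-FF98FACE6054}
NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------
"""

SECTION_SEP = re.compile(r"^-{10,}\s*$", re.M)
RUN_KEY = re.compile(r"^(HKLM|HKCU)\\.*\\Run$")
BHO_LINE = re.compile(
    r"^(?P<name>.+?) - (?P<file>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*$")
# Program path at the start of a Run value: stops at the first .exe/.dll/... that is
# followed by whitespace or the end, so unquoted paths containing spaces survive.
EXE_PREFIX = re.compile(r"^(.*?\.(?:exe|dll|ocx|com|bat|cmd))(?=\s|$)", re.I)


def split_sections(report):
    """Split the report on its dashed separator lines, dropping empty chunks."""
    return [c.strip() for c in SECTION_SEP.split(report) if c.strip()]


def parse_run_entries(report):
    """Return {registry_key: {value_name: command}} for each 'Autorun entries' section."""
    result = {}
    for section in split_sections(report):
        lines = [l.strip() for l in section.splitlines() if l.strip()]
        if len(lines) < 2 or not lines[0].startswith("Autorun entries from Registry"):
            continue
        if not RUN_KEY.match(lines[1]):
            continue
        entries = {}
        for line in lines[2:]:
            name, sep, command = line.partition(" = ")
            if sep:
                entries[name.strip()] = command.strip()
        result[lines[1]] = entries
    return result


def executable_of(command):
    """Extract the program path from a Run value (quoted path, or the leading path)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_PREFIX.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def parse_bhos(report):
    """Return [(name, file, clsid)] from the 'Browser Helper Objects' section."""
    bhos = []
    for section in split_sections(report):
        lines = [l.strip() for l in section.splitlines() if l.strip()]
        if not lines or not lines[0].startswith("Enumerating Browser Helper Objects"):
            continue
        for line in lines[1:]:
            m = BHO_LINE.match(line)
            if m:
                bhos.append((m["name"], m["file"], m["clsid"].upper()))
    return bhos


def orphaned_bhos(report):
    """BHOs whose DLL is gone: '(no file)' or a path StartupList tags '(file missing)'.

    An orphaned CLSID is what a partly removed add-on such as Xupiter leaves behind."""
    return [b for b in parse_bhos(report)
            if b[1] == "(no file)" or b[1].endswith("(file missing)")]


def run_executables(report):
    """Flatten the Run keys to (registry_key, value_name, program_path) tuples."""
    return [(key, name, executable_of(cmd))
            for key, entries in parse_run_entries(report).items()
            for name, cmd in entries.items()]


if __name__ == "__main__":
    for key, name, exe in run_executables(SAMPLE_REPORT):
        print(f"{key}  {name} -> {exe}")
    for name, path, clsid in orphaned_bhos(SAMPLE_REPORT):
        print(f"orphaned BHO: {name} {clsid} ({path})")
```

Running it on a saved report prints one line per Run value with the program it actually launches (quotes and arguments such as `/background` stripped), followed by any BHO whose file is gone; comparing the program paths against what you expect on the machine is the same triage the helpers did by hand above.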

Darlene C

Thread Starter
Joined
Nov 16, 2002
Messages
105
Thank you Rollin' Rog and Dark Star,
I downloaded Spybot Search and Destroy and did as Dark Star suggested. That number that you were concerned about was from Xupiter; I had to remove most of it in Sept 2002, I didn't know how to get that number out. There were other things that Spybot found, some from Gator, a lot from Xupiter. I thought I got rid of everything but that number. I don't know a lot about the registry, I am older and self taught. There is something else that I am concerned about. Msmsgs keeps trying to load even though I un-checked it. I went to Kelly's Korner and she said to just delete it from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and every time I delete it, it comes back as soon as I close the folder. I never used it and don't want to. When it loads in my system tray I can not right click and close it. It says another program is using it. In the registry it is listed on the right as C:\Program Files\Messenger\msmsgs.exe /background. I keep deleting it and it comes back; this never happened before the initial W32.Sobig virus tried to get in. That is what the computer place said, that part of it was in my computer and they got it out. I recently joined a newsgroup for Stardock, WindowBlinds. Could that have put something in to make the Msmsgs keep trying to come in? I un-subscribed, but how can I get Msmsgs permanently out of my computer? It wants to run in the background; before I just unchecked it. Thanks again for all your help.
 
Joined
Dec 9, 2000
Messages
45,855
I think I know what you mean about MS Messenger. I went about in circles trying to keep it out of the System Tray too when I first got XP. It would stay out for a while, then come back. Unchecking or deleting the msconfig entry did not help.

At first I just renamed msmsgs.exe to msmsgs.bak -- and that did work, although I could see some "errors" in the applications "event" log when it couldn't be found, although no other error messages were produced.

Then I noticed that "messenger" is also configured to start as a "Service". I was under the impression that this was not associated with MS Messenger, but when I disabled it and restored the original name to msmsgs.exe -- it worked too, with no errors in the event log.

To disable "messenger" as a service (which is desirable for other reasons as well), go to Administrative Tools and open your Services Profile. Look for it there and either double click it or right click and select "properties", you will see a drop menu with the option to "disable". Then make sure you have deleted the startup entries once more.

If that doesn't work for you, just try renaming the exe as I did first.
 

Darlene C

Thread Starter
Joined
Nov 16, 2002
Messages
105
Rollin' Rog,
The Messenger in services has been disabled since about Sept. when they started to send spam on that grey box. I saw it on Tech TV, and disabled it. It is still disabled; is there another name it could be under? If I rename it, where should I rename it? In C:\Program Files, where there is a whole folder, and which one, the white box Msmsgsin, or the two guys msmsgs, or in the registry?
 
Joined
Dec 9, 2000
Messages
45,855
That was the one I was referring to. What I'd do then is delete that startup entry again, and before you reboot rename the msmsgs.exe in this path to msmsgs.bak

C:\Program Files\Messenger\msmsgs.exe

Then when you reboot see if you get a "can't find" error; it may give some clue as to what is starting it. If you don't get an error message it should be all right to leave it renamed. If you do, we need to figure out what is calling it. Unfortunately I don't see anything in Startups. You might need to post the problem in XP and see if anyone there knows more about Messenger. I've never used it all myself and right now I don't know what might be launching it on your system.

>>>> I also just remembered that it has a Tools > Options > Preferences dialog to set options to "run when windows starts" and "allow program to run in background". Have you unchecked both of those? I had the first unchecked; if you didn't then that is probably why it is returning
 

Darlene C

Thread Starter
Joined
Nov 16, 2002
Messages
105
Rollin'Rog and Dark Star,
A very special thanks to both of you. That un-checking Messenger from running in the background and on startup seems to be what was needed. I had never signed up for it or used it. I am hoping this is not premature, but the firewall only went off 2 times since running Spybot. I am greatly relieved and reassured; I just hope it doesn't start again every half hour. A Very Special Thanks to Dark Star for leading me step by step through the installation of Spybot, I would never have known what to do with it if she didn't. I never did find the settings in Internet Options, Show Objects to examine all ActiveX objects, but it seems better already; there was something called back-door light in there that he had checked. Maybe that was it. I will be sending a special thanks and prayer to him also. Thank you once again. What a great place Tech Support Guy is and all the people that help. Again I hope I am not being premature.
Regards Darlene
 

Darlene C

Thread Starter
Joined
Nov 16, 2002
Messages
105
I almost forgot to thank Balzac, and Tony Klein who got me started. Thanks Guys!
Darlene
 