Re: Idiot_self+trojans+administrative privs = Disaster

[Bob Jones <lists () pavlodarproductions com>]

Zach,

What I do in cases like this (and its been quite a few times over the 
last couple of years) is to get a good command line virus scanner (I use 
McAfee's), put it on a flash drive, and boot the machine from a WinPE 
CD.  Once the machine is at the command prompt, I empty all the temp 
folders for all user profiles and in windows (usually by rmdir /s temp, 
mkdir temp), as well as the temporary internet files/content.ie5 folders 
(again, delete it and recreate it).

Once the trash cleanup is complete, then I run the virus scanner against 
the C: drive. Make sure you use the command options to clean any bugs it 
finds, use heuristic analysis, traverse all sub-folders, and if 
available, scan for potentiall unwanted programs/spyware (mcafee only I 
think), and dump a log/report file to the flash drive.  Now grab a cup 
of coffee and/or watch a show as a full scan on the C: drive will likely 
take an hour or more.

Once you have scanned/cleaned up any virii and bugs, boot back into 
windows, run Ad-Aware, spybot, and a trial version of Spysweeper (make 
sure they are up-to-date first).  Let them clean up any crap.  Follow 
this up with running autoruns from sysinternals.com (look for anything 
suspicious -- not related to any programs or hardware on your PC) and 
delete the entries.  Pay attention to anything found in appinit_dll and 
winlogon notifications -- basically, I delete anything that is not a MS 
entry.  You can change the user you are scanning from the menu, so 
running it once is enough -- with the spyware cleaners you need to run 
them under all profiles.

As far as the HijackThis log goes, I find the ccleaner and all 
windows\ehome suspicious, only because I have never run into them in the 
past -- but they might be legit.

At this point, you should be in pretty good shape -- good/clean enough 
to at least backup your data to usb drive prior to a format/reinstall.

Drop me a line directly if you have any questions.

Bob Jones

wymerzp () sbu edu wrote:
> I noticed that my OS (WinXP Media Center Ed. SP2) was acting extrodinarily buggy and throwing several different errors. I had used 
> bittorent and Limewire while running as Administrator (I know,I know, I don't need a lecture of how stupid this was... I was a 
> moron). I wasn't being my usual careful self because I'm going to wipe my comp and install linux. And a new version of WinXP.
> Anyway, I have a Trojan that I can't seem to get rid of: Trojan.Popuper.Downloader. 
> This is the result of a Scan by Spyware Doctor
> Scan Results: (edited to just show location)
> C:\Program Files\BitTorrent\uninstall.exe 
> C:\Program Files\CCleaner\uninst.exe	
> C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP233\A0427654.exe
>
> I attempted to access the C:\System Volume Information... file but it would not allow me to access this; I attepted this because it seemed to continue to instantiate itself after removal and reboot. I was considering running as System permissions to manually uninstall the restore loction, but didn't want to give the Trojan any more power (Administrator is bad enough). On the third time of removing and rebooting the infection is no longer being picked up by Spyware Doctor... My question that I pose to the online community is this: Do you think the infection is actually gone? It seemed to continue to instantiate itself each time, and then suddenly dissapeared. Here is my HijackThis! scan: 
>
> Logfile of HijackThis v1.99.1
> Scan saved at 3:32:46 PM, on 12/1/2006
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v7.00 (7.00.5730.0011)
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\csrss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\Ati2evxx.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\WINDOWS\system32\Ati2evxx.exe
> C:\WINDOWS\Explorer.EXE
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
> C:\WINDOWS\eHome\ehRecvr.exe
> C:\WINDOWS\eHome\ehSched.exe
> C:\WINDOWS\System32\svchost.exe
> C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
> C:\WINDOWS\ehome\ehtray.exe
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
> C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
> C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
> C:\WINDOWS\system32\ctfmon.exe
> C:\PROGRA~1\SPYWAR~1\swdoctor.exe
> C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
> C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
> C:\WINDOWS\ehome\RMSvc.exe
> C:\Program Files\Spyware Doctor\sdhelp.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\system32\wdfmgr.exe
> C:\WINDOWS\ehome\McrdSvc.exe
> C:\Program Files\Windows Media Connect 2\wmccds.exe
> C:\WINDOWS\system32\dllhost.exe
> C:\WINDOWS\eHome\ehmsas.exe
> C:\WINDOWS\System32\alg.exe
> C:\Program Files\CCleaner\ccleaner.exe
> C:\Program Files\Mozilla Firefox\firefox.exe
> C:\Program Files\AIM95\aim.exe
> C:\Documents and Settings\Owner.ZachW34EF3E735\Desktop\hijackthis\HijackThis.exe
>
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
> R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = 
> http://us.mcafee.com/apps/mpfplus/en-us/mpfplus7/default.asp?affid=370-9
> O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program 
> Files\Yahoo!\Companion\Installs\cpn\yt.dll
> O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 
> 7.0\ActiveX\AcroIEHelper.dll
> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
> O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
> O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
> O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
> O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
> O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program 
> Files\Yahoo!\Companion\Installs\cpn\yt.dll
> O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
> O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
> O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
> O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed 
> Components" /v "NoIE4StubProcessing" /f
> O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
> O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
> O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
> O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
> O4 - HKCU\..\Run: [Eraser] C:\Documents and Settings\Owner.ZachW34EF3E735\Desktop\Eraser\eraser.exe -hide
> O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
> O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
> O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
> O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
> O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
> O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
> O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file 
> missing)
> O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network 
> Diagnostic\xpnetdiag.exe (file missing)
> O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
> O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program 
> Files\Messenger\msmsgs.exe
> O11 - Options group: [INTERNATIONAL] International*
> O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - 
> http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
> O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - 
> http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159142629587
> O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MSHOME
> O17 - HKLM\Software\..\Telephony: DomainName = MSHOME
> O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MSHOME
> O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = MSHOME
> O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft 
> Shared\Help\hxds.dll
> O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
> O23 - Service: Abel - oxid.it - C:\Program Files\Cain\Abel.exe
> O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
> O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
> O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
> O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
> O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia 
> Shared\Service\Macromedia Licensing.exe
> O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 
> 1.0\PrfldSvc.exe
> O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New 
> Boundary\PrismXL\PRISMXL.SYS
> O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - 
> %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
> O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware 
> Doctor\sdhelp.exe
> O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel.exe" -service -install (file missing)
> O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware 
> Server\vmware-authd.exe
> O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
> O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common 
> Files\VMware\VMware Virtual Image Editing\vmount2.exe
> O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware 
> Server\vmserverdWin32.exe
> O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
>
> Any help will be greatly appreciated. Thanks to all who will respond!
> Peace,
> Zach

---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------