War-Against-Worm

[HotSpot]

Originally posted here by coolnads
Hi guys here is the saga to my war-against-worms. The system is XP with NAV2K. Here I go....

I had Norton 2k installed on my system which I kept updating in about once a month, few months back the live update subscription of my Norton got expired and for few months I was on my non-updated AV system. Then one day I experienced my PC slowing down and its performance degrading, on a closer look I found multiple unknown processes and number of unexplained network connections when I used my dial-up. Being a computer guy (but not a sys admin) I rushed of to Internet searched for all the suspected processes. I removed as many files/registry entries/services etc. that I could from the information I received on the net.

I followed this up with online scans from adwarwe, Norton and trend and some more. They did find two worms and cleaned them, I did a fresh round of complete scans and my system was certified clean of virus. Oh! I forgot to mention that I had to download a utility from Symantec to remove Norton, as the virus had made Norton incapable of doing anything (even uninstall !!). I finally got CA's EzArmor firewall+Av suit and installed it. I completed the process by updating my XP to SP2.

I though that I had done enough to get rid of the menace but I had a surprise waiting. I suddenly found my system getting realllllly slowed down, no funny processes but lots of svchost eating up huge memories and having lots of I/O reads (above 1000 in 5 minutes) same for my lsass process. I checked these figures with other systems and did find the I/O read property abnormally high , coupled with this after about 5 days of usage my dial/up broke and then my lan access broke. I mean now I can not connect to outside world, reinstalling drivers doesn’t help (firewalls were disabled and there is nothing related to new AV or Sp2 that could be causing these problems) . Phew.... I could have easily formatted my system, but I was hell bent upon removing the worms/spyware without a reformat.

I just want to ask you guys one thing, What the heck did I do wrong. Is there something I can still do and get out of this mess. After my LAN-die out I really wanted to reformat my system, this is my last attempt to resolve this issue. Its been over a month and I dint keep track of my actions, that’s why you see stuff like "few more", "etc', "few worms" and all.

OK I should add this, some of the initial processes were, ftpd.exe, update32.exe, some service that said it was USB2 driver etc.



TIA.

What did you do wrong?
Answer you did not use a firewall.
After sp2 you do have one!

[axio]

A couple tools i would try as those scanners dont always pick up everything

Check for rootkits (unlikely but worth a shot)
http://3wdesign.es/security/

Currprocess from www.nirsoft.net can give you a good list of running processes, and if you see a svchost.exe in a location than C:\WINDOWS\system32\svchost.exe i would be wary of it

[slarty]

The reasons that we always advise a reformat following ANY compromise;

1. You do not know how many additional pieces of malware were piggybacked upon a known one
2. You do not know whether the malware opened up holes to allow opportunist attackers to install their own rootkits
3. You do not know whether an unknown piece of malware has leaked in some other way.

So as such, the normal procedure:

1. Back everything up
2. Reformat and reinstall
3. Secure your machine fully including using fully up to date malware scanners
4. Restore extremely carefully, avoiding anything which could possibly contain malware if at all possible- try not to restore .exes, word docs etc unless absolutely necessary
5. Change all passwords for third party systems that could have been keylogged by the malware while it was installed; if a compromise is suspected, repeat the process for those too.

In some cases, 5. will include a reformat of all machines in your organisation. It could be hard to convince the management that this is necessary, but you should try anyway.

Slarty

[coolnads]

Hi All

Thanks for all the help. We had a long weekend here and I was supposed to get you ppl HijackThis logs , I did get them on my USB stick, but guess what, the file that I got was empty !!! PS: I should get a new memory stick.

From the look of the things I should be better off with formating my system, The cleaner from moosoft reportes nothing, I am yet to try rootkits and CurrProcess, otherwise I am almost through with all the the other tools you guys mentioned, and they all say that my system is clean. I think I might have some compromised process, which is difficult to track down or something....

will wait for the weekend and then let it go...

[coolnads]

Here it is guys...
sorry it took so long..I was very busy at office with deadlines swooshing past me ....

I still think that there is nothing wrong in these logs..but then I could be wrong.

Thanks for all the help.

Logfile of HijackThis v1.97.7
Scan saved at 6:47:08 AM, on 12/1/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
E:\Program Files\CD tools\Deamon\daemon.exe
E:\WINDOWS\system32\NVATray.exe
E:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
E:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\CD tools\Nero 6\Nero\nero.exe
E:\Documents and Settings\Neo\Desktop\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\windows\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Program Files\CD tools\Deamon\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [VetTray] E:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKCU\..\Run: [STYLEXP] E:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://e:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

[Kaldanzia]

The FlashGet bar is spyware. Check and remove all those items and then delete the associated files off your HDD.


O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\fgiebar.dll
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)


By the way, if you haven't already, be sure to run all your spyware/virus/trojan/worm scans in Safe Mode. In my experience, many of the boogers are easily able to hide from the scanners in regular mode. Safe Mode levels the playing field, and prevents most of the background spyware processes from running and interfering with the scans.

[coolnads]

I thought FG was a download-accelerator. I have been using it from last 3 yrs or so and havent really got any issue with it.

Yes It does show some ads, more like adobe acrobat.

Is it really bad. Bad in sense does it clogs network resourses, open backdoor, spams and all that unwanted stuff?