-
What else will I find..
OK, another machine.. with a population of unwanteds..
PLEASE: If these threads are not what YOU want in this forum, please tell me and I will stop. These are repairs that arrive on my workbench.. I am posting the info here as it is not the standard.. oops, I got Sasser, run the removal tool.. install the patch.. and have another coffee..
Today's machine: a PIII-1GHz, with 256MB SDRAM, on WinXP.. no patches or updates..
1/ Started the Toy.. When the desktop finally appeared, managed to get Task Manager up.
....Sus items in list included
.........swchost
.........svchosd
.........sachost
.........scchost
2/ Copied my tools onto the HDD
..... First strange happening: my tools folder includes Spybot S&D and HJT.. Guess what isn't in the folder, both on the HDD or appearing on the CD.. a quick check in my service hack.. shows yes, ALL are present on the CD..
3/ Restart in safe mode and remove these sus files, and a quick registry check and fix..
..... Yep, copied the little beggars to my USB RAM drive.. removed the references in the registry.. HKLM\software\ms.........\run; the files were in the Windows and Windows\system32 folders
...... A quick check in Windows\system32\drivers for svchost.exe.. not present
....... HJT and Spybot still not showing on my CD or on the HDD
....... Ran CWShredder.. Googlems and AutoBlank removed
........ Ran Stinger.. nothing to report..
........ Ran NAV.. Backdoor.Hackdefender
........ Emptied the Windows\prefetch folder (remembered this time)
4/ A quick scan of the removed files isn't too good.. only swchost is identified by my NAV as "Download.Trojan"
5/ Tried to run the Gaobot removal tool.. would fail each time after scanning for about 5 mins.. got to check this out..
Ain't Google a good friend.. just learnt that there are some problems with some CWS variants.. and CWShredder.. hmmm, looks like it is out with the simple tools and back to full manual.. Now to try to get HJT to appear on my CD so I can run it..
Oh, other strange files I have not identified are E_SIcN03.exe.. and for a brief 1 or 2 seconds "Power Saving" appears in the Tasks window in the Win Task Manager.. it then disappears.. note the Spybot S&D and HJT problem is in both normal and safe mode..
About to start the Toy up in the Recovery Console and see what I can find in the XP DOS mode..
Will be back with more..
Cheers
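The Task Manager check in the post above (spotting swchost, svchosd, sachost and scchost next to the real svchost) and the later look in system32\drivers for a misplaced svchost.exe are the same idea: a core Windows name that is one or two letters off, or the right name in the wrong directory. The script below, an added example and not code from the original post, does that comparison mechanically. The process list is constructed to mirror the thread; the expected directories, the edit-distance threshold and the extra planted `svchost.exe` in `system32\drivers` are assumptions for the example.

```python
"""Flag processes that imitate a core Windows binary by name or location.

Added example, not code from the original post. The process list below is
constructed to mirror the Task Manager entries described in the thread
(swchost, svchosd, sachost, scchost); on a real box you would feed it the
image names and paths from `tasklist /m` or Process Explorer instead.
"""
from typing import Dict, List, Tuple

# Legitimate names and the directory they are expected to run from.
# XP paths are assumed for the example; extend the table for the build you audit.
LEGIT: Dict[str, str] = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Edit distance at or below which a name is treated as a deliberate look-alike.
MAX_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def triage(processes: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (image name, reason) for every suspicious entry.

    A legitimate name running outside its expected directory is reported as
    'wrong-dir'; a name within MAX_DISTANCE edits of a legitimate one, but not
    equal to it, is reported as 'lookalike:<legit name>'.
    """
    findings = []
    for name, directory in processes:
        n, d = name.lower(), directory.lower().rstrip("\\")
        if n in LEGIT:
            if d != LEGIT[n]:
                findings.append((name, "wrong-dir"))
            continue
        for legit in LEGIT:
            if edit_distance(n, legit) <= MAX_DISTANCE:
                findings.append((name, f"lookalike:{legit}"))
                break
    return findings


# Constructed sample: the names Task Manager showed on the infected XP box,
# plus one svchost.exe planted in system32\drivers (the location the thread
# checked and, on that box, found empty).
SAMPLE: List[Tuple[str, str]] = [
    ("svchost.exe", r"C:\WINDOWS\system32"),
    ("swchost.exe", r"C:\WINDOWS"),
    ("svchosd.exe", r"C:\WINDOWS\system32"),
    ("sachost.exe", r"C:\WINDOWS\system32"),
    ("scchost.exe", r"C:\WINDOWS\system32"),
    ("svchost.exe", r"C:\WINDOWS\system32\drivers"),
    ("notepad.exe", r"C:\WINDOWS\system32"),
]

if __name__ == "__main__":
    for image, reason in triage(SAMPLE):
        print(f"{image:<14} {reason}")
```

The threshold of two edits is deliberately loose: it catches the single-letter swaps in the thread and a dropped or doubled letter, at the cost of the occasional benign near-miss, which is the right trade-off for a triage list a human reads.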
-
Just a quick question...
You said it "arrived on your workbench"... do you work in public computer repair?
What type of place do you work in?
These sound like machines that some of our employees will bring in from home for me to fix.
Just wondering because you always seem to be coming into all these boxes that are infected with one or more pieces of malware...
If that were happening to my corp network... I'd be really pissed off and worried.
I'd be looking for better solutions to protect my machines/network.
I can't remember the last time we've had a "bad" virus... let alone an outbreak.
The worst we seem to get is adware... and that's not even that bad because users have very limited privileges. (But... we may have a solution for that too... if I can convince ppl to spend some $$)
Don't mean to be intrusive... just curious.
I do like these types of posts though. I run into this type of stuff on computers that I don't admin. It's always nice to know what solution helped fix which problem and how you went about troubleshooting it.
-
Had a look for this, I can't find any reference to it being a nasty. It looks as though it's part of Epson colour printer software.
-
Yep, a Joe Public job these have been.. I have been doing out-of-hours repairs.. and it is completely different to the single virus/worm problems I get at work..
Most of my time is spent as a general service tech in an electrical retail store.. So my work starts at the store computer system administration, ordering of the retail PC stock.. this includes custom building systems, EFTPOS system installation, computer hardware warranty repair.. the odd system upgrade.. the odd customer software repair.. and making sure that one subnet allows the play of Half-Life deathmatch very well.. oh, and then I get to go on the floor and sell the PCs as well as the odd toaster.. (hey, where the heck do I put the USB lead in this?)
Cheers
-
Thanks jinxy..
Yep, the best I could figure was registry..
Resorted to an external scan..
Two files I had suspected in the C:\Windows\System32 folder, mstasks1.exe and R3.exe, were detected as "Trojan", a nice generic name.... Submitted to see what comes up..
Best sign is I have just rebooted the Toy.. and I can now see HJT and Spybot in the setup folders as well as on the CD.. My suspicion is it was a version of CWS..
Now to get this thing patched and the AV updated..
By the way.. the "external scan" I mention.. the HDD is removed from the patient and placed into another machine as the slave..
Care needs to be taken as this will remove the executables and not the registry entries.. the reg entry could be pointing to a web download site.... not a good idea..
Anyway, that is two in as many days..
I would have liked to have given a better description.. unfortunately.. I had some phone calls and it is now past midnight.. and I work again tomorrow (Sat)
Cheers
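The caveat in the post above (an external scan on a slaved disk deletes the executables but leaves the Run entries behind, and an entry may point at a web address rather than a local file) can be checked before the disk goes back. The script below is an added example, not code from the original post: it parses the text printed by `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and reports entries whose target no longer exists on the disk, plus any that launch from http(s). The reg output, the value names, the paths, the URL and the set of files "still on the disk" are all constructed for the example.

```python
r"""Cross-check Run-key entries against what is still on the slaved disk.

Added example, not code from the original post. It parses the text format
printed by `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
(the input below is constructed, including the URL-valued entry) and reports
entries whose target executable is gone, i.e. the leftovers an external scan
produces, and entries that launch from a web address rather than a local file.
"""
import os
import re
from typing import Callable, List, Tuple

# Constructed sample output; value names, paths and the URL are made up
# for the example and are not taken from a real infection.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    swchost    REG_SZ    C:\WINDOWS\swchost.exe
    mstasks1    REG_SZ    C:\WINDOWS\System32\mstasks1.exe
    Power Saving    REG_SZ    http://example.invalid/update.exe
    Status Monitor    REG_SZ    "C:\Program Files\Status Monitor\E_SIcN03.exe" /min
"""

# Files assumed to remain on the slaved disk after the external AV scan
# removed the trojans (constructed for the example; lower-cased for matching).
PRESENT = {r"c:\program files\status monitor\e_sicn03.exe"}


def parse_reg_query(text: str) -> List[Tuple[str, str, str]]:
    """Return (value name, type, data) triples from reg query output.

    Columns are separated by runs of at least two spaces, so a value name
    containing a single space ('Power Saving') survives the split.
    """
    entries = []
    for line in text.splitlines():
        parts = [p for p in re.split(r"\s{2,}", line.strip()) if p]
        if len(parts) >= 3 and parts[1].startswith("REG_"):
            entries.append((parts[0], parts[1], "  ".join(parts[2:])))
    return entries


def target_path(data: str) -> str:
    """Extract the executable path from a Run value, honouring quotes."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ")[0]


def check_run_entries(text: str,
                      exists: Callable[[str], bool] = os.path.exists
                      ) -> List[Tuple[str, str]]:
    """Return (value name, reason) for entries that need attention.

    'url'             the value launches from http(s) rather than a local file
    'target missing'  the file it points at no longer exists on the disk
    """
    findings = []
    for name, _vtype, data in parse_reg_query(text):
        if re.search(r"https?://", data, re.IGNORECASE):
            findings.append((name, "url"))
        elif not exists(target_path(data)):
            findings.append((name, "target missing"))
    return findings


if __name__ == "__main__":
    # Offline run against the constructed disk contents; on the slaved disk
    # itself, keep the default os.path.exists and feed it the real reg output.
    for name, reason in check_run_entries(
            SAMPLE_REG_QUERY, exists=lambda p: p.lower() in PRESENT):
        print(f"{name:<16} {reason}")
```

Every entry the script reports should be removed or repointed before the disk goes back in the patient; an orphaned Run value is harmless on its own, but one that names a URL will try to fetch its payload again on the next logon, which is exactly the "not a good idea" the post warns about.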
-
Hi undies,
I personally find these posts very interesting as you only mention unusual cases and I never know when I may come across something similar myself.
It is also nice to know that I don't have a World monopoly on id10ts, and that joe public over there is the same as over here :D
With the Toy in question I would sell them some more RAM; 256MB is a bit lightweight for XP IMHO. Of course that does depend on what they do with the machine.
Cheers
-
jinxy is correct...
E_SIcN03.exe is a printer status monitor used for checking ink levels.
http://www.sysinfo.org/startuplist.php?filter=E_SIcN03
-
In closing on this one..
After getting the full set of Windows updates, and updating the AV defs..
A final run of both Spybot S&D and Ad-Aware
then
Clean The following
1/ Temporary Internet Files
2/ Windows Temp
3/ Windows Prefetch..
Then Run:
1/ A full virus scan (we can now trust the machine's own AV prog)
2/ A chkdsk and a defrag
On returning to customer:
a pamphlet on the use and importance of Windows Update and anti-virus updates, as well as a quick guide to email safety..
a recommendation of a good firewall prog or external firewall hardware.
And a quick warning about 15-year-old male children and their curiosity and attraction to certain websites
Cheers
off to the salt mine..
-
http://www.winguides.com/
I have been using the Registry Mechanic, found it very good and easy.
Found it to be very scary at what it finds..........
Just another Windoze tool.........