
Thread: What else will I find..

  1. #1
    The Doctor Und3ertak3r
    Join Date
    Apr 2002
    Posts
    2,744

    What else will I find..

    OK another machine.. with a population of unwanteds..

    PLEASE: If these threads are not what YOU want in this forum please tell me and I will stop. These are repairs that arrive on my work bench.. I am posting the info here as it is not the standard.. ooops I got Sasser, run the removal tool.. install the patch.. and have another coffee..

    Today's machine: A PIII-1GHz, with 256Mb SD, on WinXP.. no patches or updates..

    1/ Started the Toy.. When the Desktop finally appeared managed to get Task Manager up.
    ....SUS Items In list included
    .........swchost
    .........svchosd
    .........sachost
    .........scchost
    2/ copied my tools onto the hdd
    ..... first strange happening: my tools folder includes Spybot S&D and HJT.. Guess what isn't in the folder, both on the hdd and on the cd.. a quick check in my service hack.. shows yes ALL are present on the CD..
    3/ restart in safemode and remove these sus files, and quick registry check and fix..
    ..... yep copied the little beggars to my USB-RAMdrive.. removed the references in the registry..HKLM\software\ms.........\run the files were in the Windows and windows\system32 folders
    ...... a quick check in Windows\system32\drivers for svchost.exe.. not present
    .......HJT and Spybot still not showing on my CD or on the HDD
    ....... Run CWShredder.. Googlems and AutoBlank Removed
    ........ Ran Stinger.. nothing to report..
    ........ ran NAV .. Backdoor.Hackdefender
    ........Emptied the Windows\prefetch folder (remembered this time)

    4/ a quick scan of the removed files isn't too good.. only swchost is identified by my NAV as "Download.trojan"

    5/ Tried to run the Gaobot removal tool.. would fail each time after scanning for about 5 mins.. got to check this out..

    Ain't Google a good friend .. just learnt that there are some problems with some CWS variants.. and CWShredder.. hmmm looks like it is out with the simple tools and back to full manual.. Now to trying to get HJT to appear on my CD so I can run it..

    Oh other strange files I have not identified are E_SIcN03.exe.. and for a brief 1 or 2 seconds "Power Saving" appears in the Tasks window in the Win Task Manager.. it then disappears.. note the Spybot S&D and HJT problem is both normal and safemode..

    About to start the Toy up in the Recovery Console and see what I can find in the XP-Dos mode..

    Will be back with more..

    Cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
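Added example, not code from the thread or its poster: a small Python check for the two things the post spots by eye in Task Manager, lookalike names that are a one-character edit of a real system process (swchost, svchosd, sachost, scchost) and a genuine name running from the wrong directory (the svchost.exe-in-drivers check). The KNOWN_SYSTEM table assumes a default C:\WINDOWS install, and the task list is constructed, not captured from the machine.

```python
# Legitimate XP system processes and the directory each should run from.
# Assumption: a default %SystemRoot% of C:\WINDOWS (change for other installs).
KNOWN_SYSTEM = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name, directory):
    """Classify one Task Manager entry by image name and directory.
    Returns 'ok', 'lookalike:<legit name>' (one-character edit of a system
    process name) or 'wrong-location:<expected dir>' (right name, wrong place)."""
    name, directory = name.lower(), directory.lower().rstrip("\\")
    if name in KNOWN_SYSTEM:
        expected = KNOWN_SYSTEM[name]
        return "ok" if directory == expected else f"wrong-location:{expected}"
    for legit in KNOWN_SYSTEM:
        if levenshtein(name, legit) == 1:
            return f"lookalike:{legit}"
    return "ok"

# Constructed task list modelled on the names in the post; not a real capture.
SAMPLE_TASKS = [
    ("svchost.exe", r"C:\WINDOWS\system32"),
    ("swchost.exe", r"C:\WINDOWS\system32"),
    ("svchosd.exe", r"C:\WINDOWS"),
    ("sachost.exe", r"C:\WINDOWS\system32"),
    ("scchost.exe", r"C:\WINDOWS"),
    ("svchost.exe", r"C:\WINDOWS\system32\drivers"),
    ("notepad.exe", r"C:\WINDOWS\system32"),
]

def suspicious_tasks(tasks=SAMPLE_TASKS):
    """Return (name, directory, verdict) for every entry that is not 'ok'."""
    flagged = []
    for name, directory in tasks:
        verdict = classify(name, directory)
        if verdict != "ok":
            flagged.append((name, directory, verdict))
    return flagged
```

On the sample list this flags four lookalikes and the stray svchost.exe in drivers, and leaves the real svchost.exe and notepad.exe alone.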

  2. #2
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    Just a quick question...

    You said it "arrived on your workbench"... do you work in public computer repair?
    What type of place do you work in?

    These sound like machines that some of our employees will bring in from home for me to fix.

    Just wondering because you always seem to be coming into all these boxes that are infected with one or more pieces of malware...

    If that were happening to my corp network... I'd be really pissed off and worried.
    I'd be looking for better solutions to protect my machines/network.

    I can't remember the last time we've had a "bad" virus... let alone an outbreak.

    The worst we seem to get is adware... and that's not even that bad because users have very limited privileges. (But... we may have a solution for that too... if I can convince ppl to spend some $$)

    Don't mean to be intrusive... just curious.

    I do like these types of posts though. I run into this type of stuff on computers that I don't admin. It's always nice to know what solution helped fix which problem and how you went about troubleshooting it.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    E_SIcN03.exe.
    Had a look for this, I can't find any reference to it being a nasty. It looks as though it's part of Epson Colour printer software.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  4. #4
    The Doctor Und3ertak3r
    Join Date
    Apr 2002
    Posts
    2,744
    Yep a Joe Public job these have been.. I have been doing out of hours repairs .. and it is completely different to the single virus/worm problems I get at work..

    Most of my time is spent as a general service tech in an Electrical Retail store.. So my work starts at the Store computer System Administration, ordering of the retail PC stock.. this includes custom building systems, EFT-POS systems installation, Computer Hardware warranty repair.. The odd System upgrade.. the odd customer software repair.. and making sure that one subnet allows the play of Half Life deathmatch very well.. oh and then I get to go on the floor and sell the PCs as well as the odd toaster ..(hey where the heck do I put the USB lead in this?)

    Cheers

  5. #5
    The Doctor Und3ertak3r
    Join Date
    Apr 2002
    Posts
    2,744
    Thanks jinxy..
    Yep the best I could figure was registry..

    Resorted to a external scan..

    Two files I had suspected in the c:\Windows\System32 folder mstasks1.exe and R3.exe were detected as "Trojan" a nice generic name.... Submitted to see what comes up..

    Best sign is I have just rebooted the Toy.. and I can now see HJT and Spybot in the setup folders as well as on the CD.. My suspicion it was a version of CWS ..

    now to get this thing patched and AV updated..

    By the way.. the "External scan" I mention.. the HDD is removed from the patient and placed into another machine as the Slave..
    Care needs to be taken as this will remove the executables and not the Registry entries.. the reg entry could be pointing to a web download site....not a good idea..

    anyway that is two in as many days..

    I would have liked to have given a better description.. unfortunately.. I had some phone calls and it is now past midnight.. and I work again tomorrow (sat)

    Cheers
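Added example, not the poster's own procedure: a Python audit of a Run-key export (regedit-style .reg text) taken from a slaved drive, flagging entries whose executable has been deleted by the external scan (the orphaned registry references the post warns about) and entries whose target is a web address rather than a local file. The .reg text and the on-disk layout are constructed for the demo; only the names mstasks1.exe and R3.exe come from the thread.

```python
import os
import re
import tempfile

# Constructed regedit-style export of the Run key; mstasks1.exe and R3.exe are
# names from the post, the other two entries are made up. Not a real export.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mstasks1"="C:\\WINDOWS\\System32\\mstasks1.exe"
"R3"="\"C:\\WINDOWS\\System32\\R3.exe\" /s"
"Synchronization"="C:\\Program Files\\Sync\\sync.exe -background"
"Updater"="http://example.invalid/drop.exe"
'''
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_run_values(reg_text):
    """Return {value name: command} for the string values in a .reg export."""
    values = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:  # .reg files escape quotes and backslashes with a backslash
            values[m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return values

def command_target(command):
    """Executable named by a Run command: quoted path, else text up to '.exe'."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]

def audit_run_entries(reg_text, mount_root):
    """Check each Run entry against the slaved volume mounted at mount_root:
    'url' (pulls from the web), 'missing' (orphaned target) or 'present'."""
    results = {}
    for name, command in parse_run_values(reg_text).items():
        target = command_target(command)
        if re.match(r"https?://", target, re.IGNORECASE):
            results[name] = "url"
            continue
        rel = re.sub(r"^[A-Za-z]:\\", "", target).replace("\\", os.sep)
        results[name] = "present" if os.path.isfile(os.path.join(mount_root, rel)) else "missing"
    return results

def demo():
    """Audit SAMPLE_REG against a throwaway mount root holding only sync.exe."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Program Files", "Sync"))
        open(os.path.join(root, "Program Files", "Sync", "sync.exe"), "w").close()
        return audit_run_entries(SAMPLE_REG, root)
```

Pointing mount_root at the slaved drive's real mount point gives the list of Run entries that still need removing after the executables have been pulled.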

  6. #6
    Keep posting these!

  7. #7
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi undies,

    I personally find these posts very interesting as you only mention unusual cases and I never know when I may come across something similar myself.

    It is also nice to know that I don't have a World monopoly on id10ts, and that joe public over there is the same as over here

    With the Toy in question I would sell them some more RAM, 256Mb is a bit lightweight for XP IMHO. Of course that does depend on what they do with the machine of course.

    Cheers

  8. #8
    Junior Member
    Join Date
    Apr 2004
    Posts
    15
    jinxy is correct...

    E_SIcN03.exe is a printer status monitor used for checking ink levels.

    http://www.sysinfo.org/startuplist.php?filter=E_SIcN03

  9. #9
    The Doctor Und3ertak3r
    Join Date
    Apr 2002
    Posts
    2,744
    In closing on this one..

    After getting the full set of Windows updates, and updating the AV defs..

    A final run of both Spybot s&d and Adaware
    then

    Clean The following
    1/ Temporary Internet Files
    2/ Windows Temp
    3/ Windows Prefetch..

    Then Run:
    1/ A full Virus scan (we can now trust the machine's own AV prog)
    2/ a chkdsk and a defrag

    On returning to customer

    a pamphlet on the use and importance of Windows update and Anti Virus Updates, as well as a quick guide to email safety..
    a recommendation of a good firewall prog or external firewall hardware.
    And a quick warning about 15yr old male children and their curiosity and attraction to certain websites

    Cheers

    off to the salt mine..

  10. #10
    They call me the Hunted foxyloxley
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,534
    http://www.winguides.com/

    I have been using the Registry Mechanic, found it very good and easy.
    Found it to be very scary at what it finds..........

    Just another Windoze tool.........
    so now I'm in my SIXTIES FFS
    WTAF, how did that happen, so no more alterations to the sig, it will remain as is now

    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone
