LMari join:2002-12-19 Coconut Crk
LMari
Member
2005-Oct-3 10:10 am
lock1.exe
Every time I start my computer I get a prompt to install lock1.exe. I've run Norton both from the computer and online and nothing is showing up. I've also got webcam showing up in the registry.
Does anyone know how to get rid of this?
John2g Qui Tacet Consentit Premium Member join:2001-08-10 England
John2g
Premium Member
2005-Oct-3 10:15 am
» www.sophos.com/virusinfo ··· adq.html
You will need to check whether you have msdirectx.sys as well, which appears to be a rootkit.
LMari join:2002-12-19 Coconut Crk
LMari
Member
2005-Oct-3 10:25 am
I did a search and it didn't show up. I searched the hidden files as well.
John2g Qui Tacet Consentit Premium Member join:2001-08-10 England
to LMari
Bud4wiser St. Louis, Mo join:2003-01-25 Saint Louis, MO
to LMari
I just removed this bug from a system several days ago.
In this case, NAV would "quarantine" the file but could not remove it. I believe you have a variation of what I worked on.
If you know what you're doing, you have to remove file references from the machine's "run key", the run-as-service key, the current user's run key....
Verify the "loaded module" using msinfo32, select the file using explorer and rename its extension from .exe to .old or whatever.......
When you reboot, you should be able to find and delete the file and you should NOT be getting the message.
On the other hand, you might have other problems or damage I'm not aware of, or it could be some other "look-a-like" virus - so take my advice for what it's worth.
Cudni La Merma - Vigilado MVM join:2003-12-20 Someshire
to LMari
Just in case, use some more tools: » Security » I think my computer is infected or hijacked. What should I do? Then post a HJT log if still having problems.
Cudni
LMari join:2002-12-19 Coconut Crk
to Bud4wiser
HJT Log. I've never used the program so please walk me through this. Thanks -Lisa
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cbsmarketwatch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [strtas] lock1.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [strtas] lock1.exe
O8 - Extra context menu item: &Highlight - C:\WINNT\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINNT\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINNT\WEB\selsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINNT\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINNT\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINNT\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINNT\WEB\zoomout.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121540144140
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
John2g Qui Tacet Consentit Premium Member join:2001-08-10 England
to LMari
You should follow Cudni's advice.
LMari join:2002-12-19 Coconut Crk
LMari
Member
2005-Oct-3 2:15 pm
Per Cudni's advice I also ran TrojanHunter and Adaware with nothing showing up.
Bud4wiser St. Louis, Mo join:2003-01-25 Saint Louis, MO
Well, the log file shows the registry settings "trying" to load the "lock1.exe."
I don't use hijack, so I can't help you. Anyone who opens a registry should know how to back up any registry key they are going to delete.
I can't tell, but perhaps your machine is "clean" and some other PC utility is telling you to load "lock1" because of the registry entries. I don't think XP would generate such a message....
John2g Qui Tacet Consentit Premium Member join:2001-08-10 England
to LMari
If you don't follow all the steps listed in Cudni's link, you are likely to have your thread locked. I don't see any evidence in your HJT log that you have tried the suggested online AV scanners, or TrojanHunter.
to LMari
The thing is, lock1.exe is a backdoor trojan with a rootkit. Basically, your system has been compromised. Anyone may have had access to anything on your system or done whatever they want to it and hidden it from you. The rootkit makes it worse as your system is no longer trustworthy. IMHO, you need to disconnect this PC from the internet and from your network if it is on a network. Then, access this information from a non-compromised computer to follow the steps needed.
Security Management - May 2004 Help: I Got Hacked. Now What Do I Do? » www.microsoft.com/techne ··· 504.mspx
Security Management - July 2004 Help: I Got Hacked. Now What Do I Do? Part II » www.microsoft.com/techne ··· 704.mspx
quote: with a rootkit on the system that makes the system no longer trustworthy. Windows Explorer and the command line will no longer show you the files that are actually on the system. The registry editor is now lying. Account manager tools will not show you all the users. At this stage of an intrusion, you can no longer trust the system to tell you about itself. That's where you get into a flatten and rebuild (some people call it "nuke and pave") scenario. The system is now completely compromised.
quote: The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).
» Security » When should I re-format? How should I reinstall?
» Security » How to report ID theft, fraud, drive-by installs, hijacking and malware?
LMari join:2002-12-19 Coconut Crk
to John2g
TrojanHunter, AdAware and Symantec online and Symantec on my computer found nothing. TrendMicro found DS_DLOADER I virus which I deleted.
Still having the lock1.exe trying to install on startup.
Do I need to run another HijackThis to show what I've done?
John2g Qui Tacet Consentit Premium Member join:2001-08-10 England
to LMari
As I suggested in my first post, you probably have a rootkit. They run hidden, which is why you won't see it, nor will HJT.
This is in the Sophos write-up in my first post.
W32/Sdbot-ADQ creates the file msdirectx.sys in the Windows system folder. The msdirectx.sys file is detected by Sophos's Anti-Virus products as Troj/NtRootK-F.
garys_2k Premium Member join:2004-05-07 Farmington, MI
to LMari
said by LMari: TrojanHunter, AdAware and Symantec online and Symantec on my computer found nothing.
They rely on Windows to tell them what's in your machine, and your Windows box is lying to them. That's what rootkits do, they make the box lie about the files that they don't want you to know about. I doubt there's any way to actually see those files short of installing the drive as a slave on another box and scanning it from there. You could try booting from Knoppix, but even if you saw the bad files and killed them you're not nearly out of the woods. Once you've been rootkit'd you can't trust any executables on that machine. ANY of them could have been replaced by a version that will reinstall the trojan as soon as they're run. Notepad, solitaire, minesweeper, etc. can all be compromised, not to mention the hundreds of drivers that your system silently runs when accessing system resources. You have to reformat this drive, it's a goner. Best case for you is to put it on another box as a slave, pull off any data that you want to keep (but not executables) and reformat it.
LMari join:2002-12-19 Coconut Crk
LMari
Member
2005-Oct-3 4:09 pm
Thanks for all your help. I'm in the process of reformatting the HD. Thankfully it's only my son's computer with minimal info on it. Hopefully it was confined to his computer since I have three computers on the network.
I'm also hoping that since I was receiving the prompt to install lock1.exe, the rootkit was never installed. I don't want to take any chances so reformatting the HD is obviously the way to go.
It had already executed and added itself to the registry, so I think you are right in going ahead with the reformat. And the good news is that there wasn't much info on the PC. As it is a network worm, you should definitely check your other boxes. From the description at Sophos:
quote: W32/Sdbot-ADQ is a network worm with backdoor Trojan functionality for the Windows platform.
When first run, W32/Sdbot-ADQ copies itself to the Windows system folder as lock1.exe and creates the following registry entries in order to run each time a user logs on:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run strtas "lock1.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices strtas "lock1.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run strtas "lock1.exe"
The worm spreads through network shares protected by weak passwords and through various operating system vulnerabilities.
W32/Sdbot-ADQ connects to a predetermined IRC channel and awaits further commands from remote users. The backdoor component of W32/Sdbot-ADQ can be instructed to perform the following functions:
- scan networks for vulnerabilities
- download/execute arbitrary files
- start an ftp server
W32/Sdbot-ADQ creates the file msdirectx.sys in the Windows system folder. The msdirectx.sys file is detected by Sophos's Anti-Virus products as Troj/NtRootK-F.
As it spreads via network shares with weak passwords and other system vulnerabilities, you might want to download and use this tool to make sure all systems are secure. It will check for many system vulnerabilities (including weak passwords and network shares, among others): the Microsoft Baseline Security Analyzer (MBSA) from Microsoft, to analyze your PC security for prevention purposes. MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provide easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here: Microsoft Baseline Security Analyzer http://www.microsoft.com/technet/security/tools/mbsahome.mspx Choose MBSAsetup-EN.msi (English Version) or the language appropriate for you.
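Added example, not code from this thread, from Sophos or from HijackThis: a small Python audit of the O4 (autostart) lines of a HijackThis log. It expands HJT's abbreviated HKLM\..\Run notation to the full key paths the Sophos description names, extracts the executable from each Run value, and flags the pattern the write-up describes: a bare file name with no directory (resolved through the search path, where the worm's copy in the system folder is found), together with the lock1.exe / strtas names the Sophos text gives. The sample lines are copied from the log posted earlier in this thread and marked as such; every function, constant and class name below is this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines copied from the HijackThis log posted in this
# thread (four benign entries plus the two "strtas" entries). Not a live log.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer",
    r"O4 - HKLM\..\Run: [strtas] lock1.exe",
    r"O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto",
    r"O4 - HKLM\..\RunServices: [strtas] lock1.exe",
]

# HJT writes the autostart keys as HKLM\..\Run etc.; the elided middle is the
# CurrentVersion path that the Sophos description spells out in full.
RUN_KEY_PREFIX = r"SOFTWARE\Microsoft\Windows\CurrentVersion"

# Indicators taken from the Sophos W32/Sdbot-ADQ description quoted in the thread.
KNOWN_FILES = {"lock1.exe"}
KNOWN_VALUE_NAMES = {"strtas"}

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


@dataclass
class RunEntry:
    hive: str
    key: str            # Run, RunOnce, RunServices, ...
    name: str           # registry value name, e.g. "strtas"
    cmd: str            # command line exactly as stored in the value
    exe: str            # executable portion of cmd
    reasons: list = field(default_factory=list)

    @property
    def full_key(self) -> str:
        """Full registry path for this entry (HKLM\\SOFTWARE\\...\\Run)."""
        return f"{self.hive}\\{RUN_KEY_PREFIX}\\{self.key}"


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-value command line: the quoted path if
    the value starts with a quote, otherwise the first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_bare_filename(exe: str) -> bool:
    """True when the value names a file with no directory or drive at all, so the
    loader has to find it via the search path rather than an absolute location."""
    return exe != "" and not any(sep in exe for sep in ("\\", "/", ":"))


def parse_o4(line: str):
    """Parse one HJT line; return a RunEntry, or None for non-O4 lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return RunEntry(m["hive"], m["key"], m["name"], m["cmd"], executable_of(m["cmd"]))


def reasons_for(entry: RunEntry) -> list:
    """Collect the reasons an entry deserves a closer look (empty list = nothing seen)."""
    reasons = []
    if is_bare_filename(entry.exe):
        reasons.append("no directory in command: resolved through the search path")
    if entry.exe.lower() in KNOWN_FILES:
        reasons.append(f"file name {entry.exe} matches the W32/Sdbot-ADQ description")
    if entry.name.lower() in KNOWN_VALUE_NAMES:
        reasons.append(f"value name {entry.name!r} matches the W32/Sdbot-ADQ description")
    return reasons


def audit(lines) -> list:
    """Parse every O4 line and return only the entries that triggered a reason."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        entry.reasons = reasons_for(entry)
        if entry.reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in audit(SAMPLE_O4_LINES):
        print(f"{e.full_key}  [{e.name}] = {e.cmd}")
        for r in e.reasons:
            print(f"    - {r}")
```

On the thread's own log this reports exactly the two strtas entries (HKLM Run and HKLM RunServices) and nothing else; HJT did not list an HKCU entry, which is why only two of the three keys Sophos names appear. The check reads only the log text, so it is a triage aid for reading a posted log, not evidence that a machine is clean: as garys_2k points out above, once the rootkit is loaded the system itself, and any tool relying on it, may no longer report the file.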
to LMari
I just ran across W32/Sdbot-ADQ the other day at work. W32/Sdbot-ADQ will be removed by Mcafee's Stinger anti-virus. » vil.nai.com/vil/stinger/
Handy little guy.
John2g Qui Tacet Consentit Premium Member join:2001-08-10 England
John2g
Premium Member
2005-Oct-11 3:07 pm
said by shagnasty: I just ran across W32/Sdbot-ADQ the other day at work. W32/Sdbot-ADQ will be removed by Mcafee's Stinger anti-virus. » vil.nai.com/vil/stinger/ Handy little guy.
It won't have removed the rootkit though.