LMari

lock1.exe

Every time I start my computer I get a prompt to install lock1.exe. I've run Norton both from the computer and online and nothing is showing up. I've also got webcam showing up in the registry.

Does anyone know how to get rid of this?

John2g

»www.sophos.com/virusinfo ··· adq.html

You will need to check whether you have msdirectx.sys as well, which appears to be a rootkit.

LMari

I did a search and it didn't show up. I searched the hidden files as well.

John2g to LMari

This free AV might be worth a try.

»Need good free a/v to run on infected laptop
Bud4wiser to LMari

I just removed this bug from a system several days ago.

In this case, NAV would "quarantine" the file but could not remove it. I believe, you have a variation of what I worked on.

If you know what you're doing, you have to remove file references from the machine's "run key", the run-as-service key, the current user's run key....

Verify the "loaded module" using msinfo32, select the file using Explorer and rename its extension from .exe to .old or whatever.......

When you reboot, you should be able to find and delete the file and you should NOT be getting the message.

On the other hand, you might have other problems or damage I'm not aware of, or it could be some other "look-alike" virus - so take my advice for what it's worth.

Cudni to LMari

Just in case, use some more tools:
»Security »I think my computer is infected or hijacked. What should I do?
Then post an HJT log if still having problems.

LMari to Bud4wiser

HJT Log. I've never used the program so please walk me through this. Thanks -Lisa

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cbsmarketwatch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [strtas] lock1.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [strtas] lock1.exe
O8 - Extra context menu item: &Highlight - C:\WINNT\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINNT\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINNT\WEB\selsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINNT\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINNT\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINNT\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINNT\WEB\zoomout.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121540144140
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

John2g to LMari

You should follow Cudni's advice.

LMari

Per Cudni's advice I also ran TrojanHunter and Adaware with nothing showing up.
Bud4wiser

Well, the log file shows the registry settings "trying" to load the "lock1.exe."

I don't use HijackThis, so I can't help you. Anyone who opens the registry should know how to back up any registry key they are going to delete.

I can't tell, but perhaps your machine is "clean" and some other PC utility is telling you to load "lock1" because of the registry entries. I don't think XP would generate such a message....

John2g to LMari

If you don't follow all the steps listed in Cudni's link, you are likely to have your thread locked. I don't see any evidence in your HJT log that you have tried the suggested online AV scanners, or TrojanHunter.

CalamityJane to LMari

The thing is lock1.exe is a backdoor trojan with a rootkit.

Basically, your system has been compromised. Anyone may have had access to anything on your system or done whatever they want to it and hidden it from you. The rootkit makes it worse as your system is no longer trustworthy.

IMHO, you need to disconnect this PC from the internet and from your network if it is on a network. Then, access this information from a non-compromised computer to follow the steps needed.

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
»www.microsoft.com/techne ··· 504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
»www.microsoft.com/techne ··· 704.mspx
quote:
with a rootkit on the system that makes the system no longer trustworthy. Windows Explorer and the command line will no longer show you the files that are actually on the system. The registry editor is now lying. Account manager tools will not show you all the users. At this stage of an intrusion, you can no longer trust the system to tell you about itself. That’s where you get into a flatten and rebuild (some people call it "nuke and pave") scenario. The system is now completely compromised.
quote:
The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications)
»Security »When should I re-format? How should I reinstall?

»Security »How to report ID theft, fraud, drive-by installs, hijacking and malware?

LMari to John2g

TrojanHunter, AdAware and Symantec online and Symantec on my computer found nothing. TrendMicro found DS_DLOADER I virus which I deleted.

Still having the lock1.exe trying to install on startup.

Do I need to run another HijackThis to show what I've done?

John2g to LMari

As I suggested in my first post, you probably have a rootkit. They run hidden, which is why you won't see it, nor will HJT.

This is in the Sophos write-up in my first post.

W32/Sdbot-ADQ creates the file msdirectx.sys in the Windows system folder. The msdirectx.sys file is detected by Sophos's Anti-Virus products as Troj/NtRootK-F.

garys_2k to LMari

said by LMari:

TrojanHunter, AdAware and Symantec online and Symantec on my computer found nothing.
They rely on Windows to tell them what's in your machine, and your Windows box is lying to them. That's what rootkits do: they make the box lie about the files they don't want you to know about.

I doubt there's any way to actually see those files short of installing the drive as a slave on another box and scanning it from there. You could try booting from Knoppix, but even if you saw the bad files and killed them you're not nearly out of the woods.

Once you've been rootkit'd you can't trust any executables on that machine. ANY of them could have been replaced by a version that will reinstall the trojan as soon as they're run. Notepad, solitaire, minesweeper, etc. can all be compromised, not to mention the hundreds of drivers that your system silently runs when accessing system resources.

You have to reformat this drive, it's a goner. Best case for you is to put it on another box as a slave, pull off any data that you want to keep (but not executables) and reformat it.

LMari

Thanks for all your help. I'm in the process of reformatting the HD. Thankfully it's only my son's computer with minimal info on it. Hopefully it was confined to his computer since I have three computers on the network.

I'm also hoping that since I was receiving the prompt to install lock1.exe, the rootkit was never installed. I don't want to take any chances, so reformatting the HD is obviously the way to go.

CalamityJane

It had already executed and added itself to the registry, so I think you are right in going ahead with the reformat. And the good news is that there wasn't much info on the PC.

As it is a network worm, you should definitely check your other boxes. From the description at Sophos:
quote:
W32/Sdbot-ADQ is a network worm with backdoor Trojan functionality for the Windows platform.

When first run, W32/Sdbot-ADQ copies itself to the Windows system folder as lock1.exe and creates the following registry entries in order to run each time a user logs on:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
strtas
"lock1.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
strtas
"lock1.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
strtas
"lock1.exe"

The worm spreads through network shares protected by weak passwords and through various operating system vulnerabilities.

W32/Sdbot-ADQ connects to a predetermined IRC channel and awaits further commands from remote users. The backdoor component of W32/Sdbot-ADQ can be instructed to perform the following functions:

scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server

W32/Sdbot-ADQ creates the file msdirectx.sys in the Windows system folder. The msdirectx.sys file is detected by Sophos's Anti-Virus products as Troj/NtRootK-F.
As it spreads via network shares with weak passwords and other system vulnerabilities, you might want to download and use this tool to make sure all systems are secure. It will check for many system vulnerabilities (including weak passwords and network shares, among others).

The Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.
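
The two "strtas" entries in the HJT log posted earlier and the three registry keys in the Sophos description above are one and the same persistence pattern. As an added example (not from this thread, from HijackThis, or from Sophos), the Python below parses the O4 lines of an HJT log and flags entries that load a bare filename with no drive or directory, or that reuse one value name across several autorun keys. The sample log is constructed: O4 lines copied from Lisa's log plus one HKCU line assumed from the Sophos write-up; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the HijackThis log posted above, plus
# one HKCU line (an assumption) matching the third persistence key the Sophos
# write-up lists. Two clean entries are included so the filter has something
# to leave alone.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [strtas] lock1.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [strtas] lock1.exe
O4 - HKCU\..\Run: [strtas] lock1.exe
"""

# HJT writes autorun entries as:  O4 - <hive>\..\<key>: [<value name>] <command>
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def image_of(cmd):
    """Return the executable part of a Run-key command string.

    A quoted command (the ccApp.exe entry) ends at the closing quote; an
    unquoted one ends at the first space, so a trailing switch such as /auto
    is dropped.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_o4(log_text):
    """Parse every O4 line of an HJT log into a dict of hive/key/name/cmd/image."""
    entries = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["image"] = image_of(entry["cmd"])
            entries.append(entry)
    return entries


def flag_entries(entries):
    """Return the entries worth a second look, each with its reasons.

    Two traits of the lock1.exe entries in the thread are checked:
      - the image is a bare filename with no drive or directory, so Windows
        resolves it from the search path rather than a known location;
      - the same value name is set in more than one autorun key, the
        belt-and-braces pattern the Sophos description shows.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"].lower()].append(e)

    findings = []
    for e in entries:
        reasons = []
        img = e["image"]
        if img and "\\" not in img and ":" not in img:
            reasons.append("bare filename, no path")
        n = len(by_name[e["name"].lower()])
        if n > 1:
            reasons.append("value name '%s' set in %d autorun keys" % (e["name"], n))
        if reasons:
            findings.append({
                "location": "%s\\..\\%s" % (e["hive"], e["key"]),
                "name": e["name"],
                "image": img,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in flag_entries(parse_o4(SAMPLE_HJT_LOG)):
        print("%-22s [%s] %s  <- %s"
              % (f["location"], f["name"], f["image"], "; ".join(f["reasons"])))
```

Run against the sample it reports the three strtas entries and nothing else; the Symantec and Intel entries pass because they name a full path and each value name occurs once. The script only reads a saved log, it touches nothing in the registry, and as garys_2k points out a rootkit can hide keys from HJT itself, so an empty result is not a clean bill of health.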

shagnasty to LMari

I just ran across W32/Sdbot-ADQ the other day at work.

W32/Sdbot-ADQ will be removed by Mcafee's Stinger anti-virus.
»vil.nai.com/vil/stinger/

Handy little guy.

John2g

said by shagnasty:

I just ran across W32/Sdbot-ADQ the other day at work.

W32/Sdbot-ADQ will be removed by Mcafee's Stinger anti-virus.
»vil.nai.com/vil/stinger/

Handy little guy.
It won't have removed the rootkit though.