  Da Geek Kid
join:2003-10-11 Mclean, VA
| help...
Has anyone seen these files?
sw.bat is.exe mmxateam.exe low.exe xe.exe tb.exe zxvcc73x.exe <-- This file keeps changing; it looks like a random compressed file w/ all the others in it...
I keep removing these and they keep popping up... I dunno how I got it and it's funny that neither Tiny soft, AVAST, Ad-Aware, nor Spybot can clean this funky trojan
I have used FixVundo and some others that did not help...?
What I know so far is that it uses "microsoft-ds" and "netbios-ssn" to create connections to some locations, one of which looked like an SMTP server... I did not capture that, but one thing is for sure, this is the first time since 1991 that I actually got such a trojan from the net... well I guess everyone DOES get one... ;)
TIA |
|
  Riss_Centaur Mod'taur - - - - 4 On The Floor. Premium,MVM,Ex-Mod 2005-07 join:2004-01-20 other clubs:
| Start here: »Security »I think my computer is infected or hijacked. What should I do? -Riss |
|
  koma3504 Advocate Premium join:2004-06-22 North Richland Hills, TX
| reply to Da Geek Kid Try Trend Micro's Sysclean, it's actually very effective. I once had it remove over 30000 trojans from one PC that would not allow any other cleaner to finish running.
just follow this website
»www.trendmicro.com/download/dcs.asp
Hope this helps.
Thanks Again -- Koma If You Don't Think It's Possible!! It's Actually A Reality!! The best way to predict the future is to invent it. Alan Kay!!Ya Don't Know The Signal Till Ya Ride It!!Voice Break's There's Trouble!! |
|
  Da Geek Kid
join:2003-10-11 Mclean, VA | reply to Da Geek Kid I ran the Trend Micro and it found nothing...
the tb.exe file is a "SiteBar!" |
|
  guest_speaker
| reply to Da Geek Kid Ewido seems to be pretty decent at finding and removing trojans. You could give it a try. They have a free version here. »www.ewido.net/en/
Also A² is not too bad either. Free version. »www.emsisoft.com/en/software/free/
Best of luck. |
|
 dangme
join:2001-09-15 San Francisco, CA
| reply to Da Geek Kid I ran into a similar situation this morning as I was disinfecting a badly infected machine (running Windows 2000). There were a bunch of suspicious *.bat files and registry settings that trend micro, norton and CA all had trouble detecting.
Similarly, Spybot s&d, Adaware, Spysweeper and Microsoft Antispyware all had trouble detecting them too.
Are we entering a phase where there's more and more unrecognizable spyware and viruses? |
|
  Da Geek Kid
join:2003-10-11 Mclean, VA
| reply to Da Geek Kid update on the Trend Micro...
I ran the Trend Micro in Safe mode and Zilch! However, after booting to normal, Sysclean would not run as the trojan would change the name to sysclean.exezz! AVAST would catch that and say it was some VBS trojan...
I searched Symantec for the virus and followed all the registry locations and none were affected...
I believe the lsass.exe has been compromised... how do I clean it! |
|
  cacroll Eventually, Prozac becomes normal Premium join:2002-07-25 Martinez, CA
| said by Da Geek Kid :update on the Trend Micro... I ran the Trend Micro in Safe mode and Zilch! However, after booting to normal, Sysclean would not run as the trojan would change the name to sysclean.exezz! AVAST would catch that and say it was some VBS trojan...
Can you locate the actual bad file? Find out what bad sh!t you're dealing with.
•Run the bad file thru the multi-scanners provided by Jotti and VirusTotal.
•Identify any scanning engines, used by Jotti or VirusTotal, that detected a problem in the bad file.
•See if any engines, from the second step, have online whole computer scanners. Scan the whole system with any available.
»nitecruzr.blogspot.com/2005/10/o···les.html
Use available tools, and check the entire computer. Don't just guess at the problem. What you find may help others, so post your findings. -- Cheers, Chuck MS-MVP [Windows - Networking] PChuck's Network |
|
  Da Geek Kid
join:2003-10-11 Mclean, VA
| reply to Da Geek Kid here's another update..
found out that Trend Micro was interfering with AVAST! This was only when I was attempting to run Sysclean during normal mode. I closed AVAST and still no virii found! Oh FYI the VBS trojan was Redloft... but I believe that was because Trend Micro loads the sigs to look for them
I just plugged the PC into the network and saw this using netstat -a
mail2.gigasystems.com:8163
I have no mailserver and no apps are running only thing that is running is Tiny
please help.. |
|
  cacroll Eventually, Prozac becomes normal Premium join:2002-07-25 Martinez, CA
| said by Da Geek Kid :here's another update.. found out that Trend Micro was interfering with AVAST! This was only when I was attempting to run Sysclean during normal mode. I closed AVAST and still no virii found! please help..
You have several possible procedures to follow:
•The (suggested) standard BBR malware procedure, including HJT which is the essential ingredient.
•Run the source of zxvcc73x.exe (or whatever it is now) thru Jotti and VirusTotal, and let's see what their scanning engines reveal.
•Every other ad-hoc suggestion for each individual virus scan on the web.
Remember, this may not be a viral infection. Not all malware is viral, and not all malware can be detected by purely virus scanners. Which is the reason for Jotti and VirusTotal (the latter a misleading name). -- Cheers, Chuck MS-MVP [Windows - Networking] PChuck's Network |
|
  Da Geek Kid
join:2003-10-11 Mclean, VA | reply to Da Geek Kid here's an update...
Using Diamond CS I have found that lsass.exe uses port 8163 to connect to the hub.de IRC network, which uses the Unreal 3.2.1 server? It then wants to join #x2#
anyone seen this? how do I clean lsass.exe |
|
  mike_p
@optonline.net
| reply to Da Geek Kid I've got the same problem... I didn't quite find out all that information as I just woke up and after installing something I received from a torrent file (whilst having the latest updated virus pattern files).
SITEBAR! "Internet Explorer Add-In"
the 2 variants I've seen so far are: tb.exe low.exe
still trying to see if I can learn more about it... Adware detected DyFuCa, but that was probably already on there as DyFuCa goes into a dead end, no leads. |
|
  Da Geek Kid
join:2003-10-11 Mclean, VA | reply to Da Geek Kid Spybot detects the Sitebar and removes it but it keeps coming back...
... also all the Windows warnings get turned off, such as Live Update, firewall warning, AV warning, etc... |
|
  Rusty Dusty
join:2002-11-23 Littleton, NH
| Before you get to the point where you might not even be able to boot your computer...
Post number two of your topic gives you the best starting point for repair. Suggest that you print out the instructions and do them step by step.... »Security »I think my computer is infected or hijacked. What should I do? |
|
  mike_p
@optonline.net
| reply to Da Geek Kid Ok so... hmmm... Trend Micro does nothing at all, going to try Hijackthis in a sec... all those stupid files are in the root C:\ folder ...
I got this by installing Alcohol 120%. Something along the lines of Star Wind iSCSI or something like that asked me if I wanted to install the option. I unchecked that box and proceeded with the install. Alcohol was installed, I went to sleep... next morning my internet barely works (it really killed my internet, literally) and now I'm sitting here using this laptop.
I tried manually deleting them from within the root folder (C:) and removed any references to processes unknown (to me) using regedit and Autoruns... nothing too unfamiliar or peculiar... after a short while the files reappear in their spots and I get a popup for whiplashmusic.com ...
Boy i'd like to wring their necks right now... |
|
  mike_p
@optonline.net
| reply to Da Geek Kid after searching the URL (whiplashmusic.com/blank.html) ... the only thing I'm really getting that's consistent is the compromising of lsass.exe ... it's been used by other viruses before.
Question from me, how do we replace it? clean it? repair it? |
|
  cacroll Eventually, Prozac becomes normal Premium join:2002-07-25 Martinez, CA
| said by mike_p :
after searching the URL (whiplashmusic.com/blank.html) ... the only thing I'm really getting that's consistent is the compromising of lsass.exe ... it's been used by other viruses before.
Question from me, how do we replace it? clean it? repair it?
The definitive tool is HijackThis, possibly followed by Jotti / VirusTotal scans. You have to know what you're dealing with. »Security »I think my computer is infected or hijacked. What should I do? »nitecruzr.blogspot.com/2005/05/d···are.html »nitecruzr.blogspot.com/2005/10/o···les.html -- Cheers, Chuck MS-MVP [Windows - Networking] PChuck's Network |
|
  Da Geek Kid
join:2003-10-11 Mclean, VA | reply to Da Geek Kid it gets interesting....
After the connection to hub.de the trojan downloads the Site bar, i.e. zxvcc73x.exe, and it extracts it and runs sw.bat....
I will send the exe to Jotti and virustotal |
|
 michaeldp0
join:2002-11-23
| reply to Da Geek Kid btw, this is mike_p
yeah... I've turned off my system restore to ensure it doesn't keep coming back through that way... the C:\WINDOWS\lsass.exe is the invalid file where the C:\WINDOWS\SYSTEM32\lsass.exe IS the legitimate file...
HijackThis detects it and I see it every time I do a scan...
I wonder if this has anything to do with the HOSTS files I've heard about... I'm trying to identify wtf this thing is and how I can stop it from recurring |
|
 michaeldp0
join:2002-11-23
2 edits | reply to Da Geek Kid Ok so I ended all the tasks (it came back even with system restore turned off) and deleted those files in the root folder of C. Then I rebooted and went into Safe Mode (Command Prompt). Went into the C:\Windows directory... naturally it says lsass.exe isn't found...
typed all this: IN the WINDOWS directory, NOT SYSTEM32 (C:\Windows)
cd \
cd windows
dir /a
attrib -a -r -s -h lsass.exe
del lsass.exe
I restarted and my internet isn't getting jacked anymore. Seems like the problem is gone for me now at least. Not convinced it won't come back. |
|
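The last two michaeldp0 posts turn on one observation: the real lsass.exe lives in C:\WINDOWS\SYSTEM32, and the copy sitting in C:\WINDOWS is the trojan's. As an added example (not code posted by anyone in this thread), here is a small Python check that applies that rule to a process list and to the Windows directory itself. It goes a little beyond lsass.exe by covering a few other core binaries. The EXPECTED_DIRS mapping, the CSV layout (the column names ProcessId and ExecutablePath are the ones wmic uses for process get ProcessId,ExecutablePath /format:csv; the rest of the layout is assumed) and the SAMPLE_CSV rows are all constructed for the example.

```python
r"""Spot Windows system binaries running from, or copied to, the wrong place.

Added example for this thread, not code from any participant. A process
named lsass.exe is legitimate only when it runs from the System32 directory,
so C:\WINDOWS\lsass.exe is suspect. The same rule is applied to the file
system: any file in the Windows root that shares its name with a System32
binary is reported.
"""
import csv
import io
import ntpath
import os

# Assumed for this example: core binaries and the only directory they should
# run from. Extend the mapping as needed; comparison is case-insensitive.
EXPECTED_DIRS = {
    "lsass.exe": r"C:\WINDOWS\system32",
    "svchost.exe": r"C:\WINDOWS\system32",
    "winlogon.exe": r"C:\WINDOWS\system32",
    "services.exe": r"C:\WINDOWS\system32",
}


def find_masquerades(processes, expected=EXPECTED_DIRS):
    """processes: iterable of (pid, full_path).

    Returns [(pid, path, reason)] for every process whose file name is a
    protected system binary but whose directory is not the expected one.
    ntpath is used so the check behaves the same when run off-box on Linux.
    """
    findings = []
    for pid, path in processes:
        name = ntpath.basename(path).lower()
        if name not in expected:
            continue
        actual_dir = ntpath.normcase(ntpath.dirname(path))
        if actual_dir != ntpath.normcase(expected[name]):
            findings.append((pid, path, f"{name} running outside {expected[name]}"))
    return findings


def parse_process_csv(text):
    """Parse CSV text with ProcessId and ExecutablePath columns into
    (pid, path) tuples. Rows with an empty path (System, Idle) are skipped.
    Column order does not matter because rows are read by header name."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    return [(int(r["ProcessId"]), r["ExecutablePath"])
            for r in rows if r.get("ExecutablePath")]


def shadowed_system_files(windows_dir):
    """Return names of files directly inside windows_dir that also exist in
    its System32 subdirectory, the pattern seen with C:\\WINDOWS\\lsass.exe.
    Returns [] when windows_dir has no System32 (e.g. not a Windows tree)."""
    system32 = os.path.join(windows_dir, "System32")
    if not os.path.isdir(system32):
        return []
    legit = {n.lower() for n in os.listdir(system32)}
    return sorted(n for n in os.listdir(windows_dir)
                  if os.path.isfile(os.path.join(windows_dir, n))
                  and n.lower() in legit)


# Constructed sample shaped like wmic CSV output; not captured from a real host.
SAMPLE_CSV = """Node,ExecutablePath,ProcessId
HOST,,4
HOST,C:\\WINDOWS\\system32\\lsass.exe,680
HOST,C:\\WINDOWS\\lsass.exe,1932
HOST,C:\\WINDOWS\\System32\\svchost.exe,1024
HOST,C:\\Program Files\\Tiny\\tiny.exe,1500
"""

if __name__ == "__main__":
    for pid, path, reason in find_masquerades(parse_process_csv(SAMPLE_CSV)):
        print(f"PID {pid}: {path} -> {reason}")
```

Against real output, save the wmic CSV to a file and hand its contents to parse_process_csv; on the infected box itself, shadowed_system_files(r"C:\WINDOWS") lists look-alike files such as the lsass.exe michaeldp0 deleted, so rerunning it after a reboot shows whether the dropper has put the file back.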