System files infected

[Devin84]

I need your help. These files got infected:


C:\WINDOWS\sys_ext.dll - Win32/StartPage.BX trojan

C:\WINDOWS\SYSTEM32\__sys.exe - Win32/Apsiv.A worm

C:\WINDOWS\SYSTEM32\xplugin.dll - Win32/TrojanDownloader.Esepor.F trojan

NOD32 can't clean them, what should I do, I can't delete them they are important files. If I delete them my Windows XP stops working. What should I do?

Thanx in advance!

[steve1955]

Have you tried a restore to before infection?

[steve1955]

ps can't find any of the named files on my system

[Devin84]

You mean reinstall WinXP?
There got to be another way.

[izi]

Restart in Safe mode and then run NOD32 scanner. Delete all infected files if NOD can't cure this files!

izi

[steve1955]

No system resore to point before infection

[steve1955]

Failing that launch msconfig and restore files from insallation disc using:-
general tab and expand file button then follow the dialogs

[steve1955]

looks like my "t" key has gone sticky!!

[Paul Wilders]

Devin,

In case the above mentioned won't work, please follow this advice and after that post over on the forum mentioned.

regards.

paul

[dvk01]

Those files are allassociated with a cWS hijack so

CWshredder from http://www.merijn.org/cwschronicles.html
or http://www.wilderssecurity.com/attachments/CWShredder1481.zip
Run CWSHREDDER, check you have the current version, press check for update and let it update
Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.
and make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection, otherwise you will be continually reinfected
the patches are :
http://support.microsoft.com/default.aspx?kbid=828026
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp
*Note: The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates & service Packs"

[Devin84]

Thanx for the advice guys but these files are still infected:

File C:\WINDOWS\sys_ext.dll is infected with trojan Win32/StartPage.BX. NOD32 cannot clean this infiltration.

File C:\WINDOWS\SYSTEM32\__sys.exe is infected with worm Win32/Apsiv.A. NOD32 cannot clean this infiltration.

I strongly believe that sys_ext.dll & __sys.exe are of much importance, other ways?

[dvk01]

Quote:

quoting: Devin84 link=board=39;threadid=21894;start=0#msg131511 date=1076851394]
Thanx for the advice guys but these files are still infected:

File C:\WINDOWS\sys_ext.dll is infected with trojan Win32/StartPage.BX. NOD32 cannot clean this infiltration.

File C:\WINDOWS\SYSTEM32\__sys.exe is infected with worm Win32/Apsiv.A. NOD32 cannot clean this infiltration.

I strongly believe that sys_ext.dll & __sys.exe are of much importance, other ways?

They are not genuine windows fuiles and need to be deleted

they are the actual trojan virus file and NOD cannot clean them, because they aren't a genuine file with an infection. NOD should be able to delete them though

but as well as deleting the files youi need to delete their associated registry entries so do as paul suggested and post a hijackthis log so we can see and advise
go to http://www.merijn.org/files/hijackthis.zip , and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please post its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

if merijn.org is still down due to the ddos attack then a copy of HJT is available from http://www.wilderssecurity.com/attachments/hijackthis1977.zip

[Devin84]

Ok i did what you said: I deleted the two files and finished scanning with HijackThis.exe here's the Log:

Logfile of HijackThis v1.97.7
Scan saved at 14:37:44, on 2004-02-15
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Messenger Plus! 2\MsgPlus.exe
C:\Program\Interactive Agents\ActivePlus.exe
C:\Program\ATI Technologies\HydraVision\HydraDM.exe
C:\Program\Eset\nod32kui.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program\TransText\TransText.exe
C:\Program\DV Series\Console\Watch.exe
C:\Program\Eset\nod32krn.exe
C:\Program\Cleaner\tca.exe
C:\Program\Cleaner\tcm.exe
D:\Program2\MYIE2\MyIE.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Devin\Skrivbord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tradera.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program\NewDotNet\newdotnet5_64.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program2\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56381348-3352-468b-ad11-1f02943c5ffc} - C:\DOCUME~1\Devin\APPLIC~1\rukgrglqo.dll (file missing)
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: hidrdrwcnqn - {fba654e2-c81e-4f50-a699-d208dac3977c} - C:\DOCUME~1\Devin\APPLIC~1\rukgrglqo.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MOD] C:\Program\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ActivePlus] "C:\Program\Interactive Agents\ActivePlus.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program\ATI Technologies\HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\Program\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [tcactive] C:\Program\Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program\Cleaner\tcm.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - Global Startup: TransText.lnk = C:\Program\TransText\TransText.exe
O4 - Global Startup: Watch.lnk = C:\Program\DV Series\Console\Watch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {607DF741-7D0A-11D4-9EDC-005004189684} - http://www.ucmore.com/download/UCmoreIEx.cab
O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} (IMCv1 Control) - http://207.142.8.119:1995/talk.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37903.2790162037
O16 - DPF: {BF4FC0C7-4387-4D18-AD86-DF33DDDE33C7} - http://hot.activebuddy.com/catalog/smarterchild/websetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3048380F-7F70-4A58-9444-5F6A4579870F}: NameServer = 212.185.54.2,212.181.54.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{55D1D36C-87A3-4E0C-86E8-946B8C917557}: NameServer = 212.181.54.2,212.181.54.3

[dvk01]

You have a couple of other problems as well to fix, first uninstall new.net by following instructions on this page http://www.newdotnet.com#remove
then reboot
then
Run hijackthis, tick these entries listed below and ONLY these entries, if they still remain, double check to make sure, then make sure all browser & email windows are closed and press fix checked


O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program\NewDotNet\newdotnet5_64.dll
O2 - BHO: (no name) - {56381348-3352-468b-ad11-1f02943c5ffc} - C:\DOCUME~1\Devin\APPLIC~1\rukgrglqo.dll (file missing)
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: hidrdrwcnqn - {fba654e2-c81e-4f50-a699-d208dac3977c} - C:\DOCUME~1\Devin\APPLIC~1\rukgrglqo.dll (file missing)
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\Program\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup

O10 - Hijacked Internet access by New.Net

O16 - DPF: {607DF741-7D0A-11D4-9EDC-005004189684} - http://www.ucmore.com/download/UCmoreIEx.cab
O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} (IMCv1 Control) - http://207.142.8.119:1995/talk.cab

O16 - DPF: {BF4FC0C7-4387-4D18-AD86-DF33DDDE33C7} - http://hot.activebuddy.com/catalog/smarterchild/websetup.cab


Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders"
Click "Apply" then "OK"

Delete these files
NONE

and Delete these folders
C:\Program\NewDotNet\

then
Reboot normally and post a new log

I expect that this thread will be moved as it isn't a NOD problem

[Devin84]

Quote:

Also uncheck "Hide protected operating system files". Now click "Apply to all folders"
Click "Apply" then "OK"

Should I check it now, isn't it more secure?
However I did the things you wrote down and I'm thanfull for your help. I 99% sure that NewDotNet is gone now btw is it a spyware?

Here is my second Log:

Logfile of HijackThis v1.97.7
Scan saved at 16:31:20, on 2004-02-15
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Messenger Plus! 2\MsgPlus.exe
C:\Program\Interactive Agents\ActivePlus.exe
C:\Program\ATI Technologies\HydraVision\HydraDM.exe
C:\Program\Eset\nod32kui.exe
C:\Program\TransText\TransText.exe
C:\Program\DV Series\Console\Watch.exe
C:\Program\Eset\nod32krn.exe
D:\Program2\MYIE2\MyIE.exe
C:\Documents and Settings\Devin\Skrivbord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tradera.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program2\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MOD] C:\Program\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ActivePlus] "C:\Program\Interactive Agents\ActivePlus.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program\ATI Technologies\HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - Global Startup: TransText.lnk = C:\Program\TransText\TransText.exe
O4 - Global Startup: Watch.lnk = C:\Program\DV Series\Console\Watch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37903.2790162037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3048380F-7F70-4A58-9444-5F6A4579870F}: NameServer = 212.185.54.2,212.181.54.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{55D1D36C-87A3-4E0C-86E8-946B8C917557}: NameServer = 212.181.54.2,212.181.54.3


Oh yeah should I delete the backup files that Hijacker saved?

[Pieter_Arntz]

Hi Devin84,

Your log is clean now.
Hold on to the backups, until you are sure everything is working as it should.

Regards,

Pieter

[dvk01]

read these pages about newdotnet
http://www.doxdesk.com/parasite/NewDotNet.html

http://cexx.org/newnet.htm

it is one of the most problematical spywares around

If you want to revert your settings back to hide protected operating system files and hide hidden files and folders go ahead

but remember if you get problems how to expose them again to fix any problems

You do need to update your version of windows XP plain has many serious security and other faults and you really need to download and install SP1 from the windows update site, many of the latest security patches insist on SP1 being installed


Now you are clear this will help to keep it that way

Turn off system restore by following instructions here
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039 for Xp
or here
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239 for ME

That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable sytem restore & create a new restore point.

go here http://forums.net-integration.net/index.php?showtopic=3051 for info on how to tighten your security settings and how to help prevent future attacks.
On this page you will find links to Javacool's SpywareBlaster and SpywareGuard. Get them both and check for updates frequently.

The Immunize feature in Spybot used in conjunction with SpywareBlaster , SpywareGuard and weekly scans with Spybot and Adaware will go a long way toward keeping your PC free of these pests.
It also contains links for IE-SPYAD that puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

And links to a browser & security test site to test for exploits that might let these baddies in to your computer

Important!: ALWAYS check for updated detections and referencefiles before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis.

[Devin84]

Thank you all, and most of all for the valuable information dvk01, you have saved me a lot of work!