how can i remove st.exe??

Discussion in 'malware problems & news' started by tr4, Jul 19, 2004.

Thread Status:
Not open for further replies.
  1. tr4

    tr4 Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    3
    hi folks
    i've a problem: somehow the file "st.exe" has installed itself on my computer. how can i get rid of that thing again?

    i've already tried the following programs:
    - spybot s&D
    - e-scan
    - ad-aware
    - hijack this
    - spyware blaster
    - cwshredder
    - norton antivirus

    e-scan is the only program that is able to detect the virus - it also says action taken = deleted, but as soon as i start the computer again st.exe is still there at c:\windows!!!!!!


    i post the actual hijack this log file:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:00:01, on 19.07.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\explorer.exe
    C:\Programme\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Programme\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Programme\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Programme\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Dokumente und Einstellungen\BRG32\Desktop\NetBus Detective\Detect50.exe
    C:\Programme\Nikon\NkView4\NkVwMon.exe
    C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programme\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
    C:\Programme\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Programme\Internet Explorer\iexplore.exe
    C:\Dokumente und Einstellungen\BRG32\Desktop\Sicherheit\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Programme\Outlook Express\msimn.exe"
    F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Programme\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [SetRefresh] C:\Programme\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Programme\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [NetBus Detective] C:\Dokumente und Einstellungen\BRG32\Desktop\NetBus Detective\Detect50.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkVwMon.exe.lnk = C:\Programme\Nikon\NkView4\NkVwMon.exe
    O9 - Extra 'Tools' menuitem: Sun Java Konsole (HKLM)
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EA2BEE7B-D6ED-4E4C-B60D-3021946FAF7D}: NameServer = 157.161.169.150,157.161.169.130

    thanks a lot for your help.

    i also post a line from the log from e-scan:

    Thu Jul 15 10:59:07 2004 => File C:\WINDOWS\st.exe infected by "TrojanDownloader.Win32.Small.oc" Virus. Action Taken: File Deleted.
     
    Last edited: Jul 19, 2004
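The F0/F2 lines in the log above are the persistence point at issue: a second executable appended after explorer.exe in the Shell value is started by the logon process every time the user logs on. The following Python triage script is an added example, not tool output from this thread; it parses those HijackThis line formats (sample lines reproduced from the log above) and reports any Shell value that carries more than explorer.exe, together with the value to restore.

```python
import re

# Constructed sample in HijackThis 1.97 line format; the Shell lines reproduce
# the netdc.exe entries from the log posted above, the O4 lines two Run entries.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Programme\Outlook Express\msimn.exe"
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
"""

# F0 = shell line read from system.ini, F2 = the same value as mapped into the registry.
SHELL_LINE = re.compile(r"^(?P<code>F0|F2) - (?P<source>.+?): Shell=(?P<value>.*)$")
# O4 = autostart entries; hive is HKLM or HKCU, name is the value name in brackets.
RUN_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

def split_command(cmd):
    """Split a Run command into (executable path, arguments), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()

def parse_shell_entries(log_text):
    """Return (code, source, value) for each F0/F2 Shell line."""
    entries = []
    for line in log_text.splitlines():
        m = SHELL_LINE.match(line.strip())
        if m:
            entries.append((m["code"], m["source"], m["value"].strip()))
    return entries

def parse_run_entries(log_text):
    """Return (hive, name, path, args) for each O4 Run line."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            path, args = split_command(m["cmd"])
            entries.append((m["hive"], m["name"], path, args))
    return entries

def shell_extras(value):
    """Tokens that do not belong in a Shell value.
    A clean Windows XP Shell value is exactly 'explorer.exe'; every additional
    token is another program started alongside the desktop at logon.
    If explorer.exe is not even first, the whole value is returned."""
    tokens = value.split()
    if not tokens or tokens[0].lower() != "explorer.exe":
        return tokens
    return tokens[1:]

def triage(log_text):
    """One finding per hijacked Shell line, with the value to restore."""
    findings = []
    for code, source, value in parse_shell_entries(log_text):
        extras = shell_extras(value)
        if extras:
            findings.append({"code": code, "source": source, "value": value,
                             "extras": extras, "restore": "Shell=explorer.exe"})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f['code']} {f['source']}: extra shell program(s) {f['extras']} -> set {f['restore']}")
    for hive, name, path, args in parse_run_entries(SAMPLE_HJT_LOG):
        print(f"O4 {hive} [{name}] runs {path!r} with args {args!r}")
```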
  2. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    welcome to the forum dear tr4, i'm not sure but this netdc.exe in your system32 folder looks fishy. don't think it's normal. please submit that file for analysis.
     
  3. tr4

    tr4 Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    3
    hi amrx
    thanks a lot for your reply - i looked in my c:\windows\system32 directory for the netdc.exe file but surprise surprise this file no longer exists there.
    the newest e-scan therefore came up with the following message:

    File C:\WINDOWS\Reboot.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\WINDOWS\st.exe infected by "TrojanDownloader.Win32.Small.oc" Virus. Action Taken: File Deleted.

    the log of today's hijack this looks as follows:

    Logfile of HijackThis v1.97.7
    Scan saved at 13:53:08, on 20.07.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Programme\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Programme\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Programme\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Dokumente und Einstellungen\BRG32\Desktop\NetBus Detective\Detect50.exe
    C:\Programme\Messenger\msmsgs.exe
    C:\Programme\Nikon\NkView4\NkVwMon.exe
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\Programme\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
    C:\Programme\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Programme\Internet Explorer\iexplore.exe
    C:\Dokumente und Einstellungen\BRG32\Desktop\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Programme\Outlook Express\msimn.exe"
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Programme\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [SetRefresh] C:\Programme\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Programme\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [NetBus Detective] C:\Dokumente und Einstellungen\BRG32\Desktop\NetBus Detective\Detect50.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkVwMon.exe.lnk = C:\Programme\Nikon\NkView4\NkVwMon.exe
    O9 - Extra 'Tools' menuitem: Sun Java Konsole (HKLM)
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EA2BEE7B-D6ED-4E4C-B60D-3021946FAF7D}: NameServer = 157.161.169.150,157.161.169.130


    sorry to trouble you, but i honestly do not know what to do to get rid of these buggers.

    many thanks

    tr4
     
  4. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    dear tr4, looks like the downloader part is deleted. your log looks clean and though not necessary you should delete the file REBOOT.EXE manually. now do another eScan scan and tell us if you still find ST.EXE or any other buggers. please try this tool http://www.diamondcs.com.au/index.php?page=asviewer to check which programs are starting automatically.
     
  5. tr4

    tr4 Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    3
    dear amrx thank you so much for your reply.

    i'll post you a copy of the actual e-scan log and the asviewer.

    File C:\WINDOWS\Reboot.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\WINDOWS\st.exe infected by "TrojanDownloader.Win32.Small.oc" Virus. Action Taken: File Deleted.


    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for BRG32@RGXP, 07-23-2004
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    REM Die EMM-Größe wird in der PIF-Datei (entweder die Datei _DEFAULT.PIF
    C:\WINDOWS\system32\himem.sys
    C:\PVSW\BIN\BTRDRVR.SYS
    c:\windows\wininit.ini [rename]
    NUL=C:\PROGRA~2\INTERN~1\sim\bdl14122.exe
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    explorer.exe C:\WINDOWS\System32\netdc.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\System32\logon.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    explorer.exe C:\WINDOWS\System32\netdc.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\System32\logon.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IgfxTray
    C:\WINDOWS\System32\igfxtray.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HotKeysCmds
    C:\WINDOWS\System32\hkcmd.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DrvLsnr
    C:\Programme\Analog Devices\SoundMAX\DrvLsnr.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\srmclean
    C:\Cpqs\Scom\srmclean.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SetRefresh
    C:\Programme\Compaq\SetRefresh\SetRefresh.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CPQEASYACC
    C:\Programme\COMPAQ\Easy Access Button Support\StartEAK.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\vptray
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
    C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetBus Detective
    C:\Dokumente und Einstellungen\BRG32\Desktop\NetBus Detective\Detect50.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Ad-aware
    C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS
    C:\Programme\Messenger\msmsgs.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
    C:\WINDOWS\System32\CTFMON.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Gamma Loader.lnk
    C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
    C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk
    C:\Programme\Microsoft Office\Office\OSA9.EXE
    C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\NkVwMon.exe.lnk
    C:\Programme\Nikon\NkView4\NkVwMon.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll

    as you can see the st.exe is still there. e-scan does delete this file every time i scan, but as soon as i reboot the machine, it appears again.

    thanks again for your help.
     
  6. dougdoug

    dougdoug Registered Member

    Joined:
    Aug 1, 2004
    Posts:
    3
    Location:
    Studio City, CA
    Hi...

    Pardon me for intruding, but I have been trying to remove ST.EXE from a friend's system for days now. Initially the system was infested with > 100 different viruses, trojans, and assorted pests, but using Pest Patrol, Spybot, Ad-aware, HJT, Norton Anti-Virus, and some other tools I was able to remove all but this bugger.

    The symptoms are exactly as described above. I can kill the st.exe process and delete the file, but at next reboot, it's right back. It disables Norton personal firewall, and I believe it is related to Netdc.exe, because the registry entry HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell is being changed to attempt to run C:\windows\system32\netdc.exe with every reboot as well. I found and deleted the file once, but I don't see the file there any more.

    Yesterday I purchased and downloaded TDS-3 from DiamondCS, got the newest definitions file, and ran a total system scan. TDS found three encrypted copies in various files, which I deleted. It identified the trojan as "TrojanDownloader.Win32.Small.oc", so all this tallies with tr4's experience.

    Any further thoughts?
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,773
    Location:
    Texas
    If the operating system is XP, you may have to turn off system restore to kill that trojan.

    Pest Patrol has a write up here.
     
    Last edited: Aug 1, 2004
  8. dougdoug

    dougdoug Registered Member

    Joined:
    Aug 1, 2004
    Posts:
    3
    Location:
    Studio City, CA
    Hi Ronjor,

    Thank you for replying. I saw that writeup and did turn system restore off... ran most recent update on Pest Patrol and it STILL keeps coming back. Arrrgh.
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,773
    Location:
    Texas
    Computer Associates has a writeup on Lovegate, which it says st.exe is a part of, and they have some cleaning tools.

    Unless someone knows a better way------------

    Computer Associates

    Edit: You could also use one of these sites and post a hijack log.

    Hijack sites
     
    Last edited: Aug 2, 2004
  10. JCJ

    JCJ Guest

    I've had a similar problem with a file called sysupd.exe. Though it was detected (and removed!) by my virus scanner it did show up again after about 10 seconds. I've tried many other scanners as well. Without effect. Finally, I've replaced sysupd.exe by a dummy sysupd.exe (doing absolutely nothing) that I've written. It works well. I know, it's not elegant. It's like an aspirin: it doesn't cure but it relieves.
     
  11. Theo

    Theo Guest

    I got the same problem with st.exe: tried every trick I could find on the internet, used all kinds of anti-virus software, anti-Trojan software, firewalls, even replaced the file with an empty st.exe-dummy etc. and nothing helps. st.exe keeps coming back after reboot. Disabling system restore does not work, going into safe mode does not help. Norton keeps finding the virus and is not able to get rid of it.
    I am in desperate need of a real cure!!!
     
  12. Theo

    Theo Guest

    I finally found the solution!
    St.exe is not recreated by MS system restore nor downloaded from the internet at every reboot.
    The file is recreated every time you reboot by one or two running hidden processes.
    Download Security Task Manager here:
    http://www.neuber.com/taskmanager/index.html
    He will find one or two (hidden) processes running (100% certainty to be mal-ware), both netd*.exe
    In my case it was netdb.exe and netdc.exe
    Quarantine or delete both processes.
    Then remove st.exe in safe mode from C:\WINDOWS or have Norton Anti-virus quarantine and delete it.
    Et voila! Send me a smile if it works for you too!!!

    Theo
     
  13. oodham

    oodham Guest

    I had the same Backdoor Keylogger Trojan; the dropped executables were netda.exe, netdb.exe, netdc.exe, and st.exe. The WindowsNT\Winlogon adds to Explorer.exe, and the Current Version\Run adds in the HKLM registry key, and st.exe, will keep coming back until you find and delete the worm, which, in my case, renamed itself to Wmplayer.exe & Notepad.exe. Delete these and reinstall them. Look for Notepad.com, and delete it. That done, reboot, and look in the Windows\System32\Drivers\Etc\ Hosts file for an inserted list of null IP addresses that block access to antivirus sites. The netdb.exe in the Windows Task Manager will show up for about 1/2 second, and then appear to shut down; Security Task Manager will show it is still running.
    I understand this worm will look for windows with certain keywords in the title bar, then log all keystrokes in that window to a file in the Windows folder, then email them to a remote location, and can simulate an Internet Explorer environment and run that way. Look for an unexplained iexplore process running. To detect this happening, have Pop-up Stopper running on boot. Then try to run IE.
    Refs: Dumarov-B, and Backdoor.Nibu.E
    Joe Myers
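The HOSTS-file inserts described in the post above work by mapping update and vendor hostnames to a loopback or null address, so the machine can no longer reach them. As an added example, not from the thread, this Python audit parses a constructed HOSTS sample (the vendor hostnames are ones mentioned elsewhere in this thread) and lists every name routed to a sinkhole address other than localhost, then produces a cleaned copy.

```python
import ipaddress

# Constructed HOSTS sample, not copied from any real machine. The first entry is
# the stock localhost line; the next three imitate the null-IP inserts described
# above, using vendor hostnames that appear elsewhere in this thread.
SAMPLE_HOSTS = """\
# comment line, ignored
127.0.0.1       localhost
127.0.0.1       securityresponse.symantec.com
0.0.0.0         www.sophos.com
127.0.0.1       www.diamondcs.com.au   # trailing comment
192.168.1.10    printserver.example
"""

# Names that may legitimately point at a loopback address.
LEGITIMATE_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Yield (address, [hostnames]) for every entry line, dropping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0], parts[1:]

def is_sinkhole(address):
    """True for addresses that swallow traffic: loopback (127.x, ::1) or 0.0.0.0."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def find_blocked_hosts(text):
    """Hostnames routed to a sinkhole address that are not localhost itself.
    On a machine that cannot reach its AV vendor's update site, these are the
    entries to look at first."""
    blocked = []
    for address, names in parse_hosts(text):
        if is_sinkhole(address):
            blocked.extend(n for n in names if n.lower() not in LEGITIMATE_LOOPBACK_NAMES)
    return blocked

def clean_hosts(text):
    """Return the file with sinkhole entries for non-localhost names removed;
    comments and legitimate lines are kept unchanged."""
    kept = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].split()
        if len(entry) >= 2 and is_sinkhole(entry[0]) and any(
                n.lower() not in LEGITIMATE_LOOPBACK_NAMES for n in entry[1:]):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    for name in find_blocked_hosts(SAMPLE_HOSTS):
        print("blocked by HOSTS:", name)
    print(clean_hosts(SAMPLE_HOSTS))
```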
     
  14. ricardo56

    ricardo56 Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    13
    Hi oodham,
    I am having the same problem with this trojan st.exe/netdc.exe. I tried to follow what you posted, but I did not understand very well, because I am new at this. I have posted in this forum as ricardo56 with trojan st.exe, if you could take a look and have some suggestion. I am really at a loss in this, I just can't get rid of it, and no antivirus/spyware, etc, have any tool to fix it.

    Thanks
    Ricardo
     
  15. Joe Myers

    Joe Myers Registered Member

    Joined:
    Aug 15, 2004
    Posts:
    1
    This worm seems to be one of a group of worms, all slightly different, see, http://www.sophos.com/virusinfo/analyses/trojdumarub.htm and http://securityresponse.symantec.com/avcenter/venc/data/backdoor.nibu.e.html .
    I am not a hacker, just did this in self-defense. But, I suspect the following: It will rewrite NAV2004 to not detect it; it would not detect Notepad.com as a virus; the worm, with the Host file adds, would not allow a virus def update, although it appeared to install, the date was wrong. Turned off System Restore to make sure the worm was not in a Restore Point. Downloaded NAV updates in Safe Mode, and was able to delete the worm, although it came back in a modified form 2 days later, and reinstalled. The worm process, netdb.exe, was then running in hidden mode, visible to Security Task Manager; the extra iexplore was visible in Windows Task Manager. I found the worm by looking at creation dates on System files; did a lot of guessing and searching. The Notepad.com is a bogus System file, but I think Wmplayer.exe and Notepad.exe were also involved. I deleted the two, kept Notepad.com separate, reinstalled, THEN, I deleted the registry entries, the storage file, and the Hosts file inserts. Just as a test, I ran Notepad.com after reboot, and immediately had the worm back. Cleaned it all out again. Logically speaking, you can not prove a negative; it SEEMS to be gone, but I am monitoring the registry locations and processes for a while. This information may already be obsolete!
    It has gotten worse over the last several years; a War Party of Apaches pounding at the gates.
    Athlon XP, XP home sp1, GA-7VRXP, IE 6 xpsp2, NAV2004, + free defense progs.
    Joe
     
  16. willjohnston

    willjohnston Registered Member

    Joined:
    Aug 28, 2004
    Posts:
    2
    I have the same problem with trying to delete netda.exe etc. and the register entries. They just keep coming back after re-boot, even with auto-restore switched off.

    After reading here, it seems that the trojan is re-creating these files and register entries through some kind of start-up program which is not detected by any anti-trojan or scanner available today. I've tried even TDS-3 and it didn't find anything, but nevertheless after running "Security Task Manager" at www.neuber.com/taskmanager/index.html, I have finally found confirmation that they do exist as processes in the system. Up until now, I have only found traces in register entries, and can find the actual netda.exe etc. files in system32 directories in safe mode (only), but never saw them actually running.

    But what should be done now? They are definitely running and can be killed from Security Task Manager. Has anyone managed to finally trace down and identify the name of the startup program which is responsible? Some here mentioned that they are hidden as Notepad or other programs, but how come a powerful program like TDS-3 doesn't detect this anyway?

    Thank you ALL!!
     
  17. willjohnston

    willjohnston Registered Member

    Joined:
    Aug 28, 2004
    Posts:
    2
    Just a follow-up email. Has anyone who has run the Security Task Manager successfully identified netda.exe etc.? If so, did they manage to check the PID process number they are using and identify their fake name under the normal Windows Task Manager? Or do they simply not show up in Windows' Task Manager at all??
     
  18. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You may want to ask this question in the TDS forum...

    Cheers :D
     
  19. DP30

    DP30 Guest

    Has anyone found how to get rid of this in "ME"?
    I have had it since early August, and have tried the same list of programs others have also tried.
     
  20. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  21. aerotug

    aerotug Guest

    I just kicked this trojan horse's butt after a day of pulling hair trying to get rid of it and having it reappear time and again. Here are the procedures I used.

    OS: Windows ME

    Do a file search for st.exe; chances are you won't find it.

    Disable System Restore, accessible from My Computer Properties, troubleshooting tab.

    Run an up-to-date PestPatrol and delete the pests it finds.

    Search next for netd*.* and look for netda.exe, netdb.exe, or netdc.exe to surface. Note its date!!!

    Delete above files. The one which won't delete is the active one. Write down its full path.

    Now do a search by date, entering the above filedate in both 'from' and 'to' windows.

    Delete all unfamiliar files which show up, writing down the path for any which refuse to delete. BTW, Notepad.com is a bogus file and must be deleted.

    Run msconfig, select the system.ini tab, expand the boot folder and examine the shell command.

    Edit it to read: shell=explorer.exe Delete anything else in that line!!!

    Shell out of Windows, rebooting to your startup floppy and select minimal boot when asked.

    When the A:\> appears, change to C drive and go to the path or paths of the undeletable files and delete them. Hope you know DOS commands.

    Now remove the floppy and reboot the system. All should be clear now. If you need more help, you can e-mail me at <aerotug@shaw.ca>
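The "search by date" step above pivots from a known-bad file's timestamp to everything else written on the same day, which is how the renamed helper files get found. This Python script is an added example of that pivot, not aerotug's own tool; it builds a throwaway directory tree with constructed files (names borrowed from this thread, contents a dummy marker) and returns every file that shares the reference file's modification date, optionally skipping a known-good list.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path

def file_date(path):
    """Calendar date (local time) of the file's last modification."""
    return datetime.fromtimestamp(os.path.getmtime(path)).date()

def files_sharing_date(root, reference_file, known_good=()):
    """Every regular file under `root` whose modification date equals that of
    `reference_file`, excluding the reference itself and any file whose
    lower-cased name is in `known_good`. This is the manual 'search by date,
    same date in from and to' step done programmatically."""
    target = file_date(reference_file)
    ref = Path(reference_file).resolve()
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.resolve() == ref:
            continue
        if p.name.lower() in known_good:
            continue
        if file_date(p) == target:
            hits.append(p)
    return sorted(hits)

def build_sample_tree():
    """Construct a throwaway tree for the demonstration. File names are borrowed
    from this thread; contents are a dummy marker, not real binaries. Two files
    are stamped on the suspect's day, one a month earlier."""
    root = Path(tempfile.mkdtemp(prefix="datepivot_"))
    windir = root / "WINDOWS"
    sys32 = windir / "System32"
    sys32.mkdir(parents=True)
    suspect_ts = datetime(2004, 6, 28, 14, 3).timestamp()
    older_ts = datetime(2004, 5, 12, 9, 0).timestamp()
    stamps = {
        sys32 / "netdc.exe": suspect_ts,                 # the reference file
        windir / "notepad.com": suspect_ts + 90,         # written the same afternoon
        windir / "wmplayer.exe.bak": suspect_ts + 3600,  # same day, an hour later
        sys32 / "igfxtray.exe": older_ts,                # unrelated, earlier date
    }
    for path, ts in stamps.items():
        path.write_bytes(b"constructed sample - not a real executable")
        os.utime(path, (ts, ts))
    return root, sys32 / "netdc.exe"

if __name__ == "__main__":
    root, suspect = build_sample_tree()
    print(f"reference {suspect.name} dated {file_date(suspect)}")
    for hit in files_sharing_date(root, suspect, known_good={"igfxtray.exe"}):
        print("same-day file:", hit.relative_to(root))
```

On a real system the same function would be pointed at the Windows directory with the suspect file as reference; the known-good set is where files you have already verified go.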
     
  22. DP30

    DP30 Guest

    Thanks to both of you. Sorry for the slow reply.
    I did find that the Trojan showed up in late June and didn't make itself known with the "st.exe" until mid August. I think part of it may have been the notepad.com file, but I also found the file that changed my setting was listed as wmplayer.exe.bak. I did a search on the netdc.exe to find all the files. The wmplayer file included a copyright and a name!
    I also find that the "netdc.exe" is in my "used.dat" file. Will this just go away?
    Is it best to remove all the restore files that have saved the trojan?
     
  23. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I would follow the advice of Jooske found here

    And to be 100% sure your system is clean you may want to look here and follow the steps in post number 4.

    Hope this helps...

    Let us know how you go...

    Cheers :D
     