Please help me get rid of a sophisticated malware pest

Discussion in 'LnS English Forum' started by want2bemalwarefree, Jan 20, 2005.

Thread Status:
Not open for further replies.
  1. want2bemalwarefree

    want2bemalwarefree Registered Member

    Joined:
    Jan 20, 2005
    Posts:
    19
    Location:
    Texas
    I am having horrendous problems with a profoundly sophisticated malware which goes undetected by NOD32, TDS-3, Worm Guard, SpySweeper, Pest Patrol, UnHackMe, Ad Aware SE, Port Explorer, and everything else I have tried. The new beta 2 driver for LooknStop does detect that this thing is trying to get to the internet and allows me to block it - as a result I have purchased LooknStop tonight and am VERY grateful for this wonderful piece of software.

    The symptom is that it picks running programs and tries to use them to get to the Internet. An example would be the following warning from LooknStop:

    Service and Controller app
    C:\WINDOWS\SYSTEM32\SERVICES.EXE
    This software has started the following
    application which connects to the internet.
    Do you authorize it to do that?
    Generic Host Process for Win32 Services
    C:\WINDOWS\SYSTEM32\SVCHOST.EXE

    Sometimes it tries the above repeatedly until LooknStop shuts off all access to the Internet and I have to reboot. Other times it tries once or twice in a row at random intervals and then goes dormant for a while. On one occasion it went through a list of about 10 or 11 of the currently running processes which had access to the internet and tried each of them twice. Tonight it did something new - now that it has been thwarted by LooknStop it tried to send some UDP packets at one point. Fortunately LooknStop blocked this also.

    I have been fighting this thing since last Wednesday and the only thing which even detects its presence is LooknStop with the new Beta 2 driver and the registry settings set. Nothing else can detect it o_O .

    Any suggestions would be greatly appreciated. I intend to try Reg Run Security Suite Gold and Ewido Security Suite tomorrow night, if I get time, to see if either of these can detect it.
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Want2bemalwarefree, welcome to Wilders. As your thread is in regards to a Virus, Trojan or Malware I have moved it to this forum.

    Have you tried running your programs in Safe Mode as advised in General Cleaning?

    If these steps do not resolve your situation, you will need to download and run “Hijack This” found here and post your log at one of the forums found at A-SAP. The two bigger forums for HijackThis log processing, (meaning they process more log threads each day than most others) are: SpywareInfo.com and CastleCops.com. Be sure to read their posting policy in the links at their log review forum sections prior to posting.

    Once your system is clean, you may want to take a look here for further discussion on security and how to make your system that much stronger and here for more.

    This is what works really well for me, very simple to use and maintain.

    Hope this helps...

    Let us know how you go.

    Cheers :D
     
    Last edited: Jan 21, 2005
  3. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Hi Want2bemalwarefree,

    you may want to run Process Explorer (http://www.sysinternals.com/ntw2k/freeware/procexp.shtml) and when you get these alerts from LooknStop take a look at the modules relating to that process. If you could copy all the modules in there to a list and post it here it would allow us to help further.
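A scripted version of the module check Jason describes, added here as an example rather than anything posted in the thread or shipped with Sysinternals tools. It assumes a current PowerShell (where Get-Process exposes each process's .Modules) and an elevated prompt, and uses path and company name as a heuristic in place of Process Explorer's signature verification:

```powershell
# Added example: list the DLLs loaded into services.exe and every svchost.exe instance,
# the data Jason asks the poster to copy out of Process Explorer, and flag modules that
# do not look like Microsoft-shipped files. Run from an elevated PowerShell prompt;
# reading another process's module list otherwise fails with "Access is denied".
# A 32-bit PowerShell cannot enumerate 64-bit processes, so use the native one.
$sysRoot = $env:SystemRoot.ToLower()

$rows = Get-Process -Name services, svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try {
        $modules = $proc.Modules
    } catch {
        Write-Warning ("PID {0} ({1}): cannot read modules: {2}" -f $proc.Id, $proc.ProcessName, $_)
        return
    }
    foreach ($m in $modules) {
        $file    = $m.FileName
        $company = $m.FileVersionInfo.CompanyName
        # Heuristic, not a signature check: a module living outside %SystemRoot% or
        # carrying a non-Microsoft company string is the one worth a second opinion.
        $inSystemRoot  = $file.ToLower().StartsWith($sysRoot)
        $fromMicrosoft = $company -like '*Microsoft*'
        [pscustomobject]@{
            PID     = $proc.Id
            Process = $proc.ProcessName
            Module  = $file
            Company = $company
            Suspect = -not ($inSystemRoot -and $fromMicrosoft)
        }
    }
}

# Full inventory first, then the short list that is worth pasting into a reply.
$rows | Sort-Object Process, PID, Module | Format-Table -AutoSize
"`n--- Modules that did not pass the heuristic ---"
$rows | Where-Object Suspect | Sort-Object Process, PID, Module |
    Format-Table PID, Process, Module, Company -AutoSize
```

An empty second table is the expected result on a healthy system; anything listed there still needs a hash or signature check before it is called malicious.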
     
  4. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated.
    There is also a svchost.exe which is a process registered as the W32.Welchia.Worm. It takes advantage of the Windows LSASS vulnerability, which creates a buffer overflow and instigates your computer to shut down.
     
  5. Xyzzy

    Xyzzy Registered Member

    Joined:
    Jan 11, 2005
    Posts:
    67
    Location:
    Poland
  6. want2bemalwarefree

    want2bemalwarefree Registered Member

    Joined:
    Jan 20, 2005
    Posts:
    19
    Location:
    Texas
    Thank you for all your suggestions. I will first try to identify this thing using the tool that Jason recommended. If that is not successful then I will try to eradicate it using the procedure Blackspear provided. Hopefully by Monday I will have something positive to report :doubt: .
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Your report suggests that there is NO virus/trojan or whatever but your firewall is warning you wrongly about a standard M$ file that is doing its job

    As this is a LookNStop firewall problem and IS NOT anything to do with any trojan or virus

    I will move this to the LNS forum where you will get the advice on setting the firewall correctly
     
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I have seen this reported in many places with wrongly configured firewalls, especially with Norton Firewall

    As you say it's a BETA driver that is the only thing finding it and that driver is in error ( well it is telling you about an attempt but that attempt is a required access to the net and is the way that M$ services.exe works)
     
  9. Xyzzy

    Xyzzy Registered Member

    Joined:
    Jan 11, 2005
    Posts:
    67
    Location:
    Poland
    1. Still, this may be a trojan.
    2. Check MD5, you will be 100% sure. If your MD5 is OK, you can just allow it when LnS requests.

    X.
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I can be 110% sure that services.exe is genuine otherwise the computer won't work

    It is the services and controller application that starts and stops services for M$ and every time you do anything with the computer it will start or stop a service

    When you ask to go on the net one of the multiple versions of SVCHOST will be activated and attempt to do something to connect, either a DNS lookup or some other vital function

    Yes there are trojans that try to take over but as you have checked with NOD/TDS etc that possibility is very remote

    LNS has the ability to warn you if any other program tries to piggyback on a running program to access the net

    However this services.exe is designed to do that and stopping it doing its job will prevent you getting on the net

    Several other firewalls that also have this capability have these processes in an automatic allow list to prevent this problem
     
  11. want2bemalwarefree

    want2bemalwarefree Registered Member

    Joined:
    Jan 20, 2005
    Posts:
    19
    Location:
    Texas
    Derek - thank you for your responses - I would like to provide more details to confirm that the behavior I am seeing is normal behavior. Services.exe consistently tries to use other programs to access the internet in very odd patterns. Sometimes, out of nowhere, it will try 10 different executables in a row, twice each, all of which are currently running processes, to access the internet. Sometimes it only uses svchost.exe once or twice. Sometimes it tries to use svchost.exe and other executables in alternation 5 or 6 times in a row. Sometimes it continually tries to use svchost.exe 30 or more times in a row. Sometimes immediately after I block it there is one or two UDP warnings from LookNStop. Sometimes there is an ICMP warning right after I block it. As I am typing this there have been 6 popups for WCESCOMM.EXE which should only be used when I connect my PDA to its sync cradle (this is part of ActiveSync) and now it is continuing to popup warnings as I type this.

    All the applications that services.exe tries to use to access the internet causing warnings are themselves able to access the internet just fine. I can use ActiveSync, IE, Firefox, and Opera with no problem, I can update virus and spyware definitions, etc., and none of these operations generate any warnings from LooknStop. The warnings come out of nowhere, when it seems that none of the legitimate programs are or should be trying to access the internet, like ActiveSync right now.

    Do those behavioral patterns match the normal behavior for services.exe? If so, then you are correct and the firewall messages are a false alarm or configuration error on my part. I followed Blackspear's very detailed instructions for configuring LooknStop so I think it is configured correctly, unless I made a mistake at some point.

    If this is not the normal behavior (even though services.exe normally does use other programs to access the internet) then I think there is something lurking around on my system that LooknStop has correctly identified. Before trying LooknStop I also tried Outpost but it kept popping up a large number of warnings about components of IE that were changed and other warnings I did not understand, all of which resulted in not being able to use the internet at all. At the time I assumed that either Outpost was too complicated for me to understand or that they had significant bugs in their software. Now, in retrospect, Outpost may have been correctly detecting that there was malware on my system, but communicated that information in a way that was less understandable than LooknStop.

    Even if LooknStop has given a false alarm, in the last 24 hours something has succeeded in destroying the databases for both Pest Patrol and SpySweeper, crippling both programs. SpySweeper even popped up a message box saying that I needed to reinstall it to restore it to functionality. None of the software I have installed or run has detected anything (the list now includes: VxFinder, Stinger, Spybot, BugOff, CWShredder, PrevX Pro 2005, AVG Pro, NOD32, TDS-3 Professional, Wormguard, SpySweeper, Pest Patrol, Ad Aware SE Pro, Zone Alarm Pro, UnHackMe, Ewido Security Suite).

    The only unusual thing ever detected is that Spybot claimed that an ActiveX entry was Netster but my research seems to indicate that RdxIE.dll is actually something associated with software from Real so I did not let Spybot remove it.

    I plan to follow the general cleaning instructions this weekend after trying two other tools just to complete the list of tools I have tried. If nothing else, I have certainly learned a lot about the available tools for malware detection, removal, and prevention :) .
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I find it very hard to believe that there is any malware on your computer that all your security software hasn't found

    It's not impossible but extremely unlikely

    Active sync is one of these pains that forever pops up regardless of whether a pda is connected or not

    I don't know what has damaged pest patrol & spysweeper

    I would be very interested in seeing a HJT log in your case as it will enable me to determine whether there MIGHT be an unknown baddie

    I know we don't normally ask for HJT logs to be posted but in your case I am willing to look at it and see if anything is out of place

    I still think though that what you have described is perfectly normal behaviour when services.exe is blocked from doing its job, (except for the Spysweeper and Pest patrol problems and there is possibly a simple answer to that)

    Go to here and download 'Hijack This!'. Double-click on the file and it will self extract to C:\program files\hijackthis.
    Go to that folder then double-click the Hijackthis.exe
    Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  13. want2bemalwarefree

    want2bemalwarefree Registered Member

    Joined:
    Jan 20, 2005
    Posts:
    19
    Location:
    Texas
    Derek,

    Thank you very much for your willingness to examine a HJT log. I will create one tonight and post it here. I appreciate your willingness to help so others do not have to go through what I have been through, whether from a malware pest or a false alarm.

    Mark
     
  14. want2bemalwarefree

    want2bemalwarefree Registered Member

    Joined:
    Jan 20, 2005
    Posts:
    19
    Location:
    Texas
    Derek,

    Below find the HJT log I just collected. As an aside, Pest Patrol suddenly came back to life tonight for some reason (it was not working when I came home during lunch). SpySweeper is still dead as a doornail. I performed an update on PestPatrol and then did a full system scan with it and it found something named viewpoint toolbar which had 13 registry entries and 4 files. The location of the files contained "Mozilla plugin" so I am assuming that this was a surf-by install without my permission. I then ran a Spybot scan and it found something named DSO Exploit which has 5 registry entries. I did not allow either program to fix these items yet. Reg Run Security Suite Gold found two unsigned ActiveX applications in MyComputer zone, again I did not allow it to fix these.

    Oddly enough, for the first time in many days, tonight there have been no attempts by SERVICES.EXE to use other programs to access the internet. When I came home at lunchtime there was a flood of them including the ActiveSync one which I had never seen since installing LooknStop on Tuesday night. Very strange.

    ------

    Logfile of HijackThis v1.99.0
    Scan saved at 1:20:34 AM, on 1/22/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Prevx Pro\PXAgent.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Belkin Bulldog Plus\upsd.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Soft4Ever\looknstop\looknstop.exe
    C:\Program Files\Prevx Pro\SAGUI.exe
    C:\Program Files\Atomic Clock Sync\Atomic.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Belkin Bulldog Plus\MUPS.exe
    C:\Program Files\PhatWare\PhatNotes Professional\notesnotify.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [KeyPatrol] C:\PROGRA~1\PESTPA~1\KeyPatrol.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
    O4 - HKLM\..\Run: [PrevxPro] "C:\Program Files\Prevx Pro\SAGUI.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (file missing) (HKCU)
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?322
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Network Configuration Service - AT&T - C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
    O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Prevx Agent - Prevx Ltd. - C:\Program Files\Prevx Pro\PXAgent.exe
    O23 - Service: Retrospect Launcher - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: Sentry 2020 - Unknown - C:\Program Files\SoftWinter\Sentry2020XP3.0b13\SentryService.exe
    O23 - Service: UPS - UPSentry Service - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe

    ---------

    One last thing I thought I might mention. When I run TDS-3 it detects two NTFS Alternate Data Streams in c:\windows\system32\winlogon.exe. Until now I have ignored this but I thought I would include the information here in case it is relevant:

    PARENT
    Path: c:\windows\system32\winlogon.exe
    Size: 483328 bytes
    MZ Exe: EXE

    STREAM
    Name: :[]summaryinformation (where [] is actually a box character)
    Size: 88 bytes
    MZ Exe: Unknown

    STREAM
    Name: :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    Size: 0 bytes
    MZ Exe: Unknown

    Thanks again for your willingness to investigate this,
    Mark
     
  15. want2bemalwarefree

    want2bemalwarefree Registered Member

    Joined:
    Jan 20, 2005
    Posts:
    19
    Location:
    Texas
    Jason,

    I tried running Process Explorer last night and I left it up for a while waiting for an alert to occur. When one did occur I checked Process Explorer and could not find any process associated with the alert. Perhaps this is due to unfamiliarity with the program but it did not give any indication as to which process(es) were running at the time. Periodically it would change the color of some of the processes as they were running but nothing happened during the alert. I watched for processes which were using CPU time and again, nothing correlated with the alert. After blocking that alert, several more happened in rapid succession but nothing in the Process Explorer window indicated what was running at the time.

    Thanks anyway,
    Mark
     
  16. want2bemalwarefree

    want2bemalwarefree Registered Member

    Joined:
    Jan 20, 2005
    Posts:
    19
    Location:
    Texas
    CORRECTION TO AN EARLIER POST:

    When I was home during lunch yesterday I inadvertently permanently blocked SERVICES.EXE from connecting to the internet and from using other programs to connect to the internet which is why I did not see any alerts at all last evening. Now that I have removed the permanent block the attempts have started again, as before.

    Mark
     
  17. want2bemalwarefree

    want2bemalwarefree Registered Member

    Joined:
    Jan 20, 2005
    Posts:
    19
    Location:
    Texas
    Xyzzy,

    I would be happy to try your suggestion but I do not know how I would find someone with the exact same level of Windows. I have SP1 plus all critical updates. There have been a few updates which I have not allowed on my system, like the Microsoft malware detection tool - due to the fact that once you put that thing on you will no longer be able to turn off automatic updates for it unless you turn them off for everything - I find that totally unreasonable and ridiculous. There may have been others which were not critical and which, like the malware tool, had side effects which I found to be unacceptable. I have no way of knowing if any of these updates would change services.exe so that the MD5 would be different - or is it the case that MD5 is not a checksum and would not be affected by this? Sorry for my ignorance on this subject. If it is the case that all I have to do is find someone with Windows XP Pro SP1 then it should be no problem.

    Thanks,
    Mark
     
  18. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Those streams in winlogon look like you have had KAV installed at some time and that's a common leftover

    I am convinced that it is a false alarm and you should allow services.exe to connect & ignore the messages
     
  19. want2bemalwarefree

    want2bemalwarefree Registered Member

    Joined:
    Jan 20, 2005
    Posts:
    19
    Location:
    Texas
    Derek,

    Thank you again for your advice and assistance. I have done what you recommended and this has eliminated the alerts about svchost.exe. Unfortunately there still appears to be something on my system related to svchost.exe because Sunday night PrevX Pro 2005 alerted me to an attempt by svchost.exe to perpetrate a buffer overflow.

    That, in combination with SpySweeper and PestPatrol being disabled, convinces me that there is either some undetected malware still lurking around, or someone has managed to get access to my system, or the operating system is damaged in some way from the virus and malware which were removed.

    Either way, the best solution is to just reinstall it from scratch and put all the updates and protective software in place before the system is ever connected to the internet. At that point I should have a clean system once again and be relatively safe from reinfestation.

    Thanks again for your advice and assistance. Now that I know about your website I will add it to the list of security websites I periodically read.

    Mark
     
  20. Xyzzy

    Xyzzy Registered Member

    Joined:
    Jan 11, 2005
    Posts:
    67
    Location:
    Poland
    If you have not reinstalled yet:
    Find your services.exe and display properties from right mouse button menu. In Version tab there is version number. It gets updated when the file is changed by a patch or fix from Microsoft. Get md5sum.exe from the internet. Post your file version along with md5 and some info to some forum (like this one) or appropriate Usenet group. Wait for an answer :)
    X.
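The version-plus-hash check Xyzzy describes, and the question Mark raises about patches changing the MD5, worked through as an added example (not code from the thread). The file version does change with every patched services.exe, so a hash is only comparable against the same version; on a current Windows the catalog signature answers the question directly, without needing a stranger's hash. Assumes PowerShell 4 or later for Get-FileHash and Windows 8 or later for a catalog-aware Get-AuthenticodeSignature:

```powershell
# Added example: collect the facts the forum post asks for about services.exe
# (version, size, MD5) and, where the OS supports it, verify the Microsoft signature,
# which is the stronger test the MD5 comparison was approximating.
$path = Join-Path $env:SystemRoot 'System32\services.exe'
$file = Get-Item -Path $path
$ver  = $file.VersionInfo

# FileVersion moves with each Microsoft patch, so an MD5 from someone else only
# means something if their FileVersion matches yours.
$report = [ordered]@{
    Path           = $path
    FileVersion    = $ver.FileVersion
    ProductVersion = $ver.ProductVersion
    Company        = $ver.CompanyName
    SizeBytes      = $file.Length
    MD5            = (Get-FileHash -Path $path -Algorithm MD5).Hash
    SHA256         = (Get-FileHash -Path $path -Algorithm SHA256).Hash
}

# Most Windows system binaries carry no embedded signature; they are signed through
# security catalogs, which Get-AuthenticodeSignature resolves on Windows 8 and later.
$sig = Get-AuthenticodeSignature -FilePath $path
$report.SignatureStatus = $sig.Status
$report.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

[pscustomobject]$report | Format-List

if ($sig.Status -ne 'Valid' -or $ver.CompanyName -notlike '*Microsoft*') {
    Write-Warning "services.exe did not verify as a Microsoft file."
    Write-Warning "Run: sfc /verifyfile=$path   and compare FileVersion + MD5 with a known-good copy."
}
```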
     
  21. mitchell

    mitchell Guest

    I installed SP2 and now my internet doesn't work. It just keeps on coming up with a DNS error when I try to go on a page. I have svchost but I don't know what to do. I'm using a laptop right now as my other computer won't show websites. Everyone talks about how they got the problem and then it worked again but mine just doesn't go on.

    PLEASE HELP
    Mitchell
     
  22. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi mitchell,

    I am not sure if you are aware, but you have posted in a thread that is in the "Official LooknStop Firewall Forum". If you are not using LooknStop Firewall, then I will move your post over to a more suitable forum here.

    Regards,

    snap
     
  23. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Mitchell

    If you are using another firewall, then Turn OFF the SP2 firewall, that is usually the problem
     
  24. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Mitchell,

    Another tip: if you are using ICS server on Windows XP-SP2 with Look 'n' Stop, you need to import the following rules (on the server) to allow the client PCs to connect to internet:
    http://looknstop.soft4ever.com/Rules/XPSP2-ICS.rie

    Regards,

    Frederic
     