(S)LimeShop trojan

Discussion in 'malware problems & news' started by brightongull, May 5, 2004.

Thread Status:
Not open for further replies.
  1. brightongull

    brightongull Registered Member

    Joined:
    May 5, 2004
    Posts:
    6
    Hi,

    I've been infected with a trojan after recently registering with Limewire. I've tried various things to get rid of it but don't seem to be getting anywhere. Can anyone help? Very grateful for any help ...

    Here's my Hijackthis report:

    Logfile of HijackThis v1.97.7
    Scan saved at 00:19:35, on 06/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\LTSMMSG.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\windows\redirect7.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\CConnect\CConnect.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\I386\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com
    O2 - BHO: (no name) - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\mathies.com\PopThis!\PopThis.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: DotComToolbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - c:\windows\toolbar_nieuw14.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [aconti] C:\WINDOWS\aconti.exe -auto
    O4 - HKLM\..\Run: [easywww] C:\windows\easywww2.exe
    O4 - HKLM\..\Run: [redirect] C:\windows\redirect7.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
    O8 - Extra context menu item: &RSDN Search - res://c:\windows\toolbar_nieuw14.dll/GoRSDN.dll.htm
    O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com
    O15 - Trusted Zone: *.sony-europe.com
    O15 - Trusted Zone: *.sonystyle-europe.com
    O15 - Trusted Zone: *.vaio-link.com
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37852.4667361111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    brightongull,

    Welcome to Wilders.

    Please do a FULL system scan at one of these free on-line anti-virus scanners: Free Services.

    If you haven't already, download and install Spybot Search&Destroy

    After installing, press the "OnLine" button, then the "Search for Updates" button (do not miss this step).

    1. Put a check inside the items listed for download and install them.
    2. Then click on "Check for Problems". Have Spybot remove all that it lists in RED.
    3. Once Spybot S&D is finished removing the items, close the program and restart your computer.
    (Spybot-S&D will make a backup of everything deleted, so if there is reason that you have to undo anything, you have the backup to restore from).

    or, download and install
    Ad-Aware (having both Ad-Aware and Spybot S&D would be even better as one may detect what the other one doesn't as they update at different times).

    After installing Ad-Aware you MUST install the latest Reference File to bring Ad-Aware's detection up-to-date. Follow these instructions.

    Then follow these instructions for setting up Adaware's scan:
    1. Click on the Settings (Gear at the top) --> Tweak button
    Under Scanning Engine: check: "Unload recognized processes during scanning."
    Under Cleaning Engine: check: "Let Windows remove files in use after reboot."
    Click "Proceed"

    2. Press the "Scan Now" button
    Put a dot in the circle for "Use Custom scanning options"
    Check option for "Activate In-Depth Scan (Recommended)"
    Press "Select drives\folders to scan"
    Select the active partition which is usually C:
    Click "Proceed"

    3. Press "Next" to begin the scan.
    It will find a number of "bad" files and registry keys.
    Right-click in that pane and choose "select all"

    4. Press "Next" again.
    It will ask you whether you'd like to remove all checked items. Click OK.
    Once Ad-Aware has removed the items, close it and restart your computer.
    (Ad-Aware will make a backup of everything deleted, so if there is reason that you have to undo anything, you have the backup to restore from).

    After you have done the above, reboot your computer and do another scan with HijackThis and post it here in this thread so it can be checked.

    Regards,
     
  3. brightongull

    brightongull Registered Member

    Joined:
    May 5, 2004
    Posts:
    6
    Hi snapdragin

    Thanks for taking the time to reply.

    I've followed your advice to the letter, and it seems to have gone well. Anyway, as requested here is my latest HijackThis report ... let me know what you think ...

    Logfile of HijackThis v1.97.7
    Scan saved at 17:07:41, on 06/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\LTSMMSG.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\CConnect\CConnect.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\I386\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com
    O2 - BHO: (no name) - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\mathies.com\PopThis!\PopThis.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [easywww] C:\windows\easywww2.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
    O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com
    O15 - Trusted Zone: *.sony-europe.com
    O15 - Trusted Zone: *.sonystyle-europe.com
    O15 - Trusted Zone: *.vaio-link.com
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37852.4667361111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
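The helpers in this thread compare the first and second HijackThis logs by eye to see what the cleanup removed and what is still there. The following Python script is an added example for this thread, not code from the forum, from the posters, or from HijackThis itself. It parses HijackThis entry lines, diffs two logs (trimmed excerpts of the two logs above, embedded as constants), and lists autorun entries. The last function applies one heuristic that is my own assumption rather than anything stated on the page: an O4 entry that launches an .exe straight from the Windows folder, rather than from System32 or Program Files, is worth a second look. It is a triage aid, not a verdict.

```python
"""Diff two HijackThis logs and list autorun entries worth reviewing.

Added example, not part of the original thread or of HijackThis. BEFORE and
AFTER are trimmed excerpts of the two logs posted above (constructed subsets,
only the sections of interest are kept).
"""
import re
from typing import Dict, List, Tuple

# One HijackThis entry line: section code (R1, O2, O4, O16 ...), " - ", the rest.
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# Body of an O4 registry autorun entry: HKLM\..\Run: [name] command
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Heuristic (assumption of this example): an executable sitting directly in the
# Windows folder, not in a subfolder such as System32.
WINDOWS_ROOT_EXE = re.compile(r"(?i)^c:\\windows\\[^\\]+\.exe$")

BEFORE = r"""
O2 - BHO: (no name) - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\mathies.com\PopThis!\PopThis.dll
O3 - Toolbar: DotComToolbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - c:\windows\toolbar_nieuw14.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [aconti] C:\WINDOWS\aconti.exe -auto
O4 - HKLM\..\Run: [easywww] C:\windows\easywww2.exe
O4 - HKLM\..\Run: [redirect] C:\windows\redirect7.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &RSDN Search - res://c:\windows\toolbar_nieuw14.dll/GoRSDN.dll.htm
"""

AFTER = r"""
O2 - BHO: (no name) - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\mathies.com\PopThis!\PopThis.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [easywww] C:\windows\easywww2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
"""


def parse_log(text: str) -> Dict[str, str]:
    """Return {entry line -> section code} for every recognised entry line."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries[line] = m.group("code")
    return entries


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries that disappeared between the scans, and entries that are new."""
    b, a = parse_log(before), parse_log(after)
    return sorted(set(b) - set(a)), sorted(set(a) - set(b))


def executable_of(cmd: str) -> str:
    """First token of an autorun command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def autorun_commands(text: str) -> Dict[str, str]:
    """Map O4 registry autorun entry name -> command line."""
    out: Dict[str, str] = {}
    for line, code in parse_log(text).items():
        if code != "O4":
            continue
        m = O4_RE.match(line[len("O4 - "):])
        if m:
            out[m.group("name")] = m.group("cmd")
    return out


def loose_windows_root_executables(text: str) -> List[str]:
    """Autorun names whose executable lives directly in C:\\Windows (heuristic)."""
    return sorted(name for name, cmd in autorun_commands(text).items()
                  if WINDOWS_ROOT_EXE.match(executable_of(cmd)))


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("Removed by the cleanup:", *removed, sep="\n  ")
    print("New since first scan:", *added, sep="\n  ")
    print("Still worth a look:", loose_windows_root_executables(AFTER))
```

Run against the two excerpts, the diff shows the aconti, redirect and DotComToolbar entries gone, the HouseCall control added by the on-line scan, and the easywww entry as the one remaining loose executable, which matches what snapdragin asks to be fixed in the next reply.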
  4. brightongull

    brightongull Registered Member

    Joined:
    May 5, 2004
    Posts:
    6
    * UPDATE *

    Further to my last post, there still seems to be problem: the avast! antivirus tool has just detected the following:

    Virus name: Win32:Trojan-gen. {VB}
    Location: C:\System Volume Information\_restore{11268BC3-89B0-4F3C-9
    Other info: 0419-1, 06/05/2004

    Any further help greatly appreciated!

    Best regards
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi brightongull,

    Just this one left to fix. Place a check beside it in Hijackthis, make sure ALL windows/browsers are closed, then click "Fix checked":

    O4 - HKLM\..\Run: [easywww] C:\windows\easywww2.exe

    Then boot your computer, preferably into safe mode by tapping the F8 key just as windows begins to load.

    Find and delete the easywww2.exe file in the C:\Windows folder.

    The above file may be hidden, so make sure you have all hidden files and folders viewable. Click Here, for instructions on how to do that.

    Reboot your computer normally.

    The virus that avast! is alerting to is in your System Restore. The only way to clean out any malware files that have been backed up in System Restore, is to purge the existing restore points. Follow the steps below:

    Turn OFF System Restore:
    1. On the Desktop, right-click My Computer.
    2. Click Properties.
    3. Click the System Restore tab.
    4. Check the box beside "Turn off System Restore".
    5. Click Apply, and then click OK.
    6. Restart the computer. (You must restart your computer to clear the old Restore Points)

    Turn System Restore ON:
    1. Follow the above Steps 1 to 3
    2. UNcheck the box beside "Turn off System Restore".
    3. Click Apply, and then click OK.
    4. Restart your computer.
    5. And set a new Restore Point.

    Delete the contents from your Temp folders and the Temporary Internet Files folder (do not delete the Temp folders themselves though).

    Also, please read this post to help prevent future infection:
    https://www.wilderssecurity.com/showthread.php?t=27971

    You can do another scan with avast! and all should come up clear. :)

    Let us know if everything is working ok now.

    Regards,

    snap
     
  6. brightongull

    brightongull Registered Member

    Joined:
    May 5, 2004
    Posts:
    6
    Hi snap

    Thanks for the further guidance. I did exactly as you outlined and ran avast! which found no infected files. Everything seems OK, except ... my whole system is running slower than before I carried out all the above.

    Individual windows take noticeably longer to load, and do so in a piecemeal way - not instantaneous like you'd expect. I have broadband, but outlook and IE now take a while to load and often do not connect straight away - with Outlook I'm now often prompted to enter my password to access my email server (before this always happened automatically), and webpages either fail to load or take a while to load.

    Is there a virus still lurking? Have I messed with some setting that I shouldn't have? Or is it simply that my ISP is having an off couple of days?

    Grateful for your thoughts.

    Best regards - brightongull
     
  7. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi brightongull,

    There isn't anything in your last log that I am seeing as something bad running. Usually after removing spyware or viruses a system runs faster. Why yours is now running slower, I don't know.

    Have you removed anything on your own after fixing the above? You could do a defrag and see if that helps speed up your system, but other than that your log looks clean.

    Your ISP may have been having a bad day, or something on the route may have been a bit congested, but unless you called your ISP, it would be only guessing at that.

    I can ask one of the Experts to take a look at your thread and see if they can see something I'm maybe missing.

    snap
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Two things you can try:

    Copy the part in bold below into notepad and save it as aconti.reg

    REGEDIT4

    [-HKEY_CLASSES_ROOT\clsid\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]


    Then double-click that file and confirm you want to merge it with the registry,
    and check in IE > Tools > Internet-options > Connections tab and remove any connections that should not be there.

    HTH,

    Pieter
     
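A .reg file merged by double-clicking runs whatever it contains, so it pays to know exactly what it will do first: `[-KEY]` deletes a key and everything beneath it, `[KEY]` creates or selects a key, `"name"=data` sets a value and `"name"=-` deletes one. The script below is an added example for this thread, not from Pieter's post or any Microsoft tool. It summarises those actions for a .reg file before it is merged, using Pieter's aconti.reg from the post above as one input and a constructed second file (the `ExampleTool` entry is a placeholder, not from the page) to show the other line types. The list of autostart locations it flags is an assumption of this example, not exhaustive.

```python
"""Summarise what a .reg file will do when merged, before merging it.

Added example for this thread; not the forum's, the poster's or Microsoft's
code. ACONTI_REG is the snippet from the post above; SAMPLE_ADD is constructed
to exercise the other line types (ExampleTool is a placeholder name).
"""
import re
from typing import Dict, List

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# [KEY] creates or selects a key; [-KEY] deletes it and everything under it.
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")
# "name"=data sets a value, "name"=- deletes it, @ is the key's default value.
VALUE_RE = re.compile(r'^(?P<name>"[^"]*"|@)=(?P<data>.*)$')
# Writes here mean "run something at logon"; assumed short list for this example.
AUTOSTART_MARKERS = (r"\currentversion\run", r"\currentversion\runonce")

ACONTI_REG = r"""REGEDIT4

[-HKEY_CLASSES_ROOT\clsid\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
"""

SAMPLE_ADD = r"""Windows Registry Editor Version 5.00

; constructed sample: adds one autorun value and deletes another
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTool"="C:\\Example\\tool.exe"
"OldEntry"=-
"""


def summarize_reg(text: str) -> Dict[str, List[str]]:
    """Classify every key and value operation the file would perform."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: first line must be REGEDIT4 or the 5.00 header")
    summary: Dict[str, List[str]] = {
        "delete_keys": [], "write_keys": [], "delete_values": [], "set_values": []}
    current = None  # key that subsequent value lines belong to
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            summary["delete_keys" if km.group("minus") else "write_keys"].append(current)
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = "(Default)" if vm.group("name") == "@" else vm.group("name").strip('"')
            bucket = "delete_values" if vm.group("data").strip() == "-" else "set_values"
            summary[bucket].append(current + "\\" + name)
    return summary


def flag_autostart_writes(summary: Dict[str, List[str]]) -> List[str]:
    """Keys the file writes to that are autostart locations (heuristic)."""
    return [k for k in summary["write_keys"]
            if any(marker in k.lower() for marker in AUTOSTART_MARKERS)]


if __name__ == "__main__":
    for label, text in (("aconti.reg", ACONTI_REG), ("sample", SAMPLE_ADD)):
        s = summarize_reg(text)
        print(label, s, "autostart writes:", flag_autostart_writes(s))
```

For aconti.reg the summary contains a single key deletion and nothing else, which is what Pieter describes; the constructed sample shows how a file that writes under a Run key would be surfaced for review before it is merged.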
  9. brightongull

    brightongull Registered Member

    Joined:
    May 5, 2004
    Posts:
    6
    Thanks guys - everything seems to be working well now: luckily I think the ISP just had a couple of off days.

    Thanks for all your help and advice, much appreciated.

    Best regards - brightongull.
     