Trojans Ewido Spyware ... Removal =)
Sunday, July 03, 2005
This is a log of my efforts to clean up my compy after some trojans have set in
I actually named this piece of text "enemy.txt" lol
Most of this happened in 050702 hence that's where the log shall begin.
[log 050702]
a brief description of the problem:
current build:
winxp pro
msq is up
mssql is up
mysql is up
apache is up
zone alarm is up
Problem:
svchost.exe would request for 216.152.240.11:HTTP
IE will keep popping up (with no toolbar)
From past experience, before zone alarm was installed these were popups advertising anything from casinos to fixing, would you believe it, pop ups.
I had installed zone alarm to stop outgoing packets, so that the problem doesn't grow.
and believe me it does grow.
The life cycle is rather malicious, once it hooks on, it will call back to the main server
and get more ads in.
Use of Zone Alarm has managed to stymie the growth of the pop ups.
No longer do the pop ups actually have any ads
However I know it is still running as svchost still initialises at start up to request for 216.152.240.11:HTTP
and IE keeps popping up. However this time saying that no server can be found.
So security-wise I have clamped it down, or so I think (I might be wrong of course and in truth I am not sure)
Each time I type my password and IE pops up, my browser loses focus and I do not know if some keylogger is capturing data.
So it is both an irritant as well as a security concern.
Hence it had always been on my agenda to clean up the windows registry.
So the clues so far are, svchost seems to have a big part in this whole farce.
Killing svchost slows down the pop ups somewhat.
Lasass.exe was one of the first processes to be scrutinised, along with cidaemon.exe
Some links:
http://www.liutilities.com/news/articles/article9/
http://www.liutilities.com/news/articles/article10/
in essence most of the processes were clean, however the articles also hinted that code injection was possible.
In my case it looks like svchost is the vector.
Also some interesting articles came up:
http://reviews.cnet.com/5208-3513-0-10.html?forumID=104&threadID=38140&messageID=1097302&start=-87
http://www.windowsitpro.com/Article/ArticleID/25490/25490.html?Ad=1
How to remove IE (apparently the reinstall bit is not a trojan or virus but courtesy of MS)
as well as the System Configuration Utility (type "MSCONFIG" in "run" under the start button)
You can boot in safe mode from here, just click on the boot.ini tab
Note that svchost.exe is used by many programs not just viruses.
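Because svchost.exe hosts many services, the useful triage step at this point is to tie the connection to 216.152.240.11 to a PID and then to the service group that PID hosts. The following is an added example, not code from the original post: it joins constructed `netstat -ano` and `tasklist /svc` output on PID; the sample PIDs, addresses and the service name "HypotheticalSvc" are placeholders.

```python
import re
# Constructed sample of `netstat -ano` output (not captured from the author's
# machine); the foreign address is the indicator named in the log above.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1488
  TCP    192.168.0.5:1043       216.152.240.11:80      SYN_SENT        1072
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed sample of `tasklist /svc` output; PIDs and the service name
# "HypotheticalSvc" are placeholders, not names taken from the page or from malware.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                   1072 AudioSrv, Browser, CryptSvc, Dhcp,
                                   EventSystem, Netman, wuauserv, HypotheticalSvc
Apache.exe                    1488 Apache2
"""
def parse_netstat(text):
    """Return (proto, foreign_ip, pid) per connection row; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(TCP|UDP)\s+\S+\s+(\S+)\s+(?:\S+\s+)?(\d+)\s*$", line)
        if m:
            rows.append((m.group(1), m.group(2).rsplit(":", 1)[0], int(m.group(3))))
    return rows

def parse_tasklist(text):
    """Map PID -> (image name, hosted services), joining wrapped service lines."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        m = re.match(r"(\S+(?: \S+)*)\s+(\d+)\s+(.*)$", line)
        if m:  # a new process row
            last_pid = int(m.group(2))
            svcs = [s.strip() for s in m.group(3).split(",") if s.strip() not in ("", "N/A")]
            procs[last_pid] = (m.group(1), svcs)
        elif line.startswith(" ") and last_pid is not None:  # wrapped service list
            procs[last_pid][1].extend(s.strip() for s in line.split(",") if s.strip())
    return procs

def attribute_connections(netstat, tasklist, indicator_ip):
    """Connections to indicator_ip with the owning image and its hosted services."""
    procs = parse_tasklist(tasklist)
    hits = []
    for proto, ip, pid in parse_netstat(netstat):
        if ip == indicator_ip:
            image, services = procs.get(pid, ("<unknown>", []))
            hits.append({"proto": proto, "pid": pid, "image": image, "services": services})
    return hits
```

Run against real output, the returned service list is what narrows "svchost.exe" down to a handful of services to inspect in safe mode, rather than killing every svchost instance.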
Ad aware tutorial:
http://www.softwaretipsandtricks.com/windowsxp/articles/619/1/Ad-Aware-Tutorial
I did not use Ad aware, but it seems popular.
http://forum.iamnotageek.com/history/forum.php/130-3.html
list of problems, I might have used this
http://forum.iamnotageek.com/t-1819059447.html
This was the main one I used
Basically it is the Hijackthis manual.
Hijackthis is a godsend, it essentially lets you see windows registry values that are likely to be due to hijackers.
If you have seen the win registry it is quite complicated... :)
Using this I think I got rid of a few ad wares, e mony and stuff... so it's not too bad.
CWS was also handled
http://www.spywareinfo.com/articles/cws/
But the svchost is still asking for the 216 blah blah site...
msn messages can be disabled
http://www.neuber.com/taskmanager/process/msmsgs.exe.html
apparently comes with messenger 6.2
To disable
http://www.pchell.com/support/ipmessaging.shtml
On on-line.exe (this was found by hijackthis)
http://forums.techguy.org/history/t-370591.html
se.dll is also deleted
http://www.iamnotageek.com/a/se.dll.php
what is prefetch?
http://www.majorgeeks.com/download2495.html
one of the articles recommended clearing prefetch
essentially prefetch solves the mystery of how windows seemingly loads fast :)
at this point svchost still grumbles and IE still pops
it's about 4 am in the morn, I decide to crash
At this point I have cleared many adwares, I suspect svchost is regenerating everything
each time I delete. It's a memory load thing.
the solution seems to be to go into safe mode and delete the relevant files.
[log 050703]
at present svchost.exe
or at least the version where the process keeps looking for:
216.152.240.11
which is actually the coolwebsearch trojan or CWS
seems to be dead
though IE popups still occur
[log 050703 1145]
running spybot
at present trying to remove the elite bar
currently it points to C:\windows\system32\elitefmv32.exe
Elitum.EliteBar is still present unfortunately on running spybot
but only one key is left previously 3
key removed now is:
HKEY_USERS\S-1-5-21-1343024091-790525478-682003330-1003\Software\LQ
[log 050703 1202]
unfortunately IE still pops up, but it is slower now... and svchost.exe no longer asks for
216.152.240.11
that much is confirmed
IE has popped up three times though
running spybot again...
killed as many application processes as I can recognise
Elitum.EliteBar still exists however
the key is still present! though I have deleted it manually
ran an update for spybot
an IE immunisation package was found!
ran spybot again, and again the key is still there
delete/fix
run again
again Elitum.EliteBar is present
and as if to mock me, IE just popped up
Doing a google on Elitum.EliteBar now
[log 050703 1416]
searched the internet and found a site that deals with Elitum.EliteBar that had similar problems.
Downloaded Cleanup and ewido security suite.
Rebooted
On start up Ewido detected it and removed it.
On running Spybot, Elitum.EliteBar was still detected, but this time on removal, it was not detected on a subsequent run.
Looks like a wrap :)
Ewido cleaned the EliteBar very cleanly
Amen.
11:47 AM