I would like to know about these threats



JOEJG
28-12-2008, 09:43 AM
I've wasted over 7 hours trying to figure out why my computer was having problems. It seems after using Hijackthis, 3 files stood out as Unknown owners. After deleting in safe mode, they appeared back after a reboot. Then after I manually deleted them, they could not be found in the windows search, just for me to find them in the admin tools menu, so I disabled them. Yet even after a Ad-Aware scan and my Norton virus checker, the files or programs would still bypass and would not be found.

The trojans are called CbEvtSvc, bEvtService and bEvtSvcE.

Any possible way of deleting them, and where they could've come from? Otherwise I'll have to fresh install XP as they've gone and created and modified spam topics.

Thanks.

Speedy Gonzales
28-12-2008, 09:48 AM
Disable system restore, if it's XP.

Get trojan remover and malwarebytes in my sig below

Update both then scan

Then select all options under utilities in Trojan remover

JOEJG
28-12-2008, 09:54 AM
Thanks, Speedy Gonzales, you are fast lol. I would've posted my Hijackthis but I couldn't get online at the time since I was in safe mode and my connection wasn't active. Plus the CPU was acting very slow.

Perhaps tomorrow if I have trouble I'll save to a disc and then use my laptop, and post here.

Speedy Gonzales
28-12-2008, 09:58 AM
They're probably running in the background. Disable system restore

If you have XP, boot into safe mode / networking

Then get the 2 programs I posted before. Come back here. And click on the links below

JOEJG
28-12-2008, 10:02 AM
I will do, thank you. I wondered why they weren't going even after manually looking for them and deleting. They even created topics like finance with a bit of spam text, as I looked through my comp via last modified and observed as such. Just a real pain to be honest.

Edit: I didn't know that Trojan Remover and the other cost money. I don't think I can afford it right now...

Speedy Gonzales
28-12-2008, 10:07 AM
Looks like this is what it belongs to (http://vil.nai.com/vil/content/v_144165.htm)

I would get off the net right now. Because it's a backdoor trojan

Trojan remover is a trial for 30 days. Malwarebytes is free

JOEJG
28-12-2008, 10:20 AM
The most serious of all? I've noticed it was modifying and creating those topics like I said, but I deleted what I could see was from them and created today.

Do they go as far as taking money or playing with card details? My dad orders rarely, but this is scary! Should I just fresh install XP and be done with it? Or will it not go? I've little on it worth worrying about.

By the way I'm using another computer now. This is not the one. So I will download them to a disc here without needing the Internet on the trojan comp.

Speedy Gonzales
28-12-2008, 10:44 AM
A backdoor trojan can do whatever it wants to.

It'll probably steal cc info as well. So, DON'T do online banking on it, till it's fixed

JOEJG
28-12-2008, 12:46 PM
Not a human hack? Those folders it created were all just common reference text, looked a bit like a bot to me.

I've fresh installed and reformatted my C drive after running Trojan Remover; it picked up 4 of them. I will post Hijackthis when more gets sorted.

Speedy Gonzales
28-12-2008, 12:54 PM
If you did a clean install (it wipes everything), it wouldn't be there.

It sounds like you reinstalled windows over windows.

That won't get rid of it. It just overwrites what's on the hdd, then reinstalls windows.

Did you tell Trojan remover to remove them?? Then reboot?

JOEJG
28-12-2008, 01:03 PM
My dad uses Outlook for his email, I read that it could've been the cause passed through email. I better get him to change to Live or something.

The only things we buy are clothes from his walking shop and Norton subscription.

Yes I did a fresh XP install and I formatted the C drive instead of the D. Trojan Remover picks up nothing now, and this is my Hijackthis:

C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\drst.exe
D:\Program Files\Dragdiag.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\My Downloads\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TrojanScanner] D:\My Downloads\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\My Downloads\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [STManager] "D:\Program Files\drst.exe" -b
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2A203C8-D996-4B36-94C8-03E32F3BD676}: NameServer = 193.36.79.100 193.36.79.101

--
End of file - 1723 bytes

Speedy Gonzales
28-12-2008, 01:05 PM
I need all of the log. Post everything from the beginning of the log

So windows was on D before?? If it is and you didn't format D, it's still there. No point reinstalling on C, if the trojan is still on D

JOEJG
28-12-2008, 01:19 PM
It was on C. And that is the full HJT log. It's no bigger.

Speedy Gonzales
28-12-2008, 01:22 PM
Tick this then tick fix checked. Or uninstall it

Close browsers

O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm

JOEJG
28-12-2008, 01:34 PM
Okay. I'm really hoping it's not on D, I'm doing another separate Trojan Remover on it at the moment. That's where my walking movies and pictures are, but if it comes down to it, I'll have to. I'm pretty sure those that got picked as trojans were on the C: though. And earlier when I checked to see what was modified, D hadn't been modded for many months.

All clear? I'll get onto changing account details, or at least check up on it.

Speedy Gonzales
28-12-2008, 02:09 PM
Install Avast Home and update it. Then scan both of them

JOEJG
28-12-2008, 02:20 PM
Okay, but I will need sleep, then I'll use it. Been on this case for way too long now. My connection will be offline when the comp's off.

Will see you tomorrow? Thanks for your help!

JOEJG
29-12-2008, 02:47 AM
I haven't done it yet since I'm at the other location. But I've read this:
http://aumha.net/viewtopic.php?f=26&t=28580

Completely compromised? So when this happens you should really buy a new PC?! Otherwise it says to reformat the drive. Which is what I've done by reinstalling Windows on it. So what's the difference between this and what's quoted here:
''You can't clean a compromised system by reinstalling the operating system over the existing installation. Again, the attacker may very well have tools in place that tell the installer lies. If that happens, the installer may not actually remove the compromised files. In addition, the attacker may also have put back doors in non-operating system components.''

Except that I've used the programs to remove?

wainuitech
29-12-2008, 09:21 AM
''You can't clean a compromised system by reinstalling the operating system over the existing installation.'' That part is correct. To be certain - you would save all the data on both drives to another source, external drive etc.

Boot from windows XP CD, go through the procedure of reinstalling windows, when it gets to selecting the drive - tell it to delete the partitions (BOTH C & D), that will completely wipe the drive - just formatting it won't guarantee to remove the bug if it's still there.

Reinstall Windows from fresh, make up the second partition again if you want, then make sure you have a GOOD AV installed (NOT Norton - it's crap). Before you replace the data back on the drive, scan it from a clean system, as long as it's clean there shouldn't be a problem.

What sometimes happens is these bugs put in what's called a Rootkit (http://en.wikipedia.org/wiki/Rootkit) which could be in drive C or D - IF you had one of these, depending on which one it is, they can be impossible to remove, or even detect, without wiping the drive. There are programs that will "try" to remove them, and some work, some don't.

I have a PC in the workshop currently, had several rootkits - just when you think it's clean - guess what reappears ;)