Press any key, posted October 27, 2005

I ran across some spyware and may have panicked. Hey, I'm only human, and Windows is OK when it works, BUT A PRICK when things go wrong! Especially if you have OEM disks; most particularly from a NAME company. In my case, ACER Extensa Series Notebook. It appears to only allow you to delete the first partition and re-install. It is so arranged that you cannot run REPAIR or extract any of the files.

* Alright, I deleted NTDETECT.COM. One stinking little 47K DOS file, mind you - AND THE WHOLE BLOODY THING WOULD NOT BOOT.

I may also have deleted: [from Root C:]
sw.bat
is.bat
tb.exe
xe.exe
low.exe
mmxateam.exe
IELower.exe

* ARE ANY OF THESE IMPORTANT? Everybody in this forum would know a whole lot more than me. Any of them spyware? Only deleted them to the Recycle Bin (named TRASH) just in case.

Something has turned off my Windows firewall and all options are grayed out. I have WinsockxpFix-restart xp firewall but that's not working this time. Windows puts up a message also, something along the lines of: 'Firewall has been turned off, because associated services have been turned off, do you want to turn them back on. YES.' This does not work either. Also, my automatic updates have been turned off. Although I can change that back to ON, it keeps switching to OFF.

Spybot - Search & Destroy seems to have picked up some Reg keys.

** Microsoft AntiSpyware Beta 1 **
______________________________
Spyware Scan Details
Start Date: 26/10/2005 10:50:15 PM
End Date: 26/10/2005 11:05:20 PM
Total Time: 15 mins 5 secs

Detected Threats
IST.ISTbar Browser Modifier more information...
Details: ISTbar is an Internet Explorer redirector that modifies your homepage and searches without your consent using an Internet Explorer toolbar.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.
Infected registry keys/values detected
HKEY_CURRENT_USER\software\ist
HKEY_CURRENT_USER\software\ist exe_start 5
Detected Spyware Cookies
No spyware cookies were found during this scan.
-----------------------

** Ad-aware **
_______________
Name: DyFuCA
Category: Malware
Object Type: Regkey
Size: 4 Bytes
http://liveupdate.openwares.org/index.html
Location: S-1-5-21-3469509842-254541981-1596856438-1005\software\ist\
Last Activity: 26-10-2005
Relevance: Low
TAC index: 3
Comment:
Description: Also known as InternetOptimizer. Error page hijacker, malware. Installs unsolicited (Bundled with third party applications) runs stealth.
------

** Spybot S&D **
______________________
ISearchTech.PowerScan: Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-21-3469509842-254541981-1596856438-1005\Software\IST
Windows Security Center.SP2Update: Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0
Windows Security Center.AntiVirusOverride: Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0
Windows Security Center.FirewallOverride: Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0
Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0
Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0
Windows Security Center.UpdateDisableNotify: Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-07-21 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-09-30 Includes\Dialer.sbi (*)
2005-09-30 Includes\Hijackers.sbi (*)
2005-09-30 Includes\Keyloggers.sbi (*)
2005-09-30 Includes\Malware.sbi (*)
2005-09-30 Includes\Revision.sbi (*)
2005-09-30 Includes\Security.sbi (*)
2005-09-30 Includes\Spybots.sbi (*)
2005-09-30 Includes\Trojans.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-09-30 Includes\PUPS.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2005-09-30 Includes\Cookies.sbi (*)
----------------------------------------------

I have my OLD computer, so can use that to search the Net. Except my ISP changed phone numbers recently and the old PC had the wrong dial-up number. Rooter Skunk.

Anyway, finally got going and downloaded every piece of junk I could find, including from Microsoft. Who apparently only think NTDETECT.COM is in Windows 2000. Well, why would it be in XP, XP is not NT, is it?

THE SIMPLE SOLUTION:
Boot with Acer Disk 1 while holding the Shift Key down. That will get you at a DOS prompt.
A:> [For some reason it says drive A:, even though I don't have a floppy.]
CD C:
Copy C:\i386\NTDETECT.COM C:\
[1 file copied ..]

Well, bugger me. Been a long time since I really used DOS. I might add that the [Copy] bit came from a Net site named: computerhope.com

So, there's a copy of this on my Hard Drive. [in the i386 folder - which used to be in Win]

Now, you can't re-boot Acer, so push the OFF button and wait a while so as not to shock the electrical parts, then turn on again.

AND IT BOOTS INTO WINDOWS ......

So, a 47K file can stop WinXP from running. That's just perfect, isn't it! Thousands of man (and woman) hours, millions of dollars spent, and one missing little 47K DOS program stops it from working.
__________________________________________________________

Do you think it would help if WINDOWS was in a partition by itself, and the REGISTRY, program files, documents, etc, were kept separate? Then, if you had to re-install Windows, it could pick up the previous REG, to save you having to re-install all your programs.
Rhelic, posted October 27, 2005 (edited)

These are not important, they are definitely spyware or some random app you don't need: sw.bat, is.bat, tb.exe, xe.exe, low.exe, mmxateam.exe, IELower.exe

Deleting NTDETECT.COM was a bad move, it's a critical file.

As far as getting spyware, you need to run either MS AntiSpyware or Panda AV, iirc no other apps out there will give you full spyware protection.

Of course the best thing is to not run Windows as an administrator, run as a user and use RunAs to run installs as an admin. If you don't want to be hassled not being an admin, then use this guide I wrote to run as admin but to protect IE or any other internet app (FireFox, IM, etc) from installing spyware/viruses.

> Do you think it would help if WINDOWS was in a partition by itself, and the REGISTRY, program files, documents, etc, were kept separate? Then, if you had to re-install Windows, it could pick up the previous REG. To save you having to re-install all your programs.

No, this won't help you at all, no matter where you put the registry, if it gets corrupt/infected, it's infected no matter where it is. And honestly, you don't want to restore a registry from a separate install because it will only cause problems. Putting your Program Files in an alternate location won't help you either.

Just run a good anti virus and anti spyware app, I've looked at all of them and imho Panda Titanium AV is the best on the market, although it's the most expensive and uses a whopping ~50megs of ram, but you get what you pay for (in $ and in hardware requirements).

Edited October 27, 2005 by Rhelic
Takeshi, posted October 28, 2005 (edited)

NTDETECT.COM is not a DOS file strictly speaking. Win2K (and perhaps NT) uses it too (but older versions).

There are excellent chapters in the MS Windows XP Resource Kit which tell you in detail about the XP boot process and what files it uses. Then you'll know how XP boots.

Also this KB: http://support.microsoft.com/default.aspx?...kb;en-us;314079

The i386 folder is not part of the working Win XP any more; it was used in the factory for unattended installation (but often left behind afterwards).

Edited October 28, 2005 by Takeshi
shix, posted October 28, 2005

If you have a Windows XP CD, boot into the Recovery Console and copy ntdetect.com from the CD.

If you can't boot into the Recovery Console or copy the file, ask a friend if they're willing to help you out by setting up your hard disk in their PC. From their Windows, copy the file to your drive.
Press any key (Author), posted October 30, 2005

I got the firewall, auto updates and virus protection turned back on by using >> Control Panel >> Performance and Maintenance >> Administrative Tools >> Computer Management >> Services .... and finding Windows Firewall/Internet Connection << and double clicking on it - this provides options to apply.

* Must have hit a bad web page or something that infected me. Seems to be blocking my downloads >web pages< while uploading data from my computer. Maybe I've been turned into a zombie spam computer. Don't have any Torrent, etc, software presently installed.

Deleted:
sw.bat
is.bat
tb.exe
xe.exe
low.exe
mmxateam.exe
IELower.exe

xe.exe looks like an unloader and then sw.bat starts everything else.

I also deleted lsass.exe from Windows as MS Anti-spyware reports it may be bad. Doesn't say what it is .. but the one in System32 says it's Microsoft and is a different size and date.

I have a lot of protection --- but only Spybot S&D picks up the Reg Keys. However it does not remove them on 'fix problems.'

Microsoft Anti-spyware (Beta) + on guard
Ad-aware SE
Spybot - Search & Destroy + on guard
SpywareBlaster + on guard
WinPatrol + on guard
---------

Ooops, now that I have rebooted and dialed-up, the firewall and auto-updates are off again. But at least I am surfing OK, lost my zombie uploading status.

So, I'm going OK now, except I can't turn the firewall on. WinXP Home dial-up 56K.
Press any key (Author), posted October 31, 2005

Important Information .. I found this at LOCKERGNOME
-----------------------------------------------------
http://help.lockergnome.com/lofiversion/in...php/t40349.html

salarymanjam, Oct 23 2005, 02:15 AM
> I have been attacked by this Trojan which AVG is calling Mytob.ABR and I cannot seem to find any programs that remove it, it is that new! Can someone please help me out here. It seems to dump 5 files on to C:/ -
> is.exe
> low.exe
> mmxateam.exe
> sw.bat
> xe.exe
> zxvcc73x.exe
> and they also crop up in the temporary internet file folders. It is blocking me from using the internet and my home network. Can anyone help me?
>
> O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
>
> Locate and delete the following:
> C:\WINDOWS\lsass.exe
----------------------------------------------

I had all of these, except zxvcc73x.exe, mine was named IELower.exe. And AVG7 Free with current definitions did not detect anything. Nor did all the active AntiSpyware scanners. So, it may have been updated to be a better scumware...

Turn off auto backups, until problem fixed.
Delete all offline content (temp Internet files) from all your installed browsers.
Delete all temp files. (Windows will want to keep 3 or 4 and this is OK.)
[If you have CCleaner, set the delete temp files on Re-boot, and not after 48 hours, which is the default.]
Delete all files mentioned above.

* This seems to disable it, but may not be all the files. Internet connection speed returns to normal.

I still have the Win Firewall turned off, and grayed out, plus auto-updates off. Any attempt to turn them back on is ineffective. Does not work! This is supposed to be the path to the Firewall:: C:\WINDOWS\system32\svchost.exe -k netsvcs

Plus, the Reg entries that only Spybot S&D picked up, but cannot clean. They get replaced.

I also get some USB 16 bit error notice popping up and I suspect this file in C:\ usbupdatesx.exe as it has the same date as the other Malware. Hiding Windows protected files, I am left with the following in my Root folder::
usbupdatesx.exe
first.sav
AVG7QT.DAT
acecpl.sav
PDOXUSRS.NET
ascserv.log
data (6K)
ISACER.ID

I have an Acer notebook and AVG7 Antivirus.
------------------

Thanks for your reply Rhelic (That's the biggest Margarita I have ever seen [my preferred drink] and I'm a recovering alcoholic. [Ten years without a drink, ****. Luckily the cigarettes will kill me.])

Thanks for your reply Takeshi (The i386 folder saved my life, as I have Acer recover disk and can't extract anything, just reinstall as purchased.) And I've lost count of the Windows updates applied that would be lost.. And I've only had the Notebook a year with XP SP2 Home.) I'm still in shock that ONE small file can stop WindowsXP from booting.

Thanks for your reply shix (copy ntdetect.com from the CD not available to me because of BRAND NAME computer recovery disk only. Won't be buying another brand name.)

* You know, Microsoft keep sending me newsletters that say: "START SOMETHING.." I don't have time to start anything except try to keep the operating system going ..
jftuga, posted October 31, 2005

If you have access to another PC (like a friend's), you can create an Ultimate Boot CD for Windows. With this, you boot a full version of Windows XP from CD-ROM. You could then copy over the ntdetect.com file from CD or floppy. UBCD4Win also has antivirus programs and spyware removal tools.

Good luck,
-John
Rhelic, posted November 1, 2005

I should have also added the best way to run a SpyBot scan is while you are in Safe Mode (no network support). In fact if you know a machine is infected with something nasty, I insist on Safe Mode. It's often faster and since fewer things are loaded, it can remove more things. Although I've noticed with SpyBot 1.4 they do a much better job of unloading & unlocking files, so maybe this doesn't matter as much anymore.
mcl768, posted November 1, 2005

I'm pretty sure this is a pretty recent thing, there isn't much information about it, I'm just trying to help out as much as I can since I got it too. Virus scans and spyware scans come up clean (except for lsass.exe running from C:\Windows AND C:\windows\system32 where it is supposed to run from).

Nothing in the registry telling it to run, I emptied out the prefetch folder. If I'm not connected to the internet, I can delete the files I mention later and it works fine, until about a minute after I plug in the cat5 cable, a DOS window pops up and those files come back. Even after a full format and reinstall of XP on my C:\ drive.

I don't know how I got this or where it came from but it's pretty bad, I've had viruses before and I've managed to fix them pretty easily... this is different, I've been working on it for about 4 days now, and I see that others have the same problems and no one seems to know a solution... hopefully we will be able to solve this soon.

Logfile of HijackThis v1.97.7
Scan saved at 12:35:48 PM, on 11/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\lsass.exe --------------------- Not Supposed to be here!!!!
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\WinBar\WinBar.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
G:\Mikes stuff\HijackThis.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WinBar.lnk = C:\Program Files\WinBar\WinBar.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

I also have
IELower.exe (2kb)
is.exe (34kb)
low.exe (2kb)
mc-110-12-000169.exe (165kb)
mmxateam.exe (18kb)
sw.bat (1kb)
tb.exe (204kb)
usbupdatesx.exe (461kb)
xe.exe (24kb)
in my root directory C:\

I hope this will help figure out something.
mcl768, posted November 1, 2005

Ok.. I'm back on my computer for now... I think I have a solution. This is what I did:

Disconnect from the Internet.

Download Process Explorer here http://www.sysinternals.com/Utilities/ProcessExplorer.html from another computer and save it to a disk (if you can get it with the infected computer it will still work, disconnect after you get it though).

Run that and look for lsass.exe (if you have the same thing I did it will be running twice).

Click View > Select Columns, check "Command Line".

One of the lsass.exe will be running from C:\WINDOWS.. this is the bad one, the other will be running in C:\WINDOWS\System32.

Minimize Process Explorer, and browse to C:\WINDOWS. Use the folder options to show hidden and system files. Find lsass.exe, be sure you are not in the System32 folder.

It won't let you delete the file because it is in use by Windows, so you have to select it in Process Explorer and push delete, it will ask you if you want to kill the process, say yes.

You have to work quickly because lsass.exe will start itself after a few seconds, so what you do is have both windows open, Process Explorer and C:\windows, have lsass.exe selected. Go to the Process Explorer and kill lsass.exe that is running from C:\WINDOWS, then move over to the C:\WINDOWS folder and delete lsass.exe before it has a chance to start again.

Then delete
sw.bat
is.bat
tb.exe
xe.exe
low.exe
mmxateam.exe
IELower.exe
uspupdatesx.exe
mc-110-12-000169.exe
from C:\

I've seen different sets of files so there may be files here you don't have, and you may have others.

After I did that I restarted and the files didn't come back, I connected to the internet again and waited..... No files, it's been about an hour and no problems yet, I hope that is all it was, but there may be more of this... I'll post if I find out any more.
dementia13, posted November 9, 2005

Please help, this has been driving me mad! I have a lot of work to do but have spent the past two hours messing with this and still no progress.

I tried what mcl768 suggested above, and it seemed to work, however I ran into a problem. I cannot, for the life of me, find lsass.exe in my C:\WINDOWS folder. Yes, I made sure to select the Folder Options thing to view all hidden files, I can see ALL other hidden and weird looking files, but I cannot find lsass.exe.

Furthermore, when I look in Process Explorer I see the **** file and it says that it IS in C:\WINDOWS, however when I search for it and look for it manually I don't see it. So what's going on here, all signs point to it being there, yet I cannot find it to delete it.

Any help would be GREATLY appreciated. Thanks!
Press any key (Author), posted November 9, 2005

Have you also unticked 'Hide protected operating System Files'?

The Virus/Malware, whatever it is classified as, probably comes from a ųTORRENT download.
Zxian, posted November 9, 2005

> The Virus/Malware, whatever it is classified as, probably comes from a ųTORRENT download.

Viruses and Malware come from Kazaa and LimeWire. Torrents rarely contain viruses.

And if you're going to use alternate characters, it's μ, not ų.
Press any key (Author), posted November 10, 2005

> And if you're going to use alternate characters, it's µ, not u.

I couldn't find µ, but have u, which it is not, so used Character Map Arial ų. But now I have yours, I'll copy it. µ

AVG7 has just updated itself to 7.1.362, and finally picked up Trojan horse Dropper.Agent.VC. So, I know this came in on a µTORRENT download. I have never used these type of programs before, and as this is a very small one, decided I'd give it a go. The TORRENT is rogue of course, not the program's fault. No, I'm not going to say. These type of programs seem to be for copyrighted material.

* But I would check your Outlook Express Address Book for entries that look a little strange, and you have never seen before! Just a thought.
swann, posted November 17, 2005

Hi Peeps, I've been trying to sort out a booting up issue on my girlfriend's laptop and while doing the head scratching, chin stroking research came through here. With concern to your lsass.exe being in two places: they are actually two different file names. One is LSASS.exe, this is the one you need, and the other is isass.exe. The clever thing is that a capital (i) looks a lot like a lower case (L). Hope this helps.
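The two findings this thread converges on, a second lsass.exe (or a look-alike such as Isass.exe, per swann's post) running from outside System32, and the Security Center / Windows Update values Spybot listed as changed, can be checked read-only from PowerShell. This is an added example written for this page, not code from any poster or tool named here; the registry value names and root-directory file names are taken from the thread, the function names are my own, and it assumes an elevated session on a modern Windows build (XP itself predates PowerShell).

```powershell
# Added example for this thread (not a poster's or vendor's code). Read-only checks a
# defender can run elevated on a suspect Windows box:
#   1. lsass.exe, or a look-alike such as Isass.exe, running from outside System32
#   2. Security Center / Windows Update values Spybot reported as "!=dword:0"
#   3. the root-directory dropper file names the posters listed
$system32 = Join-Path $env:SystemRoot 'System32'

function Test-LsassImposter {
    # -match and -ne are case-insensitive, so "Isass.exe" (capital i) is still caught,
    # either by its name differing from lsass.exe or by its directory not being System32.
    Get-CimInstance Win32_Process |
        Where-Object { $_.Name -match '^[li]sass\.exe$' } |
        ForEach-Object {
            $path = $_.ExecutablePath   # null for the real lsass.exe when not elevated
            $dir  = if ($path) { Split-Path $path -Parent } else { '<unknown>' }
            [pscustomobject]@{
                PID        = $_.ProcessId
                Name       = $_.Name
                Path       = if ($path) { $path } else { '<unknown>' }
                Suspicious = ($_.Name -ne 'lsass.exe') -or ($dir -ne $system32)
            }
        }
}

function Get-SecurityCenterOverrides {
    # Non-zero here means Security Center notifications or the SP2 update path were
    # switched off, matching the greyed-out firewall the original poster described.
    $sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $checks = @(
        @{ Path = $sc; Name = 'AntiVirusOverride' }
        @{ Path = $sc; Name = 'FirewallOverride' }
        @{ Path = $sc; Name = 'FirewallDisableNotify' }
        @{ Path = $sc; Name = 'AntiVirusDisableNotify' }
        @{ Path = $sc; Name = 'UpdatesDisableNotify' }
        @{ Path = $wu; Name = 'DoNotAllowXPSP2' }
    )
    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Key      = "$($c.Path)\$($c.Name)"
            Value    = if ($null -eq $value) { '<absent>' } else { $value }
            Modified = ($null -ne $value) -and ($value -ne 0)
        }
    }
}

function Find-RootDroppers {
    # File names as reported in the thread; their presence in the drive root is the indicator.
    $names = 'sw.bat','is.bat','is.exe','tb.exe','xe.exe','low.exe','mmxateam.exe',
             'IELower.exe','usbupdatesx.exe','mc-110-12-000169.exe','zxvcc73x.exe'
    $root = [System.IO.Path]::GetPathRoot($env:SystemRoot)
    foreach ($n in $names) {
        $p = Join-Path $root $n
        if (Test-Path -LiteralPath $p) {
            Get-Item -LiteralPath $p -Force | Select-Object FullName, Length, LastWriteTime
        }
    }
}

Test-LsassImposter          | Format-Table -AutoSize
Get-SecurityCenterOverrides | Format-Table -AutoSize
Find-RootDroppers           | Format-Table -AutoSize
```

A row with Suspicious = True, or any Modified = True value, is the point where the thread's advice applies: collect the file for analysis before removal, since both the dropper names and the lsass path varied between posters.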