
Author Topic: Sasser? help please  (Read 2094 times)

Offline Jaminxz

  • Regular Member
  • **
  • Posts: 124
Sasser? help please
« on: May 21, 2004, 20:01 »
Hey, I promised one of my friends I'd help them sort out their PC. I got him to download HijackThis and then send me the results.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\SOINTGR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\wnetmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Kevin Beresford\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.supanet.com/search/iepanel/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.supanet.com/search/iepanel/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Supanet Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SupaDial] C:\Program Files\SupaDial\SupaDial.exe /A
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] wnetmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\RunServices: [Microsoft System Checkup] wnetmgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37991.5385416667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2683358-6CBB-4DE3-9936-AE25A42BEC94}: NameServer = 213.40.2.19 213.40.2.20


To me it looks like he has Sasser, but I need verification. Also, could someone suggest suitable action to take?

cheers,

Jaminxz

Offline lobo

  • Full Member
  • ***
  • Posts: 342
    • http://www.burnleywood.com
Re:Sasser? help please
« Reply #1 on: May 21, 2004, 20:20 »
What makes you think it is infected by a worm? If your anti-virus software is updated it will detect the Sasser worm.

If it is infected, go to http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html and download the removal tool.

Brian ;D
Flash: http://pc-pals.com/userpics/loboPC.swf

All the survivors of the war had reached their homes and so put the perils of battle and the sea behind them.
Homer   , The Odyssey, line 1

Online Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Re:Sasser? help please
« Reply #2 on: May 21, 2004, 21:04 »
I can't see anything in that list to indicate the Sasser worm - what are the symptoms of the problem, Jam?
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline Jaminxz

  • Regular Member
  • **
  • Posts: 124
Re:Sasser? help please
« Reply #3 on: May 21, 2004, 21:49 »
I thought the Svchost.exe was suspicious.


As it's my friend's PC, not mine, that's in question, details are a little hazy, although I can obtain any if necessary.

My mate tried to scan his PC with Norton AntiVirus scan and the application closed almost immediately, as did HijackThis. When I had Sasser this happened to me also.

I think I'm right in guessing it's some kind of virus?

Offline lobo

  • Full Member
  • ***
  • Posts: 342
    • http://www.burnleywood.com
Re:Sasser? help please
« Reply #4 on: May 21, 2004, 22:04 »
Svchost.exe is part of Windows.

The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging.

Start in Safe Mode (F8 at boot) and run the anti-virus program in Safe Mode.

Brian ???
Flash: http://pc-pals.com/userpics/loboPC.swf

All the survivors of the war had reached their homes and so put the perils of battle and the sea behind them.
Homer   , The Odyssey, line 1

Online Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Re:Sasser? help please
« Reply #5 on: May 21, 2004, 22:24 »
If it was the Sasser worm, there would probably be instances of these in the HJ list, like there was on yours:

C:\WINDOWS\avserve.exe
C:\WINDOWS\avserve2.exe
C:\WINDOWS\skynetave.exe

O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\Run: [skynetave.exe] C:\WINDOWS\skynetave.exe


As those don't appear in your friend's HJ list, it's unlikely he has the Sasser worm.

As Brian said, tell him to temporarily disable System Restore (if XP or ME) and do a virus scan in Safe Mode.  Also in Safe Mode, run Ad Aware and / or Spybot.

Let us know if he's still having problems after doing that.  :)
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline Dack

  • Established Member
  • ****
  • Posts: 831
Re:Sasser? help please
« Reply #6 on: May 22, 2004, 07:49 »
Rerun HJT and have it fix the following.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.supanet.com/search/iepanel/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.supanet.com/search/iepanel/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Supanet Internet Explorer
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [SupaDial] C:\Program Files\SupaDial\SupaDial.exe /A
Time computer then is it :)

O4 - HKLM\..\Run: [Microsoft System Checkup] wnetmgr.exe Trojan - kills AV software
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe Ditto
O4 - HKLM\..\RunServices: [Microsoft System Checkup] wnetmgr.exe Deja Vu


The trojan you have got is http://it.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=59079&VName=WORM_SDBOT.KW&VSect=T

You may also want to delete
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
As it's a bit of a resource hog and you still have StarOffice installed :)

Also notice that he hasn't got a firewall installed.
They promised the earth! Then delivered mud.
Technically it did meet the spec.
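The two replies above (Simon's Sasser file names in Reply #5 and Dack's trojan and dialler entries in Reply #6) amount to a small detection rule over the O4 section of a HijackThis log. The script below is an added example written for this thread, not a tool posted by anyone in it: it parses O4 registry autostart lines, pulls out the executable each one launches (handling quoted paths and the unquoted-with-spaces form seen in the SupaDial line), and flags the names the thread identifies, recording every Run/RunServices key that launches the same file so the "Deja Vu" duplicate is visible. The sample log is the O4 section of the log posted above; the regular expressions and the name lists are my own.

```python
import re

# Autostart names this thread identifies as malicious: the trojan entries
# Dack points out, plus the Sasser files Simon lists in Reply #5.
KNOWN_BAD_EXES = {
    "wnetmgr.exe", "syslog32.exe",                   # trojan, kills AV software (Dack)
    "avserve.exe", "avserve2.exe", "skynetave.exe",  # Sasser (Simon)
}
# Unwanted but not malware: the Supanet dialler Dack also tells the OP to fix.
UNWANTED_EXES = {"supadial.exe"}

# O4 registry autostart line, e.g.
#   O4 - HKLM\..\Run: [Microsoft System Checkup] wnetmgr.exe
# (Global Startup lines use a different form and are deliberately skipped.)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# First executable path in a command string, quoted or not. Unquoted paths
# containing spaces ("C:\Program Files\SupaDial\SupaDial.exe /A") are common
# in HJT logs, so the match runs up to the first executable extension.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|com|scr|bat|pif))"?(?:\s|$)', re.IGNORECASE)


def exe_name(cmd):
    """Lower-cased file name of the executable an O4 command launches."""
    m = EXE_RE.match(cmd.strip())
    if m:
        path = m["path"]
    else:
        parts = cmd.strip().strip('"').split()
        path = parts[0] if parts else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_o4(log_lines):
    """Map each flagged executable to the autostart keys launching it and the reason.

    Only entries on the two lists above are reported; everything else is left
    alone, since bare names such as SOUNDMAN.EXE are normal for OEM drivers.
    """
    launches = {}  # exe -> ["HIVE\..\Key", ...] in log order
    for line in log_lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = exe_name(m["cmd"])
        launches.setdefault(exe, []).append(f"{m['hive']}\\..\\{m['key']}")

    report = {}
    for exe, keys in launches.items():
        if exe in KNOWN_BAD_EXES:
            reason = "known malware autostart"
        elif exe in UNWANTED_EXES:
            reason = "dialler / unwanted program"
        else:
            continue
        report[exe] = {"keys": keys, "reason": reason}
    return report


# Constructed sample: the O4 section of the log posted at the top of this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SupaDial] C:\Program Files\SupaDial\SupaDial.exe /A
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft System Checkup] wnetmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\RunServices: [Microsoft System Checkup] wnetmgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
""".strip().splitlines()

if __name__ == "__main__":
    for exe, info in scan_o4(SAMPLE_LOG).items():
        print(f"{exe:14} {info['reason']:28} launched from {', '.join(info['keys'])}")
```

Run against the sample it reports three executables: supadial.exe as unwanted, and wnetmgr.exe and syslog32.exe as malware, with wnetmgr.exe listed under both HKLM\..\Run and HKLM\..\RunServices. Names not on either list are ignored rather than guessed at, which is the right trade-off for a log full of legitimate bare-name OEM entries.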

Offline lobo

  • Full Member
  • ***
  • Posts: 342
    • http://www.burnleywood.com
Re:Sasser? help please
« Reply #7 on: May 22, 2004, 17:17 »
@Dack
You are right, my friend, it is a worm that's infecting the PC.

C:\WINDOWS\System32\wnetmgr.exe
HKLM\..\Run: [NT Logging Service] syslog32.exe

But if his anti-virus software is up to date it should have found and quarantined it.

Brian ;D
 

Flash: http://pc-pals.com/userpics/loboPC.swf

All the survivors of the war had reached their homes and so put the perils of battle and the sea behind them.
Homer   , The Odyssey, line 1

Offline Dack

  • Established Member
  • ****
  • Posts: 831
Re:Sasser? help please
« Reply #8 on: May 22, 2004, 19:59 »
Assuming he didn't get it before the anti-virus companies updated (mind you, that was only one day or so after discovery).

@Jaminxz

You will also need to modify the HOSTS file on the affected computer, as it adds a few sites to it, meaning you cannot get updates for your virus scanner, among other things.

Navigate to C:\WINNT\System32\drivers\etc and open up the HOSTS file and remove all entries that have an entry matching a name in this list:
Quote
www.symantec.com
securityresponse.symantec.com
symantec.com
www.sophos.com
sophos.com
www.mcafee.com
mcafee.com
liveupdate.symantecliveupdate.com
www.viruslist.com
viruslist.com
viruslist.com
f-secure.com
www.f-secure.com
kaspersky.com
www.avp.com
www.kaspersky.com
avp.com
www.networkassociates.com
networkassociates.com
www.ca.com
ca.com
mast.mcafee.com
my-etrust.com
www.my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
nai.com
www.nai.com
update.symantec.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
www.trendmicro.com


The format will be something like
www.trendmicro.com 127.0.0.1
They promised the earth! Then delivered mud.
Technically it did meet the spec.
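Dack's instruction above is to open the HOSTS file and remove every line naming one of the listed anti-virus hosts. The script below is an added example for this thread, not something Dack or anyone else posted: it applies exactly that rule, dropping any line on which a hostname token (comments stripped, case-insensitive) matches the list, and keeping everything else, including the localhost line and any legitimate local entries. The standard hosts format puts the address first ("127.0.0.1 www.trendmicro.com"); the matcher checks every token on the line, so the reversed form in the post is caught as well. The block list is Dack's list verbatim; the sample file is constructed, and the default path assumes the hosts file under %SystemRoot%\System32\drivers\etc, which is C:\WINDOWS on the XP machine in this thread and C:\WINNT as in Dack's post on Windows 2000.

```python
import os

# Anti-virus vendor hosts from Dack's list, which the trojan redirects.
BLOCKED_VENDOR_HOSTS = {
    "www.symantec.com", "securityresponse.symantec.com", "symantec.com",
    "www.sophos.com", "sophos.com", "www.mcafee.com", "mcafee.com",
    "liveupdate.symantecliveupdate.com", "www.viruslist.com", "viruslist.com",
    "f-secure.com", "www.f-secure.com", "kaspersky.com", "www.avp.com",
    "www.kaspersky.com", "avp.com", "www.networkassociates.com",
    "networkassociates.com", "www.ca.com", "ca.com", "mast.mcafee.com",
    "my-etrust.com", "www.my-etrust.com", "download.mcafee.com",
    "dispatch.mcafee.com", "secure.nai.com", "nai.com", "www.nai.com",
    "update.symantec.com", "updates.symantec.com", "us.mcafee.com",
    "liveupdate.symantec.com", "customer.symantec.com", "rads.mcafee.com",
    "trendmicro.com", "www.trendmicro.com",
}


def clean_hosts(text, blocked=BLOCKED_VENDOR_HOSTS):
    """Return (cleaned_text, removed_lines).

    A line is removed when any whitespace-separated token on it, after the
    '#' comment part is stripped, matches a blocked host. Checking every
    token means both '127.0.0.1 host' and the reversed 'host 127.0.0.1' match.
    """
    kept, removed = [], []
    for line in text.splitlines():
        code = line.split("#", 1)[0]
        tokens = {t.lower() for t in code.split()}
        if tokens & blocked:
            removed.append(line)
        else:
            kept.append(line)
    cleaned = "\n".join(kept)
    if text.endswith("\n"):
        cleaned += "\n"
    return cleaned, removed


# Assumed location of the hosts file (hypothetical default; pass your own path).
DEFAULT_HOSTS_PATH = os.path.join(
    os.environ.get("SystemRoot", r"C:\WINDOWS"), "System32", "drivers", "etc", "hosts"
)


def clean_hosts_file(path=DEFAULT_HOSTS_PATH):
    """Rewrite the hosts file in place, keeping a .bak copy; returns removed lines."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        original = fh.read()
    cleaned, removed = clean_hosts(original)
    if removed:
        with open(path + ".bak", "w", encoding="ascii", errors="replace") as fh:
            fh.write(original)
        with open(path, "w", encoding="ascii", errors="replace") as fh:
            fh.write(cleaned)
    return removed


# Constructed sample hosts file: a normal header and localhost line, a local
# entry worth keeping, and four redirect lines of the kind the trojan adds.
SAMPLE_HOSTS = """# sample hosts file (constructed for this example)
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com   # added by the trojan
www.trendmicro.com 127.0.0.1
0.0.0.0 nai.com
192.168.1.10    fileserver
"""

if __name__ == "__main__":
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print(f"removed {len(removed)} line(s):")
    for line in removed:
        print("  " + line)
    print("cleaned file:")
    print(cleaned)
```

On the sample this removes the four vendor lines and leaves the header, localhost and the local file server entry untouched. Matching is exact against the listed names rather than by suffix, which is what the post asks for and avoids accidentally dropping an unrelated host that merely ends in the same domain.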

Offline Jaminxz

  • Regular Member
  • **
  • Posts: 124
Re:Sasser? help please
« Reply #9 on: May 23, 2004, 16:54 »
Right, OK, thanks very much dude. I'm gonna get a look at his PC soon so I'll be able to do it; I may need some more help though!!

Cheers guys, I'll let you know how I get on!

Offline Jaminxz

  • Regular Member
  • **
  • Posts: 124
Re:Sasser? help please
« Reply #10 on: May 24, 2004, 18:42 »
Right, thanks guys, I fixed the problem using HJT and all is fine now.

thanks again

Jaminxz

