  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 433

Unremoveable spyware/virus

I am trying everything I can to remove this virus/spyware. Here is where we are right now (all done in safe mode):

Hijack This
*********
Logfile of HijackThis v1.99.1
Scan saved at 11:09:16 AM, on 4/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\HowardFamily\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\oelsn.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,yaswxem.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

It's the C:\WINDOWS\system32\oelsn.exe and yaswxem.exe entries in the HijackThis log that I can't get rid of.

Autoruns
********
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      C:\WINDOWS\system32\xuuony.exe reg_run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      C:\WINDOWS\system32\xuuony.exe reg_run
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
      pcgpt.exe

Any time I try to delete oelsn.exe, yaswxem.exe, or xuuony.exe reg_run from the registry it comes right back (even in safe mode). I have tried using msconfig, smitRem, and HijackThis. I have tried manual removal. I have tried Norton AV (installed on the system) and TrendMicro HouseCall. I have tried looking in Add/Remove Programs and Services for anything that doesn't belong. None of it has helped. Even doing searches for the 4 exes doesn't get me anywhere, so they must be randomly generated.

Asked by: Talenhawk
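An added triage helper, not posted in the thread and not part of HijackThis or Autoruns: it parses the F2/O4 lines from a HijackThis log and the key/entry layout of an Autoruns text report, compares the Shell and UserInit values against their known XP defaults, and flags bare or system32 executables with generated-looking names that are not on a (constructed) allowlist. The sample logs are constructed from the entries quoted above; the name heuristic and the allowlist are assumptions for the example, not a vetted baseline.

```python
"""Triage of HijackThis / Autoruns style startup entries (constructed example)."""
import re
from typing import List, Tuple

# Known-good defaults for the two winlogon values HijackThis reports as F2.
# Anything appended after them is an extra persistence entry worth a look.
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {"c:\\windows\\system32\\userinit.exe"},
}

# Constructed allowlist: executables that legitimately start from Run/Startup
# entries out of system32. A real triage would use a vetted baseline instead.
KNOWN_GOOD = {"userinit.exe", "explorer.exe", "ctfmon.exe", "rundll32.exe"}

# Heuristic for generated names such as oelsn.exe or xuuony.exe: short, all
# lowercase letters, no digits or separators. The allowlist takes precedence.
RANDOM_NAME = re.compile(r"^[a-z]{4,8}\.exe$")

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.+)$")
O4_RE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.+)$")
AUTORUNS_LOCATION_RE = re.compile(r"^(HKEY_\S+|[A-Za-z]:\\.+)$")

Finding = Tuple[str, str]  # (reason, offending entry as it appeared)


def _basename(entry: str) -> str:
    """Lower-cased file name of a command line, arguments after it stripped."""
    return entry.rsplit("\\", 1)[-1].split(" ", 1)[0].lower()


def _directory(entry: str) -> str:
    return entry.rsplit("\\", 1)[0].lower() if "\\" in entry else ""


def _looks_random(entry: str) -> bool:
    """Flag bare or system32 binaries whose names look machine-generated."""
    if _directory(entry) not in ("", "c:\\windows\\system32"):
        return False
    name = _basename(entry)
    return name not in KNOWN_GOOD and bool(RANDOM_NAME.match(name))


def triage_hijackthis(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in (l.strip() for l in log.splitlines()):
        m = F2_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            # Values are comma separated; every non-default item is reported.
            for entry in (e.strip() for e in value.split(",")):
                if entry and entry.lower() not in WINLOGON_DEFAULTS[key.lower()]:
                    findings.append((f"non-default {key} value", entry))
            continue
        m = O4_RE.match(line)
        if m and _looks_random(m.group(3)):
            findings.append((f"random-looking O4 entry {m.group(1)}", m.group(3)))
    return findings


def triage_autoruns(report: str) -> List[Finding]:
    findings: List[Finding] = []
    location = "unknown location"
    for raw in report.splitlines():
        if not raw.strip():
            continue
        if AUTORUNS_LOCATION_RE.match(raw):  # unindented key or folder line
            location = raw.strip()
            continue
        entry = raw.strip()                  # indented line = one entry
        if _looks_random(entry):
            findings.append((f"random-looking entry under {location}", entry))
    return findings


def suspicious_names(hjt_log: str, autoruns_report: str) -> List[str]:
    """Distinct binaries flagged by either tool's output, for searching on."""
    names = {_basename(e) for _, e in triage_hijackthis(hjt_log)}
    names |= {_basename(e) for _, e in triage_autoruns(autoruns_report)}
    return sorted(names)


# Constructed samples, built from the entries quoted in the question.
HIJACKTHIS_SAMPLE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\explorer.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\oelsn.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,yaswxem.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
"""

AUTORUNS_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      C:\WINDOWS\system32\xuuony.exe reg_run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      C:\WINDOWS\system32\xuuony.exe reg_run
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
      pcgpt.exe
"""

if __name__ == "__main__":
    for reason, entry in triage_hijackthis(HIJACKTHIS_SAMPLE) + triage_autoruns(AUTORUNS_SAMPLE):
        print(f"[{reason}] {entry}")
    print("distinct suspicious binaries:", suspicious_names(HIJACKTHIS_SAMPLE, AUTORUNS_SAMPLE))
```

The F2 check is the more reliable of the two: Shell and UserInit have a single documented default each, so any appended item is worth explaining regardless of its name. The name heuristic only narrows the list for a human to review; the legitimate MSConfig O4 entry is left alone because it lives outside system32.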
1 Solution
r-k commented:
Try this:

(0) If running XP Home, boot in safe mode; if XP Pro, start with step (1).

(1) Right click on the file (e.g. xuuony.exe) in Windows Explorer or My Computer, select Properties

(2) Click on the Security tab.

(3) Click on the Advanced button.

(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

(5) Repeat steps (1) to (4) for the other files you want to disable.

(6) Close all windows.

(7) Reboot.

After reboot the file(s) will be unable to run (because no one can access them any more). The symptoms should be gone.

At this point you can clean up with a standard anti-spyware program. I suggest Ewido, but you can try others that you already have.
Talenhawk (Author) commented:
I did this, but there is still obviously something evil running, because as soon as I remove any of these they are right back in there. Also, did I mention the two below are hidden? I.e. I can't see them in regedit or regedt32. The only way I can see them is with Autoruns and msconfig. How do I unhide them in the registry?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      C:\WINDOWS\system32\xuuony.exe reg_run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      C:\WINDOWS\system32\xuuony.exe reg_run
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
      pcgpt.exe
r-k commented:
Try ewido (http://www.ewido.net/en/) download the free/demo version and scan your system.
I've had luck with that in similar cases.

Also, just to be sure, did you disable these files like I suggested, or did you delete them? Deleting them is not going to be as effective as disabling them. Also, you have to disable all that you can identify, then reboot.
Rich Rumble (Security Samurai) commented:
If XP Pro, disable System Restore, then scan with the tools above as well as Ad-Aware. If you suspect you have a rootkit, download and run RootkitRevealer from Sysinternals.com
http://www.sysinternals.com/Files/RootkitRevealer.zip Make sure you don't run any apps or access anything while it runs, as this will lead to false positives in the scan.
There are certain files and folders that typically say "hidden from MFT but visible in Windows API".
Typically it's the files (not usually the registry keys) that say "Hidden from Windows API" that are likely a rootkit or hiding themselves from scans.
Should you see such files, it's easiest to mount that hard drive in another PC as a secondary drive (slave most likely) and remove them, or if you're unsure just zip them up and leave them there so you can restore if you need to. While the HD is mounted as a secondary drive you might as well use that PC to scan it with AV and anti-spyware utilities.

http://www.xinn.org/annoyance_spy-ware.html#Sys-Restore
-rich