Trojan Help Follow Up

Discussion in 'Dell' started by Mike, Jun 27, 2005.

  1. Mike

    Mike Guest

    Thanks to everyone for their suggestions and or comments. The
    "Band-Aid" I am using now is Zone Alarm. Norton's AV had been
    compromised so I un-installed and then re-installed it. Between ZA,
    Norton's, Spy Sweeper, and HijackThis I have had no more alerts that
    files were trying to register themselves on start up and can find no
    more spyware or trojans. But what I have found are a couple of files
    in my \system32 directory that look suspect. I have "googled" them
    and can not find any information about them. I tried deleting them
    but can not. Does anyone know if the following files are legit?

    C:\WINDOWS\system32\dksshlex.dll

    C:\WINDOWS\system32\sumsg.dll

    Also, how does one go about deleting files that Windows will not allow
    you to delete? And is there a way to force a "process" to stop? I
    understand I could force a crash if I stop the wrong process but would
    like to be able to stop certain things from running.

    Lastly, does anyone know how to run Norton's AV in safe mode? Though
    it says to scan your system in safe mode when you suspect
    troubles, it won't run. GG Symantec! LOL!

    Thanks!

    Mike
     
    Mike, Jun 27, 2005
    #1

  2. Ed Wurster

    Ed Wurster Guest

    When you reboot, tap the F8 key a few times before Windows loads. You'll see
    the safe mode prompt there.

    This answers your last few questions. In safe mode the bad guys don't start
    up. Last week I cleaned an XP system that someone brought home from college.
    My approach is to install ad-aware and spybot. I update these programs, and
    also update the a/v program that is installed. Even though the system had an
    enterprise package installed by the school, it could not stop or remove
    several infections. My solution was to install AVG. I rebooted to safe mode
    and ran ad-aware, spybot, and avg. It took most of an afternoon to clean
    everything out. I installed zone-alarm too, to make sure I found all
    processes that are sending out requests.

    Here is the Symantec page to get you to the safe mode instructions. A lot more
    detail than you need, but nice-to-know info.

    http://tinyurl.com/pfca

    Ed
     
    Ed Wurster, Jun 27, 2005
    #2

  3. Ben Myers

    Ben Myers Guest

    I'm with Ed regarding the use of Ad-Aware and Spybot to do cleanup of a system.
    If neither of them (when updated with latest definitions) removes the cited
    files, boot your system in safe mode and remove them manually. It might also be
    useful to examine the properties of these DLLs. Legitimate DLLs installed in
    the system32 folder always identify the "owner" who developed them. Some of
    them, even though spyware or adware, still identify the company that developed
    them. Others have no identification whatsoever, a tipoff that they are up to no
    good.

    I am a belt and suspenders type of person. I have Zone Alarm installed on all
    computers here in back of a router with NAT. Zone Alarm, unlike Microsoft's
    cheap and sleazy SP2 firewall, lets you know when some program unexpectedly
    tries to reach out to the internet. Sometimes, as when installing a software
    update, the outbound access is expected and there is a cause (install of new
    software) and effect (internet access requested) relationship. But if a program
    tries to access the internet out of the blue and Zone Alarm catches it, this
    could be a warning of something insidious going on in a computer.

    The Microsoft apologists need not flame me for noting the inadequacy of
    Microsoft's own software firewall. The inadequacy has been cited by most every
    industry analyst, computer trade rag writer, and even mainstream computer
    writers like John Markoff. Given the inadequacy of Microsoft's own software
    security in Windows, IE, Outlook, etc., it is not too hard to imagine the
    possibility of some rogue software sneaking in through yet another Microsoft
    security hole, then attempting to do its dastardly deed on the internet.
    Microsoft's lame firewall simply is not designed to catch this sort of problem.

    .... Ben Myers
     
    Ben Myers, Jun 27, 2005
    #3
  4. Mike

    Mike Guest

    Ed, I can get into Safe Mode, but when I run Norton's AV when in
    Safe Mode, I get this message ... "Symantec Integrator has
    encountered a problem and needs to close now". So much for a scan in
    Safe Mode!

    Even though all scans from all my spybot/adware/antivirus software
    report that I am clean, I am still finding mystery .DLLs in my
    windows\system32 directory. What I have noticed is that each new file
    is the exact same size, 408KB, though each one will have a different
    name, and new such files will appear in this directory after each
    reboot. I can not delete 2 of these files. I have tried Killbox,
    deleting from the command prompt in Safe Mode, shift-del, etc. I did
    use Clean Me! and got rid of 3.0 Gigs of trash in my temp dirs!
    LOL!

    So my question is this ... how do I find what is creating these
    mystery .DLLs and how do I delete them? So far I have used and am
    booting with the following turned on ...

    Spy Sweeper
    Norton's IS
    Zone Alarm

    .... and I am showing as being clean by all the above plus ...

    Lavasoft Ad-aware
    Spybot Search and Destroy

    Thanks again for the input.

    Mike
     
    Mike, Jun 27, 2005
    #4
  5. Ben Myers

    Ben Myers Guest

    Mike,

    No matter how up to date Spybot, Ad-Aware, NAV, Microsoft anti-spyware, etc.
    are, there will almost always be the "mystery" DLLs, because the purveyors of
    all this rotware move a little faster than the good software packages that
    combat them. My advice is to boot in safe mode, rename the "mystery" DLLs with
    another extension (e.g. DXX), reboot, and look for potential side effects. If
    the system behaves curiously or emits error messages due to "missing" DLLs, you
    can always rename them back again.

    I have had to do some really aggressive cleaning out of the system32 folder for
    clients when the packages don't do a complete job. Your best bet is to sort the
    folder by newest date first. Then look for clusters of files all installed at
    the same time, possibly the same time when the system began showing ill effects.

    Also, whether it is a Windows update, NAV update, or update of some other software
    that gets into the knickers of the operating system, any and all updates should
    be done with the assurance that the system is 99.999% free of trojans, worms,
    and the like. If there are still worms and trojans lurking, an update can go
    awry, or, worse yet, really hose up a system... Ben Myers
     
    Ben Myers, Jun 27, 2005
    #5
  6. Colin Wilson

    Colin Wilson Guest

    > The Microsoft apologists need not flame me for noting the inadequacy of

    If they knew how to write an OS, they wouldn't need to buy anti-virus and
    anti-spyware companies.
     
    Colin Wilson, Jun 27, 2005
    #6
  7. SDG

    SDG Guest

    This does not show up in any search engine, but neither is it listed by
    Symantec as being a virus. Do a properties check on it to see who the author
    is.
    This is used by SUperior SU. This is a: "utility for Windows NT (versions
    3.51 and 4), Windows 2000, Windows XP and Windows 2003 Server, that is not
    only a traditional SU utility but also a powerful desktop switcher utility
    that allows for running multiple shells on different desktops on behalf of
    different users. Smell the Unix-like power of a quasi-multisession
    environment on a Windows NT-based Workstation or Server and download and
    install SUperior SU! "
     
    SDG, Jun 27, 2005
    #7
  8. Mike

    Mike Guest

    Ben, I booted into Safe Mode and tried changing the extensions of the
    files, and then renaming them, but was told it was being used by
    another process so the changes could not be made.

    Rooting around the Net I did find reference to a file (one of those
    mystery DLLs) I found in my \system32 directory that led me to some
    other pages. I downloaded a VX2.BetterInternet finder utility. What
    is interesting is that I indeed had something in my registry and it's
    in WindowsNT\Winlogon\Notify\App Paths and the DLL it's calling for is
    none other than that dksshlex.dll file I mentioned earlier. I tried
    deleting it from my registry but it always comes back.

    Another interesting note is that each file this "trojan" creates is
    the same size, 408 KB, the same size as the vbscript.dll. Maybe
    nothing who knows. All I know is that I want this sucker off my
    computer! Whatever it is!

    At the moment I have it set such that IE will not be allowed past
    either of my firewalls :) What a PITA!

    Mike
     
    Mike, Jun 27, 2005
    #8
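    As an added defensive triage example (my own script, not something posted in this thread), the following PowerShell does by hand what Ben and Mike describe: it lists each Winlogon\Notify package and the DLL it loads, then lists recently created System32 DLLs grouped by size so that a cluster of same-size files created together stands out, reporting each file's CompanyName and Authenticode status. It assumes a modern Windows PowerShell 5+ session run as Administrator; the `Suspect` flag and the 14-day window are my own heuristics, not anything the thread specifies.

```powershell
# Added triage example (not from the thread). Assumes Windows PowerShell 5+, run as Administrator.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$sys32     = Join-Path $env:SystemRoot 'System32'

function Get-DllOwnerInfo {
    param([string]$Path)
    # Notify entries often give a bare file name; resolve it against System32.
    if (-not [IO.Path]::IsPathRooted($Path)) { $Path = Join-Path $sys32 $Path }
    $file = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    $sig  = if ($file) { Get-AuthenticodeSignature -FilePath $file.FullName } else { $null }
    [pscustomobject]@{
        Path      = $Path
        Exists    = [bool]$file
        SizeKB    = if ($file) { [math]::Round($file.Length / 1KB) } else { $null }
        Created   = if ($file) { $file.CreationTime } else { $null }
        Company   = if ($file) { $file.VersionInfo.CompanyName } else { $null }
        Signature = if ($sig)  { $sig.Status } else { 'n/a' }
        # Heuristic (mine): no CompanyName and no valid signature is the "no identification" tip-off.
        Suspect   = [bool]($file -and -not $file.VersionInfo.CompanyName -and $sig.Status -ne 'Valid')
    }
}

# 1. Winlogon\Notify: winlogon loads the DLLName of every subkey at logon,
#    which is how a DLL like the one Mike found keeps coming back.
Write-Host "== Winlogon\Notify packages =="
Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath).DLLName
    if ($dll) {
        Get-DllOwnerInfo -Path $dll |
            Add-Member -NotePropertyName Subkey -NotePropertyValue $_.PSChildName -PassThru
    }
} | Format-Table Subkey, Path, SizeKB, Company, Signature, Suspect -AutoSize

# 2. Ben's "sort by newest date, look for clusters": recent System32 DLLs
#    grouped by size, so several same-size files created together are obvious.
Write-Host "== System32 DLLs created in the last 14 days, grouped by size =="
Get-ChildItem -Path $sys32 -Filter *.dll -File |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-14) } |
    Group-Object Length |
    Where-Object { $_.Count -gt 1 } |
    Sort-Object Count -Descending |
    ForEach-Object {
        Write-Host ("-- {0} files of {1} KB --" -f $_.Count, [math]::Round([long]$_.Name / 1KB))
        $_.Group | Sort-Object CreationTime |
            ForEach-Object { Get-DllOwnerInfo -Path $_.FullName } |
            Format-Table Created, Path, Company, Signature, Suspect -AutoSize
    }
```

    Files flagged `Suspect` are candidates for the rename-and-reboot test Ben suggests, not proof of infection; plenty of legitimate third-party DLLs ship without version resources.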
  9. Ben Myers

    Ben Myers Guest

    Yes! Can you dig it! ... Ben Myers

     
    Ben Myers, Jun 27, 2005
    #9
  10. This definitely smells of malware. I dunno if it's easy for you, but
    removing the disk, putting it in another computer, and removing the
    offending files works for me in those kinds of situations.

    Also, you don't seem to have tried Microsoft's AntiSpyware, which
    (despite being from the Evil Empire) does a pretty good job. I'd also
    try McAfee, maybe even FreeScan, but maybe that's just me...
     
    William P. N. Smith, Jun 28, 2005
    #10
  11. Mike

    Mike Guest

    I figured I would give MS Antispyware a shot. But for some reason it
    says I do not have an authorized version of Windows so won't download.
    That is odd seeing how this is the OS Dell installed on my computer
    and I have the Windows CD in hand. Strange.

    Mike
     
    Mike, Jun 28, 2005
    #11
  12. Hank Arnold

    Hank Arnold Guest

    Hank Arnold, Jun 28, 2005
    #12
  13. When you do the Windows Validation thing, does it ask you for the
    license key on the machine? There's a way to straighten this out, and
    you probably want to _before_ they start requiring it for Windows
    Updates and such...
     
    William P. N. Smith, Jun 28, 2005
    #13
  14. S.Lewis

    S.Lewis Guest

    You either have to validate using the product key on the system case -OR-
    use the 'alternative validation method', which requires one to install an
    ActiveX utility for the site; you can then proceed to the next page and
    enter the brand of the computer and from whom it was purchased in the
    fields. Once done, a 5-digit key is produced on the next page to be
    manually entered. THEN, it can be downloaded and installed.

    The one kicker in this (which may be the poster's problem) is that SP2
    blocks the pop-up/install of the ActiveX control, and you have to manually
    allow it from the SP2/IE6 information bar at the time - at the top of the
    browser window.


    Stew
     
    S.Lewis, Jun 28, 2005
    #14