Backdoor.Lateda.C



shuckie69
07-09-2005, 11:48 PM
Hello everyone!

I'm really hoping someone can help me out here. A few days ago I tried to
help a friend by repairing WinXP Pro using the CD-ROM because the Operating
System was corrupted. To cut a long story short I couldn't activate the
firewall quick enough after re-installing the Broadband software, and as a
result the PC got infected by the Sasser virus followed by the above Trojan
Horse.

I know it is this particular Trojan because the PC kept trying to connect to
l33t.freeshellz.org as soon as I connected the USB cable from the ADSL modem.
The Symantec website identified the Trojan based upon this information. I
have tried installing Zonealarm and Avast! anti-virus from CD-R and ran both
a boot-up anti-virus scan AND a thorough scan in Safe Mode, but this trojan is
still there? The Symantec website advises me to download up to date
definitions and run a full scan, but the Trojan keeps the modem com port busy
preventing me from connecting to the Net most of the time, and even when I
can connect it stops me from downloading anything. I think the Avast!
definitions are currently dated 17/03/2005, I downloaded it onto CD-R via
www.download.com.

How can I get rid of this Trojan without formatting the hard drive and
re-installing Windows? My friend has some important data on drive c: which he
doesn't want to lose.

I eagerly await a reply from someone to save my skin from my friend!

David H. Lipman
07-09-2005, 11:48 PM
From: "shuckie69" <shuckie69@discussions.microsoft.com>

| Hello everyone!
|
| I'm really hoping someone can help me out here. A few days ago I tried to
| help a friend by repairing WinXP Pro using the CD-ROM because the Operating
| System was corrupted. To cut a long story short I couldn't activate the
| firewall quick enough after re-installing the Broadband software, and as a
| result the PC got infected by the Sasser virus followed by the above Trojan
| Horse.
|
| I know it is this particular Trojan because the PC kept trying to connect to
| l33t.freeshellz.org as soon as I connected the USB cable from the ADSL modem.
| The Symantec website identified the Trojan based upon this information. I
| have tried installing Zonealarm and Avast! anti-virus from CD-R and ran both
| a boot-up anti-virus scan AND a thorough scan in Safe Mode, but this trojan is
| still there? The Symantec website advises me to download up to date
| definitions and run a full scan, but the Trojan keeps the modem com port busy
| preventing me from connecting to the Net most of the time, and even when I
| can connect it stops me from downloading anything. I think the Avast!
| definitions are currently dated 17/03/2005, I downloaded it onto CD-R via
| www.download.com.
|
| How can I get rid of this Trojan without formatting the hard drive and
| re-installing Windows? My friend has some important data on drive c: which he
| doesn't want to lose.
|
| I eagerly await a reply from someone to save my skin from my friend!



Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

1) Download the TrendMicro Sysclean Front End

Download the utility SYSCLEAN_FE at the following URL --
http://www.ik-cs.com/got-a-virus.htm
SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
Direct URL --
http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe


2) Download and install Ad-aware SE
(free personal version v1.05)
http://www.lavasoftusa.com/
Update Ad-aware with the latest definitions and then exit the software.

3) Execute; SYSCLEAN_FE.EXE
Choose; Unzip
Choose; Close


Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
When you get to the menu choose [1] so you can boot into Safe Mode.

4) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

5) Reboot your PC into Safe Mode and shut down as many applications as possible.

6) Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
When done, execute Ad-aware SE and perform a full scan of your PC and delete
all objects found.

7) Restart your PC and perform a "final" Full Scan of your platform
Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
When done, execute Ad-aware SE and perform a final scan of your PC and delete
all objects found.


8) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).

9) Reboot your PC.

10) If you are using WinME or WinXP, create a new Restore point


* * * Please report back your results * * *




--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

shuckie69
07-09-2005, 11:48 PM
Hi David

Thanks for the advice, unfortunately I wasn't successful. The TrendMicro
Sysclean Front End complained that it couldn't find the pattern file and
wanted to connect to the Net to download an update, which obviously it cannot
do. Ad-Aware only found a cookie, and Spybot Search & Destroy only found
spyware (not the trojan).

I tried downloading other removal tools from the website which didn't find
anything although AntiVir did find ANOTHER worm! The only thing I can think
to do now is transfer my friend's hard drive into my PC and run a scan using
AVG and two or three online anti-virus scans until I kill this trojan.

Any other suggestions please?

"David H. Lipman" wrote:

> From: "shuckie69" <shuckie69@discussions.microsoft.com>
>
> | Hello everyone!
> |
> | I'm really hoping someone can help me out here. A few days ago I tried to
> | help a friend by repairing WinXP Pro using the CD-ROM because the Operating
> | System was corrupted. To cut a long story short I couldn't activate the
> | firewall quick enough after re-installing the Broadband software, and as a
> | result the PC got infected by the Sasser virus followed by the above Trojan
> | Horse.
> |
> | I know it is this particular Trojan because the PC kept trying to connect to
> | l33t.freeshellz.org as soon as I connected the USB cable from the ADSL modem.
> | The Symantec website identified the Trojan based upon this information. I
> | have tried installing Zonealarm and Avast! anti-virus from CD-R and ran both
> | a boot-up anti-virus scan AND a thorough scan in Safe Mode, but this trojan is
> | still there? The Symantec website advises me to download up to date
> | definitions and run a full scan, but the Trojan keeps the modem com port busy
> | preventing me from connecting to the Net most of the time, and even when I
> | can connect it stops me from downloading anything. I think the Avast!
> | definitions are currently dated 17/03/2005, I downloaded it onto CD-R via
> | www.download.com.
> |
> | How can I get rid of this Trojan without formatting the hard drive and
> | re-installing Windows? My friend has some important data on drive c: which he
> | doesn't want to lose.
> |
> | I eagerly await a reply from someone to save my skin from my friend!
>
>
>
> Dump the contents of the IE Temporary Internet Folder cache (TIF)
> Start --> Settings --> Control Panel --> Internet Options --> Delete Files
>
> Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
> Tools --> Options --> Privacy --> Cache --> Clear
>
> 1) Download the TrendMicro Sysclean Front End
>
> Download the utility SYSCLEAN_FE at the following URL --
> http://www.ik-cs.com/got-a-virus.htm
> SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
> Direct URL --
> http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe
>
>
> 2) Download and install Ad-aware SE
> (free personal version v1.05)
> http://www.lavasoftusa.com/
> Update Ad-aware with the latest definitions and then exit the software.
>
> 3) Execute; SYSCLEAN_FE.EXE
> Choose; Unzip
> Choose; Close
>
>
> Execute; c:\sysclean\SYSCLEAN_FE.BAT
> { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
> When you get to the menu choose [1] so you can boot into Safe Mode.
>
> 4) If you are using WinME or WinXP, disable System Restore
> http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
>
> 5) Reboot your PC into Safe Mode and shut down as many applications as possible.
>
> 6) Execute; c:\sysclean\SYSCLEAN_FE.BAT
> { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
> Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
> When done, execute Ad-aware SE and perform a full scan of your PC and delete
> all objects found.
>
> 7) Restart your PC and perform a "final" Full Scan of your platform
> Execute; c:\sysclean\SYSCLEAN_FE.BAT
> { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
> Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
> When done, execute Ad-aware SE and perform a final scan of your PC and delete
> all objects found.
>
>
> 8) If you are using WinME or WinXP, re-enable System Restore and re-apply any
> System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).
>
> 9) Reboot your PC.
>
> 10) If you are using WinME or WinXP, create a new Restore point
>
>
> * * * Please report back your results * * *
>
>
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

David H. Lipman
07-09-2005, 11:48 PM
From: "shuckie69" <shuckie69@discussions.microsoft.com>

| Hi David
|
| Thanks for the advice, unfortunately I wasn't successful. The TrendMicro
| Sysclean Front End complained that it couldn't find the pattern file and
| wanted to connect to the Net to download an update, which obviously it cannot
| do. Ad-Aware only found a cookie, and Spybot Search & Destroy only found
| spyware (not the trojan).
|
| I tried downloading other removal tools from the website which didn't find
| anything although AntiVir did find ANOTHER worm! The only thing I can think
| to do now is transfer my friend's hard drive into my PC and run a scan using
| AVG and two or three online anti-virus scans until I kill this trojan.
|
| Any other suggestions please?
|

Why can't you connect to the Internet? Explain "...which obviously it cannot do."
If you disconnect the Internet cable, reconnect it and then allow the process to get the
files it needs to clean the system.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

shuckie69
07-09-2005, 11:48 PM
Hi David

As per my initial message; "...but the Trojan keeps the modem com port busy
preventing me from connecting to the Net most of the time, and even when I
can connect it stops me from downloading anything...". With this being an
XP machine, a message keeps appearing approx. every 10 seconds saying that a
program is trying to connect to the l33t.freeshellz.org domain. As a result
when I try to connect I get a message saying the modem COM port is busy. I
haven't been able to connect to the Net since I posted this message,
therefore I can't update Sysclean, Ad-Aware, AntiVir or anything else! If I
detach and reconnect the ADSL modem's USB cable, the trojan instantly tries
to connect.

Any ideas???

"David H. Lipman" wrote:

> From: "shuckie69" <shuckie69@discussions.microsoft.com>
>
> | Hi David
> |
> | Thanks for the advice, unfortunately I wasn't successful. The TrendMicro
> | Sysclean Front End complained that it couldn't find the pattern file and
> | wanted to connect to the Net to download an update, which obviously it cannot
> | do. Ad-Aware only found a cookie, and Spybot Search & Destroy only found
> | spyware (not the trojan).
> |
> | I tried downloading other removal tools from the website which didn't find
> | anything although AntiVir did find ANOTHER worm! The only thing I can think
> | to do now is transfer my friend's hard drive into my PC and run a scan using
> | AVG and two or three online anti-virus scans until I kill this trojan.
> |
> | Any other suggestions please?
> |
>
> Why can't you connect to the Internet? Explain "...which obviously it cannot do."
> If you disconnect the Internet cable, reconnect it and then allow the process to get the
> files it needs to clean the system.
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

David H. Lipman
07-09-2005, 11:48 PM
From: "shuckie69" <shuckie69@discussions.microsoft.com>

| Hi David
|
| As per my initial message; "...but the Trojan keeps the modem com port busy
| preventing me from connecting to the Net most of the time, and even when I
| can connect it stops me from downloading anything...". With this being an
| XP machine, a message keeps appearing approx. every 10 seconds saying that a
| program is trying to connect to the l33t.freeshellz.org domain. As a result
| when I try to connect I get a message saying the modem COM port is busy. I
| haven't been able to connect to the Net since I posted this message,
| therefore I can't update Sysclean, Ad-Aware, AntiVir or anything else! If I
| detach and reconnect the ADSL modem's USB cable, the trojan instantly tries
| to connect.
|
| Any ideas???

Shut down as many applications as possible.
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Copy and Paste the following command line on the; Start --> Run location

%comspec% /c del %windir%\system32\drivers\etc\hosts

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear


Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare } three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. You may have to disable your FireWall or allow FTP.EXE to go through your FireWall
to allow the FTP utility to download the needed files.

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shut down as many applications as possible!
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

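The Start --> Run command above simply deletes the hosts file, which is the blunt but effective fix when malware has used it to redirect security sites. A defender usually wants to see what was redirected before wiping it, so here is an added example for this thread (not part of Sysclean, CLEAN.EXE or any tool the thread uses) that parses the text of %windir%\system32\drivers\etc\hosts and reports any entry pointing a security-vendor site at loopback or at some other address. The three scan sites named in the thread are in the watch list; the other vendor domains, the sample hosts file and the 203.0.113.7 address are constructed assumptions.

```python
"""Audit a Windows hosts file for update-blocking redirects.

Added example for the thread, not part of the Sysclean or CLEAN.EXE
procedure. It parses hosts-file text and flags entries that point a
security-vendor site at the loopback address (or anywhere else), which
would explain why definition downloads fail. The sample file and the
vendor domains beyond the three sites named in the thread are assumptions.
"""
import ipaddress

# Sites whose redirection would block definition updates. The first three
# are the scan sites named in the thread; the remainder are assumed additions.
PROTECTED_DOMAINS = (
    "symantec.com", "mcafee.com", "antivirus.com",
    "trendmicro.com", "lavasoftusa.com", "windowsupdate.microsoft.com",
)

# The one mapping a stock Windows hosts file legitimately contains.
ALLOWED = {("localhost", "127.0.0.1")}


def is_protected(hostname):
    """True if hostname is a protected domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in PROTECTED_DOMAINS)


def parse_hosts(text):
    """Yield (line_no, ip_or_None, hostname) for each mapping in hosts text.

    Comments (#...) and blank lines are skipped. A line whose first field is
    not a valid IP address is yielded once with ip=None so it can be reported.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            yield line_no, None, fields[0]
            continue
        for name in fields[1:]:
            yield line_no, ip, name.lower()


def audit_hosts(text):
    """Return a list of (line_no, hostname, ip, reason) findings."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if ip is None:
            findings.append((line_no, name, None, "first field is not an IP address"))
        elif (name, ip) in ALLOWED or not is_protected(name):
            continue
        elif ipaddress.ip_address(ip).is_loopback:
            findings.append((line_no, name, ip, "security site redirected to loopback"))
        else:
            findings.append((line_no, name, ip, "security site pinned to a foreign address"))
    return findings


# Constructed sample: a stock header line, one legitimate entry and several
# tampered ones. 203.0.113.7 is a documentation-range address, not a real host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       www.mcafee.com securityresponse.symantec.com
203.0.113.7     www.antivirus.com
0.0.0.0         ads.example.net   # ad blocking, not a security site: ignored
bogus           www.trendmicro.com
"""

if __name__ == "__main__":
    for line_no, name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}: {reason}")
```

Run it against the real file by reading %windir%\system32\drivers\etc\hosts into a string and passing it to audit_hosts(); on a clean XP machine the only mapping is `127.0.0.1 localhost` and the report is empty.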
shuckie69
07-09-2005, 11:48 PM
Hi David

Just wanted to let you know that I think I have resolved the problem. I
managed to connect the PC to the internet via my router using a USB wireless
adapter and ran a variety of anti-virus scans. AntiVir detected and deleted
a couple of worms, and ZoneAlarm was stopping c:\windows\system32\winsci.exe
from connecting to the internet. According to the log it tried to connect
almost 1000 times in just a few minutes! I ran online scans at
www.antivirus.com, www.symantec.com and www.mcafee.com. The last one
detected a worm which was actually this winsci.exe file. I deleted the file
and I'm no longer getting the connection message re. l33t.freeshellz.org.
Apart from some minor spyware repeated scans haven't revealed any further
worms/viruses/trojans (touchwood!).

Many thanks for your help and advice, I will let you know if the problem
re-occurs when I return the PC to my friends this evening.

"David H. Lipman" wrote:

> From: "shuckie69" <shuckie69@discussions.microsoft.com>
>
> | Hi David
> |
> | As per my initial message; "...but the Trojan keeps the modem com port busy
> | preventing me from connecting to the Net most of the time, and even when I
> | can connect it stops me from downloading anything...". With this being an
> | XP machine, a message keeps appearing approx. every 10 seconds saying that a
> | program is trying to connect to the l33t.freeshellz.org domain. As a result
> | when I try to connect I get a message saying the modem COM port is busy. I
> | haven't been able to connect to the Net since I posted this message,
> | therefore I can't update Sysclean, Ad-Aware, AntiVir or anything else! If I
> | detach and reconnect the ADSL modem's USB cable, the trojan instantly tries
> | to connect.
> |
> | Any ideas???
>
> Shut down as many applications as possible.
> It would also help for you to read - "How to perform a clean boot in Windows XP"
> http://support.microsoft.com/kb/310353
>
> Copy and Paste the following command line on the; Start --> Run location
>
> %comspec% /c del %windir%\system32\drivers\etc\hosts
>
> Dump the contents of the IE Temporary Internet Folder cache (TIF)
> Start --> Settings --> Control Panel --> Internet Options --> Delete Files
>
> Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
> Tools --> Options --> Privacy --> Cache --> Clear
>
>
> Download CLEAN.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/clean.exe
>
> It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
> { http://kixtart.org Kixtart is CareWare } three batch files, two Kixtart scripts, two Link
> (.lnk) files and a PDF instruction file.
>
> GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
> Scanner. You may have to disable your FireWall or allow FTP.EXE to go through your FireWall
> to allow the FTP utility to download the needed files.
>
> CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
> to scan again at a future date, run this batch file. It will automatically check the date
> of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
> signature files and install them before performing the scan.
>
> DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
> you have booted from an Emergency Boot Disk or DOS disk and have already executed;
> c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
> http://www.bootdisk.com/bootdisk.htm
>
> I need you to perform the following...
>
> Execute; CLEAN.EXE
> Choose; Unzip
> Choose; Close
>
> Execute; c:\mcafee\GetFiles.BAT
> { or Double-click on 'GetFiles Link' in c:\mcafee }
>
> Reboot the PC into Safe Mode [F8 key during boot]
>
> Shut down as many applications as possible!
> It would also help for you to read - "How to perform a clean boot in Windows XP"
> http://support.microsoft.com/kb/310353
>
> Execute; c:\mcafee\CLEAN.BAT
> { or Double-click on 'Clean Link' in c:\mcafee }
>
> A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
> end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
> It is suggested that you move the report out of c:\mcafee before performing another scan.
> It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
> report for each session.
>
>
> * * * Please report back your results * * *
>
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

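The firewall observation in the post above (one program, one destination, almost 1000 blocked attempts in a few minutes) is the signature of a beaconing implant, and it can be pulled out of a log mechanically rather than by eye. The following is an added example for this thread, not ZoneAlarm's real log format or any tool used in it: it parses log lines in a constructed `timestamp program -> destination` layout and flags any program/destination pair that makes 20 or more attempts inside any 60-second span. The threshold, window and sample lines are assumptions; the program path and destination host come from the post.

```python
"""Flag beaconing programs in a personal-firewall log.

Added example for this thread; the log layout is constructed and is not
ZoneAlarm's real format. Each line is assumed to look like
    YYYY-MM-DD HH:MM:SS <program path> -> <destination host>
and a program/destination pair is flagged when it makes at least THRESHOLD
blocked outbound attempts within any WINDOW-long span.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log layout: timestamp, program path (may contain spaces), arrow, host.
LINE_RE = re.compile(r"^(\S+ \S+) (.+?) -> (\S+)$")
THRESHOLD = 20                  # attempts within one window (assumed cut-off)
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Return (timestamp, program, destination), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2).lower(), m.group(3).lower()


def find_beacons(lines, threshold=THRESHOLD, window=WINDOW):
    """Map (program, destination) -> peak attempts seen inside one window,
    for every pair whose peak reaches the threshold."""
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip headers, blank or malformed lines
            continue
        ts, program, dest = parsed
        attempts[(program, dest)].append(ts)

    flagged = {}
    for key, times in attempts.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):       # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def build_sample_log():
    """Constructed log: one program retrying every 2 s for 3 minutes, plus
    ordinary browsing and a header line that does not parse."""
    base = datetime(2005, 7, 9, 23, 0, 0)
    lines = ["Firewall log, constructed for this example"]
    for i in range(90):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} c:\\windows\\system32\\winsci.exe -> l33t.freeshellz.org")
    for i in range(5):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} c:\\program files\\internet explorer\\iexplore.exe -> www.microsoft.com")
    return lines


if __name__ == "__main__":
    for (program, dest), peak in find_beacons(build_sample_log()).items():
        print(f"{program} -> {dest}: {peak} attempts within {WINDOW.seconds}s")
```

The browser's five attempts over two minutes never reach the threshold, while the implant's retry loop peaks at 31 attempts in a single minute; the program path in the flagged key is what you would then hand to the scanner and submit for analysis.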
David H. Lipman
07-09-2005, 11:48 PM
From: "shuckie69" <shuckie69@discussions.microsoft.com>

| Hi David
|
| Just wanted to let you know that I think I have resolved the problem. I
| managed to connect the PC to the internet via my router using a USB wireless
| adapter and ran a variety of anti-virus scans. AntiVir detected and deleted
| a couple of worms, and ZoneAlarm was stopping c:\windows\system32\winsci.exe
| from connecting to the internet. According to the log it tried to connect
| almost 1000 times in just a few minutes! I ran online scans at
| www.antivirus.com, www.symantec.com and www.mcafee.com. The last one
| detected a worm which was actually this winsci.exe file. I deleted the file
| and I'm no longer getting the connection message re. l33t.freeshellz.org.
| Apart from some minor spyware repeated scans haven't revealed any further
| worms/viruses/trojans (touchwood!).
|
| Many thanks for your help and advice, I will let you know if the problem
| re-occurs when I return the PC to my friends this evening.
|


* I strongly urge you to still perform the following based upon the information you
provided. *

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare } three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. You may have to disable your FireWall or allow FTP.EXE to go through your FireWall
to allow the FTP utility to download the needed files.

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shut down as many applications as possible!
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

shuckie69
07-09-2005, 11:48 PM
Hi David

Why do I need to do this? The machine seems OK now, no indication of
virus/worm/trojan activity. Firewall logs are now clear of any blocked
suspicious outbound detections and several anti-virus scans have been run
(inc. high sensitivity/heuristic analysis-enabled). What will these steps do?


"David H. Lipman" wrote:

> From: "shuckie69" <shuckie69@discussions.microsoft.com>
>
> | Hi David
> |
> | Just wanted to let you know that I think I have resolved the problem. I
> | managed to connect the PC to the internet via my router using a USB wireless
> | adapter and ran a variety of anti-virus scans. AntiVir detected and deleted
> | a couple of worms, and ZoneAlarm was stopping c:\windows\system32\winsci.exe
> | from connecting to the internet. According to the log it tried to connect
> | almost 1000 times in just a few minutes! I ran online scans at
> | www.antivirus.com, www.symantec.com and www.mcafee.com. The last one
> | detected a worm which was actually this winsci.exe file. I deleted the file
> | and I'm no longer getting the connection message re. l33t.freeshellz.org.
> | Apart from some minor spyware repeated scans haven't revealed any further
> | worms/viruses/trojans (touchwood!).
> |
> | Many thanks for your help and advice, I will let you know if the problem
> | re-occurs when I return the PC to my friends this evening.
> |
>
>
> * I strongly urge you to still perform the following based upon the information you
> provided. *
>
> Dump the contents of the IE Temporary Internet Folder cache (TIF)
> Start --> Settings --> Control Panel --> Internet Options --> Delete Files
>
> Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
> Tools --> Options --> Privacy --> Cache --> Clear
>
> Download CLEAN.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/clean.exe
>
> It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
> { http://kixtart.org Kixtart is CareWare } three batch files, two Kixtart scripts, two Link
> (.lnk) files and a PDF instruction file.
>
> GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
> Scanner. You may have to disable your FireWall or allow FTP.EXE to go through your FireWall
> to allow the FTP utility to download the needed files.
>
> CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
> to scan again at a future date, run this batch file. It will automatically check the date
> of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
> signature files and install them before performing the scan.
>
> DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
> you have booted from an Emergency Boot Disk or DOS disk and have already executed;
> c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
> http://www.bootdisk.com/bootdisk.htm
>
> I need you to perform the following...
>
> Execute; CLEAN.EXE
> Choose; Unzip
> Choose; Close
>
> Execute; c:\mcafee\GetFiles.BAT
> { or Double-click on 'GetFiles Link' in c:\mcafee }
>
> Reboot the PC into Safe Mode [F8 key during boot]
>
> Shut down as many applications as possible!
> It would also help for you to read - "How to perform a clean boot in Windows XP"
> http://support.microsoft.com/kb/310353
>
> Execute; c:\mcafee\CLEAN.BAT
> { or Double-click on 'Clean Link' in c:\mcafee }
>
> A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
> end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
> It is suggested that you move the report out of c:\mcafee before performing another scan.
> It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
> report for each session.
>
> * * * Please report back your results * * *
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

David H. Lipman
07-09-2005, 11:48 PM
From: "shuckie69" <shuckie69@discussions.microsoft.com>

| Hi David
|
| Why do I need to do this? The machine seems OK now, no indication of
| virus/worm/trojan activity. Firewall logs are now clear of any blocked
| suspicious outbound detections and several anti-virus scans have been run
| (inc. high sensitivity/heuristic analysis-enabled). What will these steps do?
|

For one you stated --
"...www.mcafee.com. The last one detected a worm which was actually this winsci.exe file.
I deleted the file..."

The web site detects, but does not remove. Often just deleting a file is not enough. The
unidentified worm may have made Registry alterations or other OS alterations and just
deleting a file does not correct the problem.

The McAfee Command Line Scanner I proposed is more effective than the web site and cleans
infectors, not just finds them. It is very aggressive and will find viruses and non-viral
malware. Its aggressive mode is due to it running in Safe Mode, scanning NT Streams,
Archive files, MIME files as well as performing heuristic scanning.

It will make sure the PC is actually clean even though you don't see symptoms.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
