Registry Keys Infected

Discussion in 'Virus and Malware Removal' started by Manjit, Jan 17, 2009.

  1. Manjit Newcomer, in training Posts: 82

    I did the CCleaner scan and it found a huge number of problems; I ran the fix. But HJT found the same files were still there.

    Running VundoFix did not find any problems.

    Attached are the logs requested.

    To remove VundoFix do I have to run a scan again? Or can I just delete it the normal way from Add/Remove Programs?
  2. Manjit Newcomer, in training Posts: 82

    Also just a quick question: if I have Avast and Online Armor installed, do I still need to have Spybot on my system?

    Avast keeps showing that I am being attacked by 'DCOM exploit'. Is this linked to the fact that some of the files have not been removed?

    Once again thanks for your assistance.
  3. Blind Dragon TechSpot Evangelist Posts: 4,048

    No wonder this worm keeps coming back. What's the IP address of the DCOM attacks? Most likely it will resolve to your ISP because another user is infected and that user is attacking other accessible nodes, they probably don't even know they are infected.
    I don't know how much you know about Microsoft history but this vulnerability has been included with Windows since 98 - Just a little history lesson here so you can understand what is happening.

    Many years ago, Microsoft began modularizing Windows and their Windows applications by breaking them into functional components with well-defined, "version safe" interfaces. <- It's a great idea because it could allow pieces of Windows and applications to inter-operate.

    First it was known as OLE, then COM, then ActiveX, then it became distributed with Windows as DCOM (the D is for Distributed) - they did this just to be able to say Windows has a distributed component system built in. <- This may appeal to you if you developed software - probably not - but maybe some developers

    The problem is that it attracts Internet worms and permits your system to be remotely compromised by malicious hackers. It's pointless, your system has already been compromised and though we have removed these files and registry entries they will continue to return -

    Avast has a NetworkShield that detects the worm attacks like Sasser, Blaster, etc. and that is what you are seeing.

    Solutions:
    1) you could reinstall Windows and apply all updates
    2) you could try getting updates from Microsoft to patch the issue
    3) you could try getting a router if you are already up to date

    We can remove this but until the security vulnerability is resolved you will continue to be reinfected.
  4. Manjit Newcomer, in training Posts: 82

    Thanks for your insightful response and your help Blind Dragon.

    Next time the attack appears I'll note the IP address, but having read what you've said I'm not sure that will make much difference.

    In terms of the solutions: in terms of getting updates from Microsoft do you mean searching their website for a patch? Normally I've had automatic updates on for Windows.

    Is getting a router a big step?
  5. Blind Dragon TechSpot Evangelist Posts: 4,048

    1) I would try manually getting updates from www.update.microsoft.com

    2) I would install a router <- yes it's a big step

    3) After you have done that we should try removing those entries again to see if they re-appear

    4) If that doesn't work I would then consider backing up and reinstalling Windows.
  6. LookinAround TechSpot Chancellor Posts: 7,699   +40

    If I could add some info I think might help.... DCOM exploits take advantage of TCP port 135.

    Is your computer on your own Local Area Network? Does it require Remote Procedure Calls (RPC) to any other computer or device you have on your LAN?
    1) I believe one solution is setting your firewall to block all incoming TCP/135 traffic

    2) If that's not practical, a good firewall should at least allow you to restrict incoming traffic by IP address. Thus you can try restricting incoming TCP/135 traffic on every computer on your LAN to only accept TCP/135 traffic from local computers with trusted IP addresses on your own LAN.
  7. Manjit Newcomer, in training Posts: 82

    Blind Dragon
    I've had a look on the Microsoft site; this update seems to match what I have. Should I go ahead and download it?

    http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

    Or is that too simple, will there be a series of patches required?

    LookinAround:
    Erm my computer is not on my own LAN.

    Thanks for your help everybody.

    Actually this seems to be the one:
    http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx

    *Whilst on my laptop earlier today it crashed and I got a blue screen with a page of writing telling me to restart the computer and that a physical memory dump had occurred.
    This bit of technical information I noted: tcpip.sys_Address F429D949 base at F428F000 Datestamp 485699ad
    Is this linked to the DCOM exploit problem? Because today I've noticed I have had no attacks according to Avast. Though the problem files are back according to HJT.
    At the time of this crash I was moving some files to an external Hard Drive.
  8. Blind Dragon TechSpot Evangelist Posts: 4,048

    Sorry for the delay.

    We haven't removed the registry entries and files since you patched it.

    Before doing this - try to update MBAM and run a scan with that; let it remove anything it finds.

    Then post the log here along with the following:

    RSIT
    Download random's system information tool (RSIT) by random/random from here and save it to your Desktop.

    • Double click on RSIT.exe to run.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open.
    • log.txt will be maximized and info.txt will be minimized.
    • Please post the contents of both logs in the next reply.
  9. jobeard TS Ambassador Posts: 12,339   +132

    The suggestion of a ROUTER is very good. In the normal state from the manufacturer, no ports are forwarded, so attacks on the DCOM port 135 from the Internet become impossible.

    Inside your LAN (i.e. devices connected to a router; and yes, even if you only have one system, you should {IMO} get a router),
    File/Print Sharing uses ports 138-139,445 and the firewall(s) need these to be ALLOWed. Port 135 can be allowed too.

    Under no circumstance should you ever port forward from the router ports 135-139,445.
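    As an added illustration of the advice in posts 6 and 9 (not code from the thread or from any tool named in it): a small triage script that reads host-firewall log lines of the kind NetworkShield or a software firewall records, counts hits on the RPC/SMB ports 135-139 and 445 per source address, and separates sources on the local LAN from sources on the Internet. The log format and the sample lines are constructed for the example; the LAN prefix 192.168.1.0/24 is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the thread: DCOM/RPC endpoint mapper (135) and file/print sharing.
RPC_SMB_PORTS = {135, 137, 138, 139, 445}

# Constructed sample of firewall log lines (format assumed, not any real product's).
SAMPLE_LOG = """\
2009-01-17 10:02:11 BLOCK TCP src=82.15.44.120:4571 dst=192.168.1.5:135
2009-01-17 10:02:14 BLOCK TCP src=82.15.44.120:4572 dst=192.168.1.5:135
2009-01-17 10:05:40 BLOCK TCP src=192.168.1.7:1033 dst=192.168.1.5:445
2009-01-17 10:07:02 BLOCK TCP src=203.0.113.9:3388 dst=192.168.1.5:135
2009-01-17 10:09:55 ALLOW TCP src=192.168.1.7:1040 dst=192.168.1.5:139
2009-01-17 10:11:03 BLOCK UDP src=198.51.100.23:1900 dst=192.168.1.5:137
2009-01-17 10:12:30 ALLOW TCP src=203.0.113.9:3390 dst=192.168.1.5:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def triage(log_text, lan=ipaddress.ip_network("192.168.1.0/24")):
    """Per source IP: hit count, target ports and actions, and whether it is inside the LAN."""
    summary = defaultdict(lambda: {"count": 0, "ports": set(), "actions": set(), "on_lan": False})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["dport"] not in RPC_SMB_PORTS:
            continue  # only the RPC/SMB ports matter for this exploit
        e = summary[ev["src"]]
        e["count"] += 1
        e["ports"].add(ev["dport"])
        e["actions"].add(ev["action"])
        e["on_lan"] = ipaddress.ip_address(ev["src"]) in lan
    return dict(summary)

def external_sources(summary):
    """Internet sources reaching RPC/SMB ports: a NAT router with no port forwards should stop these."""
    return sorted((ip for ip, e in summary.items() if not e["on_lan"]), key=ipaddress.ip_address)

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, e in sorted(result.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:16} {'LAN' if e['on_lan'] else 'INTERNET':8} hits={e['count']} "
              f"ports={sorted(e['ports'])} actions={sorted(e['actions'])}")
    print("Internet sources hitting RPC/SMB ports:", external_sources(result))
```

    Any address in the second list that is not on your own LAN is exactly the traffic the router's default (no port forwarding) and a host-firewall rule restricting TCP/135 to local addresses are meant to drop.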
  10. Manjit Newcomer, in training Posts: 82

    Sorry it's taken a while to reply.

    Attached are the logs requested.

    Once again thanks for the assistance.
  11. Blind Dragon TechSpot Evangelist Posts: 4,048

    Ok,

    First go to Start -> Run -> type cmd -> press Enter.
    At the prompt -> type ipconfig /all -> click the icon at the top left -> Edit -> Select All.
    Click the icon again -> Edit -> Copy.

    Paste the log here.

    =======================================

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O20 - Winlogon Notify: fin42u - C:\WINDOWS\
      O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    =================================================

    Go to Start -> Control Panel -> Add/Remove Programs -> uninstall:
    HijackThis

    =================================================

    Please download the OTMoveIt3 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes
      explorer.exe
      
      :Reg
      [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fin42u]
      [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvVPfeE]
      
      :Files
      C:\Program Files\Trend Micro
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    Paste the log from ipconfig and attach here the OTMoveIt log.

    Then I want you to redownload a fresh copy of HijackThis, now that we deleted the backups, and run a fresh scan - attach this new log here as well.
  12. Manjit Newcomer, in training Posts: 82

    Here are the logs requested.
  13. Manjit Newcomer, in training Posts: 82

    Here is a fresh HJT log; it appears that the bad files have been removed. Though I am still getting the DCOM Exploit message from time to time.
  14. jobeard TS Ambassador Posts: 12,339   +132

  15. LookinAround TechSpot Chancellor Posts: 7,699   +40

    The article also makes an excellent point: the network firewall (i.e. router) may not be enough. ALL host computers should be firewalled to protect you from this exploit (which means configuring all computer software firewalls). One example: "email borne" viruses which can get past your router firewall and then infect your LAN. Let us know if you might need any help in configuring your computer's firewall from this exploit.

    I'd also recommend a look here for a tool to also test your current vulnerability.
  16. Manjit Newcomer, in training Posts: 82

    @ LookinAround

    I've used the tool that you recommended, and it stated that port 135 was open. I'm not really sure as to what my next step is. My firewall keeps blocking DCOM Exploit attacks.
  17. mflynn Newcomer, in training Posts: 2,793

    Hi Manjit

    So much in this thread; could you recap what issues are remaining? What do we need to work on?

    Mike
  18. Manjit Newcomer, in training Posts: 82

    Hi Mike,

    Essentially I keep getting the DCOM Exploit message which my firewall is blocking. So I am assuming we need to work on either obtaining a patch for this problem or somehow fixing this problem? From reading the Microsoft document from 'jobeard' I'm a little confused.
  19. LookinAround TechSpot Chancellor Posts: 7,699   +40

    Manjit

    Suggest the very first thing you do is:
    purchase a basic router (which you then put between your computer and the connection to your Internet Service Provider).

    => Check at whatever local store you go to but any of the basic Broadband/LAN/Ethernet routers should also provide your first line-of-defense network firewall as well.
    => IN ADDITION to that, suggest you check Microsoft updates as well
    => AND (IMO, and advised by the MS article) configure each personal firewall on each computer on your LAN to filter TCP/135 traffic as well.

    But you should buy the router (which is also your hardware network firewall) ASAP and add it to your configuration!
  20. mflynn Newcomer, in training Posts: 2,793

    Well if your FW is doing its job by blocking it then you are safe till you do get a router at least.

    My concern is if you have gotten reinfected.

    Since you can't do anything else till you get the router do the below to be sure.

    Open, then update, SuperAntiSpyware.

    Then click Preferences,
    then click Repairs.

    Then, counting down from the top, do the following entries:

    Numbers 6, 8, 11, 12, 13, 15, 18, 19, 20, 21, 22, 24, 25, 26 and 27!

    Then do a Quick scan with SAS!

    Update and do a Quick scan in MBAM.

    Post logs!

    Mike