lexback.exe 'downloader trojan'

Cluttermagnet

Exit Poll Results

Our pollsters now predict with a high level of confidence that "Internet Explorer Uploader" (lexback.exe, etc.) has defeated clutter by a wide margin, with 73 percent of precincts reporting. Voters leaving the polls said they never gave clutter a chance in this race. lexbac is known to be evil, clever, and diabolical, and his opponent "never had a prayer". Film at eleven...

Well, I was winning for a while, even got Spybot S&D and Ad-Aware to run through to completion. I installed Spy Sweeper and ran it, too. All it found was some smart tags and Alexa. I let it take care of the smart tags. I thought Spybot or Ad-Aware had already dealt with Alexa, so I treated that one as a false positive and ignored it. Keylogger Hunter did produce the interesting result that it suspected keylogger activity, and makes reference to c:\windows\system32\config\default.log. I was never able to get a look at that log, however, as something seemed to be active and hogging it. Hmmmmm...

Oh, and the latest version of CWShredder ran uneventfully and did not find any incidences of the browser hijacks it looks for. Clean bill of health in that one area.

The most interesting event of the evening was to burrow down into msconfig and see that one startup process was called "Ü*†" without the quotes, of course, and the asterisk figure was actually a box, but I can't get it to encode in this composition window for some reason. So my little umlaut-box-cross beastie was disabled in msconfig and later, for some still hazy reason, was awkwardly re-enabled by yours truly, and then eventually at some point any reference to it in the msconfig startup group had disappeared. So clearly this little beastie can morph and hide when warned.

Perhaps my greatest weakness is that I didn't even attempt to find/read/delete any relevant registry entries, and that alone was probably my undoing.

What I saw as the evening progressed was that NAV was never, ever permitted to run through to completion before XP got crashed, and then S&D and I think even Ad-Aware once again started crashing prior to completion, representing considerable loss of overall yardage. FWIW, removing lexbac.exe from system32 was easily accomplished and I never saw it return.

This definitely looks like a wash. Well prepared though I was (I was really not lacking for any software I needed on my CDs), I just wasn't up to the task due to my inexperience. I have been very, very good at dodging the bullet myself, having never gone through these horrors personally, but I really don't have enough experience with these things. I figure Rich had it basically right when he pointed out that it is cheapest in the long run to just start from scratch. I do wish he would return and explain his comment about

a complete wipe by using the hard disk manufacturer's utility disk.

I think he might have misspoken and might really mean the "computer manufacturer's" utility disk instead. Say, like one from Dell that has XP all set up along with lots of trash and spyware from sweetheart deals, etc. Certainly we do not need to do a low-level reformat in a situation like this, or do we? I wish someone would clarify. I would assume one does the XP equivalent of fdisk and format c: and that should do it.

So I will have a little heart-to-heart with my friend and remind him that this is entirely self-inflicted and I did not do it to him, and that starting from scratch would probably be our only safe and sure next move. Death to all trojans! I will offer him the 98SE option but point out its shortcomings. If he wants to stick with XP, he can bring me the CD and I will take it from there. It would be my first ever XP install. I would also gently remind him of my limitations and point out that he could take his machine to the local discounter, buy the OS, and have them do the install. Might be cheaper than me. :)

Bah Humbug! It took me four days to get back over there after giving him some driving lessons, but he had trashed it within an hour and a half after I left. I'm going to ask him straight out what he was doing, that I want the truth. In a polite and subtle way, of course. I strongly suspect he lit out for the porn sites soon after I was out the door. Running IE and AOL. Siiiighhhhh!!!

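The odd startup item seen in msconfig and the lexback.exe sitting in system32 are exactly what an export of the Run keys would show, and the post above admits that the registry was never examined. The following is an added example, not code from this thread or from any of the tools named in it: it reads a Regedit text export (assumed to be already decoded to a string; real exports are UTF-16) of the HKLM and HKCU Run keys and flags any entry whose value name contains non-ASCII or control characters, or which launches an executable carrying one of the two names this thread gives the downloader. The embedded .reg text is constructed for the example; the box character in the reported name is left out because it did not survive the forum post either.

```python
"""Audit an exported Run-key .reg file for suspicious auto-start entries.

Added example, not code from the forum thread. Assumes a Regedit
File > Export text with "Name"="Data" lines under [HKEY_...\Run]
headers; the sample below is constructed, not taken from the machine.
"""
import re
from typing import List, Tuple

# Constructed sample: three ordinary entries plus one startup item whose
# name is non-ASCII and whose target is an executable dropped in system32.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"Ü†"="C:\\WINDOWS\\system32\\lexback.exe"
"AOL Fast Start"="\"C:\\Program Files\\America Online 9.0\\AOL.EXE\" -b"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="data" with the .reg escaping rules: \\ for backslash, \" for quote.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

# Both spellings used in this thread for the downloader's file name.
KNOWN_BAD_EXES = {"lexback.exe", "lexbac.exe"}


def unescape(s: str) -> str:
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)


def first_executable(command: str) -> str:
    """Lower-cased basename of the program a Run value launches."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        program = command[1:end] if end > 0 else command[1:]
    else:
        parts = command.split()
        program = parts[0] if parts else ""
    return program.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_reasons(name: str, data: str) -> List[str]:
    """Return the reasons an entry looks wrong; empty list means clean."""
    reasons = []
    if not name or any(not (0x20 <= ord(c) <= 0x7E) for c in name):
        reasons.append("value name is empty or contains non-ASCII/control characters")
    if first_executable(data) in KNOWN_BAD_EXES:
        reasons.append("launches an executable named in this thread as the downloader")
    return reasons


def audit_run_keys(reg_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Walk the export and return (key, name, data, reasons) for flagged entries."""
    findings = []
    key = ""
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        # Only look inside Run / RunOnce keys.
        if key.rsplit("\\", 1)[-1].lower() not in ("run", "runonce"):
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = unescape(m.group("name"))
        data = unescape(m.group("data"))
        reasons = suspicious_reasons(name, data)
        if reasons:
            findings.append((key, name, data, reasons))
    return findings


if __name__ == "__main__":
    for key, name, data, reasons in audit_run_keys(SAMPLE_REG):
        print(f"[{key}]\n  {name!r} -> {data}\n  " + "; ".join(reasons))
```

The export is made on the infected box with Regedit (File > Export on each Run key) or `reg export`, and carried off on floppy or CD; the audit itself runs on a clean machine, which matters when the trojan is crashing every scanner that gets near it.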
Cluttermagnet

I just want to add my thanks for all the great help with this problem. I found Nathan's comments about taming XP to be very helpful, and I applied several of them. My XP must be a little different than his, however, as I never did see any obvious way to make the change to 'Detail View' in Explorer 'stick'. All I could figure out was how to change them more to my liking on a per-session basis.

Fran had several great posts. The long one I copied to a text file after downloading things she had recommended left and right. There was some great stuff in that list. So I took her post with me on CD as my main battle plan. I found the beastie had not broken any networking, and only dialup is in use anyway with this box, but I had the repair utility with me had I needed it. Yikes! An enlightening experience, overall. It sure is a lot easier to dodge trojans than to remove them!

BTW if anyone is even remotely interested, I have a couple of logs I'd be more than happy to share. One is from HijackThis and the other is a copy of the report from one of the sniffer utilities, but I forget which at the moment. It has been a long day.

LilBambi

Cluttermagnet,

So glad the items came in handy! :)

So, as far as you know, you were able to get it all? Everything back to normal? XP running fast again?

I would love to see the HijackThis and other logs. Can you PM them to me?

Cluttermagnet
Cluttermagnet,

So glad the items came in handy! :)

So, as far as you know, you were able to get it all? Everything back to normal? XP running fast again?

I would love to see the HijackThis and other logs. Can you PM them to me?

Sadly, no, Fran. In fact, my confidence level is probably lower than ever now. I have essentially come to accept Rich's suggestion to wipe the HD and start off fresh. I will PM those logs to you later this evening after I return. No firm decision yet as to which way we go. I should know that by some time tomorrow. I did see a few unwanted but mainly not too toxic parasites, such as the hitbox spy, some Google toolbar thing, and so on. A touch of Alexa, etc. But nothing as stubborn and elusive as what killed him on Feb 7th.

I think this beastie is intelligent enough to detect near-misses that fail to kill off certain of its components. It probably then adaptively renames and moves things around. I'm not up to what it would take to completely purge this crap, but as I say, death to all trojans! So suicide also kills the trojan, a Pyrrhic victory of sorts ("everybody got killed but we won"). BTW I did get a sort of nebulous positive from the Keylogger utility: it thinks it sniffs a keylogger. I have therefore told my friend to consider all to be compromised, to check soon and often with his credit card company for any sudden bursts of activity, and to not connect to the net under any circumstances until further notice.

I will discuss his needs re: file saving, though it is a stinking situation. I think the virus killed his A: drive. I saw it work on 7 Feb; it has never worked since. Windows thinks it is working, but it always protests that there is no disk in the drive. Wrong. I have never seen a drive activity light since 7 Feb. Think about it: A: drive, rescue disks, etc. He has no CD burner. Hopefully not a whole lot on there anyway. So far as I know, only a few resume copies, and the originals are sourced separately from another machine anyway. What a steenkin' mess! FWIW this looks to be a ~98 AMD machine, about 550MHz, and his son ran it hard for years with online gaming, ICQ, and such. Don't know about XP getting on there, how and when.

Let's just say it is probably going to be easier and cheaper to let it rewrite itself a brand new registry. If I were to save drivers, I have no idea at this point how I would move them off of his drive. Need to think about all that, run Belarc and Aida again. I could suggest he buy, say, a 128M 'thumbdrive' type USB module and get some stuff out that way. Scanning all files wherever I move them, of course.

I will lay out all the options for him and get his decision. I think it is probably just a waste of my time as an inexperienced virus killer to try to beat this thing at its own game, although I suspect that its removal is probably not too far above my present 'pay grade'. But who could ever trust that machine again, knowing what we now know? Not without a controlled burn of the whole darned forest (scrub the HD). <_<

BTW, Windows never seemed to be running particularly slow, considering there is only 256M RAM on the mobo. You heard a bit more head thrash because of real bad fragmentation, but after defrag, still about the same speed. Remember, this beastie is intentionally not taking much of a chomp out of resources. It is trying to burrow deep and hide. The only giveaway is the vector for the virus: a very obvious new icon sitting on his desktop on Feb 11th. That was really stupid, in my estimation, but that is what the original dialer parasite does. I think I might otherwise never have been tipped off unless I had decided to make some additional dialup icons to dial some other local numbers. I would then have noticed the third dialup setup, which was clearly neither AOL nor 'mine' (the second ISP). The dialup it links to is obviously 'semi-stealthy' in nature, as it had the box unchecked that would pop up the connection dialog window and tip off any user present at the time. OTOH there might still have been the sound of the dialout and handshake. It was set up with a 3-digit number, BTW, rather than the usual 10-digit 'number plus area code'.

Obviously the trojan would supply the 'real' number to dial, as "049" does not connect me anywhere on my local phone network, so far as I know.

Fran, you must have only read the last of my previous posts, the one with thanks to various folks. Scroll one up and read the longer one for an indication of where I was left Sunday night. Come on, you know how long-winded I am. Do you really think I could limit myself to a single post and not much more than a couple hundred words? ;)

nlinecomputers
I just want to add my thanks for all the great help with this problem. I found Nathan's comments about taming XP to be very helpful, and I applied several of them. My XP must be a little different than his, however, as I never did see any obvious way to make the change to 'Detail View' in Explorer 'stick'. All I could figure out was how to change them more to my liking on a per-session basis.

Open Explorer and get the window view set up like you like it, with a detail list. Then hit Tools, then Folder Options, and then hit the View tab. There is a big button near the top in the "Folder Views" section that says "Apply to all Folders". Click that and ALL FOLDERS will be set for the same view as your current folder is set at.

LilBambi

You are right! Sorry, I did only notice the last posting you had ... I did think it was a bit short for you. B)

Sorry to hear the results, but they were not unexpected really.

If what Nathan said about the folder view doesn't help in this case ...

I would use Belarc and Aida to determine what drivers you need. Go get them on your computer and burn them to CD to use as needed.

Don't forget there are some things that many have fought and lost. It is not just inexperience in fighting these things. Sometimes knowing when to quit is the better part of valor. ;) And don't forget, regardless, your friend will be much better off starting fresh anyway.

BTW: If the printer driver still works, you could always try to print any resumes etc. before nuking the drive so he at least has a printout of them. But I wouldn't try to get anything off that drive. You never know what else you might get along with it at this point.

IMHO, from the things you are saying, NOTHING on that drive should be trusted.

You might want to try to boot to Knoppix and nuke the drive from within Linux and remove the partition(s). Then see if the floppy will light on boot (if not, try another floppy drive ... maybe Murphy's Law was just in full swing LOL!) and if you can get it to boot from floppy, then boot with a DOS startup disk (made on another computer) to repartition and format c: /u ... just to be safe (unless they have used something to mess with the BIOS).

If that succeeds, then use the WinXP install CD to install XP and let it repartition and reformat it NTFS. (If it is an upgrade disk, they will need their qualifying product disk, or you may have to put a small nominal installation on the drive for it to find.)

Good luck!

nlinecomputers

Hey, some battles are lost in the fight. I've got a ME box on my bench that I'm about to do the flush'n'install on because viruses, spyware, and STUPID advice from AOL ("Hey, your machine is running too many applications on startup. Delete everything in your start menu and it will run much faster." Maybe they meant startup menu?) killed it. Sometimes the damage is too great.

Rons

CM: Good point - how could you trust the system again?

Nathan: Agree - sometimes the damage is so bad there is only one option left... ;)

Cluttermagnet
BTW so far Trend Micro has stiffed me on any evaluation copy of PC-cillin. I fill out the simple form and submit, they serve a window promising to email me 'soon' with the secret code (URL for evaluation download), and the email never arrives. Despite repeated attempts.

Is it possible that their reply is being filtered as spam before it gets to your inbox? I'm finding this to be a problem from time to time with both of my email accounts since ISPs and email services are trying new ways to combat spam. Has only begun happening to me in the last 6 months or so.

Oh, I had it pretty much figured out within a few minutes. My hunch was confirmed on Sunday when I revisited the trojaned computer. As I see it, it is a problem with poor website design in this regard: I needed the software download 'now', not tomorrow or Sunday or Monday, right now. Well, Trend Micro never bothered to warn me that they were going to email a page with a 'secret URL'. Being the semi-idiot that I am, I assumed they were going to try to actually be helpful. Bzzzzt! Sorry. Wrong. You see, I used the email address of my friend with the computer problems. And it turns out that is exactly where they sent the 'secret URL' email, probably 'soon' as they promised. Well, that did me no good because I was at home and wanted to download things and burn them to CD there. I repeatedly re-applied for the thing using my own email, and they repeatedly ignored me. Of course, a computer with a given ID had just given them two different email addresses and two different user names. I guess it is similar to the MS evil eye as reflected in (forced) 'product registration'. So they assumed the worst about me, I guess, and therefore they did not really honor my request as I see it. I'm going to remember that. Guess whose software will always automatically be eliminated from any initial lists of possibilities. I don't appreciate being treated like that.

For reference, Grisoft AVG distributes a free version 6 of their AV software, and their website is abundantly clear as to what you should expect. Use a 'good' email, of course, because those guys are going to email you a serial number needed to unlock your copy of AVG. The actual download is on-demand and at your convenience, however; you only need the s/n at the time you actually install the software.

Cluttermagnet

Thanks, guys. Everybody continues to be real helpful with their suggestions and I am learning a lot in a hurry. I'm grateful to all! I have an old copy of Knoppix 3.2. Good enough to play around with, but I have not gotten around to trying it so far, and 3.3 has since been released. I'm pretty sure I could fumble my way through looking at Windows files that way, but it seems impractical to try to use that disk to do anything meaningful such as file moves and deletions and messing with partitions.

IMHO, from the things you are saying, NOTHING on that drive should be trusted.
Yep. With IE running, it was "Unsafe At Any Speed", and is now "Untrustworthy For Any Purpose"
You might want to try to boot to Knoppix and nuke the drive from within Linux and remove the partition(s). Then see if the floppy will light on boot (if not, try another floppy drive ... maybe Murphy's Law was just in full swing LOL!) and if you can get it to boot from floppy, then boot with a DOS startup disk (made on another computer) to repartition and format c: /u ... just to be safe (unless they have used something to mess with the BIOS).

If that succeeds, then use the WinXP install CD to install XP and let it repartition and reformat it NTFS. (If it is an upgrade disk, they will need their qualifying product disk, or you may have to put a small nominal installation on the drive for it to find.)

I would need coaching to do anything with the Knoppix CD. This is probably impractical right now. BTW, what does the /u command do to the basic format?

For me, some written notes after running Aida and Belarc might be best. I agree it makes little sense to try to extract and recover actual drivers from the infected machine. Perhaps a few hashes of the various files for possible future reference, but that doesn't really make a lot of sense. I agree the best way is to have a drivers list and go get them from home and burn to CD.

Printing anything is unrealistic. I don't know which, if any, printers are installed, but I do know his HP printer has not been installed on that machine, or at least so I am told. I never got as far as printers.

LilBambi

The /u when you format means 'unconditional' ... no backup of existing FAT (unformat information). Just means to format it unconditionally.

Using fdisk from a DOS bootable floppy with fdisk and format on it will allow you to remove any existing partitions on the hard drive first, and then rebuild them and then format.

Microsoft info on FDISK and FORMAT: How to Use the Fdisk Tool and the Format Tool to Partition or Repartition a Hard Disk

If you need a bootdisk image: http://www.bootdisk.com/

Hopefully when you cold boot, with the BIOS set to boot up from floppy first, it will see it. If not, might want to try another floppy drive (Murphy's Law).

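Fran's plan (boot Knoppix and nuke the drive, then fdisk and format c: /u, then let XP setup repartition) involves two different kinds of operation, and the difference is worth spelling out since the thread asks whether a low-level format is needed. It is not. fdisk and format rewrite the partition table and the file system structures only; the data sectors are left in place, and fdisk's partition removal does not touch the 446 bytes of boot code at the start of the MBR. Zero-filling the whole disk from Linux overwrites every sector, boot code included, which is also what the "write zeros" option on a hard disk manufacturer's utility disk of that period does. The script below is an added example, not from the thread, Knoppix or any of the tools named: it works on an image file instead of a real device so it can be run safely (on a real drive the zero-fill is `dd if=/dev/zero of=/dev/hda bs=1M`, with the device name an assumption to be confirmed with `fdisk -l` first). It builds a constructed image with an MBR, one partition entry and some file data, wipes it, and verifies both that the partition table and 0x55AA signature are gone and that no non-zero byte remains anywhere on the image.

```python
"""Zero-fill a disk image and verify the wipe.

Added example, not code from the forum thread. Works on an image file so
it is safe to run; the sample image is constructed here (fake MBR with one
partition entry, the 0x55AA boot signature and a little file data).
"""
import os
import tempfile

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE = slice(446, 510)  # four 16-byte partition entries


def make_sample_image(path: str, size: int = 64 * 1024) -> None:
    """Write a constructed image: jump stub, one NTFS partition entry, payload."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xeb\x3c\x90"  # a boot sector normally starts with a jump
    # Entry 0: bootable flag, CHS start 1/1/0, type 0x07, CHS end, LBA 63, 100 sectors.
    entry = (bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0x3F, 0x00])
             + (63).to_bytes(4, "little") + (100).to_bytes(4, "little"))
    mbr[446:462] = entry
    mbr[510:512] = MBR_SIGNATURE
    with open(path, "wb") as f:
        f.write(mbr)
        f.write(b"\x00" * (63 * SECTOR - SECTOR))  # gap before the partition
        f.write(b"RESUME.DOC contents would live here " * 40)  # constructed data
        f.truncate(size)


def has_partition_table(path: str) -> bool:
    """True if the first sector carries the boot signature and a non-empty table."""
    with open(path, "rb") as f:
        mbr = f.read(SECTOR)
    return mbr[510:512] == MBR_SIGNATURE and any(mbr[PARTITION_TABLE])


def nonzero_bytes(path: str, chunk: int = 1 << 20) -> int:
    """Count non-zero bytes over the whole image (a full scan, not a sample)."""
    total = 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            total += len(buf) - buf.count(0)
    return total


def wipe_image(path: str, chunk: int = 1 << 20) -> int:
    """Overwrite every byte with zeros, as dd if=/dev/zero would; return bytes written."""
    size = os.path.getsize(path)
    zeros = bytes(chunk)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(chunk, size - written)
            f.write(zeros[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def is_wiped(path: str) -> bool:
    """A wiped image has no partition table and no non-zero byte anywhere."""
    return not has_partition_table(path) and nonzero_bytes(path) == 0


def demo() -> tuple:
    """Build the sample image, wipe it, return the state before and after."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        make_sample_image(path)
        before = (has_partition_table(path), nonzero_bytes(path) > 0, is_wiped(path))
        wipe_image(path)
        after = (has_partition_table(path), nonzero_bytes(path), is_wiped(path))
        return before, after
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

The check that matters after a real wipe is the full scan in nonzero_bytes(): a zeroed first sector is enough for fdisk to report "no partitions", but only the whole-disk scan shows that the old file system, and whatever was hiding in it, is actually gone before XP setup is allowed to repartition.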
Cluttermagnet
The /u when you format means 'unconditional' ... no backup of existing FAT (unformat information). Just means to format it unconditionally.

Using fdisk from a DOS bootable floppy with fdisk and format on it will allow you to remove any existing partitions on the hard drive first, and then rebuild them and then format.

Microsoft info on FDISK and FORMAT: How to Use the Fdisk Tool and the Format Tool to Partition or Repartition a Hard Disk

If you need a bootdisk image: http://www.bootdisk.com/

Hopefully when you cold boot, with the BIOS set to boot up from floppy first, it will see it. If not, might want to try another floppy drive (Murphy's Law).

Thanks, Fran. This leads to one last question. You can make a boot CD using Nero and the simple instructions on the bootdisk.com site. I did that for 98SE. I do know how to set the BIOS to look first in the CD drive. Here's the question: assuming I successfully boot that way and am ready to fdisk and format, does the RAMdisk program have to make repeated reference to some of the other files on the boot disk? What I'm getting at is that at some point after fdisking and formatting, I am going to want to pull the boot CD and put in the Win98SE install CD. Or perhaps an XP install CD. Having booted from the CD drive to begin with, can my little RAMdisk OS handle the transition and allow e:\setup.exe to proceed? Or is it instead going to go look for other files from the boot CD and then freak out when it can't find them?

BTW I am assuming the worst and planning contingencies in case I can't get his floppy to run again. Yeah, could certainly be a worst-case coincidence, but how much you want to bet it is the trojan screwing around? If it's smart enough to shut down XP when you run antispy software and AV software, it certainly must be smart enough to try like heck to prevent you from loading any sort of rescue disk or startup disk in A:

LilBambi

That shouldn't be a problem at all, Cluttermagnet, since the Win98SE and WinXP CDs are also bootable. :rolleyes:
