Trojan Help Follow Up

June 27, 2005 5:07:07 PM

Archived from groups: alt.sys.pc-clone.dell (More info?)

Thanks to everyone for their suggestions and/or comments. The
"Band-Aid" I am using now is Zone Alarm. Norton's AV had been
compromised so I un-installed and then re-installed it. Between ZA,
Norton's, Spy Sweeper, and HiJackthis I have had no more alerts that
files were trying to register themselves on start up and can find no
more spyware or trojans. But what I have found are a couple of files
in my \system32 directory that look suspect. I have "googled" them
and cannot find any information about them. I tried deleting them
but cannot. Does anyone know if the following files are legit?

C:\WINDOWS\system32\dksshlex.dll

C:\WINDOWS\system32\sumsg.dll

Also, how does one go about deleting files that Windows will not allow
you to delete? And is there a way to force a "process" to stop? I
understand I could force a crash if I stop the wrong process but would
like to be able to stop certain things from running.

Lastly, does anyone know how to run Norton's AV in safe mode? Though
it says to scan your system in safe mode when you suspect
troubles, it won't run. GG Symantec! LOL!

Thanks!

Mike


Anonymous
June 27, 2005 5:07:08 PM

Mike wrote:
> Thanks to everyone for their suggestions and/or comments. The
> "Band-Aid" I am using now is Zone Alarm. Norton's AV had been
> compromised so I un-installed and then re-installed it. Between ZA,
> Norton's, Spy Sweeper, and HiJackthis I have had no more alerts that
> files were trying to register themselves on start up and can find no
> more spyware or trojans. But what I have found are a couple of files
> in my \system32 directory that look suspect. I have "googled" them
> and cannot find any information about them. I tried deleting them
> but cannot. Does anyone know if the following files are legit?

> C:\WINDOWS\system32\dksshlex.dll

> C:\WINDOWS\system32\sumsg.dll

> Also, how does one go about deleting files that Windows will not allow
> you to delete? And is there a way to force a "process" to stop? I
> understand I could force a crash if I stop the wrong process but would
> like to be able to stop certain things from running.

> Lastly, does anyone know how to run Norton's AV in safe mode? Though
> it says to scan your system in safe mode when you suspect
> troubles, it won't run. GG Symantec! LOL!

When you reboot, tap the F8 key a few times before Windows loads. You'll see
the safe mode prompt there.

This answers your last few questions. In safe mode the bad guys don't start
up. Last week I cleaned an XP system that someone brought home from college.
My approach is to install ad-aware and spybot. I update these programs, and
also update the a/v program that is installed. Even though the system had an
enterprise package installed by the school, it could not stop or remove
several infections. My solution was to install AVG. I rebooted to safe mode
and ran ad-aware, spybot, and avg. It took most of an afternoon to clean
everything out. I installed zone-alarm too, to make sure I found all
processes that are sending out requests.

Here is the Symantec page to get you to the safe mode instructions. A lot more
detail than you need, but nice-to-know info.

http://tinyurl.com/pfca

Ed
Anonymous
June 27, 2005 6:45:20 PM

I'm with Ed regarding the use of Ad-Aware and Spybot to do cleanup of a system.
If neither of them (when updated with latest definitions) removes the cited
files, boot your system in safe mode and remove them manually. It might also be
useful to examine the properties of these DLLs. Legitimate DLLs installed in
the system32 folder always identify the "owner" who developed them. Some of
them, even though spyware or adware, still identify the company that developed
them. Others have no identification whatsoever, a tipoff that they are up to no
good.

I am a belt and suspenders type of person. I have Zone Alarm installed on all
computers here in back of a router with NAT. Zone Alarm, unlike Microsoft's
cheap and sleazy SP2 firewall, lets you know when some program unexpectedly
tries to reach out to the internet. Sometimes, as when installing a software
update, the outbound access is expected and there is a cause (install of new
software) and effect (internet access requested) relationship. But if a program
tries to access the internet out of the blue and Zone Alarm catches it, this
could be a warning of something insidious going on in a computer.

The Microsoft apologists need not flame me for noting the inadequacy of
Microsoft's own software firewall. The inadequacy has been cited by most every
industry analyst, computer trade rag writer, and even mainstream computer
writers like John Markoff. Given the inadequacy of Microsoft's own software
security in Windows, IE, Outlook, etc., it is not too hard to imagine the
possibility of some rogue software sneaking in through yet another Microsoft
security hole, then attempting to do its dastardly deed on the internet.
Microsoft's lame firewall simply is not designed to catch this sort of problem.

.... Ben Myers

On Mon, 27 Jun 2005 13:07:07 GMT, Mike <Mike@home.com> wrote:

>Thanks to everyone for their suggestions and/or comments. The
>"Band-Aid" I am using now is Zone Alarm. Norton's AV had been
>compromised so I un-installed and then re-installed it. Between ZA,
>Norton's, Spy Sweeper, and HiJackthis I have had no more alerts that
>files were trying to register themselves on start up and can find no
>more spyware or trojans. But what I have found are a couple of files
>in my \system32 directory that look suspect. I have "googled" them
>and cannot find any information about them. I tried deleting them
>but cannot. Does anyone know if the following files are legit?
>
>C:\WINDOWS\system32\dksshlex.dll
>
>C:\WINDOWS\system32\sumsg.dll
>
>Also, how does one go about deleting files that Windows will not allow
>you to delete? And is there a way to force a "process" to stop? I
>understand I could force a crash if I stop the wrong process but would
>like to be able to stop certain things from running.
>
>Lastly, does anyone know how to run Norton's AV in safe mode? Though
>it says to scan your system in safe mode when you suspect
>troubles, it won't run. GG Symantec! LOL!
>
>Thanks!
>
>Mike
June 27, 2005 9:13:04 PM

On Mon, 27 Jun 2005 09:48:41 -0400, "Ed Wurster" <glass_net@gmail.com>
wrote:

>When you reboot, tap the F8 key a few times before Windows loads. You'll see
>the safe mode prompt there.

Ed, I can get into Safe Mode, but when I run Norton's AV when in
Safe Mode, I get this message ... "Symantec Integrator has
encountered a problem and needs to close now". So much for a scan in
Safe Mode!

Even though all scans from all my spybot/adware/antivirus software
come back reporting that I am clean, I am still finding mystery .DLLs in my
windows\system32 directory. What I have noticed is that each new file
is the exact same size, 408KB, though each one will have a different
name, and new such files will appear in this directory after each
reboot. I cannot delete 2 of these files. I have tried Killbox,
deleting from the command prompt in Safe Mode, shift-del, etc. I did
use the Clean Me! and got rid of 3.0 Gigs of trash in my temp dirs!
LOL!

So my question is this ... how do I find what is creating these
mystery .DLLs and how do I delete them? So far I have used and am
booting with the following turned on ...

Spy Sweeper
Norton's IS
Zone Alarm

.... and I am showing as being clean by all the above plus ...

Lavasoft Ad-aware
Spybot Search and Destroy

Thanks again for the input.

Mike
Anonymous
June 27, 2005 10:44:06 PM

Mike,

No matter how up to date Spybot, Ad-Aware, NAV, Microsoft anti-spyware, etc.
are, there will almost always be the "mystery" DLLs, because the purveyors of
all this rotware move a little faster than the good software packages that
combat them. My advice is to boot in safe mode, rename the "mystery" DLLs with
another extension (e.g. DXX), reboot, and look for potential side effects. If
the system behaves curiously or emits error messages due to "missing" DLLs, you
can always rename them back again.

I have had to do some really aggressive cleaning out of the system32 folder for
clients when the packages don't do a complete job. Your best bet is to sort the
folder by newest date first. Then look for clusters of files all installed at
the same time, possibly the same time when the system began showing ill effects.

Also, whether it is a Windows update, NAV update, or update of some other software
that gets into the knickers of the operating system, any and all updates should
be done with the assurance that the system is 99.999% free of trojans, worms,
and the like. If there are still worms and trojans lurking, an update can go
awry, or, worse yet, really hose up a system... Ben Myers

On Mon, 27 Jun 2005 17:13:04 GMT, Mike <Mike@home.com> wrote:

>On Mon, 27 Jun 2005 09:48:41 -0400, "Ed Wurster" <glass_net@gmail.com>
>wrote:
>
>
>>When you reboot, tap the F8 key a few times before Windows loads. You'll see
>>the safe mode prompt there.
>
>Ed, I can get into Safe Mode, but when I run Norton's AV when in
>Safe Mode, I get this message ... "Symantec Integrator has
>encountered a problem and needs to close now". So much for a scan in
>Safe Mode!
>
>Even though all scans from all my spybot/adware/antivirus software
>come back reporting that I am clean, I am still finding mystery .DLLs in my
>windows\system32 directory. What I have noticed is that each new file
>is the exact same size, 408KB, though each one will have a different
>name, and new such files will appear in this directory after each
>reboot. I cannot delete 2 of these files. I have tried Killbox,
>deleting from the command prompt in Safe Mode, shift-del, etc. I did
>use the Clean Me! and got rid of 3.0 Gigs of trash in my temp dirs!
>LOL!
>
>So my question is this ... how do I find what is creating these
>mystery .DLLs and how do I delete them? So far I have used and am
>booting with the following turned on ...
>
>Spy Sweeper
>Norton's IS
>Zone Alarm
>
>... and I am showing as being clean by all the above plus ...
>
>Lavasoft Ad-aware
>Spybot Search and Destroy
>
>Thanks again for the input.
>
>Mike
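A scripted version of the triage Ben describes in his two replies (check who "owns" a DLL in its properties; sort system32 newest-first and look for clusters written at the same time; rename rather than delete so the change is reversible) together with the size pattern Mike noticed (several new files of identical size), written as an added example. It is not code from the thread or from any product named in it. It assumes PowerShell 3 or later in an elevated prompt on the affected machine; the $System32 and $RecentDays parameters, the function names and the Authenticode check are the example's own, and the .DXX extension is Ben's suggestion.

```powershell
<#
 Added example, not code from the thread or from any product named in it.
 Triage of %SystemRoot%\System32 along the lines Ben Myers describes:
   - read each DLL's version info (CompanyName is the "owner" he means) and
     its Authenticode signature; no identification at all is the tip-off
   - sort newest first and look for clusters written within the same minute
   - group identical sizes, the pattern Mike reports (several 408 KB files)
 The rename/restore helpers implement his "rename to .DXX, reboot, watch
 for side effects" step and are meant to be run from Safe Mode.
 Assumptions (not from the thread): PowerShell 3+, an elevated prompt, and
 the parameter values below.
#>
param(
    [string]$System32 = (Join-Path $env:SystemRoot 'System32'),
    [int]$RecentDays = 7
)

function Get-DllInventory {
    param([string]$Folder)
    Get-ChildItem -Path $Folder -Filter '*.dll' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name          = $_.Name
                Bytes         = $_.Length
                LastWriteTime = $_.LastWriteTime
                Company       = $_.VersionInfo.CompanyName
                Description   = $_.VersionInfo.FileDescription
                Signature     = $sig.Status   # Valid, NotSigned, HashMismatch, ...
            }
        }
}

$dlls = Get-DllInventory -Folder $System32

# Ben's first test: legitimate DLLs identify their owner. An empty company
# string combined with no valid signature is "no identification whatsoever".
$unidentified = $dlls | Where-Object {
    [string]::IsNullOrWhiteSpace($_.Company) -and $_.Signature -ne 'Valid'
}

# Ben's second test: newest first, then clusters written in the same minute,
# which is the footprint a single installer (or infection) leaves behind.
$cutoff   = (Get-Date).AddDays(-$RecentDays)
$clusters = $dlls |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    Group-Object { $_.LastWriteTime.ToString('yyyy-MM-dd HH:mm') } |
    Where-Object { $_.Count -ge 2 } |
    Sort-Object Name -Descending

# Mike's observation: several new files of exactly the same size under
# different names. Restricted to unidentified files so that sizes shared by
# legitimate system DLLs do not drown the signal.
$sameSize = $unidentified | Group-Object Bytes | Where-Object { $_.Count -ge 2 }

"== Unidentified DLLs (no company string, no valid signature) =="
$unidentified | Sort-Object LastWriteTime -Descending |
    Format-Table Name, Bytes, LastWriteTime, Signature -AutoSize

"== DLLs written within the same minute (last $RecentDays days) =="
foreach ($c in $clusters) {
    "{0}: {1}" -f $c.Name, (($c.Group | ForEach-Object Name) -join ', ')
}

"== Unidentified DLLs sharing an identical size =="
foreach ($g in $sameSize) {
    "{0} bytes ({1:N0} KB): {2}" -f $g.Name, ([long]$g.Name / 1KB),
        (($g.Group | ForEach-Object Name) -join ', ')
}

# Ben's reversible quarantine: rename instead of deleting, reboot, watch for
# "missing DLL" errors, and rename back if something legitimate breaks.
function Disable-SuspectDll {
    param([Parameter(Mandatory)][string]$Path)   # full path of the .dll
    Rename-Item -Path $Path -NewName ([IO.Path]::GetFileName([IO.Path]::ChangeExtension($Path, '.DXX')))
}
function Restore-SuspectDll {
    param([Parameter(Mandatory)][string]$Path)   # full path of the .DXX
    Rename-Item -Path $Path -NewName ([IO.Path]::GetFileName([IO.Path]::ChangeExtension($Path, '.dll')))
}
```

Save it under any name you like (say Triage-System32.ps1, a name chosen for this example) and run it from an elevated prompt; expect it to take a while, because Get-AuthenticodeSignature is called once per DLL. Two caveats that follow from the thread's own reasoning: on older Windows versions many genuine system DLLs are catalog-signed rather than signed in the file itself and so report NotSigned, which is why the script only flags a file when the company string is missing as well; and, as Ben notes, some adware does name its company, so the report is a triage list to investigate in Safe Mode, not a verdict.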
Anonymous
June 28, 2005 1:01:57 AM

Mike <Mike@home.com> wrote:
>is the exact same size, 408KB, though each one will have a different
>name, and new such files will appear in this directory after each
>reboot. I cannot delete 2 of these files.

This definitely smells of malware. I dunno if it's easy for you, but
removing the disk, putting it in another computer, and removing the
offending files works for me in those kinds of situations.

Also, you don't seem to have tried Microsoft's AntiSpyware, which
(despite being from the Evil Empire) does a pretty good job. I'd also
try McAfee, maybe even FreeScan, but maybe that's just me...
Anonymous
June 28, 2005 1:07:35 AM

"Mike" <Mike@home.com> wrote in message
news:uduvb1ppr6akq4vte21k3tsecf646lpqqs@4ax.com...

> C:\WINDOWS\system32\dksshlex.dll
This does not show up in any search engine, but neither is it listed by
Symantec as being a virus. Do a properties check on it to see who the author
is.

> C:\WINDOWS\system32\sumsg.dll
This is used by SUperior SU. This is a: "utility for Windows NT (versions
3.51 and 4), Windows 2000, Windows XP and Windows 2003 Server, that is not
only a traditional SU utility but also a powerful desktop switcher utility
that allows for running multiple shells on different desktops on behalf of
different users. Smell the Unix-like power of a quasi-multisession
environment on a Windows NT-based Workstation or Server and download and
install SUperior SU! "
Anonymous
June 28, 2005 2:02:29 AM

> The Microsoft apologists need not flame me for noting the inadequacy of
> Microsoft's own software firewall.

If they knew how to write an OS, they wouldn't need to buy anti-virus and
anti-spyware companies.

--
Please add "[newsgroup]" in the subject of any personal replies via email
--- My new email address has "ngspamtrap" & @btinternet.com in it ;-) ---
Anonymous
June 28, 2005 2:26:20 AM

Yes! Can you dig it! ... Ben Myers

On Mon, 27 Jun 2005 22:02:29 +0100, Colin Wilson <void@btinternet.com> wrote:

>> The Microsoft apologists need not flame me for noting the inadequacy of
>> Microsoft's own software firewall.
>
>If they knew how to write an OS, they wouldn't need to buy anti-virus and
>anti-spyware companies.
>
>--
>Please add "[newsgroup]" in the subject of any personal replies via email
>--- My new email address has "ngspamtrap" & @btinternet.com in it ;-) ---
June 28, 2005 12:11:04 PM

On Mon, 27 Jun 2005 21:01:57 -0400, William P. N. Smith wrote:

>Mike <Mike@home.com> wrote:
>>is the exact same size, 408KB, though each one will have a different
>>name, and new such files will appear in this directory after each
>>reboot. I cannot delete 2 of these files.
>
>This definitely smells of malware. I dunno if it's easy for you, but
>removing the disk, putting it in another computer, and removing the
>offending files works for me in those kinds of situations.
>
>Also, you don't seem to have tried Microsoft's AntiSpyware, which
>(despite being from the Evil Empire) does a pretty good job. I'd also
>try McAfee, maybe even FreeScan, but maybe that's just me...

I figured I would give MS Antispyware a shot. But for some reason it
says I do not have an authorized version of Windows so won't download.
That is odd seeing how this is the OS Dell installed on my computer
and I have the Windows CD in hand. Strange.

Mike
Anonymous
June 28, 2005 12:18:35 PM

Mike <Mike@home.com> wrote:
>I figured I would give MS Antispyware a shot. But for some reason it
>says I do not have an authorized version of Windows so won't download.
>That is odd seeing how this is the OS Dell installed on my computer
>and I have the Windows CD in hand. Strange.

When you do the Windows Validation thing, does it ask you for the
license key on the machine? There's a way to straighten this out, and
you probably want to _before_ they start requiring it for Windows
Updates and such...
Anonymous
June 28, 2005 12:18:36 PM

<William P. N. Smith> wrote in message
news:1nf2c1hpo2bj847um4preefvllb33ubccl@4ax.com...
> Mike <Mike@home.com> wrote:
>>I figured I would give MS Antispyware a shot. But for some reason it
>>says I do not have an authorized version of Windows so won't download.
>>That is odd seeing how this is the OS Dell installed on my computer
>>and I have the Windows CD in hand. Strange.
>
> When you do the Windows Validation thing, does it ask you for the
> license key on the machine? There's a way to straighten this out, and
> you probably want to _before_ they start requiring it for Windows
> Updates and such...
>

You either have to validate using the product key on the system case -OR-
use the 'alternative validation method', which requires one to install an
ActiveX utility for the site; you can then proceed to the next page and
enter the brand of the computer and from whom it was purchased in the
fields. Once done, a 5-digit key is produced on the next page to be
manually entered. THEN, it can be downloaded and installed.

The one kicker in this (which may be the poster's problem) is that SP2
blocks the pop-up/install of the ActiveX control, and you have to manually
allow it from the SP2/IE6 information bar at the time - at the top of the
browser window.


Stew