I need help with this Trojan Horse....please!!

AfterDawn Addict | 11. March 2007 @ 15:15
OK guys, here comes the big test...my son has NEVER run an Antivirus check so I'm going to do one now. Will let you know what happens, Cheers.

bkf (Suspended due to non-functional email address) | 11. March 2007 @ 15:15
I will do that, and you can see I'm no dummy; I can spend 24/365 on the effort. My words might be a bit different, like "Trigger", but you know what I mean.

bkf (Suspended due to non-functional email address) | 11. March 2007 @ 15:18
Gwen, you're killing us. No matter what, we fight to win! A motto of a group I still need to join.
My spelling still sucks. Does that count?
Bring it on, Grew. We live to WIN.
Reason I read every log that was ever posted :-)
This message has been edited since posting. Last time this message was edited on 11. March 2007 @ 15:23

bkf (Suspended due to non-functional email address) | 11. March 2007 @ 15:31
I will request a join tomorrow, Kota.

bkf (Suspended due to non-functional email address) | 11. March 2007 @ 15:48
I requested to join; why wait till tomorrow? I know things change, so no big deal. We will win. Ken aka bkf
This message has been edited since posting. Last time this message was edited on 11. March 2007 @ 15:48

AfterDawn Addict | 11. March 2007 @ 15:57
Well, the scan (spyware) is only at 235,000 files and so far 324 infections found. Can't wait to run the antivirus...it's been 2 years since he's done any scans...OUCH!!!

bkf (Suspended due to non-functional email address) | 11. March 2007 @ 16:03
Gwen, you worry too much. LOL. I've got 2 million files and the only one it pukes on is the one that sets the TCP/IP stack to 50 rather than 10 on the last drive. Set to ignore.
Gwen, I see you have Logitech SetPoint. Don't upgrade to 3.30. It plays with Office like crazy. Stay with 3.01. They messed up once again. I just backed my system up to a point before the new update. Everything is working well again. 3.30 was their first attempt at Vista, and even that update requires another update.
This message has been edited since posting. Last time this message was edited on 11. March 2007 @ 16:28

AfterDawn Addict | 11. March 2007 @ 16:36
Thanks for the info. I won't upgrade.
AntiSpyware scan......350
AntiVirus..after 6,000 files, 39 viruses.....how disgusting is that.

KotaGuy (Member) | 11. March 2007 @ 16:42
Gah!
Two years without any scans???
Surprised the machine is still usable :P
Nice to hear you requested to join up, Ken.
This message has been edited since posting. Last time this message was edited on 11. March 2007 @ 16:43

bkf (Suspended due to non-functional email address) | 11. March 2007 @ 16:52
LOL, 39???? That's a bonus. New motto: whatever it takes, we will win! Once you join this group there is no turning back.
Thanks, Kota. I guess it's up to you now. You've seen my faith and my will to spread my wings without hurting anyone's systems. I'm still on phase one: reading logs. Time to move to phase 2, I guess, with a constant vigil on phase one.
This message has been edited since posting. Last time this message was edited on 11. March 2007 @ 16:58

AfterDawn Addict | 11. March 2007 @ 16:58
Yes, I find it hard to believe also; it's now up to 47 Trojan horses...I don't think the Romans had that many horses!!....only 47,000 files scanned so far...get some rest, guys, I will soon be looking for you. Cheers.

bkf (Suspended due to non-functional email address) | 11. March 2007 @ 17:00
Gwen, no matter what happens, it can be fixed. But two years is a little over the top. I run my stuff several times a single day.
Chill: everything will be fine :-)
If the system had anything serious it would not be working.
As long as it has a connection it can be fixed. We know a few tricks.
This message has been edited since posting. Last time this message was edited on 11. March 2007 @ 17:19

AfterDawn Addict | 11. March 2007 @ 17:24
I absolutely LOVE your attitude....you'll be hearing from me as soon as the scan finishes.

AfterDawn Addict | 11. March 2007 @ 17:47
OK guys, here goes; couldn't get past the 47 mark. Good luck.
Logfile of HijackThis v1.99.1
Scan saved at 3:39:23 AM, on 3/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\vsnpstd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ares Galaxy Classic\Ares.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Aaron.B\Desktop\HijackThis_v1.99.1.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customiz...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\winmgd.win
F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINDOWS\mslagent\4b_1,0,1,0_mslagent.dll (file missing)
O2 - BHO: (no name) - {04A3DB14-A063-913C-2A0F-EB1F92BFE292} - C:\DOCUME~1\Aaron.B\APPLIC~1\FLAPOK~1\thislite.exe (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - (no file)
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {F50E78F8-7983-486F-912D-A927EA0164A1} - C:\WINDOWS\adsldpbc.dll (file missing)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\system32\Kernel32.win
O4 - HKLM\..\Run: [Israfel] C:\WINDOWS\system32\Israfel.vbs
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
O4 - HKCU\..\Run: [Soap Hole] C:\DOCUME~1\LOCALS~1\APPLIC~1\GLOBAL~1\tonslogbolt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Lhbe] "C:\Program Files\uwaw\aoao.exe" -vt mt
O4 - HKCU\..\Run: [Kginnkuu] C:\WINDOWS\system32\w?nword.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Galaxy Classic\Ares.exe" -h
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [Camfrog] "C:\Program Files\Camfrog\Camfrog Video Chat 3.6\CamfrogNet.exe" 0 C:\Program Files\Camfrog\Camfrog Video Chat 3.6\Camfrog Video Chat.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_90.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.searchmeup.com
O15 - Trusted Zone: *.teensguru.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/6.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c1.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fun...etup1.0.0.8.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/c...v45/yacscom.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1128424126250
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {A02780C3-7F77-4E28-855B-28890F3CF37A} - http://akamai.downloadv3.com/binaries/Di...035_pack_XP.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.filelodge.com/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.co...utocomplete.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

KotaGuy (Member) | 11. March 2007 @ 18:31
Wow... CWS... LOP... PurityScan... a VBS script infection that's a file infector/appender... SDBot... and who knows what else. Wouldn't be surprised to find a rootkit either.
This machine has been totally messed up.
I can try to clean it up... but because of the nature of the infections I cannot guarantee its security afterwards. This one would be a challenge... even for me.
Safest course of action would be to wipe it and reinstall Windows.
But if you want me to try and clean I'll do my best.
Though it will take some work ;)
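The reading KotaGuy gives the log above can be written down as explicit rules. The script below is an added example for this page, not code from the thread, from HijackThis or from any AV vendor: it parses HijackThis-style lines and flags the indicators a log reader looks for first (a second executable appended to Shell= in system.ini, a win.ini run= hook, autoruns that point at .win/.vbs files, bare filenames or unprintable characters, the Registry Editor lockout, the broken LSP chain, domains pushed into the IE Trusted Zone, ActiveX downloads from unfamiliar hosts, and orphaned BHO/service entries). The allowlist of ActiveX hosts and the severity labels are assumptions of the example; the sample input is an excerpt copied from the posted log.

```python
"""Heuristic triage of a HijackThis v1.99 log.

Added example written for this page; not code from the thread, from
HijackThis or from any AV vendor. The rules make the human reading of
the log explicit: shell/run hijacks (F0/F1), odd autoruns (O4), the
Registry Editor lockout (O7), a broken LSP chain (O10), Trusted Zone
additions (O15), ActiveX drops from unknown hosts (O16) and orphaned
BHOs or services (O2/O23). The host allowlist and severity labels are
assumptions; a clean report does not mean a clean machine.
"""
import re
from urllib.parse import urlparse

# Hosts from which an O16 ActiveX download is expected on a stock XP box
# with MSN Messenger and Yahoo chat installed (assumption, not a vendor list).
KNOWN_DPF_HOSTS = {
    "update.microsoft.com", "messenger.zone.msn.com", "messenger.msn.com",
    "spaces.msn.com", "chat.yahoo.com",
}
# Extensions that legitimate autorun entries never use for startup code.
ODD_AUTORUN_EXT = re.compile(r"\.(win|vbs|dat|tmp)\b", re.I)
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RANK = {"high": 0, "medium": 1, "low": 2}


def triage_line(line):
    """Return (severity, reason) for one log line, or None if nothing is flagged."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None          # process list, header lines, blank lines
    section, rest = m.groups()

    if section == "F0" and "Shell=" in rest:
        if not rest.lower().rstrip().endswith("shell=explorer.exe"):
            return ("high", "system.ini Shell= has an extra executable appended")
    if section == "F1" and "run=" in rest.lower():
        return ("high", "win.ini run= autorun (legacy hook abused by malware)")
    if section == "O4":
        target = rest.split("]", 1)[-1]          # text after the [Name] tag
        if "RunServices" in rest and "\\" not in target:
            return ("high", "RunServices entry with a bare filename, no path")
        if ODD_AUTORUN_EXT.search(target):
            return ("high", "autorun target has a non-executable extension")
        if "?" in target:                        # HijackThis prints unprintable chars as '?'
            return ("high", "autorun path contains an unprintable/lookalike character")
    if section == "O7" and "DisableRegedit=1" in rest:
        return ("medium", "Registry Editor disabled by policy")
    if section == "O10" and "Broken Internet access" in rest:
        return ("medium", "LSP chain broken by a missing provider DLL")
    if section == "O15" and "Trusted Zone" in rest:
        return ("high", "domain silently added to the IE Trusted Zone")
    if section == "O16":
        host = urlparse(rest.split(" - ")[-1].strip()).hostname or ""
        if host not in KNOWN_DPF_HOSTS:
            return ("medium", "ActiveX download from unrecognised host " + host)
    if section in ("O2", "O23") and ("(file missing)" in rest or "(no file)" in rest):
        return ("low", "orphaned entry: referenced file no longer exists")
    return None


def triage_log(text):
    """Run triage_line over a whole log; findings sorted high -> medium -> low."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return sorted(findings, key=lambda f: RANK[f[0]])


# Excerpt copied from the log posted above (constructed sample input).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\winmgd.win
F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - (no file)
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\system32\Kernel32.win
O4 - HKLM\..\Run: [Israfel] C:\WINDOWS\system32\Israfel.vbs
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
O4 - HKCU\..\Run: [Kginnkuu] C:\WINDOWS\system32\w?nword.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_90.dll' missing
O15 - Trusted Zone: *.coolwebsearch.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/6.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1128424126250
"""

if __name__ == "__main__":
    for severity, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run as-is to see the excerpt ranked; for a full log, pass the file contents to triage_log(). The rules are deliberately narrow so that legitimate entries such as the AVG autorun or the Microsoft Update control pass untouched, which is also why a report with no findings proves nothing: a rootkit or an SDBot variant registered through a mechanism these rules do not cover stays invisible, and that is the reason a wipe and reinstall was the right call in the thread.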

AfterDawn Addict | 11. March 2007 @ 18:54
Guess who will be keeping an eye on things in future. I will wipe everything and reinstall. Thanks, cheers.

KotaGuy (Member) | 11. March 2007 @ 20:41
Would be the best thing to do. Especially after two years without any kind of AV/AS scan being done.
And with that SDBot visible... that gives the attacker full control over the system to do whatever he wanted with it... and who knows how long it's been there.
No real way to know the full extent of the damage done.

AfterDawn Addict | 11. March 2007 @ 21:14
I have now reinstalled Windows XP Pro, along with AVG (both)...I will make it my job to ensure scans are done REGULARLY....Thanks for all your help. Cheers.

KotaGuy (Member) | 11. March 2007 @ 21:46
You're very welcome :)

bkf (Suspended due to non-functional email address) | 11. March 2007 @ 22:13
LOL, I just wanted to also say OMG. That is art in motion. Gwen, a system just can't go 2 years or 2 weeks without checking. You knew that. Hit him over the head. LOL
PS: Bet we can fix it, but after that length of time and what I read, a reload after a full format is in order. Will keep us alive LOL
I'm even going to copy/paste that log and look it over.
Still want to thank you both. Rather than a "you have X problem", it was not spelled out and made me do research. Such a key in this war. I never want it spelled out for me; rather, "Ken, do you see an O2 or O23 that looks bad?" Make me work for it. I'll be better for it in the end of this ugly war. It was fun and I paid attention the whole time, and I'm just starting to move to phase two. Thanks again!
Ken (better late than never)
This message has been edited since posting. Last time this message was edited on 12. March 2007 @ 10:09