Possible Trojan?
FartDude
Suspended permanently
30. August 2006 @ 19:55
Hi there everyone, yesterday Webroot Spy Sweeper detected a high-risk trojan, but all my other scanners found nothing. I'm thinking it's more of a false positive. Just to be sure, here is my HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 11:54:50 PM, on 8/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AntiSpy Pro\AntiSpyPro.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Outpost firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O15 - Trusted Zone: http://www.adobe.com
O15 - Trusted Zone: http://www.cloverchurch.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted IP range: http://192.168.1.1
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Sandboxie Service (SandboxU) - tzuk - C:\Program Files\Sandboxie\SandboxieServer.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Senior Member
30. August 2006 @ 20:49
It's not showing in your log, but it could be hiding.
What is the name it gives for the trojan?
FartDude
Suspended permanently
30. August 2006 @ 21:23
The trojan is called Maccess. Spy Sweeper said one of the DLLs in my firewall's program directory was infected.
Senior Member
30. August 2006 @ 21:42
Well, it's not a false positive, look here.
http://www.sophos.com/security/analyses/trojmaccessa.html
As for removing it, I can't find a lot of help. On that site they give removal instructions for trojans, but usually they want you to buy their products. And after looking over the removal instructions, they do not give much help.
Ewido may pick it up and get rid of it. Get it here: http://free.grisoft.com/doc/1
Install and update.
Restart your computer in safe mode (press F8 upon boot, select "Safe Mode" from the menu).
Run a full scan.
If it finds it or anything else, be sure to set all items to delete and then click "Apply All Actions".
Then click "Save Report".
Post back with the results or the Ewido log.
FartDude
Suspended permanently
30. August 2006 @ 22:27
Well, the problem is, I believe if I remove it then it could screw up my firewall.
Here is a screenshot of what Spy Sweeper detects:
http://img90.imageshack.us/img90/9696/trojanld6.jpg
I haven't noticed anything unusual. I've tried Ewido and HouseCall, and they don't detect anything; heck, even UnHackMe and Trojan Remover don't pick up anything. When I run Active Ports, there is nothing out of the ordinary.
Senior Member
30. August 2006 @ 22:54
Quarantine it with SpySweeper. If your firewall doesn't work after that, you can restore the files. If it works fine, delete them.
FartDude
Suspended permanently
30. August 2006 @ 23:22
OK, I've quarantined the infected files and Outpost still runs. Hmm, oh well, I have no idea where this thing came from. Everything still seems normal, thanks for the help :)
Senior Member
30. August 2006 @ 23:32
No problem...just remember to delete them. ;)
FartDude
Suspended permanently
30. August 2006 @ 23:36
I just did. I posted this over on the Outpost forums; maybe they could give me an answer as to what this was. I mean, it could have been a trojan, or it could have been an innocent feature included with the firewall. There have been several times in the past where Spy Sweeper detects an innocent program and says it's something dangerous; examples would be PeerGuardian2 and AnyDVD.
Senior Member
30. August 2006 @ 23:41
One way you could find out if it came with the firewall is to reinstall it. Since you have now deleted them they will come back after the reinstallation.
aabbccdd
Suspended permanently
31. August 2006 @ 00:31
You might want to run "SmitfraudFix" also and post a logfile.
Senior Member
31. August 2006 @ 00:51
Umm, that wouldn't help anything. He has a trojan, not desktop malware.
FartDude
Suspended permanently
31. August 2006 @ 08:33
Well, I got a reply from the Outpost forums, and it indeed is a false positive. Here is what one of the Agnitum developers has to say:
Quote: wl_hook.dll hooks winlogon for several reasons.
1. It tracks the shutdown event and allows exit of the Outpost service.
2. It loads the Outpost GUI when the user logs on (in some cases).
3. It implements some functionality of minidump analysis for the Agnitum Feedback Service.
We will change the method of DLL injection in Outpost 4.0.
Senior Member
1. September 2006 @ 08:17
Originally posted by Niobis: Well, it's not a false positive, look here.
http://www.sophos.com/security/analyses/trojmaccessa.html
Yeah, it was a false positive; you can tell from its location. It happens.
Nothing to worry about.
@FartDude, you have both SpywareGuard and SpywareBlaster installed and running at the same time; it's highly recommended you uninstall one.
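The "you can tell from its location" check above can be done mechanically. The following helper is an added example, not code from any poster or from Agnitum, Webroot or the HijackThis project: it parses O20 (AppInit_DLLs / Winlogon Notify) and O23 (service) lines from a constructed HijackThis-style sample that mirrors the log posted earlier, expands 8.3 short names such as PROGRA~1 heuristically, and reports whether each injected DLL lives in the same directory as a service binary attributed to a named vendor. A DLL that cannot be attributed by location (here, the one in SYSTEM32) is reported as still needing its file signature checked.

```python
import re

# Constructed sample in the HijackThis format used in the log posted above.
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Outpost firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
"""

SHORT_NAME = re.compile(r"^(.*)~\d+$")  # 8.3 form such as PROGRA~1
O20_LINE = re.compile(r"^O20 - (AppInit_DLLs|Winlogon Notify): (?:.+ - )?(.+)$")
O23_LINE = re.compile(r"^O23 - Service: .+ - (.+?) - (.+)$")


def component_matches(short, long_name):
    """Heuristic: PROGRA~1 abbreviates 'Program Files' (Windows drops spaces and
    dots, upper-cases, and keeps the first six characters before ~N)."""
    m = SHORT_NAME.match(short.upper())
    if not m:
        return short.upper() == long_name.upper()
    stem = long_name.upper().replace(" ", "").replace(".", "")
    return stem.startswith(m.group(1))


def same_directory(path_a, path_b):
    """Compare the directory parts of two paths, tolerating 8.3 names on either side."""
    dir_a, dir_b = path_a.split("\\")[:-1], path_b.split("\\")[:-1]
    return len(dir_a) == len(dir_b) and all(
        component_matches(x, y) or component_matches(y, x) for x, y in zip(dir_a, dir_b))


def triage(log):
    """Map every O20 injected DLL to the vendor of an O23 service whose binary
    shares its directory, or to None when the location attributes it to nothing."""
    lines = log.splitlines()
    services = [(m.group(1), m.group(2)) for m in map(O23_LINE.match, lines) if m]
    verdict = {}
    for m in filter(None, map(O20_LINE.match, lines)):
        dll = m.group(2)
        verdict[dll] = next((vendor for vendor, exe in services if same_directory(dll, exe)), None)
    return verdict


if __name__ == "__main__":
    for dll, vendor in triage(SAMPLE_LOG).items():
        note = "co-located with " + vendor if vendor else "no vendor by location; verify the signature"
        print(f"{dll}: {note}")
```

Co-location only says the DLL sits where a known product lives; it is a triage hint, not proof, since a file dropped into that directory would pass the same check.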
FartDude
Suspended permanently
1. September 2006 @ 08:39
Quote: @FartDude, you have both SpywareGuard and SpywareBlaster installed and running at the same time; it's highly recommended you uninstall one.
That's the first I've heard of that; from what I've read, both of them are highly recommended. And SpywareBlaster doesn't run at all times; it just creates restricted Internet zones and blacklists certain ActiveX controls, whereas SpywareGuard protects against bad downloads and uses heuristics to help detect newer threats (that's one reason the definitions haven't been updated since '04).
AfterDawn Addict
1. September 2006 @ 09:23
Last night Spy Sweeper blocked Trojan Maccess from coming in the back door.
I was on a news site when it happened.
Trojan Horse
Trojan Maccess is a remote access Trojan that may allow a hacker to gain unrestricted access to your computer when you are online.
Trojan Maccess may manage files on your computer, including creating, deleting, renaming, viewing, or transferring files to or from your computer. It can utilize a program manager that allows a hacker to install, execute, open, or close programs. The hacker can gain remote control of your cursor and keyboard and can even send mass e-mails from your infected computer. It can run in the background, hiding its presence.
Trojan Maccess is usually disguised as a harmless software program and is generally distributed as an e-mail attachment. Opening the attachment may cause an auto-installation process that loads the Trojan onto your computer without your knowledge or consent.
This Trojan may open a port on your computer that may enable a hacker to gain remote control of your computer. Additional Comments: It is recommended that you change all of your passwords after removing this program. If you bank online, you might consider changing your credit card and bank account numbers. You should also monitor your credit card and bank statements carefully over the next several months for signs of fraudulent activity.
Senior Member
1. September 2006 @ 13:18
@FartDude,
Originally posted by Fartdude:
That's the first I've heard of that; from what I've read, both of them are highly recommended. And SpywareBlaster doesn't run at all times; it just creates restricted Internet zones and blacklists certain ActiveX controls, whereas SpywareGuard protects against bad downloads and uses heuristics to help detect newer threats (that's one reason the definitions haven't been updated since '04).
---------------------------------------
SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware! And you can easily have an anti-virus program running alongside SpywareGuard.
SpywareGuard now also features Download Protection and Browser Hijacking Protection!
Features Listing:
* Fast Real-Time Scanning engine - catch and block spyware before it is executed (EXE and CAB files supported) with signature-based scanning for known spyware and heuristic/generic detection capabilities to catch new/mutated spyware
* Download Protection - prevent spyware from being downloaded in Internet Explorer
* Browser Hijacking Protection - stop browser hijacking activity in real-time
* SG LiveUpdate - provides an easy updating solution
* Small size - with a small size and small definition sizes, download and updates are quick
* Report Capabilities - keep a detailed log of all spyware detected
* Spyware files are blocked before being opened or run - they are not simply shut down after they are loaded in memory (and after they have performed their tasks)
* It's a free download
--From:
http://www.javacoolsoftware.com/spywareguard.html
---------------------------------------
It runs in real time; you should only have one anti-spyware program running in real time.
Having more than one running can consume massive amounts of resources and create system instability :-)
FartDude
Suspended permanently
1. September 2006 @ 19:20
A little update here: I just restored my HDD (not formatted; I love Acronis True Image :P), updated Spy Sweeper and ran the scan once more, and it detected nada. So this was nothing after all.
olddawn
Newbie
15. September 2006 @ 12:57
My Spy Sweeper found the same thing, but I want to say that the other computer on my network started giving me many problems. I found that it also had the same Maccess trojan horse, after installing trial Webroot on it (couldn't access Outlook to activate it to remove, however), but I did not have Spy Sweeper on it, and it did a great deal of damage to that computer. Norton kept being disabled, my upgrades to Windows were deleted or did not show up any longer in Add and Remove, and Outlook could not be accessed. What has happened to it? It is unplugged and useless for now. Seems many people do not know about removing this trojan horse from what I am reading. I think that Webroot saved this new computer. About the same time I received a warning that HKCU was attempting to insert itself in my startup. I see that you have that. I denied it access, since I had not given it permission. In addition, I received a warning that someone was trying to change my homepage. So I do not think this is a false positive. It may have begun with HP. Originally, I kept getting a popup that I could not get rid of. When I downloaded the update for HP with a patch, the popup ceased. From reading the forums, I learned that this was part of a virus and could be removed with the patch.
Webroot advised that I run it three consecutive times and download the latest definitions. It took several days, but I am no longer receiving these warning messages. None of my other virus or spyware programs detected any of these problems. My old computer's (on the network) condition is proof of the pudding.
In the advanced section of Sophos under Maccess-A it says registry entries may be created under the following:
HKLM\SOFTWARE\Microsoft\Windows\AppInit_DLLs