Mischel Internet Security Forum > Malware > Trojans
Topic: should i be worried??  (Read 4011 times)
cmessman (Newbie, Posts: 23)
« on: Oct 3rd, 2006, 12:12pm »

TH has picked up on a trojan (Click.103) and successfully removed all registry keys associated with this bug except for one:
 
Unable to open key HKEY_CLASSES_ROOT\CLSID\{746455FE-D059-47e7-AF0E-140E03F5A447}
Trojan cleaning finished
 
 
is this something i should be worried about??

siliconman01 (Global Moderator, Posts: 5960)
« Reply #1 on: Oct 3rd, 2006, 12:24pm »

Welcome to the forum cmessman
 
Quote:
is this something i should be worried about??

 
Yes, very definitely.
 
Please go to the link below and download HiJackThis 1.99.1.  Install it in a folder of its own on your hard drive....not on the desktop or in a Temp folder.  
 
http://www.majorgeeks.com/download3155.html
 
After you get HiJackThis installed, please locate  HijackThis.exe and rename it to some other name such as AnalyzeMe.exe.  The reason for the rename is that some of the latest critters prevent Hijackthis.exe from displaying properly.  So we fool them by renaming HiJackThis.exe
 
Then run a HiJackThis scan and post the log back here for us to take a look at.  I suspect you have something malicious still left on your system.
 

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!

cmessman (Newbie, Posts: 23)
« Reply #2 on: Oct 3rd, 2006, 6:22pm »

mkay... downloaded the software and ran it... this is what i got:
 
Logfile of HijackThis v1.99.1
Scan saved at 7:20:24 PM, on 10/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\{20FD7D88-0891-1033-0731-030512200001}\Update.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\WINDOWS\SYSTEM32\taskmgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\TrojanHunter 4.6\TrojanHunter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\Temporary Directory 2 for bigkilla.zip\HijackThis.exe
C:\BigKilla\BigKillBugs.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.purdue.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jgjla.exe
F2 - REG:system.ini: UserInit=userinit.exe,tcppkkp.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: LotusMenu - http://discoverypark.e-enterprise.purdue.edu/wps/menu/menudisp.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOActiveXInstallerProj1.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB701\webserver\bin\win32\matlabserver.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
 

siliconman01 (Global Moderator, Posts: 5960)
« Reply #3 on: Oct 4th, 2006, 2:38am »

Okay, there are some problems showing up in the HJT log.
 
1.  Go to the link below and change the default settings for Windows Explorer so that you can view all files and folders.
 
http://www.misec.net/forum/board/FAQ/1139610900
 
2.  Please locate the following files and submit them to Mischel Internet Security for analysis.  They both look very suspicious.  The link below describes how to submit files for analysis.
 
jgjla.exe
tcppkkp.exe

 
http://www.misec.net/forum/board/FAQ/1139308293
 
3.  Run another HJT scan.  When the scan is completed, place a checkmark in the box next to each of the items shown below.  Be Sure ONLY these items are checked.
 
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)  
 
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)  
 
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
 
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)  
 
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)  

 
-  Click on Fix Checked located at the lower left of the HJT window.  Confirm that you want these items Fixed and let HJT fix them.  
 
4.  Close HJT and Reboot immediately
 
5.  Following the reboot, check these two entries in your Trusted Zone of IE.  If you did not add them, they should be removed from your trusted zone.  
 
O15 - Trusted Zone: *.elitemediagroup.net
 
O15 - Trusted Zone: *.mmohsix.com

 
-  START>Settings>Control Panel>Internet Options>Security tab
 
-  Click on the Trusted Zone icon and select Sites
 
-  Locate the above URLs and delete them.
 
-  Click on OK and Apply and exit out of the cpl window for Internet options.
 
6.  Perform a remote scan of your system using Bit Defender.  The link below provides the link to the Bit Defender site.  You will need to let it download an ActiveX module, so use IE instead of FireFox or any other browser.
 
http://www.misec.net/forum/board/FAQ/1141894786
 
7.  Following Bit Defender's scan, reboot immediately.  Post the results log of Bit Defender's scan back here on this forum thread.
 
8.  Download and install the 15-day trial version of Spy Sweeper from the link below.  The download link is at the bottom of the webpage.
 
http://www.webroot.com/consumer/products/spysweeper/latestv.html
 
a.) Once installed, navigate to the:
- Shields page and UNCHECK all Shields.
- Scan setup page.  Checkmark all the scan options on the right side and select your disks to be scanned.  
b.) Run a full system scan using Spy Sweeper and let it fix what it finds.  
 
c.) Post the results of the Spy Sweeper scan back here, please.
 
9.  Download the latest RuleSets for TrojanHunter.  
 
a.)  Reboot into SAFE MODE.
b.)  Run a FULL scan with TrojanHunter and let it fix what it finds.  
c.)  Reboot into Normal Mode.
d.)  Post the results of TrojanHunter's scan back here, please.
 
10.  Run another HJT scan and post the log back here and let's see where we stand.
 
 

cmessman (Newbie, Posts: 23)
« Reply #4 on: Oct 4th, 2006, 11:43am »

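The log review done in the reply above, as an added example written for this page (it is not HijackThis code and not from the original thread): it walks a HijackThis 1.99.1 log and flags the entry classes the reply singles out, using sample lines copied from the log posted earlier in the thread. The assumption that only microsoft.com is an expected source for O16 DPF (ActiveX) downloads is mine.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Lines copied from the HijackThis log posted earlier in this thread
# (a subset, enough to exercise every rule below).
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jgjla.exe
F2 - REG:system.ini: UserInit=userinit.exe,tcppkkp.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "F2" or "O15"
    reason: str   # why the line was flagged
    line: str     # the log line as written


# system.ini Shell= / UserInit= should each name exactly one executable.
# HijackThis 1.99.1 prints the bare value, so anything after the comma is
# an extra program that gets launched at logon (jgjla.exe / tcppkkp.exe
# in this thread).
_F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
_EXPECTED_F2 = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}

# Entries whose target no longer exists are leftovers of a removed
# component, or of a cleaner that got the file but not the registry entry.
_MISSING_MARKERS = ("(no file)", "(file missing)")

# O16 DPF entries are ActiveX controls installed from a URL.  Assumption
# made for this example: only Microsoft-hosted downloads are expected;
# everything else is listed for review.
_O16_RE = re.compile(r"^O16 - DPF: .* - (\S+)$")
_EXPECTED_DPF_HOSTS = ("microsoft.com",)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _host_expected(url):
    host = (urlsplit(url).hostname or "").lower()
    ok = any(host == d or host.endswith("." + d) for d in _EXPECTED_DPF_HOSTS)
    return host, ok


def triage_line(line):
    """Return a Finding for one HijackThis log line, or None if unremarkable."""
    line = line.rstrip()
    section = line.split(" - ", 1)[0]

    m = _F2_RE.match(line)
    if m:
        key, value = m.group(1), m.group(2)
        programs = [p.strip() for p in value.split(",") if p.strip()]
        extra = [p for p in programs if _basename(p) != _EXPECTED_F2[key]]
        if extra:
            return Finding(section, f"{key}= also launches {', '.join(extra)}", line)
        return None

    if section in ("O3", "O9", "O23") and any(mk in line for mk in _MISSING_MARKERS):
        return Finding(section, "target file is missing; orphaned entry", line)

    if section == "O15":
        return Finding(section, "site added to IE Trusted Zone; remove unless added deliberately", line)

    m = _O16_RE.match(line)
    if m:
        host, expected = _host_expected(m.group(1))
        if not expected:
            return Finding(section, f"ActiveX control downloaded from {host or 'a local path'}", line)
    return None


def triage_log(text):
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```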
here's the log from bit torrent...
 
BitDefender Online Scanner
Scan report generated at: Wed, Oct 04, 2006 - 12:39:49
Scan path: A:\;C:\;D:\;E:\;

Statistics
Time: 01:50:05
Files: 566424
Folders: 11605
Boot Sectors: 3
Archives: 3631
Packed Files: 23333

Results
Identified Viruses: 13
Infected Files: 22
Suspect Files: 2
Warnings: 0
Disinfected: 0
Deleted Files: 24

Engines Info
Virus Definitions: 473881
Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins: 13
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
 
C:\Documents and Settings\Chris\Local Settings\Temp\b103.exe
 Infected with: Trojan.Downloader.TSUpdate.D
 
C:\Documents and Settings\Chris\Local Settings\Temp\b103.exe
 Disinfection failed
 
C:\Documents and Settings\Chris\Local Settings\Temp\b103.exe
 Deleted
 
C:\Documents and Settings\Chris\Local Settings\Temp\b111.exe=>(NSIS o)=>lzma_solid_nsis0002
 Infected with: Trojan.Dialer.PL
 
C:\Documents and Settings\Chris\Local Settings\Temp\b111.exe=>(NSIS o)=>lzma_solid_nsis0002
 Disinfection failed
 
C:\Documents and Settings\Chris\Local Settings\Temp\b111.exe=>(NSIS o)=>lzma_solid_nsis0002
 Deleted
 
C:\Documents and Settings\Chris\Local Settings\Temp\b111.exe=>(NSIS o)
 Update failed
 
C:\Documents and Settings\Chris\Local Settings\Temp\b123.exe=>(NSIS o)=>lzma_solid_nsis0002=>(NSIS o)=>lzma_solid_nsis0001
 Infected with: Trojan.Downloader.Qoologic.BC
 
C:\Documents and Settings\Chris\Local Settings\Temp\b123.exe=>(NSIS o)=>lzma_solid_nsis0002=>(NSIS o)=>lzma_solid_nsis0001
 Disinfection failed
 
C:\Documents and Settings\Chris\Local Settings\Temp\b123.exe=>(NSIS o)=>lzma_solid_nsis0002=>(NSIS o)=>lzma_solid_nsis0001
 Deleted
 
C:\Documents and Settings\Chris\Local Settings\Temp\b123.exe=>(NSIS o)=>lzma_solid_nsis0002=>(NSIS o)
 Update failed
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\0PE3G5UV\103[1].net
 Infected with: Trojan.Downloader.TSUpdate.D
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\0PE3G5UV\103[1].net
 Disinfection failed
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\0PE3G5UV\103[1].net
 Deleted
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\0PE3G5UV\123[1].net=>(NSIS o)=>lzma_solid_nsis0002=>(NSIS o)=>lzma_solid_nsis0001
 Infected with: Trojan.Downloader.Qoologic.BC
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\0PE3G5UV\123[1].net=>(NSIS o)=>lzma_solid_nsis0002=>(NSIS o)=>lzma_solid_nsis0001
 Disinfection failed
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\0PE3G5UV\123[1].net=>(NSIS o)=>lzma_solid_nsis0002=>(NSIS o)=>lzma_solid_nsis0001
 Deleted
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\0PE3G5UV\123[1].net=>(NSIS o)=>lzma_solid_nsis0002=>(NSIS o)
 Update failed
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\0PE3G5UV\popup[1].htm
 Detected with: Application.JS.ForcePopup.D
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\0PE3G5UV\popup[1].htm
 Disinfection failed
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\0PE3G5UV\popup[1].htm
 Deleted
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\KTI3WN61\popup[1].htm
 Detected with: Application.JS.ForcePopup.D
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\KTI3WN61\popup[1].htm
 Disinfection failed
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\KTI3WN61\popup[1].htm
 Deleted
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\PTIPZ91B\popup[1].htm
 Detected with: Application.JS.ForcePopup.D
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\PTIPZ91B\popup[1].htm
 Disinfection failed
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\PTIPZ91B\popup[1].htm
 Deleted
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\U1ETYVK9\popup[1].htm
 Detected with: Application.JS.ForcePopup.D
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\U1ETYVK9\popup[1].htm
 Disinfection failed
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\U1ETYVK9\popup[1].htm
 Deleted
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\YZCXEJA5\xp-adtegrity-box[1].swf=>[SWF command]
 Infected with: Trojan.SwfDL.A
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\YZCXEJA5\xp-adtegrity-box[1].swf=>[SWF command]
 Disinfection failed
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\YZCXEJA5\xp-adtegrity-box[1].swf=>[SWF command]
 Deleted
 
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\YZCXEJA5\xp-adtegrity-box[1].swf
 Update failed
 
C:\Documents and Settings\Chris\My Documents\My Pictures\brookeburketool3.exe=>wise0017
 Infected with: Dropped:Application.BHO.Ignet.A
 
C:\Documents and Settings\Chris\My Documents\My Pictures\brookeburketool3.exe=>wise0017
 Disinfection failed
 
C:\Documents and Settings\Chris\My Documents\My Pictures\brookeburketool3.exe=>wise0017
 Deleted
 
C:\Documents and Settings\Chris\My Documents\My Pictures\brookeburketool3.exe
 Update failed
 
C:\drsmartload.exe
 Infected with: Trojan.Downloader.Drsmart.B
 
C:\drsmartload.exe
 Disinfection failed
 
C:\drsmartload.exe
 Deleted
 
C:\Program Files\QUICKENW\QWDELUXE\DISK24\DATA24.CAB=>(IShield Module 147)
 Infected with: Generic.XPL.Codebase.41C2DB21
 
C:\Program Files\QUICKENW\QWDELUXE\DISK24\DATA24.CAB=>(IShield Module 147)
 Disinfection failed
 
C:\Program Files\QUICKENW\QWDELUXE\DISK24\DATA24.CAB=>(IShield Module 147)
 Deleted
 
C:\Program Files\QUICKENW\QWDELUXE\DISK24\DATA24.CAB
 Update failed
 
C:\Program Files\QUICKENW\QWHB\DISK26\DATA26.CAB=>(IShield Module 156)
 Infected with: Generic.XPL.Codebase.41C2DB21
 
C:\Program Files\QUICKENW\QWHB\DISK26\DATA26.CAB=>(IShield Module 156)
 Disinfection failed
 
C:\Program Files\QUICKENW\QWHB\DISK26\DATA26.CAB=>(IShield Module 156)
 Deleted
 
C:\Program Files\QUICKENW\QWHB\DISK26\DATA26.CAB
 Update failed
 
C:\Program Files\TrojanHunter 4.6\Quarantine\EMS9ssx2.dat
 Infected with: Trojan.Downloader.Qoologic.BC
 
C:\Program Files\TrojanHunter 4.6\Quarantine\EMS9ssx2.dat
 Disinfection failed
 
C:\Program Files\TrojanHunter 4.6\Quarantine\EMS9ssx2.dat
 Deleted
 
C:\Program Files\TrojanHunter 4.6\Quarantine\LcV.dat
 Infected with: Trojan.Downloader.Small.BCN
 
C:\Program Files\TrojanHunter 4.6\Quarantine\LcV.dat
 Disinfection failed
 
C:\Program Files\TrojanHunter 4.6\Quarantine\LcV.dat
 Deleted
 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1014\A0062054.exe
 Infected with: Trojan.Downloader.VB.TX
 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1014\A0062054.exe
 Disinfection failed
 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1014\A0062054.exe
 Deleted
 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1014\A0062055.exe
 Infected with: Trojan.Downloader.VB.TX
 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1014\A0062055.exe
 Disinfection failed
 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1014\A0062055.exe
 Deleted
 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1014\A0062080.exe
 Infected with: Trojan.Downloader.Adload.DZ
 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1014\A0062080.exe
 Disinfection failed
 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1014\A0062080.exe
 Deleted
 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1014\A0062085.exe
 Suspected of: BehavesLike:Trojan.Downloader
 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1014\A0062085.exe
 Disinfection failed
 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1014\A0062085.exe
 Deleted
 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1014\A0062086.exe
 Suspected of: BehavesLike:Trojan.Downloader
 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1014\A0062086.exe
 Disinfection failed
 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1014\A0062086.exe
 Deleted
 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1018\A0063342.exe
 Infected with: Trojan.Downloader.Drsmart.B
 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1018\A0063342.exe
 Disinfection failed
 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1018\A0063342.exe
 Deleted
 
C:\WINDOWS\SYSTEM32\xuhkm.dat
 Infected with: Trojan.Downloader.Qoologic.BJ
 
C:\WINDOWS\SYSTEM32\xuhkm.dat
 Disinfection failed
 
C:\WINDOWS\SYSTEM32\xuhkm.dat
 Deleted
 
C:\WINDOWS\thiselt.exe
 Infected with: Trojan.Lowzones.CZ
 
C:\WINDOWS\thiselt.exe
 Disinfection failed
 
C:\WINDOWS\thiselt.exe
 Deleted
 
 

siliconman01 (Global Moderator, Posts: 5960)
« Reply #5 on: Oct 4th, 2006, 12:11pm »

Okay!  Bit Defender really tagged things.  Let's do this before proceeding.
 
1.  Go to the website below and download/install CCleaner.  Install it via its own installer to its default folder.  NOTE:  This is a really good freebie program to run frequently to clean out your temp junk.  
 
http://www.ccleaner.com
 
2.  Run the Cleaner component and let it clean out temporary files and folder...junk.  Do not run the Issues component which is the registry cleaner component.
 
3.  Now let's turn off System Restore, which is your System Volume Information folder.  It is badly infected and is of no use at the moment.  The only way to clean it out is to turn it off.
 
-  START>SETTINGS>CONTROL PANEL>SYSTEM>System Restore tab.  
 
-  Check mark the box that says to turn OFF system restore.  
 
-  Click on APPLY and OK to close the window.
 
-  Reboot your computer.  
 
-  Let's leave System Restore OFF until we get things cleaned up.  Then we'll turn it back on.
 
4.  ReRun the remote Bit Defender scan and see if it is still detecting anything.  Post its new scan/disinfecting log.

cmessman (Newbie, Posts: 23)
« Reply #6 on: Oct 4th, 2006, 2:00pm »

mkay, I'm currently running the CCleaner program now but i forgot to attach the log from the spy sweeper ( i dunno if this is relevant anymore)... so here's that as well:
 
 
12:58 PM: Starting Registry Sweep
12:58 PM: Memory Sweep Complete, Elapsed Time: 00:01:30
12:57 PM:   Detected running threat: C:\WINDOWS\SYSTEM32\jgjla.exe (ID = 268934)
12:57 PM:   Detected running threat: C:\WINDOWS\SYSTEM32\jgjla.exe (ID = 268934)
12:57 PM:   Detected running threat: C:\WINDOWS\SYSTEM32\jgjla.exe (ID = 268934)
12:57 PM:   Detected running threat: C:\WINDOWS\SYSTEM32\yerhrnb.dll (ID = 268933)
12:57 PM:   HKU\S-1-5-21-2975269026-2149897979-1700636632-1007\Software\Microsoft\Windows\CurrentVersion\Run || oldab (ID = 0)
12:57 PM:   HKLM\Software\Microsoft\Windows\CurrentVersion\Run || rowyad (ID = 0)
12:57 PM:   Detected running threat: C:\WINDOWS\SYSTEM32\swshaf.exe (ID = 268995)
12:57 PM:   Found Adware: clkoptimizer
12:56 PM: Starting Memory Sweep
12:56 PM: Sweep initiated using definitions version 691
12:56 PM: Spy Sweeper 5.0.5.1286 started
12:56 PM: |  Start of Session, Wednesday, October 04, 2006  |
********
12:56 PM: |  End of Session, Wednesday, October 04, 2006  |
12:53 PM: Startup Shield: Off
12:53 PM: Hosts File Shield: Off
12:53 PM: Keylogger Shield: Off
12:53 PM: Spy Communication Shield: Off
12:53 PM: Spy Installation Shield: Off
12:53 PM: Memory Shield: Off
12:53 PM: Windows Messenger Service Shield: Off
12:53 PM: Alternate Data Stream (ADS) Execution Shield: Off
12:53 PM: ActiveX Shield: Off
12:53 PM: IE Hijack Shield: Off
12:53 PM: BHO Shield: Off
12:53 PM: IE Security Shield: Off
12:53 PM: IE Favorites Shield: Off
12:50 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
12:50 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
12:49 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
12:49 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
12:49 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
12:49 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
12:49 PM: The Spy Communication shield has blocked access to: DL.WEB-NEXUS.NET
12:49 PM: The Spy Communication shield has blocked access to: STECH.WEB-NEXUS.NET
  Keylogger Shield: On
  BHO Shield: On
  IE Security Shield: On
  Alternate Data Stream (ADS) Execution Shield: On
  Startup Shield: On
  Common Ad Sites Shield: Off
  Hosts File Shield: On
  Spy Communication Shield: On
  ActiveX Shield: On
  Windows Messenger Service Shield: On
  IE Favorites Shield: On
  Spy Installation Shield: On
  Memory Shield: On
  IE Hijack Shield: On
  IE Tracking Cookies Shield: Off
12:49 PM: Shield States
12:49 PM: Spyware Definitions: 691
12:49 PM: Spy Sweeper 5.0.5.1286 started
12:49 PM: Spy Sweeper 5.0.5.1286 started
12:49 PM: |  Start of Session, Wednesday, October 04, 2006  |
********

siliconman01 (Global Moderator, Posts: 5960)
« Reply #7 on: Oct 4th, 2006, 2:09pm »

Okay, Spy Sweeper has found more.  I'll wait for you to post the results of the second Bit Defender scan and then we'll go back to Spy Sweeper with some additional instructions on it.
 
Before we go any further, I am very concerned that you may have the worst of all infections: a rootkit.  Your machine is very heavily infected and some of the infections carry a hidden package called a rootkit.
 
Therefore after you post the results of the second Bit Defender scan, please go to the link below and download/install Blacklight.  
 
Run Blacklight rootkit detector and post back here the results of its scan.  It is a quick scan to execute.  IF it detects a rootkit, let it attempt to remove it. 

 
http://www.f-secure.com/blacklight/blacklight.html
 
Be sure to download only BlackLight, not F-secure Internet Security 2006.
« Last Edit: Oct 4th, 2006, 3:14pm by siliconman01 »


cmessman (Newbie, Posts: 23)
« Reply #8 on: Oct 6th, 2006, 9:19am »

2nd run of bitdefender...
 
 
Statistics
Time: 01:45:40
Files: 534277
Folders: 10471
Boot Sectors: 3
Archives: 3452
Packed Files: 22155

Results
Identified Viruses: 2
Infected Files: 3
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 3

Engines Info
Virus Definitions: 474226
Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins: 13
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
 
C:\Documents and Settings\Chris\My Documents\My Pictures\brookeburketool3.exe=>wise0017
 Infected with: Dropped:Application.BHO.Ignet.A
 
C:\Documents and Settings\Chris\My Documents\My Pictures\brookeburketool3.exe=>wise0017
 Disinfection failed
 
C:\Documents and Settings\Chris\My Documents\My Pictures\brookeburketool3.exe=>wise0017
 Deleted
 
C:\Documents and Settings\Chris\My Documents\My Pictures\brookeburketool3.exe
 Update failed
 
C:\Program Files\QUICKENW\QWDELUXE\DISK24\DATA24.CAB=>(IShield Module 147)
 Infected with: Generic.XPL.Codebase.41C2DB21
 
C:\Program Files\QUICKENW\QWDELUXE\DISK24\DATA24.CAB=>(IShield Module 147)
 Disinfection failed
 
C:\Program Files\QUICKENW\QWDELUXE\DISK24\DATA24.CAB=>(IShield Module 147)
 Deleted
 
C:\Program Files\QUICKENW\QWDELUXE\DISK24\DATA24.CAB
 Update failed
 
C:\Program Files\QUICKENW\QWHB\DISK26\DATA26.CAB=>(IShield Module 156)
 Infected with: Generic.XPL.Codebase.41C2DB21
 
C:\Program Files\QUICKENW\QWHB\DISK26\DATA26.CAB=>(IShield Module 156)
 Disinfection failed
 
C:\Program Files\QUICKENW\QWHB\DISK26\DATA26.CAB=>(IShield Module 156)
 Deleted
 
C:\Program Files\QUICKENW\QWHB\DISK26\DATA26.CAB
 Update failed
 

cmessman (Newbie, Posts: 23)
« Reply #9 on: Oct 6th, 2006, 9:52am »

the fun continues!!!  i downloaded the f-secure program u recommended and tried to run it and it says this:"
 
F-Secure Blacklight could not secure necessary privileges (SeDebugPrivilege)
 
-Your computer settings may prevent acquiring these privileges.
 
-A malicious program might have disabled these privleges."
 
i am def a tech weenie but i can recognize real bad things... time to format???

siliconman01 (Global Moderator, Posts: 5960)
« Reply #10 on: Oct 6th, 2006, 10:19am »

Are you logged in using an account with full administrative privileges?  You need to be logged in using an account that is NOT limited.
 
Also, are you running one of the new 64 bit machines...dual core?
« Last Edit: Oct 6th, 2006, 10:28am by siliconman01 »


cmessman (Newbie, Posts: 23)
« Reply #11 on: Oct 6th, 2006, 11:32am »

yes... i have full administrative priv on this computer

cmessman (Newbie, Posts: 23)
« Reply #12 on: Oct 6th, 2006, 11:34am »

the computer specs are:
dell dimension 2400
celeron proc at 2.2ghz
512 mb ddr sdram at 333mhz

siliconman01 (Global Moderator, Posts: 5960)
« Reply #13 on: Oct 6th, 2006, 11:44am »

Okay, let's not give up just yet.  Let's shelve BlackLight for the moment.  
 
Please do the following.
 
1.  Open Spy Sweeper
 
-  On the home page/window located on the lower right side is a hot key to update Spy Sweeper's definitions to the latest version...which is #776 or higher.  Please download the latest definitions for Spy Sweeper.  Then close Spy Sweeper.
 
2.  Reboot your computer into SAFE MODE.
 
3.  Run a full scan of your system with Spy Sweeper.  Let it clean out what it finds.  
 
3a.)  Be sure it scans memory, the registry and all the files on your primary hard drive (C:\) and any other drive that you execute programs from.
 
3b.) Be sure you select the scan options on the scan setup page to scan for rootkits and archives.  
 
4.  Reboot into normal mode and post the Spy Sweeper log back here.  
 
5.  Also post a new Hijackthis log after you post the SS log.

siliconman01 (Global Moderator, Posts: 5960)
« Reply #14 on: Oct 6th, 2006, 11:57am »

Did you download the GUI version of BlackLight or the Command Line version?  If you downloaded the Command Line version, please download and try the GUI version.  
 
Also, you have to create a shortcut for Blacklight and start it from the shortcut...not the executable file itself.
« Last Edit: Oct 6th, 2006, 12:58pm by siliconman01 »
