Mischel Internet Security Forum
Topic: Using TrojanHunter
cwroblew (Newbie, Posts: 6)
Using TrojanHunter
« on: Dec 7th, 2006, 9:11am »
I have recently installed TrojanHunter and it seems to be doing a good job.  I have somehow gotten the NSIS Media worm and it appears that TrojanHunter is preventing the pop-ups (they stopped around the same time as the installation).  
 
But TrojanHunter isn't finding NSIS Media.  
 
It is finding this though:
 
Found adware file: C:\WINDOWS\system32\avwmdm.dll (Adware.Cydoor.100)
 
But it doesn't seem to be able to completely remove it.  It keeps getting re-installed.
 

siliconman01 (Global Moderator, Posts: 5815)
Re: Using TrojanHunter
« Reply #1 on: Dec 7th, 2006, 9:35am »
Welcome to the forum, cwroblew.
 
Sorry that you are having some infection problems.  Here is what I'd recommend that you do.
 
1.  Install HijackThis.
Please go to the link below and follow the instructions on installing HiJackthis.
 
http://www.misec.net/forum/board/FAQ/1163329424
 
2.  Clean out your temporary files and junk.
If you have not already installed CCleaner or do not have an equivalent cleaning tool, please go to the link below and install CCleaner.  Run the Cleaner tool and clean out your junk files.  Do NOT run the Issues tool because that is a registry cleaner.  
 
http://www.ccleaner.com
 
3.  Obtain the latest updates for TH.
Run TH LiveUpdate to obtain the latest rulesets.
 
4.  Make all your folders and files visible:
Follow the instructions in the link below.
 
http://www.misec.net/forum/board/FAQ/1139610900
 
5.  Run TH scanner in SAFE MODE:
Reboot your computer into SAFE MODE.  The link below describes how to boot in SAFE MODE if you do not know how.  
 
http://www.misec.net/forum/board/FAQ/1144043085
 
Once in SAFE MODE, run a full scan with TH scanner and let it quarantine what it finds.  Save the scan/cleaning log so that you can post it back here.  
 
IF TH finds that you have infections in your System Restore folder at C:\System Volume Information, please follow the procedure defined in the link below to clean out this folder.  Do this after the TH scan is completed and while you are still in SAFE MODE.
 
http://www.misec.net/forum/board/FAQ/1139255588
 
6.  Reboot into Normal Mode.  
 
-  Post the scan/cleaning log from the TH scan/cleaner back here on this thread.
 
7.  Now run a REMOTE Scan with Bit Defender.  Let it clean what it finds.  The link below provides the link for the Bit Defender remote scan.  BE SURE your normal Anti-virus program is disabled when running this remote scan.  Also you will need to use IE because Bit Defender requires an ActiveX download.  
 
http://www.misec.net/forum/board/FAQ/1141894786
 
8.  After the scan/cleaning with Bit Defender is complete, immediately reboot your computer.  Post back here the scan/cleaning log for Bit Defender.
 
9.  Now run a HijackThis scan and post the log back here on this thread.  DO NOT FIX anything just yet.  Let us take a look at what the HJT log shows.

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!

siliconman01 (Global Moderator)
Re: Using TrojanHunter
« Reply #2 on: Dec 8th, 2006, 3:10am »
cwroblew
 
Any luck on the scans and the problem resolution?

cwroblew (Newbie)
Re: Using TrojanHunter
« Reply #3 on: Dec 8th, 2006, 7:31am »
I'm still working on it.  It's going to take over 2 hours to finish the BitDefender scan.  Do I really need to do more than the windows partition of the hard drive?
 
This is my current HijackThis log:
 
Logfile of HijackThis v1.99.1
Scan saved at 7:28:46 AM, on 12/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
h:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
H:\Program Files\xampp\mysql\bin\mysqld-nt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
j:\Program Files\Belkin Bulldog Plus\upsd.exe
J:\Program Files\RAMpage\RAMpage.exe
J:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
J:\Program Files\Startup Mechanic\StartupMonitor.exe
J:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
j:\Program Files\Muiltmedia keyboard utility\1.3\KbdAp32A.exe
J:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
i:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\Skype\Phone\Skype.exe
H:\Program Files\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
J:\Program Files\Netscape\Netscape\Netscp.exe
J:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
J:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
J:\Program Files\SpeedItUpExtreme\SpeedItUpEx.exe
J:\Program Files\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
J:\Program Files\HijackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crosswalk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - J:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - J:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - J:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - J:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RegistryMechanic] I:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [RAMpage] "j:\Program Files\RAMpage\RAMpage.exe" M=64 T=160 A LG D=Y P="j:\Program Files\RAMpage\RAMpageConfig.exe"
O4 - HKLM\..\Run: [WinPatrol] J:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Startup Manager Scanner] j:\Program Files\Startup Mechanic\StartupMonitor.exe
O4 - HKLM\..\Run: [Zone Labs Client] "j:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [FLMK08KB] j:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpybotSnD] "J:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [THGuard] "J:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "j:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [Taskbar Shuffle] j:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] j:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpeedItUpEX] "J:\Program Files\SpeedItUpExtreme\SpeedItUpEx.exe" -MINI
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156626456469
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: !SASWinLogon - J:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apache2 - Unknown owner - h:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - i:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: mysql - Unknown owner - H:\Program Files\xampp\mysql\bin\mysqld-nt.exe" "--defaults-file=h:\Program Files\xampp\mysql\bin\my.cnf" mysql (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - j:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - h:\Program Files\xampp\service.exe
 
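As an added example (not code from the thread, from TrojanHunter or from HijackThis), a small Python triage script for the HijackThis log format quoted above: it splits a log into its section entries (O4, O9, O23 and so on) and flags the conditions a reviewer looks at first: "(file missing)" registrations, services with an unknown owner, the stray-quote artifact HJT produces for unquoted service paths with spaces, and autoruns launching from a temp directory. The sample log is constructed from the format seen in this thread; the "Updater" line is hypothetical.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the HijackThis v1.99 log format quoted in this thread.
# The HKCU "Updater" line is hypothetical; the others mirror the log's own entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [THGuard] "J:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Apache2 - Unknown owner - h:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HJT finding starts with a section code (R0, O2, O4, O23 ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

@dataclass
class Entry:
    code: str
    body: str
    flags: list = field(default_factory=list)

def parse_hjt(text: str) -> list:
    """Split a log into section entries; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries

def triage(entries: list) -> list:
    """Attach review flags (defender heuristics) and return the entries that got any."""
    for e in entries:
        b = e.body
        if b.endswith("(file missing)"):
            e.flags.append("registered binary absent: stale entry or removed component")
        if e.code == "O23" and "Unknown owner" in b:
            e.flags.append("service with no publisher info: verify the binary's origin")
        if e.code == "O23" and re.search(r'\.exe"\s', b):
            e.flags.append("stray quote: unquoted service path with spaces, mis-split by HJT")
        if e.code == "O4" and re.search(r"\\(Temp|Local Settings)\\", b, re.I):
            e.flags.append("autorun from a temp/profile directory: common for droppers, verify")
    return [e for e in entries if e.flags]

def section_counts(entries: list) -> Counter:
    """How many entries each HJT section contributed (quick overview of a log)."""
    return Counter(e.code for e in entries)

if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(e.code, "|", e.body[:60], "->", "; ".join(e.flags))
```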

siliconman01 (Global Moderator)
Re: Using TrojanHunter
« Reply #4 on: Dec 8th, 2006, 3:37pm »
Sorry for the slow response.  My ISP lost a couple of servers early this morning and just got back on line.
 
Quote:
Do I really need to do more than the windows partition of the hard drive?

 
Your HJT log shows that you are using several different hard drives to load programs.  You should scan them all.
 
I'm looking over your HJT log.
 
« Last Edit: Dec 8th, 2006, 3:47pm by siliconman01 »

siliconman01 (Global Moderator)
Re: Using TrojanHunter
« Reply #5 on: Dec 8th, 2006, 3:45pm »
I do not see any evidence of an infection in the HJT scan.  Did TH find and clean something in SAFE MODE?

siliconman01 (Global Moderator)
Re: Using TrojanHunter
« Reply #6 on: Dec 8th, 2006, 4:33pm »
I think I have possibly found where you are infected.
 
Please go to the link below and read the beginning info.  It states that STARTUP MECHANIC is the source of NSIS Media malware.  If you look at the list of DLLs installed, it shows avwmdm.dll as one of the malicious files.
 
http://kichik.net/
 
Would you please submit these two files for analysis by Gavin:

StartupMonitor.exe
RegMech.exe
 
The link below describes how to submit files to Mischel Internet Security.
 
http://www.misec.net/forum/board/FAQ/1139308293
 

cwroblew (Newbie)
Re: Using TrojanHunter
« Reply #7 on: Dec 8th, 2006, 7:05pm »
I've been running Startup Mechanic since before I first upgraded to XP from W2K on this machine.  I did have the NSIS Media worm before and found something to remove it but I couldn't find that link again.  I don't remember if it was before or after the upgrade back in July.
 
It took over 8 hours for the av scan and it didn't quite finish the last drive(s), but it found and deleted stuff in zip files that I had for intrusion detection but it didn't find either NSIS Media or Cydoor.
 
I'm a little distracted right now (I deleted some important XP files accidentally, but managed to retrieve them), and I'm not sure if I can find the log from running Trojan Hunter in safe mode.  I'll try again a little later.
 
This is all I found so far for logs of the Trojan Hunter scan:
 
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found adware file: C:\WINDOWS\system32\avwmdm.dll (Adware.Cydoor.100)
1 files identified
 
I will submit the two files you requested.

siliconman01 (Global Moderator)
Re: Using TrojanHunter
« Reply #8 on: Dec 8th, 2006, 11:53pm »
I've emailed Gavin to examine this post and also alerted him that you will be submitting the two files.

cwroblew (Newbie)
Re: Using TrojanHunter
« Reply #9 on: Dec 14th, 2006, 6:10am »
I finally got rid of it.
 
I installed AVG Anti-Spyware and with the help of Trojan Hunter and Spyware Search and Destroy (each program removed one piece), everything seems to be gone.  Today is the first day I booted up with no alerts.

siliconman01 (Global Moderator)
Re: Using TrojanHunter
« Reply #10 on: Dec 14th, 2006, 7:43am »
Great!  Very glad it is finally out of your system.
 
Would it be possible for you to submit the quarantined files to Gavin that S&D and AVG AS removed so that he can strengthen TH's ruleset for this?  Certainly would appreciate it.

cwroblew (Newbie)
Re: Using TrojanHunter
« Reply #11 on: Dec 14th, 2006, 7:54am »
I'm not sure how to do it, but I'll try.

siliconman01 (Global Moderator)
Re: Using TrojanHunter
« Reply #12 on: Dec 14th, 2006, 8:00am »
Thanks.
 
You may not be able to do it if S&D and/or AVG AS have their quarantined files locked.  Your mail program may not be able to copy them for the attachment transmittal.  Appreciate your effort in advance.

cwroblew (Newbie)
Re: Using TrojanHunter
« Reply #13 on: Dec 18th, 2006, 6:10am »
Sorry it took so long.  I sent the email today.