Mischel Internet Security Forum > Malware > Trojans (Moderators: Helena, Gavin_Coe, Magnus)
Topic: Recurring Trojans (Read 3671 times)
redcell (Newbie, 46 posts)
Recurring Trojans
« on: Oct 25th, 2009, 10:27am »

I'm hoping I can get some help with an issue I'm having. I am running XP Professional. I use TrojanHunter (paid subscription), McAfee Internet Security and Spy Sweeper. Lately my Spy Sweeper picks up and puts the following items in Quarantine:
 
Trojan-Backdoor-Yat
Trojan-Backdoor-Cybertakover
Xdialer
Gain-Common-Components
 
I delete them and about 5 hours later they are picked up again. Trojan Checker comes up clean. I scanned in Safe Mode as well and nothing. McAfee comes up clean as well. I took the unit to an office supply tech department and they ran a scan and it came up clean as well. My question is, how can I tell if these Trojans are in fact Trojans? The Spy Sweeper that I have is part of a suite provided by MSN. Their support is dismal at best. I also had SUPERAntiSpyware; that came up clean as well. I unloaded that program thinking there maybe was a conflict. I trust Trojan Checker, as I've used it for years and never knew it to miss anything.
siliconman01 (Global Moderator, 7358 posts)
Re: Recurring Trojans
« Reply #1 on: Oct 25th, 2009, 12:06pm »

Quote:
Trojan Checker comes up clean.

 
I assume that you mean TrojanHunter, not Trojan Checker ?
 
Please do the following:
 
1.  Download/Install Hijackthis and then run a scan with it.  The link below is for Hijackthis download.
 
http://www.misec.net/forum/board/FAQ/1163329424
 
2.  Post the Hijackthis scan log back here for us to examine.
 
Quote:
Lately my spy sweeper picks up and puts the following items in Quarantine:  
 
Trojan-Backdoor-Yat  
Trojan-Backdoor-Cybertakover  
Xdialer  
Gain-Common-Components
 
 
What are the names of the files that SS is detecting as the above?  Is there a SS log that you can post back here that shows what SS is detecting/quarantining?  If so, please post it back here also.  It is possible that SS is detecting some False Positives.  
 
Are you running the antivirus version of SS alongside McAfee antivirus?  Conflicts can occur if you run two antivirus engines at the same time.  This is not a problem with antispyware programs...just antivirus engines.
______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
redcell (Newbie, 46 posts)
Re: Recurring Trojans
« Reply #2 on: Oct 25th, 2009, 1:51pm »

Thanks for your reply, Yes I meant Trojan Hunter! Sorry.
No, I am not running the antivirus part of Spy Sweeper. I can view the files associated with these items; however, there is no way to copy or save them. There are only 2 with the first; however, with the 2nd and 3rd there are like 70 files associated with each of them. I typed some for Cybertakover.
 
Trojan-Backdoor-Yat
C:\windows\temp\eq8e.exe
C:\windows\temp\gqwh0xy.exe
 
Trojan-Backdoor-Cybertakover
C:\windows\temp\xdonrz5x.exe
C:\windows\temp\7no3xt0.exe
C:\windows\temp\epkke.exe
C:\windows\temp\1opk5eo.exe
C:\windows\temp\nudges.exe
C:\windows\temp\zep1c.exe
C:\windows\temp\cmxtsrgk.exe
C:\windows\temp\5wnw.exe
C:\windows\temp\yfnr1p9.exe
C:\windows\temp\fq2yaf.exe
C:\windows\temp\ ekzrfg
50 more listed
 
 
 
 
Xdialer
70 files associated
 
 
 
Gain-Common-Components
C:\windows\temp\2yxsifo.exe
 
 
I ran Hijack this and here is the log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:06 PM, on 10/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
 
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\pctspk.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [srmclean] "C:\Cpqs\Scom\srmclean.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunOnce: [Compaq_RBA] "C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe" -z
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {E6D8BD90-5070-4C6D-BAF3-B47703BB2A20} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\System32\Ati2evxx.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Google Update Service (gupdate1ca452dbd456800) (gupdate1ca452dbd456800) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\Windows\System32\ImapiRox.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\Windows\system32\pctspk.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc.(www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc.  - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O24 - Desktop Component 0: (no name) - http://www.draugiem.lv/img/x.gif
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg
 
--
End of file - 11189 bytes
 
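The temp-directory file list in the post above is the kind of evidence that answers the question in the first post (are these really Trojans?). The Python script below is an added example, not code from the thread or from Spy Sweeper, TrojanHunter or ComboFix: it takes the reported paths, checks that they all sit under a directory called temp (a dropper running as the logged-on user can always write there), hashes any executables found in such a directory so the digests can be compared across the recurrences or looked up elsewhere, and estimates the recurrence interval from file timestamps, since a steady gap (the five hours reported above) usually points at a scheduled task or a service timer re-creating the files. The sample directory and its contents are constructed placeholders, not malware; the digest lookup service is left to the reader.

```python
"""Triage helper for detections that keep reappearing in a temp directory.

Added example, not code from the thread or from Spy Sweeper, TrojanHunter
or ComboFix. Assumes the flagged files are ordinary files that can be read.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Paths copied from the Spy Sweeper detections posted above (a subset).
REPORTED = {
    "Trojan-Backdoor-Yat": [
        r"C:\windows\temp\eq8e.exe",
        r"C:\windows\temp\gqwh0xy.exe",
    ],
    "Trojan-Backdoor-Cybertakover": [
        r"C:\windows\temp\xdonrz5x.exe",
        r"C:\windows\temp\7no3xt0.exe",
        r"C:\windows\temp\epkke.exe",
    ],
    "Gain-Common-Components": [r"C:\windows\temp\2yxsifo.exe"],
}

# Any path component named "temp" (C:\windows\temp, ...\Local Settings\Temp).
TEMP_COMPONENT = re.compile(r"\\temp\\", re.IGNORECASE)


def in_temp_dir(path: str) -> bool:
    """True when the file lives under a directory called temp."""
    return TEMP_COMPONENT.search(path) is not None


def temp_counts(reported: dict) -> dict:
    """Per detection name: how many of its paths are in a temp directory.

    If every path is in temp, the detection is about dropped files rather
    than a registry entry or a system binary, which changes the triage.
    """
    return {name: sum(in_temp_dir(p) for p in paths)
            for name, paths in reported.items()}


def sha256_file(path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(directory, seen: dict) -> list:
    """Hash every .exe/.dll in `directory` not already recorded in `seen`.

    `seen` maps file name -> digest and is updated in place, so calling
    this again later returns only what appeared since the last call.
    Returns a list of (name, sha256, mtime) for the new files.
    """
    new = []
    for entry in sorted(Path(directory).iterdir()):
        if entry.suffix.lower() not in (".exe", ".dll") or entry.name in seen:
            continue
        digest = sha256_file(entry)
        seen[entry.name] = digest
        new.append((entry.name, digest, entry.stat().st_mtime))
    return new


def recurrence_interval(timestamps):
    """Median gap in seconds between consecutive drops, or None.

    A stable gap (about 18000 s for the five hours reported above) is the
    signature of a scheduled task or service timer, not a one-off infection.
    """
    ordered = sorted(timestamps)
    gaps = sorted(b - a for a, b in zip(ordered, ordered[1:]))
    return gaps[len(gaps) // 2] if gaps else None


def make_demo_dir() -> str:
    """Create a throwaway directory with constructed sample files.

    Two names are taken from the post above; the contents are placeholder
    bytes (not malware) so the script can be run offline.
    """
    demo = tempfile.mkdtemp(prefix="temp_triage_")
    Path(demo, "eq8e.exe").write_bytes(b"")           # empty placeholder
    Path(demo, "gqwh0xy.exe").write_bytes(b"MZ demo")  # placeholder bytes
    Path(demo, "notes.txt").write_text("ignored: not an executable")
    return demo


if __name__ == "__main__":
    print(temp_counts(REPORTED))
    seen = {}
    demo = make_demo_dir()
    for name, digest, mtime in inventory(demo, seen):
        print(f"{name}  {digest}  mtime={mtime:.0f}")
    print("new on second pass:", inventory(demo, seen))
```

Run it against C:\Windows\Temp twice, a few hours apart, keeping the `seen` dictionary between runs (pickle it or just keep the interpreter open). Identical digests under different random names mean one dropper is re-creating the same payload, and the mtimes of the new batch can be matched against the Scheduled Tasks section of a ComboFix log or the service start times.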
siliconman01 (Global Moderator, 7358 posts)
Re: Recurring Trojans
« Reply #3 on: Oct 25th, 2009, 4:03pm »

There is nothing obvious showing up in your HiJackthis log.  From your posting of what SS is quarantining, it is definitely finding malicious items.  Please do the following.
 
1.  Run another scan with Hijackthis.  When the scan is completed, place a check mark in the box next to the following items.  BE SURE that these are the only items checked.
 
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
 
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

 
2.  Close your browser if it is open.
 
3.  Click on Fix Checked located at the lower left of the Hijackthis window.  Confirm that you want HJT to fix these items and let it fix them.
 
4.  Close HiJackthis
 
5.  Go to the link below and download Combofix.exe and save it on your desktop.
 
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
6.  Temporarily disable your security programs except your software firewall.
 
7.  Close down as many programs as you can (the icons next to the system clock in the Notification tray/Systray)
 
8.  Now carefully follow the instructions in the link above and run Combofix.exe.
 
9.  Once Combofix is completed, please post the Combofix log back here for us to examine.
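The moderator's pick above (the two entries whose target is "(no file)") is a rule that can be applied mechanically to a HijackThis log, together with a second rule a practitioner would add for the case in this thread: any autorun whose executable lives in a temp directory. The Python below is an added example, not code from the thread or from HijackThis itself; it assumes the O2/O3/O9 and O4 line shapes seen in the posted log. The sample lines are copied from that log except the `[updater]` O4 line, which is constructed so the temp rule has something to catch.

```python
"""HijackThis log triage: flag orphaned entries and autoruns from temp.

Added example, not part of the thread and not HijackThis's own code. It
assumes the O2/O3/O9 and O4 line shapes seen in the log above; the sample
lines are copied from that log, except the "[updater]" O4 line, which is
constructed to exercise the temp-directory rule.
"""
import re

SAMPLE_LOG = r"""
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [updater] "C:\windows\temp\xdonrz5x.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
"""

# Oxx - Kind: display name - {CLSID} - path      (O2/O3/O9/O18 entries)
COM_ENTRY = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<guid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
# O4 - HKLM\..\Run: [value name] "path" args      (autorun entries)
RUN_ENTRY = re.compile(
    r"^(?P<section>O4) - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
# Any path component named temp, case-insensitive.
TEMP_COMPONENT = re.compile(r"\\temp\\", re.IGNORECASE)


def _run_target(rest: str) -> str:
    """Executable path from an O4 value: the quoted part, or the first token."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split()[0] if rest else ""


def parse(lines):
    """Yield one dict per log line that either pattern recognises."""
    for line in lines:
        m = COM_ENTRY.match(line)
        if m:
            yield {"line": line, "section": m["section"], "name": m["name"],
                   "guid": m["guid"], "target": m["target"].strip()}
            continue
        m = RUN_ENTRY.match(line)
        if m:
            yield {"line": line, "section": m["section"], "name": m["name"],
                   "guid": None, "target": _run_target(m["rest"])}


def triage(lines):
    """Return the entries worth fixing, each with the reason it was flagged."""
    flagged = []
    for entry in parse(lines):
        target = entry["target"]
        if target == "(no file)":
            reason = "registered but missing on disk (orphan)"
        elif TEMP_COMPONENT.search(target):
            reason = "loads an executable from a temp directory"
        else:
            continue
        flagged.append({**entry, "reason": reason})
    return flagged


def fix_list(flagged):
    """The exact log lines to tick before 'Fix checked' in HijackThis."""
    return [f["line"] for f in flagged]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['section']}  {f['guid'] or f['name']}  {f['target']}  <- {f['reason']}")
```

Lines the parser does not recognise (O1 hosts entries, O16 DPF, O23 services) pass through unflagged; extend `parse` with one pattern per section if you want them covered. An orphan is harmless on its own, but clearing it keeps later logs shorter, which is why the moderator fixes those two entries before anything else.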
redcell (Newbie, 46 posts)
Re: Recurring Trojans
« Reply #4 on: Oct 25th, 2009, 5:34pm »

Here is the combofix log.  
 
 
ComboFix 09-10-25.01 - Owner 10/25/2009 18:58.1.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.655 [GMT -4:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\windows\compaq.reg
c:\windows\INET.reg
 
.
(((((((((((((((((((((((((   Files Created from 2009-09-25 to 2009-10-25  )))))))))))))))))))))))))))))))
.
 
2009-10-25 19:36 . 2009-10-25 19:36  --------  d-----w-  c:\program files\Trend Micro
2009-10-25 15:52 . 2009-10-25 15:52  --------  d-----w-  c:\documents and settings\Administrator\Application Data\TrojanHunter
2009-10-24 16:25 . 2009-10-24 16:34  --------  d-----w-  c:\documents and settings\All Users\Application Data\support.com
2009-10-24 16:22 . 2009-10-24 16:22  --------  d-----w-  c:\documents and settings\Owner\Application Data\supportdotcom
2009-10-24 16:21 . 2009-10-24 17:06  --------  d-----w-  c:\program files\Common Files\supportdotcom
2009-10-24 16:03 . 2009-10-24 16:03  --------  d-----w-  c:\documents and settings\Owner\Application Data\SupportSoft
2009-10-24 16:02 . 2009-10-24 16:20  --------  d-----w-  c:\program files\Common Files\supportsoft
2009-10-05 20:15 . 2009-10-05 20:15  --------  d-----w-  c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-10-04 20:10 . 2009-10-14 00:15  --------  d-----w-  c:\documents and settings\Owner\Local Settings\Application Data\Temp
2009-10-04 20:05 . 2009-10-04 20:05  --------  d-----w-  c:\program files\Common Files\xing shared
2009-10-04 20:03 . 2009-10-04 20:03  499712  ----a-w-  c:\windows\system32\msvcp71.dll
2009-10-04 00:03 . 2009-10-04 00:03  --------  d-----w-  c:\program files\Pure Networks
2009-10-04 00:00 . 2008-05-16 10:10  23992  ----a-w-  c:\windows\system32\drivers\pnarp.sys
2009-10-03 23:59 . 2008-05-16 10:10  25272  ----a-w-  c:\windows\system32\drivers\purendis.sys
2009-10-03 23:58 . 2009-10-03 23:58  --------  d-----w-  c:\program files\Common Files\Pure Networks Shared
2009-10-02 19:34 . 2009-10-02 19:34  --------  d-----w-  c:\program files\DIFX
2009-10-02 19:30 . 2009-10-03 23:58  --------  d-----w-  c:\documents and settings\All Users\Application Data\Pure Networks
2009-09-29 08:43 . 2009-09-29 08:43  2560  ----a-w-  c:\windows\system32\drivers\ssrangdr.sys
2009-09-29 08:43 . 2009-09-29 08:43  18560  ----a-w-  c:\windows\system32\ssrangdr.dll
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 23:00 . 2005-01-08 01:44  --------  d-----w-  c:\documents and settings\Owner\Application Data\MSN6
2009-10-24 18:50 . 2006-06-28 10:03  --------  d-----w-  c:\documents and settings\Owner\Application Data\Skype
2009-10-24 16:17 . 2009-02-11 01:14  --------  d-----w-  c:\program files\SUPERAntiSpyware
2009-10-21 21:49 . 2007-08-04 13:54  --------  d-----w-  c:\program files\McAfee
2009-10-20 03:07 . 2005-01-08 03:14  --------  d-----w-  c:\program files\QUICKENW
2009-10-04 20:07 . 2002-09-23 22:39  --------  d-----w-  c:\program files\Common Files\Real
2009-10-04 20:06 . 2005-09-04 00:10  --------  d-----w-  c:\program files\Google
2009-10-03 01:35 . 2009-06-30 17:59  --------  d-----w-  c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-25 05:37 . 2004-01-08 20:23  667136  ----a-w-  c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2005-01-15 20:38  81920  ------w-  c:\windows\system32\ieencode.dll
2009-09-16 14:22 . 2007-08-04 14:42  40552  ----a-w-  c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2007-08-04 14:42  35272  ----a-w-  c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2007-08-04 14:42  79816  ----a-w-  c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2007-08-04 14:42  214664  ----a-w-  c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2007-08-04 14:42  34248  ----a-w-  c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2001-08-18 13:00  136192  ----a-w-  c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2001-08-18 13:00  58880  ----a-w-  c:\windows\system32\msasn1.dll
2009-08-28 01:43 . 2005-01-15 23:29  --------  d-----w-  c:\program files\Paltalk Messenger
2009-08-28 01:39 . 2008-06-29 01:40  --------  d-----w-  c:\documents and settings\All Users\Application Data\Kodak
2009-08-26 08:00 . 2001-08-18 13:00  247326  ----a-w-  c:\windows\system32\strmdll.dll
2009-08-06 23:24 . 2005-01-10 17:19  327896  ----a-w-  c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2005-01-10 17:19  209632  ----a-w-  c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 08:16  44768  ----a-w-  c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2005-01-10 17:19  35552  ----a-w-  c:\windows\system32\wups.dll
2009-08-06 23:24 . 2001-08-18 13:00  53472  ----a-w-  c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2001-08-18 13:00  96480  ----a-w-  c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2005-01-10 17:19  575704  ----a-w-  c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2001-08-18 13:00  1929952  ----a-w-  c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2001-08-18 13:00  204800  ----a-w-  c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 2001-08-18 13:00  2189184  ----a-w-  c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2001-08-18 13:00  2066048  ----a-w-  c:\windows\system32\ntkrnlpa.exe
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown  
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"THGuard"="c:\program files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 1046688]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-04 198160]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-04-24 6155808]
 
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - c:\program files\QUICKENW\BILLMIND.EXE [2005-1-7 36864]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^^Programs^Startup^APC UPS Status.lnk]
path=c:\documents and settings\All Users\Start Menu\\Programs\Startup\APC UPS Status.lnk
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup
backupExtension=Common Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^^Programs^Startup^Image Transfer.lnk]
path=c:\documents and settings\All Users\Start Menu\\Programs\Startup\Image Transfer.lnk
backup=c:\windows\pss\Image Transfer.lnkCommon Startup
backupExtension=Common Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
backupExtension=Common Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
backupExtension=Common Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^^Programs^Startup^Verizon Online Support Center.lnk]
path=c:\documents and settings\All Users\Start Menu\\Programs\Startup\Verizon Online Support Center.lnk
backup=c:\windows\pss\Verizon Online Support Center.lnkCommon Startup
backupExtension=Common Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FastUserSwitchingCompatibility"=3 (0x3)
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\msn.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDPCheesyHCP Discovery Service
 
R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [1/15/2005 6:43 PM 17792]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/3/2008 6:14 PM 203280]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [5/17/2009 3:41 PM 1181040]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [11/23/2007 10:24 AM 114672]
S2 gupdate1ca452dbd456800;Google Update Service (gupdate1ca452dbd456800);c:\program files\Google\Update\GoogleUpdate.exe [10/4/2009 4:03 PM 133104]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [1/11/2008 8:40 PM 39048]
S3 ssrangdr;ssrangdr;c:\windows\system32\drivers\ssrangdr.sys [9/29/2009 4:43 AM 2560]
 
--- Other Services/Drivers In Memory ---
 
*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
 
2009-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-12-26 21:57]
 
2009-10-24 c:\windows\Tasks\Defragmentation.job
- c:\windows\system32\defrag.exe [2001-08-18 00:12]
 
2009-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-04 20:02]
 
2009-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-04 20:02]
 
2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-08-04 16:22]
 
2009-10-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-08-04 16:22]
 
2002-09-23 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-09-23 00:23]
 
2009-10-25 c:\windows\Tasks\TrojanHunter Scanner.job
- c:\program files\TrojanHunter 5.0\thcl.exe [2007-10-20 13:31]
 
2009-10-25 c:\windows\Tasks\wrSpySweeper_L0BF451ABDC6D49A0BE88B81340BB19FB.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-07-31 17:19]
 
2009-10-25 c:\windows\Tasks\wrSpySweeper_L0BF451ABDC6D49A0BE88B81340BB19FB.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-07-31 17:19]
.
.
------- Supplementary Scan -------
.
mDefault_Page_URL = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
mStart Page = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
mSearch Bar = hxxp://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Yahoo! Chat - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y6rwz5xq.default\
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\y6rwz5xq.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\JavaSoft\JRE\1.3.1\bin\NPJava11.dll
FF - plugin: c:\program files\JavaSoft\JRE\1.3.1\bin\NPJava12.dll
FF - plugin: c:\program files\JavaSoft\JRE\1.3.1\bin\NPJava131.dll
FF - plugin: c:\program files\JavaSoft\JRE\1.3.1\bin\NPJava32.dll
FF - plugin: c:\program files\JavaSoft\JRE\1.3.1\bin\NPOJI600.dll
 
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -
 
HKLM-Run-POINTER - point32.exe
SafeBoot-svcWRSSSDK
 
 
 
**************************************************************************
 
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 19:11
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ...  
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
Completion time: 2009-10-25 19:16
ComboFix-quarantined-files.txt  2009-10-25 23:16
 
Pre-Run: 51,417,989,120 bytes free
Post-Run: 51,474,837,504 bytes free
 
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\Windows
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\Windows="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
 
- - End Of File - - 458F3C512402D03D6306FD292C688EAC
redcell (Newbie, 46 posts)
Re: Recurring Trojans
« Reply #5 on: Oct 25th, 2009, 5:38pm »

Here is the log file of what it quarantined.
 
2009-10-25 23:14:14 . 2009-10-25 23:14:14    554 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-svcWRSSSDK.reg.dat
2009-10-25 23:13:48 . 2009-10-25 23:13:48    106 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-POINTER.reg.dat
2009-10-25 23:07:42 . 2009-10-25 23:07:42  7,535 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-10-25 22:50:49 . 2009-10-25 22:50:49     51 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2005-01-09 11:04:02 . 2005-01-09 11:04:02    335 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\INET.reg.vir
2002-09-23 22:40:03 . 2009-10-25 22:49:43  4,646 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\compaq.reg.vir
IP Logged
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 7358
Re: Recurring Trojans
« Reply #6 on: Oct 25th, 2009, 11:37pm »

Okay, Combofix.exe caught some items.  Now let's run a couple of REMOTE scans to see if anything is found.  The reason for requesting that you run remote scans is that it negates something malicious on your system that might be embedded in your security software and affecting them in their detections.  
 
First remove Combofix.exe from your system.  Do the following:
 
1.  Go to START>Run and type in   Combofix.exe /u
(Note the space before the /u)
 
2.  Click on OK and let Combofix remove itself.
 
3.  Reboot
 
Temporarily disable your security software except your software firewall.  Close down as many programs as you can.
 
1.  Perform a remote scan with SuperAntiSpyware.  Let it quarantine what it finds.  
 
http://www.superantispyware.com/onlinescan.html
 
2.  Perform a remote scan with Bit Defender.
 
http://www.bitdefender.com/scanner/online/free.html
 
3.  Please post back here the scan logs for SAS and BitDefender.
« Last Edit: Oct 25th, 2009, 11:40pm by siliconman01 » IP Logged

______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
redcell
Newbie
Gender: male
Posts: 46
Re: Recurring Trojans
« Reply #7 on: Oct 26th, 2009, 8:12pm »


I ran the scans you suggested, here are the reports.
 
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
 
Generated 10/26/2009 at 07:21 PM
 
Application Version : 4.29.1002
 
Core Rules Database Version : 4176
Trace Rules Database Version: 0
 
Scan type  : Complete Scan
Total Scan Time : 01:01:31
 
Memory items scanned : 498
Memory threats detected   : 0
Registry items scanned    : 5382
Registry threats detected : 0
File items scanned   : 29139
File threats detected     : 7
 
Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@list[1].txt
C:\Documents and Settings\Owner\Cookies\owner@spylog[2].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ak[2].txt
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@rambler[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tns-counter[1].txt
 
 
 
 
BitDefender Online Scanner
 
Scan report generated at: Mon, Oct 26, 2009 - 22:02:34
 
Scan path: A:\;C:\;D:\;E:\;
 
Statistics
Time: 02:04:11
Files: 248505
Folders: 9467
Boot Sectors: 0
Archives: 11753
Packed Files: 9919
 
Results
Identified Viruses: 0
Infected Files: 0
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 0
 
Engines Info
Virus Definitions: 4461643
Engine build: AVCORE v2.1 Windows/i386 11.0.0.26 (Aug 27 2009)
Scan plugins: 17
Archive plugins: 44
Unpack plugins: 8
E-mail plugins: 6
System plugins: 4
 
Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes
 
Scanned File - Status
No virus found.
 
IP Logged
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 7358
Re: Recurring Trojans
« Reply #8 on: Oct 26th, 2009, 10:16pm »

Okay, SAS only found tracking cookies...which is no big deal and would not be causing you any problems.  Bit Defender found nothing.  
 
Let's check your HOSTS file and see if it has been maliciously modified.  As you probably know, the HOSTS file is used by your browser and can be maliciously modified to send you to bad websites.  Please do the following.
 
NOTE:  SpySweeper used to insert entries in the HOSTS file.  I don't know if newer versions of SS still do this.  If SS does still control the HOSTS file, then you may not be able to make any manual modifications to it.
 
1.  Using Windows Explorer, navigate to folder etc located at C:\Windows\System32\drivers\etc
 
You will see a file that is named HOSTS with no extension
 
2.  Open file HOSTS with NotePad.
 
3.  The first active line entry must be  
127.0.0.1 localhost  
(Note: lines beginning with # are comment lines and are not active)
 
IF the first active line is 127.0.0.1 localhost,  then every active line following must start with 127.0.0.1 as shown below:
 
Quote:

127.0.0.1 localhost
127.0.0.1 fr.a2dfp.net
127.0.0.1 m.fr.a2dfp.net
127.0.0.1 ad.a8.net

 
IF your first active line is not 127.0.0.1   localhost OR if you find active lines that start with something other than 127.0.0.1, then your HOSTS file probably has been tampered with.  If so,
 
-  Delete all lines in the HOSTS file.
 
-  Insert one line that is 127.0.0.1 localhost  
 
-  Save the new HOSTS file and exit NotePad
 
4.  Exit NotePad and reboot IF you made any modifications to the HOSTS file.  
 
5.  Please post back here what you discovered concerning your HOSTS file.
 
Is Spy Sweeper still finding the original malicious files?
IP Logged

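The HOSTS-file rule the moderator gives above, turned into a checker as an added example (not code from the thread or from any of the products mentioned). It assumes the file has already been read into a string; the sample files are constructed, and 203.0.113.5 and the example.com/example.net host names are placeholders.

```python
# Added example, not from the thread: applies the HOSTS-file rule the post
# above gives (first active line must be "127.0.0.1 localhost", every later
# active line must start with 127.0.0.1). Lines starting with '#' are comments.
LOOPBACK = "127.0.0.1"

def active_lines(text):
    """Return (line_number, text) for each non-blank, non-comment line."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing '# ...' comments
        if line:
            out.append((n, line))
    return out

def check_hosts(text):
    """Return {'tampered': bool, 'findings': [(line_no, text, reason), ...]}."""
    findings = []
    entries = active_lines(text)
    if not entries:
        findings.append((0, "", "no active lines; expected '127.0.0.1 localhost'"))
        return {"tampered": True, "findings": findings}
    first_no, first = entries[0]
    if first.split() != [LOOPBACK, "localhost"]:
        findings.append((first_no, first, "first active line is not '127.0.0.1 localhost'"))
    for n, line in entries[1:]:
        # compare the whole address field, so "127.0.0.10 x" is not waved through
        if line.split()[0] != LOOPBACK:
            findings.append((n, line, "active line does not point at 127.0.0.1"))
    return {"tampered": bool(findings), "findings": findings}

# Constructed sample files (placeholders, not captured from the poster's machine).
CLEAN_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97     rhino.acme.com     # source server

127.0.0.1  localhost
127.0.0.1 fr.a2dfp.net
127.0.0.1 m.fr.a2dfp.net   # trailing comment is fine
"""
TAMPERED_HOSTS = """127.0.0.1 localhost
203.0.113.5 update.example.com
127.0.0.1 ad.a8.net
"""
FIRST_LINE_WRONG = """127.0.0.1 tracker.example.net
127.0.0.1 localhost
"""
```

This is the post's heuristic for an XP-era file; on later Windows versions a legitimate file may also carry an IPv6 "::1 localhost" line, which this rule would flag.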
redcell
Newbie
Gender: male
Posts: 46
Re: Recurring Trojans
« Reply #9 on: Oct 27th, 2009, 9:56am »

Here is the HOSTS report!
 
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97     rhino.acme.com     # source server
#  38.25.63.10     x.acme.com    # x client host
 
127.0.0.1  localhost
 
 
I deleted the quarantined files from SpySweeper this morning and it's been about 6 hrs. Nothing yet. But let me give it some more time. These things can come back in 24 hrs.
IP Logged
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 7358
Re: Recurring Trojans
« Reply #10 on: Oct 27th, 2009, 4:20pm »

Your HOSTS file is fine.  Okay, let me know if the critter returns.
IP Logged

redcell
Newbie
Gender: male
Posts: 46
Re: Recurring Trojans
« Reply #11 on: Oct 27th, 2009, 4:57pm »

Sure will! It's been almost 12 hrs so far and I ran a sweep with Spy Sweeper. All I got was the few normal cookies. So far so good. Let me take the time to thank you for all your help so far! That's why I'll always have Trojan Hunter on my PC.
IP Logged
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 7358
Re: Recurring Trojans
« Reply #12 on: Oct 27th, 2009, 9:09pm »

You are most welcome.
IP Logged

redcell
Newbie
Gender: male
Posts: 46
Re: Recurring Trojans
« Reply #13 on: Oct 28th, 2009, 4:20am »

Sorry to say, this morning they were back. Now TH picked up some in a scan last night.
TrojanHunter Scan Report
Saved 2009-10-28 at 03:58
 
Scanning drives C:\
Found trojan file: C:\32788R22FWJFW\hidec.exe (RiskTool.Hidec.100)
Found trojan file: C:\Documents and Settings\Owner\My Documents\Downloads\ComboFix.exe/hidec.exe (RiskTool.Hidec.100)
Found trojan file: C:\Documents and Settings\Owner\My Documents\Downloads\ComboFix.exe/Upxllkseykj/hidec.exe (RiskTool.Hidec.100)
Found trojan file: C:\System Volume Information\_restore{5B942C52-3EC6-4393-ADAF-2DA421A20CCE}\RP1788\A0193746.exe (RiskTool.Hidec.100)
Quarantined file C:\32788R22FWJFW\hidec.exe
Quarantined file C:\Documents and Settings\Owner\My Documents\Downloads\ComboFix.exe
Unable to quarantine file C:\Documents and Settings\Owner\My Documents\Downloads\ComboFix.exe: Scheduling file to be quarantined when computer is restarted
Quarantined file C:\System Volume Information\_restore{5B942C52-3EC6-4393-ADAF-2DA421A20CCE}\RP1788\A0193746.exe
 
In addition, McAfee picked up a potentially unwanted program named "Tool-NirCMD".
IP Logged
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 7358
Re: Recurring Trojans
« Reply #14 on: Oct 28th, 2009, 7:31am »

It looks to me like TrojanHunter found remnants of the removal tool Combofix.exe that you used earlier.  Did you remove Combofix from your system as I described?
 
Quote:
First remove Combofix.exe from your system.  Do the following:  
 
1.  Go to START>Run and type in   Combofix.exe /u  
(Note the space before the /u)  
 
2.  Click on OK and let Combofix remove itself.  
 
3.  Reboot

 
The item that TH found in your system restore folder is probably Combofix as well.
 
Quote:
Quarantined file C:\System Volume Information\_restore{5B942C52-3EC6-4393-ADAF-2DA421A20CCE}\RP1788\A0193746.exe

 
System Restore can be totally cleared out as described in the link below.  
 
http://www.misec.net/forum/board/FAQ/1139255588
 
Please see the link below concerning the McAfee detection.
 
http://forums.majorgeeks.com/showthread.php?t=177888
 
So I think that all this activity is due to Combofix and none of it is malicious.  
IP Logged
