The Mother Board

Motherboards.org forums. Free tech support, motherboard ID, and more.
Post new topic Reply to topic  [ 33 posts ]  Go to page 1, 2, 3, 4  Next
 Post subject: trojan war
PostPosted: Wed Dec 22, 2004 12:16 am 
Initiate

Joined: Fri Jun 25, 2004 5:22 pm
Posts: 83
I'm working on a Dell Inspiron 2650 running XP. This laptop has a trojan. Just installed AVG 7 Free; AVG 6 "would not install in system running DOS and Windows".
AVG found several Trojan Horse Downloader Agent 2BN/2BO that could not be healed, deleted or quarantined. Installed Trojan Remover, which said it removed them, and AVG could no longer find any (temp files removed and System Restore turned off first). Ad-Aware was run, and in the process AVG found the same trojans and can't stop them. They seem to be located in windows\taskman. I can delete this file and its infected files, but it comes back immediately, like a refresh. I have shut down almost all unnecessary processes in msconfig; still the same. I have a HijackThis log at this point:
Logfile of HijackThis v1.98.2
Scan saved at 11:09:43 PM, on 12/21/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\NetZero\exec.exe
F:\1104\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aasly.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aasly.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aasly.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EZN
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {229FBE4F-22E5-1C6A-14A8-91F46DF45208} - C:\WINDOWS\system32\crvr.dll (file missing)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O4 - HKLM\..\RunServices: [BEEEED6F] C:\WINDOWS\System32\fknsoz.exe
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file. ... c0991b9912
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Einnla32.dll (file missing)

can anybody help?

PostPosted: Wed Dec 22, 2004 1:58 am 
Black Belt 2nd Degree

Joined: Tue Jun 29, 2004 9:05 am
Posts: 2792
Location: St. Augustine, Fl
I'm looking into this, just wanted you to know.

What I would recommend until I put my full post up is to start in safe mode.

Clear all temp files
Clear all the users temp files in c:\documents and settings\USER\local settings\temp
c:\temp
c:\windows\temp
c:\windows\downloaded programs
c:\windows\prefetch
Make sure you get each one, clear all files and folders

And all users temp internet files
Similar to above c:\documents and settings\etc

Empty recycle bin

Go to Add/Remove Programs and remove anything you don't like.
I see IBIS toolbar and WebSearch.
Remove them if Ad-Aware hasn't already; I'm sure there are many more.

Open Task Manager and end wtools.exe (or similar) and WSUP.exe.
Delete folder C:\Program Files\Toolbar
Go to C:\Program Files\Common Files\WinTools and delete all the files in that folder.

Empty recycling bin
Run Ad-Aware again (make sure no Explorer or Internet Explorer windows are open) and post a new HJT log.

PostPosted: Wed Dec 22, 2004 2:19 am 
Black Belt 2nd Degree

Joined: Tue Jun 29, 2004 9:05 am
Posts: 2792
Location: St. Augustine, Fl
OK, here's more. This one is a little tricky.
It needs to be removed manually from many areas:
http://securityresponse.symantec.com/av ... sylum.html

After doing that, delete these in HJT:

C:\Program Files\Common Files\WinTools\WToolsS.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aasly.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aasly.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aasly.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa


R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O4 - HKLM\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O4 - HKLM\..\RunServices: [BEEEED6F] C:\WINDOWS\System32\fknsoz.exe

O4 - HKCU\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"


O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file. ... c0991b9912
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Einnla32.dll (file missing)

Now you can post a new HJT log

You will also have to run a Winsock fix to cure messed-up BHOs; I'll look up the address in a bit.

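As an added example (not code from this thread, from HijackThis or from any of the posters), the script below reproduces, over a constructed subset of the log in the first post, the flagging logic behind the removal list in the post above: orphaned registrations ("(file missing)" / "(no file)"), IE search settings served from a res:// path into a local DLL, Trusted Zone additions, RunServices autoruns, executables parked under system32\drivers\etc, remote ActiveX (DPF) downloads, non-standard protocol handlers and SSODL entries. The suspect-host and suspect-path lists are assumptions lifted from the helper's instructions (websearch.com, the C:\Program Files\Toolbar and WinTools folders); a real triage tool would carry a maintained list. It only reads the log text; it does not touch the registry or delete files.

```python
"""Heuristic triage of a HijackThis-style log (added example, not HJT code).

Parses the "Rn - ..." / "Onn - ..." entry lines and returns the ones a helper
would tell the poster to fix, with the reason(s) for each. Read-only.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the log posted in this thread, with the
# benign Dell, AVG and Messenger lines kept so the rules have something to
# leave alone. Raw string because the paths contain backslashes.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\Program Files\Common Files\WinTools\WToolsS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aasly.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {229FBE4F-22E5-1C6A-14A8-91F46DF45208} - C:\WINDOWS\system32\crvr.dll (file missing)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O4 - HKLM\..\RunServices: [BEEEED6F] C:\WINDOWS\System32\fknsoz.exe
O4 - HKCU\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file. ... c0991b9912
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Einnla32.dll (file missing)
"""

# Assumptions taken from the helper's instructions in this thread, not a
# vetted denylist: the search host and the two folders they said to remove.
SUSPECT_SEARCH_HOSTS = ("websearch.com",)
SUSPECT_PATH_FRAGMENTS = ("\\toolbar\\toolbar.dll", "\\wintools\\")

HJT_ENTRY = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<detail>.+)$")
URL_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    section: str
    reasons: list = field(default_factory=list)


def parse(text):
    """Yield (section, detail, raw_line) for entry lines; headers and the
    process list do not match the pattern and are skipped."""
    for raw in text.splitlines():
        m = HJT_ENTRY.match(raw.strip())
        if m:
            yield m["section"], m["detail"], raw.strip()


def _host_matches(detail, hosts):
    """True if the first URL in the entry is on one of `hosts` (or a subdomain)."""
    m = URL_HOST.search(detail)
    if not m:
        return False
    host = m.group(1).lower()
    return any(host == h or host.endswith("." + h) for h in hosts)


def reasons_for(section, detail):
    """Every rule the entry trips; an empty list means leave it alone."""
    low = detail.lower()
    r = []
    if "(file missing)" in low or "(no file)" in low:
        r.append("registration points at a file that no longer exists")
    if section in ("R0", "R1") and "res://" in low:
        r.append("IE search/start setting served from a local DLL resource")
    if section in ("R0", "R1") and _host_matches(detail, SUSPECT_SEARCH_HOSTS):
        r.append("IE search setting redirected to a suspect host")
    if any(frag in low for frag in SUSPECT_PATH_FRAGMENTS):
        r.append("references a folder the helper said to delete")
    if section == "O15":
        r.append("domain added to IE Trusted Zone (relaxed ActiveX/script policy)")
    if section == "O4" and "runservices" in low:
        r.append("autorun registered under RunServices")
    if section == "O4" and "\\drivers\\etc\\" in low:
        r.append("executable parked under system32\\drivers\\etc")
    if section == "O16":
        r.append("ActiveX control downloaded from a remote site (DPF)")
    if section == "O18":
        r.append("non-standard URL protocol handler")
    if section == "O21":
        r.append("ShellServiceObjectDelayLoad entry, loaded by Explorer at logon")
    return r


def triage(text):
    """One Finding per flagged entry line, in log order, duplicates dropped."""
    seen, out = set(), []
    for section, detail, raw in parse(text):
        reasons = reasons_for(section, detail)
        if reasons and raw not in seen:
            seen.add(raw)
            out.append(Finding(raw, section, reasons))
    return out


def fix_list(text):
    """The raw lines to tick in HijackThis, in the form a helper posts them."""
    return [f.line for f in triage(text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for why in f.reasons:
            print("    ->", why)
```

Run as a script it prints the fix list with a reason under each line; the Dell start page, the AVG Run entry and the Messenger button pass through untouched, while the winupd32.exe entries trip two rules at once (RunServices plus the drivers\etc hiding place). The actual removal still happens in HijackThis or the registry, from a normal boot, which is the point made about msconfig later in the thread.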
PostPosted: Wed Dec 22, 2004 2:23 am 
Black Belt 2nd Degree

Joined: Tue Jun 29, 2004 9:05 am
Posts: 2792
Location: St. Augustine, Fl
PS: NEVER post an HJT log when booting the system with a modified msconfig startup!

It's best to clean in Safe Mode and/or end tasks as needed. But when you post/scan with HJT, make sure you are in a normal boot.

PostPosted: Wed Dec 22, 2004 2:29 am 
Black Belt 3rd Degree

Joined: Sat Jul 24, 2004 12:34 pm
Posts: 3430
Location: UK
I suppose a full format and re-install is out of the question?

(Sometimes it's quicker and it's always safer; I realise it's not as much fun :-)


PostPosted: Wed Dec 22, 2004 2:44 am 
Black Belt 2nd Degree

Joined: Tue Jun 29, 2004 9:05 am
Posts: 2792
Location: St. Augustine, Fl
colinJohn wrote:
I suppose a full format and re-install is out of the question?

(Sometimes it's quicker and it's always safer; I realise it's not as much fun :-)


I don't think it's necessary; the above should work quite fine.

PostPosted: Wed Dec 22, 2004 7:33 am 
Black Belt 5th Degree

Joined: Mon Sep 13, 2004 3:22 pm
Posts: 9258
Location: 33258
colinJohn wrote:
I suppose a full format and re-install is out of the question?

(Sometimes it's quicker and it's always safer; I realise it's not as much fun :-)


Yes, a reinstall is quicker, but then you have to restore all the games and applications and your settings and data, so it's not really time-consuming anymore unless you have a Ghost image.


PostPosted: Thu Dec 23, 2004 12:17 am 
Black Belt 1st Degree

Joined: Wed Sep 22, 2004 9:09 pm
Posts: 1032
Location: Mount Holly New Jersey
snap355 wrote:
colinJohn wrote:
I suppose a full format and re-install is out of the question?

(Sometimes it's quicker and it's always safer; I realise it's not as much fun :-)


Yes, a reinstall is quicker, but then you have to restore all the games and applications and your settings and data, so it's not really time-consuming anymore unless you have a Ghost image.


This is why you are supposed to partition your drives! C: = OS, D: = DATA, E: = APPZ, F: = WEB CACHE. This way, if some shizz like this goes down, all you have to do is format your OS, APPZ and WEB CACHE partitions. Your data will be untouched, and your data partition is most likely larger than the other three, so you will save time formatting. Yes, you will have to reinstall your appz, but that's the price you pay for letting something infectious get into your system.


PostPosted: Thu Dec 23, 2004 12:44 am 
Black Belt 2nd Degree

Joined: Tue Jun 29, 2004 9:05 am
Posts: 2792
Location: St. Augustine, Fl
WWAAITTTTTTTTTTTT.

I was rereading my posts.
I missed something big time. I must have deleted it accidentally.
You have a really nasty version of CoolWebSearch.

Download and run CWShredder:

http://www.intermute.com/spysubtract/cw ... nload.html
Get the standalone version here: http://cwshredder.net/bin/CWShredder.exe

Not doing this may make it really angry and cause some problems.

Sorry, I don't know how I missed posting this as the very first thing you should do.

I am not sure if this version of CWShredder gets this variant of CWS; it should.

PostPosted: Thu Dec 23, 2004 12:48 am 
Black Belt 1st Degree

Joined: Wed Sep 22, 2004 9:09 pm
Posts: 1032
Location: Mount Holly New Jersey
Format. The only way to be sure.
