trojan war


Postby bubbatech » Wed Dec 22, 2004 12:16 am

I'm working on a Dell Inspiron 2650, XP OS. This laptop has a trojan. Just installed AVG 7 Free; AVG 6 "would not install in system running DOS and Windows".
AVG found several Trojan Horse Downloader Agent 2BN / 2BO that could not be healed, deleted or quarantined. Installed Trojan Remover, which said it removed them, and AVG could no longer find any (temp files removed and System Restore turned off first). Ad-Aware was run, and in the process AVG found the same trojans and can't stop them. They seem to be located in windows\taskman. I can delete this file and its infected files, but it comes back immediately, like a refresh. I have shut down almost all unnecessary processes in msconfig; still the same. I have a HijackThis log at this point:
Logfile of HijackThis v1.98.2
Scan saved at 11:09:43 PM, on 12/21/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\NetZero\exec.exe
F:\1104\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aasly.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aasly.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aasly.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EZN
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {229FBE4F-22E5-1C6A-14A8-91F46DF45208} - C:\WINDOWS\system32\crvr.dll (file missing)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O4 - HKLM\..\RunServices: [BEEEED6F] C:\WINDOWS\System32\fknsoz.exe
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file. ... c0991b9912
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Einnla32.dll (file missing)

Can anybody help?
bubbatech
Initiate
Posts: 83
Joined: Fri Jun 25, 2004 5:22 pm

Postby kltsin » Wed Dec 22, 2004 1:58 am

I'm looking into this, just wanted you to know.

What I would recommend until I put my full post up is to start in Safe Mode.

Clear all temp files.
Clear all the users' temp files in c:\documents and settings\USER\local settings\temp
c:\temp
c:\windows\temp
c:\windows\downloaded programs
c:\windows\prefetch
Make sure you get each one; clear all files and folders.

And all users' Temporary Internet Files,
similar to above: c:\documents and settings\etc

Empty Recycle Bin.

Go to Add/Remove Programs and remove anything you don't like.
I see IBIS toolbar and WebSearch.
Remove them if Ad-Aware hasn't already; I'm sure there are many more.

Open Task Manager and end wtools.exe (or similar), and WSUP.exe.
Delete folder C:\Program Files\Toolbar
Go to C:\Program Files\Common Files\WinTools and delete all the files in that folder.

Empty Recycle Bin.
Run Ad-Aware again (make sure no Explorer windows or Internet Explorer windows are open) and post a new HJT log.
kltsin
Black Belt 2nd Degree
Posts: 2792
Joined: Tue Jun 29, 2004 9:05 am
Location: St. Augustine, Fl

Postby kltsin » Wed Dec 22, 2004 2:19 am

OK, here's more. This one is a little tricky.
It needs to be removed manually from many areas:
http://securityresponse.symantec.com/av ... sylum.html

After doing that, delete these in HJT:

C:\Program Files\Common Files\WinTools\WToolsS.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aasly.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\aasly.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aasly.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa


R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O4 - HKLM\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O4 - HKLM\..\RunServices: [BEEEED6F] C:\WINDOWS\System32\fknsoz.exe

O4 - HKCU\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"


O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file. ... c0991b9912
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Einnla32.dll (file missing)

Now you can post a new HJT log.

You will also have to run a Winsock fix to cure messed-up BHOs; I'll look up the addy in a bit.
kltsin
Black Belt 2nd Degree
Posts: 2792
Joined: Tue Jun 29, 2004 9:05 am
Location: St. Augustine, Fl
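The posted log and the removal list above are both worked by hand. As an added example (not part of this thread, and not a tool from the HijackThis project), the following Python script parses a HijackThis-format log and flags the same entry classes that list targets: registrations whose file is gone, search pages served from a DLL dropped in the Windows root, RunServices autoruns (a key honoured only by Windows 9x/Me, so on an NT-based system such as this XP machine a value there is dead weight that only malware tends to add), executables under system32\drivers\etc, hex-string autorun names, user-added Trusted Zone domains and non-stock SSODL entries. The embedded SAMPLE_LOG is a constructed excerpt modelled on the posted log, and the heuristics and the KNOWN_SSODL allowlist are this example's assumptions, not rules from HijackThis.

```python
"""Triage a HijackThis-format log: flag the entry classes that the cleanup
list in this thread targets.  Added example, not part of HijackThis itself;
the rules and the KNOWN_SSODL allowlist below are this example's assumptions."""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aasly.dll/sp.html#29126
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {229FBE4F-22E5-1C6A-14A8-91F46DF45208} - C:\WINDOWS\system32\crvr.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O4 - HKLM\..\RunServices: [BEEEED6F] C:\WINDOWS\System32\fknsoz.exe
O15 - Trusted Zone: *.searchmiracle.com
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Einnla32.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<type>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
HEX_NAME_RE = re.compile(r"^\[[0-9A-F]{6,}\]")          # e.g. [BEEEED6F]
RES_DLL_RE = re.compile(r"res://([^/]+\.dll)", re.IGNORECASE)
WINROOT_DLL_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.IGNORECASE)

# Assumed stock ShellServiceObjectDelayLoad names on a clean Windows XP.
KNOWN_SSODL = {"WebCheck", "SysTray", "Network.ConnectionTray", "UPnPMonitor"}


@dataclass(frozen=True)
class Finding:
    entry_type: str
    line: str
    reason: str


def _check(entry_type: str, body: str, nt_platform: bool) -> list:
    """Return the reasons an entry deserves review (empty list = leave it)."""
    reasons = []
    low = body.lower()

    # A hook whose target is gone: the binary was deleted or renamed but the
    # registration was left behind (typical after a partial clean-up).
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("registered component has no file on disk")

    if entry_type in ("R0", "R1"):
        m = RES_DLL_RE.search(body)
        # IE's own res:// pages come from DLLs under system32; a DLL sitting
        # directly in the Windows root serving the search page is a hijack.
        if m and WINROOT_DLL_RE.match(m.group(1)):
            reasons.append("search page served from a DLL in the Windows root")

    if entry_type == "O4":
        if "runservices" in low and nt_platform:
            # RunServices is processed by Windows 9x/Me only.
            reasons.append("RunServices key is not used by NT-based Windows")
        if "\\drivers\\etc\\" in low:
            reasons.append("executable placed under system32\\drivers\\etc (data-only directory)")
        value_part = body.split(":", 1)[1].strip() if ":" in body else body
        if HEX_NAME_RE.match(value_part):
            reasons.append("autorun value name is a bare hex string")

    if entry_type == "O15":
        reasons.append("domain added to IE Trusted Zone; confirm the user added it")

    if entry_type == "O21":
        name = body.split("SSODL:", 1)[1].split(" - ")[0].strip() if "SSODL:" in body else ""
        if name not in KNOWN_SSODL:
            reasons.append("ShellServiceObjectDelayLoad entry outside stock set")

    return reasons


def triage(log_text: str) -> list:
    """Walk the log once; the Platform line tells us whether RunServices matters."""
    nt_platform = False
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Platform:"):
            nt_platform = "WinNT" in line
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank line or the running-process list
        for reason in _check(m["type"], m["body"], nt_platform):
            findings.append(Finding(m["type"], line, reason))
    return findings


def flagged_lines(log_text: str) -> list:
    """Log lines with at least one finding, de-duplicated, in log order."""
    seen = []
    for f in triage(log_text):
        if f.line not in seen:
            seen.append(f.line)
    return seen


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry_type:<4}{f.reason}\n    {f.line}")
```

Feed it a whole log (`triage(open("hijackthis.log").read())`) and every flagged line comes back with the reason; the AVG autorun in the sample is left alone, the two RunServices values and the SSODL entry each collect two reasons. Everything it reports is still a candidate for review, not an automatic delete: the O15 rule in particular fires on any Trusted Zone entry, because the fix-list above deletes them all, and a user who genuinely added one would need to re-add it.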

Postby kltsin » Wed Dec 22, 2004 2:23 am

PS: NEVER post an HJT log when booting the system with a modified msconfig startup!!

It's best to clean in Safe Mode and/or end tasks as needed. But when you post/scan with HJT, make sure you are in a normal boot.
kltsin
Black Belt 2nd Degree
Posts: 2792
Joined: Tue Jun 29, 2004 9:05 am
Location: St. Augustine, Fl

Postby colinJohn » Wed Dec 22, 2004 2:29 am

I suppose a full format and re-install is out of the question?

(Sometimes it's quicker and it's always safer; I realise it's not as much fun :-)
colinJohn
Black Belt 3rd Degree
Posts: 3430
Joined: Sat Jul 24, 2004 12:34 pm
Location: UK

Postby kltsin » Wed Dec 22, 2004 2:44 am

colinJohn wrote:I suppose a full format and re-install is out of the question?

(Sometimes it's quicker and it's always safer; I realise it's not as much fun :-)


I don't think it's necessary; the above should work quite fine.
kltsin
Black Belt 2nd Degree
Posts: 2792
Joined: Tue Jun 29, 2004 9:05 am
Location: St. Augustine, Fl

Postby snap355 » Wed Dec 22, 2004 7:33 am

colinJohn wrote:I suppose a full format and re-install is out of the question?

(Sometimes it's quicker and it's always safer; I realise it's not as much fun :-)


Yes, a reinstall is quicker, but then you have to restore all the games and applications and your settings and data, so it's not really time consuming anymore unless you have a Ghost image.
snap355
Black Belt 5th Degree
Posts: 9258
Joined: Mon Sep 13, 2004 3:22 pm
Location: 33258

Postby tribaloverkill » Thu Dec 23, 2004 12:17 am

snap355 wrote:
colinJohn wrote:I suppose a full format and re-install is out of the question?

(Sometimes it's quicker and it's always safer; I realise it's not as much fun :-)


Yes, a reinstall is quicker, but then you have to restore all the games and applications and your settings and data, so it's not really time consuming anymore unless you have a Ghost image.


This is why you are supposed to partition your drives! C: = OS, D: = DATA, E: = APPZ, F: = WEB CACHE. This way, if some shizz like this goes down, all you have to do is format your OS, APPZ and WEB CACHE partitions. Your data will be untouched, and your data partition is most likely the largest of the other three, so you will save time formatting. YES, you will have to reinstall your appz, but that's the price you pay for letting something infectious get into your system.
tribaloverkill
Black Belt 1st Degree
Posts: 1032
Joined: Wed Sep 22, 2004 9:09 pm
Location: Mount Holly New Jersey

Postby kltsin » Thu Dec 23, 2004 12:44 am

WWAAITTTTTTTTTTTT.

I was rereading my posts.
I missed something big time. I must have deleted it accidentally.
You have a really nasty version of COOLWEBSEARCH.

Download and run CWShredder:

http://www.intermute.com/spysubtract/cw ... nload.html
Get the standalone version here: http://cwshredder.net/bin/CWShredder.exe

Not doing this may make it really angry and cause some problems.

Sorry, I don't know how I missed posting this as the very first thing you should do.

I am not sure if this version of CWShredder gets this variant of CWS; it should.
kltsin
Black Belt 2nd Degree
Posts: 2792
Joined: Tue Jun 29, 2004 9:05 am
Location: St. Augustine, Fl

Postby tribaloverkill » Thu Dec 23, 2004 12:48 am

Format. The only way to be sure.
tribaloverkill
Black Belt 1st Degree
Posts: 1032
Joined: Wed Sep 22, 2004 9:09 pm
Location: Mount Holly New Jersey
