trojan war


Postby kltsin » Thu Dec 23, 2004 2:59 am

tribaloverkill wrote:Format. The only way to be sure.


This may be a true post, but there are a lot of things wrong with this statement.
It's not his system; spending time backing up someone else's data will take more time than fixing the issue.

Any good tech that works on a system has a responsibility to do this.
Yes, the user is at fault, and most techs just tell them they screwed up, then wipe their data and tell them they should have had better security, or not be so stupid, and back up more often. They then sell them a bunch of programs and drives to back stuff up.

This isn't a good business plan, or a plan for anyone; this stuff can be fixed.

Too many people here are saying reformat and reinstall because of a few bugs. Chances are most of the systems I fix will be infected again and again and again, no matter what software or firewall you install, until the user makes better choices.

Have you ever had to reinstall an old 95 or 98 system running at about 500 MHz? What about having to reinstall all of those updated drivers?
This is a laptop, which means specialty drivers, a HUGE pain in the butt when running Windows 95/98/98SE/ME/2K/NT.
You need to reboot in between each one at least once; it takes hours. Fixing the problem is much quicker, and after a while you get good at it...

Do you guys want to reinstall every time something isn't working like you think it should?

More importantly, I won't let the bastards win, ever.
But there is a time when an infection is so deep and is filled with so many nasties that you can cave in. I've done it twice in the last 3 years, because it attacked Norton, which then would not uninstall.
If Norton didn't suck so much (design-wise) I would never have reinstalled.
On my home systems I do reformat maybe once a year, but I back up, and I always have a new mobo installed, so I'm different from my clientele.

PS: I have also learned how the new CWS variant attacks and can remove it manually in a few minutes in case CWShredder doesn't work, but I found it does, so there's no worry.
PPS: sorry for the rant, but this is an easy fix.
kltsin
Black Belt 2nd Degree
Posts: 2792
Joined: Tue Jun 29, 2004 9:05 am
Location: St. Augustine, Fl

Postby snap355 » Thu Dec 23, 2004 5:57 am

tribaloverkill wrote:
snap355 wrote:
colinJohn wrote:I suppose a full format and re-install is out of the question?

(Sometimes is quicker and it's always safer; I realise it's not as much fun :-)


Yes a reinstall is quicker, but then you have to restore all the games and applications and your settings and data, so it's not really time consuming anymore unless you have a ghost image


This is why you are supposed to partition your drives! C:=OS, D:=DATA, E:=APPZ, F:=WEB CACHE. This way, if some shizz like this goes down, all you have to do is format your OS, APPZ, and WEB CACHE. Your data will be untouched, and your data partition is most likely the largest of the four, so you will save time formatting. YES, you will have to reinstall your appz, but that's the price you pay for letting something infectious get into your system.


Even if you partition your drive, your settings for Windows are lost, your programs need to be reinstalled, etc... The only thing partitioning gives you is data backup and such. You still have to update Windows, antivirus, etc.
snap355
Black Belt 5th Degree
Posts: 9258
Joined: Mon Sep 13, 2004 3:22 pm
Location: 33258

Postby tribaloverkill » Thu Dec 23, 2004 6:10 am

snap355 wrote:
tribaloverkill wrote:
snap355 wrote:
colinJohn wrote:I suppose a full format and re-install is out of the question?

(Sometimes is quicker and it's always safer; I realise it's not as much fun :-)


Yes a reinstall is quicker, but then you have to restore all the games and applications and your settings and data, so it's not really time consuming anymore unless you have a ghost image


This is why you are supposed to partition your drives! C:=OS, D:=DATA, E:=APPZ, F:=WEB CACHE. This way, if some shizz like this goes down, all you have to do is format your OS, APPZ, and WEB CACHE. Your data will be untouched, and your data partition is most likely the largest of the four, so you will save time formatting. YES, you will have to reinstall your appz, but that's the price you pay for letting something infectious get into your system.


Even if you partition your drive, your settings for Windows are lost, your programs need to be reinstalled, etc... The only thing partitioning gives you is data backup and such. You still have to update Windows, antivirus, etc.


Exactly :) Data backup. You format your OS, APPZ, and WEBCACHE, leaving the largest partition alone, the data partition. You wipe everything else clean and then reinstall everything again. That way you don't waste time backing anything up. I would rather do that than download this, do that, try this, ... maybe this will work.

I am not sure if this version of cwshredder gets this variant of cws, it should.


Should? In the time you spend trying stuff out, waiting for answers on this forum, downloading, and researching because people write new malicious crap every day, you would be done. Even if it took the same amount of time, you did it without the headache of being frustrated.
tribaloverkill
Black Belt 1st Degree
Posts: 1032
Joined: Wed Sep 22, 2004 9:09 pm
Location: Mount Holly New Jersey

Postby kltsin » Thu Dec 23, 2004 6:31 am

umm cough cough, all good points..

But isn't this post about editing an HJT log? This is a user fixing another's system, and I do see the merits of saving data, but this isn't the time or place.

I can't even remember who posted it anymore..

I worked pretty hard on making sure I didn't miss anything with this particular log.. would love some feedback, and a new log.
kltsin
Black Belt 2nd Degree
Posts: 2792
Joined: Tue Jun 29, 2004 9:05 am
Location: St. Augustine, Fl

Postby colinJohn » Thu Dec 23, 2004 7:08 am

hmm - didn't mean to 'hijack' the thread. I just mentioned format as an alternative for 2 reasons

1 I have no clue about editing registry entries or tracing malware entries. I think I'll have to start reading about it. Do you know any good sites, kltsin?

2 I like to format and re-install about once a year anyway just to de-crap things. I like that spring clean feel. It's the only time you *know* you have no malware on your machine. Speeds everything up too.
Got to allow a whole afternoon tho'
"that's some catch that Catch 22"
"It's the best that there is"

colinJohn
Black Belt 3rd Degree
Posts: 3430
Joined: Sat Jul 24, 2004 12:34 pm
Location: UK

Postby bubbatech » Thu Dec 23, 2004 6:53 pm

This battle seems to be over. Before you guys came to the rescue I read previous forums and got the tip to try 'avast' virus control. It found them in various locations (they seemed to be spreading), but it wasn't able to end it. So when I read your posts I followed the process of delete and shut down with reckless abandon; then ran avast; turned on restore. Ran avast, and now all is well. Thank you for your help again.
PS: format would have been the easier route, but I just didn't know how much backup would be required.
PPS: also, about the HJT, I figured that with the trojan still present, with as few running processes as possible it would be easier to trace.
PPPS: I didn't run SpySubtract Shredder since it is a 30-day trial; it seems to me that after the trial these things cause trouble.
Thanks again. The battle is ours; but this war goes on.
bubbatech
Initiate
Posts: 83
Joined: Fri Jun 25, 2004 5:22 pm

hjt log final

Postby bubbatech » Thu Dec 23, 2004 7:02 pm

Logfile of HijackThis v1.98.2
Scan saved at 7:06:59 PM, on 12/23/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\System32\??plorer.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\cisvc.exe
C:\Documents and Settings\Tanya\Application Data\eetu.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
F:\1104\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aasly.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\aasly.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EZN
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {229FBE4F-22E5-1C6A-14A8-91F46DF45208} - C:\WINDOWS\system32\crvr.dll (file missing)
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Login] system.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [A60A3154] C:\WINDOWS\System32\fknsoz.exe
O4 - HKLM\..\Run: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O4 - HKLM\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Mslacyi] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [Fggqoj] C:\WINDOWS\System32\??oolsv.exe
O4 - HKCU\..\Run: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Smps] C:\Documents and Settings\Tanya\Application Data\utsd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Tanya\Application Data\eetu.exe
O4 - HKCU\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
bubbatech
Initiate
Posts: 83
Joined: Fri Jun 25, 2004 5:22 pm

Postby kltsin » Thu Dec 23, 2004 8:23 pm

bubbatech wrote:PPS: also, about the HJT, I figured that with the trojan still present, with as few running processes as possible it would be easier to trace.
PPPS: I didn't run SpySubtract Shredder since it is a 30-day trial; it seems to me that after the trial these things cause trouble.
Thanks again. The battle is ours; but this war goes on.


There are 2 different downloads on that page, cwshredder or cwshredder with spysubtract.

The cwshredder is free and will not expire.
Here's the CWShredder direct link:
http://cwshredder.net/bin/CWShredder.exe

Along with running cwshredder, download and run ABOUT:BUSTER
http://www.malwarebytes.biz/
kltsin
Black Belt 2nd Degree
Posts: 2792
Joined: Tue Jun 29, 2004 9:05 am
Location: St. Augustine, Fl

Postby kltsin » Thu Dec 23, 2004 8:33 pm

Also check the IE settings.
On the Security tab, reset to default.
Delete everything in the Trusted internet sites as well.

Don't run 2 anti-virus programs at the same time.
Pick one or the other..
kltsin
Black Belt 2nd Degree
Posts: 2792
Joined: Tue Jun 29, 2004 9:05 am
Location: St. Augustine, Fl
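The log posted above and the advice to clear the Trusted sites list both come down to reading a HijackThis log for a handful of patterns. The following is an added example, not code from the thread or from the HijackThis project: it scans an excerpt of that log (constructed sample input, copied from the lines posted above) for the persistence patterns visible in it and lists the registry keys behind the O15 Trusted Zone lines. The rule names and the ZoneMap helper are this example's own; the section tags (R1, R3, O2, O4, O15) are HijackThis's.

```python
"""Triage a HijackThis (HJT) log for CoolWebSearch-style persistence.

Added example, not part of the original thread and not HijackThis code.
SAMPLE_LOG is an excerpt of the log posted in the thread; the rule ids
and the ZoneMap cleanup helper are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample input: an excerpt of the HJT log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe
C:\WINDOWS\System32\??plorer.exe
C:\Documents and Settings\Tanya\Application Data\eetu.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\aasly.dll/sp.html#29126
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {229FBE4F-22E5-1C6A-14A8-91F46DF45208} - C:\WINDOWS\system32\crvr.dll (file missing)
O4 - HKLM\..\Run: [Login] system.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\RunServices: [Windows DLL host] "C:\WINDOWS\system32\drivers\etc\rundll\winupd32.exe"
O4 - HKCU\..\Run: [Mslacyi] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [Fggqoj] C:\WINDOWS\System32\??oolsv.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Tanya\Application Data\eetu.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.xxxtoolbar.com
"""

# Each rule: (rule id, why it matters, regex applied to one log line).
RULES = [
    ("drivers_etc",
     "executable under system32\\drivers\\etc (only hosts-style text files belong there)",
     re.compile(r"\\system32\\drivers\\etc\\", re.I)),
    ("lookalike_name",
     "'?' in a filename: HJT prints non-ASCII characters as '?', so this is a "
     "lookalike of explorer.exe / spoolsv.exe, not the real binary",
     re.compile(r"\\[^\\\s]*\?[^\\\s]*\.exe", re.I)),
    ("runservices",
     "RunServices autostart: a Windows 9x/ME key that XP does not process; "
     "legitimate XP software has no reason to write it",
     re.compile(r"\\RunServices:", re.I)),
    ("bare_filename",
     "Run entry with a bare filename, resolved via the search path: check which "
     "file actually runs (some vendors do this too, e.g. nwiz.exe)",
     re.compile(r"^O4 - .*\\Run: \[[^\]]+\] [A-Za-z0-9_~]+\.exe(\s|$)")),
    ("res_dll_searchpage",
     "search page served from a local DLL resource (res://...dll/sp.html), "
     "the CoolWebSearch hijack pattern",
     re.compile(r"= res://.*\.dll/", re.I)),
    ("appdata_root",
     "executable started from the root of the profile's Application Data folder",
     re.compile(r"\\Application Data\\[^\\]+\.exe", re.I)),
    ("missing_file",
     "hook/BHO whose file is gone: a dead entry left to fix in HJT",
     re.compile(r"\((no file|file missing)\)", re.I)),
]
TRUSTED_RE = re.compile(r"^O15 - Trusted Zone: (\S+)")


def triage(log_text):
    """Return ({rule_id: [matching lines]}, [O15 trusted-zone entries])."""
    findings = defaultdict(list)
    trusted = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TRUSTED_RE.match(line)
        if m:
            trusted.append(m.group(1))
            continue
        for rule_id, _desc, rx in RULES:
            if rx.search(line):
                findings[rule_id].append(line)
    return dict(findings), trusted


ZONEMAP = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"


def zonemap_keys(trusted_entries):
    r"""Registry keys behind the O15 lines.  IE stores the wildcard entry HJT
    shows as '*.example.com' under the key Domains\example.com with a
    REG_DWORD named '*' set to 2 (zone 2 = Trusted sites).  Deleting the
    key is what "delete everything in Trusted sites" does for that host."""
    keys = []
    for entry in trusted_entries:
        host = entry[2:] if entry.startswith("*.") else entry
        keys.append(ZONEMAP + "\\" + host)
    return keys


def report(log_text):
    """Print every hit with its explanation, then the keys to delete."""
    findings, trusted = triage(log_text)
    for rule_id, desc, _rx in RULES:
        for line in findings.get(rule_id, []):
            print(f"[{rule_id}] {line}\n    {desc}")
    for key in zonemap_keys(trusted):
        print(f"[trusted_zone] delete key {key}")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Rules are deliberately narrow: a hit means "look at this line", not "delete it"; the avast! and NVIDIA entries in the same log show why a vendor-name allowlist still has to be applied by hand before fixing anything in HJT.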

Postby Mr T » Thu Dec 23, 2004 9:47 pm

Disable System Restore, then run the AVs and removers in SAFE MODE....

However, as others have pointed out, doing a total reformat is the best way to clear a system of this crap... It is easy enough to back up data using a portable USB hard drive or a CDRW.. Applications are the responsibility of the customer: no discs, no applications, simple...

Economics is at play here: why waste hours removing adware, viruses etc. when they can return on a simple reboot, cause a system crash 'cos the AV deleted a system file, or a virus fragment remains corrupting files...

I think I would rather spend half an hour reinstalling Windows.....
I have been programming on computers since the ZX81.
I am an apprentice trained Electronics Engineer with qualifications to back it up.
I have been repairing computers since 1996.
Yet to some people I still know nothing...
Mr T
Enlightened Master
Posts: 17087
Joined: Fri Jun 14, 2002 1:03 am
Location: England
