Old 10-27-2005, 02:12 PM   #1
Platinum Member
Join Date: Mar 2005
Location: NC
Age: 27
Posts: 794
trojans and spyware, oh my. Check my HJT log plz

My second post has my log. I have several files downloaded from Kazaa, which I wouldn't be surprised may be a suspect. I've also been playing the game Kings of Chaos, which has a number of ads, and may have automatically downloaded some spyware.

Anyway, I've run updated versions of Ad-Aware, MS AntiSpyware, and Spybot; all removed some stuff, but things keep showing up. I also did a full Norton AV scan. I found two trojans, quarantined.

However, Spybot keeps finding MS auto-updater, windowsupdates.mediagateway as adware; I don't think it is? Also, my live Norton scanner keeps finding trojans every now and then. I haven't had this problem in the past.
__________________
CoolerMaster Case
Asus A8N SLI- Deluxe
AMD athlon 64 3400+
1GB Ultra DDR ram
XFX 7600 GT 256mb videe
230GB SATA HD
Combo drive
lynx6200 is offline   Reply With Quote


Old 10-27-2005, 02:12 PM   #2

Logfile of HijackThis v1.99.1
Scan saved at 8:06:29 AM, on 10/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000080.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
lynx6200 is offline   Reply With Quote
Old 10-27-2005, 05:02 PM   #3
Digaredd
Join Date: May 2005
Location: Melbourne AU
Posts: 7,613

Run HijackThis and select "Do a system scan only", then place a check by the following entries.

O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000080.exe


Close all open windows and browsers, and hit "Fix Checked".

Delete these files.

C:\Program Files\Common Files\Windows\mc-110-12-0000080.exe
windir32.exe

Reboot and post a new log.
__________________
Son of Glyndwr
Mae hen wlad fy nhadau yn annwyl i mi
Buzz1927 is offline   Reply With Quote
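A small triage script, added here as an example and not part of this thread or of HijackThis itself, that parses the O2/O3/O4 lines of a log like the one above and flags the same four entries Buzz1927 picked out, using the reasons a log reader applies: an entry whose file no longer exists, the Windows 9x-era RunServices key, a Microsoft-sounding value name paired with a bare filename, and an executable launched from Common Files\Windows. The sample lines are copied from the first log in the thread; the heuristics are the author's own assumptions, not HijackThis rules.

```python
import re

# Constructed sample: the O3/O4 lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000080.exe
""".strip()

# O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# First .exe token of the command, with or without surrounding quotes.
EXE_RE = re.compile(r'"?([^"]*?\.exe)', re.IGNORECASE)

def exe_from_command(command):
    """Return the executable part of an O4 command line."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else command.strip()

def reasons_for_o4(key, name, command):
    """Heuristics (assumed here) matching the entries the helper singled out in this thread."""
    reasons = []
    exe = exe_from_command(command)
    if key.lower().startswith("runservices"):
        reasons.append("RunServices is a Windows 9x-era key that XP software has no reason to use")
    if "\\" not in exe and "microsoft" in name.lower():
        reasons.append("Microsoft-sounding value name but a bare filename with no path")
    if "\\common files\\windows\\" in exe.lower():
        reasons.append("runs from Common Files\\Windows, a folder Windows itself does not use")
    return reasons

def triage(log_text):
    """Return [(line, reasons)] for every O2/O3/O4 line that deserves a second look."""
    flagged = []
    for line in log_text.splitlines():
        if line.startswith(("O2 - ", "O3 - ")) and line.endswith("(no file)"):
            flagged.append((line, ["orphaned entry: still registered but its file is gone"]))
            continue
        m = O4_RE.match(line)
        if m:
            _hive, key, name, command = m.groups()
            reasons = reasons_for_o4(key, name, command)
            if reasons:
                flagged.append((line, reasons))
    return flagged

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```

Legitimate bare-filename entries such as nwiz.exe and SOUNDMAN.EXE are deliberately not flagged: a missing path alone is common for vendor software, so the script only reacts when it is combined with a value name impersonating Windows.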
Old 10-27-2005, 06:21 PM   #4

Will do, thanks. I'll have to do that tonight, I'm not home at the moment, and will post back. Do you think those could lead to the random trojans Norton's been finding? Most of them have been in the system files, in the Windows folder and the like.

Thanks

Last edited by lynx6200; 10-27-2005 at 06:38 PM.
lynx6200 is offline   Reply With Quote
Old 10-27-2005, 06:36 PM   #5

I expect you'll find windir32.exe in the Windows or system32 folder (make sure you can see hidden files and protected operating system files).
Where does Spybot find those things? And can you get the full file path to what Norton's flagging?
Buzz1927 is offline   Reply With Quote


Old 10-28-2005, 01:58 AM   #6

Sorry for not clarifying before, but I am running Win XP Pro, SP2. In the Common Files folder you mentioned, neither of the files you said to delete exists. There are 3 files in that folder (AutoIt3 (AutoIt v3 Script), psapi.dll, and request (an HTML file)).

I can't seem to find either of those files you mentioned, but I did fix those entries in HJT you mentioned.

Here is the entry from MS AntiSpyware (it wasn't Spybot).


And here are the latest trojans Norton found:
stubsafullinstaller[1].exe
C:\documents and settings\michael\local settings\temporary internet files\content.ie5\mngj298x\

dnscatcher[1].exe
C:\documents and settings\michael\local settings\temporary internet files\content.ie5\k5chwh03\

A0017672.exe
C:\System Volume Information\_restore{06867CB4-14C7-4CC6-B46E-C8CEA6271A88}\RP126\

services32.exe
C:\Program Files\Common Files\Windows\

mc-110-12-0000080.exe (came up twice in the same day)
C:\Program Files\Common Files\InetGet2\

Setup.exe
C:\Documents and Settings\Michael\Desktop\

There are a few others, but they have similar names and paths.
Thanks.
lynx6200 is offline   Reply With Quote
Old 10-28-2005, 02:04 AM   #7

A list of the virus names infecting those files:
Trojan.Dropper
Trojan Horse
Downloader.Trojan
Trojan Horse
W32.Randex
Trojan.Dropper
Trojan.Dropper
Downloader.Trojan
Trojan Horse
Trojan.Dropper
W32.Alcra.B
W32.Alcra.B
W32.Alcra.B
W32.Alcra.B
W32.Alcra.B
W32.Alcra.B
W32.Alcra.B
W32.Alcra.B
W32.Alcra.B
W32.Alcra.B
W32.Alcra.B
W32.Alcra.B
W32.Alcra.B
W32.Alcra.B
W32.Alcra.B
W32.Alcra.B
lynx6200 is offline   Reply With Quote
Old 10-29-2005, 12:15 AM   #8

Anyone, please?
lynx6200 is offline   Reply With Quote
Old 10-29-2005, 12:26 AM   #9

Download: CCleaner (freeware)
http://www.majorgeeks.com/download4191.html
Once installed, run CCleaner and click the Windows tab.
Select the following:

Next: click Options, then click the Advanced tab.
Uncheck "Only delete files older than 48 hrs.", click OK.
Then click Run Cleaner (bottom right), then Exit.

Download, install and update Ewido.
http://download.ewido.net/ewido-setup.exe

Boot to safe mode and run a full scan.

Boot back to normal mode and post a new log.

Did you install the thing Don't Hack posted?
Buzz1927 is offline   Reply With Quote
Old 10-29-2005, 02:01 AM   #10

I'm not sure what other thing you mentioned from Don't Hack, and should that mediagateway entry MS AntiSpyware keeps flagging be ignored?
Below is my new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 7:58:19 PM, on 10/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Last edited by lynx6200; 10-29-2005 at 02:03 AM.
lynx6200 is offline   Reply With Quote