ben_cameron
Cadet
Joined: May 31, 2004
Posts: 6
Location: Canada
Posted: Sat Jun 05, 2004 11:05 pm Post subject: Please Help... I'm Stuck
ben_cameron
Cadet
Joined: May 31, 2004
Posts: 3
Location: Canada
Posted: Sun Jun 06, 2004 1:50 pm Post subject: Trojan Hunter Help - Please.. I'm Stuck
--------------------------------------------------------------------------------
I downloaded the TrojanHunter trial version 3.8 and it found quite a few possible trojans on my computer... for unlicensed users like me, one has to manually attach the suspicious file to an email and send it to ... I did this with several of them, but a good part of the possible trojans were reported by TH to be in folders I couldn't find, so I couldn't attach them... Most were in "C:\System Volume Information"... The rest were in "C:\WINDOWS\Downloaded Program Files", but when I opened this folder, it appeared empty... how do I access these folders?
Thank you in advance. Below is some information you may find useful:
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Administrator\Desktop\AdbeRdr60_enu_full.exe (Add to ignore list)
Found possible trojan file: C:\Documents and Settings\Administrator\Local Settings\Temp\optimize.exe/1Naa1.exe (SDBot) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\System Volume Information\_restore{D666ADE2-3D19-4D90-B778-DCA68C7E5BC1}\RP172\A0012313.exe/HUkY.exe (Possible trojan downloader) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\System Volume Information\_restore{D666ADE2-3D19-4D90-B778-DCA68C7E5BC1}\RP174\A0013572.exe/Fx0bf.exe (SDBot) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found trojan file: C:\System Volume Information\_restore{D666ADE2-3D19-4D90-B778-DCA68C7E5BC1}\RP174\A0013582.exe/kpMaj.exe (Adware.WinFavorites.100)
Found possible trojan file: C:\System Volume Information\_restore{D666ADE2-3D19-4D90-B778-DCA68C7E5BC1}\RP174\A0014627.exe/uok.exe (SDBot) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found trojan file: C:\System Volume Information\_restore{D666ADE2-3D19-4D90-B778-DCA68C7E5BC1}\RP177\A0015413.exe/TEteTcm.exe (Adware.WinFavorites.100)
Found possible trojan file: C:\WINDOWS\Downloaded Program Files\CONFLICT.1\VMInstaller.exe (Possible trojan downloader) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\Downloaded Program Files\CONFLICT.2\VMInstaller.exe (Possible trojan downloader) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\Downloaded Program Files\CONFLICT.3\VMInstaller.exe (Possible trojan downloader) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\Downloaded Program Files\VMInstaller.exe (Possible trojan downloader) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\system32\siae3123.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
2 trojan files found
9 possible trojan files found
Logfile of HijackThis v1.97.7
Scan saved at 9:46:38 PM, on 6/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\gearsec.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\sysupd.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\TrojanHunter 3.8\THGuard.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\My Documents\BitTorrent\HijackThis.exe
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Internet Anonym - {00000000-0002-0002-0000-000000000000} - c:\program files\steganos internet anonym pro 6\siaiep.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A618AFDC-5B97-402F-AA50-0E51D6949BC0}: NameServer = 142.161.130.155 142.161.2.155
ewido security suite - Startup report
---------------------------------------------------------
+ Created on: 9:47:56 PM, 6/5/2004
+ Report-Checksum: EDF2EFEF
Reg\HKCU\Run ctfmon.exe C:\WINDOWS\System32\ctfmon.exe
Reg\HKCU\Run MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
Reg\HKLM\Run ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Reg\HKLM\Run ccRegVfy "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Reg\HKLM\Run GhostStartTrayApp C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
Reg\HKLM\Run NeroCheck C:\WINDOWS\System32\NeroCheck.exe
Reg\HKLM\Run NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
Reg\HKLM\Run nwiz nwiz.exe /install
Reg\HKLM\Run QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Reg\HKLM\Run SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
Reg\HKLM\Run SysUpd C:\WINDOWS\sysupd.exe
Reg\HKLM\Run THGuard "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
Reg\HKLM\RunOnce SpybotSnD "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
Shell\CommonStartup Adobe Gamma Loader.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
Shell\CommonStartup hp psc 1000 series.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
Shell\CommonStartup hpoddt01.exe.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
Shell\CommonStartup Microsoft Office.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
claire
Site Moderator
Premium Member
Joined: Apr 21, 2002
Posts: 4794
Location: Belgium
Posted: Sun Jun 06, 2004 7:59 am Post subject:
Hi Ben Cameron,
here's what you need to fix in your HijackThis log:
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL
O3 - Toolbar: Internet Anonym - {00000000-0002-0002-0000-000000000000} - c:\program files\steganos internet anonym pro 6\siaiep.dll
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A618AFDC-5B97-402F-AA50-0E51D6949BC0}: NameServer = 142.161.130.155 142.161.2.155
When you have fixed those, you need to restart your computer in safe mode (do this by tapping F8 lots when your computer restarts).
When you are in safe mode, you must find this file and delete it:
C:\WINDOWS\sysupd.exe
When you have deleted it, empty the recycle bin and restart your computer normally.
Scan your computer again with HijackThis, and paste back a new log here.
All credit for this help is due to Norbie.
PS: you should upgrade to the 3.9 version.
_________________
Carpe Diem
ben_cameron
Cadet
Joined: May 31, 2004
Posts: 6
Location: Canada
Posted: Sun Jun 06, 2004 1:23 pm Post subject:
OK... I did like you said... here's the new log... and thanks again
Logfile of HijackThis v1.97.7
Scan saved at 12:31:35 PM, on 6/6/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\gearsec.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\My Documents\BitTorrent\HijackThis.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A618AFDC-5B97-402F-AA50-0E51D6949BC0}: NameServer = 142.161.130.155 142.161.2.155
norbie
1st Responder
Joined: Feb 21, 2004
Posts: 249
Location: UK
Posted: Sun Jun 06, 2004 3:12 pm Post subject:
Hi Ben,
please fix this from your HijackThis log again:
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
You should also go into safe mode and delete it again.
I have noticed that you are not running Windows XP SP1. This is a free update for Windows XP, which includes a lot of patches for known viruses and trojans. It is seriously recommended that you either download this for free, or order a CD, as this will probably save you a lot of hassle in the future.
You can download SP1 here:
www.windowsupdate.com
It will appear as one of the critical updates.
Or you can get a CD for $14.95 if you can't download it:
http://www.microsoft.com/WindowsXP/pro/...rdercd.asp
Good luck
_________________
Norbie
----------------------------
www.norbiesworld.co.uk
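As an added example (not code from the thread or from HijackThis), a small Python script that parses the O-section lines of two HijackThis logs and reports which of the entries claire flagged are gone from the second log and which are still present. The embedded logs are constructed, abridged excerpts of the two logs posted above.

```python
import re

# HijackThis prefixes each finding with a section code such as O2, O4 or O17;
# process-list and header lines carry no code and are ignored by the parser.
O_LINE = re.compile(r"^(O\d+) - (.+)$")

# Constructed, abridged excerpts of the two logs posted in this thread.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL
O3 - Toolbar: Internet Anonym - {00000000-0002-0002-0000-000000000000} - c:\program files\steganos internet anonym pro 6\siaiep.dll
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A618AFDC-5B97-402F-AA50-0E51D6949BC0}: NameServer = 142.161.130.155 142.161.2.155
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A618AFDC-5B97-402F-AA50-0E51D6949BC0}: NameServer = 142.161.130.155 142.161.2.155
"""
# The four lines the helper told the poster to fix.
FLAGGED = [
    r"O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL",
    r"O3 - Toolbar: Internet Anonym - {00000000-0002-0002-0000-000000000000} - c:\program files\steganos internet anonym pro 6\siaiep.dll",
    r"O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{A618AFDC-5B97-402F-AA50-0E51D6949BC0}: NameServer = 142.161.130.155 142.161.2.155",
]


def parse_entries(log_text):
    """Return the set of (section, detail) pairs found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = O_LINE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries


def persistence_report(before_log, after_log, flagged_lines):
    """Split the flagged entries into those gone from the second log and
    those still present, i.e. where the fix was skipped or did not stick."""
    before, after = parse_entries(before_log), parse_entries(after_log)
    flagged = parse_entries("\n".join(flagged_lines))
    removed = sorted(e for e in flagged if e in before and e not in after)
    persisted = sorted(e for e in flagged if e in after)
    return removed, persisted


if __name__ == "__main__":
    removed, persisted = persistence_report(LOG_BEFORE, LOG_AFTER, FLAGGED)
    for section, detail in removed:
        print("gone:     ", section, detail)
    for section, detail in persisted:
        print("persisted:", section, detail)
```

On these excerpts it reports the O2 and O3 entries gone and the O4 SysUpd and O17 NameServer entries still present, which is the comparison a helper makes before posting the next round of instructions.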
Powered by phpBB 2.0.8a © 2001 phpBB Group
Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops