cubsbaseball
Cadet
Joined: Apr 23, 2004
Posts: 5
Location: USA
Posted: Sat Apr 24, 2004 12:11 am Post subject: backdoor.trojan py[1].exe
Help. I've got backdoor.trojan and don't know what I'm doing. I've run Norton AntiVirus after LiveUpdate and it found mykecshn.exe and py[1].exe. I turned off System Restore, safebooted, ran a scan again. Deleted the files...it's back. So I downloaded HijackThis and here's my log...
Help me.
Logfile of HijackThis v1.97.7
Scan saved at 10:48:12 PM, on 4/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us3.hpwis.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {D10AC055-F0DF-D565-C339-51B7835EB234} - (no file)
O2 - BHO: (no name) - {DCD59F01-C5C6-FF5D-E415-BD306B8396AC} - C:\WINDOWS\system32\qgmzwqvp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} - http://mirror.worldwinner.com/games/v40/mines/mines.cab
O16 - DPF: {4E43BBE2-39BC-4789-BEF7-136BDC10F284} - https://www.ip-vrs.com/PlayerSetup/setup.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - http://mirror.worldwinner.com/games/v44...attack.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} - http://mirror.worldwinner.com/games/v50/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} - http://mirror.worldwinner.com/games/v40...angman.cab
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} - http://mirror.worldwinner.com/games/v41...olfsol.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.c..._1_3_0.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} - http://mirror.worldwinner.com//games/v4...2hpool.cab
mrrockford
AVPE Host
wackyidea guy
Joined: Apr 24, 2004
Posts: 258
Location: Germany
Posted: Sat Apr 24, 2004 3:55 pm
Howdy,
Where was it located? Complete path please.
mrrockford
cubsbaseball
Cadet
Joined: Apr 23, 2004
Posts: 5
Location: USA
Posted: Sun Apr 25, 2004 1:21 am
Both in windows/system32 and in documents and settings...
I've been doing some virus fighting. I scanned online at Panda and deleted the 4 files it found. I loaded Adware and Spybot.
I think I got it taken care of...for now...
This is my latest hijack log:
Logfile of HijackThis v1.97.7
Scan saved at 12:18:25 AM, on 4/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{74C11049-F8C1-4388-A75F-A1FCDB87264F}: NameServer = 209.153.128.4
dousugar
Cadet
Joined: Apr 25, 2004
Posts: 2
Location: France
Posted: Sun Apr 25, 2004 9:22 am
Hi. I've got the same problem with this same virus. Mine is in
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4TYBK527\py[1].exe
When I delete the file and then check the computer with Norton, it says no virus found. When I then turn off the computer and turn it on again, it finds the virus again, in the same place, only not in the same file (the 4TYBK527 one). Please please please, help me because I suck so much at computers and I really don't want that virus to mess with my stuff!!!
Thank you
dousugar
mrrockford
AVPE Host
wackyidea guy
Joined: Apr 24, 2004
Posts: 258
Location: Germany
Posted: Sun Apr 25, 2004 3:12 pm
Howdy,
@dousugar
Shut off your restore like cubsbaseball did, reboot in safe mode and scan again, all this after emptying your temps to include offline and TIFs. It should be gone then.
Question @ both of you: Do you have an Nvidia Graphics Card?
dousugar
Cadet
Joined: Apr 25, 2004
Posts: 2
Location: France
Posted: Sun Apr 25, 2004 3:52 pm
Hold on a second, I'm RRRReally bad in computers, so what is restoring? And what is Nvidia Graphics Card?
Thanks!!!
Diane
cubsbaseball
Cadet
Joined: Apr 23, 2004
Posts: 5
Location: USA
Posted: Sun Apr 25, 2004 4:27 pm
mrrockford,
I do have an Nvidia GeForce2 MX400 graphics card. Why do you ask?
Again, I think I cleaned my system of this backdoor.trojan.
The reason I think so is because when I had it my Explorer would only give a 404 not found page when my Norton Internet Security was enabled. Explorer would only work when I disabled Norton Internet Security. Now that is not the case. My Explorer works fine with Norton Internet Security up and running.
If it comes back I'll post again.
Thanks.
mrrockford
AVPE Host
wackyidea guy
Joined: Apr 24, 2004
Posts: 258
Location: Germany
Posted: Mon Apr 26, 2004 1:06 am
Howdy,
@dousugar,
Read through this and it will help you learn about the Restore function.
http://service1.symantec.com/SUPPORT/ts...ec_doc_nam
Check the book that came with your comp to see what Graphic Card is in your machine.
@all,
I have noticed that several people have been having problems with NIS (and other AV's) that have Nvidia GC's with older drivers. Don't know if it really works (I have ATI) but some have reported better results after having updated to the newest driver version.
bendnwiggle
Cadet
Joined: May 21, 2004
Posts: 4
Location: Canada
Posted: Sat May 22, 2004 9:14 pm
Your executables may be returning because there has been an entry included in your startup registry. Even if you delete the files, they will return when you reboot. It can be a little tricky, but you can check your registry using RUN...."regedit". Follow the path HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
Now double click on Run. The right side panel will show a list of programs started on startup. There may be a reference to your virus executable file in there. (Mine was in "Load32"). If there is...you can delete it. Warning...be careful not to delete a valid file...you can do harm to your computer. Make sure whatever file you delete is not one you need.
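The Run-key check described in the post above, done by comparison instead of by eye (an added example, not part of the thread or written by any poster): it reads the `O4` autostart lines of two HijackThis logs and lists Run values that are new or changed relative to a baseline scan. The baseline lines are copied from the second log in this thread and are assumed clean for the illustration; the `Load32` and relocated `ctfmon.exe` lines in `CURRENT` are constructed, and `placeholder.exe` is a made-up file name.

```python
import re

# Shape of an O4 registry autostart line in a HijackThis v1.97.7 log:
#   O4 - HKLM\..\Run: [ccApp] "C:\...\ccApp.exe"
O4_RUN = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$')

# Copied from the second log in this thread (assumed clean for this example).
BASELINE = r"""
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Constructed later scan: one added value and one value whose target moved.
CURRENT = r"""
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Load32] C:\WINDOWS\System32\placeholder.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\Temp\ctfmon.exe
"""

def run_entries(log_text):
    """Return {(hive, key, value_name): command} for each O4 registry line."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            entries[(hive, key, name)] = command.strip()
    return entries

def review_list(baseline_log, current_log):
    """Autostart values that are new, or whose command differs from the baseline."""
    base = run_entries(baseline_log)
    findings = []
    for ident, command in sorted(run_entries(current_log).items()):
        if ident not in base:
            findings.append(("new", ident, command))
        elif base[ident].lower() != command.lower():   # Windows paths: ignore case
            findings.append(("changed", ident, command))
    return findings

if __name__ == "__main__":
    for status, (hive, key, name), command in review_list(BASELINE, CURRENT):
        print(f"{status:8} {hive}\\{key} [{name}] -> {command}")
```

A "changed" hit on a familiar value name matters as much as a "new" one, since the name alone says nothing about which file it launches.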