Recommended Posts

lol, I just saw the vfp start thing in the registry report which u had me fix with the reg file... that should stop that bad boy from resurfacing, thanks. Can't believe I didnt think to scan the report for mentions of vfp... :wacko:

--- On second look, Y is the CD drive and those files are only on the CD... so something else was running first...

Edited by Steviebone
Link to post
Share on other sites

Would you upload another file or two for me plz to the same link as before

C:\XP\system32\71430B71.exe

C:\xqsjepbn.bat

They are probably or something we have done in the last couple days or so.......or if YOU know what they are no need to upload.

Updating Java and Clearing Cache

  • Go to Start > Control Panel double-click on the Software icon > Add/Remove Programs.
  • Search in the list for all previous installed versions of Java. (J2RE Runtime Environment.... )
    It should have next icon next to it: javaicon.jpg
    Select it and click Remove.
    1. Now please install the Java Runtime Environment (JRE) 6.0 Update 1 manually..
    2. Note to reboot the computer after updating:http://java.sun.com/javase/downloads/index.jsp

[*]After the reboot, go back into the Control Panel and double-click the Java Icon.

[*]Under Temporary Internet Files, click the Delete Files button.

[*]There are three options in the window to clear the cache - Leave ALL 3 Checked

  • Downloaded Applets
    Downloaded Applications
    Other Files

[*]Click OK on Delete Temporary Files Window

Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

[*]Click OK to leave the Java Control Panel.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT

  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:

    • Extended (if available otherwise Standard)

    • Scan Options:

    • Scan Archives
      Scan Mail Bases

    [*]Click OK

    [*]Now under select a target to scan:

    • Select My Computer

    [*]This will program will start and scan your system.

    [*]The scan will take a while so be patient and let it run.

    [*]Once the scan is complete it will display if your system has been infected.

    • Now click on the Save as Text button:

    [*]Save the file to your desktop.

    [*]Copy and paste that information in your next post.

When done post the Kaspersky log.

PS you may also want to look at the last couple of Scheduled tasks added. Did YOU add these or perhaps legit proggies..I just don't like the name much.

2007-05-22 12:48:24 C:\XP\tasks\New Task 2.job

2007-05-22 10:54:10 C:\XP\tasks\New Task.job

You should be able to open them with Notepad or similiar

Link to post
Share on other sites

ok, will do...

the newtasks I created... I was just trying to get the task scheduler to work... wanted to see if I deleted a task and recreated it... but no luck... i have those tasks backed up so I am prolly about to delete all of them... at present they keep trying to run but just generate 'could not start' messages...

will work the java over next...

get back to u later today...

and as always, thanks

Link to post
Share on other sites

oops, forgot I had run avenger where I had already killed those files:

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\fjobmayi

*******************

Script file located at: \??\C:\Program Files\kroancfe.txt

Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\XP\system32\71430B71.exe deleted successfully.

File C:\chdir.bat not found!

Deletion of file C:\chdir.bat failed!

Could not process line:

C:\chdir.bat

Status: 0xc0000034

File C:\XP\system32\drivers\k^nymapg.sys deleted successfully.

File C:\xqsjepbn.bat deleted successfully.

File C:\XP\system32\IE_Backup.reg deleted successfully.

File C:\XP\system32\Windows_Backup.reg deleted successfully.

File C:\XP\system32\startupBackup.reg deleted successfully.

File C:\XP\system\SysSD.dll deleted successfully.

File C:\XP\system32\CloseAll.exe deleted successfully.

File C:\XP\system32\CheckDll.dll deleted successfully.

File C:\XP\iun6002ev.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Link to post
Share on other sites
1% complete after 6 hours.

I wouldn't have been THAT patient......hee hee

But i also REALLY would like to see log from a scan...

would you be willing to try ONE more??

Please go HERE to run Panda's ActiveScan

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan..NOTE Just select your C:\ Drive instead...As you have several others But I'm mainly interested in C:
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Link to post
Share on other sites

couldnt find a way to restrcit the scan to c: so I let it run until most of c & d were done and the stopped it. It found three threats, all of which were identifiable by me:

pskill - I use it to kill local process from a batch file before running games

ipscan - I use it to scan my network for open ports

lzx32 - quarantined by combofix (this was the culprit and is zipped up inside the combo quarantine folder)

couple of comments, couple of questions

first, I think I'll hold on to all the handy tools I have used during this process, don't see any need to to trash them... any reason I shouldn't run combofix once in a while? It seemed to find things nothing else did. Which brings me to my next question...

I have installed now on this computer: Avast, Nod32, AVG, Spyware Detector, SpybotS&D, Spysweeper, KeyScrambler, KeyloggerHunter. Avast and Nod32 have always worked together. So far, no problems running Spyware Detector at the same time either. The others I keep unloaded and run a scheduled scan with each of them periodically. When running scans from the others I have to disable everything else first (something I dont like to do since it requires me disconnecting the machine from the Internet for the duration).

I'm wondering why Nod32 and AVAST failed to pick up the rootkit even though in the case of AVAST I used a boot time scan. And, BTW... I could never find a way to to do a boot time scan with Nod32, making it next to useless IMO. Wish I could get my money back on that one.

So in your opinion, what is the best virus scanner to leave active? I really like avasts script scanner and the fact that u can turn on verbose display of real-time scans. This allowed me to spot a yahoo mail virus once that was running undetected by everything. Funny, Avast displayed the running script in the verbose window but failed to identify it as a virus. Nevertheless, has it not been for this feature of Avast I would never have spotted it so easily excepot through careful inspection of syslogs.

More importantly, in trying to understand how the infection got there in the first place... I am VERY careful NEVER to open any emails that I don't already know the origin of... even tho all the emails are scanned on inbound by at least three scanners... the ISP's, Nod32 and Avast. And I never browse the Internet at large and keep the IE settings pretty tight, following the server2003 model.

I use a hardware firewall which is set to reject EVERYTHING that is not explicitly allowed. And I regularly scan my network ports to make sure no holes open up. Of course, the Windows firewall, which also next to useless IMO, was left active. Should I run a software firewall in addition to the hardware one?

Recently, tho, I allowed someone to plug their laptop into my hub for a few minutes. Out of curiosity, I ran a virus check for them. Despite their assurances the system was clean, I found 42 viruses almost immediately (lol). I immediately disconnected the machine...

I had assumed that since the laptop was NOT configured to address my workgroup or domain and had no log on name and passwords that it could NOT communicate with the other computers on the network all of whom have guest access removed, etc. I know that none of the computers were visible to the laptops explorer, etc. However, I must now assume that I am overlooking something... could it be port 80? Could the laptop have infected the only XP machine on the subnet by channeling thru port 80? Seems unlikely since that computer had at least two virus scanners running at the time... As far as I can tell, all the other machines on the subnet are clean (they are all running 2003 server tho). Could the rootkit have proliferated to a neighboring machine without workgroup access and logon credientials?

My new rule: absolutely NO outside machines anywhere on my subnet even for a second.

The only other thing I can think of is that the infection was coincidental and resulted from something I loaded on to the machine that the virus scanners failed to pick up... after all they didn't see it when combofix did. This is the only machine I surf and get email from. That is an intentional design. All of the other computers on the subnet are used for specific purposes and are configured, in most cases, for little or no access to the outside world.

I know this is more security related dialogue, but any comments or suggestions?

Steve

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...