Steviebone Posted May 22, 2007 (Author, edited)
lol, I just saw the vfp start thing in the registry report which u had me fix with the reg file... that should stop that bad boy from resurfacing, thanks. Can't believe I didn't think to scan the report for mentions of vfp...
---
On second look, Y is the CD drive and those files are only on the CD... so something else was running first...
Edited May 22, 2007 by Steviebone
jwbirdsong Posted May 23, 2007
Would you upload another file or two for me plz to the same link as before:
C:\XP\system32\71430B71.exe
C:\xqsjepbn.bat
They are probably or something we have done in the last couple days or so....... or if YOU know what they are no need to upload.

Updating Java and Clearing Cache
Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
Search in the list for all previously installed versions of Java (J2RE Runtime Environment....).
It should have an icon next to it: select it and click Remove.
Now please install the Java Runtime Environment (JRE) 6.0 Update 1 manually. Note to reboot the computer after updating:
http://java.sun.com/javase/downloads/index.jsp
After the reboot, go back into the Control Panel and double-click the Java icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - leave ALL 3 checked:
Downloaded Applets
Downloaded Applications
Other Files
Click OK on the Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
Scan Options: Scan Archives, Scan Mail Bases
Click OK.
Now under select a target to scan: select My Computer.
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information in your next post.
When done post the Kaspersky log.

PS you may also want to look at the last couple of Scheduled tasks added. Did YOU add these or perhaps legit proggies.. I just don't like the name much.
2007-05-22 12:48:24 C:\XP\tasks\New Task 2.job
2007-05-22 10:54:10 C:\XP\tasks\New Task.job
You should be able to open them with Notepad or similar.
Steviebone Posted May 23, 2007 (Author)
ok, will do... the new tasks I created... I was just trying to get the task scheduler to work... wanted to see if I deleted a task and recreated it... but no luck... I have those tasks backed up so I am prolly about to delete all of them... at present they keep trying to run but just generate 'could not start' messages... will work the java over next... get back to u later today... and as always, thanks
Steviebone Posted May 23, 2007 (Author)
oops, forgot I had run avenger where I had already killed those files:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fjobmayi
*******************
Script file located at: \??\C:\Program Files\kroancfe.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\XP\system32\71430B71.exe deleted successfully.
File C:\chdir.bat not found!
Deletion of file C:\chdir.bat failed!
Could not process line:
C:\chdir.bat
Status: 0xc0000034
File C:\XP\system32\drivers\k^nymapg.sys deleted successfully.
File C:\xqsjepbn.bat deleted successfully.
File C:\XP\system32\IE_Backup.reg deleted successfully.
File C:\XP\system32\Windows_Backup.reg deleted successfully.
File C:\XP\system32\startupBackup.reg deleted successfully.
File C:\XP\system\SysSD.dll deleted successfully.
File C:\XP\system32\CloseAll.exe deleted successfully.
File C:\XP\system32\CheckDll.dll deleted successfully.
File C:\XP\iun6002ev.exe deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
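When a removal tool's log is posted like this, the useful review step is to separate what was actually removed from what failed and why, so the failed items can be followed up. The following is an added example (not part of the thread, and not the Avenger tool's own code): a small Python parser for the log layout shown above, using the thread's own log as sample input. The NTSTATUS name mapping covers only the one code that appears here; the function and dataclass names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the Avenger log quoted in the post above, reproduced as a
# Python string (backslashes doubled) so the example runs offline.
SAMPLE_LOG = """\
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\\Registry\\Machine\\System\\CurrentControlSet\\Services\\fjobmayi
*******************
Script file located at: \\??\\C:\\Program Files\\kroancfe.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\\Avenger
*******************
Beginning to process script file:
File C:\\XP\\system32\\71430B71.exe deleted successfully.
File C:\\chdir.bat not found!
Deletion of file C:\\chdir.bat failed!
Could not process line:
C:\\chdir.bat
Status: 0xc0000034
File C:\\XP\\system32\\drivers\\k^nymapg.sys deleted successfully.
File C:\\xqsjepbn.bat deleted successfully.
File C:\\XP\\system32\\IE_Backup.reg deleted successfully.
File C:\\XP\\system32\\Windows_Backup.reg deleted successfully.
File C:\\XP\\system32\\startupBackup.reg deleted successfully.
File C:\\XP\\system\\SysSD.dll deleted successfully.
File C:\\XP\\system32\\CloseAll.exe deleted successfully.
File C:\\XP\\system32\\CheckDll.dll deleted successfully.
File C:\\XP\\iun6002ev.exe deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
"""

# NTSTATUS values seen in this log; 0xC0000034 is STATUS_OBJECT_NAME_NOT_FOUND.
NTSTATUS_NAMES = {"0xc0000034": "STATUS_OBJECT_NAME_NOT_FOUND"}

DELETED_RE = re.compile(r"^File (.+) deleted successfully\.$")
FAILED_RE = re.compile(r"^Deletion of file (.+) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")
BACKUP_RE = re.compile(r"^Backups directory opened successfully at (.+)$")
SCRIPT_RE = re.compile(r"^Script file located at: (.+)$")


@dataclass
class AvengerReport:
    service_key: Optional[str] = None   # temporary service the tool ran from
    script_path: Optional[str] = None   # script that listed the deletions
    backup_dir: Optional[str] = None    # where deleted files were backed up
    deleted: List[str] = field(default_factory=list)
    failed: Dict[str, str] = field(default_factory=dict)  # path -> NTSTATUS
    completed: bool = False


def parse_avenger_log(text: str) -> AvengerReport:
    """Walk the log line by line and collect outcomes per file."""
    report = AvengerReport()
    pending_failure = None  # path whose 'Status:' line has not been seen yet
    expect_key = False      # the registry key follows its header on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if expect_key:
            report.service_key, expect_key = line, False
            continue
        if line == "Running from registry key:":
            expect_key = True
        elif m := SCRIPT_RE.match(line):
            report.script_path = m.group(1)
        elif m := BACKUP_RE.match(line):
            report.backup_dir = m.group(1)
        elif m := DELETED_RE.match(line):
            report.deleted.append(m.group(1))
        elif m := FAILED_RE.match(line):
            pending_failure = m.group(1)
        elif (m := STATUS_RE.match(line)) and pending_failure:
            report.failed[pending_failure] = m.group(1).lower()
            pending_failure = None
        elif line == "Completed script processing.":
            report.completed = True
    return report


def status_name(code: str) -> str:
    return NTSTATUS_NAMES.get(code.lower(), "unknown NTSTATUS")


def followup_items(report: AvengerReport) -> List[str]:
    """Deletions that failed, with the status decoded, for the next post."""
    return [f"{path} ({code} {status_name(code)})" for path, code in report.failed.items()]


if __name__ == "__main__":
    rep = parse_avenger_log(SAMPLE_LOG)
    print(f"deleted: {len(rep.deleted)}, failed: {len(rep.failed)}, completed: {rep.completed}")
    for item in followup_items(rep):
        print("follow up:", item)
```

Run as-is it reports 10 deletions and one failure; the failure decodes to "object name not found", which matches the preceding "not found!" line, so the only follow-up is confirming that C:\chdir.bat really is gone rather than hidden.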
Steviebone Posted May 24, 2007 (Author)
Kaspersky on-line was slower than a dog... 1% complete after 6 hours... fook that... downloaded the latest Kaspersky but it wouldn't install as long as I had Avast installed... sorry I already paid for Avast and I like the script monitoring feature...
jwbirdsong Posted May 24, 2007
1% complete after 6 hours. I wouldn't have been THAT patient...... hee hee
But I also REALLY would like to see a log from a scan... would you be willing to try ONE more??
Please go HERE to run Panda's ActiveScan
Once you are on the Panda site click the Scan your PC button.
A new window will open... click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component allow it.
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes).
When download is complete, click on My Computer to start the scan..
NOTE: Just select your C:\ Drive instead... As you have several others, but I'm mainly interested in C:
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.
Steviebone Posted May 24, 2007 (Author)
lol, will do....
Steviebone Posted May 25, 2007 (Author)
couldn't find a way to restrict the scan to c: so I let it run until most of c & d were done and then stopped it. It found three threats, all of which were identifiable by me:
pskill - I use it to kill local processes from a batch file before running games
ipscan - I use it to scan my network for open ports
lzx32 - quarantined by combofix (this was the culprit and is zipped up inside the combo quarantine folder)

couple of comments, couple of questions

first, I think I'll hold on to all the handy tools I have used during this process, don't see any need to trash them... any reason I shouldn't run combofix once in a while? It seemed to find things nothing else did. Which brings me to my next question...

I have installed now on this computer: Avast, Nod32, AVG, Spyware Detector, SpybotS&D, Spysweeper, KeyScrambler, KeyloggerHunter. Avast and Nod32 have always worked together. So far, no problems running Spyware Detector at the same time either. The others I keep unloaded and run a scheduled scan with each of them periodically. When running scans from the others I have to disable everything else first (something I don't like to do since it requires me disconnecting the machine from the Internet for the duration).

I'm wondering why Nod32 and AVAST failed to pick up the rootkit even though in the case of AVAST I used a boot time scan. And, BTW... I could never find a way to do a boot time scan with Nod32, making it next to useless IMO. Wish I could get my money back on that one.

So in your opinion, what is the best virus scanner to leave active? I really like Avast's script scanner and the fact that u can turn on verbose display of real-time scans. This allowed me to spot a Yahoo mail virus once that was running undetected by everything. Funny, Avast displayed the running script in the verbose window but failed to identify it as a virus. Nevertheless, had it not been for this feature of Avast I would never have spotted it so easily except through careful inspection of syslogs.

More importantly, in trying to understand how the infection got there in the first place... I am VERY careful NEVER to open any emails that I don't already know the origin of... even tho all the emails are scanned on inbound by at least three scanners... the ISP's, Nod32 and Avast. And I never browse the Internet at large and keep the IE settings pretty tight, following the server2003 model.

I use a hardware firewall which is set to reject EVERYTHING that is not explicitly allowed. And I regularly scan my network ports to make sure no holes open up. Of course, the Windows firewall, which is also next to useless IMO, was left active. Should I run a software firewall in addition to the hardware one?

Recently, tho, I allowed someone to plug their laptop into my hub for a few minutes. Out of curiosity, I ran a virus check for them. Despite their assurances the system was clean, I found 42 viruses almost immediately (lol). I immediately disconnected the machine... I had assumed that since the laptop was NOT configured to address my workgroup or domain and had no log on name and passwords that it could NOT communicate with the other computers on the network all of whom have guest access removed, etc. I know that none of the computers were visible to the laptop's explorer, etc. However, I must now assume that I am overlooking something... could it be port 80? Could the laptop have infected the only XP machine on the subnet by channeling thru port 80? Seems unlikely since that computer had at least two virus scanners running at the time... As far as I can tell, all the other machines on the subnet are clean (they are all running 2003 server tho). Could the rootkit have proliferated to a neighboring machine without workgroup access and logon credentials?

My new rule: absolutely NO outside machines anywhere on my subnet even for a second.

The only other thing I can think of is that the infection was coincidental and resulted from something I loaded on to the machine that the virus scanners failed to pick up... after all they didn't see it when combofix did. This is the only machine I surf and get email from. That is an intentional design. All of the other computers on the subnet are used for specific purposes and are configured, in most cases, for little or no access to the outside world.

I know this is more security related dialogue, but any comments or suggestions?
Steve
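The question of whether the visiting laptop ever reached the XP box is one the Windows Firewall log can answer, since the poster left that firewall active: every inbound packet it dropped is recorded with source address and destination port. The following is an added example, not part of the thread and not code from any tool named in it: a Python reader for the W3C-style pfirewall.log layout, which takes its column names from the file's own #Fields header rather than hard-coding them. The log lines, the local address 192.168.1.10, the "known" host 192.168.1.20 and the "laptop" 192.168.1.77 are all constructed for the example; the field list shown is the XP SP2 layout as I recall it and is an assumption, which is why the parser trusts the header instead.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed sample: a few lines in the shape of a Windows Firewall pfirewall.log.
# 192.168.1.10 is the local XP machine, 192.168.1.20 a known server,
# 192.168.1.77 a host that should not be on the subnet at all.
SAMPLE_FIREWALL_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-05-22 10:51:02 DROP TCP 192.168.1.77 192.168.1.10 1043 445 48 S 3112345678 0 65535 - - - RECEIVE
2007-05-22 10:51:03 DROP TCP 192.168.1.77 192.168.1.10 1044 139 48 S 3112345700 0 65535 - - - RECEIVE
2007-05-22 10:51:09 DROP TCP 192.168.1.77 192.168.1.10 1045 80 48 S 3112345800 0 65535 - - - RECEIVE
2007-05-22 10:52:15 DROP UDP 192.168.1.77 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2007-05-22 10:53:40 OPEN TCP 192.168.1.10 192.168.1.20 1050 80 - - - - - - - - SEND
2007-05-22 10:54:01 DROP TCP 192.168.1.20 192.168.1.10 2200 135 48 S 411 0 65535 - - - RECEIVE
"""


def parse_firewall_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header defines the column order
            continue
        if line.startswith("#"):
            continue                       # other W3C header lines
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # skip truncated or malformed lines
        records.append(dict(zip(fields, parts)))
    return records


def inbound_contacts(records: Iterable[Dict[str, str]], local_ip: str) -> Dict[str, Set[int]]:
    """Map each remote source to the set of local ports it tried to reach.

    Only traffic addressed to local_ip itself counts; broadcast noise such as
    NetBIOS name queries to x.x.x.255 is left out, and the host's own
    outbound connections (src-ip == local_ip) are ignored.
    """
    contacts: Dict[str, Set[int]] = defaultdict(set)
    for r in records:
        if r["dst-ip"] == local_ip and r["src-ip"] != local_ip:
            contacts[r["src-ip"]].add(int(r["dst-port"]))
    return dict(contacts)


def unexpected_sources(records: Iterable[Dict[str, str]], local_ip: str,
                       allowed_hosts: Set[str]) -> Dict[str, List[int]]:
    """Sources that touched the local host but are not on the allow-list."""
    return {src: sorted(ports)
            for src, ports in inbound_contacts(records, local_ip).items()
            if src not in allowed_hosts}


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_FIREWALL_LOG)
    for src, ports in unexpected_sources(recs, "192.168.1.10", {"192.168.1.20"}).items():
        print(f"unexpected host {src} probed local ports {ports}")
```

On the constructed input this flags 192.168.1.77 probing ports 80, 139 and 445 on the XP box, which is exactly the evidence that would settle the "could it reach me?" question one way or the other. The same idea applies to the hardware firewall's own log if it can export one; the allow-list would then be the set of hosts that are supposed to be on the subnet.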