TheTrueDarkOne Posted July 22, 2006 (edited)

Recently had a rash of trojans (well, 2), just making sure everything looks good.

Logfile of HijackThis v1.99.1
Scan saved at 7:12:08 AM, on 7/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netpede.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.170.214.191:8888
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Cleanup] MCRG
O4 - HKLM\..\Run: [iPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1150153655\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_7
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A8B46F6-045B-4050-A1B7-8756D730C824}: NameServer = 64.233.217.5,64.233.217.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{6A8B46F6-045B-4050-A1B7-8756D730C824}: NameServer = 64.233.217.5,64.233.217.2
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Attachments: Activescan.txt, Ewido.txt

Edited July 22, 2006 by TheTrueDarkOne
therock247uk Posted July 23, 2006

Looks clean... What were the names of these trojans, and what did you use to get rid of them?
TheTrueDarkOne (Author) Posted July 24, 2006

I believe Trojan.Zlob, and it came back one more time; Norton zapped it both times. I thought my logs were clean, but after it came back the 2nd time I thought I'd post my stuff here to double check. I'll check my Norton log later today.
TheTrueDarkOne (Author) Posted July 24, 2006

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.170.214.191:8888

I am not running a proxy, so this scares me :/
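The post above singles out an R1 ProxyServer entry the owner says they never configured. The script below is an added example, not part of the thread and not a HijackThis feature: it parses HijackThis entry lines, flags an R1 proxy when none is expected (classifying the proxy host as loopback, private or public, since a loopback proxy is usually a local filtering product while a public address the user never set is the case to chase), flags O17 NameServer addresses that are not in a caller-supplied set of known-good resolvers, and flags O23 services whose binary is "(file missing)". The sample input is constructed from lines in the log posted earlier in this thread; the set of expected resolvers passed to `audit()` is an assumption, because the page does not say which DNS servers this machine should be using, and the script makes no claim about whether any particular address is malicious.

```python
"""Flag the HijackThis entries this thread cares about: R1 proxy, O17 DNS, O23 missing binaries."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis log posted
# earlier in this thread, so the checks run offline.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netpede.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.170.214.191:8888
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A8B46F6-045B-4050-A1B7-8756D730C824}: NameServer = 64.233.217.5,64.233.217.2
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
""".strip("\n")

# HijackThis entry lines look like "<section> - <body>"; process list lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<proxy>\S+)")
DNS_RE = re.compile(r"NameServer\s*=\s*(?P<servers>[\d.,]+)")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "R1", "O17", "O23"
    detail: str    # human-readable reason for the analyst


def parse_entries(log_text):
    """Return (section, body) pairs for every HijackThis entry line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def classify_proxy_host(proxy_value):
    """Classify the host part of a ProxyServer value as loopback, private, public or hostname.

    Handles the plain "host:port" form and the per-protocol
    "http=host:port;https=host:port" form by looking at the first host listed.
    """
    first = proxy_value.split(";")[0]
    if "=" in first:                       # strip an "http=" style prefix
        first = first.split("=", 1)[1]
    host = first.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def audit(log_text, expected_dns=frozenset(), proxy_expected=False):
    """Walk the log and return Findings for the entries an analyst should verify.

    expected_dns: resolver addresses the owner knows are legitimate (assumed input;
    the thread does not say which resolvers this machine should use).
    proxy_expected: True only if the owner deliberately configured a proxy.
    """
    findings = []
    for section, body in parse_entries(log_text):
        if section == "R1":
            m = PROXY_RE.search(body)
            if m and not proxy_expected:
                kind = classify_proxy_host(m.group("proxy"))
                findings.append(Finding("R1", f"unexpected {kind} proxy {m.group('proxy')}"))
        elif section == "O17":
            m = DNS_RE.search(body)
            if m:
                for server in m.group("servers").split(","):
                    if server not in expected_dns:
                        findings.append(Finding("O17", f"resolver {server} not in the expected set"))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append(Finding("O23", f"service registered but binary missing: {body}"))
    return findings


if __name__ == "__main__":
    # Assumed: the owner recognises only 64.233.217.5, so the second resolver gets flagged.
    for f in audit(SAMPLE_LOG, expected_dns=frozenset({"64.233.217.5"})):
        print(f"{f.section}: {f.detail}")
```

Run against a full log, the R1 finding is the one to act on first: clear the ProxyServer value (or confirm it belongs to a product you installed) before trusting anything the browser fetches, since every HTTP request is being routed through that host. The O17 check only says "not in your list"; confirm the expected resolvers with the ISP or router configuration rather than guessing.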
therock247uk Posted July 24, 2006

Let's just see if there are any leftovers from Zlob...

Please download SmitfraudFix (by S!Ri).
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Select option #1 - Search by typing 1 and pressing "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
TheTrueDarkOne (Author) Posted July 26, 2006

Sorry about the late reply.

SmitFraudFix v2.75b

Scan done at 0:36:42.53, Wed 07/26/2006
Run from C:\Documents and Settings\BIZKIT\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\BIZKIT\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
therock247uk Posted July 26, 2006

Your logs look to be all clean....

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.

I also suggest that you delete any files from "temp" and "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files", select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the Recycle Bin by right-clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.