1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

I need help with this Trojan Horse....please!!

Discussion in 'Windows - Virus and spyware problems' started by gwendolin, Mar 10, 2007.

  1. gwendolin

    gwendolin Senior member

    Joined:
    Jun 29, 2005
    Messages:
    7,447
    Likes Received:
    0
    Trophy Points:
    116
    Just one final question, can I now delete the folders made by Vudofix etc.
     
  2. bkf

    bkf Guest

    YES you can. And think it was my first time at bat. I still got so much to learm. Kota knowes it by heart, I still have to look it up, but im getting there. If I learn I can help and im happy with that. :)

    Gwen question: did you run an AV against that disk before you opened any files?

    It is a pitty, they have so much to offer but they take the dark side of the moon.

    Best to you and Kota! It was an honer to work with you!! You don't know how much I learned. Ken
     
    Last edited by a moderator: Mar 11, 2007
  3. KotaGuy

    KotaGuy Regular member

    Joined:
    Feb 14, 2007
    Messages:
    485
    Likes Received:
    0
    Trophy Points:
    26
    As bkf as said... you can delete the VundoFix backup folder. You can also delete the SDFix folder(C:\SDFix) and the WinPFind folder too if you wish.

    And I'm glad you're learning things, bkf :)
     
  4. bkf

    bkf Guest

    Yea now I have to take your class for the next year or two to become good. I just hope cancer don't get in the way. I would miss helping. Your one person, can you figure 50 of us with the same passion in your group you and your group feels? :)
     
    Last edited by a moderator: Mar 11, 2007
  5. KotaGuy

    KotaGuy Regular member

    Joined:
    Feb 14, 2007
    Messages:
    485
    Likes Received:
    0
    Trophy Points:
    26
    Its an ongoing battle, bkf. Malware coders are constantly developing new crap to infest computers with. We see new junk every day.

    So the need for people that can provide competent help is great.

    There is a lot to learn. But it can be done in about 4-6 months or so depending on how quickly a person picks things up.

    We have many students at MRU... all with the same passion.

    Would be great to see you sign up :)
     
  6. gwendolin

    gwendolin Senior member

    Joined:
    Jun 29, 2005
    Messages:
    7,447
    Likes Received:
    0
    Trophy Points:
    116
    OK guys, here comes the big test...my son has NEVER run an Antivirus check so I'm going to do one now. Will let you know what happens, Cheers.
     
  7. bkf

    bkf Guest

    I will do that and you can see im no dummy, I can spend 24/365 in the effort. My words might be a bit different like "Trigger" but you know what I mean
     
  8. bkf

    bkf Guest

    Gwen you killing us. No matter what, we fight to win! A motto of a group I still need to join.

    My spelling still sucks. Does that count?

    Bring it on Grew, We live to WIN

    Reason I read every log that was ever posted :)
     
    Last edited by a moderator: Mar 11, 2007
  9. bkf

    bkf Guest

    I will request a join tomorrow Kota.
     
  10. bkf

    bkf Guest

    I requested join; Why wait till tomorrow. I know things change. So no big deal, We will win. Ken aka bkf
     
    Last edited by a moderator: Mar 11, 2007
  11. gwendolin

    gwendolin Senior member

    Joined:
    Jun 29, 2005
    Messages:
    7,447
    Likes Received:
    0
    Trophy Points:
    116
    Well the scan (Spyware ) is only 235,000 files and so far 324 infections found. Cant wait to run the AntiVirus....it's been 2 years since he's done any scans...OUCH!!!
     
  12. bkf

    bkf Guest

    Gwen you worry to much LOL I got 2 million files and the only one it pukes on is the one that sets the tcip stack to 50 rather then 10 on the last drive. Set to ignore.

    Gwen I see you have Logitec setpoint, Don't upgrade to 3.30. It plays with office like crazy. Stay with 3.01. They messed up once again. i just backed my system up to a point before the new update. Everything is working well again. 3.30 was their first attempt at vista and even that update requires another update
     
    Last edited by a moderator: Mar 11, 2007
  13. gwendolin

    gwendolin Senior member

    Joined:
    Jun 29, 2005
    Messages:
    7,447
    Likes Received:
    0
    Trophy Points:
    116
    Thanks for the info. I wont upgrade.

    AntiSpyware scan......350
    AntiVirus..after 6000 file 39 Viruses.....how disgusting is that.
     
  14. KotaGuy

    KotaGuy Regular member

    Joined:
    Feb 14, 2007
    Messages:
    485
    Likes Received:
    0
    Trophy Points:
    26
    Gah!

    Two years without any scans???

    Surprised the machine is still useable :p

    Nice to hear you requested to join up, Ken.
     
    Last edited: Mar 11, 2007
  15. bkf

    bkf Guest

    LOL 39???? Thats a bonus. New motto: what ever it takes we will win! Once you join this group there is no turning back.

    Thanks Koda: I guess it's up to you now. You seen my faith and my will to spread my wings without hurting anyones systems. Im still on phase one. Reading logs. Time to move to phase 2 I guess with a constent virgil on phase one.
     
    Last edited by a moderator: Mar 11, 2007
  16. gwendolin

    gwendolin Senior member

    Joined:
    Jun 29, 2005
    Messages:
    7,447
    Likes Received:
    0
    Trophy Points:
    116
    Yes, I find it hard to believe also, it's now up to 47 Trojan Horses...I dont think the Romans had that many horses!!....only 47000 files scanned so far....get some rest guys I will soon be looking for you Cheers.
     
  17. bkf

    bkf Guest

    Gwen no matter what happens it can be fixed. But two years is a little over the top. I run my stuff several times a single day.
    Chill: Everything will be fine :)

    If the system had anything serious it would not be working.
    As long as it has connection it can be fixed. We know a few tricks.
     
    Last edited by a moderator: Mar 11, 2007
  18. gwendolin

    gwendolin Senior member

    Joined:
    Jun 29, 2005
    Messages:
    7,447
    Likes Received:
    0
    Trophy Points:
    116
    I absolutely LOVE your Attitude....you'll be hearing from me as soon as scan finishes.
     
  19. gwendolin

    gwendolin Senior member

    Joined:
    Jun 29, 2005
    Messages:
    7,447
    Likes Received:
    0
    Trophy Points:
    116
    OK guys, here goes, couldnt get past the 47 mark,good luck


    ogfile of HijackThis v1.99.1
    Scan saved at 3:39:23 AM, on 3/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\WINDOWS\vsnpstd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Ares Galaxy Classic\Ares.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Aaron.B\Desktop\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.optusnet.com.au/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\winmgd.win
    F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win
    O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINDOWS\mslagent\4b_1,0,1,0_mslagent.dll (file missing)
    O2 - BHO: (no name) - {04A3DB14-A063-913C-2A0F-EB1F92BFE292} - C:\DOCUME~1\Aaron.B\APPLIC~1\FLAPOK~1\thislite.exe (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - (no file)
    O2 - BHO: C:\WINDOWS\adsldpbc.dll - {F50E78F8-7983-486F-912D-A927EA0164A1} - C:\WINDOWS\adsldpbc.dll (file missing)
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
    O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\system32\Kernel32.win
    O4 - HKLM\..\Run: [Israfel] C:\WINDOWS\system32\Israfel.vbs
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
    O4 - HKCU\..\Run: [Soap Hole] C:\DOCUME~1\LOCALS~1\APPLIC~1\GLOBAL~1\tonslogbolt.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Lhbe] "C:\Program Files\uwaw\aoao.exe" -vt mt
    O4 - HKCU\..\Run: [Kginnkuu] C:\WINDOWS\system32\w?nword.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Galaxy Classic\Ares.exe" -h
    O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [Camfrog] "C:\Program Files\Camfrog\Camfrog Video Chat 3.6\CamfrogNet.exe" 0 C:\Program Files\Camfrog\Camfrog Video Chat 3.6\Camfrog Video Chat.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_90.dll' missing
    O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
    O15 - Trusted Zone: *.coolwebsearch.com
    O15 - Trusted Zone: *.i-lookup.com
    O15 - Trusted Zone: *.offshoreclicks.com
    O15 - Trusted Zone: *.searchmeup.com
    O15 - Trusted Zone: *.teensguru.com
    O16 - DPF: v3cab - http://searchmiracle.com/cab/6.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c1.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128424126250
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {A02780C3-7F77-4E28-855B-28890F3CF37A} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMLIB_1035_pack_XP.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.filelodge.com/ImageUploader3.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

     
  20. KotaGuy

    KotaGuy Regular member

    Joined:
    Feb 14, 2007
    Messages:
    485
    Likes Received:
    0
    Trophy Points:
    26
    Wow... CWS... LOP... PurityScan... VBS Script infection thats a file infecter/appender... SDBot... and who know what else. Wouldn't be surprised to find a RootKit either.

    This machine has been totally messed up.

    I can try to clean it up... but because of the nature of the infections I cannot guarantee its security afterwards. This one would be a challenge... even for me.

    Safest course of action would be to wipe it and reinstall Windows.

    But if you want me to try and clean I'll do my best.

    Though it will take some work ;)
     

Share This Page