Hi there everyone, yesterday Webroot Spy Sweeper detected a high-risk trojan, but all my other scanners found nothing.. I'm thinking it's more of a false positive. Just to be sure, here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:54:50 PM, on 8/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AntiSpy Pro\AntiSpyPro.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O15 - Trusted Zone: http://www.adobe.com
O15 - Trusted Zone: http://www.cloverchurch.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted IP range: http://192.168.1.1
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Sandboxie Service (SandboxU) - tzuk - C:\Program Files\Sandboxie\SandboxieServer.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
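Editor's note (added example, not part of the original thread): the detection under discussion lands on a DLL registered in AppInit_DLLs (the O20 line of the log above), a load point that legitimate firewalls and trojans both use, so the DLL's directory alone settles nothing. The script below parses HijackThis-style entries, picks out the load points worth checking first (O20 AppInit_DLLs / Winlogon Notify, O23 services, O2 BHOs, O4 autostarts, O15 Trusted Zone sites) and attaches a note on what to verify for each. The sample entries are copied from the log above; the risk ratings, the EXPECTED_TRUSTED host list and all function names are this example's own assumptions, not HijackThis or any vendor's classification.

```python
import re
from typing import Dict, List

# Entries copied from the HijackThis log in the post above, limited to the
# load points a triage looks at first (the full log has many more lines).
SAMPLE_LOG = r"""
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O15 - Trusted Zone: http://www.cloverchurch.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
"""

# "O20 - AppInit_DLLs: ..." -> section "O20", body "AppInit_DLLs: ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")

# A Windows path ending in a loadable/executable extension. Spaces are allowed
# inside segments because HijackThis does not always quote paths.
PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]+?\.(?:exe|dll|sys|ocx|cpl|scr)\b',
    re.IGNORECASE,
)

# What each HijackThis section means for triage. The risk ratings are this
# example's own judgement (an assumption), not a HijackThis or vendor rating.
LOAD_POINTS = {
    "O2":  ("Browser Helper Object, loaded into Internet Explorer", "medium"),
    "O4":  ("Autostart entry (Run key or Startup folder)", "medium"),
    "O15": ("Site added to the IE Trusted Zone (relaxed security settings)", "low"),
    "O20": ("AppInit_DLLs / Winlogon Notify: DLL injected into many or privileged processes", "high"),
    "O23": ("Windows service, usually running as LocalSystem", "medium"),
}

# Hosts this example treats as expected in the Trusted Zone (an assumption).
EXPECTED_TRUSTED = ("microsoft.com", "windowsupdate.com")


def parse_hjt(log_text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into (section, body, first path) records."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, "Running processes:", blank lines
        body = m.group("body")
        paths = PATH_RE.findall(body)
        entries.append({"section": m.group("section"), "body": body,
                        "path": paths[0] if paths else ""})
    return entries


def uses_short_name(path: str) -> bool:
    """True if the path contains an 8.3 short segment such as PROGRA~1."""
    return re.search(r"~\d", path) is not None


def trusted_zone_host(body: str) -> str:
    """Host part of an O15 entry, with a leading wildcard label dropped."""
    m = re.search(r"://(?:\*\.)?([^/\s]+)", body)
    return m.group(1).lower() if m else ""


def triage(log_text: str) -> List[Dict[str, object]]:
    """One finding per entry in a watched load point, with notes on what to check."""
    findings = []
    for e in parse_hjt(log_text):
        if e["section"] not in LOAD_POINTS:
            continue
        load_point, risk = LOAD_POINTS[e["section"]]
        notes = []
        if e["section"] == "O20":
            notes.append("both firewalls and trojans use this hook; "
                         "verify the DLL's publisher and signature, not just its directory")
        if e["path"] and uses_short_name(e["path"]):
            notes.append("8.3 short name hides the real directory; expand it before judging")
        if e["section"] == "O15":
            host = trusted_zone_host(e["body"])
            if not any(host == d or host.endswith("." + d) for d in EXPECTED_TRUSTED):
                notes.append("non-Microsoft site in IE Trusted Zone: confirm the user added it")
        findings.append({"section": e["section"], "load_point": load_point,
                         "risk": risk, "path": e["path"], "notes": notes})
    return findings


def high_risk_paths(log_text: str) -> List[str]:
    """Paths sitting in the load points that deserve a signature check first."""
    return [f["path"] for f in triage(log_text) if f["risk"] == "high" and f["path"]]


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f["risk"]]):
        print(f"[{f['risk']:6}] {f['section']} {f['path'] or f['load_point']}")
        for n in f["notes"]:
            print("         -", n)
```

Run against the full log, the output puts wl_hook.dll and WRLogonNTF.dll at the top: those are the two files to check by publisher and signature (and, if in doubt, by hash against the vendor's installer) before deciding between "firewall hook" and "trojan", which is exactly the question the rest of this thread argues over.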
The trojan is called Maccess; Spy Sweeper said one of the DLLs in my firewall's program directory was infected.
Well, it's not a false positive, look here: http://www.sophos.com/security/analyses/trojmaccessa.html As for removing it, I can't find a lot of help. On that site they give removal instructions for trojans, but usually they want you to buy their products. And after looking over the removal instructions, they do not give much help. Ewido may pick it up and get rid of it. Get it here: http://free.grisoft.com/doc/1 Install and update. Restart your computer in Safe Mode (press F8 upon boot, select "Safe Mode" from the menu). Run a full scan. If it finds it or anything else, be sure to set all items to delete and then click "Apply All Actions". Then click "Save Report". Post back with the results or the Ewido log.
Well.. the problem is, I believe if I remove it then it could screw up my firewall.. Here is a screenshot of what Spy Sweeper detects: http://img90.imageshack.us/img90/9696/trojanld6.jpg I haven't noticed anything unusual. I've tried Ewido and HouseCall, and they don't detect anything; heck, even UnHackMe and Trojan Remover don't pick up anything. When I run Active Ports, there is nothing out of the ordinary.
Quarantine it with Spy Sweeper. If your firewall doesn't work after that, you can restore the files. If it works fine, delete them.
OK, I've quarantined the infected files and Outpost still runs, hmmm.. Oh well, I have no idea where this thing came from.. Everything still seems normal. Thanks for the help.
I just did. I posted this over on the Outpost forums; maybe they could give me an answer as to what this was. I mean.. it could have been a trojan.. or it could have been an innocent feature included with the firewall. There have been several times in the past where Spy Sweeper detects an innocent program and says it's something dangerous; examples would be PeerGuardian2 and AnyDVD.
One way you could find out if it came with the firewall is to reinstall it. Since you have now deleted them they will come back after the reinstallation.
Well, I got a reply from the Outpost forums, and it is indeed a false positive. Here is what one of the Agnitum developers has to say:
Yeah, it was a false positive, you can tell from its location; it happens. Nothing to worry about. @Fartdude, you have both SpywareGuard & SpywareBlaster installed and running at the same time; it's highly recommended you uninstall one.
That's the first I've heard of that; from what I've read, both of them are highly recommended. And SpywareBlaster doesn't run at all times, it just creates restricted Internet zones and blacklists certain ActiveX controls, whereas SpywareGuard protects against bad downloads and uses heuristics to help detect newer threats (that's one reason the definitions haven't been updated since '04).
Last night Spy Sweeper blocked Trojan Maccess from coming in the back door.. I was on a news site when it happened.

Trojan Horse

Trojan Maccess is a remote access Trojan that may allow a hacker to gain unrestricted access to your computer when you are online. Trojan Maccess may manage files on your computer, including creating, deleting, renaming, viewing, or transferring files to or from your computer. It can utilize a program manager that allows a hacker to install, execute, open, or close programs. The hacker can gain remote control of your cursor and keyboard and can even send mass e-mails from your infected computer. It can run in the background, hiding its presence.

Trojan Maccess is usually disguised as a harmless software program and is generally distributed as an e-mail attachment. Opening the attachment may cause an auto-installation process that loads the Trojan onto your computer without your knowledge or consent. This Trojan may open a port on your computer that may enable a hacker to gain remote control of your computer.

Additional Comments: It is recommended that you change all of your passwords after removing this program. If you bank online, you might consider changing your credit card and bank account numbers. You should also monitor your credit card and bank statements carefully over the next several months for signs of fraudulent activity.
@FartDude,
---------------------------------------
SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware! And you can easily have an anti-virus program running alongside SpywareGuard. SpywareGuard now also features Download Protection and Browser Hijacking Protection!

Features Listing:
* Fast Real-Time Scanning engine - catch and block spyware before it is executed (EXE and CAB files supported) with signature-based scanning for known spyware and heuristic/generic detection capabilities to catch new/mutated spyware
* Download Protection - prevent spyware from being downloaded in Internet Explorer
* Browser Hijacking Protection - stop browser hijacking activity in real-time
* SG LiveUpdate - provides an easy updating solution
* Small size - with a small size and small definition sizes, downloads and updates are quick
* Report Capabilities - keep a detailed log of all spyware detected
* Spyware files are blocked before being opened or run - they are not simply shut down after they are loaded in memory (and after they have performed their tasks)
* It's a free download
--From: http://www.javacoolsoftware.com/spywareguard.html
---------------------------------------
It runs in real time; you should only have one anti-spyware program running in real time... Having more than one running can consume massive amounts of resources and create system instability.
A little update here: I just restored my HDD (not formatted.. I love Acronis True Image) and updated Spy Sweeper and ran the scan once more, and it detected nada.. So this was nothing after all.
My Spy Sweeper found the same thing, but I want to say that the other computer on my network started giving me many problems. I found that it also had the same Maccess trojan horse, after installing trial Webroot on it (couldn't access Outlook to activate it to remove it, however), but I did not have Spy Sweeper on it, and it did a great deal of damage to that computer. Norton kept being disabled, my upgrades to Windows were deleted or did not show up any longer in Add and Remove, Outlook could not be accessed. What has happened to it? It is unplugged and useless for now. Seems many people do not know about removing this trojan horse, from what I am reading. I think that Webroot saved this new computer. About the same time I received a warning that HKCU was attempting to insert itself in my startup. I see that you have that. I denied it access, since I had not given it permission. In addition, I received a warning that someone was trying to change my homepage. So I do not think this is a false positive. It may have begun with HP. As originally, I kept getting a popup that I could not get rid of. When I downloaded the update for HP with a patch, the popup ceased. From reading the forums, I learned that this was part of a virus and could be removed with the patch. Webroot advised that I run it three consecutive times and to download the latest definitions. It took several days, but I am no longer receiving these warning messages. None of my other virus or spyware programs detected any of these problems. My old computer's (on the network) condition is proof of the pudding. In the advanced section of Sophos under Maccess-A he says registry entries may be created under the following: HKLM\SOFTWARE\Microsoft\Windows\AppInit_DLLs