Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Worried!

Started by decallieres , May 03 2005 02:25 PM

  • Please log in to reply

#1
decallieres
Posted 03 May 2005 - 02:25 PM

decallieres

    New Member

  • Member
  • Pip
  • 4 posts
I have AVG7, Ad Aware pro and Zone labs firewall running, so I thought I was well protected. However, still managed to get virus(es).

First I knew was a pop up window from AVG saying it had found a virus. It was located in local settings\Temporary Internet Files\ContentIE5\GXEBOXYR\vbs[1].htm AVG called it VBS/Psyme, though Symantec call it Trunlow

I ran avg7, but it still took 3 goes to get rid of it (admittedly, I forgot to do it in safe mode). I also noticed 3 changes to the windows registry (which I thought Ad aware pro prevented?). The following were changed :
windows\system32\user32.dll, shell32.dll, ntoskrnl.exe

I started in safe mode and AVG found another Trojan, this time « Startpage.21.AL » which it deleted.

So, I think I’ve got rid of it, but my Zone Alarm firewall keeps blocking incoming attacks from 192.168.2.1. and so I decided to deny web access to anything that I didn’t recognise. I’m, now getting Zone Alarm blocking “Generic Host Process for Win32 Services could not accept a UDP Port 1900 connection from 192.168.2.1 because internet servers are blocked.” Also, I’m still getting messages that Zone Alarm keeps blocking access from 192.168.2.1 (TCP Port 1042 – TCP Flag:s)

I’m worried that I’ve still got an infection on my pc and that changes have been made to the registry.

So I have lots of questions (sorry to be a pain!):
1: How do I get rid of it and
2: how do I stop it happening again?
3: Can I set IE to atomically reject any .vbs sites? Or should I change to Firefox which I understand is better for security?
4: Can I “freeze” the registry so that no changes can be made without my knowledge.
5: Do these registry checking software really work and how do I know if a site is offering this sort of software is legit? I'm a bit paranoid about downloading .exe files!
Your help would be much appreciated.
  • 0

Advertisements

#2
Metallica
Posted 15 May 2005 - 01:03 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
First of all release the network traffic in ZoneAlarm.

The 192.168 range is for private networks, so I think your are blocking acces for other computers in the network to yours and/or vice versa.

There are lots of tools to protect you. Start by following the link in my signature.

Since you are looking for a program to stop scripts with and I have no links to any of these on my site, I would advise to look at:
http://www.analogx.c...tem/sdefend.htm
or (more elaborate but not freeware):
http://wormguard.diamondcs.com.au/

Regards,
  • 0

#3
decallieres
Posted 15 May 2005 - 03:58 PM

decallieres

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks for the reply.
With reard to the 198.168 range that Zone Alarm is blocking, I was concerned about this as I don't have a network, just me and the internet. Is it still safe to allow the traffic?

Since I posted my original request, I have downloaded and run ewido security, Spybot (which found spyware that Adaware Pro missed), CW Shredder etc.

I will have a look at the link you posted but in the meantime, could you have a quick look at my logs and to make sure that I really have got rid of all the malware.

Many thanks, you run a great site. Here's my log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 17:38:15, 15/05/2005
+ Report-Checksum: F758E9E

+ Date of database: 15/05/2005
+ Version of scan engine: v3.0

+ Duration: 30 min
+ Scanned Files: 79934
+ Speed: 43.98 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
No infected files found!


::Report End


Hijack this report :
Logfile of HijackThis v1.99.1
Scan saved at 17:43:11, on 15/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Anti Virus Tools\security suite\ewidoctrl.exe
C:\Anti Virus Tools\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Anti Virus Tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.red.client...www.yahoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.ingdirect.co.uk
O15 - Trusted Zone: http://www.natwest.com
O15 - Trusted Zone: http://www.yahoo.ca
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: ewido security suite control - ewido networks - C:\Anti Virus Tools\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Anti Virus Tools\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#4
Metallica
Posted 16 May 2005 - 04:01 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Some external modems are set up with the IP of a server in a network.

Can you describe for me as exact as possible how you physically connect to the internet?

Regards,
  • 0

#5
decallieres
Posted 16 May 2005 - 05:28 PM

decallieres

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
I have a DSL (3MB I think) connection from Sympatico (Bell Canada).
The "modem" is a speedstream 5200 Ethernet/usb ADSL modem. I connect using the ethernet cable.

Does everything else look OK?
I remember seeing a link to download some registry checking software. Is this a good thing and if so, how often should I run it.

I've downloaded script defender as you suggested, as well as ewido, spybot etc and nothing else has been picked up, so I'm hoping I'm clean now?

Finally, a big THANK YOU. I really appreciate your time & help.
  • 0

#6
Metallica
Posted 17 May 2005 - 01:11 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Allow the traffic for the 198.168 block

I am very weary of registry cleaners, sincce they can cause havoc on a system when used without doublechecking them.

Make sure it is always set to make backups and only use when you are experiencing problems or slowdowns.

Please have a look at my site for some tips on how to remove and prevent spyware.

Regards,
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP