Trojans: AIM, Backdoor, Apropop, HuntBar [RESOLVED]


This topic is locked

#46 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)

And it warns you about sites being added to your Trusted Zone?

Can you post a HijackThis log (made in normal mode)

Regards,
  • 0

#47 MollyM (Topic Starter, Member, 55 posts)

It informs me of a Web Browser Configuration change and then says URL Zone Change, and when I click for more information it gives me the site addresses. It then gives me the option of denying them access or just saying OK.

Here's my log (NOT from safe mode :tazz: )

Logfile of HijackThis v1.99.1
Scan saved at 4:13:57 PM, on 6/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Washer\washer.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdui.exe
C:\Documents and Settings\Molly\Desktop\Unused Desktop Shortcuts\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Molly"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WinMPG Video Convert 5.5 - {DD978772-B08B-4461-83FE-DACCA5F70524} - C:\PROGRA~1\WINMPG~1\winMPGQTr.dll (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • 0
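As an added example (not code from HijackThis, from this thread or from its participants): a small Python parser that turns entries like those in the log above into records, pulling out the section code, CLSID and file path, and flagging the items an analyst checks first, such as entries marked "(file missing)", O6 Internet Explorer policy restrictions, O16 downloaded ActiveX controls and O21 shell load hooks. The sample entries are copied verbatim from the log above; the triage flags are my own heuristics and only mark what to verify by hand, not a verdict on any entry.

```python
"""Parse HijackThis v1.99-style log entries into structured records and
flag the ones an analyst normally looks at first.  Example code written
for this thread; it is not part of HijackThis and the triage rules are
the author's own heuristics, not a verdict on any entry."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Entries copied verbatim from the log posted earlier in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: hpoddt01.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O21 - SSODL: WinMPG Video Convert 5.5 - {DD978772-B08B-4461-83FE-DACCA5F70524} - C:\PROGRA~1\WINMPG~1\winMPGQTr.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

# "O4 - <body>": section code, then everything after the dash.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
# A COM class id in the 8-4-4-4-12 form HijackThis prints.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A Windows path, either quoted (may contain spaces) or bare (stops at whitespace).
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s"]+)')


@dataclass
class Entry:
    section: str                 # HijackThis section code, e.g. "O4"
    body: str                    # everything after "O4 - "
    clsid: Optional[str] = None
    path: Optional[str] = None
    flags: list = field(default_factory=list)


def triage_flags(e: "Entry") -> list:
    """Heuristic flags: reasons an analyst would look twice at the entry.
    They point at what to verify; they do not say the entry is malicious."""
    flags = []
    if "(file missing)" in e.body:
        flags.append("orphaned-reference")      # registry points at a file that is gone
    if e.section == "O4" and e.body.rstrip().endswith("= ?"):
        flags.append("unresolved-startup")      # shortcut target could not be resolved
    if e.section == "O6":
        flags.append("ie-policy-restriction")   # IE policy keys: set by admins, also by some spyware
    if e.section == "O16":
        flags.append("downloaded-activex")      # DPF entries are ActiveX controls pulled from the web
    if e.section == "O21":
        flags.append("shell-load-hook")         # SSODL entries load a DLL into Explorer at logon
    if e.section == "R1" and "ProxyServer" in e.body:
        flags.append("proxy-setting")           # confirm the user configured the proxy themselves
    return flags


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for a HijackThis item line, or None for header/process lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    entry = Entry(section, body,
                  clsid=clsid.group(0) if clsid else None,
                  path=(path.group(1) or path.group(2)) if path else None)
    entry.flags = triage_flags(entry)
    return entry


def parse_log(text: str) -> list:
    """All item entries in a log, in order; non-item lines are skipped."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def triage(text: str) -> dict:
    """Summarise a log: entry count, per-section counts and the flagged entries."""
    entries = parse_log(text)
    counts = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    flagged = [e for e in entries if e.flags]
    return {"total": len(entries), "counts": counts, "flagged": flagged}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['total']} entries, sections: {report['counts']}")
    for e in report["flagged"]:
        print(f"{e.section:>4}  {', '.join(e.flags):<36} {e.path or e.clsid or e.body[:50]}")
```

Run against the sample, it reports ten entries and six flagged ones; the O21 line carries two flags because it is both a shell load hook and a reference to a DLL that is no longer on disk. A real triage would then compare each path and CLSID against a list of known-good entries, which is exactly the manual step the helpers in this thread perform.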

#48 MollyM (Topic Starter, Member, 55 posts)

I should also mention that these warnings happen in groups. I'm either constantly receiving them, or the polar opposite: everything seems perfectly fine.
  • 0

#49 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)

Me thinks I got the picture. Did you just install SpywareBlaster or IE-Spyad?

In that case you can allow the changes. SpywareBlaster adds a bunch of sites to the Restricted Zone, so they won't be able to hijack you when you accidentally land there.

Regards,
  • 0

#50 MollyM (Topic Starter, Member, 55 posts)

Nope, I've had Spyware Blaster installed for about a week now. In addition, Spyware Guard has been running the same amount of time and is always disabling certain options or closing itself... even when I fix it, it'll go back to not all options being checked.
  • 0

#51 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)

I'd like you to install ProcessGuard, free version available here: http://www.diamondcs...p?page=download
Instructions: http://www.commontol...g3.html#details

Let me know if you need any help and make sure every decision is a thought out one.

I want to rule out that something hidden like a rootkit is trying to take over your system.
Well used, Process Guard will stop those.

Regards,
  • 0

#52 MollyM (Topic Starter, Member, 55 posts)

Hi Pieter:

Sorry for the huge delay. I'm about to get started on this.
  • 0

#53 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)

No problem. Take your time. It's not an easy program.
I'll check back later.

Regards,
  • 0

#54 MollyM (Topic Starter, Member, 55 posts)

Awesome. Thanks!
  • 0

#55 MollyM (Topic Starter, Member, 55 posts)

Alright, I'm totally lost. It's in "Learning Mode" and when I unclick that it starts asking me if I want to allow certain things access. Some things on the list I recognize, while others I've never seen. This, of course, doesn't necessarily mean they're malicious. I'm looking through the Beginners part of the Help file, but I'm not sure how to enable protection without knowing what to allow.

How would we go about looking to see if it is a rootkit taking over the system?
  • 0

#56 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)

Allow only what you recognize.

You did have a look at Andreas' site?

A lot of things that need to be allowed are listed there.
Let me know if you have any questions.

Regards,
  • 0

#57 MollyM (Topic Starter, Member, 55 posts)

May have run myself into a bit of a problem...

Yesterday I read that site and I allowed only what I recognized. This morning I went to turn the computer on and it came up with a screen early on in the startup process. It said that Windows needed to check File System on Drive C:/. A few things came up on the screen (Molly@go was listed... this concerned me because of that whole "go.com" cookie I keep seeing) and it displayed the percentage completed. When it finished it brought me to the normal login screen. However, when I click my name like normal, it automatically says logging out and doesn't let me get to my desktop. I figure I must have blocked something in Process Guard necessary for proper startup. I tried to boot into safe mode to edit the list in Process Guard, but everything is grayed out.

The only thing I could think of doing was going into Add/Delete Programs in Safe mode and getting rid of Process Guard. I didn't do it though because with my golden touch I probably would have messed it up more. What do you recommend?
  • 0

#58 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)

Run Process Guard's uninstall utility. You can see this from the Start Menu -> Process Guard -> Uninstall.
To verify the removal, make sure procguard.sys does not exist in the c:\windows\system32\drivers directory, and that procguard.dll and pguard.dat are not in your system32 directory (c:\windows\system32). If they still exist, delete them.
Reboot your machine and Process Guard should now be removed.

In the meantime I have found a relatively simple program (maybe too simple, but we'll see) to find rootkits.

http://greatis.com/unhackme/

Let me know if it finds anything.

Regards,
  • 0

#59 MollyM (Topic Starter, Member, 55 posts)

You saved me again! Process Guard is now gone and I was able to startup normally.

Upon initial launch UnHackMe produced a blue screen and I had to restart. I relaunched the program and clicked "Check Me Now" and almost immediately received the message "That's all right! There is no trojan found". Maybe it is too simple.

Are there any other tools to detect rootkits that you know of? As much as I don't know what I'm talking about, the description I read about rootkits seems to be spot on.
  • 0

#60 MollyM (Topic Starter, Member, 55 posts)

I did a search here for rootkit to see what others have done to take care of this problem. It looks as though "Ewido" picks them up if they're on the system. Is this something I can install, or is it an anti-virus-like program that would interfere with McAfee?
  • 0