help i have trojan horse collected.5.L [RESOLVED]


#241 Metallica (Spyware Veteran, GeekU Moderator, 31,942 posts)
Yes. That's a nice dilemma.

When you allow the Command Prompt, more malware gets downloaded.
A firewall would be nice.

Let's see if we can get a batch to do the job.

Please try this:
Copy the code below into notepad and save it as tasks.bat
Set Filetype to "All files"
TASKLIST /FI "USERNAME ne NT AUTHORITY\SYSTEM" /FI "STATUS eq running" >tasks.txt
start notepad tasks.txt

Start the file by double-clicking tasks.bat.
That will open a file called tasks.txt. Post the content of that file.

If this doesn't work I'll ask someone more knowledgeable to write us one.

Regards,

Pieter

#242 duglartis (Topic Starter, Member, 159 posts)
Hi there,
You wouldn't believe it: it carried out the actions, but the tasklist is blank, not a skerrick of information to be had.
Cheers

#243 Metallica (Spyware Veteran, GeekU Moderator, 31,942 posts)
:tazz: :)

Can you repeat the action, but for this batfile:

Tasklist /FI "PID eq 652" >tasks.txt
start notepad tasks.txt


#244 duglartis (Topic Starter, Member, 159 posts)
Hello again. You won't believe this, but another blank txt file is created. Sorry I am not being much help.

#245 Metallica (Spyware Veteran, GeekU Moderator, 31,942 posts)
Not your fault. Don't worry about that. :tazz:

It's just me stabbing at the problem from different angles, trying to make it go away.

Using tasklist will not do us much good it seems.

Can you see if this new program tells us something new:
http://www.resplende...om/hookanalyzer

Don't act on the results please. Just let me know what files are found.
To give you an example, ProcessGuard will also show up in that list.

Regards,

#246 duglartis (Topic Starter, Member, 159 posts)
Hi there. It found 19 kernel hooks, all linking back to Process Guard. Did you want me to post them all, and how do I copy and paste out of Rootkit Hook Analyzer?
Thanks for your help.

#247 Metallica (Spyware Veteran, GeekU Moderator, 31,942 posts)
No. All I needed was the names of the files listed in the Module column.

If they all pointed to procguard.sys then that is OK.

Not sure if I asked this before but are you using a firewall of any kind?

Regards,

#248 duglartis (Topic Starter, Member, 159 posts)
Hello, yes, all the 19 files in Module link to Process Guard. I am running the standard XP firewall.
Cheers

#249 Metallica (Spyware Veteran, GeekU Moderator, 31,942 posts)
How do you feel about installing an easier-to-configure firewall?

There are free options like Sygate, Kerio and ZoneAlarm if you do not want to spend any money on one.

The Windows firewall can be disabled once we have installed one.
In your case I think it would be handy to have an application-based firewall rather than a port blocker (like the Windows firewall), since it will give us more control over what we let go in and out.

Some background information:
http://www.dslreport.....onal Firewall
http://www.wilders.org/firewalls.htm

Regards,

#250 duglartis (Topic Starter, Member, 159 posts)
Will do when I am back at the computer late tomorrow.
Cheers

#251 duglartis (Topic Starter, Member, 159 posts)
Hello, I had a copy of ZoneAlarm, have installed it and have it up and running. Where to from here?
Thanks for your help.

#252 Metallica (Spyware Veteran, GeekU Moderator, 31,942 posts)
Hi Doug,

Sorry it took me so long to get back to you.
Have had some problems lately.

Now, in your ZoneAlarm Control Panel, see if you can find "Program Control". Click on it.
You should now see a list of programs displayed. Check whether you trust each and every one of the programs listed there.

Please post a new ProcessGuard log and any programs you have questions about.

Regards,

#253 duglartis (Topic Starter, Member, 159 posts)
Hello, I have been away too. Here is the PG log:

---Process Guard Log Started---
Thu 15 - 19:05:13 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1024]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Thu 15 - 19:05:13 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realsched.exe" [1520]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\rnms3270.dll" rnmsgcheckdb ]
Thu 15 - 19:05:13 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\services.exe" [492]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Thu 15 - 19:05:13 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1572]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Thu 15 - 19:05:14 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1024]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Thu 15 - 19:05:14 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realsched.exe" [1520]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\rnms3270.dll" rnmsgautocheck ]
Thu 15 - 19:05:15 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [492]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Thu 15 - 19:05:15 [EXECUTION] "c:\program files\zone labs\zonealarm\zlclient.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1024]
[EXECUTION] Commandline - [ "c:\program files\zone labs\zonealarm\zlclient.exe" ]
Thu 15 - 19:05:16 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realsched.exe" [1520]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\upgr3270.dll" autoupdateevent ]
Thu 15 - 19:05:16 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1024]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Thu 15 - 19:05:17 [EXECUTION] "c:\windows\system32\zonelabs\vsmon.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [492]
[EXECUTION] Commandline - [ c:\windows\system32\zonelabs\vsmon.exe -service ]
Thu 15 - 19:05:19 [EXECUTION] "c:\program files\grisoft\avg free\avginet.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\grisoft\avgfre~1\avgamsvr.exe" [1220]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avginet.exe" /sched=5 ]
Thu 15 - 19:05:19 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1024]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Thu 15 - 19:05:19 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1852]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Thu 15 - 19:05:19 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1024]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Thu 15 - 19:05:23 [EXECUTION] "c:\windows\system32\imapi.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\services.exe" [492]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Thu 15 - 19:05:45 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realevent.exe" [1808]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\faus3270.dll" rnathshutdown ]
Thu 15 - 19:05:46 [EXECUTION] "c:\program files\common files\real\update_ob\realsched.exe" was blocked from running
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realevent.exe" [1808]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realsched.exe" ]
Thu 15 - 19:06:00 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1024]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Thu 15 - 19:06:19 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realsched.exe" [1520]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\rnms3270.dll" rnmsgdialupobserver ]
Thu 15 - 19:06:19 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realsched.exe" [1520]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\upgr3270.dll" upgradedialupobserver ]
Thu 15 - 19:06:20 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realevent.exe" [556]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\faus3270.dll" rnathshutdown ]
Thu 15 - 19:06:25 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realevent.exe" [556]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\rnms3270.dll" rnmsgaureport ]
Thu 15 - 19:09:09 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realevent.exe" [556]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\rnms3270.dll" rnmsgaureport ]
Thu 15 - 19:15:45 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realsched.exe" [1520]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\rnms3270.dll" rnmsgautocheck ]
Thu 15 - 19:15:46 [EXECUTION] "c:\program files\common files\real\update_ob\realevent.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\real\update_ob\realsched.exe" [1520]
[EXECUTION] Commandline - [ "c:\program files\common files\real\update_ob\realevent.exe" "c:\program files\common files\real\update_ob\upgr3270.dll" autoupdateevent ]
Thu 15 - 19:19:07 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1024]
[EXECUTION] Commandline - [ c:\windows\system32\notepad.exe c:\program files\processguard\logs\pglog_12_2005.txt ]

Not too sure what I am doing in ZoneAlarm yet, will keep looking.
Cheers
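Added example, not code from the thread or from ProcessGuard: a small Python parser for the three-line ProcessGuard [EXECUTION] records posted above, which groups each record and picks out the entries a helper would ask about first (blocked launches, and launches whose parent ProcessGuard reported as "Unknown Process"). The sample lines are a trimmed excerpt of the log above, and the triage rules are my own assumptions about what is worth a second look, not ProcessGuard's.

```python
import re

# Trimmed excerpt of the ProcessGuard log posted in the thread (constructed
# sample input for this example: one blocked launch, one launch from an
# unidentified parent, and one ordinary launch from explorer.exe).
SAMPLE_LOG = r"""---Process Guard Log Started---
Thu 15 - 19:05:13 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\services.exe" [492]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Thu 15 - 19:05:19 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1852]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Thu 15 - 19:06:00 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1024]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
"""

# One record spans three lines: the verdict line, the parent line, the command line.
VERDICT_RE = re.compile(
    r'^(?P<ts>\w{3} \d+ - \d\d:\d\d:\d\d) \[EXECUTION\] "(?P<image>[^"]+)" '
    r'was (?P<verdict>allowed to run|blocked from running)$')
PARENT_RE = re.compile(r'^\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<pid>\d+)\]$')
CMDLINE_RE = re.compile(r'^\[EXECUTION\] Commandline - \[ (?P<cmd>.*) \]$')


def parse_pg_log(text):
    """Group the three-line ProcessGuard records into one dict per launch."""
    events, current = [], None
    for line in text.splitlines():
        if m := VERDICT_RE.match(line):
            current = {"time": m["ts"], "image": m["image"],
                       "verdict": "blocked" if m["verdict"].startswith("blocked") else "allowed",
                       "parent": None, "parent_pid": None, "cmdline": None}
            events.append(current)
        elif current is not None and (m := PARENT_RE.match(line)):
            current["parent"], current["parent_pid"] = m["parent"], int(m["pid"])
        elif current is not None and (m := CMDLINE_RE.match(line)):
            current["cmdline"] = m["cmd"]
    return events


def triage(events):
    """Return (event, reason) pairs worth asking the poster about (assumed rules)."""
    findings = []
    for ev in events:
        if ev["verdict"] == "blocked":
            findings.append((ev, "blocked by ProcessGuard; confirm the image is expected"))
        elif ev["parent"] == "Unknown Process":
            findings.append((ev, "parent process could not be identified by ProcessGuard"))
    return findings
```

Running triage(parse_pg_log(SAMPLE_LOG)) flags the tcpsvcs.exe block and the rundll32.exe launch from the unidentified parent, and leaves the firefox.exe launch from explorer.exe alone.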

#254 Metallica (Spyware Veteran, GeekU Moderator, 31,942 posts)
Looks good so far. The main thing is to keep an eye out for untrusted apps first.

We can concentrate on limiting other applications to what is needed later on.

If you see one of our old "friends" active, please post a PG log for the relevant period.

Regards,

#255 Metallica (Spyware Veteran, GeekU Moderator, 31,942 posts)
I found another method to look inside the suspected instance of svchost.exe.

Download http://www.diamondcs...onsoletools.zip

Unzip the content of that file into this folder: C:\console (you will probably need to create it)

Then click Start > Run > cmd > OK

In the command prompt use these commands:

cd\
cd console
procs -m:652


Now there should be a list of modules in your command prompt.

Copy that list into your next post.

Regards,
