Downloader Generic AOK


#16
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Are the hits incoming or outgoing?
  • 0


#17
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Thatman has been helping me - this is his specialty.

He said

the firewall setting may be the problem. You will need to contact your ISP and ask what you will need to allow traffic in and out from your firewall. Your firewall may also be blocking his 127.0.0.1 loopback


I hope that helps. :tazz:
  • 0

#18
BairbreJ

BairbreJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Good Afternoon,

The hits are coming in and out.

It's true that I have my firewall set pretty tight. Nothing gets in or out without my say so. If I don't recognize it or can't ID it as OK through a google search, it gets a resounding NO! That's why I know about this stuff coming in and out constantly and why I'm so puzzled by it. ;)

OK, I will try calling my ISP. As if. The customer service reps they have can barely speak English. I believe they have outsourced to Puerto Rico. It's a struggle just to get my point across to them. :) Speak v e r y s l o w l y and ENUNCIATE. :tazz: sigh...

B
  • 0

#19
BairbreJ

BairbreJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Good Evening,

Well, of all the silliness! :tazz: The 192...# is my modem's local # w/SBC and they don't care whether my firewall blocks it or not. I'd like to figure out how to get it to stop but not enough to dicker with someone I can barely hear or understand. I'll futz around with it on my own. It's enough of a relief that I don't have to worry about it. whew... ;)

Thanks so much for your help!

B
  • 0

#20
BairbreJ

BairbreJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Hello,

More in the ongoing saga... please see my first post.

Last night I realized I had no sound so I went poking around in my control panel to find out what was up and discovered that not only did I NOT have any sound devices listed, I had no keyboard, no mouse, and no network connection. Furthermore my device manager list was not populated and my hardware add function was not working.

Somewhere in the midst of making all of these discoveries, my AVG came on-board and alerted me to a trojan which I quarantined and removed. I then ran a Panda scan and found two other files, one of which was identified as the AOK trojan and the other as suspicious.

I disinfected the AOK and had a look at the suspicious one but I can't decide if it's OK or not. I had Trojan Hunter scan it and it seems to think it's ok so I'm presuming it is since it's supposed to be a TH file. However, today I had four more trojan files pop up in AVG scans which I've cleaned out.

I tried a system restore earlier this morning but could only go back to the point I discovered this mess so that was of no help at all. I've rebooted several times, BTW, so there must be something somewhere. My CD-Rom is still reading CDs; none of my media players are working properly but they are trying to. So, is there anything I can do here besides reload windows once again? (Why does that make me want to whine? ;) )

Oh, and I think I finally tracked down the source of my infections. Maybe... Something I read last night made me go hmmmm.... I finally googled the other IP# that was asking for all the first *outgoing* packets of information earlier this morning and discovered they *weren't* going to my bigserver ISP as I had assumed from the whois but are apparently going *through* a proxy server. sheesh... :tazz: I've firewalled that IP# off and nothing else has popped up since.

I've done everything recommended in your pre-HJT log but the Ewido scan. Unfortunately, my trial period for that has run out.

B

Panda Scan:

Incident: Possible Virus.
Status: No disinfected
Location: C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Logfile of HijackThis v1.99.1
Scan saved at 2:26:42 AM, on 8/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Corel\Office7\Dad7\QUICK.EXE
C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121958353218
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone.../ICSScanner.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  • 0

#21
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Processviewer.exe is a part of TrojanHunter. Panda recognizes a part of it and warns you. You can leave that.
  • 0

#22
BairbreJ

BairbreJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
'Evening Coach,

Thanks so much for taking up the cause again. Glad to hear that my assumptions about that suspicious file were correct.

Thanks,
B
  • 0

#23
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I think you're OK. Just stay on top of it. :tazz:
  • 0

#24
BairbreJ

BairbreJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Thanks,

I did some more research and a little experimenting. That IP addy I mentioned (which on closer inspection actually seems to be a site set up explicitly for hackers) seems to be connected to my yahoo browser functions somehow. Whenever the browser sends out a ping or echo request, that addy and maybe others disguised as yahoo follow close behind. So I dis-installed all the yahoo browser stuff and suddenly my firewall quits flashing red. Wheee! :tazz:

B

New HJT in case that changed anything you need to know:

Logfile of HijackThis v1.99.1
Scan saved at 9:12:10 PM, on 8/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Corel\Office7\Dad7\QUICK.EXE
C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121958353218
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone.../ICSScanner.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
  • 0
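The two HijackThis logs in this thread (2:26 AM and 9:12 PM on 8/9/2005) are meant to be compared by eye. The following script is an added example, not part of this thread or of HijackThis itself: it parses the "Rn"/"On" entry lines, ignores the header and the running-process list, flags entries HijackThis marked "(file missing)", and diffs two logs so that what was removed (the Yahoo browser components) and what appeared (the red.clientapp... search entries) stands out. The two excerpts are copied from the logs posted above; the truncated URLs are kept exactly as the forum shortened them.

```python
import re
from typing import Dict, List, Tuple

# Excerpt of the first log posted in this thread (8/9/2005, 2:26 AM).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
"""

# Excerpt of the second log posted in this thread (8/9/2005, 9:12 PM), after the Yahoo uninstall.
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
"""

# A HijackThis entry line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
# Header lines and the process list do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Group entry bodies by section code (R0, O2, O4, ...), keeping log order."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.setdefault(match.group("section"), []).append(match.group("body"))
    return entries


def flag_missing_files(entries: Dict[str, List[str]]) -> List[str]:
    """Return entries whose target HijackThis reported as '(file missing)'.

    These are stale registrations (here: Windows Messenger); they are harmless
    but are also the kind of dangling hook malware likes to reuse, so they are
    worth listing for cleanup.
    """
    return [body for bodies in entries.values() for body in bodies if "(file missing)" in body]


def diff_logs(before: Dict[str, List[str]], after: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Return (added, removed) entry lines between two parsed logs."""
    flat_before = {f"{s} - {b}" for s, bodies in before.items() for b in bodies}
    flat_after = {f"{s} - {b}" for s, bodies in after.items() for b in bodies}
    return sorted(flat_after - flat_before), sorted(flat_before - flat_after)


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    added, removed = diff_logs(before, after)
    print("Added since first log:")
    for line in added:
        print("  +", line)
    print("Removed since first log:")
    for line in removed:
        print("  -", line)
    print("Still registered but file missing:")
    for line in flag_missing_files(after):
        print("  ?", line)
```

Run against the full logs, the "added" list is the set of R1 Search Bar / Search Page / Default_Search_URL entries pointing at red.clientapp..., which is exactly the kind of change a helper would ask about next; the "removed" list is the Yahoo Companion BHO, toolbar, YBrowser run key, ycommon process and YPCService.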

#25
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I think you're OK, but give me the ISP address that is trying to get in or get out. Which one is it?
  • 0


#26
BairbreJ

BairbreJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Good evening,

The IP address is 66.218.73.254 and the URL it took me to is:
MY-PROXY.COM. Interesting place.

It attempts to send outgoing ICMP protocols, application C:\WINDOWS\system32\ntoskrnl.exe from local port 0 every 60 seconds or so if I deny the first one.

edited to add: BTW, when I uninstalled the yahoo browser stuff I got an ICMP request to send out a rundll.exe file to an unknown IP#. I don't know if that has any significance or not but from what I'm reading from my googling I figured it was worth throwing into the mix. Just to spice things up a bit. :tazz:


Thanks,
B

Edited by BairbreJ, 10 August 2005 - 07:58 PM.

  • 0

#27
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I am going to have thatman take a look at this and respond to you. This is his specialty. I will be following his progress. :tazz:

BTW: 66.218.73.254 is registered to yahoo.

Edited by coachwife6, 10 August 2005 - 09:05 PM.

  • 0

#28
BairbreJ

BairbreJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Afternoon Coach,

The battle continues. Today we have Trojan-dropper.win32.paradrop.a playing with igfxtray.exe files. It was discovered by Windows Security. (I'm having them do a scan twice a day)

Unfortunately, they won't remove it without some cash. I'm trying to get someone else to recognize this bugger and zap it but no luck so far. I'd have a go at it myself but I'm a bit afraid I'd muck up something important. :tazz:

It's beyond me how this stuff gets in past my firewall. I just don't get it... ;)

Thanks for your help,

B
  • 0

#29
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
thatman has been looking at your log and will help you.
  • 0

#30
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi BairbreJ

1) In the bottom right side of the desktop I would like you to double on your firewall icon.

2) When the window opens please select Applications.

3) In this new window you will see a list of files and programs.
Right click on an icon; this will highlight the icon. Now we need to click on the Advanced box at the bottom of the window
you are working on.
There you will see four boxes that have a check mark in them.
In this picture you can see that the application is for my Panda Anti-Virus.The access for this is set to Allow
Box one = Act as Client leave this box checked.
Box two = Act as Server uncheck this box
Box three = Allow during Screensaver mode uncheck this box
Box four = Allow ICMP traffic uncheck this box
Now close that box.
Now do the same for all the panda items in the list.

Please highlight LSA Shell (Export Version). The access for this is set to Allow
Now click on Advanced
Box one = Act as Client leave this box checked.
Box two = Act as Server uncheck this box
Box three = Allow during Screensaver mode uncheck this box
Box four = Allow ICMP traffic uncheck this box
Now close that box.

Please highlight Generic Host Process for Win32 Services. The access for this is set to Allow
Now click on Advanced
Box one = Act as Client leave this box checked.
Box two = Act as Server uncheck this box
Box three = Allow during Screensaver mode uncheck this box
Box four = Allow ICMP traffic uncheck this box
Now close that box.

Please highlight NDIS User mode I/O Driver
This one is the main server it will be grayed out
No action needed.

Please highlight NT Kernel & system. The access for this is set to Block
Now click on Advanced
Box one = Act as Client uncheck this box.
Box two = Act as Server uncheck this box
Box three = Allow during Screensaver mode uncheck this box
Box four = Allow ICMP traffic uncheck this box
Now close that box.

Please highlight Outlook Express. The access for this is set to Allow
Now click on Advanced
Box one = Act as Client leave this box checked.
Box two = Act as Server uncheck this box
Box three = Allow during Screensaver mode uncheck this box
Box four = Allow ICMP traffic uncheck this box
Now close that box.

Please highlight Internet Explorer. The access for this is set to Allow
Now click on Advanced
Box one = Act as Client leave this box checked.
Box two = Act as Server uncheck this box
Box three = Allow during Screensaver mode uncheck this box
Box four = Allow ICMP traffic uncheck this box
Now close that box.

Firefox The access for this is set to Allow
Now click on Advanced
Box one = Act as Client leave this box checked.
Box two = Act as Server uncheck this box
Box three = Allow during Screensaver mode uncheck this box
Box four = Allow ICMP traffic uncheck this box
Now close that box.

Now for items not covered. The access for this is set to Ask
This you need to do for each item
Box one = Act as Client leave this box checked.
Box two = Act as Server uncheck this box
Box three = Allow during Screensaver mode uncheck this box
Box four = Allow ICMP traffic uncheck this box

Do not let any software or system file Act as a Server.

Kc :tazz:
  • 0
