Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

trojan downloader and other malware [RESOLVED]

Started by marketa , Sep 12 2006 10:02 PM

This topic is locked

#16
marketa

Posted 14 September 2006 - 12:43 PM

Member

Topic Starter
Member
20 posts

I installed a new firewall today (SPF), disabled the MS one. Right away after restarting and trying to go online I got these 2 messages...no idea what they mean :whistling:

:

Generic Host Process for Win32 services (svchost.exe) is trying to broadcast to [239.255.255.250] using remote port 1900 (SSDP - Simple Service Discovery Protocol).

NDIS User mode I/O Driver (ndisuio.sys) has received a Broadcast packet from the remote machine [73.50.252.1].

A while later, after the firewall blocked some traffic itself, I got a message: port scan attack is logged - somebody is scanning your computer...and then the mention of the UDP ports and where they have been scanned from. What does that mean? :help:

Thanks in advance. :blink:

Edited by marketa, 14 September 2006 - 02:03 PM.

#17
loophole

Posted 14 September 2006 - 06:07 PM

Malware Expert

Retired Staff
9,798 posts

Those first two messages are normal, actually you will find that the last one is to The first 2 are microsoft processes. The last is a port scan looking for vulnerabilities. Usually from China. You will get these a couple times a day, Nothing to worry about because you are protected.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

How is everything running?

#18
marketa

Posted 14 September 2006 - 06:26 PM

Member

Topic Starter
Member
20 posts

It seems OK; slow at times, but OK, the pop-ups are definitely down. A while ago, AVG found downloader.obfuskated, ewido found just tracking cookies, nothing else.

And I did all the above.

Edited by marketa, 14 September 2006 - 06:26 PM.

#19
marketa

Posted 14 September 2006 - 06:33 PM

Member

Topic Starter
Member
20 posts

Just out of curiousity, how do I recognize safe from not so safe when firewall asks me what do I want to do? I was trying to find the answer online, but no luck.

#20
loophole

Posted 14 September 2006 - 06:44 PM

Malware Expert

Retired Staff
9,798 posts

You are still getting popups?

Generally most things are ok. Anything that updates will ask for permission. The imprtant thing is to check the box that says, dont ask again or something similar. This way it won't ask anymore,and after a day or so you shouldn't have it asking anymore. I'm trying to explain but I'm stumbling all over myself, I will try to find a link for you :whistling:

#21
marketa

Posted 14 September 2006 - 07:18 PM

Member

Topic Starter
Member
20 posts

I only got pop ups in the morning, and just a few. I'm not getting them now.

Does it mean the comupter should be relatively safe now? Even for banking, etc.? Don't want to lose any more money. :whistling:

How come another downloader was found a while ago? Or does it mean that it's OK for it to be in the computer, but the firewall will not let it do anything? I'm just lost. :blink:

Can I ask you what the "unwanted tools" that Panda Scan found meant?

BTW, don't worry about the safe/non-safe things I asked about....I'll look it up on the net.

One more thing, what does this mean?
Application Hijacking has been detected
The application: C:\Program Files\TrojanHunter 4.6\THGuard.exe try to launch another application: C:\Program Files\TrojanHunter 4.6\Tools\LiveUpdate\LiveUpdate.exe to go to remote host www.misec.net

Why does the TrojanHunter come up in the firewall?

Edited by marketa, 14 September 2006 - 07:29 PM.

#22
loophole

Posted 14 September 2006 - 07:36 PM

Malware Expert

Retired Staff
9,798 posts

How come another downloader was found a while ago?

What found it and where was it located?

Can I ask you what the "unwanted tools" that Panda Scan found meant?

You can ask anything you want :whistling:

Some are just leftover registry entries, we are going to remove them soon, They arent doing anything, just leftovers. The others are part of the smitfraud fix we used, It can be bad if in the wrong hands. Deleting the smitfix folder will remove those

Or does it mean that it's OK for it to be in the computer, but the firewall will not let it do anything?

No, Thats not exactly what a firewall does, I will give you a link to read about firewalls in a few :blink:

Does it mean the comupter should be relatively safe now? Even for banking, etc.?

Probably but I want you to do the below first

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

#23
marketa

Posted 14 September 2006 - 07:52 PM

Member

Topic Starter
Member
20 posts

AVG found it, it was Downloader.Obfuskated in: C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP127\A0020664.exe

I'm now going to do the next step.

Thank you! :whistling:

#24
marketa

Posted 14 September 2006 - 08:02 PM

Member

Topic Starter
Member
20 posts

Here goes:

Owner - 06-09-14 21:00:50.98 Service Pack 2
ComboFix 06.09.14 - Running from: C:\Documents and Settings\Owner.Gateway\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-08-14 to 2006-09-14 ))))))))))))))))))))))))))))))))))

2006-09-14 13:20 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-14 20:48 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-14 13:20 -------- d-------- C:\Program Files\Sygate
2006-09-14 12:01 -------- d-------- C:\Program Files\TrojanHunter 4.6
2006-09-14 11:59 -------- d-------- C:\Program Files\Internet Explorer
2006-09-14 11:58 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-13 22:45 -------- d-------- C:\Program Files\backups
2006-09-13 22:38 7524 --a------ C:\Program Files\hijackthis.log
2006-09-12 22:45 8665 --a------ C:\Program Files\hijackthis.2.txt
2006-09-12 22:39 -------- d-------- C:\Documents and Settings\Owner.Gateway\Application Data\TrojanHunter
2006-09-12 22:05 8986 --a------ C:\Program Files\hijackthis.1.txt
2006-09-12 21:50 218112 --a------ C:\Program Files\HijackThis.exe
2006-09-12 08:43 -------- d-------- C:\Documents and Settings\Owner.Gateway\Application Data\SampleView
2006-09-11 11:43 -------- d-------- C:\Documents and Settings\Owner.Gateway\Application Data\AdobeUM
2006-09-10 12:34 -------- d-------- C:\Documents and Settings\Owner.Gateway\Application Data\Sun
2006-09-06 18:33 -------- d-------- C:\Program Files\PopCap Games
2006-09-06 18:30 -------- d-------- C:\Program Files\TryMedia
2006-09-04 20:04 -------- d-------- C:\Program Files\Microsoft Works
2006-09-04 20:03 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-04 13:50 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-09-04 13:50 -------- d-------- C:\Program Files\Common Files\DESIGNER
2006-09-04 13:50 -------- d-------- C:\Program Files\Common Files
2006-09-04 13:49 -------- d-------- C:\Program Files\Microsoft.NET
2006-09-04 13:49 -------- d-------- C:\Program Files\Microsoft Office
2006-09-04 13:49 -------- d-------- C:\Program Files\Common Files\System
2006-09-02 11:02 -------- d-------- C:\Program Files\ICQLite
2006-09-02 11:02 -------- d-------- C:\Documents and Settings\Owner.Gateway\Application Data\ICQLite
2006-09-02 11:01 -------- d-------- C:\Program Files\ICQToolbar
2006-08-28 18:56 4182 --a------ C:\Documents and Settings\Owner.Gateway\Application Data\wklnhst.dat
2006-08-27 21:19 -------- d-------- C:\Documents and Settings\Owner.Gateway\Application Data\Adobe
2006-08-22 19:26 -------- d-------- C:\Program Files\Google
2006-08-21 21:20 -------- d-------- C:\Program Files\Java
2006-08-21 21:20 -------- d-------- C:\Documents and Settings\Owner.Gateway\Application Data\Google
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 04:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-07 08:36 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-08-07 08:36 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-19 07:44 -------- d-------- C:\Program Files\BigFix
2006-06-23 09:28 5512704 --------- C:\WINDOWS\system32\ieframe.dll
2006-06-23 09:28 47616 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-06-23 09:28 454144 --------- C:\WINDOWS\system32\msfeeds.dll
2006-06-23 09:28 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-06-23 09:28 223744 --a------ C:\WINDOWS\system32\webcheck.dll
2006-06-23 09:28 179200 --------- C:\WINDOWS\system32\ieui.dll
2006-06-23 09:28 155648 --a------ C:\WINDOWS\system32\msls31.dll
2006-06-23 05:41 172544 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-06-23 05:40 78848 --a------ C:\WINDOWS\system32\ieencode.dll
2006-06-23 05:40 40960 --a------ C:\WINDOWS\system32\url.dll
2006-06-23 05:39 99328 --a------ C:\WINDOWS\system32\occache.dll
2006-06-23 05:39 39424 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-06-23 05:37 14336 --a------ C:\WINDOWS\system32\corpol.dll
2006-06-23 05:34 81920 --a------ C:\WINDOWS\system32\admparse.dll
2006-06-23 05:34 50688 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-06-23 05:34 372736 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-06-23 05:34 228864 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-06-23 05:34 167936 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-06-23 05:33 54272 --a------ C:\WINDOWS\system32\iesetup.dll
2006-06-23 05:33 41984 --a------ C:\WINDOWS\system32\iernonce.dll
2006-06-23 05:33 121856 --a------ C:\WINDOWS\system32\advpack.dll
2006-06-23 05:30 11776 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-06-23 05:29 55296 --------- C:\WINDOWS\system32\icardie.dll
2006-06-23 05:29 35328 --a------ C:\WINDOWS\system32\imgutil.dll
2006-06-23 05:27 251392 --------- C:\WINDOWS\system32\iertutil.dll
2006-06-23 05:26 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-06-23 04:46 377856 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-06-23 04:45 48640 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-06-23 04:41 172032 --a------ C:\WINDOWS\system32\ieakui.dll
2006-06-22 00:06 69120 --a------ C:\WINDOWS\system32\ciodm.dll
2006-06-22 00:06 1435648 --a------ C:\WINDOWS\system32\query.dll
2006-06-19 15:18 23552 --------- C:\WINDOWS\system32\idndl.dll
2006-06-19 15:18 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-06-19 15:18 20480 --------- C:\WINDOWS\system32\normaliz.dll
2006-06-15 16:55 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-06-15 16:55 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-06-15 16:55 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-06-15 16:55 620180 --a------ C:\WINDOWS\system32\DivX.dll
2006-06-14 12:49 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SynTPLpr"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe\""
"SynTPEnh"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe\""
"Reminder"=hex(2):25,57,49,4e,44,49,52,25,5c,43,72,65,61,74,6f,72,5c,52,65,6d,\
69,6e,64,5f,58,50,2e,65,78,65,00
"Recguard"=hex(2):25,57,49,4e,44,49,52,25,5c,53,4d,49,4e,53,54,5c,52,45,43,47,\
55,41,52,44,2e,45,58,45,00
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Completion time: Thu 09/14/2006 21:01:27.87
ComboFix.txt

#25
loophole

Posted 14 September 2006 - 08:04 PM

Malware Expert

Retired Staff
9,798 posts

That is in the system resore folder. Its harmless unless you perform a system restore. Dont worry we will clear those in our last step

One more thing, what does this mean?
Application Hijacking has been detected
The application: C:\Program Files\TrojanHunter 4.6\THGuard.exe try to launch another application: C:\Program Files\TrojanHunter 4.6\Tools\LiveUpdate\LiveUpdate.exe to go to remote host www.misec.net

Why does the TrojanHunter come up in the firewall?

Sorry I missed this. This is trojan hunter going to check for updates, notice the file C:\Program Files\TrojanHunter 4.6\Tools\LiveUpdate\LiveUpdate.exe....You should allow this

That Combo log looks fine I think you are good to go,shall we continue to the final steps?

Edited by loophole, 14 September 2006 - 08:07 PM.

#26
marketa

Posted 14 September 2006 - 08:17 PM

Member

Topic Starter
Member
20 posts

I'm ready. :whistling:

The only reason why I was worried about the Trojan thing is that I didn't remember the firewall asking me...doing too many things at one time I guess. :blink:

Edited by marketa, 14 September 2006 - 08:19 PM.

#27
loophole

Posted 14 September 2006 - 08:33 PM

Malware Expert

Retired Staff
9,798 posts

OK then

Please open Notepad, and copy/paste the code in the white box below into a new text file. Save it as Fix.reg Change the SAVE AS TYPE to ALL FILES and save it on your Desktop.

REGEDIT4

[-hkey_current_user\software\tbon] 

[-hkey_classes_root\clsid\{3646C2BD-3554-49CA-8125-44DEEFB881DE}]

after saving as instructed above, please close notepad. You will now have a file on your desktop called Fix.reg , Please double click it and say yes to merge it with the registry.

We have a couple of last steps to perform and then you're all set.

Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

You obviously dont need a firewall but feel free to check out some of these programs
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them:

SpywareBlaster to help prevent spyware from installing in the first place.
SpywareGuard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

You should also have a good firewall. Here are 3 free ones available for personal use:

and a good antivirus (these are also free for personal use):

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

Microsoft Windows Update

monthly. And to keep your system clean run these free malware scanners

weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

#28
marketa

Posted 14 September 2006 - 09:06 PM

Member

Topic Starter
Member
20 posts

Thanks a bunch! You're an angel!!! :whistling:

I would like to make a donation. I have to open up a Pay Pal Account first; I have heard the worst about Pay Pal (securitywise)...but I'm assuming it's not that bad?

And one last question: Is it safe to run Ewido and one of the other spyware protection (SpywareBlaster/SpywareGuard/IESpy-Ad) together? Or is it 2 completely different things and can have both?

Thanks again!!!!

#29
loophole

Posted 14 September 2006 - 09:29 PM

Malware Expert

Retired Staff
9,798 posts

And one last question: Is it safe to run Ewido and one of the other spyware protection (SpywareBlaster/SpywareGuard/IESpy-Ad) together? Or is it 2 completely different things and can have both?

Those are safe together, The general rule I use is 1-1-1-1- 1antivirus 1 firewall 1 anti-malware 1 prevention :whistling:

Oh and PayPal isn't really unsafe. I've never had a problem.

Edited by loophole, 14 September 2006 - 09:32 PM.