Security Basics mailing list archives
Re: Idiot_self+trojans+administrative privs = Disaster
From: Bob Jones <lists () pavlodarproductions com>
Date: Wed, 06 Dec 2006 10:19:29 -0600
Zach,

What I do in cases like this (and it's been quite a few times over the last couple of years) is to get a good command line virus scanner (I use McAfee's), put it on a flash drive, and boot the machine from a WinPE CD. Once the machine is at the command prompt, I empty all the temp folders for all user profiles and in windows (usually by rmdir /s temp, mkdir temp), as well as the temporary internet files/content.ie5 folders (again, delete it and recreate it).
Once the trash cleanup is complete, then I run the virus scanner against the C: drive. Make sure you use the command options to clean any bugs it finds, use heuristic analysis, traverse all sub-folders, and if available, scan for potentially unwanted programs/spyware (mcafee only I think), and dump a log/report file to the flash drive. Now grab a cup of coffee and/or watch a show as a full scan on the C: drive will likely take an hour or more.
Once you have scanned/cleaned up any virii and bugs, boot back into windows, run Ad-Aware, spybot, and a trial version of Spysweeper (make sure they are up-to-date first). Let them clean up any crap. Follow this up with running autoruns from sysinternals.com (look for anything suspicious -- not related to any programs or hardware on your PC) and delete the entries. Pay attention to anything found in appinit_dll and winlogon notifications -- basically, I delete anything that is not a MS entry. You can change the user you are scanning from the menu, so running it once is enough -- with the spyware cleaners you need to run them under all profiles.
As far as the HijackThis log goes, I find the ccleaner and all windows\ehome suspicious, only because I have never run into them in the past -- but they might be legit.
At this point, you should be in pretty good shape -- good/clean enough to at least backup your data to usb drive prior to a format/reinstall.
Drop me a line directly if you have any questions.

Bob Jones

wymerzp () sbu edu wrote:
I noticed that my OS (WinXP Media Center Ed. SP2) was acting extraordinarily buggy and throwing several different errors. I had used BitTorrent and Limewire while running as Administrator (I know, I know, I don't need a lecture on how stupid this was... I was a moron). I wasn't being my usual careful self because I'm going to wipe my comp and install linux. And a new version of WinXP.

Anyway, I have a Trojan that I can't seem to get rid of: Trojan.Popuper.Downloader. This is the result of a scan by Spyware Doctor.

Scan Results: (edited to just show location)
C:\Program Files\BitTorrent\uninstall.exe
C:\Program Files\CCleaner\uninst.exe
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP233\A0427654.exe

I attempted to access the C:\System Volume Information... file but it would not allow me to access this; I attempted this because it seemed to continue to instantiate itself after removal and reboot. I was considering running with System permissions to manually uninstall the restore location, but didn't want to give the Trojan any more power (Administrator is bad enough). On the third time of removing and rebooting the infection is no longer being picked up by Spyware Doctor...

My question that I pose to the online community is this: Do you think the infection is actually gone? It seemed to continue to instantiate itself each time, and then suddenly disappeared. Here is my HijackThis! scan:

Logfile of HijackThis v1.99.1
Scan saved at 3:32:46 PM, on 12/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\Program Files\Windows Media Connect 2\wmccds.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM95\aim.exe
C:\Documents and Settings\Owner.ZachW34EF3E735\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/mpfplus/en-us/mpfplus7/default.asp?affid=370-9
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O4 - HKCU\..\Run: [Eraser] C:\Documents and Settings\Owner.ZachW34EF3E735\Desktop\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159142629587
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MSHOME
O17 - HKLM\Software\..\Telephony: DomainName = MSHOME
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MSHOME
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = MSHOME
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Abel - oxid.it - C:\Program Files\Cain\Abel.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel.exe" -service -install (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

Any help will be greatly appreciated. Thanks to all who will respond!

Peace,
Zach
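The review Bob describes for the HijackThis log (orphaned entries, autostarts that don't belong to any installed program, non-Microsoft Winlogon Notify packages, services with no publisher) can be scripted as a first pass. The Python below is an added example, not code from either poster; the sample lines are constructed in HijackThis v1.99 format (a few are modelled on the log above, the Temp-folder Run entry is made up) and the Winlogon Notify allow-list is an assumption, not an exhaustive list.

```python
import re

# Constructed sample log lines in HijackThis v1.99 format. The Temp-folder
# Run entry and the "helper32" notify package are invented for the example.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [Updater] C:\DOCUME~1\Owner\LOCALS~1\Temp\svchost.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: helper32 - C:\WINDOWS\system32\helper32.dll
O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel.exe" -service -install (file missing)
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
"""

# Assumed allow-list of Winlogon Notify packages that ship with Windows XP.
# It is deliberately short: anything not on it gets a manual look, as Bob suggests.
KNOWN_MS_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scecli", "schedule",
                   "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

# Autostart targets living in a temp or browser cache folder are worth a look.
TEMP_PATH = re.compile(r"\\(temp|temporary internet files)\\", re.I)

def triage(log):
    """Return a list of (section, reason, line) for entries worth a second look."""
    findings = []
    for line in log.splitlines():
        m = re.match(r"(O\d+|R\d) - (.*)", line)
        if not m:
            continue  # header, blank or "Running processes" lines
        section, body = m.groups()
        low = body.lower()
        if "(no file)" in low or "(file missing)" in low:
            findings.append((section, "orphaned entry, target file missing", line))
        elif section == "O4" and TEMP_PATH.search(body):
            findings.append((section, "autostart from a temp folder", line))
        elif section == "O20":
            # "Winlogon Notify: <name> - <dll>" -> compare <name> with the allow-list
            name = body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if name not in KNOWN_MS_NOTIFY:
                findings.append((section, "non-Microsoft Winlogon Notify package", line))
        elif section == "O23" and "unknown owner" in low:
            findings.append((section, "service with no publisher", line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```

Flagged entries are candidates for review, not verdicts: the ehome and ccleaner items Bob mentions pass these checks, and an orphaned "(file missing)" service still needs a look at what installed it.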