a-squared hijack analysis
Page 1 of 2 12 LastLast
Results 1 to 10 of 18

Thread: a-squared hijack analysis

  1. #1
    Senior Member JonnyFrond's Avatar
    Join Date
    Jan 2006
    Posts
    238

    a-squared hijack analysis

    Hi, I am now very confused and need a little specific help here.

    I just did a scan with the above mentioned thing, and it came out with some stuff. I don't know how to locate and fix the problems though, and a-squared is not clear on how to do this.

    here is an example it says I should fix:

    $statusbad$ X Tweak UI RunDLL32 tweakUI.DLL, TWEAKUI /tweakmeup Added by the SUBWOOFER TROJAN! Note - the real Tweak UI entry for this is "rundll32.exe tweakui.cpl, tweakmeup"

    But where the **** is it, and how do I deal with it?
    I had a look in the regestry and could not find it there. All I know is that it is a command. Incidentally, it has found 6 other errors that is claims are the result of trojans or viruses. And I thought I was clean here, as I can't find anything in a hijack this log to fix.

    Is this real, or am I being hoodwinked, I kinda liked a-squared free, and thought this seemed like a usefull tool, though the hijack one maybe requires a little more experience. Time to jump in the deep end.....

    Unfortunately no log is produced with this scan, so it is hard for me to post, hence I just posted this one error for the moment.

    I think once I know what is going on here, I should be able to fix the other things...I hope

    Any help would be appreciated.


    A slightly Twisted Frond today
    Sarcasm is a way of life

  2. #2
    Senior Member JonnyFrond's Avatar
    Join Date
    Jan 2006
    Posts
    238
    It gets worse, it says this :

    Port: 1025 TCP
    Path: C:\WINNT\system32\ (Process ID: 828)
    NetSpy, Maverick's Matrix, RemoteStorm

    Is also a problem, but what do I do with this, I run Zone Alarm, surely that should keep this sort of thing out, no?

    Yours with a big flat bit developing on the front of my head, and my house starting to fall down.

    Jonny WallBanger
    Sarcasm is a way of life

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    If I read your post correctly you said you alread ran HijackThis? Is it the latest version? If so, you can post it's log here and we will take a look at it..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Howdy.

    From what you've already stated, i'd be placing money on the fact that you've pwned your own computer and gave accesse to whom ever mistakenly.

    I'd be thinking that even if you did get most of the scum from the computer, it would never really be clean. So you'd be better of backing up those important documents and doing a fresh -install.

    cheers
    front2back

  5. #5
    Senior Member JonnyFrond's Avatar
    Join Date
    Jan 2006
    Posts
    238
    Hi, here is the URL to the report a-squared HiJackFree Analysis made of my laptop,
    http://www.hijackfree.com/analyze/?i...9-fbd004c1494a

    and here is the Hijack this log I just did

    Logfile of HijackThis v1.99.1
    Scan saved at 14:49:48, on 13/02/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\System32\cisvc.exe
    C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\WINNT\system32\RunDll32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\a-squared\a2guard.exe
    C:\CFGSAFE\AUTOCHK.EXE
    C:\Program Files\MemTurbo\MemTurbo.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\System32\cidaemon.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    O4 - HKLM\..\Run: [RegProt] c:\documents and settings\administrator\desktop\new folder\regprot.exe /start
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
    O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab34120.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab32846.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab32846.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123785948731
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/acces...d/IbmEgath.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab35645.cab
    O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/vers...n/AMClient.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames...n.cab36385.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

    Thanks
    Sarcasm is a way of life

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    I couldn't find anything out of the ordinary.. But don't take my word for it
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    If you look into your running processes Ctrl+Alt+Delete and check to see if you have scheduler.exe if so then yeah you have the SUBWOOFER Trojan, it's a backdoor, here is an article by Symantec on how to identify the files and remove.

    Trojan Removal

    Otherwise as was mentioned, your log doesn't really show any abnormalities, I would recommend you manage your startups, by using Startup Control Panel


    I would let HJT fix this line R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank

    Also if your interested in CLSID's B8BE5E93-A60C-4D26-A2DC-220313175592 then go to
    CastleCops paste the CLSID into it's search function and it will most times tell you if the item is legit or if you should get rid of it.
    What is a CLSID?
    A Class ID (CLSID) is a 128 bit (large) number that represents a unique id for a software application or application component. Typically they are displayed like this "{AE7AB96B-FF5E-4dce-801E-14DF2C4CD681}".

    You can think of a CLSID as a "social security number" for a piece of software, or a software component.

    What are they used for?
    CLSIDs are used by Windows to identify software components without having to know their "name". They can also be used by software applications to identify a computer, file or other item.

    Where do they come from?
    Microsoft provides a utility (program) called GUIDGEN.EXE that generates these numbers. They are generated by using the current time, network adapter address (if present) and other items in your computer so that no two numbers will ever be the same.
    Files



    1.Keep your Windows updated
    2.Keep the patterns/definitions for Avast up to date
    3.Keep Spybot S & D updated
    4.Get Adaware SE keep it upto date
    5. Get Spywareblaster keep it up to date
    6.I would recommend a router even if there is only one PC
    7.Down to user pref, but you don't really need Regprot, Zone Alarm (is becoming buggy)or Winpatrol (I used to but after awhile it became a real pest)

    Just my 0.02 cents worth

    Edit: you can use this list Processes to check your other processes
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  8. #8
    Junior Member
    Join Date
    Jan 2006
    Posts
    28
    I recommend to disabale "O23 - Service: TrueVector Internet Monitor" for a while.
    disable, NOT remove, reboot computer after that. then update avast and use Boot-Time scanner.
    Look in avast Menu for "Shechedule Boot-Time Scan..."
    Not forget to enable "O23 - Service: TrueVector Internet Monitor".
    never know

  9. #9
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    Do NOT disable "TrueVector Internet Monitor" as that's a ZoneAlarm component.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  10. #10
    Senior Member JonnyFrond's Avatar
    Join Date
    Jan 2006
    Posts
    238
    Flumps, what does all that stuff on the a-squared log mean then?

    http://www.hijackfree.com/analyze/?...49-fbd004c1494a


    I am up to date with everything as far as I am aware. I have to admit, I would rather learn about stuff to clear it all out than do a fresh install, as I have this running nicely at the moment, and I have had bad experiences with fresh installs in the past.

    can anyone tell me how to deal with even just one of these, are the regestry entries that can be edited or deleted, or are they files that I can get rid of?



    I'm starting to feel like part of a fern
    Sarcasm is a way of life

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides