
Thread: Problems with possible virus - Trojanhunter

  1. #1
    Junior Member
    Join Date
    Jun 2004
    Posts
    1

    Problems with possible virus - Trojanhunter

    I ran trojanhunter and found an open port, 2040 I believe, and then my computer stopped being responsive. I have NAV, Trojan Hunter, and AdAware. I noted many services.exe running and many in all capitals, if that makes a difference. As an aside I have tried updating TH but am unable to connect. Any info appreciated.

    Here is a copy of the Hijack this log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:27:34 AM, on 6/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Jay\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab

  2. #2
    Oh, I'll give you a very easy and effective method to resolve this problem:
    say:
    god help me, god help me, oh god, please, help me
    P.S.
    I think you'd better reship your system and load ZoneAlarm and Norton...

  3. #3
    Senior Member therenegade
    Join Date
    Apr 2003
    Posts
    400
    Right.. it looked like a pretty clean log to me.. port 2040 seems to be the default port for Inferno Uploader.
    Here's a few things you can do... go to www.moosoft.com and download the latest version of The Cleaner.
    If you'd like to know if there IS any activity from your port 2040, check your firewall logs.
    Assuming the worst case scenario.. let's say you do have some process running on that port, go and download fport (it's a small tool that lets you trace a service on a port to the file running it; it's for Win NT/XP I believe) and kill the relevant process.. btw guys.. can this serve as an alternative solution to getting rid of a trojan? Well, obviously not all the traces of it.. but just narrowing it down somewhat?
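
    The port-to-process lookup therenegade describes, as an added example that is not part of the thread and not fport's own code. fport is a Windows binary; this script reproduces what it does with the tools that ship on Windows XP and later: `netstat -ano` shows the PID that owns each socket, and `tasklist /fo csv /nh` maps PIDs to image names. The two samples embedded below are constructed for offline use (PIDs and image names are hypothetical, chosen to include a second services.exe like the one the original poster noticed); run_live() shells out to the real tools on a Windows host.

```python
"""Trace a port to its owning process, fport-style (added example, not from the thread).

Uses `netstat -ano` (socket -> PID) and `tasklist /fo csv /nh` (PID -> image).
The two samples are CONSTRUCTED; run_live() queries the real tools on Windows.
"""
import csv
import io
import re
import subprocess
from collections import Counter
from typing import Dict, List, Tuple

# Constructed `netstat -ano` output in Windows XP format (hypothetical PIDs).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:2040           0.0.0.0:0              LISTENING       1544
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1892
  TCP    192.168.1.10:1042      64.233.161.99:80       ESTABLISHED     1892
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /fo csv /nh` output (hypothetical). Two services.exe rows
# are included on purpose: XP runs exactly one, so a duplicate deserves a look.
SAMPLE_TASKLIST = """\
"System","4","Console","0","236 K"
"services.exe","668","Console","0","3,412 K"
"svchost.exe","896","Console","0","4,836 K"
"SERVICES.EXE","1544","Console","0","2,120 K"
"IEXPLORE.EXE","1892","Console","0","21,480 K"
"""

# Images of which XP runs exactly one. winlogon/csrss are left out because they
# can legitimately repeat with Fast User Switching.
SINGLETONS = {"smss.exe", "services.exe", "lsass.exe"}

NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text: str) -> List[dict]:
    """One dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, state, pid = m.groups()
        rows.append({"proto": proto, "local": laddr, "port": int(lport),
                     "foreign": faddr, "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from tasklist's CSV output."""
    return {int(row[1]): row[0]
            for row in csv.reader(io.StringIO(text))
            if len(row) >= 2 and row[1].isdigit()}


def who_owns_port(port: int, netstat_text: str, tasklist_text: str) -> List[Tuple[str, str, int, str]]:
    """(proto, state, pid, image) for every socket bound locally to `port`."""
    names = parse_tasklist(tasklist_text)
    return [(r["proto"], r["state"], r["pid"], names.get(r["pid"], "<no such pid>"))
            for r in parse_netstat(netstat_text) if r["port"] == port]


def singleton_violations(names: Dict[int, str]) -> Dict[str, int]:
    """Image names that should appear once but appear more often. Compared
    case-insensitively: Windows file names are not case-sensitive, so
    SERVICES.EXE and services.exe are the same name and the capitalisation
    alone proves nothing."""
    counts = Counter(n.lower() for n in names.values())
    return {n: c for n, c in counts.items() if n in SINGLETONS and c > 1}


def run_live(port: int) -> List[Tuple[str, str, int, str]]:
    """The same lookup against the real tools; Windows only."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True, text=True, check=True).stdout
    return who_owns_port(port, ns, tl)


if __name__ == "__main__":
    for hit in who_owns_port(2040, SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print("port 2040 -> proto=%s state=%s pid=%d image=%s" % hit)
    print("duplicated singletons:", singleton_violations(parse_tasklist(SAMPLE_TASKLIST)))
```

    As the thread says, this only narrows things down: knowing which image owns the port tells you what to look at, not whether it is legitimate, and killing the process removes nothing that restarts it at next boot.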

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    Hello davvfw900

    To answer a few of your questions. Having many services running will just use up some of your system resources. If your system is robust enough, you probably won't even notice the difference.

    There have been a few bits of malware going around that have been kicking the s**t out of Nav for some reason, so I would recommend running the following online scans. Run them both, and fix whatever they find.
    Go to PandaSoft’s Free Scan
    TrendMicro's online scan is here.

    Also, make sure ZoneAlarm isn't malfunctioning and blocking your update. Sometimes it doesn't play well with XP.

    Please put HijackThis in its own folder. It likes to make backups and it is best to keep them all in one place. Otherwise you will lose them when you flush your temp files.

    The only thing I see that needs to be fixed with HJT is:
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

    Make sure all windows and browsers are closed, or the fix won't stick. You may have to temporarily disable Nav in order for the fix to stick. I'm not sure what version of Nav you are running, but newer versions lock the browser from changes.

    If you are still having a trojan issue, give A-Squared a try. I count it as a must have piece of software.

    Good luck!

  5. #5
    AntiOnline n00b
    Join Date
    Feb 2004
    Posts
    666
    hi

    First of all, copy the hijackthis.exe to a permanent directory, and then post the log again..... This will allow backups to be made and saved by HijackThis in case something goes wrong. .... Don't remove anything before you move it to a permanent directory.


    You have Ad-Aware; have you updated its reference file lately? If not, update it.. The following entries seem out of order ....

    C:\WINDOWS\system32\dla\tfswshx.dll

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

    --Good Luck--

    [edit]

    Hey, something is very wrong here. My post was after therenegade. I clicked the Edit button and edited it, and when I clicked the "Save Changes" button it said "Could not contact AntiOnline ... Connection failed". I tried a few times, the same thing. Now, after 10 minutes, I was again able to open the site, and now I see my post is after groovicus .... Spooky, isn't it? And no, I am not drunk. Really, trust me, I am not. Maybe I should post all this in "oops, a bug", but I thought nobody would believe me .......... .... I am sure of what I am saying...... It really happened.

  6. #6
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    therenegade wrote: "well, obviously not all the traces of it.. but just narrowing it down somewhat?"
    Yes, mostly. Trojans show up in the running processes, and often will be called from the O4 entries. It's a very useful tool.. even for more than just diagnosing malware.

    Take a peek at this one; Securitywonks has gotten most of them. It has a little of everything.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    Good point Swordfish, in this case there was no complaint about the start page being hijacked, so I leave them alone.
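
    The triage groovicus describes (trojans show up in the running-process list and are usually started from an O4 Run entry), as an added example that is not part of the thread and not HijackThis's own code. It parses a HijackThis log into its running processes and O4 autoruns and flags any executable that lives under a Temp directory. The only such path in this thread's log is HijackThis itself, which is exactly what posts #4 and #5 ask the poster to move. The sample log is constructed from a subset of the lines above; the Temp rule is a heuristic for where to look first, not a verdict.

```python
"""Triage a HijackThis log (added example, not from the thread or from HijackThis).

Extracts the "Running processes:" list and the O4 Run entries, then flags any
image under a \\Temp\\ directory. SAMPLE_HJT is CONSTRUCTED from the thread's log.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_HJT = r"""Logfile of HijackThis v1.97.7
Scan saved at 10:27:34 AM, on 6/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Jay\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# "R0 - ...", "O2 - ...", "O4 - ...": section code, then the entry body.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Body of an O4 entry: hive, key, value name in [], then the command line.
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
# Anything under a user's or the system's Temp directory (case-insensitive).
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_hjt(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (running processes, [(section code, entry body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def launched_image(command: str) -> str:
    """First token of a Run command: the quoted path if quoted, else the bare word."""
    m = re.match(r'"([^"]+)"', command)
    return m.group(1) if m else command.split()[0]


def autoruns(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """(hive, value name, launched image) for every O4 Run entry."""
    out = []
    for code, body in entries:
        if code != "O4":
            continue
        m = O4_RE.match(body)
        if m:
            hive, _key, name, command = m.groups()
            out.append((hive, name, launched_image(command)))
    return out


def triage(text: str) -> Dict[str, list]:
    """Everything a first pass over the log wants to see, plus the Temp hits."""
    processes, entries = parse_hjt(text)
    runs = autoruns(entries)
    return {
        "processes": processes,
        "autoruns": runs,
        "temp_processes": [p for p in processes if TEMP_RE.search(p)],
        "temp_autoruns": [r for r in runs if TEMP_RE.search(r[2])],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_HJT)
    for hive, name, image in result["autoruns"]:
        print("O4 %s [%s] -> %s" % (hive, name, image))
    for p in result["temp_processes"]:
        print("running from Temp:", p)
```

    An entry like NvCplDaemon resolves to the launcher (RUNDLL32.EXE) rather than the DLL it loads, so for rundll32 and similar hosts the argument still needs a look by hand.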

  7. #7
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Swordfish,

    I had a similar problem, couldn't connect.......... I tried both IE and Mozilla but still could not get to AO.

    Some temporary internet glitch I suppose?

    Cheers
