June 1st, 2004, 03:33 PM
#1
Junior Member
Problems with possible virus - Trojanhunter
I ran trojanhunter and found an open port, 2040 I believe, and then my computer stopped being responsive. I have NAV, Trojan Hunter, and AdAware. I noted many services.exe running and many in all capitals, if that makes a difference. As an aside I have tried updating TH but am unable to connect. Any info appreciated.
Here is a copy of the Hijack this log:
Logfile of HijackThis v1.97.7
Scan saved at 10:27:34 AM, on 6/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jay\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
-
June 1st, 2004, 04:53 PM
#2
Oh, I'll give you a very easy and effective method to resolve this problem:
say:
God help me, God help me, oh God, please, help me
P.S.
I think you'd better reship your system and load ZoneAlarm and Norton...
-
June 1st, 2004, 04:57 PM
#3
Right... it looked like a pretty clean log to me. Port 2040 seems to be the default port for Inferno Uploader.
Here's a few things you can do... go to www.moosoft.com and download the latest version of The Cleaner.
If you'd like to know if there IS any activity from your port 2040, check your firewall logs.
Assuming the worst case scenario... let's say you do have some process running on that port: go and download fport (it's a small tool that lets you trace a service on a port to the file running it; it's for Win NT/XP I believe) and kill the relevant process. BTW guys... can this serve as an alternative solution to getting rid of a trojan? Well, obviously not all the traces of it, but just narrowing it down somewhat?
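The port-to-process join that fport does can also be done by hand from the output of `netstat -ano` and `wmic process get ProcessId,ExecutablePath /format:csv`, both available on Windows XP. The script below is an added example, not from the thread or from fport: it parses constructed sample output in the shape of those two commands (the host name, PIDs and the `C:\WINDOWS\Temp\updater.exe` image are made up for the example) and reports which image owns a given local port and whether that image lives under a trusted directory.

```python
"""Map a local port to the process image behind it (added example).

Works offline over constructed samples shaped like `netstat -ano` and
`wmic process get ProcessId,ExecutablePath /format:csv` output.
"""
import csv
import io

# Constructed sample in the shape of `netstat -ano` (not a real capture).
NETSTAT_SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       776
  TCP    0.0.0.0:2040           0.0.0.0:0              LISTENING       1480
  TCP    192.168.1.5:1037       64.4.12.200:1863       ESTABLISHED     1656
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample in the shape of
# `wmic process get ProcessId,ExecutablePath /format:csv` (host and paths made up).
WMIC_SAMPLE = r"""
Node,ExecutablePath,ProcessId
JAYPC,C:\WINDOWS\system32\svchost.exe,776
JAYPC,C:\WINDOWS\Temp\updater.exe,1480
JAYPC,C:\Program Files\Messenger\msmsgs.exe,1656
JAYPC,,4
"""

# Directories an image is expected to live in; anything else deserves a look.
# (Assumption for the example; adjust to the machine being examined.)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def parse_netstat(text):
    """Return one dict per socket line: proto, local address, port, state, pid."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = fields[0], fields[1]
        state = fields[3] if proto == "TCP" else ""  # UDP rows carry no state
        sockets.append({
            "proto": proto,
            "local": local,
            "port": int(local.rsplit(":", 1)[1]),
            "state": state,
            "pid": int(fields[-1]),
        })
    return sockets


def parse_wmic_csv(text):
    """Return {pid: executable path}; wmic leaves the path empty for System (pid 4)."""
    rows = [ln for ln in text.splitlines() if ln.strip()]
    reader = csv.DictReader(io.StringIO("\n".join(rows)))
    return {int(r["ProcessId"]): r["ExecutablePath"] for r in reader}


def owner_of_port(port, netstat_text, wmic_text):
    """Join sockets on `port` to their process image and flag untrusted paths."""
    images = parse_wmic_csv(wmic_text)
    hits = []
    for s in parse_netstat(netstat_text):
        if s["port"] != port:
            continue
        image = images.get(s["pid"], "<unknown pid>")
        hits.append({
            **s,
            "image": image,
            "trusted_path": image.lower().startswith(TRUSTED_DIRS),
        })
    return hits


if __name__ == "__main__":
    for hit in owner_of_port(2040, NETSTAT_SAMPLE, WMIC_SAMPLE):
        flag = "" if hit["trusted_path"] else "  <-- outside trusted dirs, investigate"
        print(f'{hit["proto"]} {hit["local"]} {hit["state"]} pid={hit["pid"]} {hit["image"]}{flag}')
```

Run the two Windows commands, save their output to files, and feed the text to `owner_of_port`; a listener whose image sits in a Temp or profile directory is the process worth killing and then tracing back through the autostart entries.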
-
June 1st, 2004, 04:59 PM
#4
Hello davvfw900
To answer a few of your questions. Having many services running will just use up some of your system resources. If your system is robust enough, you probably won't even notice the difference.
There have been a few bits of malware going around that have been kicking the s**t out of Nav for some reason, so I would recommend running the following online scans. Run them both, and fix whatever they find.
Go to PandaSoft’s Free Scan
TrendMicro's online scan is here.
Also, make sure ZoneAlarm isn't malfunctioning and blocking your update. Sometimes it doesn't play well with XP.
Please put HijackThis in its own folder. It likes to make backups and it is best to keep them all in one place. Otherwise you will lose them when you flush your temp files.
The only thing I see that needs to be fixed with HJT is:
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
Make sure all windows and browsers are closed, or the fix won't stick. You may have to temporarily disable Nav in order for the fix to stick. I'm not sure what version of Nav you are running, but newer versions lock the browser from changes.
If you are still having a trojan issue, give A-Squared a try. I count it as a must have piece of software.
Good luck!
-
June 1st, 2004, 05:04 PM
#5
hi
First of all, copy HijackThis.exe to a permanent directory, and then post the log again. This will allow backups to be made and saved by HijackThis in case something goes wrong. Don't remove anything before you move it to a permanent directory.
You have Ad-Aware; have you updated its reference file lately? If not, update it. The following entries seem out of order:
C:\WINDOWS\system32\dla\tfswshx.dll
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
--Good Luck--
[edit]
Hey, something is very wrong here. My post was after therenegade. I clicked the Edit button and edited it, and when I clicked the "Save Changes" button it said "Could Not Contact AntiOnline ... Connection Failed". I tried a few times, the same thing. Now after 10 minutes I was again able to open the site, and now I see my post is after groovicus.... Spooky, isn't it? And no, I am not drunk. Really, trust me, I am not. Maybe I should post all this in Oops, a bug, but I thought nobody would believe me.......... I am sure of what I am saying... It really happened.
-
June 1st, 2004, 05:45 PM
#6
well,obviously not all the traces of it..but just narrowing it down somewhat?
Yes, mostly. Trojans show up in the running processes, and often will be called from the O4 entries. It's a very useful tool... even for more than just diagnosing malware.
Take a peek at this one; Securitywonks has gotten most of them. It has a little of everything.
Good point Swordfish, in this case there was no complaint about the start page being hijacked, so I leave them alone.
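The point above, that a trojan shows up in the running-process list and is usually launched from an O4 entry, is what a first-pass triage of a HijackThis log checks for. The script below is an added example, not from the thread or from HijackThis: it parses a log in the v1.97 format shown in this thread and flags core system binaries outside system32 or listed more than once (many svchost.exe instances are normal, many services.exe are not), anything running or autostarting from a Temp or profile directory, and unnamed BHOs. The sample log is constructed from lines of the poster's log plus two made-up lines (`C:\WINDOWS\Temp\services.exe` and the `[sysupd]` O4 entry) that are not in the original log; the whitelist and rules are my assumptions.

```python
"""First-pass triage of a HijackThis log (added example, not HijackThis code)."""
import ntpath
import re
from collections import Counter

# Constructed sample: real lines from the thread's log plus two made-up
# suspicious lines (the Temp\services.exe process and the [sysupd] O4 entry).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Temp\services.exe
C:\Documents and Settings\Jay\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sysupd] C:\WINDOWS\Temp\services.exe /silent
"""

# Constructed clean log for comparison.
CLEAN_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Binaries XP starts exactly once, always from %SystemRoot%\system32
# (assumption for the example; svchost.exe is absent because several are normal).
SINGLETON_SYSTEM = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
SUSPECT_DIRS = ("\\temp\\", "\\documents and settings\\")

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - ")
O4_RE = re.compile(r'^O4 - .*?\[(?P<name>[^\]]*)\]\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')


def parse_hjt(text):
    """Split a log into (process paths, [(section code, full line), ...])."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # first R/O entry ends the process list
            entries.append((m.group(1), line))
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def looks_suspect_path(path):
    p = path.lower()
    return any(d in p for d in SUSPECT_DIRS)


def triage(text):
    """Return (kind, subject, reason) tuples for everything worth a second look."""
    processes, entries = parse_hjt(text)
    findings = []
    by_name = Counter(ntpath.basename(p).lower() for p in processes)
    for name, count in by_name.items():
        if name in SINGLETON_SYSTEM and count > 1:
            findings.append(("process", name, f"listed {count} times; expected exactly 1"))
    for path in processes:
        name = ntpath.basename(path).lower()
        if name in SINGLETON_SYSTEM and not path.lower().startswith(SYSTEM32):
            findings.append(("process", path, "core system binary outside system32"))
        if looks_suspect_path(path):
            findings.append(("process", path, "running from a temp or profile directory"))
    for code, line in entries:
        if code == "O2" and "(no name)" in line:
            findings.append((code, line, "BHO without a name; identify the DLL before keeping it"))
        if code == "O4":
            m = O4_RE.match(line)
            target = (m.group("quoted") or m.group("bare")) if m else ""
            if looks_suspect_path(target):
                findings.append((code, line, "autostart target in a temp or profile directory"))
    return findings


if __name__ == "__main__":
    for kind, subject, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}: {subject}")
```

The rules are deliberately crude: they do not say an entry is malicious, only that it is the kind of line (a second services.exe, an autostart out of Temp) a reader should chase down with fport and a file scan before fixing anything with HijackThis.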
-
June 1st, 2004, 05:58 PM
#7
Hi Swordfish,
I had a similar problem, couldn't connect.......... I tried both IE and Mozilla but still could not get to AO.
Some temporary internet glitch I suppose?
Cheers