-
February 13th, 2006, 03:24 PM
#1
a-squared hijack analysis
Hi, I am now very confused and need a little specific help here.
I just did a scan with the above-mentioned thing, and it came out with some stuff. I don't know how to locate and fix the problems though, and a-squared is not clear on how to do this.
here is an example it says I should fix:
$statusbad$ X Tweak UI RunDLL32 tweakUI.DLL, TWEAKUI /tweakmeup Added by the SUBWOOFER TROJAN! Note - the real Tweak UI entry for this is "rundll32.exe tweakui.cpl, tweakmeup"
But where the **** is it, and how do I deal with it?
I had a look in the registry and could not find it there. All I know is that it is a command. Incidentally, it has found 6 other errors that it claims are the result of trojans or viruses. And I thought I was clean here, as I can't find anything in a HijackThis log to fix.
Is this real, or am I being hoodwinked? I kinda liked a-squared free, and thought this seemed like a useful tool, though the hijack one maybe requires a little more experience. Time to jump in the deep end.....
Unfortunately no log is produced with this scan, so it is hard for me to post, hence I just posted this one error for the moment.
I think once I know what is going on here, I should be able to fix the other things...I hope
Any help would be appreciated.
A slightly Twisted Frond today
Sarcasm is a way of life
-
February 13th, 2006, 03:34 PM
#2
It gets worse; it says this:
Port: 1025 TCP
Path: C:\WINNT\system32\ (Process ID: 828)
NetSpy, Maverick's Matrix, RemoteStorm
Is also a problem, but what do I do with this, I run Zone Alarm, surely that should keep this sort of thing out, no?
Yours with a big flat bit developing on the front of my head, and my house starting to fall down.
Jonny WallBanger
Sarcasm is a way of life
-
February 13th, 2006, 03:42 PM
#3
If I read your post correctly, you said you already ran HijackThis? Is it the latest version? If so, you can post its log here and we will take a look at it.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
February 13th, 2006, 03:56 PM
#4
Howdy.
From what you've already stated, I'd be placing money on the fact that you've pwned your own computer and gave access to whomever mistakenly.
I'd be thinking that even if you did get most of the scum from the computer, it would never really be clean. So you'd be better off backing up those important documents and doing a fresh install.
cheers
front2back
-
February 13th, 2006, 03:58 PM
#5
Hi, here is the URL to the report a-squared HiJackFree Analysis made of my laptop,
http://www.hijackfree.com/analyze/?i...9-fbd004c1494a
and here is the Hijack this log I just did
Logfile of HijackThis v1.99.1
Scan saved at 14:49:48, on 13/02/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\a-squared\a2guard.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\MemTurbo\MemTurbo.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [RegProt] c:\documents and settings\administrator\desktop\new folder\regprot.exe /start
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab34120.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab32846.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123785948731
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/acces...d/IbmEgath.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab35645.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/vers...n/AMClient.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames...n.cab36385.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
Thanks
Sarcasm is a way of life
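Post #1 quotes the a-squared finding ("RunDLL32 tweakUI.DLL, TWEAKUI /tweakmeup") together with the form a-squared itself calls the real Tweak UI entry, and the HijackThis log above shows what is actually in the Run key (the [Tweak UI] O4 line). The script below is an added example, not part of this thread and not code from a-squared or HijackThis: it parses O4 Run-key lines, reduces each rundll32 command to (module basename, entry point + arguments) with case, the ".exe" suffix, paths and spacing removed, and then compares the result against the known-good form. The sample log lines are copied from the post above; the labels "legit", "impostor" and "not-tweakui" are this example's own.

```python
import ntpath
import re

# Constructed sample input, copied from the posts above: the entry a-squared
# flagged, the "real" form a-squared quotes, and three O4 lines from the log.
ASQUARED_FLAGGED = "RunDLL32 tweakUI.DLL, TWEAKUI /tweakmeup"
ASQUARED_REAL = "rundll32.exe tweakui.cpl, tweakmeup"
HJT_LOG = r"""
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
"""

# HijackThis O4 Run-key lines look like: O4 - <hive>\..\Run: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_o4_run_entries(log_text):
    """Yield (registry key, value name, command) for each O4 Run-key line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m.group("key"), m.group("name"), m.group("cmd")


def normalise_rundll32(cmd):
    """Reduce a rundll32 command to (module basename, entry point + args), lower-cased
    with spacing collapsed, so that case, '.exe', a directory prefix or a space after
    the comma do not matter. Returns None if the command is not a rundll32 call."""
    parts = cmd.strip().split(None, 1)
    if len(parts) != 2:
        return None
    host = ntpath.basename(parts[0]).lower()
    if host.endswith(".exe"):
        host = host[:-4]
    if host != "rundll32":
        return None
    module, _, entry = parts[1].partition(",")
    module = ntpath.basename(module.strip().strip('"')).lower()
    entry = " ".join(entry.lower().split())
    return module, entry


# The canonical entry, derived from the form a-squared quotes as the real one.
LEGIT_TWEAKUI = normalise_rundll32(ASQUARED_REAL)  # ('tweakui.cpl', 'tweakmeup')


def classify_tweakui(cmd):
    """'legit' if the command is the real Tweak UI entry, 'impostor' if it loads a
    tweakui.* module any other way (e.g. the tweakui.dll / /tweakmeup form quoted
    by a-squared), 'not-tweakui' otherwise. Labels are this example's own."""
    norm = normalise_rundll32(cmd)
    if norm is None or not norm[0].startswith("tweakui"):
        return "not-tweakui"
    return "legit" if norm == LEGIT_TWEAKUI else "impostor"


def audit_log(log_text):
    """Map each O4 Run value name in a HijackThis log to its classification."""
    return {name: classify_tweakui(cmd) for _, name, cmd in parse_o4_run_entries(log_text)}


if __name__ == "__main__":
    print("a-squared flagged text :", classify_tweakui(ASQUARED_FLAGGED))
    for name, verdict in audit_log(HJT_LOG).items():
        print("%-10s %s" % (name, verdict))
```

Run as-is, the a-squared text normalises to ('tweakui.dll', 'tweakui /tweakmeup') and is reported as "impostor", while the [Tweak UI] line from the posted log normalises to ('tweakui.cpl', 'tweakmeup') and matches the form a-squared describes as the real one. Whether the scanner was reading a different key than the one HijackThis shows is not something the thread settles; the point of normalising is that the comparison is made on the command that is actually in the registry, not on how a tool chose to print it.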
-
February 13th, 2006, 04:24 PM
#6
I couldn't find anything out of the ordinary.. But don't take my word for it
Oliver's Law:
Experience is something you don't get until just after you need it.
-
February 13th, 2006, 05:02 PM
#7
If you look in your running processes (Ctrl+Alt+Delete) and check to see if you have scheduler.exe; if so, then yeah, you have the SUBWOOFER Trojan. It's a backdoor; here is an article by Symantec on how to identify the files and remove it.
Trojan Removal
Otherwise, as was mentioned, your log doesn't really show any abnormalities. I would recommend you manage your startups by using Startup Control Panel.
I would let HJT fix this line: R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
Also, if you're interested in CLSIDs like B8BE5E93-A60C-4D26-A2DC-220313175592, then go to
CastleCops, paste the CLSID into its search function, and it will most times tell you if the item is legit or if you should get rid of it.
What is a CLSID?
A Class ID (CLSID) is a 128-bit (large) number that represents a unique id for a software application or application component. Typically they are displayed like this: "{AE7AB96B-FF5E-4dce-801E-14DF2C4CD681}".
You can think of a CLSID as a "social security number" for a piece of software, or a software component.
What are they used for?
CLSIDs are used by Windows to identify software components without having to know their "name". They can also be used by software applications to identify a computer, file or other item.
Where do they come from?
Microsoft provides a utility (program) called GUIDGEN.EXE that generates these numbers. They are generated by using the current time, network adapter address (if present) and other items in your computer so that no two numbers will ever be the same.
Files
1. Keep your Windows updated
2. Keep the patterns/definitions for Avast up to date
3. Keep Spybot S&D updated
4. Get Ad-Aware SE and keep it up to date
5. Get SpywareBlaster and keep it up to date
6. I would recommend a router even if there is only one PC
7. Down to user preference, but you don't really need RegProt, Zone Alarm (it is becoming buggy) or WinPatrol (I used to, but after a while it became a real pest)
Just my 0.02 cents worth
Edit: you can use this list Processes to check your other processes
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
Claude Swanson
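The CLSID explanation in the post above says GUIDGEN builds the number from the current time and the network adapter address. That is the RFC 4122 version-1 layout, and it is not the only one: a version-4 GUID is random and carries neither a timestamp nor an adapter address. The version is readable from the first hex digit of the third group (the "1" in 11D2, the "4" in 4D59). The script below is an added example, not part of the thread and not from CastleCops or GUIDGEN; it uses Python's standard uuid module to decode the CLSIDs quoted in the HijackThis log and in the explanation, and reports, for the time-based ones, when and on which adapter they were generated. The list of sample CLSIDs is copied from the page; everything else is this example's own.

```python
import uuid
from datetime import datetime, timedelta

# Constructed sample: CLSIDs copied from the HijackThis log and the explanation above.
SAMPLE_CLSIDS = [
    "{8E718888-423F-11D2-876E-00A0C9082467}",  # O3 toolbar, msdxm.ocx
    "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}",  # O9 Sun Java Console, ssv.dll
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",  # O2 BHO, AcroIEHelper.dll
    "{AE7AB96B-FF5E-4dce-801E-14DF2C4CD681}",  # the example in the CLSID explanation
]

# Origin of the RFC 4122 version-1 timestamp (100-ns ticks since the Gregorian reform).
GREGORIAN_EPOCH = datetime(1582, 10, 15)


def describe_clsid(text):
    """Describe how a CLSID was generated.

    Returns a dict with the canonical string, the variant and the version. For an
    RFC 4122 version-1 GUID it also decodes the embedded generation time and the
    48-bit node field, which is the generator's MAC address unless the multicast
    bit (0x01 of the first octet) is set, in which case RFC 4122 says the node was
    filled with random data because no adapter address was available.
    """
    g = uuid.UUID(text.strip().strip("{}"))
    info = {"clsid": str(g).upper(), "variant": g.variant, "version": g.version}
    if g.variant == uuid.RFC_4122 and g.version == 1:
        info["generated"] = GREGORIAN_EPOCH + timedelta(microseconds=g.time / 10)
        info["node"] = "%012X" % g.node
        info["node_is_random"] = bool((g.node >> 40) & 0x01)
    return info


def audit_clsids(clsids):
    """Decode a list of CLSID strings; invalid strings are reported, not raised."""
    out = []
    for c in clsids:
        try:
            out.append(describe_clsid(c))
        except ValueError as exc:
            out.append({"clsid": c, "error": str(exc)})
    return out


if __name__ == "__main__":
    for d in audit_clsids(SAMPLE_CLSIDS):
        line = "%s  variant=%s version=%s" % (d["clsid"], d.get("variant"), d.get("version"))
        if "node" in d:
            line += "  generated=%s node=%s random_node=%s" % (
                d["generated"].date(), d["node"], d["node_is_random"])
        print(line)
```

Two of the four sample CLSIDs decode as version 1 (time plus adapter address, as the post describes); the Adobe BHO and the CastleCops-style example are version 4 and embed nothing about the machine. A version-1 CLSID's node field is a fingerprint of the build machine that shipped the component, which is exactly why the same CLSID turns up identically on every installation and why a CLSID lookup service can map one to a known product.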
-
February 13th, 2006, 05:11 PM
#8
I recommend disabling "O23 - Service: TrueVector Internet Monitor" for a while.
Disable, NOT remove, and reboot the computer after that. Then update avast and use the Boot-Time scanner.
Look in the avast menu for "Schedule Boot-Time Scan..."
Don't forget to enable "O23 - Service: TrueVector Internet Monitor" again.
-
February 13th, 2006, 07:09 PM
#9
Do NOT disable "TrueVector Internet Monitor" as that's a ZoneAlarm component.
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
February 13th, 2006, 07:45 PM
#10
Flumps, what does all that stuff on the a-squared log mean then?
http://www.hijackfree.com/analyze/?...49-fbd004c1494a
I am up to date with everything as far as I am aware. I have to admit, I would rather learn about stuff to clear it all out than do a fresh install, as I have this running nicely at the moment, and I have had bad experiences with fresh installs in the past.
Can anyone tell me how to deal with even just one of these? Are they registry entries that can be edited or deleted, or are they files that I can get rid of?
I'm starting to feel like part of a fern
Sarcasm is a way of life