#1
Tried posting ... I can't ... I am but a lowly newbie ... LOL
beeza
#2
Great ... this posting worked ... Murphy is playing tricks on me ... ROFL ... and now I am replying to myself ... 'tis a sad, sad day
#3
Hi beeza,
Are you really having a problem or are you just testing posting? If you are having a problem with an actual Trojan, can you post information regarding it in this forum: http://www.wilderssecurity.com/index.php?board=30
Best Wishes, LowWaterMark
Note: Already moved over from Test Forum - LWM
__________________
Can't a puppy get some sleep around here? Ouch! Now I have a headache.
#4
I really do have a trojan.
IRC/Backdoor.Flood and IRC-Worm/Momma, and I can't seem to sort it out ... I ran AVG and it "healed" two of the components, but I have 4 left. All I know is it is a denial of service attacker (using me as the attacker), and I ran Agnitum's Tauscan but it did not see it. I need some input as to how to get rid of it. Please, beeza
#5
Hi,
Here is some more information about my problem... Norton AV caught the trojan, but could not repair or quarantine it. The file location did not exist when I did a search for it. So I ran AVG. It was able to 'heal' 2 out of the 6 files it found. I ran a search for those files but couldn't find them ... SO .... I did a Google search and came up empty handed. I ran Agnitum's Tauscan; it didn't even see the trojan! I can't run Anti-Trojan 5.5 ... I used up my free trial time from the last trojan I had (backdoor.dll). No need to tell me, I know I am not doing something right ... LOL
My question is: how do I delete those files? Also ... I never use mIRC but I have Trillian ... is there some way to exploit Trillian that I am not aware of? Any help would be appreciated, Beeza
#6
What happens when you run AVG again? Does it still identify any infected files as remaining on the system? Have you looked in the AVG Virus Vault to see if AVG moved the bad files there (that could be the reason why you cannot find them)?
Did AVG give you all the file names involved? Can you post the names here? The ones it couldn't fix could very well have been locked because they were running on your system when AVG tried to clean them. What version of Windows are you running? Have you checked for strange things running in memory (by looking at the task list via Ctrl-Alt-Del)? You may be able to find some of them by going to: Start (menu) > "Run..." > msconfig > Startup (tab). If any of the items in there are the same as those files found by AVG, you can un-check them and reboot, which may prevent them from running and give you a better chance to kill them off.
__________________
Can't a puppy get some sleep around here? Ouch! Now I have a headache.
#7
Hi beeza,
Could you be more specific? You are talking about two infections: has one been cleaned totally, and if so, which one? In case of the Momma worm, you can clean your system manually using this description/manual: www.f-secure.com/v-descs/fagled.shtml
Backdoor.Flood should be easily cleaned using NAV. Perform a Google search and follow the instructions. What O/S is installed, and which firewall (if any)? Finally, you might give Panda's free online scanner/cleaner a try. You'll find it on our free services page: www.wilders.org/free_services.htm
Keep us posted. Regards, paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
#8
Hi,
Here are the answers to your questions. I ran AVG twice. The first time it found six files. The second time it found four ... still infected. I ran AVG this morning with LAN off and modem unplugged. Still have four infected files. In Task Manager I did find something suspicious .... Wexplorer.exe. I have never seen this before (the last time I had a trojan, it ran as wool.exe; thought you would be curious as to how I knew Wexplorer.exe was not supposed to be there ... because I did a search on all processes and what they were for). I run Windows 2000 Pro as my OS with NTFS instead of FAT32. I have the file names:
C:\WINNT\TEMP\LCUDK.EXE:\set.exe
C:\WINNT\TEMP\LCUDK.EXE:\wexplorer.exe
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\CONTENT.IE5\8LG0QJCS\games3(1).exe:\wexplorer.exe
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\CONTENT.IE5\8LG0QJCS\games3(1).exe:\set.exe
This morning I searched for the files again and voila, there they were! My question becomes this ... these four files are now in the recycling bin; the "LCUDK.EXE" I am being told is a system folder. Any potential problem by deleting it? Also, once I empty the recycling bin, is it truly gone? Thanks for all the help, Beeza
#9
Since all the infected files were in temporary folder locations, that's a good sign that they can be deleted without a bad impact. Same with the "LCUDK.EXE:" folder - it may have been flagged by the trojan as a system folder, but it's in the C:\WINNT\TEMP\ directory, so it can be safely deleted.
I'd empty the recycle bin and then run a new full scan with AVG. After that, I'd go through the Panda online scanner that Paul referenced above. (It's a very good scanning tool.) The results of these scans will help confirm that it's all cleaned up. If you haven't checked msconfig yet, check that for Startup links to any of these bad programs. If they're in there, but you've deleted the files, you may see some warning messages about not being able to find them at bootup. It's great you were able to get them to the Recycle Bin. You appear to have gotten ahead of this one. Best Wishes, LowWaterMark
__________________
Can't a puppy get some sleep around here? Ouch! Now I have a headache.
#10
Hi,
Well .... I got rid of two of the files. Still have two ... sigh. I don't know what I am doing wrong, but I can't do a search for C:\Documents and Settings\Default User .... I am frustrated and annoyed!!!!!! I get an alert telling me the syntax is wrong .... (I am currently banging my head on the table in frustration). I am going to try Panda and PC-cillin and will apprise you of the results. Thanks for all the help, Beeza
#11
Hi,
If no joy, please do this: Go to http://www.spywareinfo.com/downloads.html and download 'StartupList' (in the "Startup Program Management" section). Unpack it, double-click it, and it will generate a text file that lists all running processes, all applications that are loaded automatically when you start Windows, and more. Go to Edit > Select All, copy it, and please post the contents here. That will give us some insight into what's happening on your machine.
__________________
Tony - CLSID List - A Collection of Autostart Locations
#12
Hi,
First off, I ran the Panda scanner ... tried several times and I kept getting a Windows Service Pack installation window, so I couldn't do the scan. I tried PC-cillin ... it didn't find anything. As a side note ... the file path that Norton gave me was C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tnpE\tmp.ini and another program (brain froze, I can't think of the name now ... LOL) gave the file path as WINNT\n0tepad.exe !!! ... I did a search for both ... came up with nada ... Here is the startup list that you requested:

```
StartupList report, 16-Oct-02, 5:53:25 PM
StartupList version: 1.34.0
Started from : C:\Documents and Settings\Administrator\Local Settings\Temp\StartupList.EXE
Detected: Windows 2000 (WinNT 5.00.2195)
Detected: Internet Explorer v5.00 (5.00.2920.0000)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\loadqm.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
HorngTech4D = C:\PROGRA~1\MOUSES~1\bally4d.exe
NewsUpd = C:\Program Files\Creative\News\NewsUpd.EXE /q

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Download Program Files:

[sys Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\CONFLICT.1\PCPitStop.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[{2B323CD9-50E3-11D3-9466-00A0C9700498}]
CODEBASE = http://cs7.chat.sc5.yahoo.com/v43/yacscom.cab

[YInstStarter Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[DiskHealth Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\diskhealth.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/diskhealth.cab

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2002082001/housecall.antivirus.com/housecall/xscan53.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

[{BD11A280-2E73-11CF-B6CF-00AA00A74DAF}]
CODEBASE = http://images.bonzi.com/freebuddy/wd/bbsetuplim.exe

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll
CODEBASE = http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[NSUpdateLiteCtrl Class]
InProcServer32 = C:\WINNT\System32\nsupdate.dll
CODEBASE = http://204.177.92.201/quickdl/proclaim/NSupd9x.cab

--------------------------------------------------
End of report, 6,030 bytes
Report generated in 1.853 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only
```

Hope that helps ... I will try again to find those two pesky files. Thanks for all the help, Beeza
PS Bonzi Buddy was not my idea ... LOL ... it is gone now
#13
You think you have 2 infected files, or you know that you have 2 infected files for sure?
Sorry, but the startup list seems to be OK. Most of this is SoundBlaster/Creative-specific stuff. Gladiator
#14
First of all, what Norton doesn't repair it will Quarantine, UNLESS you have changed the default setting to not quarantine them. Second, a plain Start > Find will not find files in your Content.IE5 folder or your hidden files.
Why hasn't anybody recommended TDS-3? Third, doesn't anybody check their registry RUN keys manually anymore? Yes, it is nice to have a program like FileChecker to verify important program files have not been changed, but I am not sure FileChecker monitors registry keys, does it? All startup registry keys should always be monitored. Of course, since all trojans only start on reboot, if you never have to reboot, you're good to go. LOL
#15
About the List, I can only agree with my learned colleagues.
No virus or trojan activity to be seen at all. On a side note, I'd just uncheck NewsUpd in Msconfig/Startup, and remove the following two items from your Windows\Downloaded Program Files folder:
[{BD11A280-2E73-11CF-B6CF-00AA00A74DAF}]
CODEBASE = htp://images.bonzi.com/freebuddy/wd/bbsetuplim.exe
[NSUpdateLiteCtrl Class]
InProcServer32 = C:\WINNT\System32\nsupdate.dll
CODEBASE = http://204.177.92.201/quickdl/proclaim/NSupd9x.cab
BTW, you were referring to this file in your Temp directory. FYI, anything in <your drive>:\Documents and Settings\<user name>\Local Settings\Temp can and should be nuked on a regular basis anyway, preferably after a reboot, when none of the files will likely be in use by Windows. Cheers,
__________________
Tony - CLSID List - A Collection of Autostart Locations
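As an added example (not code from the thread, from StartupList's author, or from any of the posters), here is a small Python parser for StartupList-style report text that applies the triage rules the replies above use by hand: executables running or auto-starting from a Temp directory or Temporary Internet Files (where Beeza's infected files lived), Download Program Files whose CODEBASE is served from a bare IP address (the NSUpdateLiteCtrl item Tony wants removed), and file names that imitate a system binary by digit substitution (the WINNT\n0tepad.exe name Beeza was given). The report text below is constructed here to mimic the 1.34 layout posted above; the section names and registry key come from that report, while the "Wexplorer" Run entry is an assumed value added for illustration.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in the StartupList 1.34 layout; NOT the report posted in the
# thread. The Wexplorer Run entry is an assumed value used only for illustration.
SAMPLE_REPORT = r"""StartupList report, 16-Oct-02, 5:53:25 PM
StartupList version: 1.34.0
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.exe
C:\WINNT\n0tepad.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\StartupList.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
Wexplorer = C:\WINNT\TEMP\wexplorer.exe

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[NSUpdateLiteCtrl Class]
InProcServer32 = C:\WINNT\System32\nsupdate.dll
CODEBASE = http://204.177.92.201/quickdl/proclaim/NSupd9x.cab

--------------------------------------------------
End of report, 1,234 bytes
"""

SEPARATOR = re.compile(r"^[-=]{10,}[ \t]*$", re.M)   # the ----- / ===== rule lines
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")
SYSTEM_NAMES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "explorer.exe", "notepad.exe"}
DIGIT_TO_LETTER = str.maketrans("01", "ol")   # n0tepad -> notepad, exp1orer -> explorer
EXEC_PATH = re.compile(r"^(.*?\.(?:exe|dll|ocx|com|scr))\b", re.I)


def parse_sections(text):
    """Split a report into [(section title, [entry lines])], skipping header/footer."""
    sections = []
    for chunk in SEPARATOR.split(text):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines or not lines[0].endswith(":"):
            continue                      # report banner or "End of report" footer
        title, entries = lines[0].rstrip(":"), lines[1:]
        if title == "Autorun entries from Registry":
            title, entries = f"{title} {entries[0]}", entries[1:]   # key path follows
        sections.append((title, entries))
    return sections


def path_of(entry):
    """Return the executable path from 'Name = path args', a StubPath, or a bare path."""
    value = entry.split("=", 1)[1] if "=" in entry else entry
    value = value.strip().strip('"')
    match = EXEC_PATH.search(value)
    return match.group(1) if match else value


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious(text):
    """Apply the thread's triage heuristics; returns [(section, entry, reason)]."""
    findings = []
    for title, entries in parse_sections(text):
        for entry in entries:
            if entry.upper().startswith("CODEBASE"):
                host = urlparse(entry.split("=", 1)[1].strip()).hostname or ""
                if is_ip_literal(host):
                    findings.append((title, entry, "CODEBASE served from a bare IP address"))
                continue
            path = path_of(entry)
            low = path.lower()
            name = low.rsplit("\\", 1)[-1]
            if any(marker in low for marker in TEMP_MARKERS):
                findings.append((title, entry, "executable located under a Temp directory"))
            imitated = name.translate(DIGIT_TO_LETTER)
            if name not in SYSTEM_NAMES and imitated in SYSTEM_NAMES:
                findings.append((title, entry, f"name imitates system binary {imitated}"))
    return findings


if __name__ == "__main__":
    for section, entry, reason in find_suspicious(SAMPLE_REPORT):
        print(f"[{section}] {entry}\n    -> {reason}")
```

Every hit is a lead for a human to verify, not a verdict: StartupList.exe itself is flagged because Beeza ran it from Temp, which is exactly the kind of benign match an analyst rules out by checking what the file is before removing anything.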
#16
Hi,
Yes, there is something there (I found the files and moved them to the recycling bin - I got asked if I wanted to move system files to the new location - I freaked [still a newbie] and put them back !!!!! I am kicking myself for doing that in hindsight)... it isn't doing anything anymore ... thankfully. I appreciate ALL the help and advice I have been given. I just can't seem to get access to those two files. I will in time. Or I will reformat.
BTW - I could NOT run Panda's online scanner; when I did so, Windows wanted to reinstall the Windows service pack. I tried several times to scan but no success (I got the same installation prompt). I agree about getting an anti-trojan program ... and I will look into one ASAP. As to Norton ... I tried to quarantine it, but was unable to do so, and I did not alter the program. I did a straight installation and left the program at default settings. When I had the other trojan, Norton would not quarantine that one either! As to the registry .... I don't think I am capable - yet - of altering anything I would find there. But I like the suggestion; I am just too wet behind the ears to do that just yet. Thanks for all your help and quick response to my queries, I really appreciate it. Beeza
PS - one of the things I noticed about this trojan which I found interesting was when I booted the computer a mIRC bar would show in the task bar for about 10 seconds - in the bar it said mIRC annex - it is now gone - I think when I got rid of the wexplorer.exe files that went with it, because I don't see it anymore. Thanks again