Do I have a trojan or a worm?

Discussion in 'malware problems & news' started by Larry G, Nov 6, 2003.

Thread Status:
Not open for further replies.
  1. Larry G

    Larry G Registered Member

    Joined:
    Nov 6, 2003
    Posts:
    2
    Hi,

    I've been running Outpost Firewall and have noticed a barrage of hits. Literally about two every two minutes. They are coming from ISPs in Michigan and Kentucky, particularly (www.wk.net) out of Kentucky. A few are coming from my ISP, and one even traced to a security website, Brimark.com out of Minnesota.
    :mad:

    If I stay online for an hour, I can get up to 100 firewall hits: port scans, connection requests, echo requests, etc., on ports such as ICMP, UDP, TCP, etc. Is this at all in the normal range for attacks on home computers?

    I have run numerous virus scans. On one scan, it found 16: win32/spreder and win32/hantaner, so I deleted those.

    Ad-Aware turned up nothing except the usual tracking cookie files, so I deleted those. The latest scan found something called CoolWebSearch, which was posting info32.exe messages, so I deleted that.

    AVG found one called java/byteverify, so I healed that. On the Swatit program, it found something called Latinus v1, or something, which is apparently a backdoor and keylogger. This was on an MP3 encoder file, which instilled great confidence that a software provider could have a virus included with its software.

    So, I deleted that. Yet, I'm still getting these strange firewall hits and I don't know why.

    Who and what kind of people and/or machines are behind them (or tend to be behind them). What is their purpose?

    I run my machine with the firewall most of the time, but a friend decided to check her e-mail on my machine and wasn't running the firewall. When I booted, my home page had changed, and my OE (Outlook Ex) settings were altered. I suspect this was the Coolwebsearch hijack. It was set to clearsearch.cc.

    A weeks ago, my PC was telling me it couldn't find the operating system (Windows 9:cool: and my hard drive was sounding like a dead duck. After numerous scan disks, it all came back and I haven't had a problem since. Now, I suspect some kind of boot sector virus, but don't know as I'm a bit of a novice when it comes to things like this.

    All in all, I'm feeling frustrated and a bit paranoid about the whole thing, and would appreciate any advice on getting this nuisance gone from my system.

    Would Spybot help? Does it catch what the latest Ad-Aware doesn't? I have the latest updates from Ad-Aware and AVG.

    I'd install Norton, but it has crashed my system so many times, I'd almost rather tolerate the viri out there. ;-)

    Thanks in advance for any advice,
    Larry
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Larry G,

    CWS uses many filenames and different hijacks.
    Please download, unzip and run: http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip
    to see if there are more present.

    Then please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log as a .txt file, and copy and paste its contents into your next post.

    Most of what it lists will be harmless, so do not fix anything yet.

    Regards,

    Pieter
     
  3. Larry G

    Larry G Registered Member

    Joined:
    Nov 6, 2003
    Posts:
    2
    Thanks Peter. :)

    Okay, here's the log:

    Logfile of HijackThis v1.95.0
    Scan saved at 3:38:29 AM, on 11/06/2003
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\STARDOCK\TRAYSERVER.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SA3DSRV.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
    C:\PROGRAM FILES\TRACKER SOFTWARE\PDF-XCHANGE 3\PDFSAVER\PDFSAVER3.EXE
    C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\MY DOWNLOAD FILES\HIJACK THIS\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c99&s=searchbar&LC=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=127.0.0.1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak=http://www.yahoo.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.netscape.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\055qfde8.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\055qfde8.slt\prefs.js)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
    O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
    O4 - HKLM\..\Run: [OEMCLEANUP] C:\windows\OPTIONS\oemreset.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SZGMTDGQT] C:\WINDOWS\SZGMTDGQT.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\RunServices: [1A:Stardock TrayMonitor] "C:\PROGRAM FILES\COMMON FILES\STARDOCK\TRAYSERVER.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
    O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\Run: [pdfSaver3] C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: WakeUp! Alarm Clock.lnk = C:\Program Files\EJ innovations\WakeUp! Alarm Clock\wakeup.exe
    O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
    O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
    O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish
    O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish
    O8 - Extra context menu item: Download with Go!Zilla - file://C:\PROGRAM FILES\GO!ZILLA\download-with-gozilla.html
    O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O8 - Extra context menu item: Download using Offline &Explorer - file://C:\PROGRAM FILES\OFFLINE EXPLORER PRO\Add_UrlO.htm
    O8 - Extra context menu item: Download the &current page with Offline Explorer - file://C:\PROGRAM FILES\OFFLINE EXPLORER PRO\Add_AllO.htm
    O9 - Extra 'Tools' menuitem: &AltaVista Home (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Organise-notes (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://free.aol.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011217/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {BF4FC0C7-4387-4D18-AD86-DF33DDDE33C7} - http://hot.activebuddy.com/catalog/smarterchild/websetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37787.7687847222

    --

    Larry
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Larry G,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O4 - HKLM\..\Run: [SZGMTDGQT] C:\WINDOWS\SZGMTDGQT.exe
    O8 - Extra context menu item: Download with Go!Zilla - file://C:\PROGRAM FILES\GO!ZILLA\download-with-gozilla.html
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O15 - Trusted Zone: http://free.aol.com <= unless you put it there yourself for a reason
    O16 - DPF: {BF4FC0C7-4387-4D18-AD86-DF33DDDE33C7} - http://hot.activebuddy.com/catalog/smarterchild/websetup.cab

    Then reboot and keep us posted,

    Pieter
     
Loading...
Thread Status:
Not open for further replies.