HELP: Computer hacked... possibly to act as a xdcc bot

Discussion in 'malware problems & news' started by marcuri, May 12, 2005.

Thread Status:
Not open for further replies.
  1. marcuri

    marcuri Registered Member

    Joined:
    May 12, 2005
    Posts:
    14
    Let me first preface this with saying that I do understand a lot about computers, and I'm the type of person in the family that people go to when they have computer problems. I've had extensive experience with spyware removal/trojan removal/etc. for a long time and I've always been good with computers.

    That said... onto the problem.

    I've been suspecting something has been wrong with my computer (specifically my laptop I've used at college) for quite some time. Every time I've shut down for the last couple of months I would have this program called sample which must be closed through clicking "end task" every time I shut down. It never came up in a file search, and never was shown in task manager. So I always assumed it was part of a program I was running or something along those lines. I'm not even sure (at this time at least) if this file is related to the current situation that I have.

    Well as it turns out I've apparently been hacked... not sure how recently this has occurred but I realized it when NOD32 came up and mentioned that in C:\WINDOWS\system32\mui\721w\cache there was a file called lsass.exe (still not sure if it's spelled with an l or an i but my guess is a capital I to make it seem like a system process in task manager). NOD32 said it was quarantined and was to be deleted on the next restart. I did that and all seemed well. To make sure it was deleted I went to the directory it had listed as where it was found. However as it turns out when I browsed to that folder (in C:\WINDOWS\system32\mui\721w\) the folder cache didn't show up even though show hidden folders was turned on. So I manually typed in \cache, hit enter and next thing I know I'm face to face with what looks like a bunch of files and a folder; one file looked like it had the Serv-U icon on it and it was listed as FTP Serv-U Daemon.

    Here's a list of the files in the directory:

    Directory of C:\WINDOWS\system32\mui\721w\cache

    01/22/2005 02:25 PM 6,656 cygcrypt-0.dll
    01/22/2005 02:25 PM 1,140,617 cygwin1.dll
    10/27/2004 11:20 PM 213 d0
    05/12/2005 03:01 PM 0 directory.txt
    05/12/2005 03:01 PM 248 directorylist.txt
    11/05/2004 09:25 AM 847,872 libeay32.dll
    05/12/2005 02:24 PM 2,443 lsass.ocx
    01/30/2005 12:06 AM 902 s0
    05/12/2005 02:35 PM 1,416 ServUDaemon.ini
    05/12/2005 02:35 PM 614 ServUStartUpLog.txt
    07/08/2004 09:53 AM 1,043,968 spoolsv.exe
    09/16/2000 01:30 PM 63,488 srunner.exe
    05/12/2005 02:31 PM 3,559 system.lg
    05/12/2005 02:33 PM 268 system.state
    05/12/2005 02:30 PM 268 system.state~
    05/12/2005 02:33 PM 214 system.xdcc
    05/12/2005 02:30 PM 207 system.xdcc~
    05/12/2005 02:24 PM <DIR> ul
    dir ul has no files in it.

    What surprises me is the creation date... today... and very recently as well.

    I highlighted and had NOD32 scan all the files, at which point it detected that:
    C:\WINDOWS\system32\mui\721w\cache\spoolsv.exe - Win32/ServU-Daemon Application

    and that it was in memory and nothing could be done to delete it.

    What makes me believe that this infiltration might've been done before today is that I've been having some problems with what I think was spoolsv.exe taking up a lot of memory a couple weeks back.
    EDIT: I was wrong... the file I was thinking of is svchost.exe and I noticed one of the many instances running was around 21MB... end tasking it works, however as soon as I do I lose my Windows XP theme and XP starts to look a lot like Win 2k. Not sure if this helps at all.

    What it looks like (judging by what's in the ServUDaemon.ini file) is that I was hacked mostly due to the fact that I was on a .edu connection at the time (home from college now), and just looking over the .ini files in the directory, that I was hacked to be an xdcc bot on an IRC network... and also that the FTP program now allowed whoever has the login and password to the FTP to upload whatever they want to it.

    Contents of ServUDaemon.ini:
    [GLOBAL]
    Version=5.1.0.0
    ProcessID=1228

    [DOMAINS]
    Domain1=0.0.0.0||2004|r00t3d|1|0|0

    [Domain1]
    User1=nutz87|1|0
    User2=upload|1|0
    User3=leech|1|0
    SignOn=c:\WINDOWS\system32\mui\721w\cache\s0
    DirChangeMesFile=c:\WINDOWS\system32\mui\721w\cache\d0
    DirChangeMesFile2=c:\WINDOWS\system32\mui\721w\cache\d0
    SocketRcvBuffer=65534
    SocketSndBuffer=65534


    Password=uy52A999AA9936D3737AEC77C76900B43E
    HomeDir=c:\
    TimeOut=600
    Maintenance=System
    Access1=C:\|RWAMELCDP
    Access2=D:\|RWAMELCDP
    Access3=E:\|RWAMELCDP
    Access4=F:\|RWAMELCDP
    Access5=G:\|RWAMELCDP
    Access6=H:\|RWAMELCDP
    Access7=I:\|RWAMELCDP
    Access8=J:\|RWAMELCDP
    Access9=K:\|RWAMELCDP
    Access10=L:\|RWAMELCDP
    Access11=M:\|RWAMELCDP
    Access12=N:\|RWAMELCDP
    Access13=O:\|RWAMELCDP
    Access14=P:\|RWAMELCDP
    Access15=Q:\|RWAMELCDP
    Access16=R:\|RWAMELCDP
    Access17=S:\|RWAMELCDP
    Access18=T:\|RWAMELCDP
    Access19=U:\|RWAMELCDP
    Access20=V:\|RWAMELCDP
    Access21=W:\|RWAMELCDP
    Access23=X:\|RWAMELCDP
    Access24=Y:\|RWAMELCDP
    Access25=Z:\|RWAMELCDP


    Password=gd79FBB6854962875DA4562E35BD604856
    HomeDir=c:\WINDOWS\system32\mui\721w\cache\ul
    RelPaths=1
    TimeOut=180
    Access1=c:\WINDOWS\system32\mui\721w\cache\ul|WALCP


    Password=zpB7067C16FF9AEFE4FA70A7F5C72C2254
    HomeDir=c:\WINDOWS\system32\mui\721w\cache\ul
    RelPaths=1
    TimeOut=180
    Access1=c:\WINDOWS\system32\mui\721w\cache\ul|RALP


    Also other files I found that have interesting contents:
    d0 (no extension):
    ====================================
    Current Bandwidth............: %Serverkbps KB/s
    Average Bandwidth............: %ServerAvg KB/s
    Free Disk Space..............: %DFree KB
    ====================================

    Apparently a script that whoever hacked my system set up, which tells you when you log in to the FTP info one might use to determine how much they can upload to my computer.

    Also, s0 (no extension) has some similar info in it, with more info on my IP etc., all in script form.

    Most interesting though is system.xdcc, which has some damning evidence that shows who did this:

    ** 0 packs ** 2 of 2 slots open, Min: 10.0KB/s
    ** Bandwidth Usage ** Current: 0.0KB/s,
    ** To request a file, type "/msg [REMOVED SO I CAN FIGURE OUT WHAT IRC CHANNEL DID THIS] xdcc send #x" **
    Total Offered: 0.0 MB Total Transferred: 0.00 MB


    Anyway, long story short, I know what it is but I have no idea how to get rid of all of this and how (if I can) to log some even more incriminating evidence so I can inform the authorities about it and hopefully something is done (doubtful).

    My guess on removal is something along the lines of how one would remove VX2, but I want some other opinions on it first.

    I also want to make sure this isn't the only access they have to my system, and any advice on how to figure that out would be very helpful.

    Currently the only protection I have is through NOD32, which is my primary scanner and runs all the time, and Norton Corporate Edition (I think) as my backup scanner (it was provided by my university).

    Thanks a ton for reading all that (if you got through it all) and for any advice and help that you might have for me.

    -matt
     
    Last edited: May 13, 2005
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hmm, I am not sure which infection this is, maybe the experts can tell, but I will recommend that you follow the cleaning instructions here: https://www.wilderssecurity.com/showthread.php?t=50662

    Please note that we do not do HiJackThis analysis but links to sites that do are in the cleaning thread.

    Thanks & good luck. Pilli :)
     
  3. marcuri

    marcuri Registered Member

    Joined:
    May 12, 2005
    Posts:
    14
    Thanks... don't think I need to do a HijackThis scan though... it's definitely not malware.

    It seems to be a custom type of hack that is pretty common on IRC networks so they can set up bots to put files on and then send those files out to other people... I actually do remember it happening to my friend once but that's because he was running an FTP server (G3 I think it was, but since then it's been renamed to BulletProof FTP Server) and it had some well-known security hole that was often exploited. He reformatted to fix his problem... I'm hoping to avoid that.
     
  4. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Hi
    marcuri, I've cleaned this kind of infection many times. It is malware; most antiviruses detect the files. This hack consists of several files. Usually there's an app to kill security software, an app to hide files/windows, a backdoor server (usually iroffer, sometimes radmin) and the FTP server. Often those are started as services via srvany.exe or firedaemon.exe. Very often there's an sd/r/spy/my/poe/for/ago-bot worm too.

    Try TDS-3; follow these instructions:


    Download the trial version of TDS-3 anti-trojan from here:
    http://www.diamondcs.com.au/tds/downloads/tds3setup.exe
    Install it, but do not launch it yet.

    Update it: right-click the link below, select "save as"
    http://www.diamondcs.com.au/tds/radius.td3

    Save it to the directory where you installed TDS-3, overwriting the previous radius.td3 if prompted.

    Then launch TDS-3. In the top bar of the TDS window click System Testing > Full System Scan.
    Detections will appear in the lower pane of the TDS window. Right-click the list > select delete! Delete everything labelled positive identification.

    I'd like to see your HijackThis log if it's ok with Pilli?
     
  5. marcuri

    marcuri Registered Member

    Joined:
    May 12, 2005
    Posts:
    14
    Alright cool... after looking over it all it seems more and more like a script kiddie over someone hacking me for possible personal info like I first thought (guess I was fearing the worst). I have seen this before but I think the virus scanner fixed it or I just reformatted and I didn't have to deal with it.

    I'll run a HijackThis scan and get back to you on the results via a PM so that way it won't be an issue... I doubt much will come up though because I run Spybot fairly frequently and have Giant AntiSpyware (the Microsoft AntiSpyware beta) running all the time... plus I use Firefox.

    Either way, I appreciate your help.

    -matt
     
    Last edited: May 12, 2005
  6. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    When the Announcement was written concerning Wilders no longer allowing unsolicited HJT logs from being posted....a note was added that allows You to request an HJT log :D

    You....fit that description without a doubt

    marcuri can post the HJT log in this thread....or PM you as was mentioned....ya'lls choice :ninja:
     
  7. marcuri

    marcuri Registered Member

    Joined:
    May 12, 2005
    Posts:
    14
    My problem right now is not removing it (well, not my main problem)... but it's more finding out how I got it installed on my computer in the first place. I have this feeling it's another deep underlying infection that I haven't found yet 'cause I couldn't imagine how I could've possibly gotten infected without the person having access to my system to begin with (yeah, and I ruled out anyone going on my computer in my dorm and installing it... that's very unlikely).

    I could be wrong though... we'll see as soon as I update to the latest version of NOD32 (the beta) and do a full system scan with everything checked.

    I'm going to include the HijackThis log even though I already PMed it to illukka, just so if anyone else wants to help out they can take a look. Plus it might help someone doing a Google search on file names (to remove a similar virus) to have some of the processes listed.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:06:25 PM, on 5/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    c:\windows\system32\srunner.exe
    C:\WINDOWS\system32\mui\721w\cache\srunner.exe
    C:\WINDOWS\System32\inetsvc.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\system32\mui\721w\cache\srunner.exe
    C:\WINDOWS\System32\mui\721w\cache\spoolsv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Matt1\Desktop\ndntenst.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\DOCUMENTS AND SETTINGS\MATT1\DESKTOP\HijackThis.exe

    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
    O4 - Startup: BJ Status Monitor Canon PIXMA iP1500.lnk = C:\Documents and Settings\Matt1\cnmss Canon PIXMA iP1500 (Local).exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Matt1\Application Data\Mozilla\Firefox\Profiles\default.ci0\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
    O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Matt1\Application Data\Mozilla\Firefox\Profiles\default.ci0\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: Inet Service (inetsvc) - Unknown owner - c:\windows\system32\srunner.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Local Security Authority Service (lsass) - Unknown owner - C:\WINDOWS\system32\mui\721w\cache\srunner.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Microsoft Printer Spooler Service (ssv) - Unknown owner - C:\WINDOWS\system32\mui\721w\cache\srunner.exe
     
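    As an added example (not code from this thread, from HijackThis or from any of the posters): a small Python triage script that applies the checks the later replies rely on when reading O23 lines, namely "Unknown owner", a display name that mimics a Windows component but runs a different image, a binary buried several levels under System32, and one image name backing several services. The sample input is the O23 lines from the log above; the LOOKALIKES map and the nesting-depth rule are this example's own heuristics, not HijackThis features.

    ```python
    import re
    from collections import defaultdict
    from dataclasses import dataclass

    # Constructed sample input: the O23 service lines from the HijackThis log
    # posted in this thread. Backslashes are doubled because this is a Python literal.
    SAMPLE_LOG = """\
    Logfile of HijackThis v1.99.1
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\\Program Files\\Executive Software\\Diskeeper\\DkService.exe
    O23 - Service: Inet Service (inetsvc) - Unknown owner - c:\\windows\\system32\\srunner.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
    O23 - Service: Local Security Authority Service (lsass) - Unknown owner - C:\\WINDOWS\\system32\\mui\\721w\\cache\\srunner.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\\WINDOWS\\System32\\RegSrvc.exe
    O23 - Service: Microsoft Printer Spooler Service (ssv) - Unknown owner - C:\\WINDOWS\\system32\\mui\\721w\\cache\\srunner.exe
    """

    # "O23 - Service: <display> (<short>) - <owner> - <image path>"; the short name is optional.
    O23_RE = re.compile(
        r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
    )

    # Heuristic (this example's assumption): display-name fragments that imitate core
    # Windows components, mapped to the image the genuine component runs from.
    LOOKALIKES = {"security authority": "lsass.exe", "spooler": "spoolsv.exe"}


    @dataclass
    class Service:
        display: str
        short: str
        owner: str
        path: str


    def parse_o23(text):
        """Return one Service per O23 line; other HijackThis lines are ignored."""
        services = []
        for line in text.splitlines():
            m = O23_RE.match(line.strip())
            if m:
                services.append(Service(m["display"], m["short"] or m["display"], m["owner"], m["path"]))
        return services


    def triage(services):
        """Map short service name -> list of reasons it deserves a closer look."""
        by_image = defaultdict(list)           # image file name -> services using it
        for s in services:
            by_image[s.path.lower().rsplit("\\", 1)[-1]].append(s.short)
        findings = {}
        for s in services:
            low = s.path.lower()
            image = low.rsplit("\\", 1)[-1]
            reasons = []
            if s.owner.lower() == "unknown owner":
                reasons.append("unknown owner")
            for fragment, genuine in LOOKALIKES.items():
                if fragment in s.display.lower() and image != genuine:
                    reasons.append(f"looks like {genuine} but runs {image}")
            # Service binaries normally sit directly in System32 or one level below it.
            tail = low.split("\\system32\\", 1)
            if len(tail) == 2 and tail[1].count("\\") > 1:
                reasons.append("nested deep under system32")
            if len(by_image[image]) > 1:
                reasons.append("image name shared by services: " + ", ".join(by_image[image]))
            if reasons:
                findings[s.short] = reasons
        return findings


    if __name__ == "__main__":
        for name, reasons in triage(parse_o23(SAMPLE_LOG)).items():
            print(name, "->", "; ".join(reasons))
    ```
    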
  8. marcuri

    marcuri Registered Member

    Joined:
    May 12, 2005
    Posts:
    14
    It found some file that seems related to the infection but wasn't positively identified (in bold), so let me know what you think so I can figure out whether or not to delete it:


    Trojan Client\EditServer found: Netcat.a (Utility)
    File: c:\windows\system32\inetsvc.exe

    EDIT: This file turned out to be spyware, which I think was unrelated to the infection.

    Here's a full list of what TDS found; those marked "positive identification" were removed:

    Scan Control Dumped @ 19:41:44 12-05-05
    Positive identification: Riskware.Tool.SRunner
    File: c:\windows\system32\srunner.exe

    Positive identification: Riskware.Tool.SRunner
    File: c:\windows\system32\mui\721w\cache\srunner.exe

    Trojan Client\EditServer found: Netcat.a (Utility)
    File: c:\windows\system32\inetsvc.exe

    Positive identification: Riskware.Tool.SRunner
    File: c:\windows\system32\mui\721w\cache\srunner.exe

    Positive identification: Riskware.Tool.SRunner
    File: c:\windows\system32\srunner.exe

    Positive identification: Riskware.Tool.SRunner
    File: c:\windows\system32\mui\721w\cache\srunner.exe

    Positive identification: Riskware.Tool.SRunner
    File: c:\windows\system32\mui\721w\cache\srunner.exe

    Positive identification: Hidden32 Trojan Tool
    File: c:\windows\system32\h.exe

    Trojan Client\EditServer found: Netcat.a (Utility)
    File: c:\windows\system32\inetsvc.exe

    Positive identification: Riskware.Tool.SRunner
    File: c:\windows\system32\srunner.exe

    Positive identification: Riskware.Tool.SRunner
    File: c:\windows\system32\mui\721w\cache\srunner.exe
     
    Last edited: May 13, 2005
  9. marcuri

    marcuri Registered Member

    Joined:
    May 12, 2005
    Posts:
    14
    Figured it all out (i.e. how to clean it all) and also found out how I had all that stuff installed in the first place. I guess I've gotten too reliant on virus scanners to pick up everything and I didn't even look at the extension of the file... turned out to be a .exe instead of what it was supposed to be.

    What I found surprising though is that the old version of NOD32 (not beta) only picked up 1 file... and that was after it was extracted and already running in my memory. In the compressed file there were about 3 other files that weren't even detected (they were, however, by TDS-3). Submitted some files to NOD32 'cause the beta version wanted me to... hopefully it'll pick them up a lot better now once they add them to the definitions and maybe some good will come out of all this.

    Thanks for your help.

    -matt
     
    Last edited: May 13, 2005
  10. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hey matt,

    Would you mind sharing with us more of what you found, please. We do not take lightly the posting of HJT logs when one has been requested by a specially titled forum expert... if for no other reason than it allows us to find items that may be new in regards to badware.

    Regards,
    Bubba
     
  11. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    I'll copy here the fix instructions:

    Open a command prompt (click Start > Run > type in cmd and hit enter).
    Into the command prompt window type sc stop ssv
    and hit enter.

    Then type sc delete ssv
    and hit enter.

    Reboot.

    I want you to go to this forum:
    http://www.thespykiller.co.uk/forum/index.php?board=1.0
    No need to register.
    Start a new topic called "for illukka from wilders".
    Upload these files (attach):
    C:\WINDOWS\System32\mui\721w\cache\spoolsv.exe
    C:\WINDOWS\system32\mui\721w\cache\srunner.exe


    Then you can delete the files.

    Reboot and post a new log.
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    The antiviruses won't detect those 2 files because there doesn't seem to be any viral code in them;
    they are just instructions to connect to various servers to download other rubbish and adverts, or so it seems, but they are being sent on to all the AV companies etc.

    Or more probably one contains a list of servers that the other files in the package were set to attack and possibly be part of a DDoS attack.
     
  13. marcuri

    marcuri Registered Member

    Joined:
    May 12, 2005
    Posts:
    14
    Files were posted so you could look over them.

    What I ended up doing after I deleted all files that were positively identified by TDS-3 was deleting the entire directory C:\WINDOWS\System32\mui\721w\ through a cmd prompt, as follows:

    start > run > type: cmd > hit enter

    type cd C:\WINDOWS\System32\mui\ (or the folder containing the infected files here)

    type del 721w

    Before you do that make sure there aren't any other files that might be important (more than likely there won't be)... I chose a directory up from the \cache\ folder just to make sure that any files hidden within the cache folder would be removed.

    and that seemed to get rid of most everything else left over...

    [If you have a similar infection don't follow these instructions; instead see 3 paragraphs down in red]
    There were some leftover service entries for the files once I deleted them; I simply followed the instructions found here:
    http://www.tech-recipes.com/windows_installation_tips504.html

    Looked for the names of the services in device manager, made sure they weren't legit services (unknown authors seem to give this away), and deleted them. Specifically in my case they were:

    O23 - Service: Microsoft Printer Spooler Service (ssv) - Unknown owner - C:\WINDOWS\system32\mui\721w\cache\srunner.exe
    O23 - Service: Inet Service (inetsvc) - Unknown owner - c:\windows\system32\srunner.exe
    O23 - Service: Local Security Authority Service (lsass) - Unknown owner - C:\WINDOWS\system32\mui\721w\cache\srunner.exe

    If you have a similar infection follow a different method, such as illukka's method posted above, but it just needs to be repeated 2 more times with lsass and inetsvc everywhere it says "ssv" (or substitute the names of the services involved in your particular infection), for example:
    open a command prompt (click Start > Run > type in cmd and hit enter)
    into the command prompt window type sc stop lsass
    and hit enter

    then type sc delete lsass

    then repeat with inetsvc in place of lsass...


    My method is ok (I think), but I had already deleted and stopped the services through TDS's trojan scanner.

    AGAIN: If anyone else has this infection follow illukka's method.

    I'll post the clean HijackThis log as soon as I run a rootkit scanner to make sure I don't have any "residual" files left over... the computer seems like it's clean though.
     
    Last edited: May 13, 2005
  14. Veng

    Veng Guest

  15. Veng

    Veng Guest

    Just to clarify, the "Ending Program - SAMPLE" hang that occurs on laptops, primarily Dells with Intel wireless etc., and usually occurs twice when shutting down, is the behaviour of a badly coded ProSet program.

    To stop it happening I did:

    1. If that still does not solve the problem and you have Windows XP/2003, try setting the “Wireless Zero Configuration” service to Disabled.

    and

    2. If that still does not solve the problem, then try renaming the C:\Windows\System32\ZCfgSvc.exe file to ZCfgSvc.exe.old as ZCFGSVC is seemingly not necessary for the part of the ProSET utilities which enable you to connect to your wireless network.
     
  16. marcuri

    marcuri Registered Member

    Joined:
    May 12, 2005
    Posts:
    14
    thanks for the advice on how to get rid of it.

    I did have a trojan though, but that sample program made me believe I had it for longer than I really did... damn, that thing is a POS program.
     