i need to post a message _I HAVE A TROJAN HELP!!!! LOL

Discussion in 'malware problems & news' started by beeza, Oct 15, 2002.

Thread Status:
Not open for further replies.
  1. beeza

    beeza Registered Member

    Joined:
    Oct 14, 2002
    Posts:
    8
    Location:
    online
    tried posting ... I cant ... I am but a lowly newbi ... LOL

    beeza
     
  2. beeza

    beeza Registered Member

    Joined:
    Oct 14, 2002
    Posts:
    8
    Location:
    online
    Great ... this posting worked ... murphy is playing tricks on me ... rofl ... and now i am repling to myself ... tis a sad sad day :'(
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi beeza,

    Are you really having a problem or are you just testing posting? If you are having a problem with an actual Trojan, can you post information regarding it in this forum:

    http://www.wilderssecurity.com/index.php?board=30

    Best Wishes,
    LowWaterMark

    Note: Already moved over from Test Forum - LWM"
     
  4. beeza

    beeza Registered Member

    Joined:
    Oct 14, 2002
    Posts:
    8
    Location:
    online
    i really do have a trojan.

    IRC/Backdoor.Flood and IRC-Worm/Momma and i cant seem to sort it out ... I ran AVG and it "healed" two of the components but I have 4 left. All I know is it is a denial of service attacker (using me as the attacker) and I ran Agnitum's Tauscan but it did not see it. I need some input as to how to get rid of it. Please

    beeza
     
  5. beeza

    beeza Registered Member

    Joined:
    Oct 14, 2002
    Posts:
    8
    Location:
    online
    HI,

    here is some more information about my problem...

    Norton AV caught the trojan, but could not repair or quaretine it. The file location did not exist when I did a search for it. So I ran AVG. It was able to 'heal' 2 out of the 6 files it found.

    I ran a search for those files but couldn't find them ... SO ....
    I did a google search and came up empty handed.

    I ran Agnitums Tauscan it didn't even see the trojan!

    I can't run anti trojan 5.5 ... I used up my free trial time from the last trojan I had (backdoor.dll) No need to tell me I know I am not doing something right ... LOL

    My question is how do I delete those files?

    Also ... I never use mIRC but I have trillian ... is there some way to exploit trillian that I am not aware of?

    Any help would be appreciated,

    Beeza
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    What happens when you run AVG again? Does it still identify any infected files as remaining on the system? Have you looked in the AVG Virus Vault to see if AVG moved the bad files there (that could be the reason why you can not find them)?

    Did AVG give you all the file names involved? Can you post the names here? The ones it couldn't fix could very well have been locked because they were running on your system when AVG tried to clean them.

    What version of Windows are you running? Have you checked for strange things running in memory (by looking at the task list by doing a Ctrl-Alt-Del)?

    You may be able to find them some of them by going to: Start (menu) > "Run..." > msconfig > Startup (tab). If any of the items in there are the same as those files found by AVG, you can un-check them and reboot, which may prevent them from running and give you a better chance to kill them off.
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi beeza,

    Could you be more specific? Your are talking about to infections: has one been cleaned totally, and if so, which one?

    In case of the momma worm: you can clean your system mannualy, using this description/manual:

    www.f-secure.com/v-descs/fagled.shtml

    Backdoor.Flood should be easily cleaned, using NAV. Perform a google search, and follow instructions.

    What O/S is installed, and which firewall (if any)?

    Finally, you might give Panda's free online scanner/cleaner a try. You'll find it on our free services page:

    www.wilders.org/free_services.htm

    Keep us posted.

    regards.

    paul
     
  8. beeza

    beeza Registered Member

    Joined:
    Oct 14, 2002
    Posts:
    8
    Location:
    online
    Hi,

    Here are the answers to your questions.

    I ran AVG twice. The first time it found six files. The second time it found four ... still infected. I ran AVG this morning with LAN off and modem unplugged. Still have four infected files.

    In Task Manager I did find something suspicious .... Wexplorer.exe. I have never seen this before (the last time I had a trojan, it ran as wool.exe, thought you would be curious as to how I knew Wexplorer.exe was not supposed to be there ... cause I did a search on all processes and what they were for).

    I run Windows 2000 Pro as my OS with NTFS instead of fat32.

    I have the file names:

    C:\WINNT\TEMP\LCUDK.EXE:\set.exe

    C:\WINNT\TEMP\LCUDK.EXE:\wexplorer.exe

    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\CONTENT.IE5\8LG0QJCS\games3(1).exe:\wexplorer.exe

    C:\Documents and Stteings\ Default User\Local Settings\Temporary Internet Files\CONTENT.IE5\8LG0QJCS\games3(1).exe:\set.exe

    This morning I search for the files again and voila there they were! My question become this ... these four files are now in the recycling bin the "LCUDK.EXE" I am being told is a system folder. Any potential problem by deleting it? Also once I empty the recyling bin is it truly gone?

    Thanks for all the help,

    Beeza
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Since all the infected files were in temporary folder locations, that's a good sign that they can be deleted without a bad impact. Same with the "LCUDK.EXE:" folder - it may have been flagged by the trojan as a system folder, but it's in the C:\WINNT\TEMP\ directory, so it can be safely deleted.

    I'd empty the recycle bin and then run a new full scan with AVG. After that, I'd go through the Panda online scanner that Paul referenced above. (It's a very good scanning tool.)

    The results of these scans will help confirm that its all cleaned up.

    If you haven't checked msconfig yet, check that for Startup links to any of these bad programs. If they're in there, but you've deleted the files, you may see some warning messages about not being able to find them at bootup.

    It's great you were able to get them to the Recycle Bin. You appear to have gotten a head of this one. :)

    Best Wishes,
    LowWaterMark
     
  10. beeza

    beeza Registered Member

    Joined:
    Oct 14, 2002
    Posts:
    8
    Location:
    online
    HI,

    Well .... I got rid of two of the files. Still have two ... sigh

    I dont know what I am doing wrong but I cant do a search for C:\Documents and Settings\Default User .... I am frustrated and annoyed!!!!!! I get a alert telling me the syntax is wrong .... (I am currently banging my head on the table in frustration).

    I am going to try Panda and PCCillian and will aprise you of the results.

    Thanks for all the help,

    Beeza
     
  11. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Hi,

    If no joy, please do this:

    Go to http://www.spywareinfoforum.com/downloads.html , and download 'Startuplist' (in the "Startup Program Management" section).

    Unpack, doubleclick it, and it will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

    Go to Edit > select all, copy it and please post the contents here.

    That will gives us some insight on what's happening on your machine.
     
  12. beeza

    beeza Registered Member

    Joined:
    Oct 14, 2002
    Posts:
    8
    Location:
    online
    Hi,

    First off ran panda scanner ... tried several times and I kept getting a Windows Service Pack installtion window. So couldn't do the scan. I tried PCCillin ... it didn't find anything.

    As a side note ... the file path that Norton gave me was C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tnpE\tmp.ini and another program (brain feezed I cant think of the name now... LOL) gave the file path as WINNT\n0tepad.exe !!! ... I did a search for both ... came up with nada ...

    Here is the start up list that you requested:

    StartupList report, 16-Oct-02, 5:53:25 PM
    StartupList version: 1.34.0
    Started from : C:\Documents and Settings\Administrator\Local Settings\Temp\StartupList.EXE
    Detected: Windows 2000 (WinNT 5.00.2195)
    Detected: Internet Explorer v5.00 (5.00.2920.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\CTSvcCDA.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\WINNT\loadqm.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Trillian\trillian.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Synchronization Manager = mobsync.exe /logon
    HorngTech4D = C:\PROGRA~1\MOUSES~1\bally4d.exe
    NewsUpd = C:\Program Files\Creative\News\NewsUpd.EXE /q

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINNT\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINNT\Explorer\Explorer.exe: not present
    C:\WINNT\System\Explorer.exe: not present
    C:\WINNT\System32\Explorer.exe: not present
    C:\WINNT\Command\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

    --------------------------------------------------

    Enumerating Download Program Files:

    [sys Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\CONFLICT.1\PCPitStop.dll
    CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

    [{2B323CD9-50E3-11D3-9466-00A0C9700498}]
    CODEBASE = http://cs7.chat.sc5.yahoo.com/v43/yacscom.cab

    [YInstStarter Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\yinsthelper.dll
    CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

    [DiskHealth Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\diskhealth.dll
    CODEBASE = http://www.pcpitstop.com/pcpitstop/diskhealth.cab

    [HouseCall Control]
    InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2002082001/housecall.antivirus.com/housecall/xscan53.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
    CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

    [{BD11A280-2E73-11CF-B6CF-00AA00A74DAF}]
    CODEBASE = http://images.bonzi.com/freebuddy/wd/bbsetuplim.exe

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [NSUpdateLiteCtrl Class]
    InProcServer32 = C:\WINNT\System32\nsupdate.dll
    CODEBASE = http://204.177.92.201/quickdl/proclaim/NSupd9x.cab

    --------------------------------------------------
    End of report, 6,030 bytes
    Report generated in 1.853 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    Hope that helps ... I will try again to find those two pesky files.

    Thanks for all the help

    Beeza

    PS Bonzi Buddy was not my idea ... LOL ... it is gone now
     
  13. Gladiator

    Gladiator Guest

    You think you have 2 infected files or you know that you have 2 infected files for sure ?

    Sorry, but the startup list seems to be ok.
    Most of this is soundblaster creative specific stuff.

    Gladiator
     
  14. controler

    controler Guest

    First of all, what Norton doesn't repair it will Quarantine, UNLESS you have changed the default setting to not quarantine them. Second a plan start find will not find files in your content IE or Your hidden files.
    Why hasn't anybody recommended TDS-3 ? Third, doesn't anybody
    check their registry RUN keys manualy anymore?
    yes , it is nice to have a program like filechecker to verify important
    program files have not been changed but I am not sure Filechecker monitors registry keys, does it? All startup registry keys should always be monitored ;) Of course since all trojans only start on reboot, if you nerver have to reboot , your good to go LOL
     
  15. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    About the List, I can only agree with my learned colleagues.

    No virus or trojan activity to be seen at all.

    On a side note, I'd just uncheck NewsUpd in Msconfig/Startup, and remove the following two items from your Windows\Downloaded Program Files Folder:

    [{BD11A280-2E73-11CF-B6CF-00AA00A74DAF}]
    CODEBASE = htp://images.bonzi.com/freebuddy/wd/bbsetuplim.exe

    NSUpdateLiteCtrl Class]
    InProcServer32 = C:\WINNT\System32\nsupdate.dll
    CODEBASE = http://204.177.92.201/quickdl/proclaim/NSupd9x.cab

    BTW, you were referring to this file in your Temp directory.

    FYI, anything in < your drive>:\Documents and Settings\< user name>\Local Settings\Temp, can and should be nuked on a regular basis anyway, preferably after a reboot, when none of the files will likely be in use by Windows.

    Cheers,
     
  16. beeza

    beeza Registered Member

    Joined:
    Oct 14, 2002
    Posts:
    8
    Location:
    online
    HI,

    yes there is something there (i found the files and moved to the recyling bin - I got asked if I wanted to move system files to the new location - I freaked [still a newbi] and out them back !!!!! I am kicking myself for doing that in hindsight)... it isn't doing anything anymore ... thankfully. I appreciate ALL the help and advice I have been given. I just cant seem to get access to those two files. I will in time. or I will reformat :rolleyes:

    BTW - I could NOT run Panda's online scanner when I did so, Windows wanted to reinstall windows service pack. I tried several times to scan but no success (I got the same installation prompt) I agree about getting a anti trojan program ... and I will look into one asap.

    As to Norton ... I tried to quarentine it, but was unable to do so and I did not alter the program. I did a straight installation and left the program at default settings. When I had the other trojan Norton would not quarentine that one either!

    As to the registry .... I don't think I am capable - yet - of altering anything I would find there. But I like the suggestion I am just too wet behind the ears to do that just yet.

    Thanks for all your help and quick response to my queries, I really appreciate it.

    Beeza

    PS - one of things I noticed about this trojan which i found interesting was when I booted the computer a mIRC bar would show in the task bar for about 10 seconds - in the bar it said mIRC annex - it is now gone - i think when I got rid of the wexplorer.exe files that went with it, cause I dont see it anymore.

    thanks again
     
Loading...
Thread Status:
Not open for further replies.