Imon deactivated.

Discussion in 'NOD32 version 2 Forum' started by couldbe, Sep 17, 2004.

Thread Status:
Not open for further replies.
  1. couldbe

    couldbe Registered Member

    Joined:
    Dec 22, 2003
    Posts:
    34
    Hi again.
    I have a persistant hacker problem. I'm at my wits end trying to exclude it from my computer.
    Frequently of late it is able to turn imon off and I get more than one netsky email when it succeeds otherwise i get one netsky each night.
    I don't seem to be able to keep it out so iam wondering ...is there something i can do to shift or hide my password or protect it some how.

    I take it that i have been keylogged but i have tried so many things to stop it that i have decided to start a fresh small drive and restore it from an image somewhere else. this will be a nuisance. has anybody got any other ideas. I run ME and i pass the stealth tests at grc and pcflank
    have spybot running to protect settings. usually scans clean now.
    Spyware blaster has been run.

    Nod32 scans clean. as do other online av scans.

    have forwarded recent downloader files to samples for inclusion. :'( *puppy* o_O :blink:

    Thanks for any interest in advance

    Couldbe
     
  2. couldbe

    couldbe Registered Member

    Joined:
    Dec 22, 2003
    Posts:
    34
    oops have Sygate Personal Firewall Pro running

    Couldbe :rolleyes: :oops:
     
  3. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
  4. bsilva

    bsilva Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    238
    Location:
    MA, USA
    It could be that someone has your email and if infected with netsky. So it may not be that your hacked.
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Just to be sure your system is clean, can you please follow the instructions found in post number 2 here

    Let us know how you go...

    Cheers :D
     
  6. couldbe

    couldbe Registered Member

    Joined:
    Dec 22, 2003
    Posts:
    34
    Hi and Thanks,

    I downloaded TDS-3, installed it and the updated database.

    found NetSky d twice at

    c:\windows\temporary internet files\content,ie5\ax47yda5\your_details.vpif and at ditto .v00pif

    while i deleted the two messages last night they were in my outlook express deleted folder. Nod32 located the messades so i deleted them altogether. than ran nod32. It did not locate the two files mentioned above.

    Are files in content.ie5 active or are they waiting to be executed. I have zipped both files but have not removed them at this stage,.. help!!! o_O

    again thanks for your interest

    Couldbe :mad:
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Did you try what I suggested in post number 5 of this thread?

    When you run a scan with Nod32 in SAFE MODE, does it come up clean?

    Cheers :D
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you use Outlook Express 5, please download & install OE 6 SP1 which has the IFRAME exploit and other bugs fixed. Also, start Windows in Safe mode, run the on-demand scanner, select the runtime packers, advanced heuristics and potentially dangerous applications options, click the Extensions button and select all files to scan. Finally, click the Clean button. If a virus is found and cannot be cleaned (coz it contains only of the viral code), choose to delete it when prompted for an action.
     
  9. couldbe

    couldbe Registered Member

    Joined:
    Dec 22, 2003
    Posts:
    34
    Hi Blackspear marcos et al
    I've done the safemode bit and nod found a klez in unopened mail (this mornings) so i deleted it and emptied deleted folder then ran nod again and it found nothing.
    I've installed ZA and it detected Sygate, messenger, outlook express, and ie.
    Sygate detected ZA.
    Ewido appears to be for nt systems onlyo_O??did i get it wrong somehow?
    ZA reported an extrordinary number of attempts on ports 135 445 and 4662 with others interspersed. Sygate pro should have had all ports stealthed and i frequently tried full and random and also selected port probes with grc which reported every port i tested stealthed.

    blackspear.. was following your post and stopped at ewidoo_O??

    mmmmm port probes have abated....

    couldbe
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Couldbe, forget Ewido it was Developed for Windows 2000 and XP, and keep going, this process should fairly well confirm that your system is clean...

    Let us know how you go...

    Cheers :D
     
  11. couldbe

    couldbe Registered Member

    Joined:
    Dec 22, 2003
    Posts:
    34
    Marcos
    have ie 6 serv 1and it's oe
     
  12. couldbe

    couldbe Registered Member

    Joined:
    Dec 22, 2003
    Posts:
    34
    hi
    All scans now saying clean.
    had to delete esset folder then let uninstall fix its list (becoming a habit)
    I've been able access net with messenger but not IE OE and had to fix dial up adapter. ZA true vector, imon and Sygate failed to load until adapter removed and replaced.
    will post hijack this log and see what transpires.
    Thanks everyone
    This || far from finding a baseball bat.
    Couldbe
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you also send that HJT log to support@nod32.com with a link to this post.

    Eventually we'll get you sorted out...

    Cheers :D
     
  14. couldbe

    couldbe Registered Member

    Joined:
    Dec 22, 2003
    Posts:
    34
    Blackspear
    thanks for everything and i will do that as well
    again thanks
    much appreciated
    Couldbe
     
  15. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    My pleasure, please keep us in the loop as to your progress...

    Cheers :D
     
  16. couldbe

    couldbe Registered Member

    Joined:
    Dec 22, 2003
    Posts:
    34
    hi everyone,
    Thanks for all the help.
    I've haven't had any trouble at all fingers crossed since i posted here.

    best of all my nightly infected email has stopped coming :D

    interestingly after i posted on another security forum that there was a continual data stream from my daughter's computer and that i was going to run tds3 on it yesterday, when i got here the stream had already stopped.. the power of suggestion...

    anyway thanks and appreciation to all
    couldbe
     
  17. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Glad to see your system is back to normal and now I think it is time to ask why NOD missed Netsky.D in the first place? It has been in the definitions since 3/1/04(1642) and was supposedly picked up with AH as soon as it was released. what gives? Did you have NOD setup as Blackspear's sticky suggests? If not what settings did you use? NOD should have caught this a long time ago.
     
  18. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Good to see that you had a result, now that your system is clean you may want to take a look here for further discussion on security and how to make your system that much stronger, and here for more discussions.


    Hope this helps…

    Let us know how you go…

    Cheers :D
     
  19. couldbe

    couldbe Registered Member

    Joined:
    Dec 22, 2003
    Posts:
    34
    hi flyrfan blackspear
    before i started to try harder to get to the bottom of all this i discovered there were 3 trojan downloaders on my system. I had already forwarded them to eset.
    frequently i would be online through my service provider but unable to browse.
    i'd have to delete and reinstall the dialup network adapter to be able to browse again. later i would find imon deactivated.
    it was a while before i realised that imon and features of firewalls deactivated because of whatever happened associated with the failure of dialup adapter.

    yes imon had been alerting me to infected mail for quite some time. I had had over 20 alerts per night at one time.after then i recieved one per night. on the nights i discovered imon deactivated before collecting mail i would get two or three infected mail.
    often i would suddenly realise that there was strange mail in my inbox and check and find imon deactivated.
    it's been a long learning curve.
    i cant think why nod did not find those files. I don't think netsky was active on my computer because amon would have found it. olso i ran many online scans from house call and rav as well as nod. I don't think they could have been there long.

    I've forgotten the settings i was using but there were only 1 perhaps 2 options not checked

    the online scans often detected the renamed filed in my deleted box as i would forget to delete the deleted

    Also nod would detect some problem files being loaded to my comp from some download sites. if i deleted them then i could not download so I renamed them and quarantined them to allow the downloads.

    thanks black spear i will look into those links too

    couldbe
     
  20. couldbe

    couldbe Registered Member

    Joined:
    Dec 22, 2003
    Posts:
    34
    by the way

    Using Ad aware and spybot together.

    did anyone work out that spybot detects an alexa related registery item..
    spybot fixes the problem by loading a false but safe alexa registery entry.

    along comes ad aware. finds an alexa related entry and then deletes it if you check it.

    along comes windows hey my alexa entry is missing.. damn... and puts it back so that you can restart the cycle again.....

    don't fix the registery entry with ad aware just with spybot......

    couldbe
     
  21. couldbe

    couldbe Registered Member

    Joined:
    Dec 22, 2003
    Posts:
    34
    hi everyone
    again thanks for your help.
    Today i disvovered a folder C:quarrantine.
    in it i found the two files
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\S4TSR.EXE
    the two files have been removed from their paths and renamed.
    I noticed the S4TSR file listed on a lot of hijac logs and it seems that it is not required. perhaps they were linked to my troubles. they are two of the files requested by Esset
    couldbe
     
  22. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    Are you using Zone Alarm and Sygate both in active mode? Most people recommend not using two firewalls at the same time so as not to cause conflict. It might be better to use either ZA or Sygate, but not both.
    If you cannot run ewido, you can run A² Squared, which is quite a good anti-tojan, malware scanner. It workss with Win9x. To download the free version go here:

    http://www.emsisoft.com/en/software/download/

    I hope this helps.
     
  23. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Be careful in regards to Quarantine, Nod32 does NOT isolate the file, as in the meaning of the word Quarantine, Nod32 only "copies" the file into an encrypted format so it can be further analyzed by Eset should they request it.


    Thanks for keeping us in the loop, it is appreciated, as we all learn this way :D

    You may not be aware but there is a tutorial on tweaking up Nod32 here: https://www.wilderssecurity.com/showthread.php?t=37509

    Hope this helps...

    Cheers :D
     
  24. couldbe

    couldbe Registered Member

    Joined:
    Dec 22, 2003
    Posts:
    34
Thread Status:
Not open for further replies.