problem: no firewall installable!

Discussion in 'adware, spyware & hijack cleaning' started by Fraha, Mar 23, 2004.

Thread Status:
Not open for further replies.
  1. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Hi all,

    This system keeps getting targeted and I cannot get it clean.
    TrojanHunter found another trojan and I cleaned it.
    But it keeps coming back!

    Here's the HT log again....

    Logfile of HijackThis v1.97.7
    Scan saved at 21:48:05, on 23-3-2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SYSTEM32\DNTUS26.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\tjspec.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Mixer.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\PROGRA~1\MAILWA~2\MAILWA~1.EXE
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\United Devices\UD.EXE
    C:\Program Files\United Devices\ud_1396140.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\United Devices\ud_1396140_0.dir\ud_ligfit_Release.exe
    C:\Program Files\TrojanHunter 3.8\TrojanHunter.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~2\MAILWA~1.EXE
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37414.4596990741
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E91EA01-BECD-42CA-BECC-B12372063911}: NameServer = 194.109.104.104 194.109.6.66
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2E91EA01-BECD-42CA-BECC-B12372063911}: NameServer = 194.109.104.104 194.109.6.66

    Also, it is not possible to install Norman firewall or McAfee firewall anymore.
    When installed, all internet traffic is terminated.
    Any help is greatly appreciated

    Regards

    Frans
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Frans,

    Under what name did TrojanHunter flag this trojan?

    regards.

    paul
     
  3. Fraha

    Fraha Registered Member

    Hi Paul,

    I'm sorry, but I could not find a logfile save option in the program, and I'm rescanning now.

    I think it was something like win11 or winnt but I cannot find it anymore in the trojan list.
    I'm going to reboot now, so perhaps the trojan is back then!

    Good idea?

    Frans
     
  4. Paul Wilders

    Paul Wilders Administrator

    Frans,

    Since you are in the middle of a rescan, no options left ;)

    Feel free to post a screen shot from the scan result if necessary.

    regards,

    paul
     
  5. Fraha

    Fraha Registered Member

    Paul,

    latest scan gives only suspicious files:

    Found possible trojan file: C:\Documents and Settings\Ester van der Meer\Local Settings\Temp\WZZM54AD\Zooi.zip/syscfgx32.exe (Possible trojan downloader, SDBot)
    C:\pagefile.sys Not scanned (in use by another application)
    Found possible trojan file: C:\WINNT\system32\bgdw.exe (Suspicious: ASPack-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\bgkdw.exe (Suspicious: ASPack-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\bgrwot.exe (SDBot)
    Found possible trojan file: C:\WINNT\system32\bins.exe (Suspicious: UPX-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\cvfqzswz.exe (Suspicious: UPX-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\dfbfd.exe (Suspicious: ASPack-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\dnqbx.exe (Suspicious: UPX-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\efqsd.exe (Suspicious: UPX-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\fasz.exe (Suspicious: UPX-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\feqot.exe (Suspicious: ASPack-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\fot.exe (Suspicious: ASPack-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\ftr.exe (Suspicious: ASPack-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\fyycqe.exe (Suspicious: ASPack-packed file in Windows System folder)
    Warning: Unable to unpack UPX-packed file C:\WINNT\system32\lasaa.exe
    Found possible trojan file: C:\WINNT\system32\lasaa.exe (Suspicious: UPX-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\msmonk32.exe (SDBot)
    Found possible trojan file: C:\WINNT\system32\msnsrv.exe (Suspicious: ASPack-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\qevex.exe (Suspicious: UPX-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\qmanx.exe (Suspicious: UPX-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\rase.exe (SDBot)
    Found possible trojan file: C:\WINNT\system32\reg.exe (Suspicious: UPX-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\sdks.exe (Suspicious: ASPack-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\sdz.exe (Suspicious: UPX-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\sfq.exe (Suspicious: UPX-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\sks.exe (Suspicious: ASPack-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\syscfgx32.exe (Possible trojan downloader, SDBot, Suspicious: ASPack-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\tjspec.exe (Suspicious: UPX-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\vdars.exe (Suspicious: ASPack-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\wuamgrd.exe (Suspicious: UPX-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\xss.exe (Suspicious: ASPack-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\xvsnx.exe (Suspicious: UPX-packed file in Windows System folder)
    Found possible trojan file: C:\WINNT\system32\zss.exe (Suspicious: ASPack-packed file in Windows System folder)
    Error: Directory not found: D:\
    Error: Directory not found: E:\
    32 possible trojan files found
     
  6. Fraha

    Fraha Registered Member

    Paul, FYI

    the last entry, ZSS.EXE, has been sent to the address I found in the TrojanHunter program for analysis...

    Would you like a copy?

    Frans
     
  7. Paul Wilders

    Paul Wilders Administrator

    Frans,

    "Possible trojan files" are the result of either a) the fact that TrojanHunter is limited as for packers (ASPack and UPX are examples), and for that reason those are flagged as they are, or b) possibly heuristics. Is this the same result you got the first time?

    Anyway, it seems like we'll have to rely on your HJT result. No offense intended, but I'll leave that one up to our dedicated, knowledgeable specialists ;)

    regards.

    paul
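    The packer heuristic Paul describes, as an added example that is not code from the thread or from TrojanHunter: it reads the section table of a PE file, reports UPX or ASPack from the section names those packers leave behind (UPX0/UPX1, .aspack/.adata), and applies the same "packed file in the Windows System folder" rule the report above uses. The build_fake_pe() helper, the SYSTEM_DIRS roots and the file names used in the demo are assumptions constructed for the example so that it runs offline.

```python
"""Packer heuristic of the kind TrojanHunter applies to files in the System folder.

Added example, not code from the thread or from TrojanHunter. Section names
are read from the PE/COFF section table; build_fake_pe() constructs a
header-only PE32 image so the example runs without real binaries.
"""
import struct

UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}
ASPACK_SECTIONS = {b".aspack", b".adata"}
SYSTEM_DIRS = (r"c:\winnt\system32", r"c:\windows\system32")  # assumed roots


def pe_section_names(data):
    """Section names of a PE image, or None if the bytes are not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsections):
        off = table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(data):
            break  # truncated image: report what could be read
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def packer_hint(data):
    """'UPX', 'ASPack' or None, based purely on section names."""
    names = pe_section_names(data)
    if names is None:
        return None
    present = set(names)
    if present & UPX_SECTIONS:
        return "UPX"
    if present & ASPACK_SECTIONS:
        return "ASPack"
    return None


def assess(path, data):
    """Same wording as the report: a packed file is only flagged inside the System folder."""
    packer = packer_hint(data)
    if packer and path.lower().startswith(SYSTEM_DIRS):
        return "Suspicious: %s-packed file in Windows System folder" % packer
    return None


def build_fake_pe(section_names):
    """Constructed header-only PE32 image with the given section names (test input)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    sections = b"".join(n.ljust(8, b"\0")[:8] + b"\0" * 32 for n in section_names)
    return dos_header + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    # Constructed images; the paths are borrowed from the logs above for illustration only.
    for path, image in [
        (r"C:\WINNT\system32\bins.exe", build_fake_pe([b"UPX0", b"UPX1", b".rsrc"])),
        (r"C:\WINNT\system32\zss.exe", build_fake_pe([b".text", b".aspack", b".adata"])),
        (r"C:\Program Files\Winamp\Winampa.exe", build_fake_pe([b"UPX0", b"UPX1"])),
    ]:
        print(path, "->", assess(path, image))
```

    Packed is not the same as malicious: plenty of legitimate software ships UPX-packed, which is why the rule only fires inside the System folder, and a packed file carrying the name of a normal Windows binary (reg.exe in the report above) deserves a hash comparison against a known-good copy rather than a guess either way.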
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    I can't find anything wrong in it.

    Regards,

    Pieter
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Now none of these are running according to the HJT log, except dntus26.exe and this unknown one, C:\WINNT\system32\tjspec.exe, but all are still on the computer in a dormant state, and obviously something has removed their startup entries.

    from the HJT log:

    This one can be used as a downloader, though in itself it's innocent, and as I can't see any other DameWare programs on the computer I would suspect a hack:
    C:\WINNT\SYSTEM32\DNTUS26.EXE
    http://www.net-integration.net/zeroscripts/dntus26.html

    From the report:
    C:\WINNT\system32\wuamgrd.exe is a version of Agobot


    C:\Documents and Settings\Ester van der Meer\Local Settings\Temp\WZZM54AD\Zooi.zip/syscfgx32.exe is a known backdoor SDBot file

    C:\WINNT\system32\msnsrv.exe is a known SDBot file

    I would definitely get a second opinion with another trojan remover.

    Either do online scans from

    Run an online antivirus check from at least one, and preferably two, of the following sites:
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www3.ca.com/virusinfo/
    http://www.anti-trojan.net/en/onlinecheck.aspx

    or, in fact, as well as that,

    try TDS. I would strongly recommend downloading and running a specialised anti-trojan.

    The anti-trojan that I use for dealing with them is

    TDS3 from http://tds.diamondcs.com.au/

    Download & install the 30-day free trial, and update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto-update enabled.

    Then press Scan Control & tick all the little boxes in the bottom part of that window, press Save Configuration and then close that window by pressing the red X in the top right corner; then select System Testing and select Full System Scan.

    Sit back with a cup of coffee and watch what it finds.

    NOTE:

    Unlike set-and-forget AVs, TDS works with you: it doesn't auto-delete anything but puts a list of found suspect files in the bottom window.

    Right-click any file it finds and it gives you options on dealing with it; the normal selection would be Delete, but first select "Save as text", which will create a logfile of all the found suspect files and put it in the TDS directory, called scandump.txt.

    Post back with the TDS log after running, please; just copy & paste the entries from scandump.txt.

    You can post a TDS scandump log to the TDS forum, where experts in its use will advise you.
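    The cross-check dvk01 does by eye above (which of the flagged files are actually running or have a startup entry, which are merely dormant on disk, and which running processes under WINNT have no visible startup entry), as an added example that is not code from the thread or from either tool. It assumes HijackThis 1.97-style output, matches on lowercased file name only, and uses an assumed baseline of Windows 2000 processes that start without a Run entry; the two log excerpts are constructed from the logs posted in the thread.

```python
"""Cross-reference a TrojanHunter report with a HijackThis log.

Added example, not code from the thread or from either tool. For each file
the report flags it says whether the file is running, registered to autostart
(an O4 entry) or merely dormant on disk, and it lists running processes under
the Windows directory that no O4 entry explains. Matching is by lowercased
file name only (an assumption; a full path or hash comparison is stronger).
"""
import re

# Constructed excerpts of the two logs posted in the thread.
HJT_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\system32\tjspec.exe
C:\WINNT\Mixer.exe
C:\Program Files\TrojanHunter 3.8\TrojanHunter.exe

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
"""

TH_REPORT = r"""
Found possible trojan file: C:\Documents and Settings\Ester van der Meer\Local Settings\Temp\WZZM54AD\Zooi.zip/syscfgx32.exe (Possible trojan downloader, SDBot)
Found possible trojan file: C:\WINNT\system32\bgrwot.exe (SDBot)
Warning: Unable to unpack UPX-packed file C:\WINNT\system32\lasaa.exe
Found possible trojan file: C:\WINNT\system32\lasaa.exe (Suspicious: UPX-packed file in Windows System folder)
Found possible trojan file: C:\WINNT\system32\tjspec.exe (Suspicious: UPX-packed file in Windows System folder)
Found possible trojan file: C:\WINNT\system32\wuamgrd.exe (Suspicious: UPX-packed file in Windows System folder)
"""

FOUND_RE = re.compile(r"^Found possible trojan file: (?P<path>.+?) \((?P<reason>.+)\)$")
O4_RE = re.compile(r"^O4 - [^:]+: (?:\[[^\]]*\] )?(?P<cmd>.+)$")
BINARY_RE = re.compile(r"[\w~.\-]+\.(?:exe|dll|com|scr|bat|pif)", re.I)

# Assumed baseline: Windows 2000 processes that start without any Run entry.
CORE_WIN2K = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}


def basename(path):
    """Lowercased file name; handles the zip-member form Zooi.zip/syscfgx32.exe too."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def parse_hjt(log):
    """Return (running process paths, set of binary names referenced by O4 entries)."""
    running, autostart = [], set()
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
        elif in_procs and line:
            running.append(line)
        elif in_procs:
            in_procs = False  # blank line ends the process list
        else:
            m = O4_RE.match(line)
            if m:
                autostart.update(t.lower() for t in BINARY_RE.findall(m.group("cmd")))
    return running, autostart


def parse_trojanhunter(report):
    """(path, reason) for every 'Found possible trojan file' line; warnings are skipped."""
    return [(m.group("path"), m.group("reason"))
            for m in (FOUND_RE.match(raw.strip()) for raw in report.splitlines()) if m]


def triage(hjt_log, th_report):
    """Map each flagged file name to (status, reason); status is running, autostart or dormant."""
    running, autostart = parse_hjt(hjt_log)
    running_names = {basename(p) for p in running}
    result = {}
    for path, reason in parse_trojanhunter(th_report):
        name = basename(path)
        if name in running_names:
            status = "running"
        elif name in autostart:
            status = "autostart"
        else:
            status = "dormant"
        result[name] = (status, reason)
    return result


def unexplained_system_processes(hjt_log, windir="c:\\winnt\\"):
    """Running processes under the Windows directory with no O4 entry and not in the baseline."""
    running, autostart = parse_hjt(hjt_log)
    return [basename(p) for p in running
            if p.lower().startswith(windir)
            and basename(p) not in CORE_WIN2K
            and basename(p) not in autostart]


if __name__ == "__main__":
    for name, (status, reason) in triage(HJT_LOG, TH_REPORT).items():
        print("%-14s %-9s %s" % (name, status, reason))
    print("running under WINNT with no startup entry:", unexplained_system_processes(HJT_LOG))
```

    On the constructed excerpt this reproduces the observation above: tjspec.exe is the only flagged file that is live, the rest are dormant, and dntus26.exe and tjspec.exe are the two WINNT processes with no Run or Startup entry to account for them, which is exactly the gap a service, a hidden loader or a manual start would leave.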
     