problem: no firewall installable!

Fraha · Mar 23, 2004

Hi all,

This system keeps getting targetted and I cannot get it clean.
TrojanHunter found another trojan and i cleaned it.
But it keeps coming back!

Here's the HT log again....

Logfile of HijackThis v1.97.7
Scan saved at 21:48:05, on 23-3-2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\tjspec.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Mixer.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\MAILWA~2\MAILWA~1.EXE
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\United Devices\UD.EXE
C:\Program Files\United Devices\ud_1396140.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\United Devices\ud_1396140_0.dir\ud_ligfit_Release.exe
C:\Program Files\TrojanHunter 3.8\TrojanHunter.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~2\MAILWA~1.EXE
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37414.4596990741
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E91EA01-BECD-42CA-BECC-B12372063911}: NameServer = 194.109.104.104 194.109.6.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E91EA01-BECD-42CA-BECC-B12372063911}: NameServer = 194.109.104.104 194.109.6.66

Also, it is not possible to install Norman firewall or MCafee firewall anymore.
When installed all internet traffic is terminated.
Any help is greatly appreciated

Regards

Frans

Paul Wilders · Mar 23, 2004

Frans,

Under what name did TrojanHunter flag this trojan?

regards.

paul

Fraha · Mar 23, 2004

Hi Paul,

I'm sorry but i could not find a logfile save option in the program and I'm rescanning now.

I think it was something like win11 or winnt but I cannot find it anymore in the trojanlist.
I'm going to boot now so perhaps the trojan is back then!

Good idea?

Frans

Paul Wilders · Mar 23, 2004

Frans,

Since you are in the middle of a rescan; no options left

Feel free to post a screen shot from the scan result if necessary.

regards,

paul

Fraha · Mar 23, 2004

Paul,

latest scan gives only suspicious files:

Found possible trojan file: C:\Documents and Settings\Ester van der Meer\Local Settings\Temp\WZZM54AD\Zooi.zip/syscfgx32.exe (Possible trojan downloader, SDBot)    (What's a possible trojan file?)
C:\pagefile.sys Not scanned (in use by another application)
Found possible trojan file: C:\WINNT\system32\bgdw.exe (Suspicious: ASPack-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\bgkdw.exe (Suspicious: ASPack-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\bgrwot.exe (SDBot)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\bins.exe (Suspicious: UPX-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\cvfqzswz.exe (Suspicious: UPX-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\dfbfd.exe (Suspicious: ASPack-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\dnqbx.exe (Suspicious: UPX-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\efqsd.exe (Suspicious: UPX-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\fasz.exe (Suspicious: UPX-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\feqot.exe (Suspicious: ASPack-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\fot.exe (Suspicious: ASPack-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\ftr.exe (Suspicious: ASPack-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\fyycqe.exe (Suspicious: ASPack-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Warning: Unable to unpack UPX-packed file C:\WINNT\system32\lasaa.exe    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\lasaa.exe (Suspicious: UPX-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\msmonk32.exe (SDBot)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\msnsrv.exe (Suspicious: ASPack-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\qevex.exe (Suspicious: UPX-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\qmanx.exe (Suspicious: UPX-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\rase.exe (SDBot)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\reg.exe (Suspicious: UPX-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\sdks.exe (Suspicious: ASPack-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\sdz.exe (Suspicious: UPX-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\sfq.exe (Suspicious: UPX-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\sks.exe (Suspicious: ASPack-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\syscfgx32.exe (Possible trojan downloader, SDBot, Suspicious: ASPack-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\tjspec.exe (Suspicious: UPX-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\vdars.exe (Suspicious: ASPack-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\wuamgrd.exe (Suspicious: UPX-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\xss.exe (Suspicious: ASPack-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\xvsnx.exe (Suspicious: UPX-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\zss.exe (Suspicious: ASPack-packed file in Windows System folder)    (What's a possible trojan file?)    (Submit for analysis...)    (Add to ignore list)
Error: Directory not found: D:\
Error: Directory not found: E:\
32 possible trojan files found

Fraha · Mar 23, 2004

Paul, FYI

the last entry, ZSS.EXE has been send to the address I found in the TrojanHunter program for analysis...

Would you like a copy?

Frans

Paul Wilders · Mar 23, 2004

Frans,

"possible trojan files" are a result from either a) the fact TrojanHunter is limited as for packagers; AsPack, UPX are examples. For that reason, those are flagged as they are b) possibly heuristics. Is this the same result you've got the first time?

Anyway, it seems like we'll have to rely on your HJT result. No offense intended, but I'll leave that one up to our dedicated, knowledgeable specialists

regards.

paul

Pieter_Arntz · Mar 24, 2004

quoting: Paul Wilders link=board=17;threadid=25520;start=0#msg148687 date=1080078222]
Anyway, it seems like we'll have to rely on your HJT result.
Click to expand...

I can't find anything wrong in it.

Regards,

Pieter

dvk01 · Mar 24, 2004

Now none of these are running according to the HJT log,except the dntus26.exe and this one which is unknownC:\WINNT\system32\tjspec.exefile but all are still in the computer in a dormant state and obviously something has removed their start up entries.

from the HJT log:

this one can be used as a downloader though in itself it's innocent and asd I can't see any other dameware programs on the computer i would suspect a hack
C:\WINNT\SYSTEM32\DNTUS26.EXE
http://www.net-integration.net/zeroscripts/dntus26.html

from th report
C:\WINNT\system32\wuamgrd.exe is a version of agobot

C:\Documents and Settings\Ester van der Meer\Local Settings\Temp\WZZM54AD\Zooi.zip/syscfgx32.exe is a backdoor sdbot known file

C:\WINNT\system32\msnsrv.exe is a know sdbot file

I would definitely get a second opinion with another trojan remover

either do online scans from

Run an online antivirus check from at least one and preferably 2 of the following sites
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/
http://www3.ca.com/virusinfo/
http://www.anti-trojan.net/en/onlinecheck.aspx

or in fact as well as

try TDS I would strongly recommend downloading and running a specialised anti trojan

the antitrojan that I use for dealing with them is

TDS3 from http://tds.diamondcs.com.au/

download & install the 30 day free trial, update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto update enabled

then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in top right corner, then select system testing and select full system scan

sit back with a cup of coffee and watch what it finds

NOTE:

Unlike set and forget av's TDS works with you, it doesn't auto delete anything but puts a list of found suspect files in the bottom window

right click any file it finds and it gives you options on dealing with it, the normal selection would be delete , but first select "save as text", that will create a logfile of all the found suspect files and put it in the TDS directory called scandump.txt.

post back with the tds log after running please, just copy & paste the entries from the scandump.txt

you can post a tDS scandump log to the tds forum, where experts in it's use will advise you

Log in or Sign up

problem: no firewall installable!

Fraha Registered Member

Paul Wilders Administrator

Fraha Registered Member

Paul Wilders Administrator

Fraha Registered Member

Fraha Registered Member

Paul Wilders Administrator

Pieter_Arntz Spyware Veteran

dvk01 Global Moderator

Log in or Sign up

problem: no firewall installable!

Fraha Registered Member

Paul Wilders Administrator

Fraha Registered Member

Paul Wilders Administrator

Fraha Registered Member

Fraha Registered Member

Paul Wilders Administrator

Pieter_Arntz Spyware Veteran

dvk01 Global Moderator

Useful Searches