TROJ_REVOP.A - Please Help with Hijack Log!

Discussion in 'adware, spyware & hijack cleaning' started by Yelraf, Apr 17, 2004.

Thread Status:
Not open for further replies.
  1. Yelraf

    Yelraf Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    7
    Hi, guys. My pc was recently bombarded with with spyware and ad executables after TRJO_REVOP.A managed to sneak through popup stoppers and Norton. It downloaded itself via a popup and flooded my computer with rubbish. Ad-aware appears to have cleaned up most of the garbage although something still tries to download ("Avenue A, Inc."), leading me to believe that one of the trojans processes is still on my pc. Here's what I'm currently using:

    - Stop-the-Pop-Up
    - Free Surfer mk II
    - SpywareBlaster
    - Bazooka
    - AVG 6.0
    - Spybot
    - Ad-aware

    Could you please help me out and check out the following Hijack log just to be sure I've rid my computer of any remnants? Thanks!!!

    Logfile of HijackThis v1.97.7
    Scan saved at 11:15:08 PM, on 4/17/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\VerizonDSL\IPInsight\ARUpld32.exe
    C:\Program Files\VerizonDSL\IPInsight\ARMon32a.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\system32\stisvc.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\Program Files\VerizonOnlineDSL\WinPoET\WrOS.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Free Surfer\fs20.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
    C:\Program Files\VerizonOnlineDSL\WinPoET\WinPPPoverEthernet.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\VerizonDSL\IPInsight\ARUpld32.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\Documents and Settings\David\Desktop\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\WINDOWS\WK\INTERN~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [WinPoET] C:\Program Files\VerizonOnlineDSL\WinPoET\WinPPPoverEthernet.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [RunDLL34] C:\WINDOWS\FONTS\font2\syscnfg.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmtrans.html
    O9 - Extra button: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.smartraveler.com/bos/camera.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://carpoint.msn.com/components/ocx/autopricer/autopricer.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tukati/1.7.20.20/tukati.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{430083C0-FC21-4CEE-A1C6-684B87093218}: NameServer = 151.203.0.85 151.203.0.84
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    before doing any of the steps I said to do please find this folder
    C:\WINDOWS\FONTS\font2
    zip it up & send it to me submit@thespykiller.co.uk so we can see exactly which trojan has infected you


    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\RunServices: [RunDLL34] C:\WINDOWS\FONTS\font2\syscnfg.exe
    O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
    O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.smartraveler.com/bos/camera.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tuk...0.20/tukati.cab


    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    C:\WINDOWS\FONTS\font2\syscnfg.exe and any other .exe files in that folder in fact please delete the font2 subfolder it is all bad and is normally a backdoor trojan that can take over the system so

    then
    Reboot normally &

    I would strongly recommend downloading and running a specialised anti trojan

    the antitrojan that I use for dealing with them is

    TDS3 from http://tds.diamondcs.com.au/

    download & install the 30 day free trial, update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto update enabled

    then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in top right corner, then select system testing and select full system scan

    sit back with a cup of coffee and watch what it finds

    NOTE:

    Unlike set and forget av's TDS works with you, it doesn't auto delete anything but puts a list of found suspect files in the bottom window

    right click any file it finds and it gives you options on dealing with it, the normal selection would be delete , but first select "save as text", that will create a logfile of all the found suspect files and put it in the TDS directory called scandump.txt.

    post back with the tds log after running please, just copy & paste the entries from the scandump.txt
     
  3. Yelraf

    Yelraf Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    7
    Hi, dvk01. I just sent you an email with the zipped font2 folder. Anything you may suggest would be very helpful. Thanks again for your quick and effective response! :)

    Yelraf
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    at a quick glance it looks like a new mirc backdoor trojan
    it's on it's way to several developers to pull apart

    nothing I've got is flagging it at the moment, but if it was in that location on your computer it is definitely bad

    provided you have deleted the font2 folder it should be ok, but there is an installer in the folder, that hopefully hasn't installed any files anywhere else

    please post a new hijackthis log and the report from tds

    Edit:

    Just got this from Kapersky online scan
    font2.zip Archive: ZIP
    font2.zip/font2/index.html Ok
    font2.zip/font2/iostream.exe Archive: Astrum
    font2.zip/font2/iostream.exe/data0001 Packed: UPX
    font2.zip/font2/iostream.exe/data0001 Ok
    font2.zip/font2/iostream.exe/data0002 Packed: UPX
    font2.zip/font2/iostream.exe/data0002 Ok
    font2.zip/font2/iostream.exe/data0003 Packed: UPX
    font2.zip/font2/iostream.exe/data0003 Ok
    font2.zip/font2/iostream.exe/data0004 Packed: UPX
    font2.zip/font2/iostream.exe/data0004 Ok
    font2.zip/font2/iostream.exe/data0005 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0006 Packed: UPX
    font2.zip/font2/iostream.exe/data0006 Ok
    font2.zip/font2/iostream.exe/data0007 Ok
    font2.zip/font2/iostream.exe/data0008 Ok
    font2.zip/font2/iostream.exe/data0009 Infected: Trojan.BAT.DelVbs
    font2.zip/font2/iostream.exe/data0010 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0011 Packed: UPX
    font2.zip/font2/iostream.exe/data0011 Ok
    font2.zip/font2/iostream.exe/data0012 Ok
    font2.zip/font2/iostream.exe/data0013 Infected: Backdoor.IRC.Flood.v
    font2.zip/font2/iostream.exe/data0014 Infected: Worm.Win32.Randon.r
    font2.zip/font2/iostream.exe/data0015 Ok
    font2.zip/font2/iostream.exe/data0016 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0017 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0018 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0019 Infected: Backdoor.IRC.Cloner
    font2.zip/font2/iostream.exe/data0020 Ok
    font2.zip/font2/iostream.exe/data0021 Ok
    font2.zip/font2/iostream.exe/data0022 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0023 Ok
    font2.zip/font2/iostream.exe/data0024 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0025 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0026 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0027 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0028 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0029 Ok
    font2.zip/font2/moo.dll Packed: UPX
    font2.zip/font2/moo.dll Ok
    font2.zip/font2/myownservers.dll Ok
    font2.zip/font2/odl.ocx Ok
    font2.zip/font2/remote.ini Ok
    font2.zip/font2/restarter.exe Packed: UPX
    font2.zip/font2/restarter.exe Ok
    font2.zip/font2/rldmrc.ocx Infected: IRC-Worm.Jumpin
    font2.zip/font2/rm.exe Ok
    font2.zip/font2/stdlib.exe Packed: UPX
    font2.zip/font2/stdlib.exe Ok
     
    Last edited: Apr 20, 2004
  5. Yelraf

    Yelraf Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    7
    Wow, thanks. I'll obtain a log from Hijack and a TDS report. I haven't deleted the font2 folder and it's contents yet. Shall I delete them now or wait until after I run the logs?

    Many thanks,
    Yelraf
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    delete the fonts 2 folder 1st then do the scans
    you might need to be in safe mode to delete the folder
     
  7. Yelraf

    Yelraf Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    7
    Okay, I deleted the font2 folder and performed the scans. I couldn't believe what TDS found:

    Scan Control Dumped @ 22:31:01 20-04-04
    Positive identification: Adware.Apropos.b
    File: c:\sys_ai_client_loader.exe

    Positive identification (in archive): DDoS.RAT.GT Bot Dropper.IO
    File: iostream.exe (In c:\documents and settings\david\desktop\font2.zip)

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 5944 bytes
    File: c:\my documents\my pictures\030316-1100-46.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 8296 bytes
    File: c:\my documents\my pictures\2004 acura tl.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 6428 bytes
    File: c:\my documents\my pictures\43880015.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 4692 bytes
    File: c:\my documents\my pictures\blckmrno.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 11412 bytes
    File: c:\my documents\my pictures\cg1_patriots.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 4984 bytes
    File: c:\my documents\my pictures\chase.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 9560 bytes
    File: c:\my documents\my pictures\employee_outhouse.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 6224 bytes
    File: c:\my documents\my pictures\grande baroque.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 4844 bytes
    File: c:\my documents\my pictures\jerry.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 9700 bytes
    File: c:\my documents\my pictures\michaelangelo.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 6892 bytes
    File: c:\my documents\my pictures\outhouse.gif:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 9924 bytes
    File: c:\my documents\my pictures\outhousebarn.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 4592 bytes
    File: c:\my documents\my pictures\sample.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 3908 bytes
    File: c:\my documents\my pictures\silver palace zoom.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 7888 bytes
    File: c:\my documents\my pictures\silver palace.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 4800 bytes
    File: c:\my documents\my pictures\silvmrno.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 6696 bytes
    File: c:\my documents\my pictures\suzi_shower7.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 10736 bytes
    File: c:\my documents\my pictures\ts3_cinderella_4_lg.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 8072 bytes
    File: c:\my documents\my pictures\urquell.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 7636 bytes
    File: c:\my documents\my pictures\wicked pissah1.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 3916 bytes
    File: c:\my documents\my pictures\wp.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 3248 bytes
    File: c:\my documents\my pictures\microsoft clip organizer\sy00307_.wmf:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 3272 bytes
    File: c:\my documents\my pictures\microsoft clip organizer\sy00309_.wmf:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 5096 bytes
    File: c:\my documents\my pictures\microsoft clip organizer\sy01124_.wmf:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 5304 bytes
    File: c:\my documents\my pictures\microsoft clip organizer\sy01126_.wmf:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 7756 bytes
    File: c:\my pictures\miscellaneous\uncle ricky.jpg:q30lsldxjoudresxaaaqpcawxc

    Positive identification: DDoS.RAT.GT Bot Dropper.IO
    File: c:\windows\system32\iostream.exe

    Here is my updated Hijack log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:34:37 PM, on 4/20/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\VerizonDSL\IPInsight\ARUpld32.exe
    C:\Program Files\VerizonDSL\IPInsight\ARMon32a.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\system32\stisvc.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\Program Files\VerizonOnlineDSL\WinPoET\WrOS.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Free Surfer\fs20.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
    C:\Program Files\VerizonOnlineDSL\WinPoET\WinPPPoverEthernet.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\VerizonDSL\IPInsight\ARUpld32.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Documents and Settings\David\Desktop\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\WINDOWS\WK\INTERN~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [WinPoET] C:\Program Files\VerizonOnlineDSL\WinPoET\WinPPPoverEthernet.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmtrans.html
    O9 - Extra button: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://carpoint.msn.com/components/ocx/autopricer/autopricer.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{430083C0-FC21-4CEE-A1C6-684B87093218}: NameServer = 151.203.0.85 151.203.0.84

    On a side not, the first folder on my C: drive is called:

    C:\$VAULT$.AVG
    00000001.FIL
    00000002.FIL
    00000003.FIL
    00000004.FIL
    00000005.FIL

    The .FIL extensions are the hidden files inside the folder. I wasn't sure if this was a anything to add but wanted to bring it up just in case.

    Let me know if there's anything else I can do!

    Regards,
    Yelraf
     
  8. Yelraf

    Yelraf Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    7
    Dvk01, false alarm on the $VAULT$ folder. That's just part of my AVG Antivirus...
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    ignore all the ntfs ads entries they are OK

    but let TDS FIX

    Positive identification: Adware.Apropos.b
    File: c:\sys_ai_client_loader.exe

    Positive identification (in archive): DDoS.RAT.GT Bot Dropper.IO
    File: iostream.exe (In c:\documents and settings\david\desktop\font2.zip)

    Positive identification: DDoS.RAT.GT Bot Dropper.IO
    File: c:\windows\system32\iostream.exe


    then make sure you delete the font2.zip from the desktop and empty recycle bin afterwards
     
  10. Yelraf

    Yelraf Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    7
    Okay. Being unfamiliar with TDS-3, how do I fix the 3 problems I have with it? Is there are particular function that will clean these items for me?
    Thanks...
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    run the tds scan again unless it is still open with the items showing, and when the items appear in the bottom window, right click the bad ones and select delete
     
  12. Yelraf

    Yelraf Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    7
    It's as simple as a right-click and delete, huh? Great, I'll give that a shot tonight. Lastly, should I be concerned at all with the Alternate Data Streams or are they essentially harmless and non-threatening?

    Thanks for all your help. I really do appreciate it!
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Nothing to wory about normally with alternate data streams when they are in a jpg or other picture file. It's just the way that woindows and XP in particular carries some additional information

    the Alternate Data Streams you need to investigate are those attached to any .exe file or any file that can be run like a dll
     
Thread Status:
Not open for further replies.