RetouchPRO


Two days of hell ... trojan horse probs

#11 - 04-13-2006, 01:31 PM
Craig Walters (Senior Member; Join Date: Apr 2005; Location: somewhere over there; Posts: 8,786; Blog Entries: 4)
Gary,

Trust me, I thought about coming here and posting, but pride or sheer stubbornness at wanting to 'handle my own problems' I guess kept me from doing so. I like to think I can handle my own system. I can't, really; not all the time, but I always like to try first. But trust me, I did think about you in particular.

Here is a log of HJT as it currently stands. I made this immediately after running the restore point:

Logfile of HijackThis v1.97.7
Scan saved at 12:11:04 AM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe * ati card
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe *inCD cd burning
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe * ati card
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe *could be norton ghost or old norton anti virus
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe * also ghost or anti virus
C:\WINDOWS\system32\spoolsv.exe
P:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\GEARSec.exe * i forget at the moment, but i know this is ok.
H:\Program Files\Norton Ghost\Agent\VProSvc.exe
H:\Program Files\TraySoft\PhoneTray\PhoneTray.exe * phone answering machine on the computer.
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I:\Program Files\VMware\VMware Player\vmware-authd.exe * virtual machine i installed
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe * also virtual machine
C:\WINDOWS\system32\vmnat.exe *virtual machine
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\vmnetdhcp.exe *virtual machine
C:\WINDOWS\system32\BRMFRSMG.EXE *brother printer
C:\Program Files\BroadJump\Client Foundation\CFD.exe * broadband
C:\WINDOWS\System32\hphmon05.exe *hewlett packard printer
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\MXOALDR.EXE * external harddrive ...usb type.
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
H:\Program Files\Norton Ghost\Agent\GhostTray.exe
P:\Program Files\Abyss Web Server\abyssws.exe * abyss web server
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
P:\Program Files\Abyss Web Server\abyssws.exe *abyss
C:\WINDOWS\System32\HPZipm12.exe
J:\hijackthis\HijackThis.exe

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.retouchpro.com/"); (C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\cxpbc44u.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://F%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\cxpbc44u.slt\prefs.js)
*** Normally, the former would have been Mozilla, but during the validation process on Microsoft, I tried to use Netscape because Mozilla wasn't working for this. And IE was so screwed up at the time I didn't want to ever try with that.
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\WINDOWS\Speech\Dragon\web_ie.dll * voice activated speech/typing/computer control.
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - F:\FlashGet\VERSIO~2\FlashGet\jccatch.dll * fast downloader
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Norton Ghost 10.0] "H:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKCU\..\Run: [AbyssWebServer] P:\Program Files\Abyss Web Server\abyssws.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &NeoTrace It! - F:\NEOTRA~1\NEOTRA~1\NTXcontext.htm *the trial version of neo trace
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: MoneySide (HKLM) *really not needed.
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136317380093
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6F84C87-59F2-4E53-A3FB-87340C392D64}: NameServer = 205.152.37.23,205.152.132.23

Most all of this I understand. The ones I'm a bit unsure of are the smss and lsass in the running processes and the last line with the name server. If I kill that last one, I'll lose my internet connection, though.

Craig

Edit: hmmm, I better edit that a bit to show what some things are.

Last edited by Craig Walters; 04-13-2006 at 01:41 PM.
#12 - 04-13-2006, 01:38 PM
Ziaphra (Senior Member; Join Date: Mar 2006; Posts: 439)
Both the lsass and smss are ok...I know this from having to 'hijack this' my own computer some time ago.
#13 - 04-13-2006, 02:07 PM
Craig Walters
Hehe, you guys have to understand here that I didn't know it was a trojan to begin with. So, looking up 'zlob' was not an option. Not at first, anyways. It wasn't till quite a ways into this process that I even found out it was Zlob. What I first got was an 'NT logon' request by Zone Alarm and then this 'security' popup that I knew I hadn't installed; at least not on purpose. I then noticed a new icon on my desktop, the 'security' one.

This all occurred right before my weekly backup routine... the same day, and when I first saw it I was about to leave for work. I was also getting a WinPatrol request. I ran HijackThis and found nothing really odd to begin with. I tried to kill the new 'security' thing in my systray, but couldn't.

When I got home from work, with the computer running while I was away, I found more 'alerts' from WinPatrol stacked up and a popup ad on my desktop for some casino or something. That's when I got mad and knew for sure I was infected. I ran Ad-Aware and it came up blank. I deleted that 'name server' item in HijackThis and promptly lost my internet lookup. I called my ISP to see if there was an outage, thinking that that name server thing was a hijack and not needed.... lol. Wasn't thinking straight at that point. They tried to help, and I did some lookups on 'mssearchnet.exe' and they told me it was definitely a trojan on the bad lists. After that things sort of get blurry. I ran a whole lot of checks and fixes and probably not in the right order. In all fairness to Trend Micro, I had already wiped out part of this thing, so their detection might have been dependent on those things I wiped and subsequently their detection couldn't see it to remove it. They did find about 24 other things, however, including about 20 Java viruses which I hadn't even suspected were there and might have been there for a long time.

So, in my obstinate, prideful, pissed-off mood, I was probably hindering the help that would have handled this. lol. Go figure.

At any rate, it seems to be gone, or at least inactive/dormant. Like I say, the restore point seemed to have killed any existing links to make the thing active and removed the registry entries that were keeping it alive.

I've, if nothing else, learned a bit more about where some of these things get hidden and what they use to run hidden startup stuff. I've also learned to alter my surfing practices a bit and to add more protection.

nancyj,
I like that TeaTimer idea. Great idea. I have an API monitor program but never use it because it tends to be a system hog, but the TeaTimer sounds like just the right item. It's those things that get into the hidden start locations that kill you.

Also, folks should know that a lot of current viruses don't just load a virus, they also load a reloader. The reloader will restart the virus if you manage to kill it. These are often in the form of hidden .dll's (library files). So, you have to also find and kill the .dll.

And cj,
Yes, mine was doing almost the exact same things. I couldn't live without Scotty! And now that I've killed the links/registry, I need to go back again and reinstall the new good old Scotty. I'm still on version 5.x.x now that I used the restore point. And I need to re-install Task Catcher too.... and Windows Defender. lol. Wiped out the good with the bad. Kill 'em all and sort it out later.

Craig
#14 - 04-13-2006, 02:25 PM
Craig Walters
Oh, and here's another idea for anyone that wants TRULY impervious protection while surfing.... VMware! This is a 100% foolproof method of NEVER getting infected... NEVER! (Yeah, never say never and I'm sure it could be cracked, but OK.)

VMware stands for virtual machine software. You may have seen me make mention of it in my HijackThis log posted above. VMware is a virtual machine within Windows. It basically runs as a module inside of Windows, but isn't Windows. It is its own operating system operating as a sort of shell within Windows.

For those that remember the days when you loaded the OS from a floppy disk into the machine at startup, this is somewhat the same thing. When you start VMware it creates a new OS within your OS. In fact, it can create any OS you want, if you have that module. So, you could run Windows within Windows, Linux within Windows, Mac within Windows (when they finish that module; it's not quite ready yet) and so on. It comes with browsers and modules and is currently free.

The way this works is, you run VMware, run their browser within VMware and surf to your heart's content. You could pick up 50 trojans, worms, etc., etc. and it wouldn't matter. Once you kill the VMware module, EVERY PART OF IT DISAPPEARS FOR GOOD! When you start a new VMware module it's like loading the OS from a floppy again. It's completely new. So, you can 'never' get infected.

The way it was explained to me was, it creates a virtual hard drive when you load VMware. This hard drive has an OS on it. When you exit the module, the drive is wiped... gone... poof! So, no infection can remain.

You might wonder why you would need such a thing as VMware. I mean, it seems a bit much for anti-virus protection. And it will slow your machine down a bit. You won't be playing any multiplayer shooters with it, trust me on that one, but it's not so slow that you can't surf in a fairly normal manner.

This technology came about from a need within updating and restoring systems. If a company is running 50 computers all using VMware and they all crashed, got infected or just plain quit for some reason, restoring these computers is a breeze. It's also highly transportable. Make a copy of your VMware module at the corporate office and you can simply ship out copies to your remote locations, and they simply pop them into their systems and they're running.

I don't really know a lot about it. My brother-in-law uses it and I found it interesting and downloaded and installed a version for surfing. And that's another thing. With these modules you can customize them for certain things. There is a Windows module, a Linux module, a basic surfing module and so on. So, if you had 20 employees on computers and didn't want them to be able to access the internet, you simply put modules on their machines that can't surf. Simple.

It has more uses, I'm sure, and I've only installed it and used it once, so like I say, I really know little about it, but I do recall talking to my brother-in-law and that he recommended it as THE safest way to surf the web.

A Google search should turn up what you need if you want to give it a shot. There is an official site and it should turn up near the top of a Google search.

Oh, and one last thought on this... it might also make the perfect web server for your web pages. You make your base module, store a copy and always have that backup if something goes crazy on your server.

Craig
#15 - 04-13-2006, 04:51 PM
Gary Richardson (Senior Member; Join Date: Mar 2004; Location: Yorkshire, England; Posts: 2,717)
Hi Craig,

You are using an outdated version of HijackThis.

Please download the latest version from Here to a location on your computer where you can find it.

We recommend you create a New Folder C:\Hijack This

Before your first scan, we need to check the configuration.
  • Click on the Config button in the bottom right hand corner.
  • Now confirm the following are checked.
    • Make backups before fixing items.
    • Confirm fixing & ignoring of items (safe mode).
    • Include list of running processes in logfiles.
  • The other items should be unchecked.
  • Click the Back button to return to the Scan page.
Now run a scan, and send me a new log please.


Sorry about the "canned" speech, it's the easiest way to give you the info.

Your version of HJT does not scan all the areas that the newer version does, therefore vital info is missing.

Don't add any comments to the new log, as it causes problems for some of my semi-automated log checking. (I have a program that checks lines on your log against a database of "Good" lines that I've compiled, and marks them on your log). For the rest, I have access to a large database of valid and invalid processes, and rarely find any that I can't get info on. (I'll ask you about any I can't find).

Last edited by Gary Richardson; 04-13-2006 at 05:04 PM.
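Gary describes a program that checks each line of an HJT log against a database of known-good lines. The script below is an added example of that idea, not Gary's own checker or database: it parses the HijackThis log format shown in this thread and marks every entry line as known, review (a human should look) or unknown. Its allowlist, review rules and sample log are constructed for illustration, the sample lines being an excerpt of the log posted in this thread.

```python
"""Triage a HijackThis (HJT) log against an allowlist of known-good lines.

Added example, not Gary's program or database. The allowlist below is a
small constructed one; a real checker keeps a large curated database.
"""
import re
from typing import List, NamedTuple, Optional

# HJT entry lines start with a section code such as R0, R1, N2, O2, O4 ... O23.
ENTRY_RE = re.compile(r"^(?P<section>[RNOF]\d{1,2}) - (?P<body>.+)$")


class Verdict(NamedTuple):
    section: str
    body: str
    status: str   # "known", "review" or "unknown"
    reason: str


def normalise(line: str) -> str:
    """Case-fold and collapse whitespace so that 'C:\\Program Files' and
    'c:\\program  files' compare equal; HJT prints paths in mixed case."""
    return " ".join(line.split()).casefold()


# Constructed allowlist, seeded from entries in the log quoted in this thread.
KNOWN_GOOD = {normalise(entry) for entry in [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe",
]}

# Sections that deserve a human look whenever the line is unfamiliar: these are
# the persistence and network-settings spots discussed in the thread.
REVIEW_SECTIONS = {
    "O15": "Trusted Zone entry lowers IE security for that site",
    "O17": "NameServer: confirm the DNS addresses belong to your ISP",
    "O20": "Winlogon Notify DLL loads at every logon (a reloader location)",
    "O23": "Service: verify the owner and binary path",
}


def classify(line: str) -> Optional[Verdict]:
    """Return a Verdict for an HJT entry line, or None for non-entry lines
    (header, 'Running processes:' and the process paths that follow it)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if normalise(line) in KNOWN_GOOD:
        return Verdict(section, body, "known", "matches allowlist")
    if "(file missing)" in body:
        return Verdict(section, body, "review",
                       "referenced file is missing: stale entry or removed malware")
    if "Unknown owner" in body:
        return Verdict(section, body, "review", "service has no publisher recorded")
    if section in REVIEW_SECTIONS:
        return Verdict(section, body, "review", REVIEW_SECTIONS[section])
    return Verdict(section, body, "unknown", "not in allowlist")


def triage(log_text: str) -> List[Verdict]:
    """Classify every entry line of an HJT log, in log order."""
    verdicts = []
    for line in log_text.splitlines():
        v = classify(line)
        if v is not None:
            verdicts.append(v)
    return verdicts


def needs_attention(log_text: str) -> List[Verdict]:
    """Only the lines a human must look at (review and unknown)."""
    return [v for v in triage(log_text) if v.status != "known"]


# Constructed sample: an excerpt of the log quoted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - F:\NEOTRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O15 - Trusted Zone: http://free.aol.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6F84C87-59F2-4E53-A3FB-87340C392D64}: NameServer = 205.152.37.23,205.152.132.23
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        print(f"{v.status:8} {v.section:4} {v.reason}")
```

A "review" verdict is not a malware verdict: the O17 line in this thread turned out to be the ISP's own name servers, which is exactly why the check sends it to a person rather than deleting it.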
#16 - 04-13-2006, 05:13 PM
Craig Walters
Gary,

Thanks.

New log:

Logfile of HijackThis v1.99.1
Scan saved at 5:11:30 PM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
P:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\GEARSec.exe
H:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
H:\Program Files\Norton Ghost\Agent\GhostTray.exe
P:\Program Files\Abyss Web Server\abyssws.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
P:\Program Files\Abyss Web Server\abyssws.exe
H:\Program Files\TraySoft\PhoneTray\PhoneTray.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\System32\HPZipm12.exe
F:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Internet Explorer\iexplore.exe
J:\HijackThis-1-99-1\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.retouchpro.com/"); (C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\cxpbc44u.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://F%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\cxpbc44u.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Norton Ghost 10.0] "H:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKCU\..\Run: [AbyssWebServer] P:\Program Files\Abyss Web Server\abyssws.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &NeoTrace It! - F:\NEOTRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - F:\NEOTRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136317380093
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6F84C87-59F2-4E53-A3FB-87340C392D64}: NameServer = 205.152.37.23,205.152.132.23
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - P:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Unknown owner - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe (file missing)
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton Ghost - Symantec Corporation - H:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - I:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

Craig
#17 - 04-13-2006, 05:14 PM
Gary Richardson
Just as an item of info Craig, with regard to VM.

Microsoft researchers have put forward a proof of concept proposal, where a VM system is used as a "Rootkit" to hide malicious activity.

Essentially the attacker downloads a VM onto your computer, and your OS will then unbeknown to you, run inside this VM.

Because of this, any AV scans will not show anything wrong with your system, (as they will be scanning your OS, and not the VM) and yet the attacker will have full access to the contents of your computer.

They haven't explained how this would be introduced to your box, but the concept is frightening.
#18 - 04-13-2006, 05:18 PM
Craig Walters
Gary,

Yes, that is frightening. However, my VERY little understanding of VMware says this is very unlikely, if not nearly impossible. Of course the key word there is 'nearly'. And I honestly don't know. The 'hooks' between the VM module and your 'real' OS are pretty slim, the way I understand it currently, so I don't know. I would think the VM module would have a hard time reading or interfacing with your true OS. But, it's software, so I suppose it's possible.

The whole 'rootkit' thing is pretty scary all by itself.

Craig
#19 - 04-13-2006, 05:50 PM
Gary Richardson
OK Craig,

Gone through your HJT log, and it looks clear.

I assume Bell South are your ISP. (if not let me know).

Noticed you have both AVG and Norton/Symantec on your box, if you're running both it could cause conflicts. Best to disable the real time scanners on one of them, and use it as an on-demand scanner only.

Also found Zone Alarm in your Running processes, but I don't find the services to suggest you're using it as your firewall (I presume you're using Norton/Symantec). Is this a remnant from an old install? If so, it might be worth removing. (Just remove the Zone Alarms folder in Program Files).

If you wish to check whether your other Restore Points have been infected, try running Kaspersky's online scan, this is a very thorough scan, and will show up any infected files (including those in System Restore). It's a scan only, and doesn't clear any infections.

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK.
  • Now under select a target to scan select My Computer.
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Sorry, another "canned" speech.

If your RPs are infected, you need to clean them out. (sorry, yet another "canned")

Let's reset System Restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.
  • Turn off System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.
  • Reboot.
  • Turn ON System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check *Turn off System Restore*.
    • Click Apply, and then click OK.
  • NOTE: only do this ONCE, NOT on a regular basis

Last edited by Gary Richardson; 04-13-2006 at 06:07 PM.
#20 - 04-13-2006, 10:15 PM
Craig Walters
Gary,

Thanks!

Yes, BellSouth. And that actually makes me feel better. That tells me you looked up that name server and it was correct.

No, I don't have Norton AntiVirus any more. So, those are leftovers. I do have Ghost.

Zone Alarm firewall = all systems active. So, not sure what you want there.

Re the other restore points, this one I just restored to only goes back to shortly before I knew I was infected. Also, it was a 'checkpoint' and not the original set RP. So, if things came up clean, I'm not going to worry about it and will keep it. But thanks for that.

Now, one thing I do have a question on that has never really been answered is, on the restore points, are these like ISOs? I mean, I was told once that these aren't really ISOs in the true sense of it being a complete image file. And, I was also under the impression that restoring wouldn't destroy EVERYTHING after the RP, but it seems to have done so. All those programs I downloaded to fix this mess are now gone from my HDDs. No trace at all. In fact, I was under the impression that by using the checkpoint that it was like an updated version of your last RP and that it would only wipe things back to the checkpoint and not the original RP, but this doesn't seem to be so. There are other things missing from my files, like all the FilterMeister filters I got or made a while back. Thankfully, on those, I had copied them to the software forum and could simply copy them back, but other things are missing as well that would have been installed before the checkpoint but after the RP.

OK, I think I just answered my own questions. It would seem that the checkpoint doesn't really do much of anything, but it just links back to the original RP and the original is what gets used in the restore. That kinda sucks. What's the point of the checkpoint if it doesn't update anything?

Oh wait, I just found some of the things I thought were missing. OK, now I'm confusing myself. What does the checkpoint do? And what, if anything, is the difference from restoring to the original RP versus the checkpoint?

Craig