Is your cpu safe?

DR STRANGELOVE

Symantec site works great as well...

Once a week I perform a scan of my cpu with Ad-aware V6.0 and Spybot, yet some trojans are not removed. For example, I did a scan today with both programs and nothing was found.

I then went to the Symantec website posted in the above post, and 1 trojan was found:
C:\WINDOWS\msiexec.exe is infected with Trojan dropper

But when I did a log using the HIJACK THIS program, I was able to identify it and have it removed. Spybot and Ad-aware couldn't resolve the trojan issue.
I for one am sure that many of you, if not ALL of you, have some form of spyware on your cpu that is not able to be removed via SPYBOT and AD-AWARE. Hijack This resolves this issue.

It's called HIJACK THIS

http://www.merijn.org/

Here is the program... http://mjc1.com/mirror/hjt/

http://www.merijn.org/htlogtutorial.html (Tutorial)


Another great site with links:

http://forums.techguy.org/t110854/s.html
 

KMA

An F.Y.I. Dr. Strangelove


I'd suggest you always check with http://www.cnet.com/ when looking into software (or other technology) matters.

Their article is here:

http://download.com.com/3000-2144-10227352.html

Summary??? A popular program with an 81% approval rating, with this rather ominous note:

Note: HijackThis does not target specific programs/URLs, just the methods used by hijackers to force you onto their sites. As a result, false positives are imminent and unless you are sure what you're doing, you should always consult with knowledgeable folks (e.g. the forums) before deleting anything.
 

DR STRANGELOVE

Very true, KMA. Just as you suggested, one should not do anything (remove files) until told by someone with knowledge of what they're doing (I removed my file(s) only when told what to remove by one of the forum's tech consultants).

helponthe.net

KMA: alias fliime
 

SixFive

OK, I did the Housecall thing, and I came up with 5 different viruses :eek:

BKDR_SINIT.A
TROJ_MUSS.A (4 times)

The problem is that the first "can't be accessed" and the other 4 are "non cleanable". I was afraid to just delete them, but is that ok? Thanks.
 

DR STRANGELOVE

65,

Did you perform a scan with Ad-aware 6.0 and Spybot?

Do that first; if you don't have the programs, you can download them from here...

Spybot: http://tomcoyote.org/SPYBOT/index1.php

Ad-aware: http://majorgeeks.com/download.php?det=506
Scroll down, and near the bottom on the right-hand side you should see DOWNLOAD FROM: BTN and an American flag; click there.

Do a scan with each and then post results.
 

DR STRANGELOVE

65:

Follow each step closely and then post your results on here (copy and paste).

Go to: http://mjc1.com/mirror/hjt/

Then click on HIJACK THIS (green light flashing beside it).
Then click on save; when it is done downloading, open it, then click on the program HIJACK THIS.
Then click on scan....DO NOT TOUCH OR CLICK ON ANYTHING EXCEPT clicking on "SAVE LOG".
Then click on save (saving the log file).
Then a box should pop up; copy and paste it here.... I will then take a look and see what's on your cpu (viruses, worms, trojans, spyware etc etc).
Then, if needed, I'll have a professional techie look at it.

Cheers


Here is a copy of mine:
Logfile of HijackThis v1.97.7
Scan saved at 2:59:37 PM, on 16.12.2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\webshots.scr
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\anthony\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.madjacksports.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [AceUtils] "C:\Program Files\Ace Utilities\au.exe" /ebh
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/4.1.1/Hiwire.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {3E956630-EA58-4614-A66D-7A624B1B67A4} (RHSIUpdates.ctlUpdates294857) - http://downloads.rogershelp.com/updates.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1408.g.akamai.net/7/1408/99...W/win/061-0848.20031022.TtzS4/iTunesSetup.exe
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37864.5943402778
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://www.microsoft.com/typography/clearadj.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab


clean as it can be, no spyware, trojans, etc!
;)
 
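As an added example (not from this thread and not part of HijackThis itself), here is a small Python parser for the log format posted above: it pulls the file location out of every O4 autostart entry, so they can be written down before the safe-mode cleanup described later in the thread, and flags O16 ActiveX downloads served from a bare IP address (like the 64.124.45.181 entry) as ones to ask about before removing anything. The sample log is constructed from a few lines in the same format, not the full log.

```python
import re

# Constructed sample in the HijackThis v1.97 line format of the log above (a few entries, not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\RunOnce: [AceUtils] "C:\Program Files\Ace Utilities\au.exe" /ebh
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")  # HKLM\..\Run: [name] cmd
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")  # DPF: {CLSID} (desc) - url
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def command_path(cmd):
    """Executable path from an O4 command line, with arguments dropped."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"^(.*?\.(?:exe|scr|cpl))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def parse_log(text):
    """Turn HijackThis entry lines into dicts; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = {"kind": m.group("kind"), "body": m.group("body")}
        if entry["kind"] == "O4" and (o4 := O4_RE.match(entry["body"])):
            entry.update(o4.groupdict())
            entry["path"] = command_path(o4.group("cmd"))
        elif entry["kind"] == "O16" and (o16 := O16_RE.match(entry["body"])):
            entry.update(o16.groupdict())
            host = HOST_RE.match(o16.group("url"))
            entry["host"] = host.group(1) if host else ""
        entries.append(entry)
    return entries

def autostart_paths(entries):
    """Name -> file location of every O4 autostart entry: what to write down before a safe-mode cleanup."""
    return {e["name"]: e["path"] for e in entries if e["kind"] == "O4" and "path" in e}

def flag_for_review(entries):
    """O16 ActiveX downloads fetched from a bare IP rather than a hostname: ask before deleting."""
    return [e for e in entries if e["kind"] == "O16" and IPV4_RE.match(e.get("host", ""))]
```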

KMA

Registry keys are the directory for your computer to know where all your files and programs are located.


If you don't know, DO NOT MESS WITH IT. You'll end up being sorry!!!!
 

KMA

Make note of the offending program's location(s), boot into "safe mode", delete them, then reboot. Please do NOT attempt to edit the Registry if you are not exactly sure of what you are doing.
 

DR STRANGELOVE

KMA is correct, and as I said earlier, copy and paste your log on here, and I'll post it at another forum where a tech will help as to what should be removed.
 