Forums » Up and Running » Security » Security » HJT Log..... Downloader.Trojan

assquesme

join:2003-07-06
Matthews, NC

HJT Log..... Downloader.Trojan

Ok... My problem is I have a teenage son. Anyway, I seem to have lost one of my local disks.

I ran NAV 04 (updated), Trojan Hunter (updated), and Ad-Aware (updated). I also scanned with McAfee and F-Secure, which this site provided links to. Then I downloaded and updated CWShredder & Spybot S&D. Nothing but some cookie files were infected.

Logfile of HijackThis v1.98.0
Scan saved at 11:05:26 PM, on 7/13/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »msn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MCUpdateExe] C:\Program Files\McAfee.com\Agent\mcupdate.exe /embedding
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: Tri-Peaks by pogo - »peaks.pogo.com/applet/peaks/peak···sets.cab
O16 - DPF: Yahoo! Gin - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: Yahoo! NFL GameChannel StatTracker - »aud4.sports.sc5.yahoo.com/java/y···10_x.cab
O16 - DPF: Yahoo! Pool 2 - »download.games.yahoo.com/games/c···tc_x.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - »download.mcafee.com/molbin/share···sctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - »207.188.7.150/173dc026488c18d294···E601.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - »https://www.gamespyid.com/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - »a840.g.akamai.net/7/840/537/2004···an53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - »www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - »support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6} (AOL YGP Screensaver) - »pak02.pictures.aol.com/ygp/aol/p···.2.5.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - »autos.msn.com/components/ocx/ext···side.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - »download.mcafee.com/molbin/iss-l···scan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - »www.gamespot.com/KDX22/download/kdx.cab

Thanks for the help in advance:D


Sparrow
Crystal Sky
Premium
join:2002-12-03
Varna, BG

Hi assquesme,

Which scan picked up the Downloader.Trojan? Was it Spybot? Your log looks clean, but someone else may see something that I don't.

I'm not sure if it matters, but check in C:\Program Files\Internet Explorer\iexplore.exe. I'm not quite sure why you have two iexplore.exe files.
--
Security Forum FAQs ..♥.. AV Complaints? ..♥.. Raj karega Khalsa! ..♥.. Starfire "5 in 4"

assquesme

join:2003-07-06
Matthews, NC

It was Norton AV. Here is what the disk looks like:

assquesme

join:2003-07-06
Matthews, NC
Could this be an internal problem with my pc?


Sparrow
Crystal Sky
Premium
join:2002-12-03
Varna, BG


I am just curious if you have two iexplore.exe files in your C drive in C:\Program Files\Internet Explorer\iexplore.exe. (Right click Start > Explore > Local Disk [C:] > Program Files > Internet Explorer.)

Are both files the same size? Same versions? Same install date? Nothing else appears to be amiss. I don't ever recall seeing two instances of IE in the Program Files, but it is probably nothing.


Edit: A dear friend just refreshed my tired ole mind, that you just have two windows open, thus the two IExplore.exe running. On a better day, I would have caught that!

You're okay - I'm not tonight. Sorry for any confusion.
--
Security Forum FAQs ..♥.. AV Complaints? ..♥.. Raj karega Khalsa! ..♥.. Starfire "5 in 4"


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

reply to assquesme
Your downloader trojan may have been Gator which is one of the entries below (or a leftover component of it since the other cleaners probably got most of it).

Scan with only HijackThis open (keep IE closed) and checkmark these items, then press *fix checked*

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - »207.188.7.150/173dc026488c18d29402/net..

Reboot your PC and delete this entire folder (if found)

C:\Program Files\Common Files\CMEII (This is Gator)
--
It takes a disaster to make a woman out of a female
Gladiator Security Forum
Proud Member of ASAP (Alliance of Security Analysis Professionals) »www.a-sap.org/
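As an added example (not part of this thread and not HijackThis's own code), the Python script below parses an HJT v1.98-style log, counts duplicate image paths in the "Running processes" list (the two iexplore.exe lines Sparrow asked about are just two IE windows), and flags the two entries CalamityJane marked for *fix checked*: any O4 Run entry whose image lives under C:\Program Files\Common Files\CMEII, and any O16 DPF entry whose CLSID is on a removal list. It also flags O16 downloads served from a bare IP address; that is an assumed heuristic for illustration, not a rule from the thread. The log text inside the script is a constructed excerpt of the posted log, and the .cab path on the 207.188.7.150 line is made up because the thread shows that URL truncated.

```python
"""Parse a HijackThis (HJT) log and flag the entries discussed in this thread.

Added example; not part of the original thread and not HijackThis's own code.
SAMPLE_LOG is a constructed excerpt of the posted log. REMOVE_FOLDERS and
REMOVE_CLSIDS come from the advice above; the bare-IP check is an assumed
heuristic for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed excerpt of the posted log. The path after 207.188.7.150 is
# invented: the thread shows that URL truncated.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
Scan saved at 11:05:26 PM, on 7/13/2004
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/constructed/sample.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
"""

# Items CalamityJane told the poster to fix / delete.
REMOVE_FOLDERS = [r"C:\Program Files\Common Files\CMEII"]   # Gator
REMOVE_CLSIDS = ["{56336BCB-3D8A-11D6-A00B-0050DA18DE71}"]  # RdxIE Class

ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<ident>.+?)(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hjt(text):
    """Split a log into (running process paths, [(entry type, line), ...])."""
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group("type"), line))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            procs.append(line)
    return procs, entries


def duplicate_processes(procs):
    """Image paths listed more than once (two IE windows -> two iexplore.exe)."""
    counts = Counter(p.lower() for p in procs)
    return {p: n for p, n in counts.items() if n > 1}


def image_path(cmd):
    """First token of a Run value: the quoted path if quoted, else up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def flag_entries(entries, bad_folders, bad_clsids):
    """Return [(log line, reason), ...] for entries worth checking in HJT."""
    folders = [f.lower().rstrip("\\") + "\\" for f in bad_folders]
    clsids = {c.upper() for c in bad_clsids}
    hits = []
    for etype, line in entries:
        reasons = []
        if etype == "O4" and (m := O4_RE.match(line)):
            path = image_path(m.group("cmd")).lower()
            reasons += [f"O4 image under {f}" for f in folders if path.startswith(f)]
        elif etype == "O16" and (m := O16_RE.match(line)):
            if m.group("ident").upper() in clsids:
                reasons.append("O16 CLSID on removal list")
            host = urlsplit(m.group("url")).hostname or ""
            if IPV4_RE.match(host):  # assumed heuristic, not a rule from the thread
                reasons.append(f"O16 download from bare IP {host}")
        if reasons:
            hits.append((line, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    procs, entries = parse_hjt(SAMPLE_LOG)
    for path, n in duplicate_processes(procs).items():
        print(f"{n}x running: {path}")
    for line, why in flag_entries(entries, REMOVE_FOLDERS, REMOVE_CLSIDS):
        print(f"CHECK [{why}]\n    {line}")
```

Run it as-is to see the two lines CalamityJane listed come out as CHECK items and the double iexplore.exe reported as a count rather than as two separate files; point parse_hjt at a saved HJT log to apply the same checks to another machine. Matching O4 entries by the folder the image lives in (rather than by the [CMESys] name) is deliberate: it still catches the entry if the Run value is renamed but the files stay in the CMEII folder the post says to delete.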

assquesme

join:2003-07-06
Matthews, NC
Thanks Jane
© 1999-2009 dslreports.com.