
Thread: attn Lynch and Curio... help please!

  1. #1
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506

    attn Lynch and Curio... help please!

    hey guys

    this just really sucks

    I have been using nod32 for a while and I have the microsoft beta spyware scanner installed and the darn thing scans every night at 2am and never finds anything. So today I am thinking about microsoft relaxing the rules for spyware so I go hmm.....

    I go download a fresh copy of ad-aware and begin to scan.

    Nod starts to go crazy after a while.

    Code:
    7/12/2005 6:23:30 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\AAWTMP\C47915890\3FCD9F\NVClientInstallTrial.exe Win32/Spy.NetVizor application	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 6:07:13 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\AAWTMP\C47915890\26017C\morphine.exe Win32/Morphine.2_7 Virtool	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 6:07:03 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\AAWTMP\C47915890\9DDF7\src\driver\driver.sys Win32/HacDef.073.B trojan	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 6:06:51 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\AAWTMP\C47915890\4568E\bdcli100.exe Win32/HacDef.084 trojan	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 6:06:47 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\AAWTMP\C47915890\4568E\rdrbs100.exe Win32/HacDef.084 trojan	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 6:06:39 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\AAWTMP\C47915890\4568E\hxdef100.exe Win32/HacDef.084 trojan	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 6:00:58 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\AAWTMP\C47915890\4568E\hxdef100.2.ini Win32/HacDef trojan	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 6:00:23 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\AAWTMP\C47915890\40BC0A\aah.exe a variant of Win32/TrojanDownloader.INService trojan quarantined - deleted XXXXXX-B0B5B185C\XXXXXX	Event occurred on a new file created by the application: C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe. The file was moved to quarantine. You may close this window.
    ad-aware only found 12 cookies and 2 bho's and removed those.

    So I'm like WTF?

    So I go and get a copy of trojanhunter and ask it to scan my computer

    It scans my computer and nod32 goes mental and gives me this,

    Code:
    Time	Module Object	Name Threat	Action User	Information
    7/12/2005 8:56:32 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\NVClientInstallTrial.exe Win32/Spy.NetVizor application	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 8:56:17 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\setup.exe	multiple infiltrations	quarantined - deleted XXXXXX-B0B5B185C\XXXXXX	Event occurred on a new file created by the application: C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 8:56:09 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\setup.exe Win32/Adware.Beginto.A application	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 8:56:02 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\ssmgr.exe	probably unknown NewHeur_PE virus	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 8:55:49 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\FILE.VBS Win32/Gedza.A worm	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 8:55:37 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\Client.exe Win32/VB.ABU trojan	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 8:55:31 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\builder.exe Win32/VB.ABU trojan	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 8:55:26 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\morphine.exe Win32/Morphine.2_7 Virtool	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 8:55:24 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\driver.sys Win32/HacDef.073.B trojan	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 8:55:20 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\bdcli100.exe Win32/HacDef.084 trojan	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 8:55:16 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\rdrbs100.exe Win32/HacDef.084 trojan	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 8:55:12 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\hxdef100.exe Win32/HacDef.084 trojan	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 8:55:07 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\hxdef100.2.ini Win32/HacDef trojan	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe. The file was moved to quarantine. You may close this window. 
    7/12/2005 8:54:57 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\aah.exe	a variant of Win32/TrojanDownloader.INService trojan	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe. The file was moved to quarantine. You may close this window.
    7/12/2005 6:38:41 AM	AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\aah.exe	a variant of Win32/TrojanDownloader.INService trojan	quarantined - deleted	XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe. The file was moved to quarantine. You may close this window.
    Now I'm really worried.... what is going on here and how did this get into my computer?

    I go and run unhackme and it says no threat detected

    I grab a fresh copy of rootkit revealer and the damn thing won't run and crashes shortly after clicking the file.

    So am I infected?

    did nod32 prevent the files from running?

    they are in my temp folder. they must have been run... what put them there?

    sigh

    any help?
    ------------------------------------------------------------
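    An added triage script for AMON lines like the ones quoted above. It is not from this thread and not part of NOD32, Ad-Aware or TrojanHunter; it parses each detection, pulls out the file path, the threat name and the process that created the file, and separates hits written by a scanner into a Temp area from hits written by anything else. The scanner list (Ad-Aware.exe, TrojanHunter.exe) is an assumption taken from the two scanners named in this post. The embedded sample is constructed: four whitespace-normalised lines copied from the post plus one made-up line whose creating process is explorer.exe and whose threat name (Win32/Example.Constructed) is invented so the second branch is exercised.

```python
import re
from collections import Counter

# Constructed sample: four whitespace-normalised NOD32 AMON lines copied from
# the thread plus one constructed line (creator explorer.exe, made-up threat
# name Win32/Example.Constructed) so the "not a scanner" branch is exercised.
SAMPLE_LOG = r"""
7/12/2005 6:23:30 AM AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\AAWTMP\C47915890\3FCD9F\NVClientInstallTrial.exe Win32/Spy.NetVizor application quarantined - deleted XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe. The file was moved to quarantine. You may close this window.
7/12/2005 6:06:39 AM AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\AAWTMP\C47915890\4568E\hxdef100.exe Win32/HacDef.084 trojan quarantined - deleted XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe. The file was moved to quarantine. You may close this window.
7/12/2005 8:55:24 AM AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\driver.sys Win32/HacDef.073.B trojan quarantined - deleted XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe. The file was moved to quarantine. You may close this window.
7/12/2005 8:56:17 AM AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\setup.exe multiple infiltrations quarantined - deleted XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe. The file was moved to quarantine. You may close this window.
7/12/2005 9:10:00 AM AMON file C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\update.exe Win32/Example.Constructed trojan quarantined - deleted XXXXXX-B0B5B185C\XXXXXX Event occurred on a new file created by the application: C:\WINDOWS\explorer.exe. The file was moved to quarantine. You may close this window.
"""

# Assumption: the two scanners named in the thread; extend for your own toolset.
SCANNER_EXES = {"ad-aware.exe", "trojanhunter.exe"}

# One AMON line after whitespace normalisation. Groups: time, scanned path,
# threat name, user, and the process that created the file.
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"AMON file (?P<path>\S+) (?P<threat>.+?) quarantined - deleted "
    r"(?P<user>\S+) Event occurred on a new file created by the application: "
    r"(?P<creator>.+?)\. The file was moved to quarantine"
)


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def is_temp_path(path):
    """True when the file sits under a \\Temp\\ directory."""
    return "\\temp\\" in path.lower()


def threat_family(threat):
    """'a variant of Win32/TrojanDownloader.INService trojan' -> 'Win32/TrojanDownloader.INService'."""
    for token in threat.split():
        if "/" in token:
            return token
    return threat  # e.g. "multiple infiltrations"


def parse_amon_log(text):
    """Parse every line that matches LINE_RE; lines that do not are skipped."""
    events = []
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse the tabs and double spaces a forum paste leaves
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify(event):
    """A scanner writing into Temp means it unpacked a sample to scan it.
    Any other creating process is the one to look at."""
    if basename(event["creator"]) in SCANNER_EXES and is_temp_path(event["path"]):
        return "scanner-extracted"
    return "needs-investigation"


def triage(text):
    """Summarise a pasted AMON log: counts per creator and family, plus the paths to chase."""
    events = parse_amon_log(text)
    return {
        "events": len(events),
        "by_creator": Counter(basename(e["creator"]) for e in events),
        "families": Counter(threat_family(e["threat"]) for e in events),
        "needs_investigation": [e["path"] for e in events if classify(e) == "needs-investigation"],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['events']} detections")
    for creator, n in summary["by_creator"].most_common():
        print(f"  created by {creator}: {n}")
    for path in summary["needs_investigation"]:
        print(f"  not written by a scanner: {path}")
```

    The "created by the application" field is the useful one: when every hit was written by a scanner into its own working directory (Ad-Aware's AAWTMP tree, TrojanHunter's Temp files), the on-access monitor was catching samples the scanner unpacked from archives, and the question becomes which archive those came from. A hit whose creator is some other process is the one that deserves the follow-up.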



  2. #2
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,415
    sorry Egghead I don't run adaware nor Trojan hunter so I don't know. I do use NOD32 but with Counterspy/Prevx/ProcessGuard and resident - and TDS-3 or Ewido as on demand. Try turning AMON off while running those programs to see if they catch anything. Maybe NOD32 is reporting what they catch or maybe they are just files created to "immunize" or they are just definitions that aren't coded - not coded but (I can't think of the word - just woke up)

  3. #3
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    Oh dear the presence of hacker defender (says 0.84 is 1.0) in your temp folder can't be a good thing, you need to find if it is actually installed on your PC - rootkit revealer will do that download it from www.sysinternals.com. Morphine is a code converter which messes around with executables to make them undetected by AV scanners - again if you didn't put it there yourself then that don't look good either.

    The fact that Nod32 recognised them immediately is a good thing - it may suggest they didn't get installed but run a full scan anyway. I take it you put the XXXs in the home path or do you have a phantom user?

    I have a whole kit of stuff which will detect rootkits and modifications but go with NOD32 and RKR first they should at least give some indication of malpractices.
    I'm using Windows 7 - you got a problem with that?

  4. #4
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,415
    From now on, I hit files with NOD32 before I open them - or the new DR WEB plugin before downloading.
    Last edited by lynchknot; July 12th, 2005 at 17:48 PM.

  5. #5
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506
    thanks guys

    rootkit revealer crashes so I cannot use that

    system task monitor shows only normal things.

    It appears to be that ad-aware triggered the detections from scanning my files. I am now starting to think that ad-aware put them there while unzipping and scanning. I most likely have some viruses for study purposes in some of my folders. I am alarmed that they were in my temp folder so I dunno.

    I am scanning with panda and will do a full file scan with nod32
    if it points to files in a directory that I am aware of then it will be ok.

    but rootkit revealer crashing makes me nervous.

    past learning reveals that many trojans will crash programs they consider a threat...

    I will keep you updated
    any other programs you guys can suggest to detect memory running trojans will be very helpful

    cheers!

    oh..
    the xxxxxx's are intentional
    Last edited by egghead; July 12th, 2005 at 18:15 PM.
    ------------------------------------------------------------



  6. #6
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,415
    I thought Rootkit revealer was supposed to change its executable name each time to avoid detection from rootkits.

    Try FRISK - http://sourceforge.net/projects/frisk


    Just unzip the file and double click on the frisk.bat file.
    Give an "allow once" permission for the files on the firewall.

    When the check up is finished, choose the hard drive "c", and answer "yes" to the question "are you sure...".

    Then take a look at the html report which is located in "C" (it's named with the date and the OEM-number).
    And just double-click on the "Detect Rootkits" reports

    This is a normal Frisk report for my machine:

    *SUSPICIOUS MODULE!! c:\windows\system32\imm32.dll
    -------------------------------------------------------------------------------
    *SUSPICIOUS MODULE!! c:\windows\system32\lpk.dll
    -------------------------------------------------------------------------------
    *SUSPICIOUS MODULE!! c:\windows\system32\usp10.dll
    -------------------------------------------------------------------------------
    *WARNING! MODULE c:\windows\system32\msvcrt.dll SEEMS TO BE HOOKED
    -------------------------------------------------------------------------------
    -Trying to detect hxdef with TCP data..Unable to load tcp.dll
    -Searching for hxdef hooks............ ( Found: 0 running rootkits)
    -Searching for other rootkits......... ( Found: 0 running rootkits)
    Another one to try is http://www.security.org.sg/code/kproccheck.html
    Last edited by lynchknot; July 12th, 2005 at 18:34 PM.

  7. #7
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506
    thanks lynch

    getting closer now

    I ran panda and it pointed out the folders I thought as well as a couple I was previously unaware of

    not sure why rootkit revealer won't run

    trying frisk now

    will post my results

    thanks again
    ------------------------------------------------------------



  8. #8
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506
    here is what frisk found


    Code:
    . .. ...: Rootkit Detector Profesional 2004 v0.62 :... .. .
    Rootkit Detector Profesional 2004
    Programmed by Andres Tarasco Acuna
    Copyright (c) 2004 - 3wdesign Security
    Url: http://www.3wdesign.es


    -Gathering Service list Information... ( Found: 289 services )
    -Gathering process List Information... ( Found: 45 process )
    -Searching for Hidden process Handles. ( Found: 0 Hidden Process )
    -Checking Visible Process.............
    c:\windows\system32\mspmspsv.exe
    c:\windows\system32\wwsecure.exe
    c:\windows\system32\smss.exe
    c:\windows\system32\csrss.exe
    c:\windows\system32\winlogon.exe
    c:\windows\system32\services.exe
    c:\windows\system32\lsass.exe
    c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe
    c:\program files\sygate\spf\smc.exe
    c:\program files\du meter\dumeter.exe
    c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe
    c:\program files\d-tools\daemon.exe
    c:\program files\asus\probe\asusprob.exe
    c:\windows\system32\spoolsv.exe
    c:\program files\java\jre1.5.0_01\bin\jusched.exe
    c:\windows\system32\alg.exe
    c:\windows\system32\wbem\wmiprvse.exe
    c:\program files\eset\nod32kui.exe
    c:\program files\mozilla firefox\firefox.exe
    c:\program files\microsoft antispyware\gcasserv.exe
    c:\windows\explorer.exe
    c:\windows\system32\svchost.exe
    c:\windows\system32\cthelper.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\microsoft antispyware\gcasdtserv.exe
    c:\windows\system32\notepad.exe
    c:\program files\webroot\washer\wwdisp.exe
    c:\program files\creative\mediasource\remotecontrol\rcman.exe
    c:\windows\system32\wuauclt.exe
    c:\documents and settings\renew\my documents\unzipped\frisk_1_0_rc1\frisk\perl\bin\perl.exe
    c:\program files\unhackme\hackmon.exe
    c:\documents and settings\xxxxxx\my documents\unzipped\frisk_1_0_rc1\frisk\frisk\plugins\rkdetector.exe
    c:\program files\mozilla firefox\firefox.exe
    c:\program files\eset\nod32krn.exe
    c:\program files\msn messenger\msnmsgr.exe
    c:\windows\system32\cmd.exe
    c:\program files\explorerxp\explorerxp.exe
    c:\program files\internet explorer\iexplore.exe
    c:\program files\mozilla firefox\firefox.exe
    -Searching again for Hidden Services..
    -Gathering Service list Information... ( Found: 0 Hidden Services)
    -Searching for wrong Service Paths.... ( Found: 0 wrong Services )
    -Searching for Rootkit Modules........
    -------------------------------------------------------------------------------
    *SUSPICIOUS MODULE!! c:\program files\trojanhunter 4.2\thsec.dll
    -------------------------------------------------------------------------------
    *WARNING! MODULE c:\windows\system32\oleaut32.dll SEEMS TO BE HOOKED
    -------------------------------------------------------------------------------
    *WARNING! MODULE c:\windows\system32\msvcrt.dll SEEMS TO BE HOOKED
    -------------------------------------------------------------------------------
    *WARNING! MODULE c:\windows\system32\ole32.dll SEEMS TO BE HOOKED
    -------------------------------------------------------------------------------
    -Trying to detect hxdef with TCP data..Unable to load tcp.dll
    -Searching for hxdef hooks............ ( Found: 0 running rootkits)
    -Searching for other rootkits......... ( Found: 0 running rootkits)
    anything to be worried about?

    ------------------------------------------------------------
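    An added helper for reading two RKDetector reports side by side, as lynchknot's "normal report" and egghead's report invite. It is not from this thread and not part of FRISK or RKDetector; it parses the SUSPICIOUS MODULE, SEEMS TO BE HOOKED and "Found: N running rootkits" lines, and reports what is new in the second report relative to the first. The embedded samples are constructed from the module sections of the two reports quoted in this thread (everything above the module section is omitted), with stray doubled spaces left in, as pasted output often has, so the whitespace normaliser has something to do.

```python
import re

# Constructed sample: module section of lynchknot's "normal" report.
BASELINE_REPORT = r"""
*SUSPICIOUS MODULE!! c:\windows\system32\imm32.dll
-------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\windows\system32\lpk.dll
-------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\windows\system32\usp10.dll
-------------------------------------------------------------------------------
*WARNING! MODULE c:\windows\system32\msvcrt.dll SEEMS TO BE HOOKED
-------------------------------------------------------------------------------
-Trying to detect hxdef with TCP data..Unable to load tcp.dll
-Searching for hxdef hooks............ ( Found: 0 running rootkits)
-Searching for other rootkits......... ( Found: 0 running rootkits)
"""

# Constructed sample: module section of egghead's report, doubled spaces kept.
CURRENT_REPORT = r"""
-Searching for Rootkit  Modules........
-------------------------------------------------------------------------------
*SUSPICIOUS  MODULE!! c:\program files\trojanhunter  4.2\thsec.dll
-------------------------------------------------------------------------------
*WARNING!  MODULE c:\windows\system32\oleaut32.dll SEEMS TO BE  HOOKED
-------------------------------------------------------------------------------
*WARNING!  MODULE c:\windows\system32\msvcrt.dll SEEMS TO BE  HOOKED
-------------------------------------------------------------------------------
*WARNING!  MODULE c:\windows\system32\ole32.dll SEEMS TO BE  HOOKED
-------------------------------------------------------------------------------
-Trying  to detect hxdef with TCP data..Unable to load tcp.dll
-Searching for hxdef  hooks............ ( Found: 0 running rootkits)
-Searching for other  rootkits......... ( Found: 0 running rootkits)
"""

SUSPICIOUS_RE = re.compile(r"^\*SUSPICIOUS MODULE!! (?P<path>.+)$")
HOOKED_RE = re.compile(r"^\*WARNING! MODULE (?P<path>.+?) SEEMS TO BE HOOKED$")
FOUND_RE = re.compile(r"\( Found: (?P<n>\d+) running rootkits\)")


def normalise(line):
    """Collapse runs of whitespace so pasted and original output compare equal."""
    return " ".join(line.split())


def parse_report(text):
    """Extract flagged modules (lower-cased paths) and the running-rootkit count."""
    report = {"suspicious": set(), "hooked": set(), "running_rootkits": 0}
    for raw in text.splitlines():
        line = normalise(raw)
        if (m := SUSPICIOUS_RE.match(line)):
            report["suspicious"].add(m["path"].lower())
        elif (m := HOOKED_RE.match(line)):
            report["hooked"].add(m["path"].lower())
        elif (m := FOUND_RE.search(line)):
            report["running_rootkits"] += int(m["n"])
    return report


def compare_reports(baseline_text, current_text):
    """What the current report flags that the baseline did not, and vice versa."""
    base = parse_report(baseline_text)
    cur = parse_report(current_text)
    base_all = base["suspicious"] | base["hooked"]
    cur_all = cur["suspicious"] | cur["hooked"]
    return {
        "new_suspicious": sorted(cur["suspicious"] - base["suspicious"]),
        "new_hooked": sorted(cur["hooked"] - base["hooked"]),
        "cleared": sorted(base_all - cur_all),
        "running_rootkits": cur["running_rootkits"],
    }


if __name__ == "__main__":
    diff = compare_reports(BASELINE_REPORT, CURRENT_REPORT)
    for key, value in diff.items():
        print(f"{key}: {value}")
```

    A "new" entry is a question to answer, not a verdict: thsec.dll belongs to the TrojanHunter install named in the scan, and lynchknot's point that plenty of legitimate programs set global hooks applies to the oleaut32/ole32 lines too. The comparison is strongest when the baseline comes from the same machine before the suspect event, rather than from someone else's "normal" report as in this thread.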



  9. #9
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,415
    It didn't find any hxdef or other hooks. There are a lot of legit programs that create "Global Hooks". It appears that NOD32 caught them all before they had a chance to infect your system.

  10. #10
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    I don't like the look of it especially if RKR crashes. RKD is toilet, you can safely ignore its output or just make up your own - you will be just as close. There is a program called Vice which will detect much stuff and another called FHS, nuff said.
    I'm using Windows 7 - you got a problem with that?

  11. #11
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,415
    I get a hive dump error using RKD so there........ Reading results of RKD is hard but I think we are looking for an executable with a date discrepancy coupled with a mismatch between Windows API and raw hive data.

    For guys having weird discrepancies with rootkit revealer, I recommend you do the following

    1) Disconnect from the net
    2) Turn off all your programs, as well as nonessential services
    3) Run rootkit revealer.

    A lot of mismatches appear because 'stuff' is happening at the same time rootkit revealer is comparing.

    This is especially so for security software.
    Last edited by lynchknot; July 12th, 2005 at 21:10 PM.

  12. #12
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    Nice one.
    I'm using Windows 7 - you got a problem with that?

  13. #13
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,415
    attn Lynch and Curio... help please!
    - I sure must know how to BS a lot (and I'm not even aware of it) because I don't know Diddley in comparison to Curio and my computer history only dates back to March 2002 (key punching AT/XT does not count). I even get PM's and e-mails requesting help. One thing I do - do, is I'm always willing to search something that I remember seeing that's similar to the request for help.
    Last edited by lynchknot; July 12th, 2005 at 21:35 PM.

  14. #14
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506
    thanks for your help guys

    all scanning showing me as clean enough to eat so I think a format this weekend should calm my nerves.

    never had rootkit revealer crash on starting before so I dunno

    I don't have process guard or anything

    I use sygate and microsoft beta and nod32

    now I got trojan hunter, unhackme, webroot spysweeper, ad-aware, spybot, nod32, window washer lol

    I don't need these programs

    format format format

    hahaha
    ------------------------------------------------------------



  15. #15
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,415
    Why don't you have any imaging software? Reformatting is so....archaic.
