Trojan

#1 shodan (Member, Full Member, 13 posts)

Posted 27 May 2004 - 06:54 AM

Hi specialists, you helped me before, so ...
I got an e-mail from my provider's mailing system department, saying that multiple clients made complaints that they receive spam from me. They now suspect that I am infected with a "proxy relay trojan server" (what a beast!?).
They sent me a zip file with some instructions, but I can't open it. In the meantime I was wondering if I could find some help here, but I also thought I could help make the anti-spy programs better by providing this info. I do have Spybot running, and some other of the common programs which are strongly recommended by SpywareInfo, and they are even updated on a regular basis. Despite that, I'm still infected, so I thought it might be an unknown variant??? Maybe some programmers want to add this to their programs. So:
1) How can I remove it?
2) Can I do something to help by sending any file from my PC or whatever? Let me know and I'll try to do my part to help the community.

Thanks a lot,
Shodan.

#2 Fireflyer (Spyware Scorcher, Retired Staff, 571 posts)

Posted 27 May 2004 - 10:57 AM

Although there is a slight chance that the email you received is genuine, it most likely is not.

You might want to contact your Internet Service Provider and have them confirm that this email did not originate with them.

If the body of the email reads like this, you've probably been scammed:

"Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions."

This is the way the Beagle virus is spread - if you tried to open the attached file then your machine has probably been infected with the W32.Beagle.MM worm.

Symantec has a removal tool for this worm - go to the following webpage to download the tool:

http://securityrespo...moval.tool.html

Follow their instructions for using it, ESPECIALLY the step that says:

If you are running Windows Me or XP, then disable System Restore.

After running their removal tool, you might want to go for an online virus scan at one of the following sites:

http://www.pandasoft...n_principal.htm
http://housecall.trendmicro.com/
http://www.bitdefend...can/licence.php

Finally, as a follow up, if you do not already have it, download HijackThis - put it in its own permanent folder - don't run it from the Desktop or a Temp folder.

Save the logfile, copy it and paste it as a reply into this thread for further review.

Edited by Fireflyer, 27 May 2004 - 12:46 PM.

How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.

#3 shodan (Member, Full Member, 13 posts)

Posted 28 May 2004 - 06:19 AM

Looks like you have direct access to my mail :-)). Yes indeed, that's exactly what they wrote!! OK, I scanned the machine. No results. Here's my HijackThis log:
******************************************************
Logfile of HijackThis v1.97.7
Scan saved at 13:16:09, on 28-05-04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\RCSERV.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINNT\system32\NotifyPhoneBook.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\internat.exe
C:\Local Data\Zjoris\Private_Program_files\ANTISPY-TOOLS\Spywareguard\SpywareGuard\sgmain.exe
C:\LOCALD~1\ZJORIS\PRIVAT~1\MESSEN~1\ymsgr_tray.exe
C:\Local Data\Zjoris\Private_Program_files\ANTISPY-TOOLS\Spywareguard\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Local Data\Zjoris\Private_Program_files\ANTISPY-TOOLS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oraclebol.com;*.oracleoutsourcing.com;<local>
O1 - Hosts: 148.87.13.147 tropexp.oraclebol.com NAMEBROKER
O1 - Hosts: 165.198.209.27 europa
O1 - Hosts: 165.198.240.251 esbarx01
O1 - Hosts: 165.198.28.161 lgg1tinwis0001
O1 - Hosts: 165.198.28.182 beborx02
O1 - Hosts: 165.198.31.96 bebrux01
O1 - Hosts: 165.198.32.92 bezeex01
O1 - Hosts: 165.198.206.21 nlmaax01
O1 - Hosts: 165.198.184.92 troi3nfr
O1 - Hosts: 165.198.34.92 frherx01
O1 - Hosts: 165.198.35.92 esmurx01
O1 - Hosts: 165.198.36.92 ukleax01
O1 - Hosts: 165.198.37.94 ukboxx01
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Local Data\Zjoris\Private_Program_files\ANTISPY-TOOLS\Spywareguard\SpywareGuard\dlprotect.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [SwdisUsrPCN.Meynen_Joris_wlgg1] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [lcfep] "C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe" -x
O4 - HKLM\..\Run: [SwdisUsrPCN.LGG1TINWUL3012] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\2\wdusrpcn.env"
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\LOCALD~1\ZJORIS\PRIVAT~1\MESSEN~1\ypager.exe -quiet
O4 - Startup: SpywareGuard.lnk = C:\Local Data\Zjoris\Private_Program_files\ANTISPY-TOOLS\Spywareguard\SpywareGuard\sgmain.exe
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Free Surfer (HKLM)
O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: DesktopICON - https://www.mydevelo...DesktopICON.CAB
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab

*****************************************
Thanks a lot for your help on this, Fireflyer.

Best regards,
shodan

#4 Fireflyer (Spyware Scorcher, Retired Staff, 571 posts)

Posted 29 May 2004 - 10:44 AM

OK shodan, very good, now let's clarify some things.

1) Please confirm for me that you did run the Symantec removal tool for W32.Beagle.MM.

2) Originally you said you were infected, but you did not describe any problems. Were you just thinking that you had a problem because of what the fake email said? Are you actually having problems with your browser, and if so, what sort of problems are they?

3) You appear to have Norton Antivirus on your system. I was not aware of this when I suggested that you try an online scan. Two antivirus programs running at the same time can conflict and possibly compromise each other's effectiveness. It's usually best to temporarily disable the installed antivirus program before running an online scan.

4) Your HijackThis log looks good with no obvious infections; however, there are a couple of items that I am wondering about.

This entry in your HijackThis log may indicate a problem but it might also be a requirement of your Internet Service Provider. You might want to ask your ISP if this ProxyServer setting is from them:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080

This next entry has been changed from its original setting and you can have HijackThis fix it.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

To do so, run another HijackThis scan and click the box in front of that line. Then close all other programs (including this browser window) and click Fix on HijackThis. Reboot your system afterwards.

5) You need to update your IE6 browser - Microsoft has released some critical updates for IE6 that plug some security holes. Go to Windows Update at http://v4.windowsupdate.microsoft.com/ and install all of the critical updates they recommend.

6) Finally, you have a LOT of programs running on your system. Unless you use them all frequently, you could increase your system resources by setting some of them so they don't start at bootup. They would still be available for use from the Start Menu when you need them.

Take care of the above items, post another HijackThis log and let me know if you are interested in any of the optional fixes to increase your system resources.
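A small triage script, added here as an illustration and not part of Fireflyer's post or of HijackThis itself, that parses log entries like the ones above and flags the items discussed in this thread (the ProxyServer setting to confirm with the ISP or IT department, the SearchURL reset to about:blank, Hosts-file overrides, and O16 entries with no download source). The sample lines are copied from shodan's log above; the flagging rules are a hypothetical reviewer's shortlist, not HijackThis logic.

```python
import re

# Sample entries copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O1 - Hosts: 165.198.209.27 europa
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
"""

# HijackThis entries start with a section code (R0, R1, O1, O4, O16, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def parse_entries(text):
    """Return (section, body) tuples, skipping the header and the process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(entries):
    """Flag entries worth a second look, following the checks made in this thread.
    A ProxyServer value is reported for confirmation rather than removal, since a
    corporate or ISP proxy is legitimate. These rules are a hypothetical reviewer's
    shortlist (an assumption of this example), not HijackThis logic."""
    findings = []
    for sec, body in entries:
        key, _, value = body.partition(" = ")
        if sec == "R1" and key.endswith(",ProxyServer") and value:
            findings.append((sec, f"proxy configured: {value}; confirm it is sanctioned"))
        elif sec == "R1" and key.endswith("SearchURL,(Default)") and value == "about:blank":
            findings.append((sec, "SearchURL changed from default to about:blank"))
        elif sec == "O1":
            findings.append((sec, "hosts-file override: " + body[len("Hosts: "):]))
        elif sec == "O16" and body.endswith(" -"):
            findings.append((sec, "DPF entry with no download source recorded"))
    return findings


if __name__ == "__main__":
    for sec, reason in triage(parse_entries(SAMPLE_LOG)):
        print(f"{sec:4} {reason}")
```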

#5 shodan (Member, Full Member, 13 posts)

Posted 01 June 2004 - 01:48 AM

Fireflyer, first of all, thanks for the clear explanations (even for someone who's not really into computers). This is great.
To answer your questions:
* I did do something with the Beagle thing. I ran one, because I did not know whether I had to do them all or not, and I didn't really know which one to choose, so I picked the first one. Didn't see any impact though, so I'm not sure whether I did it right??
* I don't really think I'm already infected. I tried to open the attachment but I couldn't. I couldn't even save it on my hard disk to open it.
* I only have a corporate laptop, which I may also use privately. I went to the online check and started running it, but I didn't know it would take so long, and I ended it, not really knowing whether the IT dept. would see or check it and would ask me some questions. Therefore I did the complete scan with the Norton, because I expect a large company to be up to date with the virus scanner. I didn't find anything.
* About the HijackThis log: the proxy 8080 is some port they set on my machine, and I guess it is to make some programs available. I'm not really fond of changing settings, especially because I don't really know anything about it. Also, the IT dept. is very helpful, but they do not support "private" things.
I hope this is clear to you.

Best regards,
Joris

#6 Fireflyer (Spyware Scorcher, Retired Staff, 571 posts)

Posted 03 June 2004 - 01:13 PM

Joris,

Yes, thank you, you've been very clear.

It appears that you did escape being infected by the Beagle Worm.

Your HijackThis log looks good and is clean of any malware.

Since this is a work computer it is probably best to leave it as is, and not attempt to shut down any startup programs.

You still might want to mention to the IT department that the IE6.0 browser is in need of some critical security updates - I strongly recommend that these updates be done. They are available for download at http://v4.windowsupdate.microsoft.com/

Finally, always be suspicious of any email with attachments or links to click on, and always check them out before opening the attachments or clicking on the links.

I'm glad we could help ease your mind.