shodan

Trojan

6 posts in this topic

Hi specialists, you helped me before, so ...

I got an e-mail from my provider's mailing system department, saying that multiple clients made complaints that they received spam from me. They now suspect that I am infected with a "proxy relay trojan server" (what a beast!?).

They sent me a zip file with some instructions, but I can't open it. In the meantime I was wondering if I could find some help here, but I also thought I could help make the anti-spy programs better by providing this info. I do have Spybot running, and some other common programs which are strongly recommended by SpywareInfo, and they are even updated on a regular basis. Despite that, I'm still infected, so I thought it might be an unknown variant??? Maybe some programmers want to add this to their programs. So:

1) How can I remove it?

2) Can I do something to help by sending any file from my PC or whatever? Let me know and I'll try to do my part to help the community.

 

thanks a lot

Shodan.


Although there is a slight chance that the email you received is genuine, it most likely is not.

 

You might want to contact your Internet Service Provider and have them confirm that this email did not originate with them.

 

If the body of the email reads like this, you've probably been scammed:

 

"Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions."

 

This is the way the Beagle virus is spread - if you tried to open the attached file then your machine has probably been infected with the W32.Beagle.MM worm.

 

Symantec has a removal tool for this worm - go to the following webpage to download the tool:

 

http://securityresponse.symantec.com/avcen...moval.tool.html

 

Follow their instructions for using it, ESPECIALLY the step that says:

 

If you are running Windows Me or XP, then disable System Restore.

 

After running their removal tool, you might want to go for an online virus scan at one of the following sites:

 

http://www.pandasoftware.com/activescan/co...n_principal.htm

http://housecall.trendmicro.com/

http://www.bitdefender.com/scan/licence.php

 

Finally, as a follow up, if you do not already have it, download HijackThis - put it in its own permanent folder - don't run it from the Desktop or a Temp folder.

 

Save the logfile, copy it and paste it as a reply into this thread for further review.

Edited by Fireflyer


Looks like you have direct access to my mail :-)), yes indeed, that's exactly what they wrote!! OK, I scanned the machine. No results. Here's my HijackThis log

******************************************************

Logfile of HijackThis v1.97.7

Scan saved at 13:16:09, on 28-05-04

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\Ati2evxx.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE

C:\Program Files\NavNT\rtvscan.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\RCSERV.EXE

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\pctspk.exe

C:\WINNT\system32\atiptaxx.exe

C:\WINNT\system32\PRPCUI.exe

C:\Program Files\Dell\AccessDirect\dadapp.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Dell\AccessDirect\DadTray.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\NavNT\vptray.exe

C:\WINNT\system32\rundll32.exe

C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe

C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe

C:\WINNT\system32\NotifyPhoneBook.exe

C:\PROGRA~1\DATACA~1\FLashKsk.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINNT\system32\internat.exe

C:\Local Data\Zjoris\Private_Program_files\ANTISPY-TOOLS\Spywareguard\SpywareGuard\sgmain.exe

C:\LOCALD~1\ZJORIS\PRIVAT~1\MESSEN~1\ymsgr_tray.exe

C:\Local Data\Zjoris\Private_Program_files\ANTISPY-TOOLS\Spywareguard\SpywareGuard\sgbhp.exe

C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE

C:\Program Files\Microsoft Office\Office\EXCEL.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Local Data\Zjoris\Private_Program_files\ANTISPY-TOOLS\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.nl/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oraclebol.com;*.oracleoutsourcing.com;<local>

O1 - Hosts: 148.87.13.147 tropexp.oraclebol.com NAMEBROKER

O1 - Hosts: 165.198.209.27 europa

O1 - Hosts: 165.198.240.251 esbarx01

O1 - Hosts: 165.198.28.161 lgg1tinwis0001

O1 - Hosts: 165.198.28.182 beborx02

O1 - Hosts: 165.198.31.96 bebrux01

O1 - Hosts: 165.198.32.92 bezeex01

O1 - Hosts: 165.198.206.21 nlmaax01

O1 - Hosts: 165.198.184.92 troi3nfr

O1 - Hosts: 165.198.34.92 frherx01

O1 - Hosts: 165.198.35.92 esmurx01

O1 - Hosts: 165.198.36.92 ukleax01

O1 - Hosts: 165.198.37.94 ukboxx01

O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Local Data\Zjoris\Private_Program_files\ANTISPY-TOOLS\Spywareguard\SpywareGuard\dlprotect.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r

O4 - HKLM\..\Run: [swdisUsrPCN.Meynen_Joris_wlgg1] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\1\wdusrpcn.env"

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [lcfep] "C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe" -x

O4 - HKLM\..\Run: [swdisUsrPCN.LGG1TINWUL3012] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\2\wdusrpcn.env"

O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun

O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\LOCALD~1\ZJORIS\PRIVAT~1\MESSEN~1\ypager.exe -quiet

O4 - Startup: SpywareGuard.lnk = C:\Local Data\Zjoris\Private_Program_files\ANTISPY-TOOLS\Spywareguard\SpywareGuard\sgmain.exe

O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Free Surfer (HKLM)

O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: DesktopICON - https://www.mydevelopnet.com/desktop_icon/DesktopICON.CAB

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

 

*****************************************

Thanks a lot for your help on this, Fireflyer

 

Best regards,

shodan


OK shodan, very good, now let's clarify some things.

 

1) Please confirm for me that you did run the Symantec removal tool for W32.Beagle.MM.

 

2) Originally you said you were infected, but you did not describe any problems. Were you just thinking that you had a problem because of what the fake email said? Are you actually having problems with your browser, and if so, what sort of problems are they?

 

3) You appear to have Norton Antivirus on your system. I was not aware of this when I suggested that you try an online scan. Two antivirus programs running at the same time can conflict and possibly compromise each other's effectiveness. It's usually best to temporarily disable the installed antivirus program before running an online scan.

 

4) Your HijackThis log looks good with no obvious infections; however, there are a couple of items that I am wondering about.

 

This entry in your HijackThis log may indicate a problem but it might also be a requirement of your Internet Service Provider. You might want to ask your ISP if this ProxyServer setting is from them:

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080

 

This next entry has been changed from its original setting and you can have HijackThis fix it.

 

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

 

To do so, run another HijackThis scan and click the box in front of that line. Then close all other programs (including this browser window) and click Fix on HijackThis. Reboot your system afterwards.

 

5) You need to update your IE6 browser - Microsoft has released some critical updates for IE6 that plug some security holes. Go to Windows Update at http://v4.windowsupdate.microsoft.com/ and install all of the critical updates they recommend.

 

6) Finally, you have a LOT of programs running on your system. Unless you use them all frequently, you could increase your system resources by setting some of them so they don't start at bootup. They would still be available for use from the Start Menu when you need them.

 

Take care of the above items, post another HijackThis log and let me know if you are interested in any of the optional fixes to increase your system resources.

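A small triage script, added here as an example and not part of this thread or of HijackThis itself, that applies the two checks from the reply above (the lure e-mail wording, and the ProxyServer and SearchURL entries) to a constructed subset of the posted log; the function names and finding labels are my own.

```python
import re
from typing import List, Tuple

# Constructed sample: a subset of the HijackThis entries posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O1 - Hosts: 165.198.209.27 europa
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

# Body text of the lure e-mail quoted in the thread (constructed copy for the check below).
SAMPLE_EMAIL = ("Some of our clients complained about the spam (negative e-mail content) "
                "outgoing from your e-mail account. Probably, you have been infected by a "
                "proxy-relay trojan server. In order to keep your computer safe, follow the instructions.")

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
LURE_PHRASES = ("proxy-relay trojan server", "proxy relay trojan server")

def looks_like_beagle_lure(body: str) -> bool:
    """True when the message body carries the fake-ISP wording the thread identifies."""
    return any(p in body.lower() for p in LURE_PHRASES)

def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (section code, entry body); non-entry lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(log_text: str) -> List[Tuple[str, str]]:
    """Apply the two checks from the reply above; returns (reason, entry body) pairs to review."""
    findings = []
    for code, body in parse_entries(log_text):
        key, _, value = body.partition(" = ")
        value = value.strip()
        if code == "R1" and key.endswith("ProxyServer") and value:
            # A proxy may be legitimate (corporate or ISP); confirm with whoever manages the PC.
            findings.append(("proxy-confirm", body))
        elif code == "R1" and key.endswith("SearchURL,(Default)") and value == "about:blank":
            # Default search URL altered; HijackThis can restore it.
            findings.append(("search-url-altered", body))
    return findings
```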

Fireflyer, first of all, thanks for the clear explanations (even for someone who's not really into computers), this is great.

To answer your questions:

*I did do something with the Beagle thing. I ran one because I did not know whether I had to do them all or not, and I didn't really know which one to choose, so I picked the first one. Didn't see any impact though. So whether I did it right??

*I don't really think I'm already infected. I tried to open the attachment but I couldn't. I couldn't even save it on my hard disk to open it.

*I only have a corporate laptop, which I may also use privately. I went to the online check and I started running it, but I didn't know it would take so long, and I ended it, not really knowing whether the IT dept. would see or check it and would ask me some questions. Therefore I did the complete scan with the Norton because I expect a large company to be up to date with the virus scan. I didn't find anything.

*About the HijackThis log, the proxy 8080 is some port they set in my machine, and I guess it is to make some programs available. I'm not really fond of changing settings, especially because I don't really know anything about it. Also, the IT dept. is very helpful, but they do not support "private" things.

I hope this is clear to you.

 

Best regards,

Joris


Joris,

 

Yes, thank you, you've been very clear.

 

It appears that you did escape being infected by the Beagle Worm.

 

Your HijackThis log looks good and is clean of any malware.

 

Since this is a work computer it is probably best to leave it as is, and not attempt to shut down any startup programs.

 

You still might want to mention to the IT department that the IE6.0 browser is in need of some critical security updates - I strongly recommend that these updates be done. They are available for download at http://v4.windowsupdate.microsoft.com/

 

Finally, always be suspicious of any email with attachments or links to click on, and always check them out before opening the attachments or clicking on the links.

 

I'm glad we could help ease your mind.
