Old 13th December 2005, 13:29   #1
dlinkwit27
has no CT
(Forum King)
 
Join Date: Sep 2000
Posts: 13,235
Here we go again

Well, here we go again. My sister's managed to get the computer they use infected with a trojan (Conhook, I believe). Can't connect to the internet, so I am having to stick install.exe's (Spybot, HijackThis, etc.) on my USB and then install. We'll see how it goes.

/cracks knuckles.

/for the record
adtech2006a.exe seems to be giving me the most trouble now. I know, boot into safe mode, delete it, restart, run scans. :P

also some CWS is there. yuck
Old 13th December 2005, 13:32   #2
Evil Lu
Forum Maitresse
 
Join Date: Mar 2005
Location: I'm hiding under your bed
Posts: 2,974
I am amazed that people still manage to get infected computers. I don't even run an anti-virus program any more. I'll do the Panda online free scan every few weeks and nothing is ever found. No spyware, no adware, no trojans.
I'm all for people being forced to take an internet safety test before being allowed online.
Old 13th December 2005, 14:39   #3
dlinkwit27
has no CT
(Forum King)
 
Join Date: Sep 2000
Posts: 13,235
Well, mind you, my sisters are pretty much computer illiterate. They're 11 and 14; they pretty much click on whatever they like when they are playing little online games and such.
Old 13th December 2005, 16:14   #4
mysterious_w
Forum King
 
Join Date: Dec 2003
Location: Good ol' Britain
Posts: 2,750
I'm running this Panda scan out of curiosity. It's already picked up 2 spywares, a security threat, and a dialer.

/edit Make that 2 dialers. Stupid parents.
Old 13th December 2005, 16:42   #5
Evil Lu
Forum Maitresse
 
Join Date: Mar 2005
Location: I'm hiding under your bed
Posts: 2,974
I keep saying it but http://www.mvps.org/winhelp2002/hosts.htm really will stop most spyware better than Spybot. I can't think of anything to stop people downloading infected shite except chopping their hands off, but at least if they're happily surfing in IE, blindly clicking YES to everything then having a reasonable hosts file will help lessen the damage.
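To show what the HOSTS-file approach recommended above actually does (and where it stops), here is an added example that is not part of the thread or of the MVPS list: it parses a file in the MVPS "0.0.0.0 hostname" format and checks whether a URL's host would be sinkholed. The host names in the sample are constructed placeholders, not real entries.

```python
"""Added example (not from the thread): how an MVPS-style HOSTS file blocks
ad/spyware hosts, and its main limitation (it matches exact host names only)."""
from urllib.parse import urlparse

# Constructed sample in the MVPS format: "0.0.0.0 hostname" entries plus comments.
# The host names below are placeholders, not entries from the real MVPS list.
SAMPLE_HOSTS = """\
# This MVPS HOSTS file is a free download from: http://www.mvps.org/winhelp2002/hosts.htm
127.0.0.1 localhost
0.0.0.0 ads.example-adnetwork.test
0.0.0.0 www.example-spyware-installer.test  # trailing comment
0.0.0.0 tracker.example-counter.test
"""

SINKHOLE_IPS = ("0.0.0.0", "127.0.0.1")


def parse_hosts(text):
    """Return {hostname: ip} for every non-comment entry in a HOSTS file."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        ip, *names = line.split()             # one IP, one or more host names
        for name in names:
            table[name.lower()] = ip
    return table


def blocked_hosts(table):
    """Every host name the file redirects to a sinkhole address (localhost excluded)."""
    return {h for h, ip in table.items() if ip in SINKHOLE_IPS and h != "localhost"}


def is_blocked(url, table):
    """True if the URL's host would resolve to a sinkhole address via HOSTS.

    HOSTS matching is by exact host name: an entry for ads.example.test does
    NOT cover cdn.ads.example.test, which is why lists like MVPS are so long.
    """
    host = (urlparse(url).hostname or "").lower()
    return host != "localhost" and table.get(host) in SINKHOLE_IPS


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for u in ("http://ads.example-adnetwork.test/banner.gif",
              "http://cdn.ads.example-adnetwork.test/banner.gif"):
        print(u, "->", "blocked" if is_blocked(u, table) else "NOT blocked")
```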
Old 13th December 2005, 17:08   #6
Mr Jones
Nothing to say...
 
Join Date: Sep 2000
Location: UK
Posts: 23,064
Question is, what do you believe?

Just for shits and giggles I ran pandascan on my laptop here....

2 Viruses
30 spywares
1 dialer

So I run trend housecall online scan, pretty similar....
0 viruses
25 spywares (tracking cookies)
0 dialer

I run spybot just for a laugh
9 spywares *(tracking cookies)
0 dialers

so which is right and which are picking false positives?

/I love the fact that all 3 of them picked out Windows media player as 'a problem'
Dialer:Dialer.HT Not desinfected C:\Program Files\Windows Media Player\wmplayer.exe
Old 13th December 2005, 17:13   #7
shakey_snake
Forum Domo
 
Join Date: Jan 2004
Location: Everyone, get over here for the picture!
Posts: 4,313
Quote:
so which is right and which are picking false positives?
Well, which one is trying to sell you stuff?
I got 1 "hacking tools", it was a registry patch that I made.
good one pandascare--er pandascan


Old 13th December 2005, 17:24   #8
Mr Jones
Nothing to say...
 
Join Date: Sep 2000
Location: UK
Posts: 23,064
Good point that.

I'm amazed at how many IE 'sploits I apparently have, despite only using IE to run windows updates and online virus scans
Old 13th December 2005, 17:27   #9
mysterious_w
Forum King
 
Join Date: Dec 2003
Location: Good ol' Britain
Posts: 2,750
It says it's found 43 viruses




Old 13th December 2005, 17:35   #10
Mr Jones
Nothing to say...
 
Join Date: Sep 2000
Location: UK
Posts: 23,064
That's you screwed then
Old 13th December 2005, 17:38   #11
Evil Lu
Forum Maitresse
 
Join Date: Mar 2005
Location: I'm hiding under your bed
Posts: 2,974
I shall arrange an internet driving test then for the lot of you. I can see there will be many failures. You must give me all your computers to be looked after by a careful lady owner.
Old 13th December 2005, 17:47   #12
Mr Jones
Nothing to say...
 
Join Date: Sep 2000
Location: UK
Posts: 23,064
Nonsense, which is what pandascan looks to be.
Old 13th December 2005, 17:51   #13
shakey_snake
Forum Domo
 
Join Date: Jan 2004
Location: Everyone, get over here for the picture!
Posts: 4,313
I occasionally use the symantec online scan.
It gives quite a bit more info about the files it thinks are problems so that it's easier to identify False positives.


Old 13th December 2005, 20:38   #14
dlinkwit27
has no CT
(Forum King)
 
Join Date: Sep 2000
Posts: 13,235
winpad.exe

aka >> Backdoor.CHCP

woot! more fun work to do. This is taking too much of my time. >;(

code:
Logfile of HijackThis v1.99.1
Scan saved at 2:28:10 PM, on 12/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\winpad.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Strokeit\strokeit.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\Documents and Settings\Timothy\Desktop\HijackThis.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE /P31 "EPSON Stylus Photo RX620 Series" /O6 "USB001" /M "Stylus Photo RX620"
O4 - HKCU\..\Run: [StrokeIt] C:\Program Files\Strokeit\strokeit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\gp44l3hq1.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Word Process (msproc) - Unknown owner - C:\WINDOWS\winpad.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




/edit
well, with the removal of that (bless safe mode) the comp seems to be up and running again smoothly. /whew

that's why I love windows. sure it's attacked a lot, and it can be fucked up pretty good, but with even a basic knowledge (ie, how to boot into safe mode) you can fix just about anything.

/edit 2
aww dammit!
something is now spawning pop-ups every 45 seconds or so. grrr.

Last edited by dlinkwit27; 13th December 2005 at 21:35.
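The log above was triaged by eye; as an added example (not code from the thread or from HijackThis), here is a small Python triage of HijackThis-style lines that flags the same kinds of entries that turned out to matter here: an O23 service with no vendor string, a Winlogon Notify DLL with a random-looking name, and a binary sitting directly in C:\WINDOWS. The sample lines are copied from the posted log; the heuristics and their thresholds are this example's own assumptions, and a flag means "look at this", not "this is malware" (ScsiAccess is flagged by the same rule as winpad.exe).

```python
"""Added example (not from the thread): heuristic triage of HijackThis-style
log lines. Output is a list of entries worth a second look, not a verdict."""
import re

# Lines quoted from the HijackThis log posted above, plus clean lines for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\gp44l3hq1.dll
O23 - Service: Word Process (msproc) - Unknown owner - C:\WINDOWS\winpad.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")
# A binary directly under C:\WINDOWS (no subfolder) is unusual for legitimate software.
WINDOWS_ROOT = re.compile(r"^c:\\windows\\[^\\]+\.(exe|dll)$", re.I)
# Assumed heuristic: 6+ alphanumerics mixing letters and digits, e.g. gp44l3hq1.dll.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,}\.dll$", re.I)


def triage(log):
    """Return [(section, reason, path)] for entries worth a second look."""
    hits = []
    for raw in log.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        # O20/O23 end with " - <path>"; O4 has "[name] <command>".
        if section in ("O20", "O23"):
            path = body.rsplit(" - ", 1)[-1]
        else:
            path = body.split("] ", 1)[-1]
        fname = path.rsplit("\\", 1)[-1]
        if section == "O23" and "Unknown owner" in body:
            hits.append((section, "service with no vendor string", path))
        if section == "O20" and RANDOM_NAME.match(fname):
            hits.append((section, "Winlogon Notify DLL with random-looking name", path))
        if WINDOWS_ROOT.match(path):
            hits.append((section, "binary directly in C:\\WINDOWS, not a subfolder", path))
    return hits


if __name__ == "__main__":
    for section, reason, path in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {path}")
```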
Old 13th December 2005, 21:40   #15
Mr Jones
Nothing to say...
 
Join Date: Sep 2000
Location: UK
Posts: 23,064
Could I take this moment to suggest the following course of action...

format c: /u
Old 13th December 2005, 22:07   #16
Mattress
Forum King
 
Join Date: Jun 2003
Location: Milwaukee
Posts: 4,577
Can't you force your sisters to use Firefox?

maybe remove IE from the desktop and start menu etc.. then replace FF's icon with the IE one

That'll probably prevent a lot of that crap in the future.
Old 13th December 2005, 22:23   #17
dlinkwit27
has no CT
(Forum King)
 
Join Date: Sep 2000
Posts: 13,235
Quote:
Originally posted by Mattress
Can't you force your sisters to use Firefox?

maybe remove IE from the desktop and start menu etc.. then replace FF's icon with the IE one

That'll probably prevent a lot of that crap in the future.
that's my next step. The problem isn't IE so much, well, it is, but they use AOL too, so they trust every website they come across on it I think. I don't mind so much because they don't use my computer, so if they need stuff formatted, then it's just their sim games that are lost.
Old 13th December 2005, 23:22   #18
mysterious_w
Forum King
 
Join Date: Dec 2003
Location: Good ol' Britain
Posts: 2,750
42 of the viruses were the same thing btw (ByteVerifier supposedly), here's the log of stuff that was not disinfected, looks like I have CWS

code:


Incident Status Location

Adware:adware/block-checker Not desinfected
C:\WINDOWS\system32\ustart.exe
Adware:Adware/Block-checker Not desinfected
C:\WINDOWS\system32\navshext1.dll
Security Risk:HackTool/Gendel.A Not desinfected
C:\WINDOWS\gendel32.exe
Dialer:Dialer.BEW Not desinfected
C:\Documents and Settings\DAVID\Local Settings\Temporary Internet Files\Content.IE5\CXAJS5EF\access[1].htm
Dialer:Dialer.DIM Not desinfected
C:\Documents and Settings\DAVID\Local Settings\Temporary Internet Files\Content.IE5\SPEFODUB\sexy_blondes[1].exe
Adware:Adware/CWS Not desinfected
C:\Documents and Settings\DAVID\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-2d4ceb3-6095e66e.zip[web.exe]
Adware:Adware/WUpd Not desinfected
C:\Documents and Settings\ISABEL\Local Settings\Temporary Internet Files\Content.IE5\NEA4UA38\loudcashactive[1].htm
Virus:Trj/Multidropper.ABG Disinfected
C:\Documents and Settings\ISABEL\Local Settings\Temporary Internet Files\Content.IE5\NEA4UA38\WildAppNonUS[1].cab
Virus:Eicar.Mod Renamed
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\eicar.html





Old 14th December 2005, 02:14   #19
DrDel
Junior Member
Join Date: Dec 2005
Posts: 22
so what is the best free scanner out there?

Panda or something else?
Old 14th December 2005, 03:44   #20
dlinkwit27
has no CT
(Forum King)
 
Join Date: Sep 2000
Posts: 13,235
I've seen Panda recommended on almost all the sites I've been to. Also Webroot's Spy Sweeper, but it costs money.
Old 14th December 2005, 04:17   #21
dlichterman
Forum King
 
Join Date: Mar 2001
Location: Where Hell Froze Over
Posts: 2,466
no....spysweeper should be a 14 day trial

Old 16th December 2005, 00:27   #22
Smeggle
Just Strolling By
(Major Dude)
 
Join Date: Aug 2002
Location: A Long Winding Road.....
Posts: 3,250
em - hope you switched System Restore off first? Any problem will just re-propagate on next re-boot if not.

Old 16th December 2005, 03:34   #23
dlinkwit27
has no CT
(Forum King)
 
Join Date: Sep 2000
Posts: 13,235
Quote:
Originally posted by dlichterman
no....spysweeper should be a 14 day trial
Well yea, but I meant forever it's not free. It's not like he can use it every day or every week like people do Spybot or Ad-Aware.