Topic: Windows XP Trojan Question - Am I Safe Now?


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33931
  • malware fighter
Re: Windows XP Trojan Question - Am I Safe Now?
« Reply #15 on: January 05, 2009, 06:14:32 PM »
Hi audiodrome,

Yes, sometimes you need Java to display certain content; if Java is there, it should be the latest version.
This goes for every third-party piece of software on your OS. A good tool to check this and keep everything up to date and fully patched is Secunia PSI; download it from here: http://secunia.com/PSISetup.exe
If you just want to do an online scan to see what should be updated, then go here and scan: http://secunia.com/vulnerability_scanning/online/
This is the best advice I can give you. Stay free of malware and secure,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline audiodrome

  • Jr. Member
  • Posts: 47
Re: Windows XP Trojan Question - Am I Safe Now?
« Reply #16 on: January 05, 2009, 06:35:38 PM »
Thanks! That's the main reason I asked about it. I went to the Secunia site to do the check but it wouldn't work without Java installed.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33931
  • malware fighter
Re: Windows XP Trojan Question - Am I Safe Now?
« Reply #17 on: January 05, 2009, 07:53:52 PM »
Hi audiodrome,

There you got your instant reply about the necessity of Java. Did you fix this with HJT?
Fix this using HJT: O18 - Filter hijack: text/html - {b30e42aa-52fe-4576-b661-8cda00822be8} - (no file)
You must have had a Smitfraud-like infection; these are traces of that. You can run SmitfraudFix from here: http://siri.geekstogo.com/SmitfraudFix.php
and VundoFix from here: http://vundofix.atribune.org/

Download both, install them and run them.
See on their pages how to use them,

polonus


Spiritsongs

  • Guest
"Java"
« Reply #18 on: January 05, 2009, 09:15:36 PM »
Hi :)

Since you say you have the "old" Microsoft "Java", you should seriously consider following the info at www.bleepingcomputer.com/tutorials/tutorial97.html.

Offline audiodrome

  • Jr. Member
  • Posts: 47
Re: Windows XP Trojan Question - Am I Safe Now?
« Reply #19 on: January 05, 2009, 09:51:34 PM »
I did install the latest version of Java and did the Secunia scan. I also ran SmitfraudFix and VundoFix. VundoFix found nothing, but I couldn't figure out how to read the SmitfraudFix log (below).

SmitFraudFix v2.388

Scan done at 15:47:39.76, Sun 01/04/2009
Run from C:\Documents and Settings\Sean\My Documents\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Sean\My Documents\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sean


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Sean\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sean\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Sean\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
 

»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 68.87.71.226
DNS Server Search Order: 68.87.73.242
DNS Server Search Order: 68.87.64.146

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 68.87.71.226
DNS Server Search Order: 68.87.73.242
DNS Server Search Order: 68.87.64.146

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0B4C6820-C715-4E21-A6B6-C8DFC3A1924A}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{53D393AF-BB23-415F-AAEA-C4BECAF94F3F}: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146
HKLM\SYSTEM\CCS\Services\Tcpip\..\{CE88C533-F6F2-4740-9BF2-A0310248A43D}: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0B4C6820-C715-4E21-A6B6-C8DFC3A1924A}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{53D393AF-BB23-415F-AAEA-C4BECAF94F3F}: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CE88C533-F6F2-4740-9BF2-A0310248A43D}: DhcpNameServer=10.129.33.2 10.129.5.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0B4C6820-C715-4E21-A6B6-C8DFC3A1924A}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{53D393AF-BB23-415F-AAEA-C4BECAF94F3F}: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146
HKLM\SYSTEM\CS2\Services\Tcpip\..\{CE88C533-F6F2-4740-9BF2-A0310248A43D}: DhcpNameServer=10.129.33.2 10.129.5.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0B4C6820-C715-4E21-A6B6-C8DFC3A1924A}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{53D393AF-BB23-415F-AAEA-C4BECAF94F3F}: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CE88C533-F6F2-4740-9BF2-A0310248A43D}: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.129.33.2 10.129.5.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.129.33.2 10.129.5.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
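An added example, not part of this thread or of SmitfraudFix itself: a small Python script that splits a SmitfraudFix report into its »»» sections and lists the entries a helper reads first (hosts additions, anything under AppInit_DLLs, a Winlogon Userinit that differs from the stock XP value, and resolvers that are neither on the LAN nor on a trusted list). The sample report and the trusted-resolver list are constructed for the demo.

```python
import ipaddress
import re

# Constructed sample in the SmitfraudFix report layout (not the thread's own log);
# 203.0.113.9 is a documentation-range address standing in for an unknown resolver.
SAMPLE_LOG = """»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]
"Userinit"="C:\\\\WINDOWS\\\\system32\\\\userinit.exe,"
»»»»»»»»»»»»»»»»»»»»»»»» DNS
DNS Server Search Order: 192.168.0.1
DNS Server Search Order: 203.0.113.9
»»»»»»»»»»»»»»»»»»»»»»»» End
"""

SECTION_RE = re.compile(r"^»+\s*(.+)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# RFC 1918 ranges: a home router handing out its own address as resolver is normal.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Stock Windows XP value exactly as the report prints it (backslashes doubled).
EXPECTED_USERINIT = '"Userinit"="C:\\\\WINDOWS\\\\system32\\\\userinit.exe,"'


def split_sections(text):
    """Map each »»» header to the non-empty lines beneath it, minus the warning banner."""
    sections, name = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1).strip()
            sections[name] = []
        elif name and line.strip() and not line.startswith("!!!"):
            sections[name].append(line.rstrip())
    return sections


def review(text, trusted_dns=()):
    """List what a helper reads first: hosts, AppInit_DLLs, Userinit and resolvers."""
    s = split_sections(text)
    findings = ["hosts: " + l for l in s.get("hosts", [])]
    findings += ["AppInit_DLLs: " + l for l in s.get("AppInit_DLLs", [])]
    for l in s.get("Winlogon", []):
        if l.startswith('"Userinit"') and l != EXPECTED_USERINIT:
            findings.append("Winlogon: unexpected " + l)
    for ip in sorted(set(IP_RE.findall("\n".join(s.get("DNS", []))))):
        if ip not in trusted_dns and not any(ipaddress.ip_address(ip) in n for n in LAN_NETS):
            findings.append("DNS: resolver %s is not on the LAN or the trusted list" % ip)
    return findings
```

Run `review(open("rapport.txt", encoding="utf-8").read(), trusted_dns={...})` with your ISP's resolvers in the trusted set; an empty list means none of these four checks fired, not that the machine is clean.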