| Thread ID: 64788 | 2005-12-28 04:29:00 | antonye....Trojan????? | ojos (3168) | Press F1 |
| Post ID | Timestamp | User |

| 416172 | 2005-12-28 04:29:00 | ojos (3168) |

Girlfriend has a Toshiba Satellite laptop. Yesterday she opened an email that looked like she had sent it to herself (sigh). The attachment was a file "foto 2315", which she clicked on (sighhhhhh). Since then the machine is nearly useless: very few programmes will open, the anti-virus programme will not run, and it cannot connect to the internet. I ran a search of all files created since this morning and came across a series of files: antonye.zip, antonye.exe, Foto 2315.exe, a temp folder for antonye 1, foto2315.exe.pf in C:\Windows\Prefetch, and so on. It also looks as if some registry files have been created, but I don't know enough about them to touch them. This sounds like a variant of Sircam. The Toshiba seems to boot straight into Windows XP Pro, so hitting F8 to go into Safe Mode doesn't work. There seems to be no mention of this on the net. Can anyone help please?

regards, Ojos
| 416173 | 2005-12-28 04:40:00 | Speedy Gonzales (78) |

I would get HijackThis (www.merijn.org/files/hijackthis.zip) from here (www.spywareinfo.com/~merijn/). Then unzip it into its own folder. Then run HijackThis, scan, and copy and paste the log here.

Or get this (download.ewido.net/ewido-setup.exe) from here (www.ewido.net/en/download/).

Or get this (dl.filekicker.com/send/file/168259-1P80/trsetup.exe) from here (www.simplysup.com/tremover/download.html).

And somehow put one of these on hers. Or somehow get her to send the HijackThis log to you (or put it on a floppy or something), so you can post it here.
| 416174 | 2005-12-28 23:15:00 | ojos (3168) |

Thank you. I got the hijack programme and ran it. (Yesterday I deleted the files in the user/temp folder, which included some antonye files.) Here is the latest log:

Logfile of HijackThis v1.99.1
Scan saved at 11:27:54, on 29/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\WINDOWS\System32\winlog.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\winlog.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\John Twhigg\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtra.co.nz/
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.co.nz); (C:\Documents and Settings\John Twhigg\Application Data\Mozilla\Profiles\default\hiwe496e.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\John Twhigg\Application Data\Mozilla\Profiles\default\hiwe496e.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [anti_troj] C:\WINDOWS\System32\anti_troj.exe
O4 - HKLM\..\Run: [key2] C:\WINDOWS\System32\winlog.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [anti_troj] C:\WINDOWS\System32\anti_troj.exe
O4 - HKCU\..\Run: [key2] C:\WINDOWS\System32\winlog.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E80EF4C-1D0D-4C83-A06D-7C8E530258C4}: NameServer = 202.27.184.3,202.27.184.5
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

regards, Ojos
| 416175 | 2005-12-28 23:36:00 | godfather (25) |

Oh dear. A quick look shows these to be nasties....

O4 - HKLM\..\Run: [anti_troj] C:\WINDOWS\System32\anti_troj.exe
O4 - HKLM\..\Run: [key2] C:\WINDOWS\System32\winlog.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [anti_troj] C:\WINDOWS\System32\anti_troj.exe
O4 - HKCU\..\Run: [key2] C:\WINDOWS\System32\winlog.exe

This one can be legit or a virus depending on its location, and it appears to be located in the correct place, but why it's running twice is a mystery:
C:\WINDOWS\System32\wuauclt.exe
| 416176 | 2005-12-28 23:39:00 | tweak'e (69) |

Sounds like the Trojan.Lodear that's been doing the rounds.
| 416177 | 2005-12-29 00:45:00 | Pancake (6359) |

Hi. It may help to print out or copy this page, as you will be working in Safe Mode. Make sure to work through the fixes in the exact order listed. Download any of the required programs before attempting to start any of the fixes. Please do NOT run HijackThis in a TEMPorary folder or on the Desktop. I recommend C:\Program Files\HJT\

SHOW HIDDEN FILES AND FOLDERS
To show hidden files (WinXP):
Double-click My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
------------------------------------------------------------------
Files highlighted in BLACK will need to be removed from your hard drive.
------------------------------------------------------------------
Download the trial version of Ewido Security Suite (www.ewido.net/en/download/). When installing, under "Additional Options" uncheck "Install Background Guard" and "Install scan via context menu".
Launch Ewido Security Suite (there should be an icon on your desktop; double-click it). The program will now go to the main screen.
You will need to update Ewido to the latest definition files. On the left hand side of the main screen click Update and then click on Start Update. The update will start and a progress bar will show the updates being installed. If you have problems with the updater, you can use this link to manually update Ewido: www.ewido.net/en/download/updates/
Do not run a scan yet.
When you have done this, boot into Safe Mode (restart your PC and keep tapping F8 while it restarts).
Run Ewido Security Suite now. Click on Scanner and click Complete System Scan and the scan will begin. During the scan it will prompt you to clean files; click OK.
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose Clean and click OK.
When the scan is finished, click the Save report button at the bottom of the screen. Save the report to your desktop and close Ewido Security Suite. Post the log back here with your next HJT log.
-----------------------------------------------------------------------
Please start by going into SAFE MODE. During reboot, tap the F8 key. Select Safe Mode and then run HijackThis.
------------------------------------------------------------------
Go into HijackThis -> Config -> Misc. Tools -> Open process manager. Select the following exe files and click End Process for each one if they are listed:
winlog.exe
anti_troj.exe
wserv32.exe
------------------------------------------------------------------
Have HijackThis fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [anti_troj] C:\WINDOWS\System32\anti_troj.exe
O4 - HKLM\..\Run: [key2] C:\WINDOWS\System32\winlog.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [anti_troj] C:\WINDOWS\System32\anti_troj.exe
O4 - HKCU\..\Run: [key2] C:\WINDOWS\System32\winlog.exe
------------------------------------------------------------------
Open Windows Explorer and delete the following highlighted file/s. Also delete the following red folder/s:
C:\WINDOWS\System32\winlog.exe
C:\WINDOWS\System32\anti_troj.exe
C:\WINDOWS\System32\wserv32.exe
-------------------------------------------------------------------
When finished please post a new log......
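An added example, not part of this thread and not HijackThis code: the triage godfather did by eye on the O4 lines of the posted log, and the kill / fix-checked / delete sequence Pancake laid out, written as a small Python script. The O4 sample inside it is a constructed subset copied from the posted log. Everything else is the editor's own assumption: the scoring signals and the threshold of 2, the expansion of HijackThis's abbreviated `HKLM\..\Run` keys to the real `Software\Microsoft\Windows\CurrentVersion` path, the assumption that a bare filename such as `wserv32.exe` sits in System32 (the same assumption Pancake's delete list makes), and the cmd.exe commands it drafts (taskkill and reg ship with XP Professional but taskkill is absent from XP Home).

```python
"""Triage HijackThis O4 (autostart) entries and draft an XP cleanup plan.

Added example; not from the thread or from HijackThis. SAMPLE_O4 is a
constructed subset copied from the HijackThis 1.99.1 log posted above. The
scoring heuristics, the threshold and the command generation are the editor's
own. Bare filenames (no directory) are assumed to live in System32, the same
assumption the thread's fix instructions make.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [anti_troj] C:\WINDOWS\System32\anti_troj.exe
O4 - HKLM\..\Run: [key2] C:\WINDOWS\System32\winlog.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [anti_troj] C:\WINDOWS\System32\anti_troj.exe
O4 - HKCU\..\Run: [key2] C:\WINDOWS\System32\winlog.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
"""

# Genuine Windows XP binaries that are normally started by name alone.
KNOWN_WINDOWS = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "userinit.exe",
    "rundll32.exe", "ctfmon.exe", "wuauclt.exe",
}

@dataclass(frozen=True)
class Entry:
    key: str   # HijackThis's abbreviated key, e.g. HKLM\..\Run, or Global Startup
    name: str  # registry value name, or the .lnk name for a Startup folder item
    cmd: str   # command line exactly as logged

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): (?P<rest>.+)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Unquoted image: everything up to the first executable-looking extension.
IMAGE_RE = re.compile(r"(?i)^(.+?\.(?:exe|com|scr|bat|pif))(?=\s|$)")

def parse_o4(text):
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        key, rest = m.group("key"), m.group("rest")
        if "Startup" in key:            # Startup-folder shortcut: "name.lnk = target"
            name, _, cmd = rest.partition(" = ")
        else:                           # registry value: "[name] command"
            r = RUN_RE.match(rest)
            if not r:
                continue
            name, cmd = r.group("name"), r.group("cmd")
        entries.append(Entry(key, name, cmd.strip()))
    return entries

def image_path(cmd):
    """Executable part of a logged command line, quoted or not."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)
    return m.group(1) if m else (cmd.split() or [""])[0]

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def edit_distance(a, b):
    """Levenshtein distance, used to catch names that mimic system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(entries, threshold=2):
    """Return (entry, score, reasons) for entries scoring at or above threshold.
    Heuristic: it lists candidates to confirm against the process list and file
    dates, not verdicts. A legitimate program registered for both machine and
    user would also pick up the multi-key signal on its own."""
    keys_per_image = defaultdict(set)
    for e in entries:
        keys_per_image[basename(image_path(e.cmd))].add(e.key)
    flagged = []
    for e in entries:
        img = image_path(e.cmd)
        base = basename(img)
        known = base in KNOWN_WINDOWS
        bare = not re.search(r"[\\/]", img)
        score, reasons = 0, []
        if bare and not known:
            score += 1; reasons.append("bare filename, resolved by PATH search")
        if re.search(r"microsoft|windows", e.name, re.I) and not known:
            score += 2 if bare else 1
            reasons.append("Microsoft-sounding name on a non-Windows image")
        if not known:
            near = sorted(k for k in KNOWN_WINDOWS if edit_distance(base, k) <= 2)
            if near:
                score += 2; reasons.append(f"lookalike of {near[0]}")
        if len(keys_per_image[base]) >= 2:
            score += 2
            reasons.append(f"same image under {len(keys_per_image[base])} autostart keys")
        if "RunServices" in e.key:
            score += 1; reasons.append("RunServices is a Win9x/Me key; NT-family Windows ignores it")
        if score >= threshold:
            flagged.append((e, score, reasons))
    return flagged

def cleanup_plan(flagged, system32=r"C:\WINDOWS\System32"):
    """cmd.exe commands mirroring the manual steps: kill, remove autostart value,
    delete file, in that order so the image is not locked when deleted. Startup
    folder .lnk files are not handled. Assumption: bare names live in System32."""
    kills, regs, dels = [], [], []
    for e, _, _ in flagged:
        img = image_path(e.cmd)
        kill = f"taskkill /F /IM {basename(img)}"
        if kill not in kills:
            kills.append(kill)
        if "\\..\\" in e.key:  # expand HijackThis's '..' to the real CurrentVersion path
            full = e.key.replace("\\..\\", "\\Software\\Microsoft\\Windows\\CurrentVersion\\")
            regs.append(f'reg delete "{full}" /v "{e.name}" /f')
        if not re.search(r"[\\/]", img):
            img = system32 + "\\" + img
        dele = f'del /f /a "{img}"'
        if dele not in dels:
            dels.append(dele)
    return kills + regs + dels

if __name__ == "__main__":
    hits = triage(parse_o4(SAMPLE_O4))
    for e, score, reasons in hits:
        print(f"{score}  {e.key}: [{e.name}] {e.cmd}\n      " + "; ".join(reasons))
    print("\n" + "\n".join(cleanup_plan(hits)))
```

Run it as is to see the seven flagged entries (wserv32.exe three times, anti_troj.exe and winlog.exe twice each) and the drafted commands; pass the text of a full saved HijackThis log to `parse_o4` instead of `SAMPLE_O4` to triage a real one. The signals are deliberately the ones a reviewer applies by eye: a bare filename found via PATH search, a vendor-sounding value name on an unknown image, a name two edits away from a real system binary (winlog.exe against winlogon.exe), the same image registered under several keys, and use of a Win9x-only key on an NT system.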
| 416178 | 2005-12-29 01:45:00 | ojos (3168) |

Trouble with the Toshiba Satellite portable. When starting, it doesn't seem to go through all the boot-up stuff other comps do. It says "Toshiba run" and then starts Windows. Pressing F8 furiously during boot-up doesn't get it to go into Safe Mode. How can we achieve Safe Mode on this model please?

regards,
| 416179 | 2005-12-29 01:49:00 | tweak'e (69) |

If you can get normal mode to run, go to Run > msconfig and tick Safe Mode. I can't remember if XP can give you a menu like 9x can.
| 416180 | 2005-12-31 04:29:00 | ojos (3168) |

Thank you all. Machine fixed and in running order. Your help is appreciated.

Ojos