
Yeakukz infection with bestfriends.scr


16 replies to this topic

#1 psychophreak

  • Members
  • 8 posts
  • Location:NJ

Posted 27 October 2004 - 04:46 PM

Girlfriend's friend had an away message up last night to the above screen saver/trojan. I cleaned best I could with adware, spybot, virusscan, and it "appears" that everything is out, however when I go to ANY webpage I get the IE security bar saying it has restricted this file from showing active content that could access my computer. If I can get rid of this I'll be a happy man. HJT log below.

---------log--------

Logfile of HijackThis v1.98.2
Scan saved at 5:37:55 PM, on 10/27/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINXP\System32\smss.exe
D:\WINXP\system32\winlogon.exe
D:\WINXP\system32\services.exe
D:\WINXP\system32\lsass.exe
D:\WINXP\system32\svchost.exe
D:\WINXP\System32\svchost.exe
D:\WINXP\system32\spoolsv.exe
D:\WINXP\Explorer.EXE
D:\Program Files\Synaptics\SynTP\SynTPLpr.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\WINXP\system32\atiptaxx.exe
D:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
D:\WINXP\system32\kmw_run.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
D:\WINXP\System32\Ati2evxx.exe
c:\Program Files\VPN Client\cvpnd.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\mcshield.exe
D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
D:\WINXP\System32\svchost.exe
D:\hjt\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SynTPLpr] D:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMS] D:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "D:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094497317443
O17 - HKLM\System\CCS\Services\Tcpip\..\{591C7CC2-D948-4E5E-B4A8-BF44C785F176}: Domain = rutgers.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA9BBE38-4D67-4090-A5F9-FBE3EB79890C}: Domain = rutgers.edu
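One triage step helpers apply to a log like the one above, written here as an added example (it is not HijackThis code and not part of the original thread): split the log into its sections and cross-check every O4 Run entry against the log's own "Running processes" list, noting which entries name a bare executable such as atiptaxx.exe rather than a full path, so the reader can confirm where that file actually lives. The sample log is constructed in the v1.98 format from entries in the thread plus one made-up entry that matches no process.

```python
"""Cross-check HijackThis O4 (Run key) entries against the log's own
'Running processes' list.  Added example, not HijackThis code; the sample
log is constructed in the v1.98 format, with one made-up entry."""
import re
from typing import Dict, List

SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
D:\WINXP\system32\atiptaxx.exe
D:\Program Files\Synaptics\SynTP\SynTPLpr.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SynTPLpr] D:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ConstructedExample] placeholder_not_in_log.exe
"""

SECTION_RE = re.compile(r"^(O\d+) - ")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Executable part of a Run command: optional quotes, ends at the first .exe/.scr/.com/.bat
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|scr|com|bat))"?(?:\s|$)', re.I)

def parse_log(text: str) -> Dict[str, List[str]]:
    """Split a HJT log into {'processes': [...], 'O2': [...], 'O4': [...], ...}."""
    out: Dict[str, List[str]] = {"processes": []}
    in_procs = False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif (m := SECTION_RE.match(line)):
            in_procs = False
            out.setdefault(m.group(1), []).append(line)
        elif in_procs:
            out["processes"].append(line)
    return out

def check_run_entries(parsed: Dict[str, List[str]]) -> List[dict]:
    """Per O4 entry: the executable it names, whether that is a bare file name
    (resolved via the search path at logon, so worth confirming), and which
    listed process(es) carry the same file name."""
    by_name: Dict[str, List[str]] = {}
    for proc in parsed["processes"]:
        by_name.setdefault(proc.rsplit("\\", 1)[-1].lower(), []).append(proc)
    results: List[dict] = []
    for m in filter(None, map(O4_RE.match, parsed.get("O4", []))):
        em = EXE_RE.match(m.group("cmd"))
        path = em.group("path") if em else m.group("cmd")
        results.append({"entry": m.group("name"), "path": path,
                        "bare_name": "\\" not in path,
                        "running_as": by_name.get(path.rsplit("\\", 1)[-1].lower(), [])})
    return results
```

An entry whose `running_as` list is empty is not proof of anything by itself (the program may simply not be running), but it is the one to look up by hand first.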


#2 12g

  • Members
  • 450 posts
  • Gender:Male
  • Location:Scotland

Posted 28 October 2004 - 12:30 AM

Hi,

Having a look.

#3 12g

  • Members
  • 450 posts
  • Gender:Male
  • Location:Scotland

Posted 28 October 2004 - 12:37 AM

Girlfriend's friend had an away message up last night to the above screen saver/trojan. I cleaned best I could with adware, spybot, virusscan, and it "appears" that everything is out,

Yes the log looks clean.


however when I go to ANY webpage I get the IE security bar saying it has restricted this file from showing active content that could access my computer. If I can get rid of this I'll be a happy man. HJT log below.

This is a new feature with XP SP2, if you right click on the security bar you will find more information and some options for you to set.

Please read this for future protection:


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
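The six Custom Level settings listed above are stored as DWORD values under the Internet zone key (zone 3) in the registry, so they can be audited without clicking through the dialog. As an added example that is not part of the post or of any BleepingComputer tool, here is a Python audit of a `reg export` of that key against the recommended values. The policy IDs (1001, 1004, 1201, 1607, 1800, 1804) are Microsoft's documented zone policy numbers and 0/1/3 mean Enable/Prompt/Disable; the export text below is constructed, not taken from the thread.

```python
"""Audit the Internet-zone ActiveX and frame settings from a `reg export`
of the zone key.  Added example, not BleepingComputer's or Microsoft's code.
The numeric value names are IE's documented zone policy IDs; SAMPLE_REG is constructed."""
import re
from typing import Dict, List, Tuple

ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
LEVEL = {0: "Enable", 1: "Prompt", 3: "Disable"}     # DWORD meanings in zone policies
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

# Policy ID -> (name shown in the Custom Level dialog, setting the post recommends)
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}

# Constructed sample export; 1004 and 1804 are deliberately left at Enable
# so the audit has something to report.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1607"=dword:00000001
"1800"=dword:00000001
"1804"=dword:00000000
"""

def parse_zone_values(reg_text: str, key: str = ZONE3_KEY) -> Dict[str, int]:
    """Return the DWORD values stored under `key` in a .reg export."""
    values: Dict[str, int] = {}
    current = None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == key and (m := VALUE_RE.match(line)):
            values[m.group("name")] = int(m.group("hex"), 16)
    return values

def audit_zone(values: Dict[str, int]) -> List[str]:
    """Report settings that are looser than recommended or not set explicitly."""
    findings: List[str] = []
    for pid, (label, want) in RECOMMENDED.items():
        have = values.get(pid)
        if have is None:
            findings.append(f"{label}: not set explicitly, zone default applies")
        elif have < want:   # 0 Enable < 1 Prompt < 3 Disable, so lower is more permissive
            findings.append(f"{label}: {LEVEL.get(have, have)} (recommended {LEVEL[want]})")
    return findings
```

The same key exists under HKEY_LOCAL_MACHINE when zone settings are enforced machine-wide; pass that path as `key` to audit an export of it.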

#4 psychophreak

  • Topic Starter
  • Members
  • 8 posts
  • Location:NJ

Posted 28 October 2004 - 08:36 AM

Thanks for looking and replying. I'm actually a tech support specialist, and know most of what you said already, plus I've read a lot of the other posts :thumbsup: I keep system restore disabled permanently on all my systems, so that shouldn't affect it. I know what the bar is, however when I right click it all I get is infobar help, or allow the program to install. It won't tell me what's causing it to pop up. I thought the log looked clean as well, I was hoping maybe I was missing something. I went through most of the IE security settings last night, keeping most at prompt, I'll check for settings I missed when I get home tonight. I'm running updated McAfee VScan Enterprise 8.0, and I've run both updated adaware and updated spybot S&D. I run a router with hardware firewall + ZA plus on my desktop. All patched up with windows update and office update...

However the bar still pops up with ANY website. Google, yahoo, you name it. So it has to be something running locally, but I'm not sure where else to look. I've scanned the registry here and there to look for odd files related to the infection, one that comes to mind that might ring a bell was mediapIayer.exe (they get cleverer and cleverer...) which I deleted at first and removed from the registry long before I started doing any scans. Checked all the add-in's that IE has, removed one or two odd looking ones there as well. Looked through msinfo at everything that runs in startup, and nothing suspicious there except for indigo something which I removed, however the bar still pops up. The problem is I know the infobar didn't used to popup from every single website. And listening to the little blip's every time I open a webpage can get quite annoying. Any other advice would be greatly appreciated. I'm thinking maybe it's some javascript or more likely an activex control, but I'm not sure what's prompting it to run at EVERY website. I'd reinstall IE if I could, but of course M$ won't let you do that because I already have a newer version installed than any of their downloads since it's patched up.

Thanks again
Phreak

Edited by psychophreak, 28 October 2004 - 08:40 AM.


#5 Grinler

    Lawrence Abrams
  • Admin
  • 43,388 posts
  • Gender:Male
  • Location:USA

Posted 28 October 2004 - 09:08 AM

Sorry to interject here, but curious about something. Can you give us a link to a screenshot of the screen with the bar?

#6 psychophreak

  • Topic Starter
  • Members
  • 8 posts
  • Location:NJ

Posted 28 October 2004 - 09:28 AM

By all means interject away :thumbsup: It's just the standard bar (same as file download prompt, which now when I want to download a file I have two menus, one for whatever's trying to install and one for file download) with the yellow shield with the exclamation point. When I get home to the laptop I'll one up you and give you a screenie with the bar and with the right click options (few as they are)

Again, thanks for the help here.

Edited by psychophreak, 28 October 2004 - 10:50 AM.


#7 psychophreak

  • Topic Starter
  • Members
  • 8 posts
  • Location:NJ

Posted 28 October 2004 - 01:15 PM

Here's the requested screenies. Standard stuff...

Posted Image
And if I click allow blocked content, the following prompt:
Posted Image

Edited by psychophreak, 28 October 2004 - 01:17 PM.


#8 Grinler

    Lawrence Abrams
  • Admin
  • 43,388 posts
  • Gender:Male
  • Location:USA

Posted 28 October 2004 - 02:15 PM

This is part of sp2.... You prob have a setting in the security options asking it to prompt when running signed activex controls or some other activex setting.

You should set it to prompt for signed, disable for unsafe/unsigned.

#9 psychophreak

  • Topic Starter
  • Members
  • 8 posts
  • Location:NJ

Posted 28 October 2004 - 03:56 PM

I know it's an SP2 setting, but there's no activex scripting that should be running/installing for EVERY web page, i.e. google, yahoo, etc. I can set it to prompt for everything here at work and it won't popup for EVERY page. I keep stressing ANY and EVERY webpage because I know that it obviously isn't being generated from the page I'm attempting to visit. It has to be something that's getting initiated locally, but I'm not sure where to find it. If you'd like, I can create a quick .html that has nothing in it but the text "hello world" and host it myself, and I'm sure the infobar will popup regardless.

By the way, I have a feeling it might be initializing from the registry keys trofkz.REG put in. Unfortunately I deleted the file before looking at it to see what actual keys it created. If anyone here has experience with this could they let me know what keys are created when that files is installed? If not, if anyone could find a copy of this file I can inspect it myself.

Thanks.

Edited by psychophreak, 28 October 2004 - 04:13 PM.


#10 12g

  • Members
  • 450 posts
  • Gender:Male
  • Location:Scotland

Posted 28 October 2004 - 04:32 PM

It might be a good idea to run this:

Download this file from here:

Getservice.zip
http://www.bleepingcomputer.com/files/spyware/getservice.zip

Extract the file to the c:\ drive. Then navigate to the c:\getservices and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad as a reply to this post.

#11 psychophreak

  • Topic Starter
  • Members
  • 8 posts
  • Location:NJ

Posted 29 October 2004 - 09:23 AM

Didn't get to run getservice yet, but it's definitely javascript related. I tried accessing my router last night and I get an error that I must use a java enabled browser, and that my current browser (IE) is NOT java capable. If I install the control, it loads up the router config just fine...

That give anyone any ideas?

#12 12g

  • Members
  • 450 posts
  • Gender:Male
  • Location:Scotland

Posted 29 October 2004 - 09:35 AM

I take it you have java permissions enabled in your Security Settings in Internet Options, to either low, med or high?

#13 psychophreak

  • Topic Starter
  • Members
  • 8 posts
  • Location:NJ

Posted 29 October 2004 - 01:00 PM

Went through all the security settings last night, even reset them to medium and then ran through them one by one. It still doesn't explain why it should be trying to run/install anything on such simple sites as google etc.

#14 12g

  • Members
  • 450 posts
  • Gender:Male
  • Location:Scotland

Posted 29 October 2004 - 01:06 PM

Ok, run me the Getservice, as posted previously.

#15 Nirvana

    In Utero
  • Members
  • 218 posts

Posted 29 October 2004 - 03:03 PM

I'm actually a tech support specialist


I keep system restore disabled permanently on all my systems


I'm also sorry to interject, but why would you have system restore permanently disabled????

And why the reluctance to run GetService?
"Computers are useless. They can only give you answers." - Pablo Picasso



