#76

I don't know if this is connected with the exploit, but over the weekend I noticed that my log files contained references to "/index.php". It looked to have been invoked from a number of my pages, which show up in the referer field.
I don't have an index.php file in any directory, and looking in both my ftp client and the cpanel file manager shows no sign of index.php in any directory. I also checked the pages that supposedly invoked index.php, but they were unchanged from what I had uploaded. I tried accessing (the nonexistent) index.php from my browser, and I got the correct 404 error page that correctly redirected to my home page (using the header, not a frame). The log entries showed a 200 return code, but a very small number of bytes transferred. I haven't seen any of these entries since Saturday.
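The pattern this post describes (a 200 status for a file that was never uploaded, a tiny body, and the site's own pages in the referer field) is something a site owner can sweep an access log for. The script below is an added example written for this thread, not code from the poster or from HostGator: it parses Apache combined-format lines, compares each successful request against a constructed inventory of the files actually deployed (`DEPLOYED`, an assumption), and groups the hits on paths that should not exist. The log lines and the example.com hostname are constructed to mirror the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format, the layout cPanel accounts normally produce.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed inventory (assumption): every path that was really uploaded.
DEPLOYED = {"/", "/index.html", "/about.html", "/images/logo.gif", "/404.html"}

# Constructed sample lines modelled on the post: /index.php was never uploaded,
# yet it answers 200 with a tiny body and the site's own pages as referer.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Sep/2006:09:14:02 -0500] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
192.0.2.10 - - [23/Sep/2006:09:14:05 -0500] "GET /index.php HTTP/1.1" 200 87 "http://www.example.com/index.html" "Mozilla/4.0"
192.0.2.22 - - [23/Sep/2006:09:20:11 -0500] "GET /about.html HTTP/1.1" 200 3310 "-" "Mozilla/4.0"
192.0.2.22 - - [23/Sep/2006:09:20:13 -0500] "GET /index.php?x=1 HTTP/1.1" 200 87 "http://www.example.com/about.html" "Mozilla/4.0"
198.51.100.7 - - [26/Sep/2006:11:02:40 -0500] "GET /index.php HTTP/1.1" 404 1204 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Sep/2006:11:05:01 -0500] "GET /images/logo.gif HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["path"] = urlsplit(rec["target"]).path  # drop any query string
    return rec


def phantom_hits(log_text: str, deployed, small_body: int = 512):
    """Group successful (2xx) requests for paths that are not in the deployed
    inventory. Returns {path: {"hits", "small", "referers", "ips"}}; "small"
    counts responses under small_body bytes, the shape the post describes.
    A 404 for a missing file is normal and is deliberately not counted."""
    out = defaultdict(lambda: {"hits": 0, "small": 0, "referers": set(), "ips": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not 200 <= rec["status"] < 300:
            continue
        if rec["path"] in deployed:
            continue
        entry = out[rec["path"]]
        entry["hits"] += 1
        if rec["bytes"] < small_body:
            entry["small"] += 1
        if rec["referer"] != "-":
            entry["referers"].add(rec["referer"])
        entry["ips"].add(rec["ip"])
    return dict(out)


if __name__ == "__main__":
    for path, info in phantom_hits(SAMPLE_LOG, DEPLOYED).items():
        print(f"{path}: {info['hits']} hits, {info['small']} with tiny bodies, "
              f"{len(info['ips'])} client IPs")
        for ref in sorted(info["referers"]):
            print("   referer:", ref)
```

The inventory check is the important part: a 200 for a path that is not on disk means something other than the uploaded files answered the request, which is exactly the question to raise with the host. On a real account, build `DEPLOYED` by walking the local copy of the site rather than typing it in.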

#77

On a client's computer infected during this crisis, I am finding a randomly named executable in the C:\WINDOWS\TEMP folder (always something like RY7FD9.EXE) along with another file always named the same: C:\WINDOWS\TEMP\Perflib_Perfdata_62c.dat

I see the executable in my process list, can kill it and delete it, but the Perflib_Perfdata_62c.dat file cannot be deleted. I've researched and found very little on this issue - most forums discussing the file are in another language =( I set the permissions on the folder C:\WINDOWS\TEMP\ to NO-ACCESS, and set HijackThis to delete the Perflib_Perfdata_62c.dat file, which worked on reboot, but then after setting the permissions back on C:\WINDOWS\TEMP\ the files returned on the next reboot. I've run McAfee, Trend Micro, Spybot, Ewido, and the Trojan.Vundo tool (which found something and claimed to remove it - maybe another item). I cannot see anything obvious in the HijackThis log, nor can I find anything in the Registry that is obvious - i.e.: Where the hell is this file being queued to load from??

Here is the HijackThis log:

BEGIN -----------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 7:26:22 PM, on 9/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\administrator.FUTUREFORWARD\Desktop\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe ] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = FUTUREFORWARD.local
O17 - HKLM\Software\..\Telephony: DomainName = FUTUREFORWARD.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = FUTUREFORWARD.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = FUTUREFORWARD.local
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
END -----------------------------------------------------------

Thanks for any help, suggestions
David Hunt
hostgator_forum@byrgius.com

#78

I have been following all of this very closely, as I host over a dozen sites for my clients on hostgator. I know at least one of the sites was affected, and their customers were infected. I use firefox, but went in with IE to try and find the problem. I was hoping my zone alarm (etc) would stop everything, but give me a log. I didn't get any obvious signs (popups, etc), but ever since then my computer is acting very strangely. Most significant are the large cpu spikes I continue to have, which causes a "pause" in processing every 10 to 20 seconds. Anyone else having this problem?
I have downloaded the latest updates for ZoneAlarm, Spybot, Ad-Aware, Ewido, AVG and SpywareBlaster. I've run it all, and it all says I'm clean. I tried Housecall, but every time I try it my browser shuts down with 18 mins left on the scan. I am not technically inclined enough to know how to read my logs. Can someone give me suggestions for what to try next? I will go ahead and purchase Kaspersky if I need to, but do I have to uninstall AVG first? Help!

#79

You can't run 2 AVs with real-time protection together, so it's best if you uninstall AVG first. Just be sure to save the registration key for AVG if you need to.

#80

I don't know about the executable file. It might possibly be the detritus of a long-ago installation of some program. Installers tend to do things like that, particularly in the TEMP directory.

#81

I downloaded and used HijackThis. Also got rid of the LXBdne.dll in the IE, Tools, Manage Add-ons, as well as a few other things HijackThis found. Disconnected my DSL plug during reboots. Haven't had a problem for a few hours now....

#82

Can't you just turn off background scanning on one? Yesterday I downloaded and installed AntiVir (was linked from forum) to back up my AVG. But I turn the AntiVir guard off, having heard of the conflict, using it for manual backup scans. I turn both off during online scans. Is this sufficient?

#83

I deleted it via HijackThis, DSL unplugged. Subsequent HijackThis scan showed it was gone and I confirmed in Windows Explorer:
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
I just re-booted - DSL on - checked Windows\System32 and WgaLogon.dll is back.

#84

http://labnol.blogspot.com/2006/04/w...n-genuine.html

#85

Good thing I was never infected. I just hope you upgraded the semi-dead servers too
__________________
sudo rm -rf /mnt/win32 ; sync ; dd if=/dev/random of=/mnt/win32/ooops bs=16384 ; sync
"Knowledge is Power, power corrupts, corruption is illegal. STOP LEARNING BEFORE YOU END UP IN JAIL!"

#86

WgaLogon removal straight from the MSKB: http://support.microsoft.com/kb/921914

#87

The {randomly named}.EXE keeps re-appearing each time I reboot, as well as finding it running in my process list - could be old junk, but it reminds me of spyware I've dealt with before. Unlike in the past where I've been able to track down how the file is being launched and snuff it (i.e., some startup process) - this one isn't showing up using any methods I'm familiar with =( I'm either missing a boot process in my search or a common file has been infected with something that the AVs can't see - which seems less likely...

#88

Now AVG finds this on my computer this morning:
Trojan horse Downloader.Generic2.QKH While opening c:\windows\system32\gebywvv.dll
Searches online for this reveal nothing. I've about had it with this issue and don't want to jeopardize any of the information on my computer. I think a format and re-install is in order but it is something I've been trying to avoid....

#89

I'm still having some problems with stuff re-appearing. But, here's what I've learned.
- Look in IE (Tools, Manage Add-ons). Is there a file named ????.DLL? Make note of the dll name.
- Run HijackThis. Look at the lines marked O2 & O20. Does the dll noted above appear? If so, this is a symptom.
- You need to delete all references to that dll. This means in system32, IE, registry, etc. I used VundoFix.exe to help.
I'm not sure my PC is clean. If I reboot, the process sometimes begins all over - with a new dll. Any additional suggestions would be welcome.
peter

#90

I followed Byrgius' directions and have not had a recurrence or indication of the trojan since completion.
O2 - BHO: (no name) - {2BD4658C-01DA-48CF-B40F-84E3EAEDF967} - C:\WINDOWS\system32\jkhhghf.dll
This is the one that showed up in my Manage Add-ons - msihcfg.dll - without any description, just the name in the list. Did a search on Google, no hits on the file name, so I started with that being suspect. I disabled it in IE, and then used HijackThis to delete on reboot - all this being done with no connection to the Internet. Did a new scan with HijackThis, which then appeared with some traces but no file - but it also still had
O20 - Winlogon Notify: msihcfg - C:\WINDOWS\SYSTEM32\msihcfg.dll
where the nasty was still launching itself every time the system rebooted. I then opened regedt32 and searched for both 2BD4658C-01DA-48CF-B40F-84E3EAEDF967 and jkhhghf.dll and removed all occurrences of entries for both search strings - especially where it was attached to the Winlogon. I then did another scan with HijackThis - no evidence of any trace of the file - rebooted the machine with a connection to the Internet and it has been clean since about 12:00 Eastern yesterday.
Thanks Byrgius

#92

It's back now so no problem. I think Microsoft won't let one get rid of it so easy. But that LXBdne.dll I disabled then deleted after going to IE, Tools, Manage Add-ons was a definite improvement. Computer still stable for now.

#94

Strike that, sorry. It was the gebyayy.dll my AVG removed.

#95

Can't find a link to it on the MS site, but it just got pushed to my machine.
c Cameron

#96

http://support.microsoft.com/kb/925568/en-us

#97

Any ideas where I can find the Manage Add-ons equivalent in Win2000, IE6?
|

#99

When I attempt to access my sites, I'm thrown to some Myfamily.com location. I've contacted HostGator. They said it had nothing to do with their servers. It is apparently something I've picked up on my computer, however involving my sites with HostGator.
isapi.dll?c=home&htx=loginfrontmember is appended to the end of my site URLs.

#100

Perhaps you can just point me to some software to help me clean it off my computer. The AVG isn't working. I'm going to try some of the other software mentioned in these posts. I'm adding my support transcript, perhaps someone else has had a similar problem.
Please wait for a HostGator operator to respond.
Welcome to HostGator Live Chat! You are now chatting with 'Rob'
Rob: Welcome to HostGator Live Chat, how may I assist you?
Vicki: I'm being redirected to Myfamily.com
Rob: http://www.deepcotton.com to Myfamily.com ?
Vicki: Okay, Rob. I've been trying to trying this virus redirect issue on the message board so I know this isn't as far fetched as you're attempting to make it sound. I just want to know what to do about it.
Vicki: trying to track
Rob: Do you experiment the same issue if you use another browser?
Vicki: Yes
Vicki: Both IE and Firefox
Rob: Have you tried using another computer?
Vicki: Not yet. But, I understand that you just did.
Rob: Yes .. and it worked fine.
Rob: Except for vwebster.com
Rob: that one didn't load.
Vicki: I thought the nameserver was having issues and changed it back to ns1.websitewelcome.com & ns2.websitewelcome.cojm
Vicki: But, it was having the same issues as deepcotton before the change.
Rob: so that is the problem with that one
Rob: update the name servers for that done.
Rob: one*
Vicki: okay
Vicki: I changed the nameservers back.
Vicki: I assume it will take a minute.
Vicki: This morning only vwebster was affected as well as a few other sites, now deepcotton is affected as well.
Rob: It will take actually a couple hours.
Vicki: ok
Vicki: So, I've been trying to track the virus problem on the message board, but I haven't gotten an email from hostgator or anything. What is going on? What do I need to do?
Rob: I do not think this issue is on the server end Vicki. As I said i could load your site just fine from my end.
Rob: Please load this page:
Rob: http://www.ztrer.com/
Vicki: So, are you telling me this has nothing to do with the message board comments about redirects that had to do with what was initially thought to be a virus on hostgator computers.
Rob: Yes .. the redirection was to another site
Rob: not to that one.
Rob: did you load that page?
Vicki: load what page
Rob: Please load this page:
Rob: http://www.ztrer.com/
Vicki: Nope
Vicki: I get Myfamily.com when I load that site.
Vicki: Actually, I get http://www.ztrer.com/isapi.dll?c=hom...ginfrontmember
Rob: do you see a place to put your domain name?
Vicki: No
Vicki: The isapi.dll?c=home&htx=loginfrontmember is attached to my sites hosted with hostgator.com
Rob: Well you definitely have a local problem.
Vicki: alrighty, Rob
Rob: I suggest that you scan your computer against malware/viruses etc.
Vicki: I did that Rob. Thank you, I think.
Rob: Please check it using another computer first and you will see what I am saying
Vicki: No, I get it Rob. It's happening on my system.
Rob: ok
Vicki: I will check with some of the people on the message board. Maybe they can help me.