| Author | Thread |
|
|
08/15/2007 01:53:14 AM · #1 |
It's called Forthgoer, a password stealer, and is on my desktop. I'm usually quite careful about things, but my kids are on this computer and who knows. Windows Defender catches it and removes it, but it keeps appearing so I must have some file running that keeps downloading it.
Anybody want to help spot something suspicious?
Logfile of HijackThis v1.99.1
Scan saved at 10:51:02 PM, on 8/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\THEFAM~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = //go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = //go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = //go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = //go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [wosa] C:\DOCUME~1\THEFAM~1\LOCALS~1\Temp\woso.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [yxxk0] C:\DOCUME~1\THEFAM~1\LOCALS~1\Temp\crasos.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://rs1.advancedmd.com/rs-current/components/smsx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - //update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162880780203
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - //www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - //www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - //a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - https://rs5.advancedmd.com/rs-current/components/RSClientPrint.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
Message edited by author 2007-08-15 01:53:29.
|
|
|
|
08/15/2007 01:58:34 AM · #2 |
I see the word microsoft pop up in there a few places. perhaps that has something to do with the security leak. that is just a guess though. :0
|
|
|
|
08/15/2007 02:07:15 AM · #3 |
This doesn't need to be in your reg..
O4 - HKLM\..\Run: [wosa] C:\DOCUME~1\THEFAM~1\LOCALS~1\Temp\woso.exe
Here's a link on how to get rid of that.
This looks suspect too.
O4 - HKCU\..\Run: [yxxk0] C:\DOCUME~1\THEFAM~1\LOCALS~1\Temp\crasos.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
You can also go here and run House Call, it works great for a free online scanner.
Message edited by author 2007-08-15 02:14:21.
|
|
|
|
08/15/2007 02:11:55 AM · #4 |
|
|
|
08/15/2007 02:21:27 AM · #5 |
this may not help in the here and now, but i work in IT and at home i have 4 computers networked and i run Norton Internet Security on all along with Spybot (free) I have yet to have any problems in the 5 years i have gone with this. Another good precaution is to get into your router setup and disable wan ping, may also be called internet ping or wan side ping.that basically keeps your pc's from answering when hackers are pinging around looking for open machines.
feel free to pm me wit any questions
J
|
|
|
|
08/15/2007 02:27:59 AM · #6 |
free anti virus -AVG
//free.grisoft.com/doc/2/
i would suggest running that, and possibly a spybot search & destroy.
(avail at download.com)
-----
so far, everything i've found online about the virus mentions Windows Defender as being the detector.. did you install this program? it sounds fishy to me. |
|
|
|
08/15/2007 02:35:58 AM · #7 |
Originally posted by SbR06:
free anti virus -AVG
//free.grisoft.com/doc/2/
i would suggest running that, and possibly a spybot search & destroy.
(avail at download.com)
-----
|
I concur on downloading the AVG. Even the FREE version is an incredible thing. At the Grisoft Site, you can also download the AVG Anti-Spyware or the security suite (probably named different than that) that AVG just bought and tweaked and they are sweet!
And, although I know this may create some grumbling... download and switch to Firefox as your browser. MSIE seems (to me anyway) to be wrought with problems. Firefox is free... and less susceptible to security issues. And... there are a whole lot of add-ons to make things fun.
Good luck!!
Message edited by author 2007-08-15 02:37:29.
|
|
|
|
08/15/2007 02:52:20 AM · #8 |
I heard once that it is best to run the ad/spyware and virus software after you do a safe boot, does this really make a difference?
Last week I ran adaware on a guys computer and found 462 (yes that number is correct) items. I deleted them and thought his system was clean but have to go back tonight to run spybot and see if we can find his problem. He said that after being on the internet (happens no matter what page he visits) for about 10 minutes he gets a ton of pop-ups and stuff that says HP update. |
|
|
|
08/15/2007 04:28:09 AM · #9 |
Originally posted by DrAchoo:
It's called Forthgoer, a password stealer, and is on my desktop. |
first prove to us that you're the real doc, and not someone who stole his password! |
|
|
|
08/15/2007 04:50:46 AM · #10 |
First, stop the following process;
C:\DOCUME~1\THEFAM~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
Then use regedit to delete these keys;
HKLM\..\Run: [wosa] C:\DOCUME~1\THEFAM~1\LOCALS~1\Temp\woso.exe
HKCU\..\Run: [yxxk0] C:\DOCUME~1\THEFAM~1\LOCALS~1\Temp\crasos.exe
Of course, that's no guarantee that the trojan won't just add the key straight back in! - It would be more thorough to run an anti-virus program to remove it. |
|
|
|
08/15/2007 05:02:20 AM · #11 |
Originally posted by sabphoto:
I heard once that it is best to run the ad/spyware and virus software after you do a safe boot, does this really make a difference?
Last week I ran adaware on a guys computer and found 462 (yes that number is correct) items. I deleted them and thought his system was clean but have to go back tonight to run spybot and see if we can find his problem. He said that after being on the internet (happens no matter what page he visits) for about 10 minutes he gets a ton of pop-ups and stuff that says HP update. |
a safe boot does a few good things, it doesn't allow access to the internet, and it only loads the drivers/applications that windows needs to operate.
personally, i think you need to configure your antivirus to run on next startup. what this does is it allows the antivirus program to run/scan/delete ... BEFORE any other application. this greatly increases your chances of getting rid of the infection. |
|
|
|
08/15/2007 05:13:12 AM · #12 |
Originally posted by jhonan:
First, stop the following process;
C:\DOCUME~1\THEFAM~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
Then use regedit to delete these keys;
HKLM\..\Run: [wosa] C:\DOCUME~1\THEFAM~1\LOCALS~1\Temp\woso.exe
HKCU\..\Run: [yxxk0] C:\DOCUME~1\THEFAM~1\LOCALS~1\Temp\crasos.exe
Of course, that's no guarantee that the trojan won't just add the key straight back in! - It would be more thorough to run an anti-virus program to remove it. |
found this information to clear up the WOSO trojan
//forums.spywareinfo.com/index.php?showtopic=99581
this is the only information i can find on crasos... however, i haven't used the software "advertised" on the site. i can't vouch for it.
//spywarefiles.prevx.com/RRHCFD34639595/crasos.html |
|
|
|
08/15/2007 06:28:09 AM · #13 |
Haven't had time to read all of this as I am off to work, but did anyone mention that the good Doc should turn off his system restore before he starts his scanning process, it could be that his virus is re-infecting his system with every start-up.
Ray
PS: I run Ad-Aware SE Personal, Spybot Search and Destroy for anti-spyware , and Avast and AVG for virus scanning and have encountered no problems to date.
Message edited by author 2007-08-15 06:32:39. |
|
|
|
08/15/2007 12:04:00 PM · #14 |
Thanks for the help guys. I think I'm getting on top of it. I'll have to see if it's there again when I get home. I used Dr-Fixit or something like that and it found two sources. I had also found the woso file myself on Hijackthis, but hadn't seen the other (crasos).
I'm embarassed for having one. I don't think I've had a virus on the computer since Virginia over 5 years ago.
|
|
|
|
08/15/2007 12:12:28 PM · #15 |
When I caught a trojan earlier this year, the only thing that could zap it was a McAfee and Spy Sweeper combo. Neither are free, but the free stuff didn't work.
|
|
|
|
08/15/2007 12:18:57 PM · #16 |
Originally posted by Rebecca:
When I caught a trojan earlier this year, the only thing that could zap it was a McAfee and Spy Sweeper combo. Neither are free, but the free stuff didn't work. |
I have the free version of AVG and Avast, and both of these have worked famously for me. I also visit Trend Micro on a weekly basis and take advantage of their free scanning programs.
Ray |
|
|
|
08/15/2007 12:29:09 PM · #17 |
Hmmmm...while you're busy housecleaning your computer, you may consider changing any passwords you use for online banking, ebay, amazon or any account that gives access to credit card information.
Just a thought...
::Edited because I never learned to spell...;-)::
Message edited by author 2007-08-15 12:29:32. |
|
|
|
08/15/2007 12:35:46 PM · #18 |
This doesn't look good:
C:\WINDOW\Sexplorer.exe
Oh, nevermind...I guess I read that wrong;)
C:\WINDOWS\explorer.exe
Seriously though, good luck getting rid of that trojan. |
|
|
|
08/15/2007 12:37:45 PM · #19 |
Just buy a new computer...that'll take care of it.
That is what my sister wanted to do when she got a virus, lol. |
|
|
|
08/15/2007 12:42:53 PM · #20 |
Icrontric (I think it used to be called short-media.com)
I used this site some time ago and experts at the site will review your log file and help you remove the bad stuff. Worked like a charm for me. Read the rules on posting log files/seeking help.
Message edited by author 2007-08-15 12:44:44. |
|
|
|
08/15/2007 01:01:31 PM · #21 |
Not as costly as a broken Trojan condom.
|
|
|
|
08/15/2007 01:15:51 PM · #22 |
| Also, in Spybot or Adaware there's an option relating to registry updates. I have it set up so I can deny any updates. (prompted) |
|
|
|
08/15/2007 01:16:50 PM · #23 |
Originally posted by rox_rox:
This doesn't look good:
C:\WINDOW\Sexplorer.exe
Oh, nevermind... I guess I read that wrong;) |
You dirty woman. That's why I like you. |
|
|
|
08/15/2007 01:26:42 PM · #24 |
the only anti-virus program i trust is Avast. i also use Adaware and i run CCleaner on a regular basis. that keeps everything virus free. :)
|
|
|
|
08/15/2007 01:33:05 PM · #25 |
Just a thought. If you have a router you may be able to block the port that the trojan uses.
Netstat -a will show your network connections
You could also alter your firewall settings to hopefully do the same thing
|
|
Home -
Challenges -
Community -
League -
Photos -
Cameras -
Lenses -
Learn -
Help -
Terms of Use -
Privacy -
Top ^
DPChallenge, and website content and design, Copyright © 2001-2025 Challenging Technologies, LLC.
All digital photo copyrights belong to the photographers and may not be used without permission.
Current Server Time: 03/13/2025 07:18:59 PM EDT.
