Jump to content

libupd~1.exe


Guest ellas
 Share

Recommended Posts

Guest Gladiator

I am just making an update - because i am including the detection of netdevil trojans.....

and it looks like you have this nasty - so post your scan report here (all 4 pages) and we will see.

After this you need to download the update if i am ready

Link to comment
Share on other sites

  • Replies 181
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Posted Images

Guest Gladiator

Lets finish this scan - after this post here the report and then you can shut down kernel32.dlI

OHHHHHHHHHH

Moment.....

You are making a default system scan ?

If this is finish go to advanced options -> click on custom drives and folders then select "C:\Windows" and press on "SET PATH".

After this pick from the GAV Menu the point "Custom Scan (all files) :)

Link to comment
Share on other sites

Guest CalamityJane

p2ccolo

You should have gotten a report at the end of the scan showing what was found - if you still have that open on your screen you can copy & paste the text to here.

If you do not have that report still showing on your screen you can go to your Programs Folder, find the Gladiator Folder and look for a Reports Folder in there. You should see a file named Report.HTML and open it. It should be from this latest scan and you can copy and paste here.

Link to comment
Share on other sites

Guest CalamityJane

Actually, it might be helpful to post all of the text to show what files were scanned. I pulled up an older one of mine ....that looks like this:

Gladiator AntiVirus XXL

Interface Version: 1.0.0 Engine Version: 0.8.5 Pattern Version: 0.6.1

--------------------------------------------------------------------------------

Scan Report (12/29/02 at 9:09:16 AM )

--------------------------------------------------------------------------------

Eicar-Test-Signature C:\Program Files\Juno\USER0000\mailbox.bdb

FunLove.4099 C:\WINDOWS\Temporary Internet Files\Content.IE5\OP2R8XY3\viruslist[1].html

Eicar-Test-Signature C:\unzipped\eicar_com\eicar.com

--------------------------------------------------------------------------------

Scanned Folders : 1903

Scanned Files : 51678

Runtime-Packed : 6

Archive-Packed : 379

Infections found: 3

Warnings found : 2

Link to comment
Share on other sites

Guest CalamityJane

I have Win98, the reports on my machine are at:

C:\Program Files\Gladiator Scanner\REPORTS\REPORT.HTML

I couldn't find Gladiator online, but will leave a message for him in case he comes back on.

You might want to take the time to go back and do another online scan at Symantec or Panda to see if anything comes up there (with System restore disabled this time). I know the online Symantec scan doesn't scan compressed files so Panda might be better.

http://www.pandasoftware.com/activescan/co...n_principal.htm

Also, did you download and run Spybot S&D (after getting the updates?)

Link to comment
Share on other sites

Guest CalamityJane

Ok - just add the stuff you missed at the bottom ....says number of files scanned etc.:

(something like this)

Scanned Folders : 1903

Scanned Files : 51678

Runtime-Packed : 6

Archive-Packed : 379

Infections found: 3

Warnings found : 2

Link to comment
Share on other sites

It looks like you have a trojan still onboard Backdoor assasin, I found this little bit on it , will explain why Norton F/wall didn't do you much good, also i recommend you change all of your passwords when we have got rid of it.

The trojan copies itself to the %WinDir% directory as MS SPOOL32.EXE and a registry run key is created to load the server at startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\

Run\AntivirusAss=C:\WINDOWS\MS SPOOL32.EXE

TCP Port 5695 is opened (though this is configurable through the trojan client) and a notification message is sent via ICP Pager, MSN Messenger, and a remote PHP page. This message contains the victim's IP Address, server password, computer name, and Windows username. A file, MS SPOOL32.DAT is saved to the %WinDir%. This file contains a list of executable filename. A file, MS SPOOL32k.DAT is saved to the %WinDir%. This file contains keylogging information (typed keystrokes and corresponding Window titles). The trojan also stores information in several registry keys using a random key. Such as:

HKEY_LOCAL_MACHINE\Software\KU(QBX\Q\EU%T[EFN74+FZB

The server allows an attacker to perform the actions described in the Client component section of this description.

Client component

By connecting to the port opened by the trojan server, a remote attacker can use the trojan client to access the remote machine. Once connected, the attacker can perform these various functions:

Turn on the victim's Webcam and view the output

Capture screen shots

Send messages to the screen

Manage files and folders (upload, download, delete, rename)

Send keystrokes to certain or all Windows

Open additional server ports

Get system information

Get visited websites and Internet Explorer security settings

Open specified URLs

Update the server component

Change the registry run key

Change ICQ number to notify

Change PHP page to send notification to

Change trojan server password

Log typed keystrokes

View and terminate running processes

Edit the registry

Add/Remove network shares and mapped drives

Open/close CD-ROM

Hide/show desktop icons

Hide/show Start Menu

Hide/show system clock

Hide/show taskbar

Turn on/off monitor

Turn on/off NUM and or CAPS lock

Disable, enable, kill firewall programs

A nasty piece of work this one

Link to comment
Share on other sites

Guest Gladiator

123120.dat seems to be a dropper or something - that means it has the backdoor inside and is the possible start-point of your problems.

You can join different exe file together and during you execute (for instance a game) it installs in the background the backdoor/virus.

.DAT files are normaly *NEVER* UPX compressed --> as you can see GAV detects this s*** :)

Link to comment
Share on other sites

Guest Gladiator

Send me the following files via email to [email protected]

UPX Runtime packed: C:\dialler.exe

UPX Runtime packed: C:\Documents and Settings\me\Desktop\o.exe

UPX Runtime packed: C:\WINDOWS\system32\MNCPrgBr.OCX

UPX Runtime packed: C:\WINDOWS\system32\ActiveScan\qrvkrn.dll

C:\Program Files\sc480sxu_winxp_full.exe

C:\WINDOWS\inetconf.exe

C:\WINDOWS\winampw.exe

AND: This kernel32.dlI i need

Note: its "I" at the end not L

so make a search for this file and turn "hidden+system" on (folder options)

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue. Privacy Policy