Jump to content


Photo

Help with Trojan virus!


  • Please log in to reply
1 reply to this topic

#1 redgrape

redgrape

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 01 July 2004 - 08:49 PM

Hi can anyone help me please? I've spent all day trying to kill this trojan! I've downloaded ad-adware, spybot and trojan horse all to no avail. I really need to get rid of it. It's the one where it keeps changing my web browser to about:blank. And puts links into my favorites for internet Adult porn sites. It has disabled my Windows Media player. I even tried to download CoolWebShredder but the system trojan detected it and stopped it from running b/c it knew it could get rid of it!! What a nasty bugger!! Here is my hijackthis log if anyone can be of help! :) Thx!!

Logfile of HijackThis v1.97.7
Scan saved at 9:06:27 PM, on 7/1/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\ati2plab.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
e:\PROGRA~1\Navnt\navapsvc.exe
e:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
e:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\PRPCUI.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\mjfect.exe
C:\Program Files\AIM95\aim.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
E:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\Program Files\Navnt\NAVAPW32.EXE
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\bdbasew.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\catsrv.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CPE3456J\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homep...rt.cgi?new-hkcu
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [NPS Event Checker] e:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [zcxvwxxui] C:\WINNT\system32\mjfect.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [bdbasew] C:\WINNT\system32\bdbasew.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [catsrv] C:\WINNT\system32\catsrv.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\RunOnce: [DeleteSlotchBar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\ISTbar\istbar.dll"
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 2000 Series.lnk = E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = E:\Program Files\Navnt\NAVAPW32.EXE
O4 - Global Startup: officejet 6100.lnk = E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7895.4409259259
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://www.globalcha...ent/msichat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab

#2 Scoff

Scoff

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 294 posts

Posted 08 July 2004 - 06:38 AM

Hi redgrape

Do you mean that you were prevented from the running cwshredder after downloading it? If so then download PepiMK's CoolWWWSearch.SmartKiller removal tool first and run it. After it does its job, CWShredder and HijackThis will run properly. Do this here http://www.safer-net...es/delcwssk.zip

If you mean you were prevented from downloading cwshredder in the first place then try it from this location http://209.133.47.12.../CWShredder.exe

Then run the program, select 'fix' (not scan only) and let it fix everything that it finds.

Go to TrendMicro and perform an online virus scan. Let it fix anything that it finds. Do the same at Pandasoftware.

In start > control panel > add or remove programs - make sure you have change or remove programs selected in the sidebar and highlight the following programs and uninstall them if they exist.

MS AUpdate
IST Bar


You are running an outdated version of HiJackThis, please download HijackThis v1.98 here.
Unzip to a convenient permanent folder, as you currently have it in a temp folder, for example: C:/HiJackThis/HiJackThis.exe

Close all other windows except for hijackthis, perform a scan and put a check against the following items and click 'fix checked'.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homep...rt.cgi?new-hkcu
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll

O4 - HKLM\..\Run: [zcxvwxxui] C:\WINNT\system32\mjfect.exe
O4 - HKLM\..\Run: [bdbasew] C:\WINNT\system32\bdbasew.exe
O4 - HKCU\..\Run: [catsrv] C:\WINNT\system32\catsrv.exe
O4 - HKCU\..\RunOnce: [DeleteSlotchBar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\ISTbar\istbar.dll"

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab


Reboot your computer

Now reboot your computer and start in safe mode. To do this, press the F8 key repeatedly as the computer starts up until you see a menu screen (if Windows starts normally, restart it again). Use the arrow keys to highlight "Safe Mode" and press Enter. For further information on safe mode click here

Make sure you have all hidden files shown

Delete the following entries:
Files
C:\WINNT\system32\mjfect.exe
C:\WINNT\system32\bdbasew.exe
C:\WINNT\system32\catsrv.exe


Folders
C:\Program Files\ISTbar

Reboot normally

Your operating system/internet explorer is not up to date, its important that you go to the windows update page to check for all updates, download and install all marked "critical".

Post a fresh log so we can check everything has been cleaned and we'll see about windows media player.

These items are considered to be resource hogs that are not needed and it may be worthwhile to fix them with HJT. You will still be able to start them manually if you need them...

O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE


You have RealPlayer running at Startup and this is not necessary. You can fix this with HJT, but you will also need to set it not to load in RealPlayer itself to keep it from resetting itself. Rename or REALSCHED.EXE to REALSCHED.OLD as that is the only way to make absolutely certain that it never runs, and RealOne Player works fine without it.

Then fix with HJT

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Regards
Scoff

We've heard that a million monkeys at a million keyboards could produce the complete works of Shakespeare; now, thanks to the Internet, we know that is not true. - Robert Wilensky




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button