• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
redgrape

Help with Trojan virus!

2 posts in this topic

Hi can anyone help me please? I've spent all day trying to kill this trojan! I've downloaded ad-adware, spybot and trojan horse all to no avail. I really need to get rid of it. It's the one where it keeps changing my web browser to about:blank. And puts links into my favorites for internet Adult porn sites. It has disabled my Windows Media player. I even tried to download CoolWebShredder but the system trojan detected it and stopped it from running b/c it knew it could get rid of it!! What a nasty bugger!! Here is my hijackthis log if anyone can be of help! :) Thx!!

 

Logfile of HijackThis v1.97.7

Scan saved at 9:06:27 PM, on 7/1/2004

Platform: Windows 2000 SP2 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\msdtc.exe

C:\WINNT\System32\ati2plab.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\llssrv.exe

e:\PROGRA~1\Navnt\navapsvc.exe

e:\PROGRA~1\Navnt\npssvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\inetsrv\inetinfo.exe

C:\WINNT\system32\Dfssvc.exe

C:\WINNT\Explorer.EXE

e:\PROGRA~1\Navnt\alertsvc.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\Atiptaxx.exe

C:\WINNT\system32\PRPCUI.exe

E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

E:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINNT\system32\mjfect.exe

C:\Program Files\AIM95\aim.exe

E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

E:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

E:\Program Files\Navnt\NAVAPW32.EXE

E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

E:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\WINNT\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINNT\system32\bdbasew.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINNT\system32\catsrv.exe

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CPE3456J\HijackThis[1].exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homepage-network.com/start.cgi?new-hkcu

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

O4 - HKLM\..\Run: [NPS Event Checker] e:\PROGRA~1\Navnt\npscheck.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [zcxvwxxui] C:\WINNT\system32\mjfect.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"

O4 - HKLM\..\Run: [bdbasew] C:\WINNT\system32\bdbasew.exe

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [catsrv] C:\WINNT\system32\catsrv.exe

O4 - HKLM\..\RunOnce: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O4 - HKCU\..\RunOnce: [DeleteSlotchBar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\ISTbar\istbar.dll"

O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: hp psc 2000 Series.lnk = E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = E:\Program Files\Navnt\NAVAPW32.EXE

O4 - Global Startup: officejet 6100.lnk = E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

O9 - Extra button: AIM (HKLM)

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/125a3a50112e6a28b423/...ip/RdxIE601.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7895.4409259259

O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://www.globalchat.com/custom/nativeclient/msichat.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Template...nloads/outc.cab

Share this post


Link to post
Share on other sites

Hi redgrape

 

Do you mean that you were prevented from the running cwshredder after downloading it? If so then download PepiMK's CoolWWWSearch.SmartKiller removal tool first and run it. After it does its job, CWShredder and HijackThis will run properly. Do this here http://www.safer-networking.org/files/delcwssk.zip

 

If you mean you were prevented from downloading cwshredder in the first place then try it from this location http://209.133.47.12/~merijn/files/CWShredder.exe

 

Then run the program, select 'fix' (not scan only) and let it fix everything that it finds.

 

Go to TrendMicro and perform an online virus scan. Let it fix anything that it finds. Do the same at Pandasoftware.

 

In start > control panel > add or remove programs - make sure you have change or remove programs selected in the sidebar and highlight the following programs and uninstall them if they exist.

 

MS AUpdate

IST Bar

 

You are running an outdated version of HiJackThis, please download HijackThis v1.98 here.

Unzip to a convenient permanent folder, as you currently have it in a temp folder, for example: C:/HiJackThis/HiJackThis.exe

 

Close all other windows except for hijackthis, perform a scan and put a check against the following items and click 'fix checked'.

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homepage-network.com/start.cgi?new-hkcu

R3 - Default URLSearchHook is missing

 

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll

 

O4 - HKLM\..\Run: [zcxvwxxui] C:\WINNT\system32\mjfect.exe

O4 - HKLM\..\Run: [bdbasew] C:\WINNT\system32\bdbasew.exe

O4 - HKCU\..\Run: [catsrv] C:\WINNT\system32\catsrv.exe

O4 - HKCU\..\RunOnce: [DeleteSlotchBar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\ISTbar\istbar.dll"

 

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/125a3a50112e6a28b423/...ip/RdxIE601.cab

 

Reboot your computer

 

Now reboot your computer and start in safe mode. To do this, press the F8 key repeatedly as the computer starts up until you see a menu screen (if Windows starts normally, restart it again). Use the arrow keys to highlight "Safe Mode" and press Enter. For further information on safe mode click here

 

Make sure you have all hidden files shown

 

Delete the following entries:

Files

C:\WINNT\system32\mjfect.exe

C:\WINNT\system32\bdbasew.exe

C:\WINNT\system32\catsrv.exe

 

Folders

C:\Program Files\ISTbar

 

Reboot normally

 

Your operating system/internet explorer is not up to date, its important that you go to the windows update page to check for all updates, download and install all marked "critical".

 

Post a fresh log so we can check everything has been cleaned and we'll see about windows media player.

 

These items are considered to be resource hogs that are not needed and it may be worthwhile to fix them with HJT. You will still be able to start them manually if you need them...

 

O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE

 

You have RealPlayer running at Startup and this is not necessary. You can fix this with HJT, but you will also need to set it not to load in RealPlayer itself to keep it from resetting itself. Rename or REALSCHED.EXE to REALSCHED.OLD as that is the only way to make absolutely certain that it never runs, and RealOne Player works fine without it.

 

Then fix with HJT

 

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0