
Trojan Horse


9 replies to this topic

#1 bridget


Posted 18 July 2004 - 09:59 AM

Hi. Apparently my PC is infected with a Trojan Horse :grrr: My homepage has changed and I can't reset it whatsoever, and I also get annoying pop-ups. I've run Norton but it's still there. Can anyone help me remove this? I'm sorry but I'm not really clued-up with computers and just really use it for email and internet. If anyone can help I'd really appreciate it. ;)

PS Is there really any way it can be removed without having to pay?! :p

#2 bridget


Posted 18 July 2004 - 11:51 AM

Can someone answer me please? I'm desperate ... :-(

#3 sundaypunch


Posted 18 July 2004 - 11:58 AM

I have the same problem and am awaiting help. I do know that you need to do a bit more to help yourself before you are likely going to get anyone to help you.

#1- Read the "sticky" notes at the top and go through all the steps to get rid of your problem (Ad Aware, CWS shredder, Hijack This, Spybot, etc.)

#2- If you still have the problem you need to post detailed info. about exactly what is happening and the steps you have already taken.

Good luck.

#4 bridget


Posted 18 July 2004 - 12:09 PM

Ok thanks. I've tried the usual Spybot, CWS - all of them and this problem won't go away.

The homepage that appears is: res://wuoal.dll/index.html#35759

I hate it - the worst thing is I've only just paid a lot of money for the PC - only had it a month... :blush:

Does anyone know if it's still safe to use to book holidays on and give Credit Card details? I'm worried about someone getting hold of my details.

thanks again.
B

#5 sundaypunch


Posted 18 July 2004 - 12:23 PM

I'm not the one to answer your questions. As I mentioned, I have the same problem. You should try the About:blaster program as well if you haven't. Personally, I wouldn't give any credit card info. until you get the problem fixed. You may have some kind of tracking program that could capture that info.

#6 rob12786


    Robert Velez


Posted 18 July 2004 - 01:06 PM

Please do this.
Download 'Hijack This!'. http://www.spywarein.../HijackThis.exe
Save it in a convenient permanent folder such as C:\HJT\, double click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential; don't fix anything yet.

#7 bridget


Posted 18 July 2004 - 01:53 PM

Hi Rob - here's the result of the scan.

Logfile of HijackThis v1.98.0
Scan saved at 19:52:20, on 18/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\d3qu32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\sdkno.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpyKiller\spykiller.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bridget Gardner\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wuoal.dll/sp.html#35759
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wuoal.dll/index.html#35759
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wuoal.dll/index.html#35759
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wuoal.dll/sp.html#35759
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wuoal.dll/sp.html#35759
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wuoal.dll/index.html#35759
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {153AF5DA-EFD3-6F8C-0B4C-4FB02091E83D} - C:\WINDOWS\system32\d3pm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sdkno.exe] C:\WINDOWS\sdkno.exe
O4 - HKLM\..\RunOnce: [d3qu32.exe] C:\WINDOWS\system32\d3qu32.exe
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15B981A8-2543-4328-9359-ABEB987F86A2}: NameServer = 194.74.65.85 194.72.9.44
O17 - HKLM\System\CS1\Services\Tcpip\..\{15B981A8-2543-4328-9359-ABEB987F86A2}: NameServer = 194.74.65.85 194.72.9.44
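
A way to triage a log like the one posted above, as an added example that is not part of the original thread or of HijackThis itself: it parses the `Xn - ...` entries and groups the Internet Explorer page settings (R0/R1) that load a `res://` page out of a local DLL, which is the form of the homepage reported in this thread. The function names are hypothetical, and the rule is an assumption that marks entries for review rather than giving a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wuoal.dll/sp.html#35759
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wuoal.dll/index.html#35759
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
R3 - Default URLSearchHook is missing
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
"""

# An entry line is a section code (R0, O4, O16, ...) followed by " - " and a body.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# res://<module>/<resource>; the module may be a bare name or a full path.
RES_URL = re.compile(r"^res://(?P<module>.+?\.dll)/", re.IGNORECASE)


def parse_entries(log_text):
    """Yield (code, body) per entry line; headers and process paths are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def res_page_settings(log_text):
    """Map DLL file name -> IE page settings (R0/R1) that load a res:// page from it."""
    hits = defaultdict(list)
    for code, body in parse_entries(log_text):
        # Only page settings; O8 context-menu items also use res:// and are ignored.
        if code not in ("R0", "R1") or " = " not in body:
            continue
        setting, value = body.split(" = ", 1)
        m = RES_URL.match(value.strip())
        if m:
            dll = m.group("module").replace("/", "\\").rsplit("\\", 1)[-1].lower()
            hits[dll].append(setting.rsplit(",", 1)[-1])
    return dict(hits)


if __name__ == "__main__":
    for dll, settings in res_page_settings(SAMPLE_LOG).items():
        print(dll, "->", ", ".join(settings))
```

Grouping by DLL name ties the bare `res://wuoal.dll/...` form and the full-path form to the same file, so one module shows up once with every setting that points at it.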

#8 bridget


Posted 19 July 2004 - 12:24 PM

I'm desperate - please help.
xx B

#9 jashac


Posted 19 July 2004 - 02:56 PM

Bridget,
I downloaded TrojanHunter, to which I found a link either on this forum or at ComputerCops. It, combined with Spybot, Ad-Aware, CWShredder, and PC Bug Doctor, did the trick for me.
I believe what you have is a new strain of Cool Web Share (thus CWShredder). It may be that the latest CWShredder will take care of it.

Good luck.
JashaC :gasp:

#10 jashac


Posted 19 July 2004 - 03:01 PM

You might also try this link and use hsremove (Home Search remove):
http://www.computerc...695.html#227695

good luck,
jashac



