Compatible Support Forums
zoot

I have a trojan....

I have a trojan, and I can't get rid of it. I've tried Spybot, Norton, Webroot, Ad-Aware, etc., but nothing works. This is the log that HijackThis gave me:

 

Logfile of HijackThis v1.99.1
Scan saved at 11:50:21 AM, on 3/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\IC\Card Reader Driver v1.9e\Disk_Monitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\DOCUME~1\DANMEY~1\LOCALS~1\Temp\edpj.dat
C:\WINDOWS\System32\fxiegwfr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dan Meyers\My Documents\Unzipped\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B1EA5AB-7AA9-405E-8F22-C2CBBC2E76EA} - (no file)
O2 - BHO: (no name) - {14C2AA0E-5F2D-457E-98A8-2EBA0B9843E1} - (no file)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_76.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6642760E-E7B5-4520-9609-63727E0523B5} - (no file)
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
O2 - BHO: (no name) - {8729E6C2-F5A2-43AE-BEDF-9AAA9DAAF935} - (no file)
O2 - BHO: (no name) - {A05E656A-7ED9-406F-9424-2D3099B1860E} - (no file)
O2 - BHO: (no name) - {BDDC1C19-0397-4255-9AB6-D63B7D49BACF} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D1DD356C-9A3D-4AC4-9AA2-7A0B4ABF3CAF} - (no file)
O2 - BHO: (no name) - {DFE2AC35-90CF-41A2-AC0E-6A5C1C58D2E2} - (no file)
O3 - Toolbar: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e\Disk_Monitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Corel Network monitor worker - {A97B9BFB-FE59-49D4-ABA3-D79FBB9EB118} - C:\WINDOWS\System32\iegfxfrw.dll
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {A97B9BFB-FE59-49D4-ABA3-D79FBB9EB118} - C:\WINDOWS\System32\iegfxfrw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Corel Network monitor worker - {A97B9BFB-FE59-49D4-ABA3-D79FBB9EB118} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {A97B9BFB-FE59-49D4-ABA3-D79FBB9EB118} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5...b?1073052981437
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBBADA0E-445E-4E92-8BBA-49D2FAD3E4CC}: NameServer = 69.50.184.84,195.225.176.37
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

What should I delete?

 

Thanks.

 


Boot into Safe mode before you fix anything.

 

Originally posted by zoot:

C:\WINDOWS\NCLAUNCH.EXe
C:\DOCUME~1\DANMEY~1\LOCALS~1\Temp\edpj.dat
C:\WINDOWS\System32\fxiegwfr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0B1EA5AB-7AA9-405E-8F22-C2CBBC2E76EA} - (no file)
O2 - BHO: (no name) - {14C2AA0E-5F2D-457E-98A8-2EBA0B9843E1} - (no file)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_76.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6642760E-E7B5-4520-9609-63727E0523B5} - (no file)
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
O2 - BHO: (no name) - {8729E6C2-F5A2-43AE-BEDF-9AAA9DAAF935} - (no file)
O2 - BHO: (no name) - {A05E656A-7ED9-406F-9424-2D3099B1860E} - (no file)
O2 - BHO: (no name) - {BDDC1C19-0397-4255-9AB6-D63B7D49BACF} - (no file)
O2 - BHO: (no name) - {D1DD356C-9A3D-4AC4-9AA2-7A0B4ABF3CAF} - (no file)
O2 - BHO: (no name) - {DFE2AC35-90CF-41A2-AC0E-6A5C1C58D2E2} - (no file)
O3 - Toolbar: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s

FIX THIS, IF YOU DO _NOT_ HAVE THIS SOFTWARE INSTALLED
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"

O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe

FIX THIS, IF YOU DO _NOT_ HAVE THIS SOFTWARE INSTALLED
O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Corel Network monitor worker - {A97B9BFB-FE59-49D4-ABA3-D79FBB9EB118} - C:\WINDOWS\System32\iegfxfrw.dll
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {A97B9BFB-FE59-49D4-ABA3-D79FBB9EB118} - C:\WINDOWS\System32\iegfxfrw.dll
O9 - Extra button: Corel Network monitor worker - {A97B9BFB-FE59-49D4-ABA3-D79FBB9EB118} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {A97B9BFB-FE59-49D4-ABA3-D79FBB9EB118} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone


Delete:
sfcman32.dll File.
C:\PROGRA~1\NEWDOT~1 Folder.
C:\Program Files\AWS\ Folder.
edpj.dat File.
iegfxfrw.dll File.

 

Scan your system with all the anti-spyware/antivirus programs you have while you are still in Safe Mode.

 

And UPDATE your Windows XP with Windows Update.

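The reply above works through the log by entry type: R-lines whose search page is a res:// resource inside a DLL, O2/O3 add-ons whose file is gone, the New.Net entries, the O10 and O15 lines, and an executable running out of a Temp folder. The following is an added Python triage helper (not code from this thread or from HijackThis) that encodes those same checks so they can be run over any HijackThis text. The sample input is a subset of lines copied from the log posted at the top of the thread; the O17 rule and the allowlist of core System32 binaries are this example's own assumptions. Anything under System32 that is not on the allowlist is marked "verify" rather than "fix": nvsvc32.exe (the NVIDIA service the log shows) lands there next to fxiegwfr.exe, which is exactly why a publisher signature or hash check belongs before any deletion.

```python
"""Triage HijackThis log lines with the kinds of checks the reply above makes.
Added example, not code from the thread or from HijackThis; the System32
allowlist and the O17 rule are this example's own assumptions."""
import re
from dataclasses import dataclass

# Sample input: a subset of lines copied from the log posted at the top of the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\DANMEY~1\LOCALS~1\Temp\edpj.dat
C:\WINDOWS\System32\fxiegwfr.exe
C:\WINDOWS\System32\nvsvc32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B1EA5AB-7AA9-405E-8F22-C2CBBC2E76EA} - (no file)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_76.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: Corel Network monitor worker - {A97B9BFB-FE59-49D4-ABA3-D79FBB9EB118} - C:\WINDOWS\System32\iegfxfrw.dll
O10 - Hijacked Internet access by New.Net
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBBADA0E-445E-4E92-8BBA-49D2FAD3E4CC}: NameServer = 69.50.184.84,195.225.176.37
"""

ENTRY = re.compile(r"^[RO]\d+ - ")
SYS32_BINARY = re.compile(r"\\System32\\([A-Za-z0-9_~-]+\.(?:exe|dll|ocx))", re.IGNORECASE)

# Core XP binaries expected under System32 (assumption). Anything else found there
# is marked "verify": check its publisher signature or hash, do not delete it.
CORE_SYSTEM32 = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "rundll32.exe", "wuauclt.exe", "explorer.exe",
}

# (severity, reason, pattern). The first rule that matches a line wins.
RULES = [
    ("fix", "search/start page points at a res:// page inside a DLL",
     re.compile(r"^R[0-3] - .*=\s*res://", re.IGNORECASE)),
    ("fix", "add-on is registered but its file is gone (dead entry)",
     re.compile(r"^O[239] - .*\(no file\)", re.IGNORECASE)),
    ("fix", "executable running from a Temp folder",
     re.compile(r"\\Temp\\", re.IGNORECASE)),
    ("fix", "Winsock LSP hijack reported by HijackThis (O10)",
     re.compile(r"^O10 - Hijacked", re.IGNORECASE)),
    ("fix", "'http' protocol default moved into the Trusted zone (O15)",
     re.compile(r"^O15 - ProtocolDefaults", re.IGNORECASE)),
    ("fix", "known adware component (New.Net)",
     re.compile(r"NewDotNet|New\.Net|NEWDOT~1", re.IGNORECASE)),
    ("verify", "static DNS servers configured (O17): confirm they are your ISP's",
     re.compile(r"^O17 - .*NameServer", re.IGNORECASE)),
]


@dataclass
class Finding:
    line: str
    severity: str  # "fix" or "verify"
    reason: str


def parse(text):
    """Yield each running-process path and each Rn/On entry line from raw log text."""
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes or ENTRY.match(line):
            yield line


def triage(text):
    """Apply RULES to every parsed line, then the System32 allowlist to the rest."""
    findings = []
    for line in parse(text):
        for severity, reason, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(line, severity, reason))
                break
        else:
            m = SYS32_BINARY.search(line)
            if m and m.group(1).lower() not in CORE_SYSTEM32:
                findings.append(Finding(line, "verify",
                                        f"unrecognised System32 binary {m.group(1)}"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {"fix": 0, "verify": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```

Run against the sample it reports six "fix" findings and four "verify" findings; the clean lines (smss.exe, the Acrobat BHO, the netscape.net start page, the KernelFaultCheck entry) produce nothing. The first-match ordering matters: the O10 line mentions New.Net but is reported as the LSP hijack, and a res:// search hijack is reported as such rather than as an unrecognised System32 DLL.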

Delete those files in Safe Mode. If you can, use the Recovery Console via your XP (2k?) CD.

 

 


Hello, I have deleted the files you listed to delete in Safe Mode. I did not have any of the files but the "iegfxfrw.dll" file. My question is: I found some other files that might be related to the "sfcman32.dll" file. They are as follows:

"SFC.exe"
"SFC.dll"
"SFC.os"
"sfcfiles.dll"

Also, I found some other files beginning with "ie", like "iegfxfrw.dll"; all of these other "ie" files are also .dll files:

ieakeng
ieakgie
ieakvi
iedkc32
iepeers
iernonce
iesetup

I am not sure of the function of the files I listed. Whether or not they are spyware/adware/malware related (I hope not), I do not know. I did not delete any of them in case they are supposed to be there. If you would like me to post my HijackThis report, I will do so.


The files you mentioned are:

System File Checker files:
"SFC.exe"
"SFC.dll"
"SFC.os"
"sfcfiles.dll"

Internet Explorer Administration Kit:
ieakeng
ieakgie
ieakvi

MS IE Peer Objects:
iepeers

IE stuff:
iernonce
iesetup

Neither I nor Google knows what this is:
iedkc32
