Jump to content
Compatible Support Forums
Sign in to follow this  
Followers 0
mctonale

Please help remove trojan.

By mctonale, in Security

Recommended Posts

mctonale    0

mctonale
Posted

I have a recuring trojan (long story) called installer.exe (c:\documents and settings\me(or any other login)\local settings\temp\.)

 

searched for files containing text "installer.exe" none but spybot reg backups.

 

on startup it(?) opens www.freewebs.com\anywho\plays.html (may not be exact).

 

Searched for files containing text but none exist.

 

It also deactivates my sp2 firewall on startup.

 

Don't want to think about what else it is donig.

 

Removed all:

Viruses (AVG - up to date)

Adware (Ad-aware - upto date)

Spyware (spybotS&D - uptodate)

Managed to remove malware with Windows-KB890830-V1.4-ENU.exe (easier said than done).

 

AVG detects and removes (or heals) it. but the next time i restart there it is again.

 

I didn't restart very often because of a faulty RAM module. (easier and cheeper to hibernate).

 

Found this http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453075415 but none of the files it suggests exist.

 

I think it has been spread from my computer.

got 900 undeliverable e-mail reports in 3 hours (Now supressed using junkmail filter). (I think that was the malware though it seems to have stoped trying to send).

 

Can anyone help?

Share this post

Link to post

Wilhelmus    1

Wilhelmus
Posted

Download program called "hijack this" and post its log file here, so we can look at it.

Share this post

Link to post

mctonale    0

mctonale
Posted

Got a hijack this report. (with trojan removed) will this do or will you need one with the trojan active?

Share this post

Link to post

mctonale    0

mctonale
Posted

Here is the one with trojan deleted.

 

Logfile of HijackThis v1.99.1

Scan saved at 22:25:53, on 29/05/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Stardock\SDMCP.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe

C:\Program Files\McAfee\QuickClean\Plguni.exe

C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe

C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\jflv.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\System32\oxlbcawg.exe

C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

C:\WINDOWS\system32\devldr32.exe

C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE

C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe

C:\Program Files\3B Software\Ad Blocker Pro\Ad Blocker Pro.uzy

C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe

C:\Program Files\BHODemon 2\BHODemon.exe

C:\Program Files\3B Software\GhostSurf\GhostSurf.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Opera\Opera.exe

C:\Documents and Settings\Tony\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212

R3 - Default URLSearchHook is missing

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll

O4 - HKLM\..\Run: [msnappau] C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe

O4 - HKLM\..\Run: [imonitor] C:\Program Files\McAfee\QuickClean\Plguni.exe /START

O4 - HKLM\..\Run: [AdBlocker] C:\Program Files\Tweak-XP Pro\AdBlocker.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Ad Blocker Pro] "C:\Program Files\3B Software\Ad Blocker Pro\Ad Blocker Pro.exe" -minimized

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray

O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Norton Antivirus 7.0a] C:\WINDOWS\System32\jflv.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [updater] C:\WINDOWS\System32\oxlbcawg.exe

O4 - HKLM\..\RunServices: [system Updates Manager] winserv32.exe

O4 - HKLM\..\RunServices: [Device Microsoft System] devsrv.exe

O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe /startmonitor

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [msnmsgr] C:\Program Files\MSN Messenger\msnmsgr.exe /background

O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet

O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe

O4 - Startup: GhostSurf.lnk = C:\Program Files\3B Software\GhostSurf\GhostSurf.exe

O4 - Global Startup: LG SyncManager.lnk = ?

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Allow personal info to reach this site - file://C:\Program Files\3B Software\GhostSurf\info.allow.html

O8 - Extra context menu item: Allow popups on this site - file://C:\Program Files\3B Software\GhostSurf\popup.allow.html

O8 - Extra context menu item: Allow this advertisement - file://C:\Program Files\3B Software\GhostSurf\menu.allowimg.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Block personal info from this site - file://C:\Program Files\3B Software\GhostSurf\info.block.html

O8 - Extra context menu item: Block popups on this site - file://C:\Program Files\3B Software\GhostSurf\popup.block.html

O8 - Extra context menu item: Block this advertisement - file://C:\Program Files\3B Software\GhostSurf\menu.blockimg.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll

O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\3B Software\GhostSurf\LaunchPCC.exe

O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\3B Software\GhostSurf\LaunchPCC.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5...b?1106346043992

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab

O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab

O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: System Updates Manager (WinManager) - Unknown owner - C:\WINDOWS\System32\winserv32.exe" -service (file missing)

 

Thanks for your help.

Share this post

Link to post

Wilhelmus    1

Wilhelmus
Posted

Boot into safe mode, rescan with hijack this, select and fix these:

Originally posted by mctonale:

Quote:

C:\WINDOWS\System32\jflv.exe

C:\WINDOWS\System32\oxlbcawg.exe

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [Norton Antivirus 7.0a] C:\WINDOWS\System32\jflv.exe

O4 - HKLM\..\Run: [updater] C:\WINDOWS\System32\oxlbcawg.exe

O4 - HKLM\..\RunServices: [system Updates Manager] winserv32.exe

O4 - HKLM\..\RunServices: [Device Microsoft System] devsrv.exe

O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O23 - Service: System Updates Manager (WinManager) - Unknown owner - C:\WINDOWS\System32\winserv32.exe" -service (file missing)

 

Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing Security
×