IE/Trojan Problems - Desktop Trojan

I have the blue screen with the "Trojan-Spy.HTML.Smitfraud.c" on, and also "Virus Hunter Security" has created itself on my desktop, and I'm unable to delete it. My system is slower than usual and I've had innumerable trojans pop up from AVG (which I've healed or deleted, depending on the file's location), but I'm really stuck for what to do, and my computer is extremely lagged and messed up right now.

HiJackThis Log:

Logfile of HijackThis v1.98.1
Scan saved at 11:57:18, on 30/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\ScsiAccess.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\RunDll32.exe
D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\Java\jre1.5.0\bin\jusched.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Lexmark X74-X75\lxbbbmon.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\Downloaded Program Files\html.exe
c:\wp.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\paytime.exe
D:\WINDOWS\System32\taskmgr.exe
D:\WINDOWS\tool.exe
D:\WINDOWS\System32\wkfix.exe
D:\WINDOWS\tool1.exe
D:\Program Files\Grisoft\AVG Free\avgwb.dat
D:\WINDOWS\system32\cmd.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\System32\newdial.exe
D:\DOCUME~1\Stardust\LOCALS~1\Temp\B214849932\build2.exe
D:\WINDOWS\system32\navupdts.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\WINDOWS\System32\taskmgr.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://D:\WINDOWS\system32\shdocpa.dll/security.htm#subID=PRFV;6784
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpa.dll/asst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - D:\WINDOWS\System32\nsc3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark X74-X75] "D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] D:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [FastStart] D:\WINDOWS\system32\svcnut32.exe home
O4 - HKLM\..\Run: [Internet2 Optimizer] wkfix.exe
O4 - HKLM\..\RunServices: [Internet2 Optimizer] wkfix.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Microsoft AntiSpyware helper - {A65ECF60-FFC4-4A66-BBC4-695C1FBEEEC9} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A65ECF60-FFC4-4A66-BBC4-695C1FBEEEC9} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {A65ECF60-FFC4-4A66-BBC4-695C1FBEEEC9} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A65ECF60-FFC4-4A66-BBC4-695C1FBEEEC9} - (no file) (HKCU)
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101486464781
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O17 - HKLM\System\CS1\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O19 - User stylesheet: D:\Documents and Settings\Stardust\My Documents\Random Crap\ban.css (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll

Help ASAP would be appreciated very much.

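A log like the one above is normally read by eye, picking out the entries that the replies in this thread single out: IE start pages pointing at a bare IP or at a `res://` DLL resource, a BHO in System32, Run entries that name a bare file or a drive-root executable, RunServices persistence, Trusted Zone additions, hand-set DNS resolvers and orphaned Winlogon Notify hooks. The script below is an added example for this page, not a tool anyone in the thread used, that applies those same checks to the HijackThis 1.9x line format. The heuristics are assumptions and only mark entries for review; the known-bad file names are taken from the removal lists posted in this thread; O17 resolvers are flagged until you pass the ones you know are your ISP's; and `SAMPLE_LOG` is a constructed excerpt modelled on the post above.

```python
"""Triage a HijackThis 1.9x log for the hijack patterns discussed in this thread.

Added example for this page, not a tool from the thread. The heuristics are
assumptions: they mark entries for review, they are not verdicts.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, modelled on the log posted above (a few lines only).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://D:\WINDOWS\system32\shdocpa.dll/security.htm#subID=PRFV;6784
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - D:\WINDOWS\System32\nsc3.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\RunServices: [Internet2 Optimizer] wkfix.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O15 - Trusted Zone: *.searchmiracle.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O20 - Winlogon Notify: iexplore - OTW\E.dll (file missing)
"""

# File names the replies in this thread told the poster to remove (not a general list).
KNOWN_BAD = frozenset({"paytime.exe", "wkfix.exe", "svcnut32.exe", "msnmgd32.exe",
                       "wp.exe", "newdial.exe", "navupdts.exe"})

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


def _image(cmd: str) -> str:
    """First token of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _is_raw_ip(url: str) -> bool:
    """True when the URL's host part is a literal IP address."""
    m = re.match(r"^[a-z]+://([^/:?#]+)", url, re.I)
    if not m:
        return False
    try:
        ipaddress.ip_address(m.group(1))
        return True
    except ValueError:
        return False


def triage(log_text: str, trusted_resolvers=()):
    """Return a list of Finding objects for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")

        def flag(reason, kind=kind, line=line):
            findings.append(Finding(kind, reason, line))

        if kind in ("R0", "R1"):  # IE start/default/search pages
            value = body.split(" = ", 1)[1] if " = " in body else ""
            if _is_raw_ip(value):
                flag("IE page setting points at a bare IP address")
            elif value.lower().startswith("res://"):
                flag("IE page setting served from a local DLL resource")
        elif kind == "O2":  # Browser Helper Objects
            path = body.rsplit(" - ", 1)[-1]
            if re.search(r"\\windows\\system32\\", path, re.I):
                flag("BHO loaded from System32; legitimate BHOs usually live under Program Files")
        elif kind == "O4":  # Run keys
            o4 = O4_RE.match(body)
            if o4:
                image = _image(o4.group("cmd"))
                base = image.rsplit("\\", 1)[-1].lower()
                if o4.group("key").lower() in ("runservices", "runonce"):
                    flag(f"{o4.group('key')} key used for persistence")
                if "\\" not in image and base not in ("rundll32", "rundll32.exe"):
                    flag("bare file name: located via PATH search, no fixed location")
                elif re.fullmatch(r"[a-z]:\\[^\\]+", image, re.I):
                    flag("executable sitting in a drive root")
                if base in KNOWN_BAD:
                    flag("file name appears in this thread's removal lists")
        elif kind == "O15":  # Trusted Zone additions
            flag("site added to the IE Trusted Zone; check it is one you added")
        elif kind == "O17":  # DNS resolvers
            resolvers = body.split("NameServer = ", 1)[-1].split()
            unknown = [r for r in resolvers if r not in trusted_resolvers]
            if unknown:
                flag("resolvers not confirmed as your ISP's: " + ", ".join(unknown))
        elif kind == "O20" and "(file missing)" in body:  # Winlogon Notify
            flag("Winlogon Notify entry whose DLL is gone: orphaned or already removed")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

Pass the resolvers you have confirmed with your ISP as `trusted_resolvers` so that O17 lines stop showing up; everything else in the output is a prompt to look closer, not a removal instruction.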
Re: IE/Trojan Problems - Desktop Trojan

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:
Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

*IMPORTANT* CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit.
* In the event you already have Killbox, this is a new version that I need you to download.
* Save it to your desktop.
* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".
* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

D:\wp.exe
D:\wp.bmp
D:\bsw.exe
D:\Windows\sites.ini
D:\Windows\popuper.exe
D:\Windows\system32\hhk.dll
D:\Windows\System32\wldr.dll
D:\Windows\System32\helper.exe
D:\Windows\System32\intmon.exe
D:\Windows\System32\shnlog.exe
D:\Windows\System32\intmonp.exe
D:\Windows\System32\msmsgs.exe
D:\Windows\system32\msole32.exe
D:\Windows\System32\ole32vbs.exe
D:\WINDOWS\System32\paytime.exe
D:\WINDOWS\system32\svcnut32.exe
D:\WINDOWS\system32\navupdts.exe
D:\WINDOWS\System32\newdial.exe

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files. Using Windows Explorer, delete the following, if found (please do NOT try to find them by "search" because they will not show up that way).

FOLDERS to delete (in bold) if found:
D:\Program Files\Search Maid
D:\Program Files\Virtual Maid
D:\Windows\System32\Log Files
D:\Program Files\Security IGuard

While still in Safe Mode, do the following:

Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://D:\WINDOWS\system32\shdocpa.dll/security.htm#subID=PRFV;6784
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpa.dll/asst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - D:\WINDOWS\System32\nsc3.dll
O4 - HKLM\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [FastStart] D:\WINDOWS\system32\svcnut32.exe home
O4 - HKLM\..\Run: [Internet2 Optimizer] wkfix.exe
O4 - HKLM\..\RunServices: [Internet2 Optimizer] wkfix.exe
O4 - HKCU\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O9 - Extra button: Microsoft AntiSpyware helper - {A65ECF60-FFC4-4A66-BBC4-695C1FBEEEC9} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A65ECF60-FFC4-4A66-BBC4-695C1FBEEEC9} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {A65ECF60-FFC4-4A66-BBC4-695C1FBEEEC9} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A65ECF60-FFC4-4A66-BBC4-695C1FBEEEC9} - (no file) (HKCU)
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com

Close HiJackThis. Reboot into normal mode.

Clear out your Temporary internet files and other temp files.

Go to Start > Settings > Control Panel > Internet Options. Under the General tab click the Delete temporary internet files, delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)
C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

1.) Download The Hoster. Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.

Re: IE/Trojan Problems - Desktop Trojan

I still can't run IE (I'm using Firefox), thus I was unable to run ActiveScan. However, all instructions were followed, albeit the first (in my impatience I'd followed a "self help" instruction, which consisted of rebooting in safe mode and deleting the unrecognised icon). Having deleted the user account this occurred on (not the main one) the blue screen is no longer a problem.

Trojan horse BackDoor.Small.27.AQ found in D:\WINDOWS\system32\.exe keeps coming up with AVG -- each time I heal it, but it still keeps coming back.

Here is the HijackThis Log:

Logfile of HijackThis v1.98.1
Scan saved at 19:24:36, on 30/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\system32\cisvc.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\ScsiAccess.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\RunDll32.exe
D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\Java\jre1.5.0\bin\jusched.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\System32\wkfix.exe
D:\Program Files\Lexmark X74-X75\lxbbbmon.exe
D:\WINDOWS\System32\lexpps.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\cmd.exe
D:\WINDOWS\system32\ftp.exe
D:\WINDOWS\system32\cidaemon.exe
D:\WINDOWS\system32\NOTEPAD.EXE
C:\unzipped\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark X74-X75] "D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] D:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Internet2 Optimizer] wkfix.exe
O4 - HKLM\..\RunServices: [Internet2 Optimizer] wkfix.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Internet2 Optimizer] wkfix.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101486464781
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O17 - HKLM\System\CS1\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O17 - HKLM\System\CS2\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O20 - AppInit_DLLs: MsgPlusLoader.dll

Thanks for all the help so far, much appreciated.

UPDATE: Ran Hoster again, and can now get into IE - in the process of scanning with ActiveScan.

Re: IE/Trojan Problems - Desktop Trojan

Apologies for double post, but I presume as I edited the post previously, it won't allow me to do so again. Anyway, the ActiveScan result:

Incident  Status  Location
Virus:W32/Sdbot.CUB.worm  Disinfected  Operating system
Spyware:Spyware/New.net  No disinfected  D:\WINDOWS\NDNuninstall*.exe
Spyware:Spyware/BargainBuddy  No disinfected  Windows Registry
Spyware:Spyware/ISTbar  No disinfected  D:\WINDOWS\tool1.exe
Adware:Adware/PurityScan  No disinfected  Windows Registry
Adware:Adware/KeenValue  No disinfected  D:\WINDOWS\System32\drivers\etc\hosts.bho
Adware:Adware/FavoriteMan  No disinfected  Windows Registry
Adware:Adware/QuickSearch  No disinfected  D:\Program Files\QuickSearch
Adware:Adware/ISearch  No disinfected  D:\WINDOWS\isrvs
Adware:Adware/WildTangent  No disinfected  Windows Registry
Adware:Adware/Adsmart  No disinfected  D:\WINDOWS\System32\thun.dll
Adware:Adware/IGuard  No disinfected  D:\WINDOWS\System32\wldr.dll
Adware:Adware/BlueScreenWarning  No disinfected  Windows Registry
Virus:Application/Restart  No disinfected  C:\_RESTORE\ARCHIVE\FS55.CAB[A0006720.CPY]
Virus:Application/Restart  No disinfected  C:\WINDOWS\SYSTEM\Tools\Restart.exe
Virus:Trj/Agent.QW  Disinfected  C:\wp.exe
Adware:Adware/Adtomi  No disinfected  C:\unzipped\hijackthis\backups\backup-20041125-212132-771.dll
Adware:Adware/PurityScan  No disinfected  C:\unzipped\hijackthis\backups\backup-20041125-212133-253.inf
Adware:Adware/MediaTickets  No disinfected  C:\unzipped\hijackthis\backups\backup-20041125-212134-553.inf
Adware:Adware/MediaTickets  No disinfected  C:\unzipped\hijackthis\backups\backup-20041125-212134-553.dll
Virus:Exploit/ByteVerify  Disinfected  D:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv234.jar-6304da4f-3f2b991f.zip[Counter.class]
Virus:Exploit/ByteVerify  Disinfected  D:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv234.jar-6304da4f-3f2b991f.zip[Dummy.class]
Virus:Trj/Shinwow.E  Disinfected  D:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv234.jar-6304da4f-3f2b991f.zip[Matrix.class]
Virus:Exploit/ByteVerify  Disinfected  D:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv234.jar-6304da4f-3f2b991f.zip[Parser.class]
Spyware:Spyware/New.net  No disinfected  D:\Program Files\filesubmit\piratescaribbean4.zip\NNEZTA388.exe
Adware:Adware/QuickSearch  No disinfected  D:\Program Files\filesubmit\piratescaribbean4.zip\TBEZA127Q.exe
Virus:Trj/Qhost.Q  Disinfected  D:\WINDOWS\hosts
Adware:Adware/Adtomi  No disinfected  D:\WINDOWS\koc.sys
Spyware:Spyware/New.net  No disinfected  D:\WINDOWS\NDNuninstall6_22.exe
Adware:Adware/Adtomi  No disinfected  D:\WINDOWS\system32\9ca.dll
Adware:Adware/Adtomi  No disinfected  D:\WINDOWS\system32\b8fmu00.exe
Virus:Trj/Zapchast.D  Disinfected  D:\WINDOWS\system32\c.bat
Adware:Adware/KeenValue  No disinfected  D:\WINDOWS\system32\drivers\etc\hosts.bho
Adware:Adware/nCase  No disinfected  D:\WINDOWS\system32\in3.dll
Adware:Adware/Adtomi  No disinfected  D:\WINDOWS\system32\koc.sys
Virus:Trojan Horse  Disinfected  D:\WINDOWS\system32\Microsoft.NET\msconfig.exe
Virus:W32/Gaobot.FDD.worm  Disinfected  D:\WINDOWS\system32\msnmgd32.exe
Virus:Bck/Cstrike.A  Disinfected  D:\WINDOWS\system32\navupdts.exe
Virus:W32/Sdbot.ftp  No disinfected  D:\WINDOWS\system32\o
Adware:Adware/KeenValue  No disinfected  D:\WINDOWS\system32\setup_incred_3.exe
Spyware:Spyware/ISTbar  No disinfected  D:\WINDOWS\system32\snapple.exe[1.exe]
Virus:W32/Sdbot.CEP.worm  Disinfected  D:\WINDOWS\system32\snapple.exe[2.exe]
Adware:Adware/Adsmart  No disinfected  D:\WINDOWS\system32\thun.dll
Adware:Adware/Adsmart  No disinfected  D:\WINDOWS\system32\thun32.dll
Virus:Application/Restart  No disinfected  D:\WINDOWS\system32\Tools\Restart.exe
Adware:Adware/Adtomi  No disinfected  D:\WINDOWS\system32\u88bawx.dll
Virus:Trj/Agent.QW  Disinfected  D:\WINDOWS\system32\wldr.dll
Virus:Trj/LowZones.EZ  Disinfected  D:\WINDOWS\tool.exe
Virus:Trj/Downloader.BBA  Disinfected  D:\WINDOWS\tool1.exe

Some backdoor trojans popped up in D:\Windows - 1.exe and 2.exe, both healed. Also in D:\Windows\System32\.exe: Trojan horse IRC/BackDoor.SdBot.185.BE. A virus seems to be found that needs to be healed in the above every 10-20 mins.

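The scan above reports Trj/Qhost.Q in D:\WINDOWS\hosts and a KeenValue hosts.bho, and earlier in the thread IE only came back after "Restore Original Hosts" was run a second time: a hosts file that pins update and vendor sites to loopback, or points real sites at an attacker's address, is exactly what stops online scans and browsing from working. The script below is an added example for this page, not the Hoster tool the thread used and not code from any poster. It parses a hosts file, reports entries by what they do, and rebuilds a file that keeps only comments and localhost lines. The `SECURITY_DOMAINS` list is an assumption (extend it for your own vendors), and `SAMPLE_HOSTS` is a constructed file, not the poster's.

```python
"""Audit a Windows hosts file for hijack-style entries and rebuild a clean one.

Added example for this page; it is not the Hoster tool used in the thread.
SECURITY_DOMAINS is an assumed list, not something taken from the page.
"""
import ipaddress

# Constructed sample hosts file: one redirect and three loopback pins.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
81.222.131.49   www.google.com
127.0.0.1       www.grisoft.com
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       pandasoftware.com
::1             localhost
"""

# Assumed list: sites whose loopback pin silently breaks updates or online scans.
SECURITY_DOMAINS = ("microsoft.com", "windowsupdate.com", "grisoft.com",
                    "pandasoftware.com", "symantec.com", "mcafee.com")


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each active entry; comments are dropped."""
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            yield n, parts[0], parts[1:]


def _under(name, domains):
    """True when name equals or is a subdomain of any entry in domains."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for every entry that is not a plain localhost line."""
    findings = []
    for n, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, ip, " ".join(names), "address does not parse"))
            continue
        for name in names:
            if name.lower() == "localhost":
                continue
            # 0.0.0.0 is treated like loopback: ad-block lists use it to black-hole names.
            if not (addr.is_loopback or addr.is_unspecified):
                findings.append((n, ip, name, "redirected to a non-loopback address: spoofing/hijack pattern"))
            elif _under(name, SECURITY_DOMAINS):
                findings.append((n, ip, name, "security/update site pinned to loopback: blocks updates and online scans"))
            else:
                findings.append((n, ip, name, "non-local host pinned to loopback: review"))
    return findings


def restored_hosts(text):
    """Keep comments, blank lines and localhost entries; drop every other mapping."""
    kept = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts or all(h.lower() == "localhost" for h in parts[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for line_no, ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} {name}: {reason}")
    print("--- restored ---")
    print(restored_hosts(SAMPLE_HOSTS), end="")
```

On the machine in this thread the file to read is the one under `drivers\etc`; the scan also lists a copy at `D:\WINDOWS\hosts`, which Windows does not consult but which the same audit can be pointed at. Writing the restored file back needs the file to be unlocked and not hidden or read-only, which is why the thread's steps have the poster boot to Safe Mode first.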
Re: IE/Trojan Problems - Desktop Trojan

You have a few things there that need removing...

- Download, then unzip to "C:\HJT", the newest version of HiJackThis; version 1.99.1. Then repost your log, either now, or after following the steps in the solution (if provided in this post). This version has features that might be more helpful in 'cleaning' up your system.

===============

Let's look for, and delete, any program segments (prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:
wkfix.exe*

2) Then if any are found in the 'prefetch' folder, delete them. Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Next, Open a command prompt by:
1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).

- Now, locate and 'stop' the following services, if present:
Internet2 Optimizer ... (wkfix.exe)

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services. Once stopped, set this service to disabled.

===============

Run HiJackThis then:
1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

- Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
D:\WINDOWS\System32\wkfix.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Still in HiJackThis, click "Scan", then check (tick) the following, if present:
O4 - HKLM\..\Run: [Internet2 Optimizer] wkfix.exe
O4 - HKLM\..\RunServices: [Internet2 Optimizer] wkfix.exe
O4 - HKCU\..\Run: [Internet2 Optimizer] wkfix.exe

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

files...
D:\WINDOWS\System32\wkfix.exe

You also need to delete the files that were not disinfected by ActiveScan.

- Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

- Reboot.

===============

After rebooting, rescan with HijackThis and post back a new log. Let me know how everything goes.

Re: IE/Trojan Problems - Desktop Trojan

Logfile of HijackThis v1.99.1
Scan saved at 22:51:37, on 30/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\system32\cisvc.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\ScsiAccess.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\RunDll32.exe
D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\Java\jre1.5.0\bin\jusched.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Lexmark X74-X75\lxbbbmon.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\System32\msnmgd32.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark X74-X75] "D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] D:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Offices] msnmgd32.exe
O4 - HKLM\..\RunServices: [Offices] msnmgd32.exe
O4 - HKLM\..\RunOnce: [Offices] msnmgd32.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101486464781
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O17 - HKLM\System\CS1\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: iexplore - OTW\E.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - D:\WINDOWS\System32\ScsiAccess.EXE

There's the new log (all instructions followed, though wkfix.exe didn't appear anywhere).

Re: IE/Trojan Problems - Desktop Trojan

You have a few more things there that need removing...

- Let's look for, and delete, any program segments (prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:
1) Click "Start | Search", then search for each of these programs' base name(s), in all files and folders:
msnmgd32.exe*
2) Then if any are found in the 'prefetch' folder, delete them. Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.
===============
Next, open a command prompt by:
1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).
- Now, locate and 'stop' the following services, if present:
Offices ... (msnmgd32.exe)
Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services. Once stopped, set this service to disabled.
===============
Run HiJackThis, then:
1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"
- Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
D:\WINDOWS\System32\msnmgd32.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
===============
Still in HiJackThis, click "Scan", then check (tick) the following, if present:
O4 - HKLM\..\Run: [Offices] msnmgd32.exe
O4 - HKLM\..\RunServices: [Offices] msnmgd32.exe
O4 - HKLM\..\RunOnce: [Offices] msnmgd32.exe
O20 - Winlogon Notify: iexplore - OTW\E.dll (file missing)
Now, with all windows closed except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
files...
D:\WINDOWS\System32\msnmgd32.exe
- Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".
- Reboot.
===============
After rebooting, rescan with HijackThis and post back a new log. Let me know how everything goes.
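As an added example (not code from the thread or from HijackThis), here is a small triage script that applies the three checks the helper made by hand to lines in the HijackThis log format shown above: O4 autorun entries launching a file name the helper named as malicious, O20 Winlogon Notify entries whose DLL is "(file missing)", and O23 services with "Unknown owner", which only get a "review" verdict since ScsiAccess in this log turned out to be harmless. The sample log is constructed from entries in this thread, and KNOWN_BAD holds only the two file names the thread itself names.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format, built from entries in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X74-X75] "D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Offices] msnmgd32.exe
O4 - HKLM\..\RunServices: [Offices] msnmgd32.exe
O20 - Winlogon Notify: iexplore - OTW\E.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - D:\WINDOWS\System32\ScsiAccess.EXE
"""

KNOWN_BAD = {"msnmgd32.exe", "wkfix.exe"}  # file names the helper told the poster to remove
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")  # "O4 - <body>"
O4_CMD_RE = re.compile(r"\[[^\]]*\] (?P<cmd>.*)$")  # "[Name] command line"

@dataclass
class Finding:
    section: str
    verdict: str  # "remove" (what the helper's fix list does) or "review"
    reason: str
    line: str

def exe_name(cmd: str) -> str:
    """Lower-cased file name of the program an O4 command line launches."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    # A quoted path may contain spaces; otherwise the program is the first token.
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return path.rsplit("\\", 1)[-1].lower()

def triage(log_text: str) -> list[Finding]:
    out = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            m4 = O4_CMD_RE.search(body)
            if m4 and exe_name(m4["cmd"]) in KNOWN_BAD:
                out.append(Finding(section, "remove", "autorun launches a known-bad file name", raw.strip()))
        elif section == "O20" and "(file missing)" in body:
            out.append(Finding(section, "remove", "Winlogon Notify DLL no longer exists on disk", raw.strip()))
        elif section == "O23" and "Unknown owner" in body:
            out.append(Finding(section, "review", "service has no publisher; verify the binary first", raw.strip()))
    return out
```

Run `triage()` over a saved log and compare the output against a rescan after the reboot; entries that come back, as msnmgd32.exe did later in this thread, point at something still re-creating them.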
Re: IE/Trojan Problems - Desktop Trojan

I followed all the steps -- I found Offices in services, but it wouldn't let me delete it. Again, it was found in processes (HijackThis misc) but I was unable to delete it. Continuing on, I fixed the things in HijackThis and deleted the file in safe mode, rebooted, and none of the processes are running now.

New log:

Logfile of HijackThis v1.99.1
Scan saved at 14:29:24, on 31/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\system32\cisvc.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\ScsiAccess.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\RunDll32.exe
D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\Java\jre1.5.0\bin\jusched.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Lexmark X74-X75\lxbbbmon.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark X74-X75] "D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] D:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101486464781
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O17 - HKLM\System\CS1\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - D:\WINDOWS\System32\ScsiAccess.EXE
Re: IE/Trojan Problems - Desktop Trojan

Congratulations! Your log looks clean - good work!
===============
Now that your PC is clean you need to follow these easy steps to keep it this way:

Secure your Internet Explorer by going here and following the instructions there. Better yet, use an alternative browser! Download Firefox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which, in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesirables. There is a link to a good, free firewall in my signature.

Install and keep updated Ad-Aware SE and Spybot S&D. Run them both on a regular basis, following the manufacturer's recommendations.

Install an anti-virus. There are some good, free AVs available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Clear your Temp folders. Clear out your Temporary Internet Files and other temp files. Go to Start > Settings > Control Panel > Internet Options. Under the General tab click "Delete temporary internet files", and delete all Offline content as well. Clear out Cookies. Also, go to Start > Find/Search > Files or folders > in the Named box, type: *.tmp and choose Edit > Select All -> File > Delete. Empty/delete the entire contents of the C:\Windows\temp folder and the C:\temp folder, if you have one (contents, but not the folder itself), and of C:\Documents and Settings\username\Local Settings\Temp\. In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.
===============
If you have any more problems, post back.

- Happy surfing, crunchie.
Re: IE/Trojan Problems - Desktop Trojan

I generally use Firefox most of the time -- it happened to be one day I reverted back to IE. I already have (or should have) both a firewall and AVG anti-virus, and the updates are constantly being downloaded. The fix, I'm afraid, was only temporary; for reasons I can't establish, they keep installing themselves once more. There have been mentions of both trojan IRC backdoors and worms from AVG, and msnmgd32.exe and wkfix.exe keep reinstalling themselves, and in temp something keeps installing itself -- it didn't occur to me to catch its name, but it began with r (unhelpful, and I apologise). Perhaps it's time for me to get my computer checked out properly, to completely solve this?
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC