DaniWeb Forum Index > Hardware and Software > Microsoft Windows > Windows NT / 2000 / XP

Windows NT / 2000 / XP RSS

Trojan Problem

Thread Solved

Last »

•

Join Date: Oct 2007

Posts: 48

Reputation: weasel7711 is an unknown quantity at this point

Solved Threads: 0

weasel7711 weasel7711 is offline

Offline

Light Poster

Trojan Problem

Sep 25th, 2008

My neighbor asked me to fix his computer because "its not working"

What I have discovered is that explorer.exe continually restarts itself every 10 seconds or so.
There is a main user name which has admin privileges however when you are logged in, "task manager has been disabled by the administrator" and "regedit has been disabled by the administrator". In the 10 seconds that I can have My Computer open, it doesn't show the C:\ drive. If I start in Safe Mode I can log into the Administrator account, but explorer still goes nuts.

I ran AdAware but it found nothing. I then ran ClamWin and Hijack this and this is what it gave back:

***********
ClamWin

***********

Scan Started Thu Sep 25 13:26:20 2008

-------------------------------------------------------------------------------

C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0314\values: Permission denied

C:\hiberfil.sys: Permission denied

C:\pagefile.sys: Permission denied

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.idx: Permission denied

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.idx: Permission denied

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\D0000000.FCS: Permission denied

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\L0000003.FCS: Permission denied

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.idx: Permission denied

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.idx: Permission denied

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.idx: Permission denied

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.idx: Permission denied

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.idx: Permission denied

C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.idx: Permission denied

C:\WINDOWS\system32\config\default: Permission denied

C:\WINDOWS\system32\config\SAM: Permission denied

C:\WINDOWS\system32\config\SECURITY: Permission denied

C:\WINDOWS\system32\config\software: Permission denied

C:\WINDOWS\system32\config\system: Permission denied

C:\Documents and Settings\User\Local Settings\Temp\removalfile.bat: Trojan.Bat.Delete-1 FOUND

C:\Documents and Settings\User\Local Settings\Temp\windns.exe: Trojan.Fraudload-804 FOUND

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\HQI0UZV6\css4[1]: Trojan.Vundo-6722 FOUND

C:\Program Files\HPQ\Default Settings\CpqsetVer.exe: Trojan.Agent-14290 FOUND

C:\WINDOWS\erms.exe: Trojan.Zlob-7749 FOUND

C:\WINDOWS\evgratsm.dll: Trojan.Zlob-7416 FOUND

C:\WINDOWS\kgxmotapktx.dll: Trojan.Zlob-7401 FOUND

C:\WINDOWS\kvxqmtre.dll: Trojan.Zlob-8366 FOUND

C:\WINDOWS\qndsfmao.dll: Trojan.Zlob-7433 FOUND

C:\WINDOWS\system32\fccYSiGV.dll: Trojan.Vundo-7024 FOUND

C:\WINDOWS\system32\nnnNHYqn.dll: Trojan.Vundo-7024 FOUND

C:\WINDOWS\system32\qoMdBUKa.dll: Trojan.Vundo-6722 FOUND

C:\WINDOWS\system32\ssqnMETJ.dll: Trojan.Vundo-7024 FOUND

C:\WINDOWS\system32\xxyvuutq.dll: Trojan.Vundo-7024 FOUND

----------- SCAN SUMMARY -----------

Known viruses: 411202

Engine version: 0.94

Scanned directories: 8279

Scanned files: 56001

Infected files: 14

Data scanned: 19416.46 MB

Time: 13374.828 sec (222 m 54 s)

--------------------------------------

Completed

--------------------------------------

**************
Hijack This
**************
Logfile of HijackThis v1.99.1

Scan saved at 13:38: VIRUS ALERT!, on 9/25/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Belkin\F5D9010\Belkinwcui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\ClamWin\bin\ClamWin.exe

C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\ClamWin\bin\clamscan.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\svchost.exe

F:\hijackthis_sfx.exe

F:\HijackThis\HijackThis.exe

C:\WINDOWS\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O3 - Toolbar: qndsfmao - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll

O3 - Toolbar: fdkowvbp - {88E2C28F-80C8-49BA-94A3-A5D4930B4A23} - C:\WINDOWS\fdkowvbp.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"

O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"

O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"

O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [F5D9010] C:\Program Files\Belkin\F5D9010\Belkinwcui.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O11 - Options group: [INTERNATIONAL] International*

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab

O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/di...h.1.0.0.93.cab

O20 - AppInit_DLLs: WIKI.DLL

O21 - SSODL: kvxqmtre - {36124790-EB2B-4710-A22A-1A3E2E8AF093} - C:\WINDOWS\kvxqmtre.dll

O21 - SSODL: evgratsm - {AD7737B1-286C-46CE-A38C-EDF32F66B1EB} - C:\WINDOWS\evgratsm.dll

O21 - SSODL: wnslvxtf - {79AA8769-D93B-4E62-9EC1-B4BBF684385E} - C:\WINDOWS\wnslvxtf.dll

O21 - SSODL: eqvwamkl - {42957140-5665-4E2D-9D2D-A59910D26B86} - C:\WINDOWS\eqvwamkl.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

•

Join Date: May 2005

Posts: 3,204

Reputation: gerbil will become famous soon enough

Solved Threads: 188

gerbil

Offline

Nearly a Senior Poster

Re: Trojan Problem

Sep 25th, 2008

==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebyt...are_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application, then ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything found is checked, and click Remove Selected. Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
Post also a fresh hijackthis [your version is obsolete!!] log with your comments:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

A note... if you dl MBAM to somewhere easy to find you can start it from Task Manager > File > New Task >... Enter mbam-setup.exe

Last edited by gerbil; Sep 25th, 2008 at 10:39 pm.

Deep, deep in the woods, but walking about.

•

Join Date: Jan 2008

Posts: 59

Reputation: DiNeSh_123 is an unknown quantity at this point

Solved Threads: 2

DiNeSh_123 DiNeSh_123 is offline

Offline

Junior Poster in Training

Re: Trojan Problem

Sep 26th, 2008

Hello, can anyone please tell me how to analyze Hijackthis or Smitfraud softwares?

http://www.techarena.in/ - Techarena Community - TechArena Photo Gallery

•

Join Date: Oct 2007

Posts: 48

Reputation: weasel7711 is an unknown quantity at this point

Solved Threads: 0

weasel7711 weasel7711 is offline

Offline

Light Poster

Re: Trojan Problem

Sep 26th, 2008

•

Originally Posted by DiNeSh_123

Hello, can anyone please tell me how to analyze Hijackthis or Smitfraud softwares?

Start your own thread.

When I get home from class today I will run the antivirus and HT and post the logs. Thanks for your help.

•

Join Date: Oct 2007

Posts: 48

Reputation: weasel7711 is an unknown quantity at this point

Solved Threads: 0

weasel7711 weasel7711 is offline

Offline

Light Poster

Re: Trojan Problem

Sep 26th, 2008

I downloaded both exe files 2 seperate times and tried executing each of them, however the computer will not execute them. When I double click or if I do the run command on them it gives me the hourglass for a second then nothing.

•

Join Date: May 2005

Posts: 3,204

Reputation: gerbil will become famous soon enough

Solved Threads: 188

gerbil

Offline

Nearly a Senior Poster

Re: Trojan Problem

Sep 26th, 2008

I understand, weasel, so let's work for the moment with what you have: please start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O3 - Toolbar: qndsfmao - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll
O3 - Toolbar: fdkowvbp - {88E2C28F-80C8-49BA-94A3-A5D4930B4A23} - C:\WINDOWS\fdkowvbp.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: WIKI.DLL
O21 - SSODL: kvxqmtre - {36124790-EB2B-4710-A22A-1A3E2E8AF093} - C:\WINDOWS\kvxqmtre.dll
O21 - SSODL: evgratsm - {AD7737B1-286C-46CE-A38C-EDF32F66B1EB} - C:\WINDOWS\evgratsm.dll
O21 - SSODL: wnslvxtf - {79AA8769-D93B-4E62-9EC1-B4BBF684385E} - C:\WINDOWS\wnslvxtf.dll
O21 - SSODL: eqvwamkl - {42957140-5665-4E2D-9D2D-A59910D26B86} - C:\WINDOWS\eqvwamkl.dll

Now delete these files... if they put up a fight I can give you a tool to do it with, else you can delete them from Safe Mode.

C:\WINDOWS\qndsfmao.dll
C:\WINDOWS\fdkowvbp.dll
C:\WINDOWS\kvxqmtre.dll
C:\WINDOWS\evgratsm.dll
C:\WINDOWS\wnslvxtf.dll
C:\WINDOWS\eqvwamkl.dll
C:\WINDOWS\system32\WIKI.DLL -this one may be in the windows folder if not here.

The deleter...Unlocker 1.8.5
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.

Once those files are gone try again to run MBAM and the new version of hijackthis. If they still cannot run from the dl'd files, Run them from the dl site instead [Hijackthis will give you a warning about running from a temp folder, but proceed anyway].
Good luck.

Deep, deep in the woods, but walking about.

•

Join Date: Sep 2008

Posts: 2

Reputation: kingside7000 is an unknown quantity at this point

Solved Threads: 1

kingside7000 kingside7000 is offline

Offline

Newbie Poster

Re: Trojan Problem

Sep 26th, 2008

Hey the best way to get rid of trojans is to go on the computer. go to google.com. type in windows one care. download the three month free trail. it takes a while because of the trojans. After installing the program do a complete i mean complete virus and spyware scan. microsoft created the program very trustworthy. i got rid of 9 trojans on a friends computer. the windows one car pretty much takes care of it. let me know if it works.
love and peace
Marik S.

•

Join Date: Oct 2007

Posts: 48

Reputation: weasel7711 is an unknown quantity at this point

Solved Threads: 0

weasel7711 weasel7711 is offline

Offline

Light Poster

Re: Trojan Problem

Sep 26th, 2008

This virus is a pain in the butt. I deleted all the files, in the 15 seconds that I could open explorer to get to the folder to delete them, one by one, it took about 10 minutes.

Then anytime I try to download or go to certain sites (pretty much any site that has anything remotely to do with removing viruses/malware/etc.) it flips out and tells me the site "may be unsecure" Its really annoying me.
edit: What I mean by "flips out" is it takes me to a seperate IE page that says the site may not be securre and reloads it every microsecond on an infinite loop until I close the tab or click back. Thus preventing me from getting to the download.

Anyway I deleted those files except the WIKI file because I couldnt find it. I ran a hijack this and ill post the findings in a new post. So I tried rerunning malwarebyte's program but still the same result. I have searched on the net but there is a hijacker program infecting the internet searches, because anytime i do a google search the result links to another random search engine. I also tried installing firefox to see if it was just an IE thing but it wont let me RUN firefox. So I am not sure what to do now.

Last edited by weasel7711; Sep 26th, 2008 at 7:33 pm.

•

Join Date: Oct 2007

Posts: 48

Reputation: weasel7711 is an unknown quantity at this point

Solved Threads: 0

weasel7711 weasel7711 is offline

Offline

Light Poster

Re: Trojan Problem

Sep 26th, 2008

Here's the hijack this log for after I removed the dll files.
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:29: VIRUS ALERT!, on 9/26/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Belkin\F5D9010\Belkinwcui.exe

C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\ClamWin\bin\ClamTray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\Program Files\ClamWin\bin\freshclam.exe

C:\Program Files\Internet Explorer\iexplore.exe

H:\Help\HiJackThis.exe

C:\WINDOWS\explorer.exe

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\OPC\{31011D49-D90C-4DA0-878B-78D28AD507AF}\SSAUTORN.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"

O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"

O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"

O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [F5D9010] C:\Program Files\Belkin\F5D9010\Belkinwcui.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon

O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab

O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/di...h.1.0.0.93.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--

End of file - 10684 bytes

•

Join Date: Sep 2008

Posts: 2

Reputation: kingside7000 is an unknown quantity at this point

Solved Threads: 1

kingside7000 kingside7000 is offline

Offline

Newbie Poster

Re: Trojan Problem

#10

Sep 26th, 2008

hey try what i said earlier. i'm not sure if it's the best way but i can promise it will remove the trojans but also after installation the computer will restart and then you start deleting. try it out. let me know