 |  |  |  |  |  |  |  |
Can't remove Trojan horse
 |
I'm Fixing a pc with winxp, and it is infected with a troja horse I can't remove.
I'm Guissing it is Trojan Banker A, but I'm not sure. The reason I belive that it is this trojan is because, Ad Aware succeded in deleting a dmid32.dll file, and every time I start the pc, I get an error that the dll file is missing. So I searced google and learned that that file is pressent in the windows system, if the trojan shall run properly. Further more my Norton keeps popping up with an error thar there is at trojan on the pc, but it can't remove it, not even in safe mode.
So can any one help me plz
I'm Guissing it is Trojan Banker A, but I'm not sure. The reason I belive that it is this trojan is because, Ad Aware succeded in deleting a dmid32.dll file, and every time I start the pc, I get an error that the dll file is missing. So I searced google and learned that that file is pressent in the windows system, if the trojan shall run properly. Further more my Norton keeps popping up with an error thar there is at trojan on the pc, but it can't remove it, not even in safe mode.
So can any one help me plz
•
•
Join Date: Aug 2003
Posts: 9,519
Reputation: 
Solved Threads: 488
download full working trojan hunter trial version ,scan computer . .
http://www.misec.net/trojanhunter/
http://www.misec.net/trojanhunter/
Linux boot cd http://www.knopper.net/knoppix/index-en.html
•
•
•
•
Originally Posted by Crispy
The reason I belive that it is this trojan is because, Ad Aware succeded in deleting a dmid32.dll file... So I searced google and learned that that file is pressent in the windows system...
•
•
•
•
Originally Posted by Crispy
Further more my Norton keeps popping up with an error thar there is at trojan on the pc, but it can't remove it, not even in safe mode.
In terms of the error about the dll being missing, that's most likely a result of Ad Aware having deleted the file but there still being a reference to the file in your Registry. In my signature below there is a link to the HijackThis utility. Create a C:\HijackThis folder on your computer, download HJT into this folder, and run the program (close all other programs before doing so).
At this point, have HJT only perform a scan; do not have it fix anything yet! Save the log file it generates in a convenient location, open the log in Window's Notepad, and cut-n-paste the contents of the log here.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Thx very much, I will try the solutions and get back with results and/or logs :O)
And I made a missspell, the file name is cmid32.dll'
The virus name is backdoor.trojan, when I clik on the link, norton just tells me that it is a standard name for that type of virus....
And I made a missspell, the file name is cmid32.dll'
The virus name is backdoor.trojan, when I clik on the link, norton just tells me that it is a standard name for that type of virus....
This is the Hijack log:
Logfile of HijackThis v1.98.0
Scan saved at 20:55:17, on 20-07-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\bcwcuj.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\WINDOWS\mstasks2.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\svchost.exe
C:\Documents and Settings\Administrator\Application Data\crpw.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rdw.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Hijack this\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmer\Symantec\LiveUpdate\AUpdate.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {66FE610C-BF31-5AB1-D656-64550DA67A13} - C:\WINDOWS\System32\pkhiv.dll
O2 - BHO: (no name) - {845DB2CF-FCE1-4B00-A8C3-874E88779F79} - C:\WINDOWS\System32\jlepia.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\svshost.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - HKLM\..\Run: [ynkdejahjwszz] C:\WINDOWS\System32\bcwcuj.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Sswh] C:\Documents and Settings\Administrator\Application Data\crpw.exe
O4 - HKCU\..\Run: [Knp] C:\WINDOWS\System32\rdw.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O18 - Filter: text/html - {F153D2BE-D645-4095-80DE-52FFF5A6B97C} - C:\WINDOWS\System32\jlepia.dll
O18 - Filter: text/plain - {F153D2BE-D645-4095-80DE-52FFF5A6B97C} - C:\WINDOWS\System32\jlepia.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\log.dll
O21 - SSODL: System - {C7916D83-690E-45ED-A129-E5002FF613D0} - C:\WINDOWS\system32\system32.dll (file missing)
Logfile of HijackThis v1.98.0
Scan saved at 20:55:17, on 20-07-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\bcwcuj.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\WINDOWS\mstasks2.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\svchost.exe
C:\Documents and Settings\Administrator\Application Data\crpw.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rdw.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Hijack this\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmer\Symantec\LiveUpdate\AUpdate.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {66FE610C-BF31-5AB1-D656-64550DA67A13} - C:\WINDOWS\System32\pkhiv.dll
O2 - BHO: (no name) - {845DB2CF-FCE1-4B00-A8C3-874E88779F79} - C:\WINDOWS\System32\jlepia.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\svshost.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - HKLM\..\Run: [ynkdejahjwszz] C:\WINDOWS\System32\bcwcuj.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Sswh] C:\Documents and Settings\Administrator\Application Data\crpw.exe
O4 - HKCU\..\Run: [Knp] C:\WINDOWS\System32\rdw.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O18 - Filter: text/html - {F153D2BE-D645-4095-80DE-52FFF5A6B97C} - C:\WINDOWS\System32\jlepia.dll
O18 - Filter: text/plain - {F153D2BE-D645-4095-80DE-52FFF5A6B97C} - C:\WINDOWS\System32\jlepia.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\log.dll
O21 - SSODL: System - {C7916D83-690E-45ED-A129-E5002FF613D0} - C:\WINDOWS\system32\system32.dll (file missing)
HI I have posted the log not as a quote, but as a reply, and thank you very much for your help so far :O)
OK, you're right- that dll does seem to be associated with a couple of trojans.
Trend Micro's report on one of those trojan variants indicates that it is often installed by another malicious program, so you should check your system thoroughly, making sure you have the absolute latest virus definition updates installed in your anti-virus program. You should also download and run Ad Aware and SpyBot if you haven't already; links to those utilities are in my sig below. Before running Ad Aware, configure it as follows:
Click the “use custom scanning� options, and then click “Customize�
- In Settings, under 'scanning' - have it set to:
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
- In 'tweaks':
under 'scanning engine', set it to: 'unload recognized processes during scanning.'
under 'cleaning engine', set it to: 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'
- Select 'activate in-depth scan' before starting scan.
Trend Micro's report on one of those trojan variants indicates that it is often installed by another malicious program, so you should check your system thoroughly, making sure you have the absolute latest virus definition updates installed in your anti-virus program. You should also download and run Ad Aware and SpyBot if you haven't already; links to those utilities are in my sig below. Before running Ad Aware, configure it as follows:
Click the “use custom scanning� options, and then click “Customize�
- In Settings, under 'scanning' - have it set to:
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
- In 'tweaks':
under 'scanning engine', set it to: 'unload recognized processes during scanning.'
under 'cleaning engine', set it to: 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'
- Select 'activate in-depth scan' before starting scan.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Looks like we were posting at the same time. Your log does show that you've got "unwanted guests" in your system, so run Ad Aware and SpyBot as I indicated above; let them fix everything they find.
Also- I believe the "Search-For-You" crap is associated with some version of the Cool Web Search trojan. You should download and run CWShredder (again, link is in my sig) to try to remove the stuff.
Once you've run the utilities, delete all of your browser cookies and all Temp/Temporary Internet files (including "offline content"), empty your trash, and reboot.
After you've done the above, post a fresh HJT log and we'll take it from there.
Also- I believe the "Search-For-You" crap is associated with some version of the Cool Web Search trojan. You should download and run CWShredder (again, link is in my sig) to try to remove the stuff.
Once you've run the utilities, delete all of your browser cookies and all Temp/Temporary Internet files (including "offline content"), empty your trash, and reboot.
After you've done the above, post a fresh HJT log and we'll take it from there.
Last edited by DMR; Jul 20th, 2004 at 4:07 pm.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Now I have done all you asked :O) and this is the new log
Logfile of HijackThis v1.98.0
Scan saved at 10:19:58, on 21-07-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\bcwcuj.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\Administrator\Application Data\crpw.exe
C:\WINDOWS\System32\rdw.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-for-you.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {66FE610C-BF31-5AB1-D656-64550DA67A13} - C:\WINDOWS\System32\pkhiv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\svshost.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - HKLM\..\Run: [ynkdejahjwszz] C:\WINDOWS\System32\bcwcuj.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Sswh] C:\Documents and Settings\Administrator\Application Data\crpw.exe
O4 - HKCU\..\Run: [Knp] C:\WINDOWS\System32\rdw.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\log.dll
Norton didn't find anything new, but all the other did :O)
But I still think that there is something there because:
Everytime I start/restart the computer I get the following messege when windows start:
Winupd.exe - this component was not found
This program could not start, because cmid.dll was not found, the problem could perhaps be solved by installing the program again.
(I have translatet this message to english, so the error message isn't the exact word for word, but the basics of the error should be of use to you)
When norton start I get this message:
Notton AntiVirus has detected at virus on your computer:
Object name: C:\windows\system32\\log.dll
Virus name: Backdoor. trojan
Action taken: Uable to repair this file
Then I press th ok button, and emidiatly the same windos pop up, but in action taken it writes: Acces to the file was denied.
And I can pres the ok button, and these two windows take turns on popping up.
Further more, I have a proces in my task manager call mstasks2.exe and that occupies 99 % of the cpu, so I have the end that process if I wan't to to anything on the machene.
Hope the information can be usefull.
And thanks again
Logfile of HijackThis v1.98.0
Scan saved at 10:19:58, on 21-07-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\bcwcuj.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\Administrator\Application Data\crpw.exe
C:\WINDOWS\System32\rdw.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-for-you.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {66FE610C-BF31-5AB1-D656-64550DA67A13} - C:\WINDOWS\System32\pkhiv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\svshost.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - HKLM\..\Run: [ynkdejahjwszz] C:\WINDOWS\System32\bcwcuj.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Sswh] C:\Documents and Settings\Administrator\Application Data\crpw.exe
O4 - HKCU\..\Run: [Knp] C:\WINDOWS\System32\rdw.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\log.dll
Norton didn't find anything new, but all the other did :O)
But I still think that there is something there because:
Everytime I start/restart the computer I get the following messege when windows start:
Winupd.exe - this component was not found
This program could not start, because cmid.dll was not found, the problem could perhaps be solved by installing the program again.
(I have translatet this message to english, so the error message isn't the exact word for word, but the basics of the error should be of use to you)
When norton start I get this message:
Notton AntiVirus has detected at virus on your computer:
Object name: C:\windows\system32\\log.dll
Virus name: Backdoor. trojan
Action taken: Uable to repair this file
Then I press th ok button, and emidiatly the same windos pop up, but in action taken it writes: Acces to the file was denied.
And I can pres the ok button, and these two windows take turns on popping up.
Further more, I have a proces in my task manager call mstasks2.exe and that occupies 99 % of the cpu, so I have the end that process if I wan't to to anything on the machene.
Hope the information can be usefull.
And thanks again
by the way.
I alson ran adaware, spybot at cwshredder, and they all found and fixed at least 10 files.
I also deleted my temporary internet files, and cookies, but I'm not sure, that they were deleted properly, because, it didn't take very long, and knowing my friend he would never delete those things on his own.
I alson ran adaware, spybot at cwshredder, and they all found and fixed at least 10 files.
I also deleted my temporary internet files, and cookies, but I'm not sure, that they were deleted properly, because, it didn't take very long, and knowing my friend he would never delete those things on his own.
|
Similar Threads
- Nasty Trojan Horse (Viruses, Spyware and other Nasties)
- Unable to remove the trojan TR/Dldr.WinShow.AX (Viruses, Spyware and other Nasties)
- Trojan Horse (Viruses, Spyware and other Nasties)
- Trojan horse Downloader.VB.R (Viruses, Spyware and other Nasties)
- Help me remove Trojan horse TR/Scagent.DLL.C (Viruses, Spyware and other Nasties)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Security Alert Bug on taskbar.. Please Help
- Next Thread: internet explorer-hijacked by about blank
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest Viruses, Spyware and other Nasties Posts
adware anti-malware anti-virussitesaccessissue antivirus apple attack audio avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial commercials conficker connect control crosssitescripting cyber cybercrime cyberwarfare ddos domains e-mafia education email europe exam exploit facebook fake fancheckvirus gaming gumblar halloween hijack hosting internet iphone kaspersky legal logfiles mail malware mcafee mega-d messagelabs microsoft mobile msn nazi news obama onlinethreats panel parents patch phishing police policeprovirusmba-mblockedinternetaccess president privacy pro problem redirect redirecting reliability report research risk rogueantivirus sans scareware school search security seopoisoning software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen trojan unabletoaccessanti-virussites unwanted update usa virus viruses vista warning windows worm yahoo
