0

I'm fixing a PC with WinXP, and it is infected with a trojan horse I can't remove.
I'm guessing it is Trojan Banker A, but I'm not sure. The reason I believe that it is this trojan is because Ad Aware succeeded in deleting a dmid32.dll file, and every time I start the PC, I get an error that the DLL file is missing. So I searched Google and learned that that file is present in the Windows system if the trojan shall run properly. Furthermore my Norton keeps popping up with an error that there is a trojan on the PC, but it can't remove it, not even in safe mode.

So can anyone help me please

5 Contributors, 22 Replies, 23 Views, 13 Years Discussion Span, Last Post by crunchie
0

The reason I believe that it is this trojan is because Ad Aware succeeded in deleting a dmid32.dll file... So I searched Google and learned that that file is present in the Windows system...

Are you sure you spelled the name of the file correctly in your post? I get no results at all when I Google for dmid32.dll.


Furthermore my Norton keeps popping up with an error that there is a trojan on the PC, but it can't remove it, not even in safe mode.

Does Norton tell you the exact name of the trojan? If so, let us know what it is.

In terms of the error about the dll being missing, that's most likely a result of Ad Aware having deleted the file but there still being a reference to the file in your Registry. In my signature below there is a link to the HijackThis utility. Create a C:\HijackThis folder on your computer, download HJT into this folder, and run the program (close all other programs before doing so).

At this point, have HJT only perform a scan; do not have it fix anything yet! Save the log file it generates in a convenient location, open the log in Windows Notepad, and cut-n-paste the contents of the log here.

0

Thx very much, I will try the solutions and get back with results and/or logs :O)

And I made a misspelling; the file name is cmid32.dll

The virus name is backdoor.trojan; when I click on the link, Norton just tells me that it is a standard name for that type of virus....

0

This is the Hijack log:

Logfile of HijackThis v1.98.0
Scan saved at 20:55:17, on 20-07-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\bcwcuj.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\WINDOWS\mstasks2.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\svchost.exe
C:\Documents and Settings\Administrator\Application Data\crpw.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rdw.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Hijack this\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmer\Symantec\LiveUpdate\AUpdate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jlepia.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {66FE610C-BF31-5AB1-D656-64550DA67A13} - C:\WINDOWS\System32\pkhiv.dll
O2 - BHO: (no name) - {845DB2CF-FCE1-4B00-A8C3-874E88779F79} - C:\WINDOWS\System32\jlepia.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\svshost.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - HKLM\..\Run: [ynkdejahjwszz] C:\WINDOWS\System32\bcwcuj.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Sswh] C:\Documents and Settings\Administrator\Application Data\crpw.exe
O4 - HKCU\..\Run: [Knp] C:\WINDOWS\System32\rdw.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O18 - Filter: text/html - {F153D2BE-D645-4095-80DE-52FFF5A6B97C} - C:\WINDOWS\System32\jlepia.dll
O18 - Filter: text/plain - {F153D2BE-D645-4095-80DE-52FFF5A6B97C} - C:\WINDOWS\System32\jlepia.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\log.dll
O21 - SSODL: System - {C7916D83-690E-45ED-A129-E5002FF613D0} - C:\WINDOWS\system32\system32.dll (file missing)

0

Hi, I have posted the log not as a quote but as a reply, and thank you very much for your help so far :O)

0

OK, you're right- that dll does seem to be associated with a couple of trojans.

Trend Micro's report on one of those trojan variants indicates that it is often installed by another malicious program, so you should check your system thoroughly, making sure you have the absolute latest virus definition updates installed in your anti-virus program. You should also download and run Ad Aware and SpyBot if you haven't already; links to those utilities are in my sig below. Before running Ad Aware, configure it as follows:

Click "use custom scanning options", and then click "Customize"

- In Settings, under 'scanning' - have it set to:
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URLs,'
'scan my hosts file.'

- In 'tweaks':

under 'scanning engine', set it to: 'unload recognized processes during scanning.'
under 'cleaning engine', set it to: 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'

- Select 'activate in-depth scan' before starting scan.

0

Looks like we were posting at the same time. Your log does show that you've got "unwanted guests" in your system, so run Ad Aware and SpyBot as I indicated above; let them fix everything they find.

Also- I believe the "Search-For-You" crap is associated with some version of the Cool Web Search trojan. You should download and run CWShredder (again, link is in my sig) to try to remove the stuff.

Once you've run the utilities, delete all of your browser cookies and all Temp/Temporary Internet files (including "offline content"), empty your trash, and reboot.


After you've done the above, post a fresh HJT log and we'll take it from there.

0

Now I have done all you asked :O) and this is the new log

Logfile of HijackThis v1.98.0
Scan saved at 10:19:58, on 21-07-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\bcwcuj.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\Administrator\Application Data\crpw.exe
C:\WINDOWS\System32\rdw.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-for-you.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {66FE610C-BF31-5AB1-D656-64550DA67A13} - C:\WINDOWS\System32\pkhiv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\svshost.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - HKLM\..\Run: [ynkdejahjwszz] C:\WINDOWS\System32\bcwcuj.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Sswh] C:\Documents and Settings\Administrator\Application Data\crpw.exe
O4 - HKCU\..\Run: [Knp] C:\WINDOWS\System32\rdw.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\log.dll

Norton didn't find anything new, but all the others did :O)

But I still think that there is something there because:

Every time I start/restart the computer I get the following message when Windows starts:

Winupd.exe - this component was not found
This program could not start, because cmid.dll was not found; the problem could perhaps be solved by installing the program again.
(I have translated this message to English, so the error message isn't exact word for word, but the basics of the error should be of use to you)

When Norton starts I get this message:

Norton AntiVirus has detected a virus on your computer:

Object name: C:\windows\system32\log.dll
Virus name: Backdoor.trojan
Action taken: Unable to repair this file

Then I press the OK button, and immediately the same window pops up, but in action taken it writes: Access to the file was denied.
And I can press the OK button, and these two windows take turns popping up.

Furthermore, I have a process in my task manager called mstasks2.exe that occupies 99 % of the CPU, so I have to end that process if I want to do anything on the machine.

Hope the information can be useful.

And thanks again

0

By the way.

I also ran Ad Aware, Spybot and CWShredder, and they all found and fixed at least 10 files.

I also deleted my temporary internet files and cookies, but I'm not sure that they were deleted properly, because it didn't take very long, and knowing my friend he would never delete those things on his own.

0

You still have the CWS infection. Which version of the shredder do you have? It should be 1.59.1, & ALL windows, browser & folder, must be closed when fixing with HijackThis or it will not work.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-for-you.com/searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-for-you.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-for-you.com/searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-for-you.com/searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {66FE610C-BF31-5AB1-D656-64550DA67A13} - C:\WINDOWS\System32\pkhiv.dll

O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\svshost.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\winupd.exe
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - HKLM\..\Run: [ynkdejahjwszz] C:\WINDOWS\System32\bcwcuj.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Sswh] C:\Documents and Settings\Administrator\Application Data\crpw.exe
O4 - HKCU\..\Run: [Knp] C:\WINDOWS\System32\rdw.exe

O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O20 - AppInit_DLLs: C:\WINDOWS\System32\log.dll

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINDOWS\System32\svshost.exe
C:\WINDOWS\system32\wintime.exe
C:\WINDOWS\winupd.exe
C:\WINDOWS\System32\bcwcuj.exe
C:\WINDOWS\mstasks2.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\rdw.exe
C:\WINDOWS\System32\log.dll (make sure this file is not *read only*)

C:\Program Files\WindowsSA
C:\Documents and Settings\Administrator\Application Data\crpw.exe

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Check the spelling & location on all those files to ensure you do not delete the wrong ones. The legitimate svchost.exe lives in the system32 folder. Do not delete that one.

Reboot normally after doing the above then post a fresh log please.
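The list above was built by reading the log line by line and applying a few rules: an autostart whose executable name is one letter away from a real system binary (svshost, svchosd), a genuine system name running from the wrong folder (svchost.exe in C:\WINDOWS instead of system32), an autostart living in a user's Application Data folder, a BHO with no name, a DPF entry loading a local file://, an AppInit_DLLs value, and browser search/start pages pointing somewhere nobody chose. The script below is an added example (not part of this thread or of HijackThis) that encodes those rules as a first-pass triage over HijackThis-style lines. The trusted-host list, the set of imitated system names and the expected system32 location are assumptions chosen for the example; the sample entries are a constructed subset of the logs posted in this thread.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the HijackThis entries posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-for-you.com/searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-for-you.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {66FE610C-BF31-5AB1-D656-64550DA67A13} - C:\WINDOWS\System32\pkhiv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\System32\svshost.exe
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Sswh] C:\Documents and Settings\Administrator\Application Data\crpw.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\log.dll
"""

# Assumed triage data for this example (not from HijackThis itself).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIR = r"c:\windows\system32"          # where the names above legitimately live
TRUSTED_HOSTS = {"www.microsoft.com", "www.msn.com", "g.msn.com", "www.google.com"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^",]*?\.(?:exe|dll|ocx))"?', re.IGNORECASE)
EXE_RE = re.compile(r"[\w~.\-]+\.exe", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name):
    """Return the system binary this name imitates (within two edits), else None."""
    name = name.lower()
    if name in SYSTEM_NAMES:
        return None                      # the real name is not a look-alike
    for real in sorted(SYSTEM_NAMES):
        if edit_distance(name, real) <= 2:
            return real
    return None


def check_command(cmd):
    """Reasons an O4 autostart command deserves a closer look."""
    reasons = []
    exe, path = EXE_RE.search(cmd), PATH_RE.search(cmd)
    if exe:
        real = lookalike(exe.group(0))
        if real:
            reasons.append(f"{exe.group(0)} looks like the system binary {real}")
        if not path:
            reasons.append(f"{exe.group(0)} is started without a full path")
    if path:
        p = PureWindowsPath(path.group(1))
        if p.name.lower() in SYSTEM_NAMES and str(p.parent).lower() != SYSTEM_DIR:
            reasons.append(f"{p.name} should live in {SYSTEM_DIR}, not {p.parent}")
        low = str(p).lower()
        if "\\application data\\" in low or "\\temp\\" in low:
            reasons.append(f"{p.name} autostarts from a user-profile data folder")
    return reasons


def triage(log_text):
    """Return (line, reason) pairs for every entry a rule fires on."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            value = body.split(" = ", 1)[1] if " = " in body else ""
            host = re.match(r"https?://([^/]+)", value)
            if value.startswith("res://") or (host and host.group(1).lower() not in TRUSTED_HOSTS):
                findings.append((line, "browser start/search page points at an untrusted target"))
        elif sec == "O2" and ("(no name)" in body or "(no file)" in body):
            findings.append((line, "BHO with no name or no backing file"))
        elif sec == "O4":
            cmd = body.split("] ", 1)[1] if "] " in body else body
            findings.extend((line, why) for why in check_command(cmd))
        elif sec == "O16" and "file://" in body.lower():
            findings.append((line, "DPF entry loads from a local file:// path"))
        elif sec == "O20" and "AppInit_DLLs:" in body and body.split(":", 1)[1].strip():
            findings.append((line, "AppInit_DLLs is set; that DLL is loaded into every GUI process"))
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {line}")
```

Run over the constructed sample it flags nine of the twelve entries and leaves the NVIDIA, Norton and about:blank lines alone; the two negatives matter as much as the hits, since a rule that fires on everything is no help when reading a 60-line log. Everything it flags is still a candidate for a human to confirm, exactly as the helpers in this thread did by hand.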

0

Thank you, I will try this, but I have one problem though. The Norton virus alert window keeps popping up, and there is no way I can make it stop; it is not enough to disable auto protection, so I have to find out how to shut down Norton completely :O) but I'll try....

Thx very much

0

I found out how to get Norton to stop sending the virus alert, so here is the new log

Logfile of HijackThis v1.98.0
Scan saved at 19:57:04, on 21-07-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Hijack this\HijackThis.exe

O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [uxctluc] C:\WINDOWS\System32\bcwcuj.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O20 - AppInit_DLLs: C:\WINDOWS\System32\log.dll

There were 4 files I did not find when I was in safe mode:
C:\WINDOWS\system32\wintime.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\log.dll (make sure this file is not *read only*)
C:\Documents and Settings\Administrator\Application Data\crpw.exe

But I can see in the HijackThis log that the log.dll file is still present in the system..... strange, I will look for it once more. :O)

And I still get the virus alert from Norton.

0

" C:\Programmer\Internet Explorer\iexplore.exe"

The above seems to indicate that you still had IE running when you ran HJT- you need to totally quit/close your web browser or else HJT won't be able to fully perform its function.

After closing your browser, run HJT again and have it fix:

O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O4 - HKLM\..\Run: [uxctluc] C:\WINDOWS\System32\bcwcuj.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\log.dll

You will need to reboot into safe mode and find and delete mxTarget.dll, bcwcuj.exe, and log.dll. Don't use Windows Explorer's search function to find these files, but instead:

In Windows Explorer, go to your Tools menu and select Folder Options. In the Advanced section under the View tab, check "show hidden files and folders"; uncheck "hide extensions for known filetypes" and "hide protected operating system files". Click OK.

After that, manually navigate to the Windows and Windows\System folders to look for the files you need to delete. For files with seemingly gibberish-looking names such as the "bcwcuj.exe" file, it can often be helpful to sort files by date/time instead of filename. Many malicious programs create multiple files with random and obscure names; if you see a pile of these that, judging from their date stamp, all got installed exactly (or almost exactly) at the same time, you should be suspicious of all of them.

I also deleted my temporary internet files and cookies, but I'm not sure that they were deleted properly, because it didn't take very long, and knowing my friend he would never delete those things on his own.

Good catch- you're almost certainly right. Here's how to find and delete those items manually (do this while booted into safe mode):

1. In your Documents and Settings folder you'll find folders for the Administrator account, any user accounts you've created, and probably a couple of other default accounts. Within each of those user folders, look for the following subfolders and delete their contents.

- Cookies
- Local Settings\History
- Local Settings\Temp
- Local Settings\Temporary Internet Files

* If you get a warning about the desktop.ini or index.dat files, choose to delete them; they are system files which will automatically be regenerated when needed.

2. C:\Windows\Temp

After doing all of the above deletions, make sure to empty your Recycle Bin before rebooting.
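The "sort by date/time and look for a pile of files written at the same moment" advice above is a timestamp-clustering triage, and it can be done in code rather than by eye when a folder holds hundreds of files. The script below is an added example, not from this thread or from any of the tools it mentions. It groups files whose modification times chain together within a short window and reports only groups of three or more; the file names come from this thread's logs, but their timestamps are constructed for the example, and the two-minute window and the three-file threshold are assumed values a triager would tune.

```python
import os
from datetime import datetime, timedelta

# Constructed sample: names from this thread's logs with made-up modification times.
BASE = datetime(2004, 7, 19, 22, 14, 0)
SAMPLE_ENTRIES = [
    ("SOUNDMAN.EXE", BASE - timedelta(days=210)),
    ("NvCpl.dll", BASE - timedelta(days=95)),
    ("bcwcuj.exe", BASE),
    ("rdw.exe", BASE + timedelta(seconds=12)),
    ("log.dll", BASE + timedelta(seconds=41)),
    ("pkhiv.dll", BASE + timedelta(seconds=58)),
    ("NeroCheck.exe", BASE - timedelta(days=40)),
    ("crpw.exe", BASE + timedelta(hours=6)),
]


def cluster_by_mtime(entries, window=timedelta(minutes=2), min_size=3):
    """Group (name, mtime) pairs whose times chain together within `window`.

    A file joins the current group if it was written no more than `window`
    after the previous file; groups smaller than `min_size` are dropped.
    """
    ordered = sorted(entries, key=lambda e: e[1])
    clusters, current = [], []
    for name, ts in ordered:
        if current and ts - current[-1][1] > window:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append((name, ts))
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


def scan_folder(path, suffixes=(".exe", ".dll")):
    """Collect (name, mtime) for executables and DLLs directly inside `path`."""
    found = []
    with os.scandir(path) as it:
        for entry in it:
            if entry.is_file() and entry.name.lower().endswith(suffixes):
                found.append((entry.name, datetime.fromtimestamp(entry.stat().st_mtime)))
    return found


def report(clusters):
    """Render clusters as text, oldest group first."""
    lines = []
    for group in clusters:
        first, last = group[0][1], group[-1][1]
        lines.append(f"{len(group)} files written between "
                     f"{first:%Y-%m-%d %H:%M:%S} and {last:%H:%M:%S}:")
        lines.extend(f"    {ts:%H:%M:%S}  {name}" for name, ts in group)
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real machine: print(report(cluster_by_mtime(scan_folder(r"C:\WINDOWS\System32"))))
    print(report(cluster_by_mtime(SAMPLE_ENTRIES)))
```

On the sample the four files dropped within one minute of each other form the only cluster, while the driver and Nero files, installed months apart, stay out of it. Modification times are easy for malware to forge, so a cluster is a reason to look, not proof; the same applies to the absence of one.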

0

Thanks, I will try this, but I know that the only window that was open was HijackThis; I was very careful about that :O)
But should I try and disable all the programs running in the systray?

0

I have done all you asked exactly as you specified.
I even disabled those programs in the systray that could be disabled.

When I wanted to get HJT to delete the files you asked for, it warned me that I should close IE, but there were no open windows; to be completely sure, I checked the task manager, and there were no programs running.

Here is the new log:

Logfile of HijackThis v1.98.0
Scan saved at 10:51:27, on 22-07-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Hijack this\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O20 - AppInit_DLLs: C:\WINDOWS\System32\log.dll

This log is taken after I tried to delete these files, and when I was scanning for this log, IE was running, because I was writing this message at the same time, but it was only running during the scan, not when I made the first scan, where I chose the files I wanted deleted :O)

But even though I did as you instructed in the folder options, I could not find bcwcuj.exe and log.dll.

And I still get the Norton virus alert :O(

I will try to run Ad Aware, Spybot, CWShredder and Norton once more.

0

This is the new log file

Logfile of HijackThis v1.98.0
Scan saved at 11:06:15, on 22-07-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Hijack this\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Fælles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

I couldn't find bcwcuj.exe or log.dll, even though I did everything you asked, including the folder settings

When I wanted to delete an index.dat file under the Administrator folder in safe mode, I got the message that it could not be deleted because it was used by another user or program

I have started to consider that the only way to completely clean the machine would be to make a clean installation of Windows :O)

What do you think?

0

I have started to consider that the only way to completely clean the machine would be to make a clean installation of Windows :O)

What do you think?

It definitely would be. We tend to spend way more time trying to clean them, when a format and clean install is much faster!

0

When I wanted to delete an index.dat file under the Administrator folder in safe mode, I got the message that it could not be deleted because it was used by another user or program

Sorry about that- forgot to mention that if there's an index.dat file in the main, top-level folder you're deleting items from, it won't let you delete that file (which is OK). It was index.dat or desktop.ini files in any subfolders of the main folder that I was talking about.

0

I have deleted all the index and desktop files in the subfolders :O)

Thank you all very much for your help. It has actually been fun, and I have learned a lot from this :O)

But now I will make a clean installation of Windows. And then I can hope that my friend also learns from this, when he loses all his data :O)

0

Glad we could help, and glad I learned a few new things along the way. :idea:

Now that you know how nasty this stuff can be, you want to do your best not to get infected again once you install the fresh system. Right after the installation, make sure to tighten up your system by getting your anti-virus and anti-spyware programs up and running, and then immediately installing all of the Microsoft patches, updates, bug fixes, etc.

0

I recently got a trojan horse from AIM and it has affected a file named "3D8.tmp" in system32. When I open Task Manager, there is an application named "3D8.tmp" with the user name SYSTEM there. I clicked on END PROCESS, but it still stays there.
This is my log for HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 2:15:31 PM, on 6/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\system32\3D8.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\3D8.tmp
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\3D8.tmp
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [Microsoft (R) Windows TCP/IP Socket Driver] C:\WINDOWS\system32\3D8.tmp
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?58712b70365b469fb6165ce746daf4
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?58712b70365b469fb6165ce746daf4
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131153849171
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Windows Genuine Advantage Validation (wgav) - Unknown owner - C:\WINDOWS\system32\wgav.exe
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\system32\3D8.tmp

Can someone help? I would really appreciate it.
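The log above is a good illustration of why a single "End Process" does nothing: the same binary is wired into four separate autostart points (the Winlogon Shell and UserInit values, an HKLM Run key, and a service), so whatever kills it is simply restarted at the next logon or service start. The following script is an added example by the editor, not HijackThis's own logic or anything from the original posts. It parses the F2, O4 and O23 lines of an HJT log, pulls out the executable paths they reference, applies a few simple heuristics (Shell/UserInit values that differ from the XP defaults, services with no vendor name, autostarts pointing at non-executable extensions or at a Temp directory), and groups the findings per binary so that a file referenced from several persistence mechanisms stands out. The sample log embedded in it is constructed from the entries in the post above, and the heuristics, thresholds and the assumption that the Windows directory lives under `\system32` are the editor's.

```python
"""Triage a HijackThis (HJT) log for suspicious persistence entries.

Added example (editor's code, not HijackThis's own logic): groups autostart
references per binary so that one file chained into several mechanisms,
as 3D8.tmp is in the log above, is reported once with all its reasons.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Only lines carrying an HJT section tag (F2, O4, O23, ...) are examined;
# the untagged "Running processes" block is skipped.
TAG_RE = re.compile(r"^([A-Z]\d{1,2}) - ")

# Drive-letter paths ending in a known extension. Stops at the comma that
# separates UserInit entries and rundll32 arguments, and tolerates spaces.
PATH_RE = re.compile(
    r'"?([A-Za-z]:\\[^",]+?\.(?:exe|dll|ocx|cpl|scr|sys|tmp|bat|cmd|pif|com))"?',
    re.IGNORECASE,
)

# Extensions an autostart entry would normally point at (editor's list).
EXEC_EXT = {".exe", ".dll", ".ocx", ".cpl", ".scr", ".sys", ".com"}


@dataclass
class Finding:
    reasons: set = field(default_factory=set)
    lines: list = field(default_factory=list)

    @property
    def hits(self):
        """Number of distinct log lines that reference this binary."""
        return len(self.lines)


def find_paths(line):
    return [m.group(1) for m in PATH_RE.finditer(line)]


def check_line(line):
    """Return (path, reason) pairs for one tagged HJT line."""
    m = TAG_RE.match(line)
    if not m:
        return []
    tag = m.group(1)
    lower = line.lower()
    paths = find_paths(line)
    out = []

    if tag == "F2" and "shell=" in lower:
        # On a clean XP box the Winlogon Shell value is exactly "Explorer.exe";
        # anything appended to it is launched at every logon.
        value = line.split("=", 1)[1].strip()
        if value.lower() != "explorer.exe":
            out += [(p, "extra program chained into Winlogon Shell") for p in paths]

    if tag == "F2" and "userinit=" in lower:
        # UserInit normally lists only <systemroot>\system32\userinit.exe.
        # Compared on the suffix so the system drive letter does not matter.
        out += [
            (p, "extra program chained into Winlogon UserInit")
            for p in paths
            if not p.lower().endswith(r"\system32\userinit.exe")
        ]

    if tag == "O23" and "unknown owner" in lower:
        # HJT prints "Unknown owner" when the service binary carries no company
        # name. That is not proof of malware, only a reason to look by hand.
        out += [(p, "service binary with no vendor information") for p in paths]

    if tag in {"F2", "O4", "O23"}:
        for p in paths:
            ext = ntpath.splitext(p)[1].lower()
            if ext not in EXEC_EXT:
                out.append((p, f"autostart of a non-executable extension ({ext})"))
            if "\\temp\\" in p.lower():
                out.append((p, "autostart from a Temp directory"))
    return out


def triage(log_text):
    """Group findings by case-folded binary path across the whole log."""
    report = defaultdict(Finding)
    for raw in log_text.splitlines():
        line = raw.strip()
        for path, reason in check_line(line):
            f = report[path.lower()]
            f.reasons.add(reason)
            if line not in f.lines:
                f.lines.append(line)
    return dict(report)


# Constructed sample, modelled on the entries in the post above (not a capture).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\3D8.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\3D8.tmp
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\3D8.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft (R) Windows TCP/IP Socket Driver] C:\WINDOWS\system32\3D8.tmp
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\system32\3D8.tmp
"""

if __name__ == "__main__":
    for path, f in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1].hits):
        print(f"{path}: {f.hits} autostart reference(s)")
        for r in sorted(f.reasons):
            print(f"    - {r}")
```

Run against the sample it reports only `c:\windows\system32\3d8.tmp`, with four referencing lines and four reasons; NvCpl.dll, BackWeb and the Canon service produce nothing. The practical point for a cleanup is the `hits` count: every one of those lines has to be fixed in the same pass, with the file itself removed while it is not running (safe mode or an offline boot), or the remaining entry simply recreates the process.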

0

Hi heyitskitcat.

First of all- welcome to Daniweb :).

We ask that members not piggy-back questions on to a thread previously started by another member here in the Viruses, Spyware & other Nasties forum, (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.
