Cant get rid of a trojan horse!!!

J?kull · Mar 29, 2004

My computer got infected yesterday by a virus called "pws.hooker.trojan", located in C:\windows\tgbcde\library32.dll. Norton Antivirus finds it and deletes it when running in safemode/ and with the system restore function off. But every time i start the computer again the virus is back. The virus is somehow causing the CPU to be at 100% nonstop so I really cant do anything on the computer anymore.
I have been looking ALL day for solutions on the net on my other computer without any luck. I installed TDS3 and it found three more trojans that Norton Ant. didnt find, but still TDS3 doesnt seem to find anything about this PWS.Hooker.Trojan virus, which seems to be the guilty one. On the internet this trojan is often mentioned together with worms like the w32.bugbear worm, but I ran a patch that was supposed to get rid of it and it didnt find anything.

I guess the virus has added some values in the registry causing the virus to be run on start up, but the registry entries that symantec mentions do not apply in this case, so I dont know what/ or where to look for it.
I have read everything on Symantecs pages about the virus but I couldnt find anything that helped.

Please!

I bet some of you guys have experience from something similar...

FluxGFX · Mar 29, 2004

Download and install the HiJackThis!

Copy paste the results.
http://www.spywareinfoforum.com/~merijn/downloads.html

Pilli · Mar 29, 2004

Hi Jokull
TDS3 does detect binded Hooker 2.4 but I don't know if that is the same as the one mentioned

Also you could post your AutoStart viewer txt here:
Link: http://www.diamondcs.com.au/index.php?page=products
Runit and select the first two options in Main save the file to notepad and cut and paste the text here.

J?kull · Mar 29, 2004

I am a new TDS user and I couldnt understand how to simply copy the info in the TDS autostart explorer. The usual procedure, highlight and copy didnt work. Plus its very hard for me to do anything in TDS when not in safemode, because of the CPU beeing at 100% all the time, causing TDS and another programs to crash all the time. ( I am messaging this from another comp.) And my guess is that you want the particular information from TDS when the virus is currently working in the background, i.e. not in safemode.

But I managed to Hijackthis and I will paste the log here.
Hope this will tell you something...

Logfile of HijackThis v1.97.7
Scan saved at 00:03:55, on 2004-03-30
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\DeltTray.exe
C:\WINDOWS\anvshell.exe
C:\Program\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\tgbcde\module32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program\UltraMon\UltraMon.exe
C:\Program\UltraMon\UltraMonTaskbar.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Norton Personal Firewall\NISUM.EXE
C:\Program\Hijackthis\HijackThis.exe
C:\Program\Symantec\LiveUpdate\NDETECT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ganpug.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ganpug.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wwwa.aftonbladet.se/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ganpug.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ganpug.t.muxa.cc/h.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ganpug.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ganpug.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ganpug.t.muxa.cc/s.php?aid=33 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://e-plus.cc/search.php?aff_id=46&keyword=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.telia.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = login1.telia.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2BC43670-C0BD-4794-BB11-F60F3E001DC5} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program\Delade filer\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [tgbcde] C:\WINDOWS\tgbcde\module32.exe arg1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: EarTest (2).lnk = C:\Program\EarTest\EARTEST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetVoyager.lnk = C:\Program\NetVoyager\NetVoyager.exe
O4 - Global Startup: UltraMon.lnk = C:\Program\UltraMon\UltraMon.exe
O8 - Extra context menu item: ordabok.is - http://www.ordabok.is/browser.asp
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/crack.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38019.2030439815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Pilli · Mar 29, 2004

Well done, I am no expert with HJT logs but one will be along shortly

dvk01 · Mar 29, 2004

It's a cws hijack do all this please
First download CWshredder from http://www.thespykiller.co.uk then Run it
Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.
and make sure you follow the advice about the security updates listed on the last page, in order to prevent re-infection, otherwise you will be continually reinfected
the patches are :
http://support.microsoft.com/default.aspx?kbid=828026
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp
*Note: The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates & service Packs"
then reboot &

Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

Spybot - Search & Destroy from http://security.kolla.de
AdAware 6 from http://www.lavasoft.de/support/download

Run Sybot S&D

After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot &

Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
the current ref file should read at least 01R277 29.03.2004 or a higher number/later date

Then ........

Make sure the following settings are made and on -------"ON=GREEN"
From main window :Click "Start" then " Activate in-depth scan"

then......

click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

then.........

go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

then...... click "proceed" to save your settings.

Now to scan it´s just to click the "Scan" button.

When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

reboot again

then post a new hijackthis log to check what is left

dvk01 · Mar 29, 2004

And this is a new keylogger trojan that only has turned up in the last 48 hours so get a copy of the file and send it to diamond support

O4 - HKCU\..\Run: [tgbcde] C:\WINDOWS\tgbcde\module32.exe arg1

in fact it is proabably a good idea to get hold of the entire C:\WINDOWS\tgbcde folder and let GAvin have a copy

I am sure there are other nasties in there helping the one showing to do it's nasty work

Pilli · Mar 30, 2004

Jokull, Once you have completed dvk01's advice plese:

Download the latest TDS3 radius file from hare: http://tds.diamondcs.com.au/index.php?page=update
Start TDS3 and open the configuration menu, enable all of the items in "initialization" except for initialize sockets and all of the items in startup scanning.
In scan control scan options enable all, in the "generic" section enable both Anti Trojan - antiworm /scripts. Move the generic sensitivity to high. In the available scans select "scan all logical drives. Then start the scan

This is a very deep and complex scan so please ensure that your AV and other resident programmes are disabled as this scan van take quite a time on large hard drives.

At the end of the scan you will see the results at the bottom of the TDS console.

Right clicking on the results will give you the details. Please do not delete just yet.
Note the location of any of the files. Navigate to them using your file manager and copy them into a .zip file. Send the .zip file to submit@diamondcs.com.au for analysis.

Once this has been achieved then use the right click on the files in the TDS console to delete them.

Thanks - Pilli

J?kull · Mar 30, 2004

Big thx for the advices!

I have finally completed everything that dvk01 suggested. I.e. installed and runned, updated spybot, shredder, adaware, windows update. The programs found some dubious things in the registry and some spyware and that has now been deleted. I have also updated Norton Antivirus and the program still finds the virus "pws.hooker.trojan" and can as before delete it only in safe mode. But when I start the computer again its back again. I dont have to run N.A. to know that, the program tells me this right from the start in a alert window that wont go away.

Right now I have updated TDS and I am letting it scan the way pilli described. ( I am doing this in safe mode, can TDS still find the virus, even if its not running in the background as in normal mode?).

Here is the updated "HijackThis" log after I hade done the things dvk01 mentioned.

Thx

Logfile of HijackThis v1.97.7
Scan saved at 14:37:38, on 2004-03-30
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\anvshell.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\tgbcde\module32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program\UltraMon\UltraMon.exe
C:\Program\UltraMon\UltraMonTaskbar.exe
C:\Program\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wwwa.aftonbladet.se/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.telia.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = login1.telia.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program\Delade filer\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [tgbcde] C:\WINDOWS\tgbcde\module32.exe arg1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: EarTest (2).lnk = C:\Program\EarTest\EARTEST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetVoyager.lnk = C:\Program\NetVoyager\NetVoyager.exe
O4 - Global Startup: UltraMon.lnk = C:\Program\UltraMon\UltraMon.exe
O8 - Extra context menu item: ordabok.is - http://www.ordabok.is/browser.asp
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/crack.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38019.2030439815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Jooske · Mar 30, 2004

Hi Jökull, quite a job you've done!
Did you submit the psw.hooker. to submit@diamondcs.com.au? they will love to get it from you to look deeper into the file.

What happens when you try to scan with TDS in safe mode? does it run at all and do you get any alerts?
I'm not 100% sure if it is working properly that way; if you get some alerts you knowit is working, but of course i hope you're clean now.
If you don't get any results you best run in normal mode as well another time.

You run XP: did you disable system restore in the clean situation, reboot, enable system restore again and manually make a new system restore point?

I'm sure the dvk and Pilli will help you further.

Bowserman · Mar 30, 2004

Have a look at this thread regarding C:\WINDOWS\tgbcde\module32.exe....and also this one.

I am sure someone can advise further though .

Regards,
Jade.

J?kull · Mar 30, 2004

I ran a full TDS scan as Pilli suggested (in safe mode). It gave me some alerts but nothing important. Mostly remarks about strange names of some of my personal documents and some temp files that were locked. I am going to do the same scan now in normal mode. The reason why I did it in safe mode was because of the virus causing the CPU to be at 100% the scan in normal mode probably takes about 12 hours or something like that.

I had TDS on autostart with windows and it actually found the virus this time. Here is what it said "Live trojan found (in process memory)
- Uknown Trojan. File name was C:\windows\tgbcde\module32.exe

So everything is still pretty much the same. The virus is still there, the CPU is always at 100%, and the N.A alert window is constantly on the screen.

I am going to try to send this hardheaded virus to the Diamond team as suggested.

Another question: TDS tells me each time that "A change has been detected in the autostart registry". But how do I see these particular changes. Ctrl+A gets me to the registry but TDS doesnt hightlight the change so I dont know what to look for.

Jooske asked "You run XP: did you disable system restore in the clean situation, reboot, enable system restore again and manually make a new system restore point?" I disabled system restore before doing the scans, but I have still not reached the clean situation.

Jooske · Mar 30, 2004

That module32.exe worried me too, but ok, you might either like to zip it or rename it with something behind it like .tmp for instance so it can't run anymore for the moment.
I'm not going to tell to repair or delete anything as dvk01 and other specialists are on it and have their steps for you to take.
There must be a way to kill the process -- if you have TDS up, do you see in the process list that nasty running? fingers crossed you did and are able to kill the process to have some space for scanning and all the other stuff you want to do.
Yeah, i forgot the 100% CPU use, i hope with killing the thing you will be able at least one session to scan all.
Indeed there was no clean situation yet.
Another way would be grab Port Explorer and see the nasty process and kill it via that way.
Indeed it is difficult to know which AutoStart changed in the registry, this is why in the next version it will be indicated what and where the changes are, but this doesn't help you really at this moment.
I guess it is the re-install of the nasty if you were able to kill/delete it and it got itself back in place, such annoying things i guess.

J?kull · Mar 30, 2004

Ok, now we are getting somewhere I checked out the threads that Bowserman pointed out. The problem described there is very similar to mine. I went to "msconfig" /autostartup and there I saw there was a on object called "module32" located in C:\windows\tgbcde. I unmarked it and restarted the computer.( I didnt know of this option before) The computer was then working properly. Soon I got N.A. Alert window telling me about the pws.hooker.trojan virus, but this time the program could delete it (it could only do so in safe mode before).

In the Bowserman - thread they are also talking about a module32 but it was supposed to be located in a c:\windows\rfv folder but the difference was in my case c:\windows\tgbcde.

I also unmarked other things in the msconfig\autostart menu. Object such as "rundll32 - rundll32.exe nview.dll,nviewLoadHook. I unmarked it because of for the past days I have often gotten a mysterius Hook.dll popped up on my desktop with out any explenation.

and..

mmrtkrnl - mmrtkrnl.exe

I dont know if that ones are viruses to? Perhaps you can enlighten me on that one. Should I delete the two other as well i.e. rundsll32 and mmrtkrnl??

I hope this means its gone for the moment beeing. It certainly gave me a wake up call regarding protection. I thought Norton Antivirus was enough protection against everything. But after this incident I have a big arsenal of good programs.

Thx for all of your help, I really appreciate it.

Jooske · Mar 30, 2004

Please don't delete anything yet unless told by an expert. Rundll32 normally is a normal necessary system file, to name one, so please keep it on your system.
It could for instance be located in a wrong place, thus indicating the experts it would be suspicious. In this case i have not the impression, but i leave all that to the experts.
Hope you were able to zip the module.32 thing and submit it to the TDS lab submit@diamondcs.com.au . As it was named an unknown trojan you might have a new variety so the lab would be grateful for your sample for deeper investigation.

I googled for the pws.hooker.trojan and indeed it does chose random directory names, so that part of the story fits too.
is there a file named KEYRIPPER.DLL in your windows\system or system32 too?
What i understood in the meantime the pws.hooker.trojan comes (often) together with other very nast things like bugbear, badtrans, who knows with what more and how it came on your system.
So you're not ready yet with the cleasing process, at the moment you only stopped it to be able to cleanse out better! Listen to the guys here please till they give the sign "all clear!"

Pilli · Mar 30, 2004

Hi Jokull, To aid us further can you also download the Autostart Viewer from here: http://www.diamondcs.com.au/index.php?page=products As asked for earlier in the thread.
AutoSart viewer works differently than HJT and can help determine what else may need to done to complete your clean up.

Thanks - Pilli

dvk01 · Mar 30, 2004

first zip the entire C:\WINDOWS\tgbcde\ folder and send it to support@diamondcs.com.au

then download & install reg protection from
http://www.diamondcs.com.au/index.php?page=regprot

it will pop up lots of entries do not let it start this file module32.exe

then boot into safe mode &

Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

O4 - HKCU\..\Run: [tgbcde] C:\WINDOWS\tgbcde\module32.exe arg1

O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/crack.CAB

and Delete these folders

C:\WINDOWS\tgbcde
then
Reboot normally

& re-enable everything you previously stopped in msconfig
then post a new hiujackthis log so we can check if we got it all

J?kull · Mar 30, 2004

I have not sent the virus to the diamont support. When I was experimenting with the new hints I deleted the file, and I dont know if I can get it back. I even tried to remark the entries in my "msconfig\autostart" just to see if the virus would come back on reboot but this time it didnt.

Jooske: I did not find a keyripper.dll in the windows\system folders

Pilli: Ok, now I get what you meant. I missunderstood you earlier and thought you were referring to autostart explorer in the TDS. I have downloaded the "autostartviewer" and here is the log.

Thx again,

Jökull.

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Jökull Steinthorsson@DITT-YIHYK2HRF9, 03-30-2004
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
C:\WINDOWS\System32\logon.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOWS\System32\logon.scr
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IgfxTray
C:\WINDOWS\System32\igfxtray.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HotKeysCmds
C:\WINDOWS\System32\hkcmd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
C:\Program\Delade filer\Symantec Shared\ccApp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccRegVfy
C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Advanced Tools Check
C:\Program\NORTON~1\AdvTools\ADVCHK.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DeltTray
C:\WINDOWS\system32\DeltTray.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
C:\WINDOWS\System32\NeroCheck.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
nwiz.exe /install
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Anvshell
C:\WINDOWS\anvshell.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LiveNote
C:\WINDOWS\livenote.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RoxioEngineUtility
C:\Program\Delade filer\Roxio Shared\System\EngUtil.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RoxioDragToDisc
C:\Program\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RoxioAudioCentral
C:\Program\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HPDJ Taskbar Utility
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HP Software Update
C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DeviceDiscovery
C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DAEMON Tools-1033
C:\Program\D-Tools\daemon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\GSICONEXE
C:\WINDOWS\system32\GSICON.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DSLAGENTEXE
dslagent.exe USB
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TDS3
C:\Program\TDS3\TDS-3.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultCheck
C:\WINDOWS\system32\dumprep 0 -k
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
C:\WINDOWS\System32\ctfmon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NvMediaCenter
RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
C:\WINDOWS\System32\CTFMON.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
C:\Program\NORTON~1\NAVW32.EXE
C:\WINDOWS\Tasks\Symantec NetDetect.job
C:\Program\Symantec\LiveUpdate\NDETECT.EXE
C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Adobe Gamma Loader.lnk
C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Certificate Mover.lnk
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Documents and Settings\All Users\Start-meny\Program\Autostart\EarTest (2).lnk
C:\Program\EarTest\EARTEST.EXE
C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Microsoft Office.lnk
C:\Program\Microsoft Office\Office\OSA9.EXE
C:\Documents and Settings\All Users\Start-meny\Program\Autostart\NetVoyager.lnk
C:\Program\NetVoyager\NetVoyager.exe
C:\Documents and Settings\All Users\Start-meny\Program\Autostart\UltraMon.lnk
C:\Program\UltraMon\UltraMon.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\System32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system32\JAVASUP.VXD

Pilli · Mar 30, 2004

To my untrained eye, there is nothing that stands out but I would rather the experts gave it the final OK
Shame about the files but I am glad your PC is now back in a working state

For all your hardwork I hope you will except a Karma cookie

j?kull · Mar 30, 2004

I deleted the entries dvk01 told me about. My computer is working just fine and I see no signs of the virus/trojan anymore. I also installed the registry protector dvk01 recomended. Simple yet effective program. It alerted me everytime something critical was being done in the registry, good stuff

As I said I think its all over now, but dvk01 asked me to put a "HijackThis" log once more so here you have it.

I was really amazed to get this quick and high quality support here at this forum. You have been answering every post i put up just minutes after. Big thx to you guys...

Pilli, dvk01, Jooske and Bowswerman

Regards,

Jökull.

Logfile of HijackThis v1.97.7
Scan saved at 23:45:58, on 2004-03-30
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\Program\Norton Personal Firewall\NISUM.EXE
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\DeltTray.exe
C:\WINDOWS\anvshell.exe
C:\Program\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program\Norton Personal Firewall\ccPxySvc.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\UltraMon\UltraMon.exe
C:\Program\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\UltraMon\UltraMonTaskbar.exe
C:\Program\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jökull Steinthorsson\Skrivbord\regprot\regprot.exe
C:\Program\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wwwa.aftonbladet.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program\Delade filer\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: EarTest (2).lnk = C:\Program\EarTest\EARTEST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetVoyager.lnk = C:\Program\NetVoyager\NetVoyager.exe
O4 - Global Startup: UltraMon.lnk = C:\Program\UltraMon\UltraMon.exe
O8 - Extra context menu item: ordabok.is - http://www.ordabok.is/browser.asp
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38019.2030439815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CB1B4A5-8A58-4D77-90B5-A2E7726BF545}: NameServer = 195.67.199.39 195.67.199.40

puff-m-d · Mar 30, 2004

Hi jökull,

Your log looks clean but I do have one question...
Do you have any items disabled in startup via msconfig?
If so, you may want to enable them and post a new HJT log.

Regards,
Kent

J?kull · Mar 30, 2004

Yes, I had "C:\WINDOWS\tgbcde\module32.exe arg1" disabled at msconfig. Instead of enabling it and running hijackthis again I searched in the registry editor for module32. And I found a some entrys at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\tgbcde. Here I found entrys such as

C:\WINDOWS\tgbcde\module32.exe arg1,
Item-reg_SZ-module32,
key-REG_SZ-Software\microsoft\windows\currentversion\run.

I also found this tgbcde entry at:
HKEY_USERS\S-1-5-21-833800102-1989038691-135915348-1005\Software\Microsoft\Windows\CurrentVersion

Name:tgbcde - type:REG_BINARY

Is it safe for me to delete all the files in this tbcde folder? I got the impression that this tbcde business was entirely created by the trojan virus and has nothing to do with windows.

puff-m-d · Mar 30, 2004

Hi Jökull,

Yes, you can delete the entire folder: C:\WINDOWS\tgbcde

Also you may have a entry reappear in HJT for the module32.exe (when you enable it in msconfig) and if it does just go ahead and remove it with HJT. Do not worry about it being able to run once you have deleted the entire folder.

Regards,
Kent

Jooske · Mar 31, 2004

Oops!
in case it does reappear, please try to find that folder in your system if possible, zip the entire folder and please submit to submit@diamondcs.com.au
As you have a new variety it seems, and your discovery can save the world. After you can delete it like Kent just says. Hope my message doesn't come too late!

You say the team is quick and toroughly working on your problem: yes of course, as it's our mission to help people cleaning their valuable systems, we love working as a team as each has their own insights -- we might add such threads to our personal CV !

AquaDemon · Apr 12, 2004

just a word of though that this HUGE topic wasn't neccesary...
at startup press CTRL+ALT+DEL and end task the 2 processes called module32.exe [on my system it was twice ]
behind the process name there is always a pathname...

plus, once in problem is over run explorer.exe in the task manager and msconfig and disable module32.exe from starting up

Also if you want to know if you still got this trojan on your system the kbd.txt file is the stuff it sends to the hijacker...

Log in or Sign up

Cant get rid of a trojan horse!!!

J?kull Guest

FluxGFX Registered Member

Pilli Registered Member

J?kull Guest

Pilli Registered Member

dvk01 Global Moderator

dvk01 Global Moderator

Pilli Registered Member

J?kull Guest

Jooske Registered Member

Bowserman Infrequent Poster

J?kull Guest

Jooske Registered Member

J?kull Guest

Jooske Registered Member

Pilli Registered Member

dvk01 Global Moderator

J?kull Guest

Pilli Registered Member

j?kull Guest

puff-m-d Registered Member

J?kull Guest

puff-m-d Registered Member

Jooske Registered Member

AquaDemon Registered Member

Log in or Sign up

Cant get rid of a trojan horse!!!

J?kull Guest

FluxGFX Registered Member

Pilli Registered Member

J?kull Guest

Pilli Registered Member

dvk01 Global Moderator

dvk01 Global Moderator

Pilli Registered Member

J?kull Guest

Jooske Registered Member

Bowserman Infrequent Poster

J?kull Guest

Jooske Registered Member

J?kull Guest

Jooske Registered Member

Pilli Registered Member

dvk01 Global Moderator

J?kull Guest

Pilli Registered Member

j?kull Guest

puff-m-d Registered Member

J?kull Guest

puff-m-d Registered Member

Jooske Registered Member

AquaDemon Registered Member

Useful Searches