Spyware Cleaning Section Closed!!
Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services.
#1
Hey
I seem to be infected with a Trojan Horse. First sign was a programme running called 'Ech' on my task manager upon startup. I disabled this on the startup configuration but I think it is still running elsewhere. My Windows Media Player has also broken down now and doesn't load up. I've taken the advice of several people on here and done a full scan of my computer using quite a few different programmes, including specialist trojan search engines, and all results come out clear, so I'm at a loss now what to do. Any advice would be greatly appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 15:12:44, on 5/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\STDSB.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\AWLGTSTA.EXE
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Packard Bell EverSafe\TrayControl.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kat\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\apps\Adobe\Acrobat 5.1\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-gb\msntb.dll
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AWLGTSTA.EXE] AWLGTSTA.EXE
O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [NovaNet-WEB Tray Control] C:\Program Files\Packard Bell EverSafe\TrayControl.exe
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Packard Bell EverSafe Tray Control.lnk = C:\Program Files\Packard Bell EverSafe\TrayControl.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
#2
Hi Kat_wwe,
A few that I don't know:

O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [AWLGTSTA.EXE] AWLGTSTA.EXE

Find the corresponding files, right-click them and let us know what they say under Properties > Version tab.

And one that can be disabled:

O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe

For WMP: http://www.wilderssecurity.com/showthread.php?t=28027

Regards, Pieter
__________________
Regards, Pieter. It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
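The triage step Pieter describes, pick out the autostart entries that nobody recognises and go look at the files, can be done mechanically over the log. The following is an added example and not code from the thread or from Wilders Security: it parses the O4 (Run key and Global Startup) and O1 (Hosts) lines out of a HijackThis log, recovers the executable from each command line, and reports the entries whose basename is not on an allowlist. SAMPLE_LOG is a constructed subset of the log posted in #1, and KNOWN_GOOD is an assumed allowlist built from the entries that were not questioned; a real allowlist would come from a vetted startup-entry database.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a subset of the O1/O4 lines from the HijackThis log posted in #1.
SAMPLE_LOG = r"""O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AWLGTSTA.EXE] AWLGTSTA.EXE
O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Packard Bell EverSafe Tray Control.lnk = C:\Program Files\Packard Bell EverSafe\TrayControl.exe
"""

# Assumed allowlist of executable basenames (lowercase) that the reviewer already recognised.
KNOWN_GOOD = {"soundman.exe", "ccapp.exe", "msnmsgr.exe", "traycontrol.exe"}

RUN_RE = re.compile(r'^O4 - (?P<loc>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$')
HOSTS_RE = re.compile(r'^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$')


@dataclass
class AutostartEntry:
    location: str        # "HKLM", "HKCU" or "Global Startup"
    name: str            # Run value name, or the .lnk name for Global Startup
    command: str         # command line exactly as HijackThis logged it
    image: str           # executable recovered from the command line
    has_directory: bool  # False for bare names such as SOUNDMAN.EXE, which Windows resolves by path search


def image_from_command(cmd: str) -> str:
    """Recover the executable from a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path: everything up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path, possibly containing spaces: cut at the first ".exe" token boundary.
    m = re.search(r'\.exe(?=\s|$)', cmd, re.IGNORECASE)
    if m:
        return cmd[:m.end()]
    return cmd.split()[0]


def parse_autostarts(log: str) -> List[AutostartEntry]:
    """Collect O4 entries (Run keys and Global Startup shortcuts) from a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = RUN_RE.match(line)
        if m:
            loc, name, cmd = m['loc'], m['name'], m['cmd']
        else:
            m = STARTUP_RE.match(line)
            if not m:
                continue
            loc, name, cmd = "Global Startup", m['name'], m['cmd']
        image = image_from_command(cmd)
        entries.append(AutostartEntry(loc, name, cmd, image, '\\' in image))
    return entries


def parse_hosts_overrides(log: str) -> List[Tuple[str, str]]:
    """Collect O1 entries as (ip, hostname) pairs."""
    return [(m['ip'], m['host']) for m in map(HOSTS_RE.match, log.splitlines()) if m]


def suspicious_hosts(log: str) -> List[Tuple[str, str]]:
    """Hosts overrides that send a name somewhere other than the local machine.
    Ad-blocking hosts files point at loopback; a redirect to a real address deserves a look."""
    return [(ip, host) for ip, host in parse_hosts_overrides(log)
            if ip not in ("127.0.0.1", "0.0.0.0", "::1")]


def triage(log: str, known_good) -> List[AutostartEntry]:
    """Autostart entries whose executable basename is not on the allowlist: the ones to look up."""
    known = {k.lower() for k in known_good}
    return [e for e in parse_autostarts(log)
            if e.image.rsplit('\\', 1)[-1].lower() not in known]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG, KNOWN_GOOD):
        note = "" if e.has_directory else "  (no directory: resolved by path search)"
        print(f"{e.location:<14} [{e.name}] -> {e.image}{note}")
    for ip, host in suspicious_hosts(SAMPLE_LOG):
        print(f"Hosts override: {host} -> {ip}")
```

Run against the sample it reports STDSB, AWLGTSTA.EXE and ClickMe as the entries to check, which matches the three Pieter singled out, and notes that AWLGTSTA.EXE is logged without a directory. The unquoted-path heuristic matters because a Run value such as the Packard Bell shortcut target contains spaces without quotes; splitting on whitespace would leave you checking a file called C:\Program.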
#3
Hello thanks for replying
The AWLGTSTA file seems to be linked with my wireless network. Version tab states:
File Version: 1.0.20.83
Product Name: FRISBEE Wireless LAN
Description: FRISBEE Status Tray Applet
Copyright 2003 WLAN-G
Developer build: by OEM

As for the STDSB programme, there are 8 records of that filename on my computer and it seems to be linked to a scrollbar driver and the uninstall programme for it too. Version: 0.0.0.1

Many thanks
#4
Then I think everything is accounted for.
Do you still have the file that was running as Ech? I will gladly have a look at it for you.

Regards, Pieter
#5
Yes the Ech programme is still running
I disabled it on startup using MSConfig so it doesn't load when Windows starts. The programme command is called c:\APPS\EmailChecker\Ech.exe and is version 1.3.0.0. The location is SOFTWARE\Microsoft\Windows\CurrentVersion\Run. I want to be sure this is not a dangerous programme and my computer is safe from intrusion.

Many thanks
#6
I can't find anything conclusive about it.
I will PM you my email address and check the file when I get it.

Regards, Pieter