Can't get rid of a trojan horse!!!

Discussion in 'Trojan Defence Suite' started by Jökull, Mar 29, 2004.

Thread Status:
Not open for further replies.
  1. Jökull

    Jökull Guest

    My computer got infected yesterday by a virus called "pws.hooker.trojan", located in C:\windows\tgbcde\library32.dll. Norton Antivirus finds it and deletes it when running in safe mode and with the system restore function off. But every time I start the computer again the virus is back. The virus is somehow causing the CPU to be at 100% nonstop so I really can't do anything on the computer anymore.
    I have been looking ALL day for solutions on the net on my other computer without any luck. I installed TDS3 and it found three more trojans that Norton Ant. didn't find, but still TDS3 doesn't seem to find anything about this PWS.Hooker.Trojan virus, which seems to be the guilty one. On the internet this trojan is often mentioned together with worms like the w32.bugbear worm, but I ran a patch that was supposed to get rid of it and it didn't find anything.

    I guess the virus has added some values in the registry causing the virus to be run on start up, but the registry entries that Symantec mentions do not apply in this case, so I don't know what or where to look for it.
    I have read everything on Symantec's pages about the virus but I couldn't find anything that helped.

    Please!

    I bet some of you guys have experience from something similar...
     
  2. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Download and install HijackThis!

    Copy and paste the results.
    http://www.spywareinfoforum.com/~merijn/downloads.html
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Jokull
    TDS3 does detect bound Hooker 2.4 but I don't know if that is the same as the one mentioned :(

    Also you could post your AutoStart Viewer txt here:
    Link: http://www.diamondcs.com.au/index.php?page=products
    Run it and select the first two options in Main, save the file to Notepad and cut and paste the text here.
     
  4. Jökull

    Jökull Guest

    I am a new TDS user and I couldn't understand how to simply copy the info in the TDS autostart explorer. The usual procedure, highlight and copy, didn't work. Plus it's very hard for me to do anything in TDS when not in safe mode, because of the CPU being at 100% all the time, causing TDS and other programs to crash all the time. (I am messaging this from another comp.) And my guess is that you want the particular information from TDS when the virus is currently working in the background, i.e. not in safe mode.

    But I managed to run HijackThis and I will paste the log here.
    Hope this will tell you something...

    Logfile of HijackThis v1.97.7
    Scan saved at 00:03:55, on 2004-03-30
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
    C:\Program\Delade filer\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\DeltTray.exe
    C:\WINDOWS\anvshell.exe
    C:\Program\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program\D-Tools\daemon.exe
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\tgbcde\module32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
    C:\Program\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program\UltraMon\UltraMon.exe
    C:\Program\UltraMon\UltraMonTaskbar.exe
    C:\Program\Norton AntiVirus\navapsvc.exe
    C:\Program\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\Smartscaps.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Norton Personal Firewall\NISUM.EXE
    C:\Program\Hijackthis\HijackThis.exe
    C:\Program\Symantec\LiveUpdate\NDETECT.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ganpug.t.muxa.cc/s.php?aid=33 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ganpug.t.muxa.cc/s.php?aid=33 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wwwa.aftonbladet.se/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ganpug.t.muxa.cc/s.php?aid=33 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ganpug.t.muxa.cc/h.php?aid=33 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ganpug.t.muxa.cc/s.php?aid=33 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ganpug.t.muxa.cc/s.php?aid=33 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ganpug.t.muxa.cc/s.php?aid=33 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://e-plus.cc/search.php?aff_id=46&keyword=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.telia.com:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = login1.telia.com;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2BC43670-C0BD-4794-BB11-F60F3E001DC5} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Anvshell] anvshell.exe
    O4 - HKLM\..\Run: [LiveNote] livenote.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program\Delade filer\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [tgbcde] C:\WINDOWS\tgbcde\module32.exe arg1
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Certificate Mover.lnk = ?
    O4 - Global Startup: EarTest (2).lnk = C:\Program\EarTest\EARTEST.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NetVoyager.lnk = C:\Program\NetVoyager\NetVoyager.exe
    O4 - Global Startup: UltraMon.lnk = C:\Program\UltraMon\UltraMon.exe
    O8 - Extra context menu item: ordabok.is - http://www.ordabok.is/browser.asp
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
    O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/crack.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38019.2030439815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
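    The log above is exactly the kind of evidence the helpers in this thread read by eye: Run keys launching from odd folders, search and start pages redirected to an unfamiliar host, a UserInit value with more than userinit.exe in it, a BHO whose file is gone, and ActiveX packages pulled from sites other than the vendor's. The following Python script is an added example (not code from the thread, from HijackThis or from DiamondCS) that applies those same checks to HJT log lines. SAMPLE_LOG is a subset of the log posted above; the directory allow-list (including the localised C:\Program folder seen on this machine) and the trusted-host list are assumptions made for the illustration, not an official whitelist.

```python
r"""Triage checks for HijackThis (HJT) log lines.

Added example for this thread; not code from the thread, HijackThis or
DiamondCS. The directory and host allow-lists below are assumptions for
the illustration (C:\Program is the localised Program Files folder seen
in the posted log); adapt them to the machine being examined.
"""
import re
from urllib.parse import urlparse

# Assumed directories from which autostart executables are expected to run.
ALLOWED_EXE_DIRS = ("c:\\windows\\system32\\", "c:\\program\\", "c:\\program files\\")
# Assumed hosts from which O16 (Download Program Files / ActiveX) entries are acceptable.
TRUSTED_DPF_HOSTS = ("microsoft.com", "macromedia.com")

LINE_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.*)$")

# Subset of the first HJT log posted in this thread (values as they appear there).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ganpug.t.muxa.cc/s.php?aid=33 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wwwa.aftonbladet.se/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O2 - BHO: (no name) - {2BC43670-C0BD-4794-BB11-F60F3E001DC5} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [tgbcde] C:\WINDOWS\tgbcde\module32.exe arg1
O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/crack.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""


def parse_line(line):
    """Split 'O4 - body' into (type, body); return None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("type"), m.group("body")) if m else None


def exe_path(command):
    """First token of an autostart command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def in_allowed_dir(path):
    p = path.lower()
    return any(p.startswith(d) for d in ALLOWED_EXE_DIRS)


def host_trusted(url, trusted):
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage(log_text):
    """Return (entry type, reason) pairs for lines that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        kind, body = parsed
        if kind == "O4" and "Run: [" in body:
            exe = exe_path(body.split("] ", 1)[1])
            # Absolute path outside the expected directories. Bare names such as
            # nwiz.exe resolve via PATH and would need a separate lookup.
            if re.match(r"^[a-zA-Z]:\\", exe) and not in_allowed_dir(exe):
                findings.append((kind, f"autostart from unexpected directory: {exe}"))
        elif kind == "F2" and "UserInit=" in body:
            # Winlogon runs every comma-separated entry; only userinit.exe belongs here.
            entries = body.split("UserInit=", 1)[1].split(",")
            extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append((kind, f"extra UserInit entries: {extra}"))
        elif kind in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            # HJT appends "(obfuscated)" when the stored value was encoded,
            # which is itself a warning sign for a search/start-page hijack.
            suspicious = "Search" in key or "(obfuscated)" in body
            value = value.replace(" (obfuscated)", "")
            if suspicious and value.startswith("http") and not host_trusted(value, ("microsoft.com",)):
                findings.append((kind, f"browser setting points at {urlparse(value).hostname}: {key}"))
        elif kind == "O2" and body.endswith("(no file)"):
            findings.append((kind, f"BHO registered but its file is missing: {body}"))
        elif kind == "O16":
            url = body.rsplit(" - ", 1)[1]
            if not host_trusted(url, TRUSTED_DPF_HOSTS):
                findings.append((kind, f"ActiveX package from untrusted host: {url}"))
    return findings


if __name__ == "__main__":
    for kind, reason in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}")
```

    Run against the sample, the script flags the two Run entries outside the expected folders (iedll.exe in the Windows root and module32.exe in tgbcde), the extra UserInit entry, the orphaned BHO, the obfuscated search-bar redirect and the crack.CAB download, while leaving the Symantec, NVIDIA and Macromedia entries alone. Everything it reports is a lead for a human to check, not a verdict: a legitimate program installed to an unusual folder would be flagged the same way.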
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Well done, I am no expert with HJT logs but one will be along shortly ;)
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    It's a CWS hijack, do all this please
    First download CWShredder from http://www.thespykiller.co.uk then run it
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.

    and make sure you follow the advice about the security updates listed on the last page, in order to prevent re-infection, otherwise you will be continually reinfected
    the patches are :
    http://support.microsoft.com/default.aspx?kbid=828026
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp
    *Note: The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates & service Packs"
    then reboot &

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R277 29.03.2004 or a higher number/later date

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    then post a new hijackthis log to check what is left
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    And this is a new keylogger trojan that has only turned up in the last 48 hours so get a copy of the file and send it to Diamond support

    O4 - HKCU\..\Run: [tgbcde] C:\WINDOWS\tgbcde\module32.exe arg1

    in fact it is probably a good idea to get hold of the entire C:\WINDOWS\tgbcde folder and let Gavin have a copy

    I am sure there are other nasties in there helping the one showing to do its nasty work
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Jokull, Once you have completed dvk01's advice please:

    Download the latest TDS3 radius file from here: http://tds.diamondcs.com.au/index.php?page=update
    Start TDS3 and open the configuration menu, enable all of the items in "initialization" except for initialize sockets and all of the items in startup scanning.
    In scan control scan options enable all, in the "generic" section enable both Anti Trojan - antiworm /scripts. Move the generic sensitivity to high. In the available scans select "scan all logical drives". Then start the scan

    This is a very deep and complex scan so please ensure that your AV and other resident programmes are disabled as this scan can take quite a time on large hard drives.

    At the end of the scan you will see the results at the bottom of the TDS console.

    Right clicking on the results will give you the details. Please do not delete just yet.
    Note the location of any of the files. Navigate to them using your file manager and copy them into a .zip file. Send the .zip file to submit@diamondcs.com.au for analysis.

    Once this has been achieved then use the right click on the files in the TDS console to delete them.

    Thanks - Pilli
     
  9. Jökull

    Jökull Guest

    Big thx for the advice!

    I have finally completed everything that dvk01 suggested, i.e. installed, run and updated Spybot, Shredder, AdAware, Windows Update. The programs found some dubious things in the registry and some spyware and that has now been deleted. I have also updated Norton Antivirus and the program still finds the virus "pws.hooker.trojan" and can, as before, delete it only in safe mode. But when I start the computer again it's back again. I don't have to run N.A. to know that, the program tells me this right from the start in an alert window that won't go away.

    Right now I have updated TDS and I am letting it scan the way Pilli described. (I am doing this in safe mode, can TDS still find the virus, even if it's not running in the background as in normal mode?)

    Here is the updated "HijackThis" log after I had done the things dvk01 mentioned.

    Thx :p

    Logfile of HijackThis v1.97.7
    Scan saved at 14:37:38, on 2004-03-30
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
    C:\Program\Delade filer\Symantec Shared\ccApp.exe
    C:\Program\Norton Personal Firewall\ccPxySvc.exe
    C:\WINDOWS\System32\DeltTray.exe
    C:\Program\Norton AntiVirus\navapsvc.exe
    C:\Program\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\anvshell.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program\D-Tools\daemon.exe
    C:\WINDOWS\system32\Smartscaps.exe
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\tgbcde\module32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program\UltraMon\UltraMon.exe
    C:\Program\UltraMon\UltraMonTaskbar.exe
    C:\Program\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Program\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wwwa.aftonbladet.se/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.telia.com:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = login1.telia.com;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Anvshell] anvshell.exe
    O4 - HKLM\..\Run: [LiveNote] livenote.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program\Delade filer\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [tgbcde] C:\WINDOWS\tgbcde\module32.exe arg1
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Certificate Mover.lnk = ?
    O4 - Global Startup: EarTest (2).lnk = C:\Program\EarTest\EARTEST.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NetVoyager.lnk = C:\Program\NetVoyager\NetVoyager.exe
    O4 - Global Startup: UltraMon.lnk = C:\Program\UltraMon\UltraMon.exe
    O8 - Extra context menu item: ordabok.is - http://www.ordabok.is/browser.asp
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
    O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/crack.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38019.2030439815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Jökull, quite a job you've done!
    Did you submit the psw.hooker. to submit@diamondcs.com.au? they will love to get it from you to look deeper into the file.

    What happens when you try to scan with TDS in safe mode? does it run at all and do you get any alerts?
    I'm not 100% sure if it is working properly that way; if you get some alerts you know it is working, but of course I hope you're clean now.
    If you don't get any results you best run in normal mode as well another time.

    You run XP: did you disable system restore in the clean situation, reboot, enable system restore again and manually make a new system restore point?

    I'm sure the dvk and Pilli will help you further.
     
  11. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Have a look at this thread regarding C:\WINDOWS\tgbcde\module32.exe....and also this one.

    I am sure someone can advise further though :).

    Regards,
    Jade.
     
  12. Jökull

    Jökull Guest

    I ran a full TDS scan as Pilli suggested (in safe mode). It gave me some alerts but nothing important. Mostly remarks about strange names of some of my personal documents and some temp files that were locked. I am going to do the same scan now in normal mode. The reason why I did it in safe mode was that, with the virus causing the CPU to be at 100%, the scan in normal mode probably takes about 12 hours or something like that.

    I had TDS on autostart with Windows and it actually found the virus this time. Here is what it said: "Live trojan found (in process memory)
    - Unknown Trojan". File name was C:\windows\tgbcde\module32.exe

    So everything is still pretty much the same. The virus is still there, the CPU is always at 100%, and the N.A alert window is constantly on the screen.

    I am going to try to send this hardheaded virus to the Diamond team as suggested.

    Another question: TDS tells me each time that "A change has been detected in the autostart registry". But how do I see these particular changes? Ctrl+A gets me to the registry but TDS doesn't highlight the change so I don't know what to look for.



    Jooske asked "You run XP: did you disable system restore in the clean situation, reboot, enable system restore again and manually make a new system restore point?" I disabled system restore before doing the scans, but I have still not reached the clean situation.

    :doubt:
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That module32.exe worried me too, but ok, you might either like to zip it or rename it with something behind it like .tmp for instance so it can't run anymore for the moment.
    I'm not going to tell you to repair or delete anything as dvk01 and other specialists are on it and have their steps for you to take.
    There must be a way to kill the process -- if you have TDS up, do you see in the process list that nasty running? Fingers crossed you did and are able to kill the process to have some space for scanning and all the other stuff you want to do.
    Yeah, I forgot the 100% CPU use, I hope with killing the thing you will be able at least one session to scan all.
    Indeed there was no clean situation yet.
    Another way would be to grab Port Explorer and see the nasty process and kill it via that way.
    Indeed it is difficult to know which AutoStart changed in the registry, this is why in the next version it will be indicated what and where the changes are, but this doesn't help you really at this moment.
    I guess it is the re-install of the nasty if you were able to kill/delete it and it got itself back in place, such annoying things I guess.
     
  14. J?kull

    J?kull Guest

    Ok, now we are getting somewhere ;) I checked out the threads that Bowserman pointed out. The problem described there is very similar to mine. I went to "msconfig" /autostartup and there I saw there was an object called "module32" located in C:\windows\tgbcde. I unmarked it and restarted the computer. (I didn't know of this option before) The computer was then working properly. Soon I got the N.A. alert window telling me about the pws.hooker.trojan virus, but this time the program could delete it (it could only do so in safe mode before).

    In the Bowserman thread they are also talking about a module32 but it was supposed to be located in a c:\windows\rfv folder, whereas in my case it was c:\windows\tgbcde.

    I also unmarked other things in the msconfig\autostart menu, objects such as "rundll32 - rundll32.exe nview.dll,nviewLoadHook". I unmarked it because for the past few days I have often gotten a mysterious Hook.dll popped up on my desktop without any explanation.

    and..

    mmrtkrnl - mmrtkrnl.exe

    I don't know if those ones are viruses too? Perhaps you can enlighten me on that one. Should I delete the two others as well, i.e. rundll32 and mmrtkrnl??

    I hope this means it's gone for the time being. It certainly gave me a wake-up call regarding protection. I thought Norton Antivirus was enough protection against everything. But after this incident I have a big arsenal of good programs.

    Thx for all of your help, I really appreciate it.
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Please don't delete anything yet unless told by an expert. Rundll32 normally is a normal necessary system file, to name one, so please keep it on your system.
    It could for instance be located in a wrong place, thus indicating to the experts it would be suspicious. In this case I have not the impression, but I leave all that to the experts.
    Hope you were able to zip the module32 thing and submit it to the TDS lab submit@diamondcs.com.au. As it was named an unknown trojan you might have a new variety so the lab would be grateful for your sample for deeper investigation.

    I googled for the pws.hooker.trojan and indeed it does choose random directory names, so that part of the story fits too.
    Is there a file named KEYRIPPER.DLL in your windows\system or system32 too?
    What I understood in the meantime, the pws.hooker.trojan comes (often) together with other very nasty things like bugbear, badtrans, who knows with what more and how it came on your system.
    So you're not ready yet with the cleansing process, at the moment you only stopped it to be able to cleanse out better! Listen to the guys here please till they give the sign "all clear!"
     
  16. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Jokull, To aid us further can you also download the Autostart Viewer from here: http://www.diamondcs.com.au/index.php?page=products as asked for earlier in the thread.
    AutoStart Viewer works differently than HJT and can help determine what else may need to be done to complete your clean up.

    Thanks - Pilli
     
  17. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    first zip the entire C:\WINDOWS\tgbcde\ folder and send it to support@diamondcs.com.au

    then download & install reg protection from
    http://www.diamondcs.com.au/index.php?page=regprot

    it will pop up lots of entries do not let it start this file module32.exe

    then boot into safe mode &

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O4 - HKCU\..\Run: [tgbcde] C:\WINDOWS\tgbcde\module32.exe arg1

    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
    O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/crack.CAB

    and Delete these folders

    C:\WINDOWS\tgbcde
    then
    Reboot normally

    & re-enable everything you previously stopped in msconfig
    then post a new HijackThis log so we can check if we got it all
     
  18. Jökull

    Jökull Guest

    I have not sent the virus to Diamond support. When I was experimenting with the new hints I deleted the file, and I don't know if I can get it back. I even tried to re-mark the entries in my "msconfig\autostart" just to see if the virus would come back on reboot but this time it didn't.

    Jooske: I did not find a keyripper.dll in the windows\system folders

    Pilli: Ok, now I get what you meant. I misunderstood you earlier and thought you were referring to the autostart explorer in TDS. I have downloaded the "autostartviewer" and here is the log.

    Thx again,

    Jökull.

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Jökull Steinthorsson@DITT-YIHYK2HRF9, 03-30-2004
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\System32\logon.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\System32\logon.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IgfxTray
    C:\WINDOWS\System32\igfxtray.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HotKeysCmds
    C:\WINDOWS\System32\hkcmd.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
    C:\Program\Delade filer\Symantec Shared\ccApp.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccRegVfy
    C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Advanced Tools Check
    C:\Program\NORTON~1\AdvTools\ADVCHK.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DeltTray
    C:\WINDOWS\system32\DeltTray.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
    C:\WINDOWS\System32\NeroCheck.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
    nwiz.exe /install
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Anvshell
    C:\WINDOWS\anvshell.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LiveNote
    C:\WINDOWS\livenote.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RoxioEngineUtility
    C:\Program\Delade filer\Roxio Shared\System\EngUtil.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RoxioDragToDisc
    C:\Program\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RoxioAudioCentral
    C:\Program\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HPDJ Taskbar Utility
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HP Software Update
    C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DeviceDiscovery
    C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DAEMON Tools-1033
    C:\Program\D-Tools\daemon.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\GSICONEXE
    C:\WINDOWS\system32\GSICON.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DSLAGENTEXE
    dslagent.exe USB
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TDS3
    C:\Program\TDS3\TDS-3.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultCheck
    C:\WINDOWS\system32\dumprep 0 -k
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
    C:\WINDOWS\System32\ctfmon.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NvMediaCenter
    RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
    C:\WINDOWS\System32\CTFMON.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
    C:\Program\NORTON~1\NAVW32.EXE
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\Program\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Adobe Gamma Loader.lnk
    C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Certificate Mover.lnk
    C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
    C:\Documents and Settings\All Users\Start-meny\Program\Autostart\EarTest (2).lnk
    C:\Program\EarTest\EARTEST.EXE
    C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Microsoft Office.lnk
    C:\Program\Microsoft Office\Office\OSA9.EXE
    C:\Documents and Settings\All Users\Start-meny\Program\Autostart\NetVoyager.lnk
    C:\Program\NetVoyager\NetVoyager.exe
    C:\Documents and Settings\All Users\Start-meny\Program\Autostart\UltraMon.lnk
    C:\Program\UltraMon\UltraMon.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\System32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
     
  19. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    To my untrained eye, there is nothing that stands out but I would rather the experts gave it the final OK :)
    Shame about the files but I am glad your PC is now back in a working state :)

    For all your hard work I hope you will accept a Karma cookie :)
     
  20. Jökull

    Jökull Guest

    I deleted the entries dvk01 told me about. My computer is working just fine and I see no signs of the virus/trojan anymore. I also installed the registry protector dvk01 recommended. Simple yet effective program. It alerted me every time something critical was being done in the registry, good stuff ;)

    As I said I think it's all over now, but dvk01 asked me to put a "HijackThis" log once more so here you have it.

    I was really amazed to get this quick and high quality support here at this forum. You have been answering every post I put up just minutes after. Big thx to you guys...

    Pilli, dvk01, Jooske and Bowswerman :)


    Regards,

    Jökull.

    Logfile of HijackThis v1.97.7
    Scan saved at 23:45:58, on 2004-03-30
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
    C:\Program\Norton Personal Firewall\NISUM.EXE
    C:\Program\Delade filer\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\DeltTray.exe
    C:\WINDOWS\anvshell.exe
    C:\Program\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program\D-Tools\daemon.exe
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program\Norton Personal Firewall\ccPxySvc.exe
    C:\Program\Norton AntiVirus\navapsvc.exe
    C:\Program\UltraMon\UltraMon.exe
    C:\Program\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\Smartscaps.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\UltraMon\UltraMonTaskbar.exe
    C:\Program\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jökull Steinthorsson\Skrivbord\regprot\regprot.exe
    C:\Program\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wwwa.aftonbladet.se/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Anvshell] anvshell.exe
    O4 - HKLM\..\Run: [LiveNote] livenote.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program\Delade filer\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Certificate Mover.lnk = ?
    O4 - Global Startup: EarTest (2).lnk = C:\Program\EarTest\EARTEST.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NetVoyager.lnk = C:\Program\NetVoyager\NetVoyager.exe
    O4 - Global Startup: UltraMon.lnk = C:\Program\UltraMon\UltraMon.exe
    O8 - Extra context menu item: ordabok.is - http://www.ordabok.is/browser.asp
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38019.2030439815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8CB1B4A5-8A58-4D77-90B5-A2E7726BF545}: NameServer = 195.67.199.39 195.67.199.40
     
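The fix list dvk01 posted above (the `O4` Run entry for `C:\WINDOWS\tgbcde\module32.exe` and the two `O16` DPF entries from dynamicdesktopmedia.com) and the clean HijackThis log Jökull posted afterwards are the two things a helper actually reads when triaging a thread like this. The script below is an added example written for this page, not code from the forum, from HijackThis or from DiamondCS. It parses the HijackThis 1.97 line shapes that appear in this thread (Run-key `O4`, `O16` DPF, `O17` NameServer) and applies two defender-side checks that would have surfaced the entries dvk01 picked out: a Run entry whose program lives in a non-standard subfolder directly under the Windows directory, and a DPF control downloaded from a host outside a small trusted list. The sample log, the trusted-host list, the expected-subfolder set and the finding tags are all assumptions constructed for the example; `Global Startup` lines have a different shape and are left alone.

```python
import re
from urllib.parse import urlparse

# Constructed sample: HijackThis 1.97 lines in the same shape as the logs in
# this thread (the tgbcde and ddm lines are the ones dvk01 asked to be fixed,
# the rest are ordinary vendor entries from the clean log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [tgbcde] C:\WINDOWS\tgbcde\module32.exe arg1
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CB1B4A5-8A58-4D77-90B5-A2E7726BF545}: NameServer = 195.67.199.39 195.67.199.40
"""

# Line shapes handled: Run-key O4 entries, O16 DPF entries, O17 NameServer.
O4_RUN_RE = re.compile(r'^O4 - (?P<where>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)$')
O17_RE = re.compile(r'^O17 - (?P<key>.*): NameServer = (?P<servers>.*)$')

# Assumption: on an XP-era box, autostart binaries under the Windows folder
# normally sit in these subfolders; a Run entry pointing into any other
# C:\WINDOWS\<dir>\ (like the thread's tgbcde folder) deserves a second look.
EXPECTED_WINDOWS_SUBDIRS = {"system32", "system"}
# Assumption: CAB sources accepted without review; anything else is flagged
# for a human to look at rather than removed automatically.
TRUSTED_CAB_HOSTS = ("microsoft.com", "macromedia.com")


def executable_of(command):
    """Return the program part of a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def odd_windows_subdir(exe_path):
    """True when exe_path sits in a non-standard subfolder of the Windows dir."""
    p = exe_path.lower().replace("/", "\\")
    for root in ("c:\\windows\\", "c:\\winnt\\"):
        if p.startswith(root):
            parts = p[len(root):].split("\\")
            return len(parts) > 1 and parts[0] not in EXPECTED_WINDOWS_SUBDIRS
    return False


def trusted_host(host):
    """Exact or subdomain match against the trusted CAB host list."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_CAB_HOSTS)


def triage(log_text):
    """Parse HJT lines; return (severity, kind, subject, line) tuples."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RUN_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if odd_windows_subdir(exe):
                findings.append(("flag", "run-entry-odd-folder", m.group("name"), line))
            elif "\\" not in exe:
                # Bare file name: resolved through the search path at logon, so
                # the log alone does not say which file on disk this is.
                findings.append(("info", "run-entry-unqualified", m.group("name"), line))
            continue
        m = O16_RE.match(line)
        if m:
            host = (urlparse(m.group("url")).hostname or "").lower()
            if not trusted_host(host):
                findings.append(("flag", "dpf-untrusted-host", host, line))
            continue
        m = O17_RE.match(line)
        if m:
            # HJT cannot know which resolvers are the user's ISP; always surface them.
            findings.append(("info", "dns-servers", m.group("servers"), line))
    return findings


if __name__ == "__main__":
    for sev, kind, subject, line in triage(SAMPLE_LOG):
        print(f"[{sev:4}] {kind:22} {subject}\n        {line}")
```

Run as a script it prints one line per finding; `flag` findings are the ones a helper would put on a fix list, `info` findings (unqualified program names, the DNS servers) are surfaced for a human to confirm, which is how the thread itself treated the NameServer line.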
  21. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,448
    Location:
    North Carolina, USA
    Hi jökull,

    Your log looks clean but I do have one question...
    Do you have any items disabled in startup via msconfig?
    If so, you may want to enable them and post a new HJT log.

    Regards,
    Kent
     
  22. Jökull

    Jökull Guest

    Yes, I had "C:\WINDOWS\tgbcde\module32.exe arg1" disabled at msconfig. Instead of enabling it and running hijackthis again I searched in the registry editor for module32. And I found some entries at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\tgbcde. Here I found entries such as

    C:\WINDOWS\tgbcde\module32.exe arg1,
    Item-reg_SZ-module32,
    key-REG_SZ-Software\microsoft\windows\currentversion\run.

    I also found this tgbcde entry at:
    HKEY_USERS\S-1-5-21-833800102-1989038691-135915348-1005\Software\Microsoft\Windows\CurrentVersion

    Name:tgbcde - type:REG_BINARY

    Is it safe for me to delete all the files in this tgbcde folder? I got the impression that this tgbcde business was entirely created by the trojan virus and has nothing to do with windows.
     
  23. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,448
    Location:
    North Carolina, USA
    Hi Jökull,

    Yes, you can delete the entire folder: C:\WINDOWS\tgbcde

    Also you may have an entry reappear in HJT for the module32.exe (when you enable it in msconfig) and if it does just go ahead and remove it with HJT. Do not worry about it being able to run once you have deleted the entire folder.

    Regards,
    Kent
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Oops!
    in case it does reappear, please try to find that folder in your system if possible, zip the entire folder and please submit to submit@diamondcs.com.au
    As you have a new variety it seems, and your discovery can save the world. After that you can delete it like Kent just says. Hope my message doesn't come too late!


    You say the team is quick and thoroughly working on your problem: yes of course, as it's our mission to help people clean their valuable systems, we love working as a team as each has their own insights -- we might add such threads to our personal CV ! :)
     
  25. AquaDemon

    AquaDemon Registered Member

    Joined:
    Apr 12, 2004
    Posts:
    2
    just a word of thought that this HUGE topic wasn't necessary...
    at startup press CTRL+ALT+DEL and end task the 2 processes called module32.exe [on my system it was twice :p]
    behind the process name there is always a pathname...

    plus, once the problem is over run explorer.exe in the task manager and msconfig and disable module32.exe from starting up :)

    Also if you want to know if you still got this trojan on your system the kbd.txt file is the stuff it sends to the hijacker...
     
    Last edited: Apr 12, 2004