Can't get rid of Trojan horse....lipe123

Discussion in 'Trojan Defence Suite' started by lipe123, May 12, 2004.

  1. lipe123

    lipe123 Registered Member

    Joined:
    May 12, 2004
    Posts:
    16
    Re: Can't get rid of Trojan horse....

    OK I got the exact same thing that Shinji got :mad: !!

    I got TDS and the latest Radius files and it found nothing except the same file that AVG finds - which you can delete 100x and on the next reboot it's back.

    It's closing my regedit, edit.com and a few others immediately after I open them, though if I rename them to regedt1.exe I can open it again :).
    Though there is no trace of the thing in the registry. I had an app, hiappkiller, that's supposed to kill hidden processes too, but it's expired :(. Does anyone know of a similar app?

    I'm on Win2k btw; any and all help would be great, thanks!

    Oh, also, how did it get on my PC in the first place?

    Ps. Shinji cool name, anime fan?
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re: Can't get rid of Trojan horse....

    Did you close AVG entirely from its console when scanning with TDS?
    Did you configure TDS with all scan options?
    Did you submit the file your scanner found to submit@diamondcs.com.au (zipped please!!) or from the TDS console, after which you deleted it, disabled System Restore (if you're on XP or ME), rebooted, enabled System Restore and made a new restore point, if the scan you did before that with both scanners (one after the other) showed your system to be really clean?

    Next would be sending your AutoStartViewer log to Gavin (gavin@diamondcs.com.au) or posting it here for further advice!

    Since you say your regedit and all those functions are disabled, that could be possible with the AutoStartViewer and HiJackThis, so your logs are important. In SpyBot S&D there is a registry check in the advanced functions as well, so maybe after all these steps that could be an extra check?

    Hope you find solutions soon saving your valuable system! Please keep us informed how it goes!
     
  3. lipe123

    lipe123 Registered Member

    Joined:
    May 12, 2004
    Posts:
    16
    Re: Can't get rid of Trojan horse....

    OK, well, the first time I didn't have AVG entirely disabled for the first scan, so I did a restart and then killed AVG and then scanned the WINNT folder again.

    aaaand.....TDS found nothing :(. Anyway, here is my autostart log.
    How did I get the virus though, and how does it work? There should be a process and an executable somewhere, shouldn't there?! Why can't I find it? I even went as far as trying to use diskprobe to find the file, but it helps if you know what the file name is :).

    Any websites that might help? 'Cos so far I just found a few sites with useless info and bright ideas like formatting...

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Liep@AMD-XP1700, 05-13-2004
    c:\winnt\system32\autoexec.nt
    C:\WINNT\system32\mscdexnt.exe
    C:\WINNT\system32\redir.exe
    C:\WINNT\system32\dosx.exe
    c:\winnt\system32\config.nt
    C:\WINNT\system32\himem.sys
    c:\winnt\system.ini [drivers]
    timer=timer.drv
    vidc.cram=msvidc.drv
    VIDC.IV32=ir32.dll
    VIDC.IV31=ir32.dll
    VIDC.MRLE=msrle.drv
    VIDC.RT21=ir21_r.dll
    VIDC.YVU9=ir21_r.dll
    WaveMapper=msacm.drv
    MSACM.msadpcm=msadpcm.acm
    MSACM.imaadpcm=imaadpcm.acm
    VIDC.MSVC=msvidc.drv
    VIDC.CVID=iccvid.drv
    c:\winnt\system.ini [boot]\shell
    C:\WINNT\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINNT\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
    mobsync.exe /logon
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tweak UI
    RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG_CC
    C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
    C:\WINNT\system32\NeroCheck.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\C-Media Mixer
    Mixer.exe /startup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LWBMOUSE
    C:\Program Files\Dexxa\Wireless Desktop\lwb3dapp.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Go!Zilla dial-up fix
    C:\Program Files\GoZilla\Go.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\GAINWARD
    C:\WINNT\TBPanel.exe /A
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
    nwiz.exe /install
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EPSON Stylus CX3200
    C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Disk Monitor
    C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.7\Disk_Monitor.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Network Service
    C:\WINNT\svhost.exe -sr -0
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EPSON Stylus CX3200
    C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINNT\system32\E_S6.tmp"
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Network Service
    C:\WINNT\svhost.exe -sr -0
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\CommCenter
    C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe
    C:\WINNT\system32\internat.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
    C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINNT\system32\NETSHELL.dll
    C:\WINNT\system32\webcheck.dll
    C:\WINNT\system32\stobject.dll
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    C:\Program Files\Microsoft Office\Office\OSA9.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINNT\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINNT\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINNT\system32\msafd.dll
    C:\WINNT\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINNT\inf\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINNT\System32\shmgrate.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINNT\System32\shmgrate.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6A5110B5-E14B-4268-A065-EF89FF33C325}\
    regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINNT\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\
    C:\WINNT\system32\Rundll32.exe C:\WINNT\system32\mscories.dll,Install
    HKLM\Software\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}\
    C:\WINNT\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINNT\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINNT\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\Alerter\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\AvgCore\
    \??\C:\PROGRA~1\GRISOFT\AVG6\avgcore.sys
    HKLM\System\CurrentControlSet\Services\AvgFsh\
    \??\C:\PROGRA~1\GRISOFT\AVG6\avgfsh.sys
    HKLM\System\CurrentControlSet\Services\AvgServ\
    C:\PROGRA~1\GRISOFT\AVG6\avgserv.exe
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\BT848\
    C:\WINNT\system32\drivers\cxvcap.sys
    HKLM\System\CurrentControlSet\Services\cisvc\
    C:\WINNT\system32\cisvc.exe
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\dmserver\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\ElbyCDIO\
    C:\WINNT\System32\Drivers\ElbyCDIO.sys
    HKLM\System\CurrentControlSet\Services\EpsonBidirectionalAgent\
    C:\Program Files\Common Files\EPSON\EBAPI\eEBAgent.exe
    HKLM\System\CurrentControlSet\Services\EPSONStatusAgent2\
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    HKLM\System\CurrentControlSet\Services\EPSON_PM_RPCV2_02\
    C:\WINNT\system32\E_S00RP2.EXE
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\MDM\
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    HKLM\System\CurrentControlSet\Services\Messenger\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\NtmsSvc\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\NVSvc\
    C:\WINNT\system32\nvsvc32.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINNT\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\RasMan\
    C:\WINNT\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\RemoteRegistry\
    C:\WINNT\system32\regsvc.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINNT\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\RVSINST\
    C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE
    HKLM\System\CurrentControlSet\Services\rvsport\
    C:\WINNT\System32\drivers\rvsport.sys
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINNT\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINNT\system32\MSTask.exe
    HKLM\System\CurrentControlSet\Services\SecDrv\
    \??\C:\WINNT\system32\drivers\SECDRV.SYS
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINNT\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SharedAccess\
    C:\WINNT\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINNT\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\StiSvc\
    C:\WINNT\system32\stisvc.exe
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\WinMgmt\
    C:\WINNT\System32\WBEM\WinMgmt.exe

    PS.

    I just ran that rootkit detector thingy, here is the result :(

    -Searching again for Hidden Services..
    -Gathering Service list Information... ( Found: 0 Hidden Services)
    -Searching for wrong Service Paths.... ( Found: 5 wrong Services )
    -------------------------------------------------------------------------------
    *SV: BT848 (CxVCap, WDM Video Capture) PATH: C:\WINNT\system32\drivers\cxvcap.sys
    -------------------------------------------------------------------------------
    *SV: DSDrvNT (DSDrvNT) PATH: c:\temp\dc13\dsdrvnt.sys
    -------------------------------------------------------------------------------
    *SV: nthwio (nthwio) PATH: d:\copy\mnet stuff\aiwtv103\nthwio.sys
    -------------------------------------------------------------------------------
    *SV: VICHW00 (VICHW00) PATH: c:\winnt\system32\drivers\vichw00.sys
    -------------------------------------------------------------------------------
    *SV: WFIOCTL (WFIOCTL) PATH: c:\program files\winfast\wftvfm\wfioctl.sys
    -------------------------------------------------------------------------------
    -Searching for Rootkit Modules........
    -------------------------------------------------------------------------------
    *SUSPICIOUS MODULE!! c:\winnt\system32\imm32.dll
    -------------------------------------------------------------------------------
    -Trying to detect hxdef with TCP data..( Found: 1 running rootkits)
    -------------------------------------------------------------------------------
    *ROOTKIT HACKER DEFENDER v1.0.0 IS INSTALLED IN YOUR HOST.
    -------------------------------------------------------------------------------
    -Searching for hxdef hooks............ ( Found: 1 running rootkits)
    -------------------------------------------------------------------------------
    *ROOTKIT HACKER DEFENDER >= v0.82 FOUND. Path not available
    -------------------------------------------------------------------------------
    -Searching for other rootkits......... ( Found: 0 running rootkits)

    C:\Business\problems\virus\RKDetectorv0.62>
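The AutoStart Viewer report and the RKDetector output above point in the same direction: a user-mode rootkit such as Hacker Defender hides its own files, processes and registry keys from anything that asks the Windows API, so a listing taken on the live box can be incomplete, and what does show up has to be read on the assumption that names were chosen to blend in. The script below is an added example (not DiamondCS code and not part of the original post) that applies two checks an analyst would otherwise do by eye over such a report: an image whose name is one character away from a genuine system binary, and a genuine system binary name launched from the wrong folder. It also notes when one command is registered from several autostart locations. The sample input is an excerpt of the posted report plus one constructed pair, labelled in the code; the table of system binaries and their expected folders is an assumption chosen for Windows 2000.

```python
"""Triage an AutoStart Viewer report for entries that imitate Windows system
binaries. Added example for this thread, not DiamondCS code."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Genuine NT 5 system binaries and the folder they belong in: "windir" is
# %SystemRoot% itself (C:\WINNT on this box), everything else lives in system32.
# Assumption for the example; extend it for the box you are looking at.
EXPECTED_PARENT = {
    "svchost.exe": "system32", "services.exe": "system32", "lsass.exe": "system32",
    "csrss.exe": "system32", "smss.exe": "system32", "winlogon.exe": "system32",
    "spoolsv.exe": "system32", "explorer.exe": "windir",
}
HOST_PROCESSES = {"rundll32.exe", "regsvr32.exe"}
EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".cpl", ".ocx", ".scr", ".com"}

# Constructed excerpt of the report above, in its two-line format (registry
# location, then the command it launches). All pairs are copied from the posted
# log except the last one, which is made up to exercise the wrong-folder check.
SAMPLE_REPORT = "\n".join([
    "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
    "C:\\WINNT\\Explorer.exe",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AVG_CC",
    "C:\\Program Files\\Grisoft\\AVG6\\avgcc32.exe /startup",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\NvCplDaemon",
    "RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Network Service",
    "C:\\WINNT\\svhost.exe -sr -0",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Network Service",
    "C:\\WINNT\\svhost.exe -sr -0",
    "HKLM\\System\\CurrentControlSet\\Services\\RpcSs\\",
    "C:\\WINNT\\system32\\svchost -k rpcss",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Sys",  # constructed
    "C:\\WINNT\\system\\svchost.exe",                                 # constructed
])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_report(text: str):
    """Yield (location, command) pairs: a line starting with HK is a registry
    location, every following non-HK line is a command launched from it."""
    location = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.upper().startswith("HK"):
            location = line
        elif location:
            yield location, line


def image_path(command: str) -> str:
    """Extract the executable from a command line: honour quotes, glue together
    unquoted paths containing spaces, and look through rundll32/regsvr32 hosts."""
    cmd = command.strip()
    if cmd.startswith('"'):
        parts = cmd[1:].split('"', 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    else:
        tokens, i = cmd.split(), 1
        path = tokens[0]
        while (i < len(tokens)
               and PureWindowsPath(path).suffix.lower() not in EXECUTABLE_EXT
               and tokens[i][:1] not in "/-"):
            path += " " + tokens[i]
            i += 1
        rest = " ".join(tokens[i:])
    if PureWindowsPath(path).name.lower() in HOST_PROCESSES and rest:
        return image_path(rest.split(",")[0])  # rundll32 <dll>,<entrypoint>
    return path


def assess(command: str) -> list:
    """Heuristics a single command trips; an empty list means nothing odd."""
    p = PureWindowsPath(image_path(command))
    name = p.name.lower() if p.suffix else p.name.lower() + ".exe"
    findings = []
    expected = EXPECTED_PARENT.get(name)
    if expected is None:
        # Not a system binary itself: is it one character away from one?
        findings += [f"lookalike of {known}" for known in EXPECTED_PARENT
                     if edit_distance(name, known) == 1]
    elif p.parent.name:  # a bare name resolves via PATH; nothing to compare
        allowed = {"winnt", "windows"} if expected == "windir" else {expected}
        if p.parent.name.lower() not in allowed:
            findings.append(f"{name} launched from {p.parent} instead of {expected}")
    return findings


def triage(report_text: str) -> dict:
    """Map each suspicious command to its findings. A command registered from
    more than one autostart location is reported as well: installers rarely
    do that, malware that wants to survive a partial cleanup often does."""
    flagged, locations = {}, defaultdict(list)
    for location, command in parse_report(report_text):
        locations[command].append(location)
        findings = assess(command)
        if findings and command not in flagged:
            flagged[command] = findings
    for command, locs in locations.items():
        if len(locs) > 1:
            flagged.setdefault(command, []).append(
                f"registered in {len(locs)} autostart locations")
    return flagged


if __name__ == "__main__":
    for command, findings in triage(SAMPLE_REPORT).items():
        print(command)
        for finding in findings:
            print("   ", finding)
```

Running it on the sample flags the `svhost.exe` entry twice over (name one character from `svchost.exe`, registered under both HKLM and HKCU Run) and the constructed `C:\WINNT\system\svchost.exe` pair, while the genuine `Explorer.exe` in `C:\WINNT` and `svchost -k rpcss` in `system32` pass. A hit from these heuristics is a reason to pull the binary and look at it, not proof by itself.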
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Can't get rid of Trojan horse....

    Hi Lipe123. I have requested expert assistance.
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Can't get rid of Trojan horse....

    One of our experts has reviewed your AS Viewer info and advises that you now post a HiJackThis log.
    Here is the "how to" information link https://www.wilderssecurity.com/showthread.php?t=15913

    Please post the results back into this thread - Thanks
     
  6. lipe123

    lipe123 Registered Member

    Joined:
    May 12, 2004
    Posts:
    16
    Re: Can't get rid of Trojan horse....

    OK, we hit a terse spot this time!

    When I so much as go to the hijackth!s website or just type it out, my browser promptly gets closed down...

    Could any of you guys please be so kind as to email me the hijack proggy zip file? 'Cos I can't get it downloaded.

    Thanks very much for all the great assistance, you guys rock!
     
  7. lipe123

    lipe123 Registered Member

    Joined:
    May 12, 2004
    Posts:
    16
    Re: Can't get rid of Trojan horse....

    Yep, I tried it every which way now: Internet Explorer, Opera, GoZilla, you name it. As soon as the file is about 25% downloaded the program mysteriously gets closed down. Do you think it uses a scanner like AV programs? 'Cos I tried saving it as any other name and that didn't help either.
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Re: Can't get rid of Trojan horse....

    Try downloading it from our server; see this thread, which contains a download link. In case of no luck, drop one of the Moderators an IM.

    regards.

    paul
     
  9. lipe123

    lipe123 Registered Member

    Joined:
    May 12, 2004
    Posts:
    16
    Re: Can't get rid of Trojan horse....

    OK, I got it downloaded now with GoZilla (I didn't edit the right "save as" field). New problem though: it's being closed just like regedit and the others after only a few secs, even if I change the filename. Will booting in safe mode work?
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Re: Can't get rid of Trojan horse....

    I wouldn't bet on it - but no harm in giving it a try.

    regards.

    paul
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Can't get rid of Trojan horse....

    Lipe123, can you check to see if any of these files exist on your system? You will need to ensure that "View all file types" and "Show hidden" are enabled in Windows Explorer options:
    hxdef100.exe 70 144 b - program Hacker defender v1.0.0
    hxdef100.ini 3 872 b - inifile with default settings
    hxdef100.2.ini 3 695 b - inifile with default settings, variant 2
    bdcli100.exe 26 624 b - backdoor client
    rdrbs100.exe 49 152 b - redirectors base
    readmecz.txt 34 654 b - Czech version of readme file
    readmeen.txt 35 956 b - this readme file
    readmefr.txt 38 029 b - French version of readme file
    src.zip 93 174 b - source
     
  12. lipe123

    lipe123 Registered Member

    Joined:
    May 12, 2004
    Posts:
    16
    Re: Can't get rid of Trojan horse....

    OK, the safe mode thing worked, or at least it bought me enough time to save the log file.

    Those other files, I'm going to start looking for them right now... *edit* none found - just that hxf...file that the AV scanner finds every time. Other close matches are: hxdsui.dll, hxds.dll

    Here is the hijack log:

    Logfile of HijackThis v1.97.7
    Scan saved at 15:55:24, on 13/05/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\cmd.exe
    C:\WINNT\explorer.exe
    C:\downloads\hj.exe
    C:\WINNT\system32\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kxpfvt.outhost.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://kxpfvt.outhost.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://kxpfvt.outhost.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://kxpfvt.outhost.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://kxpfvt.outhost.info/sp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = nov
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = nov
    O1 - Hosts: 213.159.118.228 collections.inhost.info
    O1 - Hosts: 213.159.118.228 collections.inhost2.info
    O1 - Hosts: 213.159.118.228 1-se.com
    O1 - Hosts: 213.159.118.228 58q.com
    O1 - Hosts: 213.159.118.228 aifind.cc
    O1 - Hosts: 213.159.118.228 aifind.info
    O1 - Hosts: 213.159.118.228 allneedsearch.com
    O1 - Hosts: 213.159.118.228 approvedlinks.com
    O1 - Hosts: 213.159.118.228 auto.ie.searchforge.com
    O1 - Hosts: 213.159.118.228 awebfind.biz
    O1 - Hosts: 213.159.118.228 best.royalsearch.net
    O1 - Hosts: 213.159.118.228 cracks.am
    O1 - Hosts: 213.159.118.228 default-homepage-network.com
    O1 - Hosts: 213.159.118.228 find.microgirls.com
    O1 - Hosts: 213.159.118.228 find4u.net
    O1 - Hosts: 213.159.118.228 freshvideogals.com
    O1 - Hosts: 213.159.118.228 i-lookup.com
    O1 - Hosts: 213.159.118.228 ie-search.com
    O1 - Hosts: 213.159.118.228 in.webcounter.cc
    O1 - Hosts: 213.159.118.228 itseasy.us
    O1 - Hosts: 213.159.118.228 just.find-itnow.com
    O1 - Hosts: 213.159.118.228 link.startmake.com
    O1 - Hosts: 213.159.118.228 mysearchnow.com
    O1 - Hosts: 213.159.118.228 nativehardcore.com
    O1 - Hosts: 213.159.118.228 qwertysearch123.biz
    O1 - Hosts: 213.159.118.228 search.ieplugin.com
    O1 - Hosts: 213.159.118.228 search.psn.cn
    O1 - Hosts: 213.159.118.228 searchbar.findthewebsiteyouneed.com
    O1 - Hosts: 213.159.118.228 searchcentrix.com
    O1 - Hosts: 213.159.118.228 searchmyrequest.com
    O1 - Hosts: 213.159.118.228 super-spider.com
    O1 - Hosts: 213.159.118.228 t.rack.cc
    O1 - Hosts: 213.159.118.228 teen-biz.com
    O1 - Hosts: 213.159.118.228 teenhqpics.com
    O1 - Hosts: 213.159.118.228 tits.hardcore4ever.net
    O1 - Hosts: 213.159.118.228 webcoolsearch.com
    O1 - Hosts: 213.159.118.228 wmmse.com
    O1 - Hosts: 213.159.118.228 www.008i.com
    O1 - Hosts: 213.159.118.228 www.2fastsearch.net
    O1 - Hosts: 213.159.118.228 www.8095.com
    O1 - Hosts: 213.159.118.228 www.alfa-search.com
    O1 - Hosts: 213.159.118.228 www.boredlife.com
    O1 - Hosts: 213.159.118.228 www.couldnotfind.com
    O1 - Hosts: 213.159.118.228 www.cracks.am
    O1 - Hosts: 213.159.118.228 www.daum.net
    O1 - Hosts: 213.159.118.228 www.dreamwiz.com
    O1 - Hosts: 213.159.118.228 www.find-itnow.com
    O1 - Hosts: 213.159.118.228 www.find-itnow.com
    O1 - Hosts: 213.159.118.228 www.find4u.net
    O1 - Hosts: 213.159.118.228 www.firstbookmark.com
    O1 - Hosts: 213.159.118.228 www.gajai.com
    O1 - Hosts: 213.159.118.228 www.hand-book.com
    O1 - Hosts: 213.159.118.228 www.hao123.com
    O1 - Hosts: 213.159.118.228 www.hotsearchbox.com
    O1 - Hosts: 213.159.118.228 www.hotwebsearch.com
    O1 - Hosts: 213.159.118.228 www.hugesearch.net
    O1 - Hosts: 213.159.118.228 www.iquicksearch.com
    O1 - Hosts: 213.159.118.228 www.lookfor.cc
    O1 - Hosts: 213.159.118.228 www.maxxxhosters.com
    O1 - Hosts: 213.159.118.228 www.naver.com
    O1 - Hosts: 213.159.118.228 www.nkvd.us
    O1 - Hosts: 213.159.118.228 www.nova****.com
    O1 - Hosts: 213.159.118.228 www.ohcorea.com
    O1 - Hosts: 213.159.118.228 www.omega-search.com
    O1 - Hosts: 213.159.118.228 www.onet.pl
    O1 - Hosts: 213.159.118.228 www.power-search.info
    O1 - Hosts: 213.159.118.228 www.rightfinder.net
    O1 - Hosts: 213.159.118.228 www.search-1.net
    O1 - Hosts: 213.159.118.228 www.search-and-go.com
    O1 - Hosts: 213.159.118.228 www.search-dot.com
    O1 - Hosts: 213.159.118.228 www.search-space.com
    O1 - Hosts: 213.159.118.228 www.searchforge.com
    O1 - Hosts: 213.159.118.228 www.searching-the-net.com
    O1 - Hosts: 213.159.118.228 www.searchv.com
    O1 - Hosts: 213.159.118.228 www.searchxl.com
    O1 - Hosts: 213.159.118.228 www.seznam.cz
    O1 - Hosts: 213.159.118.228 www.slotch.com
    O1 - Hosts: 213.159.118.228 www.spidersearch.com
    O1 - Hosts: 213.159.118.228 www.startium.com
    O1 - Hosts: 213.159.118.228 www.therealsearch.com
    O1 - Hosts: 213.159.118.228 www.ttjj.com
    O1 - Hosts: 213.159.118.228 www.viewpornkey.com
    O1 - Hosts: 213.159.118.228 www.wazzupnet.com
    O1 - Hosts: 213.159.118.228 www.websearch.com
    O1 - Hosts: 213.159.118.228 www.windowws.cc
    O1 - Hosts: 213.159.118.228 www.xgmm.com
    O1 - Hosts: 213.159.118.228 xwebsearch.biz
    O1 - Hosts: 213.159.118.228 yourbookmarks.ws
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
    O2 - BHO: (no name) - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
    O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\GoZilla\GoIEHlp.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Dexxa\Wireless Desktop\lwb3dapp.exe
    O4 - HKLM\..\Run: [Go!Zilla dial-up fix] "C:\Program Files\GoZilla\Go.exe" /FIXRAS
    O4 - HKLM\..\Run: [GAINWARD] C:\WINNT\TBPanel.exe /A
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
    O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.7\Disk_Monitor.exe
    O4 - HKLM\..\Run: [Network Service] C:\WINNT\svhost.exe -sr -0
    O4 - HKCU\..\Run: [EPSON Stylus CX3200] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINNT\system32\E_S6.tmp"
    O4 - HKCU\..\Run: [Network Service] C:\WINNT\svhost.exe -sr -0
    O4 - HKCU\..\RunOnce: [CommCenter] "C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Subscribe in Desktop Sidebar (HKLM)
    O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8611AF15-1A67-44B4-899B-67691F1ED79E}: NameServer = 192.168.0.1
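Two patterns in the HijackThis log above are worth separating mechanically: the R0/R1 lines set every IE start and search page to the same host (or blank them to `http://`), and the O1 lines point dozens of search-engine and portal hostnames at one remote address. A blocklist-style hosts file points names at 127.0.0.1 or 0.0.0.0 so that they go nowhere; a hosts file that sends them to a routable IP is a redirect, and the box's DNS is bypassed for those names no matter what the O17 NameServer says. The script below is an added example, not HijackThis code: it parses the R*/O* lines, groups O1 entries by target IP and keeps the non-loopback targets that swallow several names, reports R0/R1 values that are blank, not a URL, or point at a host outside an analyst-supplied allowlist, and returns the log lines one would tick. The allowlist is an assumption, the sample is an excerpt of the log above plus one constructed 127.0.0.1 line marked in the code, and O4 autostart entries are deliberately left to the analyst because deciding them means looking at the binary.

```python
"""Triage a HijackThis log for browser and hosts-file hijacks. Added example,
not HijackThis code; the allowlist of trusted home/search hosts is assumed."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+) = (?P<url>.*)$")

# Hosts an analyst would accept as a home or search page; any other host in an
# R0/R1 line is reported. Assumption for the example.
TRUSTED_HOSTS = {"www.google.com", "www.msn.com", "www.microsoft.com"}

# Excerpt of the log posted above, plus one constructed loopback entry to show
# that a blocklist-style hosts line is not reported.
SAMPLE_LOG = "\n".join([
    "Logfile of HijackThis v1.97.7",
    "R1 - HKCU\\Software\\Microsoft\\Internet Explorer,SearchURL = http://",
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://kxpfvt.outhost.info/",
    "R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,CustomizeSearch = http://kxpfvt.outhost.info/sp.php",
    "R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = nov",
    "O1 - Hosts: 213.159.118.228 www.naver.com",
    "O1 - Hosts: 213.159.118.228 www.seznam.cz",
    "O1 - Hosts: 213.159.118.228 www.onet.pl",
    "O1 - Hosts: 213.159.118.228 ie-search.com",
    "O1 - Hosts: 127.0.0.1 ads.example.invalid",  # constructed, blocklist style
    "O4 - HKLM\\..\\Run: [Network Service] C:\\WINNT\\svhost.exe -sr -0",
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{8611AF15-1A67-44B4-899B-67691F1ED79E}: NameServer = 192.168.0.1",
])


def parse_hjt(text: str):
    """Yield (kind, body, raw_line) for every R*/O* line; other lines are skipped."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            yield m["kind"], m["body"], raw


def hosts_sinks(entries, min_hosts: int = 3) -> dict:
    """Group O1 entries by target IP and keep the routable targets that swallow
    at least min_hosts names. Loopback/unspecified targets are how a legitimate
    blocklist blackholes ad servers, so they are not reported."""
    by_ip = defaultdict(list)
    for kind, body, _ in entries:
        m = HOSTS_RE.match(body) if kind == "O1" else None
        if m is None:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:  # malformed address; leave it for the analyst
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            by_ip[str(ip)].append(m["host"])
    return {ip: hosts for ip, hosts in by_ip.items() if len(hosts) >= min_hosts}


def browser_hijacks(entries, trusted=TRUSTED_HOSTS) -> list:
    """Raw R0/R1 lines whose value is blank, not a URL, or names an untrusted host."""
    hits = []
    for kind, body, raw in entries:
        m = R_RE.match(body) if kind in ("R0", "R1") else None
        if m is None:
            continue
        host = urlsplit(m["url"].strip()).hostname  # None for "http://" and "nov"
        if host is None or host.lower() not in trusted:
            hits.append(raw)
    return hits


def fix_list(text: str, min_hosts: int = 3) -> list:
    """The log lines an analyst would tick in HijackThis: the hijacked R entries
    and every O1 line feeding a hosts-file sink. O4 lines are not decided here."""
    entries = list(parse_hjt(text))
    sinks = hosts_sinks(entries, min_hosts)
    hijacked = set(browser_hijacks(entries))
    keep = []
    for kind, body, raw in entries:
        if raw in hijacked:
            keep.append(raw)
        elif kind == "O1":
            m = HOSTS_RE.match(body)
            if m and m["ip"] in sinks:
                keep.append(raw)
    return keep


if __name__ == "__main__":
    for ip, hosts in hosts_sinks(list(parse_hjt(SAMPLE_LOG))).items():
        print(f"{ip} sinks {len(hosts)} hostnames: {', '.join(hosts)}")
    print("\n".join(fix_list(SAMPLE_LOG)))
```

On the sample the one sink is 213.159.118.228 with four names behind it, the four R lines are all reported (two point at kxpfvt.outhost.info, two are blank or `nov`), and the constructed 127.0.0.1 line and the O4 line are left alone. Fixing the entries restores the hosts file and IE defaults but does nothing about whatever rewrote them; that is the separate job of finding the loader.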
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Can't get rid of Trojan horse....

    Yes, You have problems :) I will get an expert to verify them ...
     
  14. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: Can't get rid of Trojan horse....

    First download CWshredder from http://www.thespykiller.co.uk

    download http://members.shaw.ca/techcd/VB_Projects/HostsFileReader.zip and save it to desktop

    boot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Run HijackThis, tick the entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press Fix checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kxpfvt.outhost.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://kxpfvt.outhost.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://kxpfvt.outhost.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://kxpfvt.outhost.info/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://kxpfvt.outhost.info/sp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = nov
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = nov
    O1 - Hosts: 213.159.118.228 collections.inhost.info
    O1 - Hosts: 213.159.118.228 collections.inhost2.info
    O1 - Hosts: 213.159.118.228 1-se.com
    O1 - Hosts: 213.159.118.228 58q.com
    O1 - Hosts: 213.159.118.228 aifind.cc
    O1 - Hosts: 213.159.118.228 aifind.info
    O1 - Hosts: 213.159.118.228 allneedsearch.com
    O1 - Hosts: 213.159.118.228 approvedlinks.com
    O1 - Hosts: 213.159.118.228 auto.ie.searchforge.com
    O1 - Hosts: 213.159.118.228 awebfind.biz
    O1 - Hosts: 213.159.118.228 best.royalsearch.net
    O1 - Hosts: 213.159.118.228 cracks.am
    O1 - Hosts: 213.159.118.228 default-homepage-network.com
    O1 - Hosts: 213.159.118.228 find.microgirls.com
    O1 - Hosts: 213.159.118.228 find4u.net
    O1 - Hosts: 213.159.118.228 freshvideogals.com
    O1 - Hosts: 213.159.118.228 i-lookup.com
    O1 - Hosts: 213.159.118.228 ie-search.com
    O1 - Hosts: 213.159.118.228 in.webcounter.cc
    O1 - Hosts: 213.159.118.228 itseasy.us
    O1 - Hosts: 213.159.118.228 just.find-itnow.com
    O1 - Hosts: 213.159.118.228 link.startmake.com
    O1 - Hosts: 213.159.118.228 mysearchnow.com
    O1 - Hosts: 213.159.118.228 nativehardcore.com
    O1 - Hosts: 213.159.118.228 qwertysearch123.biz
    O1 - Hosts: 213.159.118.228 search.ieplugin.com
    O1 - Hosts: 213.159.118.228 search.psn.cn
    O1 - Hosts: 213.159.118.228 searchbar.findthewebsiteyouneed.com
    O1 - Hosts: 213.159.118.228 searchcentrix.com
    O1 - Hosts: 213.159.118.228 searchmyrequest.com
    O1 - Hosts: 213.159.118.228 super-spider.com
    O1 - Hosts: 213.159.118.228 t.rack.cc
    O1 - Hosts: 213.159.118.228 teen-biz.com
    O1 - Hosts: 213.159.118.228 teenhqpics.com
    O1 - Hosts: 213.159.118.228 tits.hardcore4ever.net
    O1 - Hosts: 213.159.118.228 webcoolsearch.com
    O1 - Hosts: 213.159.118.228 wmmse.com
    O1 - Hosts: 213.159.118.228 www.008i.com
    O1 - Hosts: 213.159.118.228 www.2fastsearch.net
    O1 - Hosts: 213.159.118.228 www.8095.com
    O1 - Hosts: 213.159.118.228 www.alfa-search.com
    O1 - Hosts: 213.159.118.228 www.boredlife.com
    O1 - Hosts: 213.159.118.228 www.couldnotfind.com
    O1 - Hosts: 213.159.118.228 www.cracks.am
    O1 - Hosts: 213.159.118.228 www.daum.net
    O1 - Hosts: 213.159.118.228 www.dreamwiz.com
    O1 - Hosts: 213.159.118.228 www.find-itnow.com
    O1 - Hosts: 213.159.118.228 www.find-itnow.com
    O1 - Hosts: 213.159.118.228 www.find4u.net
    O1 - Hosts: 213.159.118.228 www.firstbookmark.com
    O1 - Hosts: 213.159.118.228 www.gajai.com
    O1 - Hosts: 213.159.118.228 www.hand-book.com
    O1 - Hosts: 213.159.118.228 www.hao123.com
    O1 - Hosts: 213.159.118.228 www.hotsearchbox.com
    O1 - Hosts: 213.159.118.228 www.hotwebsearch.com
    O1 - Hosts: 213.159.118.228 www.hugesearch.net
    O1 - Hosts: 213.159.118.228 www.iquicksearch.com
    O1 - Hosts: 213.159.118.228 www.lookfor.cc
    O1 - Hosts: 213.159.118.228 www.maxxxhosters.com
    O1 - Hosts: 213.159.118.228 www.naver.com
    O1 - Hosts: 213.159.118.228 www.nkvd.us
    O1 - Hosts: 213.159.118.228 www.nova****.com
    O1 - Hosts: 213.159.118.228 www.ohcorea.com
    O1 - Hosts: 213.159.118.228 www.omega-search.com
    O1 - Hosts: 213.159.118.228 www.onet.pl
    O1 - Hosts: 213.159.118.228 www.power-search.info
    O1 - Hosts: 213.159.118.228 www.rightfinder.net
    O1 - Hosts: 213.159.118.228 www.search-1.net
    O1 - Hosts: 213.159.118.228 www.search-and-go.com
    O1 - Hosts: 213.159.118.228 www.search-dot.com
    O1 - Hosts: 213.159.118.228 www.search-space.com
    O1 - Hosts: 213.159.118.228 www.searchforge.com
    O1 - Hosts: 213.159.118.228 www.searching-the-net.com
    O1 - Hosts: 213.159.118.228 www.searchv.com
    O1 - Hosts: 213.159.118.228 www.searchxl.com
    O1 - Hosts: 213.159.118.228 www.seznam.cz
    O1 - Hosts: 213.159.118.228 www.slotch.com
    O1 - Hosts: 213.159.118.228 www.spidersearch.com
    O1 - Hosts: 213.159.118.228 www.startium.com
    O1 - Hosts: 213.159.118.228 www.therealsearch.com
    O1 - Hosts: 213.159.118.228 www.ttjj.com
    O1 - Hosts: 213.159.118.228 www.viewpornkey.com
    O1 - Hosts: 213.159.118.228 www.wazzupnet.com
    O1 - Hosts: 213.159.118.228 www.websearch.com
    O1 - Hosts: 213.159.118.228 www.windowws.cc
    O1 - Hosts: 213.159.118.228 www.xgmm.com
    O1 - Hosts: 213.159.118.228 xwebsearch.biz
    O1 - Hosts: 213.159.118.228 yourbookmarks.ws
    O2 - BHO: (no name) - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
    O4 - HKLM\..\Run: [Network Service] C:\WINNT\svhost.exe -sr -0
    O4 - HKCU\..\Run: [Network Service] C:\WINNT\svhost.exe -sr -0

    Delete these files
    C:\WINNT\svhost.exe


    now run Hosts File Reader: unzip it and then click on search for hosts
    when any hosts file is found, it will be listed in the bottom window, click on it and press the reset default button.
    that will replace any bad entries with the standard windows entries
    NOTE: if you use a customized hosts file to block certain sites then this will overwrite all those entries as well and you will need to re-enter them

    Now Run CWShredder
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.


    Reboot after running CWShredder and as soon as possible follow this advice:
    Now as CWS Hijacks are normally installed via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

    then
    Reboot normally &


    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R303 08.05.2004 or a higher number/later date

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    then post a new hijackthis log to check what is left
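    A way to do the hosts-file step programmatically, as an added example that is not part of the thread or of any tool named in it: it parses a hosts file, flags the hijack signature visible in the log above (many unrelated hostnames all pointing at one remote address) and drops only those lines, which goes beyond the reset-to-default step by preserving a user's own loopback block entries. The sample hosts content is constructed; its address and hostnames are taken from the log's O1 lines, and the block entry is made up.

```python
from collections import defaultdict

# Addresses used by legitimate blocklist-style hosts files; never treated as hijacks.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample in the shape of the log above: the redirect address and the
# hostnames are copied from the O1 lines, the "ads.example.invalid" entry is made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.invalid      # user's own block entry (constructed)
213.159.118.228 collections.inhost.info
213.159.118.228 collections.inhost2.info
213.159.118.228 1-se.com
213.159.118.228 58q.com
213.159.118.228 aifind.cc
213.159.118.228 aifind.info
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, one per hostname, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def find_redirect_ips(entries, threshold=5):
    """Return {ip: [hostnames]} for non-loopback IPs with >= threshold hostnames.
    Many unrelated names resolving to one remote address is the hijack signature."""
    by_ip = defaultdict(set)
    for ip, name in entries:
        if ip not in LOOPBACK:
            by_ip[ip].add(name)
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= threshold}


def clean_hosts(text, threshold=5):
    """Return (cleaned_text, removed) where removed lists the dropped (ip, host) pairs.
    Comments and loopback block entries are kept, unlike a full reset to default."""
    bad_ips = find_redirect_ips(parse_hosts(text), threshold)
    kept, removed = [], []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].split()
        if body and body[0] in bad_ips:
            removed.extend((body[0], h.lower()) for h in body[1:])
            continue
        kept.append(raw)
    if ("127.0.0.1", "localhost") not in set(parse_hosts("\n".join(kept))):
        kept.append("127.0.0.1\tlocalhost")  # Windows default entry, re-added if missing
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print(f"removed {len(removed)} hijack entries:")
    for ip, host in removed:
        print(f"  {ip} {host}")
    print("--- cleaned hosts ---")
    print(cleaned)
```

    The threshold of five hostnames is a heuristic; a lone non-loopback entry (for example a single security vendor's site redirected elsewhere) still deserves a manual look.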
     
  15. lipe123

    lipe123 Registered Member

    Joined:
    May 12, 2004
    Posts:
    16
    Re: Can't get rid of Trojan horse....

    Mommy!.. ok thanx a million, I'll get right on that, just got to go install a modem for some guy and get some eats...
    Oh btw I'm kinda a PC technician (apparently not a too good one) and I have a lil network goin here. If I share my root on the net I can see the "hidden" files there. For instance if I make a file called hijackthis.txt it's immediately hidden from view, and I have "show all files" and "don't hide system files" on.
    But on the net I can see the file just fine. On the infected pc nothing shows the file including attrib, dir /ah /as, not even disk probe. What I don't understand is that if there is a process that is so actively busy hiding stuff and killing programs why can't it be seen? wtf is wrong with microsoft?

    Oh well I'm off - I'll edit this later and post the new hijack log...
     
  16. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: Can't get rid of Trojan horse....

    see what happens after you kill & remove the "bad svchost" file
     
  17. lipe123

    lipe123 Registered Member

    Joined:
    May 12, 2004
    Posts:
    16
    Re: Can't get rid of Trojan horse....

    uhm ok kinda misunderstanding here, I deleted svhost and not svchost... I was wondering about that one, but since there was a svhost I thought that was it.

    Anyways we did make some progress, the virus file is still there after every reboot, but programs like hijackthis can now be opened without auto closure. However files are still being hidden if I call them "hijackthis" or the Spybot program name.

    Should I delete the real svchost too, and then I suppose the one in the sysbackup too right? wouldn't a sfc /scannow fix it too?

    Oh very importantly, how is it hiding the files from me and how can I get past that, isn't that the 1st step in killing it?

    here is my latest hijack log:

    Logfile of HijackThis v1.97.7
    Scan saved at 22:14:05, on 13/05/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\GRISOFT\AVG6\avgserv.exe
    C:\WINNT\system32\cisvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBAgent.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\system32\E_S00RP2.EXE
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\WINNT\Mixer.exe
    C:\Program Files\Dexxa\Wireless Desktop\lwb3dapp.exe
    C:\WINNT\TBPanel.exe
    C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.7\Disk_Monitor.exe
    C:\WINNT\system32\cidaemon.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\downloads\hj.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
    O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\GoZilla\GoIEHlp.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Dexxa\Wireless Desktop\lwb3dapp.exe
    O4 - HKLM\..\Run: [Go!Zilla dial-up fix] "C:\Program Files\GoZilla\Go.exe" /FIXRAS
    O4 - HKLM\..\Run: [GAINWARD] C:\WINNT\TBPanel.exe /A
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
    O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.7\Disk_Monitor.exe
    O4 - HKCU\..\Run: [EPSON Stylus CX3200] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINNT\system32\E_S6.tmp"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Subscribe in Desktop Sidebar (HKLM)
    O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8611AF15-1A67-44B4-899B-67691F1ED79E}: NameServer = 192.168.0.1
     
    Last edited: May 13, 2004
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re: Can't get rid of Trojan horse....

    Delete these files
    C:\WINNT\svhost.exe

    this one, i hope you did?
     
  19. lipe123

    lipe123 Registered Member

    Joined:
    May 12, 2004
    Posts:
    16
    Re: Can't get rid of Trojan horse....

    ok but would the one in sysbackup be clean, cos windows will restore it from there right?

    *edit* did a reboot again into safe mode, can't delete the svchost file, it's being used by windows. tried to rename it, and it worked but I think it was fake. I'm losing a little hope here, none of the scanners or anything found any concrete virus files yet - why? the only thing that gives me any results is the rkdetector??.exe program. it says i got backdoor version .84 and 1.0 installed :(. Well at least there was some progress since stuff doesn't just get closed down anymore.

    I went on the net and saw a few rootkit download sites in which they describe how to hide files and redirect commands etc... but with my current system state I thought it best to not look around too much.

    so whats next? I can boot from the win2K cd and use recovery console to replace svchost with the orig from the cab files - i think. Would that make everything show again, or is it just a start? Anyways its 24h and I still got to work tomorrow - at least we got some results so far, I'm going home.

    Oh btw I uninstalled microsoft Java as per instruction from CWShredder since I've got the sun java loaded from somewhere a long time ago anyways.

    Once again thnx, let me know what to do next, maybe after this we can do a rootkit removal instruction book and sell it to become millionaires :D
     
    Last edited: May 13, 2004
  20. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: Can't get rid of Trojan horse....

    do NOT delete svchost it is a legit windows file

    It was my bad typing that suggested it was svchost when I should have said the bad svhost


    you had a couple of problems and the svhost file was stopping antivirus and security programs from running

    hopefully TDS will run now and find the rootkit and be able to delete it

    do a full tds scan and see what it finds now
     
  21. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  22. lipe123

    lipe123 Registered Member

    Joined:
    May 12, 2004
    Posts:
    16
    Re: Can't get rid of Trojan horse....


    Ahh c'mon I was just goin to brag that I finally got it fixed and you beat me to it :D. Yep I found that site last night just before I was about to give up and did it this morning. I disabled the hackerdefender startup process' and now everything is hunky dory. Oh ok, I thought the sv and svchost thing was a mixup - np I just did a dllcache restore to be safe anyways.

    The thing is prolly still on here so I'll scan with tds again and hope it finds it this time.

    Thnx a lot ppl, this site has a poor guy like me that had a happy ending too
    http://www.dslreports.com/forum/remark,10171581~mode=flat~days=9999~start=20

    Check the last post.
     
  23. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Can't get rid of Trojan horse....

    Glad you are almost clean Lipe123 :) Hopefully TDS3 will pick up any remnants.
    Once your system is clean add Process Guard which stops rootkits and many other new types of malware ;)

    Pilli
     
  24. lipe123

    lipe123 Registered Member

    Joined:
    May 12, 2004
    Posts:
    16
    Re: Can't get rid of Trojan horse....

    Well now there is just one teeny tiny thing still. The hackerdefender registry key in the registry *opens regedit to get the key* system -> controlset -> enum -> root; is still there and I can't delete it. It just says error deleting key. Does it still pose a threat?
     
  25. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Can't get rid of Trojan horse....

    Hi Lipe123, Try this to delete the key.

    As admin - Regedit - find the key - right click on it - open permissions and click the allows, you may have to select a certain type of user to do this if it is greyed out, once the allows are ticked close and then do a right click "delete"

    HTH Pilli.
     