Don't like stuff I see in HijackThis/Trojan?

Discussion in 'adware, spyware & hijack cleaning' started by dreamcatcherco, Mar 23, 2004.

Thread Status:
Not open for further replies.
  1. dreamcatcherco

    dreamcatcherco Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    9
    I ran HijackThis upon the advise of posters in the trojan section. I had previously scanned online with Trend Micro's "Housecall" & it detected Troj Delf.CX. TDS didn't detect & remove it. Also had used ad-aware to remove Stop Sign & a bunch of data miners. Now I have questions about the Trojan & also about some other stuff I see in the HijackThis log.
    Cut & Paste of the log as follows:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:04:52 AM, on 3/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Pest Removal Program Files\TrojanHunter 3.6\THGuard.exe
    C:\WINDOWS\kdx\KHost.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\U.S. Robotics\Instant Update\InstUpDt.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\oldstuff\Juno 5.0\BIN\juno.exe
    C:\Program Files\Pest Removal Program Files\hijackthis1977\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.juno.com/
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.108-deleon.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.108-deleon.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [aux.exe] \\?\C:\WINDOWS\System32\aux.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [WinUpd v2.2] C:\WINDOWS\WINUPD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [ICQ Net] C:\WINDOWS\winlogon.exe -stealth
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\Pest Removal Program Files\TrojanHunter 3.6\THGuard.exe"
    O4 - HKLM\..\Run: [eScorcher] C:\Program Files\eScorcher\eScorcher.exe
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\Pest Removal Program Files\spyblocker.exe
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKCU\..\Run: [aux.exe] \\?\C:\WINDOWS\System32\aux.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
    O4 - Global Startup: Instant Update.lnk = C:\Program Files\U.S. Robotics\Instant Update\InstUpDt.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.108-deleon.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.108-deleon.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.108-deleon.dll/cmcache.html
    O8 - Extra context menu item: Customize Menu   &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms   &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms   &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.108-deleon.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.108-deleon.dll/cmtrans.html
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms   &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms   &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar   &2 (HKLM)
    O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_spy.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/045926ff760af03a4114/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} - http://www.escorcher.com/webone/supporter5.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38049.5790162037
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AABCEE95-2564-43F3-A6D8-4F47180630B1}: NameServer = 64.136.20.133 64.136.28.133


    This log has 2 references to a file I downloaded without being aware that the program was tracking my surfing habits (e-scorcher). When I became aware I deleted it, but its on the log. Also had a worse problem with StopSign which as I remember kept reinstalling itself. Its on the log also. And there is yet another program that I thought I deleted--SpyBlocker.
    Do you see my trojan? Please instruct me. Thanks so much.
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Re:Don't like stuff I see in HyjackThis/Trojan?

    Hi dreamcatcherco,

    Welcome to Wilders.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [aux.exe] \\?\C:\WINDOWS\System32\aux.exe

    O4 - HKLM\..\Run: [WinUpd v2.2] C:\WINDOWS\WINUPD.EXE

    O4 - HKLM\..\Run: [ICQ Net] C:\WINDOWS\winlogon.exe -stealth

    O4 - HKLM\..\Run: [eScorcher] C:\Program Files\eScorcher\eScorcher.exe

    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\Pest Removal Program Files\spyblocker.exe

    O4 - HKCU\..\Run: [aux.exe] \\?\C:\WINDOWS\System32\aux.exe

    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_spy.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/045926ff760af03a4114/netzip/RdxIE601.cab

    O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} - http://www.escorcher.com/webone/supporter5.exe

    Download CWShredder and run. Be sure ALL other windows are closed use the Fix button and follow the instructions you will receive.

    Then reboot in Safe Mode and delete the following:

    C:\WINDOWS\System32\aux.exe
    C:\WINDOWS\WINUPD.EXE
    C:\WINDOWS\winlogon.exe
    C:\Program Files\eScorcher\ <-- entire folder
    C:\Program Files\Pest Removal Program Files\spyblocker.exe

    Then download and run STINGER.

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
  3. dreamcatcherco

    dreamcatcherco Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    9
    :D
    Oh, boy, you guys are gooood. Just incredible. The trojans/spyware/worm have been a burr under my saddle (little Tojan joke--get it?) for some time. Seemed like forever after I got a worm (netsky), 5 virally infected files, 2 trojans & soon after, a 3rd trojan all at the same time. How do you think its looking now? Here's the HijackThis log after I follwed Kent's instructions:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:02:46 PM, on 3/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Pest Removal Program Files\TrojanHunter 3.6\THGuard.exe
    C:\Program Files\Pest Removal Program Files\TrojanHunter 3.6\THGuard.exe
    C:\WINDOWS\kdx\KHost.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\U.S. Robotics\Instant Update\InstUpDt.exe
    C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Program Files\Pest Removal Program Files\hijackthis1977\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.juno.com/
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.108-deleon.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.108-deleon.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\Pest Removal Program Files\TrojanHunter 3.6\THGuard.exe"
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
    O4 - Global Startup: Instant Update.lnk = C:\Program Files\U.S. Robotics\Instant Update\InstUpDt.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.108-deleon.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.108-deleon.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.108-deleon.dll/cmcache.html
    O8 - Extra context menu item: Customize Menu   &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms   &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms   &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.108-deleon.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.108-deleon.dll/cmtrans.html
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms   &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms   &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar   &2 (HKLM)
    O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38049.5790162037
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Congratulations dreamcatcherco...

    Your log is clean now....

    Good work!!!

    Regards,
    Kent
     
  5. dreamcatcherco

    dreamcatcherco Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    9
    Ok, it's war now. We got the HijackThis log clean as a whistle--way better-- but Housecall still says the remaining trojan is there--Troj Delf.CX in C:\windows\wdll.dll. I am thinking just use dellater & delete it's little equine tail (and the rest of it too)--what do you think?? Problem is, I'm not very computer savvy & I don't always see the simpliest things. I don't understand how to use dellater--where do I type in the file name??
     
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Try this...

    Open up your task manager (Control>>Alt>>Delete) and under processes, see if you have this running:

    W98SYS.EXE

    If it is, then select it and click end task.

    Then, either way, do a search for that file on your system, being sure to show hidden files.

    If you find it delete it.

    Let me know the results....

    Kent
     
  7. dreamcatcherco

    dreamcatcherco Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    9
    :cool:
    Ok. Deleted file. Now what? Checked in with Housecall--trojan still there.
    Oh, here's another simple thing I don't know how to do--I posted to the Trojan section about DelLater & I can't see a page 2, so I can read the response to my post.
     
  8. dreamcatcherco

    dreamcatcherco Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    9
    :D
    Update: I think I got the son of a horse! Housecall pronounces my system clean. I deleted C:\WINDOWS\wdll.dll. I don't see it popping up somewhere else yet. I'm going to clear out my restore files & see if I need to patch a hole. Yeah!!!
     
  9. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi dreamcatcherco,

    Good work!!!

    From what I could find out:
    W98SYS.EXE <--- the file that installs the
    wdll.dll <--- the Delf.CX trojan HouseCall was finding.
    You have deleted them both now.

    One step left, to clean the registry:
    Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
    In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
    In the right panel, locate and delete the entry or entries:
    Default = "%Windows%\W98SYS.EXE"
    Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WinNT.
    Close Registry Editor.

    This should get rid of the final remains.....

    Post back your results.

    HTH....

    Regards,
    Kent
     
  10. dreamcatcherco

    dreamcatcherco Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    9
    :cool:
    I see a file that says default. But doesn't say "%windows%" or the maleware file name either--W98SYS.EXE. In fact, in the data column it says, "value not set". I don't know what to make of that. I did use a bunch of cleaners--in fact, one had attached its name as an extension to the W98SYS.EXE. (But I deleted it just for good measure anyway.) I think the software was parma? Or something like that? I wasn't overly impressed with the software So I already took it off my system, but it did do some work on the trojan. Maybe it already got to this registry entry before we did & changed it?? Do I need to set a value or leave it set as it is? Thanks for your help. I really do appreciate it.
     
  11. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi dreamcatcherco,

    You can leave that entry as is. I just wanted to doublecheck it as HJT should have shown what was entered there. I just thought since we never saw the W98SYS.EXE entry in HJT, it would be good to doublecheck.

    Good work on getting the last of the baddies!!!!

    Regards,
    Kent
     
Thread Status:
Not open for further replies.