Have I ever got a new Malware/trojan HELP!

Discussion in 'adware, spyware & hijack cleaning' started by troffer, Apr 20, 2004.

Thread Status:
Not open for further replies.
  1. troffer

    troffer Registered Member

    Joined:
    Apr 20, 2004
    Posts:
    17
    PROBLEM - Nwvd1.exe and Slns.exe are repeatedly showing up in my startup file as a result of the program 2TY@2KQ3@3W#77 attempting to put them there. I know this because I have STARTUP MONITOR installed and it continuously tells me so.

    STEPS TAKEN - With Sys Restore OFF, I have run CWSHREDDER (found one registry entry it deleted), SPYBOT (clean), ADAWARE (clean), HIJACKTHIS (I dumped a couple of annoying files as well as the SLNS.EXE). I've gone into the registry, found 2TY@2KQ3@3W#77 living in HKLM-Run and ripped it out by the roots, rebooted, turned system restore back on. All was good for a day; now we are back again with STARTUPMONITOR telling me the 2TY program is trying to install those 2 programs again in my startup! I've dumped Local settings/temp, I've dumped prefetch, I've done a disk cleanup after each dump to make sure the recycle bin is empty.

    And STILL this monster returns again and again.

    What other programs are out there in order to assist me in killing this thing?

    Anyone recognize it?

    My HIJACKTHIS report is as follows:

    StartupList report, 4/20/2004, 8:23:42 AM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Troffer\Local Settings\Temporary Internet Files\Content.IE5\6P8RABUV\StartupList[1].EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\System32\hphmon04.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\HPHipm11.exe
    C:\WINDOWS\System32\GaqupP4T.exe
    C:\WINDOWS\System32\GaqupP4T.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\SpyKiller\spykiller.exe
    C:\Documents and Settings\Troffer\Local Settings\Temporary Internet Files\Content.IE5\6P8RABUV\StartupList[1].exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    SystemTray = SysTray.Exe
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    HPHmon04 = C:\WINDOWS\System32\hphmon04.exe
    HPHUPD04 = "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz = nwiz.exe /install
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    Run StartupMonitor = StartupMonitor.exe
    2TY@2KQ3@3W#77 = C:\WINDOWS\System32\NwvD1.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    AIM = C:\Program Files\AIM\aim.exe -cnetwait.odl
    PopUpStopperFreeEdition = "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Uninstall Expiration Reminder.job
    Symantec NetDetect.job
    Norton AntiVirus - Scan my computer.job
    {AA2163BB-1BC5-4070-A91F-4382DA7E6B52}_R2Y0F6_Troffer.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [ppctlcab]
    CODEBASE = http://www.pestscan.com/scanner/ppctlcab.cab
    OSD = C:\WINDOWS\Downloaded Program Files\OSD406.OSD

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM32\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [PPSDKActiveXScanner.MainScreen]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\PPSDKActiveXScanner.ocx
    CODEBASE = http://www.pestscan.com/scanner/axscanner.cab

    [Yahoo! Audio UI1]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\yacsui.dll
    CODEBASE = http://chat.yahoo.com/cab/yacsui.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

    [CRAVOnline Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ravonline.dll
    CODEBASE = http://www.ravantivirus.com/scan/ravonline.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\DOCUME~1\Troffer\LOCALS~1\Temp\irsetup.exe||C:\DOCUME~1\Troffer\LOCALS~1\Temp\irsetup.exe


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 6,579 bytes
    Report generated in 0.050 seconds
     
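To triage a report like the one above, here is an added example (not part of the original post, and not StartupList's or the forum's code) that parses the "Autorun entries from Registry" sections and flags values whose name or target executable looks machine-generated. The sample report is a constructed excerpt of the log above, and the two heuristics (non-vendor characters in the value name, mixed-case-plus-digit executable stems) are assumptions for illustration, not signatures of the trojan.

```python
import ntpath
import re

# Constructed excerpt in the StartupList format quoted in the post above.
SAMPLE_REPORT = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
HPHmon04 = C:\WINDOWS\System32\hphmon04.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
2TY@2KQ3@3W#77 = C:\WINDOWS\System32\NwvD1.exe

--------------------------------------------------
"""

SANE_NAME = re.compile(r"^[A-Za-z0-9 ._-]+$")  # value names vendors normally use

def parse_autoruns(report: str) -> list:
    """Collect hive/name/command triples from each 'Autorun entries' section."""
    entries, hive, lines = [], None, iter(report.splitlines())
    for line in lines:
        line = line.strip()
        if line == "Autorun entries from Registry:":
            hive = next(lines, "").strip()  # the registry key path follows the header
        elif line.startswith("---"):
            hive = None  # the dashed separator closes the section
        elif hive and " = " in line:
            name, command = line.split(" = ", 1)
            entries.append({"hive": hive, "name": name, "command": command})
    return entries

def executable_stem(command: str) -> str:
    """Basename (without extension) of the program a Run value launches."""
    exe = command[1:command.find('"', 1)] if command.startswith('"') else command.split()[0]
    return ntpath.splitext(ntpath.basename(exe))[0]

def scan_report(report: str = SAMPLE_REPORT) -> list:
    """Flag entries whose value name or target looks machine-generated (heuristic)."""
    hits = []
    for entry in parse_autoruns(report):
        reasons = []
        if not SANE_NAME.match(entry["name"]):
            reasons.append("unusual characters in value name")
        stem = executable_stem(entry["command"])
        if re.search(r"[a-z][A-Z]", stem) and re.search(r"\d", stem):
            reasons.append("random-looking executable name: " + stem)
        if reasons:
            hits.append({**entry, "reasons": reasons})
    return hits
```

Entries that survive the filter still deserve a look against a known-good baseline; the heuristics only surface the obvious outliers such as the 2TY value.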
  2. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    You have the Peper trojan, which requires special treatment to put it out of your misery!
    Please download and run this

    uninstaller

    Please post a followup Hijack this log after rebooting. No need for a startuplist, as yet.
     
  3. troffer

    troffer Registered Member

    Joined:
    Apr 20, 2004
    Posts:
    17
    Bingo! That did it. Thank you. Sheesh, that was MISERY. With some heavy research I can now read the HIJACKLIST pretty effectively. At least I gained some knowledge out of this mess. The Registry USED to scare me, not any more! And my FAVORITE sites in my PUTER FOLDER have really blossomed as well.

    Thanks for the help, I'll be sure to share the advice whenever possible. :)
     