Have I ever got a new Malware/trojan HELP!

Discussion in 'adware, spyware & hijack cleaning' started by troffer, Apr 20, 2004.

Thread Status:
Not open for further replies.
  1. troffer

    troffer Registered Member

    Apr 20, 2004
    PROBLEM - Nwvd1.exe and Slns.exe are repeatedly showing up in my startup file as a result of the program 2TY@2KQ3@3W#77 attempting to put them there. I know this because I have STARTUP MONITOR installed and it continuosly tells me so.

    STEPS TAKEN - With Sys Restore OFF, I have run CWSHREDDER (found one registry entry it deleted), SPYBOT(clean), ADAWARE(clean), HIJACKTHIS (I dumped a couple of annoying files as well as the SLNS.EXE), Ive gone into the registry, found 2TY@2KQ3@3W#77 living in HKLM-Run and ripped it out by the roots, rebooted, turned system restore back on. All was good for a day, now we are back again with STARTUPMONITOR telling me the 2TY program is trying to install those 2 programs again in my startup! Ive dumped Local settings/temp, Ive dumped prefetch, Ive done a disk cleanup after each dump to make sure recycle bin is empty.

    And STILL this monster returns again and again.

    What other programs are out there in order to assist me in killing this thing?

    Anyone recognize it?

    My HIJACKTHIS report is as follows:

    StartupList report, 4/20/2004, 8:23:42 AM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Troffer\Local Settings\Temporary Internet Files\Content.IE5\6P8RABUV\StartupList[1].EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options

    Running processes:

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SpyKiller\spykiller.exe
    C:\Documents and Settings\Troffer\Local Settings\Temporary Internet Files\Content.IE5\6P8RABUV\StartupList[1].exe


    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,


    Autorun entries from Registry:

    SystemTray = SysTray.Exe
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    HPHmon04 = C:\WINDOWS\System32\hphmon04.exe
    HPHUPD04 = "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz = nwiz.exe /install
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    Run StartupMonitor = StartupMonitor.exe
    2TY@2KQ3@3W#77 = C:\WINDOWS\System32\NwvD1.exe


    Autorun entries from Registry:

    NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    AIM = C:\Program Files\AIM\aim.exe -cnetwait.odl
    PopUpStopperFreeEdition = "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"


    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}


    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Uninstall Expiration Reminder.job
    Symantec NetDetect.job
    Norton AntiVirus - Scan my computer.job


    Enumerating Download Program Files:

    CODEBASE = http://www.pestscan.com/scanner/ppctlcab.cab
    OSD = C:\WINDOWS\Downloaded Program Files\OSD406.OSD

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Shockwave ActiveX Control]
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    InProcServer32 = C:\WINDOWS\Downloaded Program Files\PPSDKActiveXScanner.ocx
    CODEBASE = http://www.pestscan.com/scanner/axscanner.cab

    [Yahoo! Audio UI1]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\yacsui.dll
    CODEBASE = http://chat.yahoo.com/cab/yacsui.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

    [CRAVOnline Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ravonline.dll
    CODEBASE = http://www.ravantivirus.com/scan/ravonline.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\DOCUME~1\Troffer\LOCALS~1\Temp\irsetup.exe||C:\DOCUME~1\Troffer\LOCALS~1\Temp\irsetup.exe


    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    End of report, 6,579 bytes
    Report generated in 0.050 seconds
  2. dave38

    dave38 Spyware Expert

    Feb 26, 2004
    You have the Peper trojan, which requires special treatment to put it out of your misery!
    Please download and run this


    Please post a followup Hijack this log after rebooting. No need for a startuplist, as yet.
  3. troffer

    troffer Registered Member

    Apr 20, 2004
    Bingo! That did it. Thank you. Sheesh that was MISERY. With some heavy research I can now read the HIJACKLIST pretty effectively. At least I gained some knowledge out of this mess. The Registry USED to scare me, not any more! And my FAVORITE sites in my PUTER FOLDER has really blossomed as well.

    Thanks for the help, Ill be sure and share the advice whenever possible. :)
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.