Help! got a trojan!

Discussion in 'malware problems & news' started by olee253, Feb 16, 2004.

Thread Status:
Not open for further replies.
  1. olee253

    olee253 Guest

    I got a trojan, here is the log, what should i delete?




    Logfile of HijackThis v1.97.7
    Scan saved at 18:09:56, on 2004-02-16
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\NORTON~1\navapw32.exe
    C:\Program\Compaq\Easy Access Button Support\StartEAK.exe
    C:\Program\D-Tools\daemon.exe
    C:\Program\QuickTime\qttask.exe
    C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\COMPAQ\CPQINET\CPQInet.exe
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\Program\Compaq\EASYAC~1\BttnServ.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Program\Microsoft Office\Office10\WINWORD.EXE
    C:\Program\NoNameScript\mirc.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program\NoNameScript\download\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.rub.to
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.rub.to
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.rub.to
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=041d&ac
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=041d&s=search&ap=b204
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [CMESys] "C:\Program\Delade filer\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [Steam] "c:\program\steam\steam.exe" -silent
    O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://sadfasdf.9online.fr/df/freedownload.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021126/qtinstall.info.apple.com/sikes/se/win/QuickTimeInstaller.exe
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37984.1518981481
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{68190E51-E155-4776-89E0-62C8A2AD48F5}: NameServer = 195.67.199.30 195.67.199.31
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    What is it that tipped you off that you have a trojan? What was the trojan identified as? Most trojans cannot be cleared using HijackThis.

    You might want to download and install the trial of TDS3 from here

    http://tds.diamondcs.com.au/index.php?page=download

    Once it is installed but before you open it you should download the latest database from the same page and save it in your tds folder (overwriting the default radius file)

    Then launch TDS and set all sensitivity settings to maximum and scan your local disks.
     
  3. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Also, you are being impacted by a CoolWebSearch adware/spyware variant. Can you please download and run CWShredder from

    www.zerosrealm.com/downloads/CWShredder.zip

    Once this is done please rescan with hijackthis and post a fresh log.

    Thanks
     
  4. olee253

    olee253 Guest

    My scanner sais that i got a W32.Welchia.B.exe virus. when i delete it comes again on next startup
     
  5. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hi olee,

    Visit here

    http://sarc.com/avcenter/venc/data/w32.welchia.b.worm.html

    see whether the characteristics match and if it doz follow the removal instructions or just download removal tool.

    after that run test again and post HJT fresh log for expert review

    thx
     
  6. Trojan scientist

    Trojan scientist Registered Member

    Joined:
    Feb 16, 2004
    Posts:
    16
    the findthewebsiteyouneed.com site below is associated with widespread trojan/virus infections for a start. :mad:

    http://vil.nai.com/vil/content/v_100916.htm


     
Loading...
Thread Status:
Not open for further replies.