HELP!

Discussion in 'adware, spyware & hijack cleaning' started by Kat_wwe, May 9, 2004.

Thread Status:
Not open for further replies.
  1. Kat_wwe

    Kat_wwe Registered Member

    Joined:
    May 9, 2004
    Posts:
    3
    Hey

    I seem to be infected with a Trojan Horse. First sign was a programme running called 'Ech' on my task manager upon startup. I disabled this on the startup configuration but I think it is still running elsewhere.

    My Windows Media Player has also broken down now and doesn't load up.

    I've taken the advice of several people on here and done a full scan of my computer using quite a few different programmes, including specialist trojan search engines, and all results come out clear, so I'm at a loss now what to do.

    Any advice would be greatly appreciated.


    Logfile of HijackThis v1.97.7
    Scan saved at 15:12:44, on 5/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\STDSB.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\AWLGTSTA.EXE
    C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
    C:\Program Files\Packard Bell EverSafe\TrayControl.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\BitTorrent\btdownloadgui.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Kat\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\apps\Adobe\Acrobat 5.1\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-gb\msntb.dll
    O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [AWLGTSTA.EXE] AWLGTSTA.EXE
    O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe
    O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
    O4 - HKLM\..\Run: [NovaNet-WEB Tray Control] C:\Program Files\Packard Bell EverSafe\TrayControl.exe
    O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Packard Bell EverSafe Tray Control.lnk = C:\Program Files\Packard Bell EverSafe\TrayControl.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Kat_wwe,

    A few that I don't know:
    O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
    O4 - HKLM\..\Run: [AWLGTSTA.EXE] AWLGTSTA.EXE

    Find the corresponding files, right-click them and let us know what they say under Properties > Version tab.

    And one that can be disabled:
    O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe

    For WMP https://www.wilderssecurity.com/showthread.php?t=28027

    Regards,

    Pieter
     
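The first pass a helper makes over a log like the one above is mechanical: pull the O1/O4 lines apart, strip arguments from each Run command, and note which entries cannot be identified from the log alone (bare filenames with no path, programs starting from a user-writable location, hosts-file overrides) so the poster knows which files to look up under Properties > Version. The parser below does that pass; it is an added example, not HijackThis code or anything posted in the thread, and its input is a constructed sample made of lines from the log above plus one made-up Temp entry (marked) so the location check has something to show.

```python
import re

# Constructed sample: O1/O4 lines copied from the HijackThis log above,
# plus ONE made-up line ([Example]) that is NOT in the original log.
SAMPLE_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AWLGTSTA.EXE] AWLGTSTA.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Packard Bell EverSafe Tray Control.lnk = C:\Program Files\Packard Bell EverSafe\TrayControl.exe
O4 - HKCU\..\Run: [Example] C:\Documents and Settings\Kat\Local Settings\Temp\example.exe
"""

RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
STARTUP_RE = re.compile(r'^O4 - Global Startup: (.+?) = (.+)$')
HOSTS_RE = re.compile(r'^O1 - Hosts: (\S+) (\S+)$')
# Either a quoted path, or everything up to (and including) the first ".exe".
EXE_RE = re.compile(r'^(?:"([^"]+)"|(.*?\.exe))', re.IGNORECASE)
USER_DIRS = ("\\documents and settings\\", "\\temp\\")

def exe_path(cmd):
    """Strip command-line arguments, leaving only the program path."""
    m = EXE_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip().split()[0]

def flags_for(path):
    """Reasons an entry cannot be judged from the log text alone."""
    f = []
    if "\\" not in path:
        f.append("bare filename: no path in the log, locate the file on disk")
    if any(d in path.lower() for d in USER_DIRS):
        f.append("starts from a user-writable location")
    return f

def triage(log_text):
    """One dict per O1/O4 line: entry name, resolved target, review flags."""
    out = []
    for line in log_text.splitlines():
        if m := RUN_RE.match(line.strip()):
            hive, name, cmd = m.groups()
            out.append({"hive": hive, "name": name, "target": exe_path(cmd), "flags": flags_for(exe_path(cmd))})
        elif m := STARTUP_RE.match(line.strip()):
            name, cmd = m.groups()
            out.append({"hive": "Global Startup", "name": name, "target": exe_path(cmd), "flags": flags_for(exe_path(cmd))})
        elif m := HOSTS_RE.match(line.strip()):
            ip, host = m.groups()
            out.append({"hive": "hosts", "name": host, "target": ip, "flags": [f"hosts file pins {host} to {ip}"]})
    return out

def needs_review(log_text):
    """Names of the entries to ask the poster about first."""
    return [e["name"] for e in triage(log_text) if e["flags"]]
```

The flags are only a starting list for the manual check; an entry with a full path (STDSB.exe here) is not flagged yet still has to be identified by its version information, as the thread goes on to do.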
  3. Kat_wwe

    Kat_wwe Registered Member

    Joined:
    May 9, 2004
    Posts:
    3
    Hello, thanks for replying.

    The AWLGTSTA file seems to be linked with my wireless network.

    Version Tab states:
    File Version: 1.0.20.83
    Product Name: FRISBEE Wireless LAN
    Description: FRISBEE Status Tray Applet
    Copyright 2003 WLAN-G
    Developer build: by OEM

    As for the STDSB programme, there are 8 records of that filename on my computer and it seems to be linked to a scrollbar driver and the uninstall programme for it too.

    Version: 0.0.0.1

    Many thanks
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Then I think everything is accounted for.
    Do you still have the file that was running as Ech?

    I will gladly have a look at it for you.

    Regards,

    Pieter
     
  5. Kat_wwe

    Kat_wwe Registered Member

    Joined:
    May 9, 2004
    Posts:
    3
    Yes, the Ech programme is still running.

    I disabled it on startup using MSConfig so it doesn't load when Windows starts.

    The programme command is called c:\APPS\EmailChecker\Ech.exe and is version 1.3.0.0

    The Location is SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    I want to be sure this is not a dangerous programme and my computer is safe from intrusion.

    Many thanks
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I can't find anything conclusive about it.
    I will PM you my email address and check the file when I get it.

    Regards,

    Pieter
     