HELP!

Discussion in 'adware, spyware & hijack cleaning' started by Kat_wwe, May 9, 2004.

Thread Status:
Not open for further replies.
  1. Kat_wwe

    Kat_wwe Registered Member

    Joined:
    May 9, 2004
    Posts:
    3
    Hey

    I seem to be infected with a Trojan Horse. First sign was a programme running called 'Ech' on my task manager upon startup. I disabled this on the startup configuration but i think it is still running elsewhere.

    My Windows media player has also broken down now and dosent load up.

    Ive taken the advice of several people on here and done a full scan of my computer using quite a few different programmes including speciallist trojan search engines and all results come out clear so im at a loss now what to do.

    Any advice would be greatly apprechiated.


    Logfile of HijackThis v1.97.7
    Scan saved at 15:12:44, on 5/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\STDSB.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\AWLGTSTA.EXE
    C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
    C:\Program Files\Packard Bell EverSafe\TrayControl.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\BitTorrent\btdownloadgui.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Kat\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\apps\Adobe\Acrobat 5.1\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-gb\msntb.dll
    O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [AWLGTSTA.EXE] AWLGTSTA.EXE
    O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe
    O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
    O4 - HKLM\..\Run: [NovaNet-WEB Tray Control] C:\Program Files\Packard Bell EverSafe\TrayControl.exe
    O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Packard Bell EverSafe Tray Control.lnk = C:\Program Files\Packard Bell EverSafe\TrayControl.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi Kat_wwe,

    A few that I don't know:
    O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
    O4 - HKLM\..\Run: [AWLGTSTA.EXE] AWLGTSTA.EXE

    Find the corresponding files, rrightclick them and let us know what they say under Properties > Version tab

    And one that can be disabled
    O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe

    For WMP https://www.wilderssecurity.com/showthread.php?t=28027

    Regards,

    Pieter
     
  3. Kat_wwe

    Kat_wwe Registered Member

    Joined:
    May 9, 2004
    Posts:
    3
    Hello thanks for replying

    The AWLGTSTA file seems to be linked with my wireless network.

    Version Tab states:
    File Version: 1.0.20.83
    Product Name: FRISBEE Wireless LAN
    Description: FRISBEE Status Tray Applet
    Copyright 2003 WLAN-G
    Developer build: by OEM

    As for the STDSB programme, there are 8 records of that filename on my computer and it seems to be linked to a scrollbar driver and the uninstall programme for it too.

    Version: 0.0.0.1

    Many thanks
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Then I think everything is accounted for.
    Do you still have the file that was running as Ech?

    I will gladly have a look at it for you.

    Regards,

    Pieter
     
  5. Kat_wwe

    Kat_wwe Registered Member

    Joined:
    May 9, 2004
    Posts:
    3
    Yes the Ech programme is still running

    I disabled it on startup using MSConfig so it dosent load when windows starts.

    The programme command is called c:\APPS\EmailChecker\Ech.exe and is version 1.3.0.0

    The Location is SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    I want to be sure this is not a dangerou programme and my computer is safe from intrusion.

    Many thanks
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    I can't find anything conclusive about it.
    I will PM you my emailaddress and check the file when I get it.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.