How can I get rid of exploit trojan?

Discussion in 'malware problems & news' started by jeanette96792, Mar 25, 2004.

Thread Status:
Not open for further replies.
  1. jeanette96792

    jeanette96792 Registered Member

    Joined:
    Mar 25, 2004
    Posts:
    1
    I really need your assistance....

    I just started getting this on my screen:

    C:\DOCUME~1\Jeanette\LOCALS~1\Temp\PerfectNavBHOLog.tmp is HTML.MHTMLRedir.exploittrojan

    How can I get rid of it? I already did a virus scan and found nothing. I also did a spyware scan and keep getting this message on my screen.

    What do I do? o_O :(
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Have you tried cleaning your browser caches?
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi jeanette96792,

    Welcome to Wilders. :)

    PerfectNaV installs a BHO on your computer which can be disabled by BHODemon: http://www.definitivesolutions.com/bhodemon.htm

    Or follow the directions posted here:
    http://www.wilderssecurity.com/showthread.php?t=15913

    Regards,

    Pieter
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi jeanette96792,

    Welcome to Wilder's!!!!!

    If Phant0m's suggestion does not work, go HERE and follow the instructions.

    Regards,
    Kent
     
  5. tazzma3

    tazzma3 Registered Member

    Joined:
    May 4, 2004
    Posts:
    1
    OK, I get the same thing :eek: but in a different situation.
    I just need to know what this trojan does..... does it steal your information or is it browser based..
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi tazzma3,

    Welcome to Wilders.

    This might help explain what the PerfectNaV BHO does:
    http://www.kephyr.com/spywarescanner/library/perfectnav/index.phtml

    You can disable the BHO using BHODemon (see the link Pieter posted above), or, you can follow the directions for posting a HijackThis log given in Puff_m_d's post above.

    Regards,

    snap
     
  7. thankfull

    thankfull Guest

    Thanks, I have been wondering what that thing was.
     
  8. LadyJade

    LadyJade Guest

    Running 2000 Service Pack 4, I seem to keep having the same problem as the original user. So I used HijackThis and this is what was found:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:49:30 AM, on 7/13/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\gearsec.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\VetMsgNT.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINNT\PCLKMntr.Bin
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
    C:\Documents and Settings\Administrator\Application Data\snao.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\system32\cmd.exe
    C:\Documents and Settings\Administrator\My Documents\HijackThis.exe
    C:\WINNT\system32\dplayx.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.locators.com/sidebar/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {E82A543F-8033-42D9-8080-236D9FFF35CD} - (no file)
    O2 - BHO: (no name) - {F05B6711-B1A8-4e88-BDD5-AA1A9A51F35B} - C:\WINNT\System32\MSIEHObj.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [PC-Lock Monitor] C:\WINNT\PCLKMntr.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [dplayx] C:\WINNT\system32\dplayx.exe
    O4 - HKCU\..\Run: [Swuo] C:\Documents and Settings\Administrator\Application Data\snao.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O9 - Extra button: Locators.com Search Bar (HKLM)
    O9 - Extra 'Tools' menuitem: Locators.com Search Bar (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...W/win/019-0123.20031218.zes4d/iTunesSetup.exe
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
    O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www103.coolsavings.com/download/cscmv5X.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4347/mcfscan.cab

    The Incredifind website I deleted, as well as the i lookup and the search bar. But does anyone see what could be causing me to still have the exploit virus? I also dismantled the bxxs.dll. Any comments are welcome.
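As an added example that is not part of this thread, the script below shows how a reviewer triages a HijackThis log like the one above: it parses the O1/O2/O4/O16 entries and flags the patterns that usually get asked about first (hosts-file overrides, BHOs whose DLL is missing, autoruns from a user-writable profile directory, ActiveX downloads without a friendly name). The sample lines are copied from the posted log; the heuristics are the author's own assumptions, not HijackThis rules.

```python
import re
from typing import List, Tuple

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = """\
O1 - Hosts: 12.129.205.209 search.netscape.com
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O4 - HKCU\\..\\Run: [Swuo] C:\\Documents and Settings\\Administrator\\Application Data\\snao.exe
O4 - HKLM\\..\\Run: [iTunesHelper] C:\\Program Files\\iTunes\\iTunesHelper.exe
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN.cab
"""

ENTRY_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<body>.+)$")
O2_RE = re.compile(r"^BHO: .+? - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^(?P<hive>\w+)\\\.\.\\Run: \[[^\]]+\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<name>[^)]+)\))?\s*-\s*(?P<url>.*)$")

# Assumed heuristics: persistence from user-writable directories and BHOs whose
# DLL is gone are the entries that most often turn out to be unwanted software.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\winnt\\", "c:\\windows\\")

Finding = Tuple[str, str, str]  # (section, reason, original log line)

def triage(log_text: str) -> List[Finding]:
    """Return the log lines a reviewer should look at first, each with a reason."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list and blank lines carry no section tag
        sec, body = m.group("sec"), m.group("body")
        if sec == "O1":
            findings.append((sec, "hosts file override redirects a hostname", raw))
        elif sec == "O2" and (bho := O2_RE.match(body)):
            path = bho.group("path").lower()
            if path == "(no file)":
                findings.append((sec, "BHO registered but its DLL is missing", raw))
            elif not path.startswith(TRUSTED_ROOTS):
                findings.append((sec, "BHO loaded from an unusual location", raw))
        elif sec == "O4" and (run := O4_RE.match(body)):
            if any(d in run.group("cmd").lower() for d in USER_WRITABLE):
                findings.append((sec, "autorun from a user-writable directory", raw))
        elif sec == "O16" and (dpf := O16_RE.match(body)):
            if dpf.group("name") is None:
                findings.append((sec, "ActiveX download with no friendly name", raw))
    return findings
```

Run `triage(SAMPLE_LOG)` to get four findings (the hosts entry, the orphaned BHO, the snao.exe autorun and the unnamed DPF download); the Acrobat BHO and the iTunes autorun pass the checks and are not reported.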
     
  9. LADYJADE

    LADYJADE Guest

    BUMP!!
     
  10. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Sorry LadyJade,

    We have a policy here that requires member registration in order to get help with a hijack log. (We need people to post logs as members over in the spyware / hijack review section in order to enforce the security needed to prevent people from replying to other people's logs with bad advice, or mixing their logs in with someone else's because they think their problem is similar. We can't enforce the proper security with guest postings in that section.)

    So read this:

    HijackThis Log Posting Now Requires Member Registration

    and then read this, (if you haven't), and follow that procedure, posting a new log in your own thread in the appropriate section:

    HOW TO? Read here about how to post your log!!
     