Plz Help i got trojan horse

Discussion in 'Trojan Defence Suite' started by Emil Ny, Nov 28, 2003.

Thread Status:
Not open for further replies.
  1. Emil Ny

    Emil Ny Guest

    Couldn't open c:\program files\bestbuy\helpexpress\emil ny\client\helpexp.exe for read access, file is locked

    the above message was in the Tds Scanner window

    I know for a fact that that is the virus im trying to get rid of.
    Its thats same file that norton cant get rid of... HOW DO I GE RID OF IT
    Im so mad right now, I try so hard to keep my comp in good condition and its pretty new... Its a trojan horse. How do i go about getting rid of this problem. If the Norton anti-virus and tds cant.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Emil Ny,

    Could you please follow the instructions in this post:
    http://www.wilderssecurity.com/showthread.php?t=15913

    Regards,

    Pieter
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Emil,
    in the meantime, can you find the file and zip it? or with rightclicking on it rename it to for instance helpexp.exe.bak or such a thing?
    so it can't run anymore.

    Please do as Pieter advised too with the cleaning tools/logs so there canbe looked immediately at your finds.

    Looking forward to results of your next steps.

    Are you using XP btw? And maybe have another instance of XP or NT (?) on another partition?
     
  4. Emil Ny

    Emil Ny Guest

    I used Adaware6 and im running on Xp, my Problem is listed in my first post.

    Logfile of HijackThis v1.97.7
    Scan saved at 3:31:58 PM, on 11/28/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\GWMDMMSG.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\System32\wjview.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\WINDOWS\System32\NMSSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\NoAds\NoAds.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Alset\HelpExpress\Emil Ny\HXIUL.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Alset\HelpExpress\Emil Ny\HXDL.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\websearch\websearch.exe
    C:\PROGRA~1\NORTON~1\navw32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Emil Ny\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sidebar.smarter.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.smarter.com/index.php?sidebar=1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://l2.orphus.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sidebar.smarter.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.smarter.com/index.php?sidebar=1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.smarter.com/index.php?sidebar=1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.smarter.com/index.php?sidebar=1
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r1.attbi.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com;<local>
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PowerDVD] C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe /autostart
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
    O4 - HKLM\..\Run: [websearch] wjview /cp:p "C:\Program Files\websearch\System\Code" Main lp: "C:\Program Files\websearch"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [EmailMesh] C:\Documents and Settings\Emil Ny\Desktop\Emil's\client.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Emil Ny\HXIUL.EXE
    O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\Emil Ny\HXDL.EXE -from="CLIENT.CAB" -to="CLIENT.CAB"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4306/mcfscan.cab
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Emil Ny,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sidebar.smarter.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.smarter.com/index.php?sidebar=1

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sidebar.smarter.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.smarter.com/index.php?sidebar=1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.smarter.com/index.php?sidebar=1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.smarter.com/index.php?sidebar=1

    O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
    O4 - HKLM\..\Run: [websearch] wjview /cp:p "C:\Program Files\websearch\System\Code" Main lp: "C:\Program Files\websearch"

    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Emil Ny\HXIUL.EXE
    O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\Emil Ny\HXDL.EXE -from="CLIENT.CAB" -to="CLIENT.CAB"

    O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab

    Reboot after doing so, preferably into safe mode and delete:
    C:\Program Files\Alset\HelpExpress <= entire folder

    Before you do this, please move HijackThis to another folder. It will not be able to make backups when you run it from the zip folder.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.