PWSteal.Trojan

Discussion in 'adware, spyware & hijack cleaning' started by lui, May 30, 2004.

Thread Status:
Not open for further replies.
  1. lui

    lui Registered Member

    Joined:
    May 30, 2004
    Posts:
    2
    Hi

    I have not noticed any difficulties with my system due to this virus but it keeps coming up on Norton. After running a Norton virus check, Norton picks up the virus but is unable to quarantine or delete it. When I exit Norton it says that my computer is still infected with viruses.

    I have run Adware 6 which did not pick up any bad files. I then ran HijackThis and have pasted my log below.

    Can you help?
    Thanks
    Lui

    Logfile of HijackThis v1.97.7
    Scan saved at 14:26:56, on 30/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\sm56hlpr.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\Anti Trojan\Anti-Trojan-55\ATWatch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\PROGRA~1\MESSEN~1\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\NMain.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.rd.yahoo.com/slv/ycheck/as/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/slv/ycheck/as/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edit.europe.yahoo.com/config/mail?.intl=uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Messenger\Messenger\ycomp.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Messenger\Messenger\ycomp.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [AT-Watch] C:\Program Files\Anti Trojan\Anti-Trojan-55\ATWatch.exe
    O4 - HKLM\..\Run: [Anti-Trojan-Watch] C:\Program Files\Anti Trojan\Anti-Trojan-55\ATWatch.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\MESSEN~1\MESSEN~1\ypager.exe -quiet
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37712.1633217593
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1065EE8F-1943-4B50-A790-538426738D85}: NameServer = 212.67.96.129 212.67.120.148
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1065EE8F-1943-4B50-A790-538426738D85}: NameServer = 212.67.96.129 212.67.120.148
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi lui,

    Can you tell us where Norton finds the Trojan?
    Full path and filename, please.

    Or do an online virus scan; you will find several listed here: http://www.wilders.org/free_services_m.htm


    Regards,

    Pieter
     
  3. lui

    lui Registered Member

    Joined:
    May 30, 2004
    Posts:
    2
    Hi

    This is the file path that Norton says:

    The compressed file dtc32.dll within C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\G1ON07WF\dtc32_EN_XP[1].cab is infected with the PWSteal.Trojan virus.

    When I look there the folder Content.IE5 does not exist and if I do a search for the file it cannot be found. This includes when I say to search hidden and system files.

    I have followed the instructions on the Symantec site to remove it. The registry entry Symantec say to delete is not there.

    Thanks
    Lui
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi lui,

    Go offline, open IE and click Tools > Internet-options > on the General tab click delete Files > in the confirmation box put a checkmark in the box to delete offline content as well.

    That should do it.

    Please read "How did this happen and can I prevent it?"

    Regards,

    Pieter
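
Added example, not part of the original thread or any poster's code: a Python triage helper that parses the Norton message quoted above, checks whether the infected container sits in the IE cache, and looks for any load point in the posted HijackThis log that names the detected file. The sample input is copied from this thread; the function names and the verdict wording are assumptions made for illustration, and the verdict is a heuristic, not proof that the system is clean.

```python
import re
from pathlib import PureWindowsPath

# Sample input copied from this thread (detection message, excerpt of the posted log).
DETECTION = (r"The compressed file dtc32.dll within C:\Documents and Settings"
             r"\Administrator\Local Settings\Temporary Internet Files\Content.IE5"
             r"\G1ON07WF\dtc32_EN_XP[1].cab is infected with the PWSteal.Trojan virus.")
LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""
# Log sections that name code loaded at startup or by the browser
# (BHOs, toolbars, autoruns, downloaded ActiveX controls).
LOAD_CODES = {"O2", "O3", "O4", "O16"}

def parse_detection(msg):
    """Split the scanner message into inner file, container path and threat name."""
    m = re.search(r"compressed file (\S+) within (.+?) is infected with the (\S+) virus", msg)
    if not m:
        raise ValueError("unrecognised detection message")
    return {"member": m.group(1), "container": m.group(2), "threat": m.group(3)}

def in_browser_cache(path):
    """True when the container sits under the IE cache directory."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "temporary internet files" in parts

def load_point_references(log, member):
    """Return load-point log lines that mention the detected file's base name."""
    stem = PureWindowsPath(member).stem.lower()
    hits = []
    for line in log.splitlines():
        m = re.match(r"\s*(O\d+) - (.+)", line)
        if m and m.group(1) in LOAD_CODES and stem in m.group(2).lower():
            hits.append(line.strip())
    return hits

def triage(msg, log):
    d = parse_detection(msg)
    refs = load_point_references(log, d["member"])
    cached = in_browser_cache(d["container"])
    # Heuristic only (assumption): a clean result covers just what the log enumerates.
    verdict = "cached download, no load point" if cached and not refs else "needs further cleaning"
    return {**d, "cached": cached, "references": refs, "verdict": verdict}

if __name__ == "__main__":
    print(triage(DETECTION, LOG))
```

Run against the full log from the first post, the result is the same: no BHO, toolbar, autorun or DPF entry names dtc32, which fits the advice to clear the cache and rescan.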
     