trojan I can't find!

Discussion in 'adware, spyware & hijack cleaning' started by paulfry6393, Apr 23, 2004.

Thread Status:
Not open for further replies.
  1. paulfry6393

    paulfry6393 Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    1
    I removed some viruses and trojans from my computer but still have a problem. When several programs are started, they immediately end. Some examples are regedit, NAV, TDS-3, etc. Below is my HijackThis log. Please help.

    Logfile of HijackThis v1.97.7
    Scan saved at 5:30:04 PM, on 4/23/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\msmsgsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\svchost.exe
    C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    C:\Program Files\TrojanHunter 3.8\TrojanHunter.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Janet Lazo\Desktop\HijackThis.exe
    C:\Program Files\Norton SystemWorks\OBC.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Microsoft Messenger Service] msmsgsvc.exe
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
    O4 - HKLM\..\RunServices: [Microsoft Messenger Service] msmsgsvc.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi paulfry6393,

    There is nothing obviously wrong in your HJT log. For starters, it is possible you have a virus. Please do an online virus scan. Some good online scans can be found HERE. I would suggest if the first scan you do finds something, then reboot and do another scan from another site. Then reboot and post a new HJT log.

    Regards,
    Kent
     
  3. Giordano

    Giordano Guest

    Recently I have had problems with that virus. I haven't found any removal tool, and antivirus and regedit were not able to run.
    I have discovered that this virus renames itself as msmsgsvc.exe, trying to look like the Microsoft Messenger executable. If you pay attention to the processes running in the Windows Task Manager, you should find CPU activity at two processes: svchost.exe and msmsgsvc.exe, even when the true Messenger is not running (this was my case).
    If you try to kill the svchost.exe process, an RPC fault forces a restart, as the Blaster worm does. If you try to kill the msmsgsvc.exe process, it is "magically" restarted instantaneously.
    The RPC fault reboot can be avoided. Open your command prompt and type: sc failure RpcSs reset= 0 actions= "" (text is case sensitive). Now your computer is safe from reboots caused by RPC fault exploits.
    I have also found the virus files in the folder \WINDOWS\System32\
    It apparently copies the files msmsgsvc.exe and msmsgsvc.POLY.exe to this folder, but it is impossible to delete them in normal mode. Reboot your PC in safe mode and then delete these files. It has also left two registry entries in the folders \\\Run and \\\RunServices referring to msmsgsvc.exe. Delete them.
    This procedure has apparently solved the problem.
    I hope that I could help with something.

    Giordano.
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    It looks like the latest version of one of the rpcdom viruses/trojans.

    please copy this file zip it and send it to submit@thespykiller.co.uk
    C:\WINNT\system32\msmsgsvc.exe
    with a short note referring to this thread

    Run HijackThis, tick the entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press "Fix checked".


    O4 - HKLM\..\Run: [Microsoft Messenger Service] msmsgsvc.exe

    O4 - HKLM\..\RunServices: [Microsoft Messenger Service] msmsgsvc.exe


    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    C:\WINNT\system32\msmsgsvc.exe

    then
    Reboot normally &

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R300 28.04.2004 or a higher number/later date

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop-down menu.) Then press Next and say yes to the prompt "do you want to remove all these entries".

    reboot again

    then post a new hijackthis log to check what is left

    and it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

    a firewall blocks these worms so install a good firewall, lists here http://www.wilders.org/firewalls.htm
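An added example (not code from the thread, HijackThis, or any of the posters) that automates the triage the two replies above did by eye. It parses the "Running processes" block and the O4 autostart lines of a HijackThis-style log and flags the two structural signals the responders acted on: a program given as a bare filename (Windows then resolves it through the search path, which is how a file dropped into System32 gets launched) and the same filename registered under both Run and RunServices. Entries showing both signals come back as the exact O4 lines to tick, matching the fix list in the moderator's reply. The sample log is constructed from the lines posted in the thread, and the two-signal rule is this example's own heuristic, not a rule stated by the posters; it works on any log that uses the O4 line format, not only this one.

```python
"""Autostart triage over a HijackThis-style log (added example, not the
thread's or HijackThis's own code). Flags O4 entries by two structural
signals: bare filename (search-path resolution) and registration under
both Run and RunServices. Entries with both are the lines to tick."""
import re
from collections import defaultdict

# Constructed sample input: lines taken from the log posted in the thread,
# clean entries included so they can be compared with the suspect ones.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\msmsgsvc.exe
C:\WINNT\Explorer.EXE

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft Messenger Service] msmsgsvc.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\RunServices: [Microsoft Messenger Service] msmsgsvc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)


def executable_of(cmd):
    """Return the program part of an autostart command, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # HijackThis prints unquoted paths with spaces; cut at the first .exe token.
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def is_bare_name(exe):
    """True when no directory is given, so the loader searches the path for it."""
    return "\\" not in exe and ":" not in exe


def parse_log(text):
    """Split a log into (running process paths, parsed O4 entries)."""
    running, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            if line:
                running.append(line)
            else:
                in_procs = False             # blank line ends the process block
            continue
        m = O4_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["exe"] = executable_of(entry["cmd"])
            entry["line"] = line
            entries.append(entry)
    return running, entries


def triage(text):
    """One finding per O4 entry that shows at least one structural signal."""
    running, entries = parse_log(text)
    running_names = {p.rsplit("\\", 1)[-1].lower() for p in running}
    keys_by_exe = defaultdict(set)
    for e in entries:
        keys_by_exe[e["exe"].lower()].add(e["key"].lower())

    findings = []
    for e in entries:
        exe = e["exe"].lower()
        reasons = []
        if is_bare_name(e["exe"]):
            reasons.append("bare filename, resolved via the search path")
        if {"run", "runservices"} <= keys_by_exe[exe]:
            reasons.append("same program under both Run and RunServices")
        if reasons:
            findings.append({
                "line": e["line"], "exe": e["exe"], "reasons": reasons,
                # informational: does the program appear in 'Running processes'?
                "running": exe.rsplit("\\", 1)[-1] in running_names,
            })
    return findings


def lines_to_fix(text):
    """The O4 lines showing both signals: the ones to tick in HijackThis."""
    return [f["line"] for f in triage(text) if len(f["reasons"]) == 2]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        state = "running" if f["running"] else "not running"
        print(f"{f['exe']:<14} {state:<12} {'; '.join(f['reasons'])}")
    print("\nTick in HijackThis:")
    for line in lines_to_fix(SAMPLE_LOG):
        print(" ", line)
```

On the sample, mobsync.exe is reported with one signal only (bare filename), so it stays a review item rather than a fix item, while the two msmsgsvc.exe entries show both signals and are also present in the running-process list. Paste a full log into `SAMPLE_LOG` (or read it from a file) to run the same triage on another machine's output.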
     