Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojans etc: running wild [resolved]


  • This topic is locked This topic is locked

#16
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
Right click http://mvps.org/winh.../DelDomains.inf and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it like on the desktop. To run the inf file, right click on it and select Install.
reboot

Next, run Hijack This again and check them and then, making sure you have No Internet Explorer Windows open, including this one, Press the "Fix Checked" Button with HijackThis.

Reboot If I have specified below, and Post a Fresh HijackThis log.

O2 - BHO: (no name) - {EDD1A398-C8F7-CF1A-2911-C9840D86CEC4} - C:\WINDOWS\system32\winct.dll
O4 - HKLM\..\Run: [sdkcx32.exe] C:\WINDOWS\system32\sdkcx32.exe
O4 - HKLM\..\RunOnce: [atloo32.exe] C:\WINDOWS\system32\atloo32.exe
O23 - Service: Network Security Service (%AF) - Unknown owner - C:\WINDOWS\system32\appxe.exe" /s (file missing)


After this, Reboot and Delete the following files:

C:\WINDOWS\system32\winct.dll
C:\WINDOWS\system32\atloo32.exe
C:\WINDOWS\system32\sdkcx32.exe
C:\WINDOWS\system32\appxe.exe


Note: Make sure you have Set Windows to show Hidden Files & Folders before you Start Sending Them to us For Analysis, or you're deleting them. This can be done by looking at the instructions at This Webpage http://www.xtra.co.n...1916458,00.html

To Delete These Files/Folders, You Will need to Boot into Safe Mode. This can be done by tapping F8 while your machine restarts.

Edited by Efwis, 27 February 2005 - 07:27 AM.

  • 0

Advertisements


#17
Ricky_22

Ricky_22

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts

Right click http://mvps.org/winh.../DelDomains.inf and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it like on the desktop. To run the inf file, right click on it and select Install.
reboot

Next, run Hijack This again and check them and then, making sure you have No Internet Explorer Windows open, including this one, Press the "Fix Checked" Button with HijackThis.

Reboot If I have specified below, and Post a Fresh HijackThis log.

O2 - BHO: (no name) - {EDD1A398-C8F7-CF1A-2911-C9840D86CEC4} - C:\WINDOWS\system32\winct.dll
O4 - HKLM\..\Run: [sdkcx32.exe] C:\WINDOWS\system32\sdkcx32.exe
O4 - HKLM\..\RunOnce: [atloo32.exe] C:\WINDOWS\system32\atloo32.exe
O23 - Service: Network Security Service (%AF) - Unknown owner - C:\WINDOWS\system32\appxe.exe" /s (file missing)


After this, Reboot and Delete the following files:

C:\WINDOWS\system32\winct.dll
C:\WINDOWS\system32\atloo32.exe
C:\WINDOWS\system32\sdkcx32.exe
C:\WINDOWS\system32\appxe.exe


Note: Make sure you have Set Windows to show Hidden Files & Folders before you Start Sending Them to us For Analysis, or you're deleting them. This can be done by looking at the instructions at This Webpage http://www.xtra.co.n...1916458,00.html

To Delete These Files/Folders, You Will need to Boot into Safe Mode. This can be done by tapping F8 while your machine restarts.

View Post





I want to be sure that I follow your instructions exactly, so could you kindly advise me at what stage to I disconnect from online ? and when do I go back online ? when exactly do I go into 'safe mode' ?


I have presently successfully d/l DelDomains.inf, installed and rebooted ! I have also ensured that windows is set to show hidden files etc (this was already set )

I'll commence once I have your explicit instructions, I don't wanna make any mistakes :tazz:


Thnx .... Ricky
  • 0

#18
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
boot to safe mode, make sure you disconnect from the internet, then do as instructed

if you are on DSL the best way to make sure you are disconnected from the internet is to disconnect your modem from the computer
  • 0

#19
Ricky_22

Ricky_22

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts

boot to safe mode, make sure you disconnect from the internet, then do as instructed

if you are on DSL the best way to make sure you are disconnected from the internet is to disconnect  your modem from the computer

View Post


Thnx for that ;) I am trying to install the latest Panda antivirus 2005, so that I'll be able to scan after completing, as usually I can't get to those 'housecall programs .... but there is a hitch, apparently I have "eTrust EZ Antivirus" on my computer, and am told to go to 'add-remove programs' and remove it .... but it's not there ! can you advise me how to find it/get rid of it ? I can't use search, it keeps shutting down IE and rebooting .... I did find a re-route to get to the control panel ....... sorry for giving you all this trouble ....... :tazz:


Ricky

.
  • 0

#20
Ricky_22

Ricky_22

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts
Did well this time I think, I even managed to d/l housecall and do a scan ... as it started it found some trojan, and told me it had deleted it, that was cool, on scanning it found the following
but was unable to 'clean' them, should I go into safemode and delete these ? they are all "Troj Agent Ale"

C:/windows/system32/d3kl.exe
C:/windows/system32/d3lk.exe
C:/windows/system32/d3gk.exe
C:/windows/system32/iewg.exe
C:/windows/system32/ipdn.exe
C:/windows/system32/syscg.exe
C:/windows/system32/appnu.exe
C:/windows/system32/syshk32.exe.bak
C:/windows/system32/winbp32.exe


I'll do and post another highjack after you advise me what to do with those files.

I hope this is good news, I'm scared to do anything else until I hear from you, as I might open myself for re-infection :tazz: hope to hear from you soon ... hope it's all good this time ..... but whatever, ;) I wanna thank you for helping me, it's more appreciated than I can adequately express.


Ricky :thumbsup:
  • 0

#21
Ricky_22

Ricky_22

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts
I took a chance and deleted all those files, and it seems that I did the right thing :tazz:


This is my present highjackthis file, which looks pretty cool huh (I hope)

But I still have that anti-virus problem .... ;)


Logfile of HijackThis v1.99.1
Scan saved at 3:59:18 PM, on 28/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Documents and Settings\Eric F. Gordon.PRIVATE-ERIC\Desktop\HijackThis.exe 1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bigpond.com/webchannels
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra 'Tools' menuitem: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcaf...22/ComCtl32.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Tell me thats cool, ........................ (fingers crossed)


Ricky

.
  • 0

#22
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
cool is an understatement,

your log is clean :tazz:

For Future Protection
Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
https://netfiles.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates.

And also see
So how did I get infected in the first place?

As for your EZ Trust Anti-virus issue, since you run Norton, I would advise you to look in C:\program files\ and look for a folder called EZTrust, you can also doa search for any files with EZ Trust anti-virus in the name. let em know how you fare.
  • 0

#23
Ricky_22

Ricky_22

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts

cool is an understatement,

your log is clean  :tazz:

For Future Protection
Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
https://netfiles.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates.

And also see
So how did I get infected in the first place?

As for your EZ Trust Anti-virus issue, since you run Norton, I would advise you to look in C:\program files\ and look for a folder called EZTrust, you can also doa search for any files with EZ Trust anti-virus in the name. let em know how you fare.

View Post



Yippeeee, it's so good to be free :thumbsup: you did it for me, with your goodwill and persistence, thnx, really, thnx :cheers:

I still can't find that EZ Trust file ...... so I d/l PC-Cillen for 30 day trial, no problem, gives me time to sort it (hopefully) but that dwindles into insignificance compared to what you've accomplished when things looked really doomed :cheers:

The only thing that irks me now, is the fact that my macroflash ain't working, yet shockwave is no problem, I really would like to get that sorted, what thread should I go to for that please :woot:

You have a really nice day ;)


Ricky
  • 0

#24
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
i would recommend going to here for that issue:

http://www.geekstogo...ations-f12.html
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP