Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

help regarding trojan horse[RESOLVED]


  • This topic is locked This topic is locked

#1
Duality_88

Duality_88

    Member

  • Member
  • PipPip
  • 26 posts
hi,

My PC was infested by trojans, malwares, etc for i think about a year now. it was only recently when i started to clean it up after a nasty trojan attack about a month or 2 ago. i've already followed the steps stated above installed needed softwares now all i need to do is to fix some invalid or missing dll files.... a have a few questions:

1st) I've already scanned and found these trojans now they're in a quarantine in ad_aware should i permanently delete them w/o fear of losing important files?

2nd) even though my system is already cleaned( i guess so because pop-ups, change ie settings, advertisements are all gone from my ie and said to be quarantined in ad_aware and scanned by clean_up and cwshredder) of these, why am i still getting some problems(like missing dlls', hangs, messed up dial up-networking #'s, etc.) and finally...........

3rd) i have already my hijackthis log( i've read the step-by-step procedure) when can i send it for immedaite checkup? anyway for further help and info as well here are some programs that may be altered:
gopy.dll
spfrr.dll
C:\WINDOWS\SYSTEM\SPFFR.DLL/blank.html
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
ex.cab
iexplore.exe

also there is a best search engine in my add/remove that i cannot remove

tnx,
duality_88

Edited by Duality_88, 01 June 2005 - 10:02 AM.

  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

You may post it right here. I will take a look at it and help you now.
  • 0

#3
Duality_88

Duality_88

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Logfile of HijackThis v1.99.1
Scan saved at 6:18:41 PM, on 6/1/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\SYSTEM\USBN.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES2\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES2\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

F1 - win.ini: load=C:\FAXTALKM\FAXTALKM.EXE
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Auto Update] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\SYSTEM\usbn.exe -go -c96 -w
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe gopy.dll, DllRegisterServer
O4 - HKLM\..\Run: [tcactive] C:\PROGRAM FILES\THE CLEANER\YK0bpMTwYc.exe
O4 - HKLM\..\Run: [tcmonitor] C:\PROGRAM FILES\THE CLEANER\YhC23D39DSzKxKUH952.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: Office Startup.lnk = C:\Program Files2\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files2\Microsoft Office\Office\FINDFAST.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .swf: C:\PROGRA~1\INTERN~1\PLUGINS\NPSWF32.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab



_________________

btw tnx 4 d help,
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoft...ucts/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Right click on this link http://www.greyknigh...lO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [Auto Update] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\SYSTEM\usbn.exe -go -c96 -w
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe gopy.dll, DllRegisterServer
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://*.63.219.181.7


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\SVCHOST.EXE - make sure you delete it in the WINDOWS folder ONLY and no where else
C:\WINDOWS\SYSTEM\USBN.EXE
gopy.dll


Restart and run a new HijackThis scan. Save the log file and post it here.
  • 0

#5
Duality_88

Duality_88

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
q:my internet connection is too slow plus everytime i use panda online scan it always hangs in the middle!! i'm kinda irritated bout this can't i use avg(though it can't fully detect spywares) or other programs recommended in the step by step manual?

tnx

Edited by Duality_88, 01 June 2005 - 09:26 PM.

  • 0

#6
Duality_88

Duality_88

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
here's the hijackthis log:


Logfile of HijackThis v1.99.1
Scan saved at 6:46:01 PM, on 6/2/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES2\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES2\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\TROJAN REMOVERS\HIJACKTHIS.EXE

F1 - win.ini: load=C:\FAXTALKM\FAXTALKM.EXE
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: Office Startup.lnk = C:\Program Files2\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files2\Microsoft Office\Office\FINDFAST.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .swf: C:\PROGRA~1\INTERN~1\PLUGINS\NPSWF32.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab


__________________________

sorry for d late post i just had to fix some problems, btw i hope this is already fixed...... tnx 4 d help

anyway here's something i noticed in the pervious log:

O1 - Hosts: 64.91.255.87 www.dcsresearch.com(*not found*)
O4 - HKLM\..\Run: [Auto Update] C:\WINDOWS\svchost.exe -(*found and fixed)-
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\SYSTEM\usbn.exe -go -c96 -w -(*found and fixed)-
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe gopy.dll, DllRegisterServer (*not found*)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (*not found*)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (*not found*)
O15 - Trusted Zone: http://*.63.219.181.7 (*not found*)

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

/*all erased*/
C:\WINDOWS\SVCHOST.EXE - make sure you delete it in the WINDOWS folder ONLY and no where else
C:\WINDOWS\SYSTEM\USBN.EXE
gopy.dll
//
  • 0

#7
Duality_88

Duality_88

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
just finished the steps that you gave above and i think the problem may be fixed now! but while i was scanning using ad-aware avg found a virus and could not heal it so i put it in the virus vault.
It is:
A0035550.CPY
C:\_RESTORE\TEMP\
Trojan horse Collected.6.BK

what will i do with this??

tnx

Edited by Duality_88, 02 June 2005 - 11:36 AM.

  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
That one should be easy to fix :tazz:

Your log is clean.

Go to Start->Settings->Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check 'Disable System Restore'. Click OK. Click Yes when you are prompted to restart Windows. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#9
Duality_88

Duality_88

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
just followed your instructions and the trojan is now gone!! thank you very much for all of your help!! I will be following your advice to avoid these problems again....tnx again
  • 0

#10
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP