This topic is locked
I tried getting rid of this trojan myself but the [bleep] blue screen is still in the background. I've already used ad-aware, CWShredder, Spybot, Ewido security suite, trend housecall, and AVG.
Here's the hijackthis log.
Logfile of HijackThis v1.99.1
Scan saved at 12:35:32 AM, on 17/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Documents and Settings\Teo\My Documents\Messenger Service Received Files\msnshell.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\downloads\HJT\HijackThis.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Program Files\Netscape\Users\vincent\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Configuration Loader] win2update.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [MSNShell] C:\Documents and Settings\Teo\My Documents\Messenger Service Received Files\msnshell.exe autorun
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download using ReGet - C:\Program Files\ReGet\RG_Link.htm
O8 - Extra context menu item: &List for ReGet - C:\Program Files\ReGet\RG_List.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download All by Re&Get - C:\Program Files\ReGet\RG_All.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page with Worldlingo.com - http://www.worldling...ripts/translate
O8 - Extra context menu item: Translate Selection with Worldlingo.com - http://www.worldling...ripts/translate
O9 - Extra button: Translate - {174AD5F0-A97B-11D3-99A2-000000000000} - http://www.worldling...ripts/translate (file missing)
O9 - Extra 'Tools' menuitem: Translate Page - {174AD5F0-A97B-11D3-99A2-000000000000} - http://www.worldling...ripts/translate (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: ReGet - {38AAF320-C5B4-11D1-B75E-111111111111} - C:\WINNT\system32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: &Re&Get - {38AAF320-C5B4-11D1-B75E-111111111111} - C:\WINNT\system32\shdocvw.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: Yahoo! Chat JP 2 - http://cs.chat.yahoo...p/c302/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://mail00.nshr....c.ca/iNotes.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {4A88CB42-BBFE-496A-884F-98E8AC316292} (YJInstStarter Control) - http://dl.msg.yahoo....load/yjinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://communities.m...al/msnchat4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: FireDaemon Service: csrss2 (csrss2) - Unknown owner - C:\WINNT\system32\repair\repair32\FireDaemon.EXE (file missing)
O23 - Service: FireDaemon Service: csrsss (csrsss) - Unknown owner - C:\WINNT\system32\repair\repair32\FireDaemon.EXE (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: FireDaemon Service: msnet (msnet) - Unknown owner - C:\winnt\ms.tmp\FireDaemon.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: FireDaemon Service: rundll32 (rundll32) - Unknown owner - c:\winnt\system32\Microsoft\Protect\FireDaemon.EXE (file missing)
O23 - Service: FireDaemon Service: svchost32 (svchost32) - Unknown owner - c:\winnt\system32\Microsoft\Protect\FireDaemon.EXE (file missing)
O23 - Service: FireDaemon Service: systemnt (systemnt) - Unknown owner - C:\WINNT\system32\repair\repair32\FireDaemon.EXE (file missing)
O23 - Service: FireDaemon Service: winmgnt (winmgnt) - Unknown owner - C:\winnt\ms.tmp\FireDaemon.EXE (file missing)
and here's the ewido report
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 10:20:24 PM, 16/06/2005
+ Report-Checksum: 88A52F3A
+ Date of database: 17/06/2005
+ Version of scan engine: v3.0
+ Duration: 232 min
+ Scanned Files: 100666
+ Speed: 7.21 Files/Second
+ Infected files: 24
+ Removed files: 24
+ Files put in quarantine: 24
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\crv.exe/aload.exe -> Backdoor.XLog.221 -> Cleaned with backup
C:\crv.exe/mpanel.exe -> Not-A-Virus.HackTool.Clearlog -> Cleaned with backup
C:\crv.exe/mstask.exe -> Trojan.Glitch -> Cleaned with backup
C:\crv.exe/pipecmd.exe -> Not-A-Virus.Tool.PipeCmd -> Cleaned with backup
C:\crv.exe/wmserver.exe -> Backdoor.Litmus.203 -> Cleaned with backup
C:\heel.exe/cool.exe -> Backdoor.SdBot.gen -> Cleaned with backup
C:\heel.exe/winboot.exe -> Trojan.Glitch -> Cleaned with backup
C:\heel.exe/attrib.exe -> Backdoor.SdBot.gen -> Cleaned with backup
C:\lala.exe/winbaa.exe -> Trojan.Glitch -> Cleaned with backup
C:\lala.exe/attrib.exe -> Backdoor.SdBot.bt -> Cleaned with backup
C:\new.exe/winboot.exe -> Trojan.Glitch -> Cleaned with backup
C:\new.exe/attrib.exe -> Backdoor.SdBot.bt -> Cleaned with backup
C:\nieuw.exe/attrib.exe -> Backdoor.SdBot.gen -> Cleaned with backup
C:\nieuw.exe/winboot.exe -> Trojan.Glitch -> Cleaned with backup
C:\nieuw1.exe/attrib.exe -> Backdoor.SdBot.gen -> Cleaned with backup
C:\nieuw1.exe/winboot.exe -> Trojan.Glitch -> Cleaned with backup
C:\Program Files\Netscape\Communicator\Program\Plugins\NPMySrch.dll -> Spyware.MyWay.e -> Cleaned with backup
C:\Program Files\Serv-U\Serv-U32.exe -> Backdoor.ServU-based -> Cleaned with backup
C:\WINNT\NDNuninstall6_22.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINNT\system32\download\handbot4.exe/winbaa.exe -> Trojan.Glitch -> Cleaned with backup
C:\WINNT\system32\download\handbot4.exe/attrib.exe -> Backdoor.SdBot.bt -> Cleaned with backup
C:\WINNT\system32\mѕdtc.exe -> Spyware.PurityScan -> Cleaned with backup
C:\WINNT\system32\nvnav32g.dll -> Backdoor.IRC.Zcrew -> Cleaned with backup
C:\WINNT\uninstIU.exe -> Trojan.Agent.eo -> Cleaned with backup
::Report End
Any help would be greatly appreciated.
Sign In
Create Account
