first of all a HEARTFELT CONTRATS to the ADMIN and MODS out here who have been doing a gr8 job... i found this forum thru google and man its mindblowing to say the least
now the topic for which i startd the thread
plz help me i have been infected by this crazy trojan and its been eating up my system resources like crazy and making my system run too slow
i use Norton Antivirus 2003 and last updated it on 11/08/2005 and was infected with this [bleep] trojan on 12th august 2005
now Norton detected two files which are used by the virus viz
winkey.dll
reginv.dll
i found thru some other sites that these r used to get keystrokes and hide that trojan from system processes respectively....
also the SERVICES proceses has been eating up a lot of my system resources and there r two of them one thru my own name and other thru system name
i have Zone Alarm Firewall installed for my computer thru whih i blocked the sservice.exe and fservice.exe from accessing the internet which me sure r the products of the prorat trojan since i saw those entires in my registry key
also i was not able to delete any registry values included by the trojan since as soon as i change them the values where set back right in there to the trojan one
i saw many people posting te output of the hijackthis software.. been using it and i thank one of the mods/staff of this site for helping me get the newer version
SO here is my Hijack This log
Logfile of HijackThis v1.99.1
Scan saved at 12:59:38 PM, on 8/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\services.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\WINDOWS\System32\dllhost.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\Explorer.exe
D:\HJT\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\system32\fservice.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeMonitor - {8170D7DC-BDD6-461e-88EB-F047257898C9} - D:\Program Files\Conceiva\DownloadStudio\DLMonitr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_6_2_0.dll (file missing)
O3 - Toolbar: &DownloadStudio - {CB789373-04D5-4ef4-9C16-871463FD0830} - D:\Program Files\Conceiva\DownloadStudio\WebDLBar.dll
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download Image Using DownloadStudio... - D:\Program Files\Conceiva\DownloadStudio\ds_img.htm
O8 - Extra context menu item: Download Page Using DownloadStudio... - D:\Program Files\Conceiva\DownloadStudio\ds_all.htm
O8 - Extra context menu item: Download Selection Using DownloadStudio... - D:\Program Files\Conceiva\DownloadStudio\ds_sel.htm
O8 - Extra context menu item: Download Target Using DownloadStudio... - D:\Program Files\Conceiva\DownloadStudio\ds_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show Page Links Using DownloadStudio... - D:\Program Files\Conceiva\DownloadStudio\ds_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {4D0C4820-53F7-4d79-A2E1-5252683CF69C} - D:\Program Files\Conceiva\DownloadStudio\DownloadStudio.exe
O9 - Extra 'Tools' menuitem: &DownloadStudio - {4D0C4820-53F7-4d79-A2E1-5252683CF69C} - D:\Program Files\Conceiva\DownloadStudio\DownloadStudio.exe
O9 - Extra button: DownloadStudio - {7FCA7BD7-8F4D-4a81-BE72-A470F4E517D5} - D:\Program Files\Conceiva\DownloadStudio\WebDLBar.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{328E7120-A6C6-48D1-A099-36033D75AE48}: NameServer = 202.138.130.15,202.88.130.67,202.54.1.18,202.54.1.30,202.88.130.5
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe
also 1 more query .....
i hae dual booting sysytem WIn XP and Win 98
is is possible that the trojan from XP can affect the 98 version...( 1 fact i have these two versions on 2 physically different harddisks but the same computer)
my Norton Scan didnt Show up anything
kindly advice
thx