Annoyances.org
trojan horse
Showing all messages in thread #1071899906
Windows Me Annoyances Discussion Forum


trojan horse
Friday, December 19, 2003 at 9:58 pm
Posted by Craig (2 messages posted)

I have the Trojan horse downloader Stubby A virus. I downloaded HijackThis and now need help with what I should delete from my log.
In addition I keep getting the pop-up "Failed to get data for 'ad'" which crashes my Explorer. Are they related?

Logfile of HijackThis v1.97.7
Scan saved at 7:08:38 p.m., on 20/12/2003
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\RCPrograms\RCSync.exe
C:\Program Files\RCPrograms\v2\prizesurfer.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\windows\system32\fsg_3202.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\Winnet.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\iMesh\Client\iMeshClient.exe
C:\PROGRA~1\iMesh\Client\TTIL_I~1.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\CRAIG\Local Settings\Temp\Temporary Directory 1 for hijackthis-1.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.topfivesearch.com/search.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.topfivesearch.com/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.topfivesearch.com/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Documents and Settings\CRAIG\Application Data\Mozilla\Profiles\default\3nuo0ctr.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\CRAIG\Application Data\Mozilla\Profiles\default\3nuo0ctr.slt\prefs.js)
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\mpz300.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_48.dll
O2 - BHO: (no name) - {E0F0E0E1-5D45-11D4-BC00-2DCC73302D70} - C:\WINDOWS\system32\cpr.dll
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - (no file)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.dll,DllRunMain
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AStart] C:\WINDOWS\AStart
O4 - HKLM\..\Run: [RCSync] C:\Program Files\RCPrograms\RCSync.exe
O4 - HKLM\..\Run: [PrizeSurfer] C:\Program Files\RCPrograms\v2\prizesurfer.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Trickler] "c:\windows\system32\fsg_3202.exe"
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\Winnet.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\RunOnce: [eZstub] C:\PROGRA~1\iMesh\Client\TTIL_I~1.EXE
O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Real-time Monitor.lnk = ?
O8 - Extra context menu item: Add A Page Note - C:\Program Files\CommonName\AddressBar\createnote.htm
O8 - Extra context menu item: Bookmark This Page - C:\Program Files\CommonName\AddressBar\createbookmark.htm
O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\AddressBar\emaillink.htm
O8 - Extra context menu item: Grokster Support - file://C:\Program Files\websearch\System\Temp\grokstershop_script0.htm
O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\AddressBar\navigate.htm
O9 - Extra button: Browser Pal Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O11 - Options group: [CommonName] CommonName
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {43D33A53-BCDD-4650-9ED7-36DC7298AC63} (TrStReg Control) - http://www.tresola.com/activex/trsguard2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37847.1800810185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE45187E-39F3-45AD-A748-5047D98D437C}: NameServer = 203.109.252.42 203.109.252.43


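A reader faced with a HijackThis log like the one above usually wants to triage it by section before deciding what to delete. The Python script below is an added example, not code from this thread or from HijackThis itself. It parses the item lines (R0/R1 browser settings, O2 BHOs, O4 Run keys, O10 Winsock entries, O17 name servers) with a regular expression that I assume matches the log format shown here, and flags the kinds of entries that deserve a closer look: items whose file is missing, BHOs with no name, Run entries that launch a DLL through rundll32, O10 Winsock entries, and the configured DNS servers. The sample input is a handful of lines copied from the log posted above; the flags are review prompts, not verdicts, and O10 entries in particular should be checked against a fresh log rather than removed on sight, since the Winsock chain is what keeps the machine's network connection working.

```python
import re
from collections import Counter, namedtuple

# Sample input: a few lines copied from the HijackThis v1.97.7 log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.topfivesearch.com/search.asp
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.dll,DllRunMain
O10 - Hijacked Internet access by New.Net
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE45187E-39F3-45AD-A748-5047D98D437C}: NameServer = 203.109.252.42 203.109.252.43
"""

Entry = namedtuple("Entry", "section body")
Finding = namedtuple("Finding", "kind section detail")

# Assumption: every item line starts with a section code (R0, R1, N3, O2, O4, ...) followed by " - ".
# The "Running processes:" list and the header lines do not match and are skipped.
ITEM_RE = re.compile(r"^(?P<section>[RNOF]\d{1,2}) - (?P<body>.+)$")
# For O4 entries that run through rundll32, pull out the DLL that actually gets loaded.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+?)(?:,|\s|$)", re.IGNORECASE)
# O17 entries carry the DNS servers the TCP/IP stack is configured to use.
NS_RE = re.compile(r"NameServer\s*=\s*(?P<servers>.+)$")


def parse_hjt(text):
    """Return the item lines of a HijackThis log as (section, body) entries."""
    entries = []
    for raw in text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def section_counts(entries):
    """How many items each section has; a quick shape-of-the-log overview."""
    return Counter(e.section for e in entries)


def triage(entries):
    """Flag entry types that a reviewer should inspect before anything is deleted."""
    findings = []
    for sec, body in entries:
        if "(no file)" in body:
            # Registry still references a component whose file is gone (orphaned entry).
            findings.append(Finding("orphaned", sec, body))
        if sec == "O2" and body.startswith("BHO: (no name)"):
            # A Browser Helper Object that registered no display name.
            findings.append(Finding("unnamed_bho", sec, body))
        if sec in ("R0", "R1") and " = " in body:
            # Start/search page settings: compare the URL with what the user expects.
            key, _, value = body.partition(" = ")
            findings.append(Finding("browser_setting", sec, (key.strip(), value.strip())))
        if sec == "O4":
            m = RUNDLL_RE.search(body)
            if m:
                # The process is plain rundll32; the DLL it loads is what needs identifying.
                findings.append(Finding("rundll32_run", sec, m.group("dll")))
        if sec == "O10":
            # Winsock (LSP) entry; removing these carelessly can break network access.
            findings.append(Finding("winsock_lsp", sec, body))
        if sec == "O17":
            m = NS_RE.search(body)
            if m:
                findings.append(Finding("nameservers", sec, m.group("servers").split()))
    return findings


if __name__ == "__main__":
    items = parse_hjt(SAMPLE_LOG)
    print(dict(section_counts(items)))
    for f in triage(items):
        print(f"{f.kind:16} {f.section:4} {f.detail}")
```

Feed the script a whole saved log instead of SAMPLE_LOG and the section counts plus the flagged list give a reviewer a short worklist; the O17 name servers can then be compared with the ISP's resolvers and the rundll32 DLLs looked up by name.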

re: trojan horse
Saturday, December 20, 2003 at 12:08 am
Posted by Jack Gulley (5917 messages posted)

1) This is the Windows ME forum, not the XP forum or a Security or Virus forum.

2) You are wasting your and everyone else's time by not removing your ADware, Spyware, Browser Hijackers, and common Virus programs first.

OPEN and run CWShredder.exe, close all windows and then reboot when done.

Download, install, update online and run AD-Aware_v6, check all items it finds and remove them. Reboot and run again.

Download, install, update online and run SpyBot_S&D and remove all items it finds.

Update your AVG v6 and run a full scan. If it does not remove any remaining threats, go to their web site and look up the item and follow their manual removal instructions for it. Then run an online virus scan from HouseCall_AV.


re: trojan horse
Saturday, December 20, 2003 at 12:33 am
Posted by Craig (2 messages posted)

Hi Jack,
apologies to you and all the other ME forum users. I see that this is the wrong place to post this query. I'm new at this kind of thing so it was just a screw up on my part. I appreciate very much the info you gave me and all other users can feel free to ignore my query.
Once again I'm very sorry.

On Saturday, December 20, 2003 at 12:08 am, Jack Gulley wrote:
> 1) This is the Windows ME forum, not the XP forum or a Security or Virus forum.
>
> 2) You are wasting your and everyone else's time by not removing your ADware, Spyware, Browser Hijackers, and common Virus programs first.
>
> OPEN and run CWShredder.exe, close all windows and then reboot when done.
>
> Download, install, update online and run AD-Aware_v6, check all items it finds and remove them. Reboot and run again.
>
> Download, install, update online and run SpyBot_S&D and remove all items it finds.
>
> Update your AVG v6 and run a full scan. If it does not remove any remaining threats, go to their web site and look up the item and follow their manual removal instructions for it. Then run an online virus scan from HouseCall_AV.


re: trojan horse
Monday, January 19, 2004 at 12:18 am
Posted by $teve (1 messages posted)

I beg to differ... You need to see a fully updated HijackThis log BEFORE anything is removed with Adaware or Spybot. How can anyone prescribe CWShredder or RBKiller if they don't see the H/T logfile 1st? To advise anything less is foolish, unless you want the poster (who in most cases is very computer un-savvy) to possibly lose their internet connection.


On Saturday, December 20, 2003 at 12:08 am, Jack Gulley wrote:
> 1) This is the Windows ME forum, not the XP forum or a Security or Virus forum.
>
> 2) You are wasting your and everyone else's time by not removing your ADware, Spyware, Browser Hijackers, and common Virus programs first.
>
> OPEN and run CWShredder.exe, close all windows and then reboot when done.
>
> Download, install, update online and run AD-Aware_v6, check all items it finds and remove them. Reboot and run again.
>
> Download, install, update online and run SpyBot_S&D and remove all items it finds.
>
> Update your AVG v6 and run a full scan. If it does not remove any remaining threats, go to their web site and look up the item and follow their manual removal instructions for it. Then run an online virus scan from HouseCall_AV.



All content at Annoyances.org is Copyright © 1995-2009 Creative Element™. All rights reserved.
Please do not plagiarize; redistributing these pages without permission is strictly prohibited.