Please help how to remove Win32.Winshow.U trojan

SolutionWeb · 12-Aug-2004, 05:50 PM #1

Please how can i remove this torjan from my computer?

Logfile of HijackThis v1.97.7
Scan saved at 1:48:35 PM, on 8/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
H:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
H:\WINDOWS\system32\ntjk32.exe
H:\Program Files\RFA\rfagent.exe
H:\PROGRA~1\SRNMIC~1\SOLOSENT.EXE
H:\PROGRA~1\SRNMIC~1\SOLOCFG.EXE
H:\WINDOWS\explorer.exe
H:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vet32.exe
H:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vet32.exe
H:\Program Files\SBC\Connection Manager\CManager.exe
H:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
H:\PROGRA~1\BROADJ~1\CLIENT~1\CFD.exe
H:\PROGRA~1\Yahoo!\browser\ycommon.exe
H:\Program Files\Yahoo!\browser\ybrwicon.exe
H:\Program Files\Yahoo!\Messenger\YPAGER.EXE
H:\WINDOWS\system32\addqm.exe
H:\Program Files\Yahoo!\browser\ybrowser.exe
H:\Program Files\TrackZapper.com\AntiSpy\TzAntiSpy.exe
H:\Program Files\TrackZapper.com\AntiSpy\8555CA6.DLL
H:\Documents and Settings\Kambiz\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://lookfor.cc/sp.php?pin=12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = h:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08547B92-E346-6E7C-0412-636EFA3F16A8} - H:\WINDOWS\msth.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ntjk32.exe] H:\WINDOWS\system32\ntjk32.exe
O4 - HKLM\..\Run: [rfagent] H:\Program Files\RFA\rfagent.exe
O4 - HKLM\..\Run: [SoloSentry] H:\PROGRA~1\SRNMIC~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSchedule] H:\PROGRA~1\SRNMIC~1\SOLOCFG.EXE
O4 - HKLM\..\Run: [SoloSysCheck] H:\PROGRA~1\SRNMIC~1\SYSCHECK.COM
O4 - HKLM\..\RunOnce: [addqm.exe] H:\WINDOWS\system32\addqm.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///H:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///H:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Free Surfer (HKLM)
O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: {11111111-1111-1111-1111-111111111171} - ms-its:mhtml:file://c:\\nosuch.mht!http://line-plus.com/newhelp.chm::/newhelp.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/24eea748...p/RdxIE601.cab
O16 - DPF: {56EBE396-622A-47E0-915E-CA369A4D7A47} (QCV6B010.QCV6B010Install) - http://www.quickcleaner.com/redir/cab/QCV6B010.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8EEB54D5-CC70-40E4-B015-AC478C02ECC8} (SLViewer Control) - http://www.seevideo.co.kr/pub/seelive/SLViewer.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8D2E886-963D-448E-A3D0-750E85C15F1D}

Flrman1 · 12-Aug-2004, 06:14 PM #2

Click here to download CWShredder. Close all browser windows, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.

When it is finished restart your computer.

Go here and download Adaware SE.

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window :Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Restart your computer.

A new version of Hijack This has been released so get rid of the old one and Click here to download the new one, come back here and post the log from it after you run CWShredder and Adaware.

SolutionWeb · 12-Aug-2004, 08:11 PM #3

Thanks very much for your advice i believe that now my computer is as healty as when i bought it!!
Below is the report from runing new version of Hijackthis, please advice if i need to do more.
Thanks again

Logfile of HijackThis v1.98.2
Scan saved at 4:03:57 PM, on 8/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\spoolsv.exe
H:\Documents and Settings\Kambiz\Desktop\Torjan hunter\NewHijack-This\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = h:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08547B92-E346-6E7C-0412-636EFA3F16A8} - H:\WINDOWS\msth.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx
O8 - Extra context menu item: Yahoo! Dictionary - file:///H:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///H:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - H:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - H:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - H:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - H:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - H:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - H:\Program Files\Free Surfer\FS20.exe
O16 - DPF: {11111111-1111-1111-1111-111111111171} - ms-its:mhtml:file://c:\\nosuch.mht!http://line-plus.com/newhelp.chm::/newhelp.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/24eea748...p/RdxIE601.cab
O16 - DPF: {56EBE396-622A-47E0-915E-CA369A4D7A47} (QCV6B010.QCV6B010Install) - http://www.quickcleaner.com/redir/cab/QCV6B010.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8EEB54D5-CC70-40E4-B015-AC478C02ECC8} (SLViewer Control) - http://www.seevideo.co.kr/pub/seelive/SLViewer.CAB
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

Flrman1 · 12-Aug-2004, 10:50 PM #4

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {08547B92-E346-6E7C-0412-636EFA3F16A8} - H:\WINDOWS\msth.dll

O16 - DPF: {11111111-1111-1111-1111-111111111171} - ms-its:mhtml:file://c:\\nosuch.mht!http://line-plus.com/newhelp.chm::/newhelp.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/24eea74...ip/RdxIE601.cab

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

Restart your computer.

Also I notice that you do not have an antivirus running or a firewall. If I may so this without being rude, with the net as it is these days it is quite foolish to be without an antivirus and a firewall. By all means get both ASAP! See this thread for some good free ones:

http://forums.techguy.org/t110854/s.html

Tag Cloud
access acer asus bios bsod computer crash dns drive driver drivers error ethernet excel freeze games gaming graphics hard drive hardware hdmi internet java laptop malware memory monitor motherboard network printer problem ram random registry router slow software sound trojan usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!