
[Resolved] very bad Trojan

Discussion in 'Virus & Other Malware Removal' started by Darlene C, Jan 21, 2003.

Thread Status:
Not open for further replies.
  1. Darlene C

    Darlene C Thread Starter

    Joined:
    Nov 16, 2002
    Messages:
    105
    I am in big trouble, I don't know where to start. Someone tried to send me the W32.Sobig virus; Norton caught it and I deleted it. I did a complete scan, no virus. I could not open e-mail, it kept coming 3 in a row. I took my computer to the shop and they removed part of the trojan it was trying to connect to, scanned it 3 times. Put in Norton's firewall, everything was clear. Last night I brought it home and 15 min. later the firewall was blinking. It was Rat Trojan Horse, every half hour, then a couple back-door SubSeven Trojans. The rat trojan was coming from Pittsburgh on Adelphia, that is what I am on. The SubSeven came from Va. and some other state. It's blinking now as I write this. Msmsgs keeps trying to load, Kelly's Korner said to delete it in HKEY current user/software/microsoft/windows/current version/run. I did and it keeps putting it back the minute I click another folder, I deleted it 5 times. My computer place said they did everything, notify Adelphia. I did, they are backed up. I sent them the logs, picture of location and address to Abuse. I think something is still in here and it is connecting at least from msmsgs, because it had it to run in background. When loaded into system tray, cannot shut off. Please help!
     
  2. Balzac

    Balzac Guest

  3. Darlene C

    Darlene C Thread Starter

    Joined:
    Nov 16, 2002
    Messages:
    105
    StartupList report, 1/21/2003, 9:08:56 PM
    StartupList version: 1.51
    Started from : C:\unzipped\startuplist[1]\StartupList.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\unzipped\startuplist[1]\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Microsoft Works Calendar Reminders.lnk = ?

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    WFXSwtch = C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
    WinFaxAppPortStarter = wfxsnt40.exe
    PS2 = C:\hp\drivers\keyboard\PS2.exe
    KBD = C:\HP\KBD\KBD.EXE
    HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    GhostStartTrayApp = C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - (no file) - {2662BDD7-05D6-408F-B241-FF98FACE6054}
    NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Norton SystemWorks One Button Checkup.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [iPIX ActiveX Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ipixx.ocx
    CODEBASE = http://www.ipix.com/viewers/ipixx.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37611.5252893519

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab

    [Live365Player Class]
    InProcServer32 = C:\Play365.dll
    CODEBASE = http://www.live365.com/players/play365.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Microsoft Office Tools on the Web Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\OUTC.DLL
    CODEBASE = http://dgl.microsoft.com/downloads/outc.cab

    --------------------------------------------------
    End of report, 5,204 bytes
    Report generated in 0.972 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You're new to firewalls, Darlene. Those blinking messages just mean they've been knocking at the door and no one answered. The firewall keeps them from knowing anyone's even home. Just ignore that stuff.

    Your startups look absolutely fine to me!
     
  5. Dark Star

    Dark Star

    Joined:
    Jun 8, 2001
    Messages:
    3,054
    Darlene ...

    Like Rollin' Rog said, the blinking lights that you see on the firewall just mean that it's doing its job and nothing is getting into your system.

    I do however see one problem in your startup list that Rog might have overlooked, since there are quite a few line entries and it's easy to miss one.

    Enumerating Browser Helper Objects:
    (no name) - (no file) - {2662BDD7-05D6-408F-B241-FF98FACE6054}

    That BHO was a prior install as ...

    (no name) - C:\PROGRAM FILES\XUPITER\UPDATES\XTUPDATE.DLL (file missing) - {2662BDD7-05D6-408F-B241-FF98FACE6054}

    or as...

    (no name) - C:\Program Files\Xupiter\Updates\XTUpdate.dll - {2662BDD7-05D6-408F-B241-FF98FACE6054}

    Xupiter foistware: http://allentech.net/parasite/Xupiter.html

    Xupiter components may still remain; to be sure that all its components are removed...

    The text below is standard step by step instructions suggested by TonyKlein for the install and setup of Spybot

    Let's do this first:

    Download Spybot - Search & Destroy

    It looks for spyware, but also targets dialers, keyloggers, and other nasties, and it's freeware.

    After installing, go to the Online tab, and search for and install all updates.

    Next, go to the Settings tab > File Sets, and uncheck 'System Internals' and 'Tracks' .

    These aren't needed for our present purpose, and you can always experiment with them later on.

    Finally, after closing down Internet Explorer, hit 'Check All', and have SpyBot remove all it finds.

    Next, go to Internet Options > Temp. Internet Files > Settings > Show Objects, and examine all ActiveX objects you see there.

    Right-click each one in turn, choose 'Properties', and check the Version tab.

    If the company is anyone else but Macromedia, Apple, or Microsoft, right-click the file, and choose 'Remove'.
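As an added illustration (not code from the thread), here is a small Python parser for the StartupList report format posted above that picks out Browser Helper Objects whose DLL is gone, which is exactly the orphaned Xupiter registration Dark Star spotted. The report excerpt is constructed from the thread's own BHO section plus one extra line in the '(file missing)' form with an all-zero placeholder CLSID.

```python
import re

# Constructed sample in StartupList 1.51 report format: the two BHO lines from
# the thread plus one line in the "(file missing)" form, using an all-zero
# placeholder CLSID (not a real registration).
SAMPLE_REPORT = r"""
Enumerating Browser Helper Objects:

(no name) - (no file) - {2662BDD7-05D6-408F-B241-FF98FACE6054}
NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\PROGRAM FILES\XUPITER\UPDATES\XTUPDATE.DLL (file missing) - {00000000-0000-0000-0000-000000000000}

--------------------------------------------------

Enumerating Task Scheduler jobs:
"""

# One BHO line: "<name> - <path> - {CLSID}"; name and path are matched
# non-greedily so a path containing spaces is kept whole.
BHO_LINE = re.compile(r"^(?P<name>.*?) - (?P<path>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\})$")


def parse_bhos(report: str) -> list:
    """Return the entries of the 'Browser Helper Objects' section as dicts."""
    entries = []
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line == "Enumerating Browser Helper Objects:":
            in_section = True
            continue
        if in_section and line.startswith("-----"):
            break  # section separator: the BHO list has ended
        if in_section:
            m = BHO_LINE.match(line)
            if m:
                entries.append(m.groupdict())
    return entries


def orphaned_bhos(report: str) -> list:
    """CLSIDs still registered as BHOs although the DLL they point at no longer
    exists; StartupList prints these as '(no file)' or '<path> (file missing)'.
    Such leftovers show an uninstall was incomplete, which is Dark Star's point."""
    return [e["clsid"] for e in parse_bhos(report)
            if e["path"] == "(no file)" or e["path"].endswith("(file missing)")]
```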
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Yup, good catch Dark Star, I overlooked that; it's probably residual, I don't know if Spybot will catch it. If it doesn't, another way to delete it is to get HijackThis, run the scan log and check it for removal from there.

    http://www.lurkhere.com/~nicefiles/
     
  7. Darlene C

    Darlene C Thread Starter

    Joined:
    Nov 16, 2002
    Messages:
    105
    Thank you Rolling Rog and Dark Star,
    I downloaded Spybot Search and Destroy and did as Dark Star suggested. That number that you were concerned about was from Xupiter, I had to remove most of it in Sept 2002, I didn't know how to get that number out. There were other things that Spybot found, some from Gator, a lot from Xupiter. I thought I got rid of everything but that number. I don't know a lot about the registry, I am older and self taught. There is something else that I am concerned about. Msmsgs keeps trying to load even though I un-checked it. I went to Kelly's Korner and she said to just delete it from HKEY/current user/software/Microsoft/Windows/Current version/run/ and every time I delete it, it comes back as soon as I close the folder. I never used it and don't want to. When it loads in my system tray I cannot right-click and close it. It says another program is using it. In the registry it is listed in the right as C:\Program Files\Messenger\Msmsgs.exe /Background. I keep deleting it and it comes back, this never happened before the initial W32.Sobig virus tried to get in. That is what the computer place said, that part of it was in my computer and they got it out. I recently joined a newsgroup for Stardock, WindowBlinds. Could that have put something in to make the Msmsgs keep trying to come in? I un-subscribed, but how can I get Msmsgs permanently out of my computer? It wants to run in the background, before I just unchecked it. Thanks again for all your help.
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I think I know what you mean about MS Messenger. I went about in circles trying to keep it out of the System Tray too when I first got XP. It would stay out for a while, then come back. Unchecking or deleting the msconfig entry did not help.

    At first I just renamed msmsgs.exe to msmsgs.bak -- and that did work, although I could see some "errors" in the applications "event" log when it couldn't be found, although no other error messages were produced.

    Then I noticed that "messenger" is also configured to start as a "Service". I was under the impression that this was not associated with MS Messenger, but when I disabled it and restored the original name to msmsgs.exe -- it worked too, with no errors in the event log.

    To disable "messenger" as a service (which is desirable for other reasons as well), go to Administrative Tools and open your Services Profile. Look for it there and either double click it or right click and select "properties", you will see a drop menu with the option to "disable". Then make sure you have deleted the startup entries once more.

    If that doesn't work for you, just try renaming the exe as I did first.
     
  9. Darlene C

    Darlene C Thread Starter

    Joined:
    Nov 16, 2002
    Messages:
    105
    Rolling Rog,
    The Messenger in services has been disabled since about Sept. when they started to send spam on that grey box. I saw it on Tech TV, and disabled it. It is still disabled; is there another name it could be under? If I rename it, where should I rename it at? In C:/Programs, where there is a whole folder, and which one: the white box Msmsgsin, or the two guys msmsgs, or in the registry?
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    That was the one I was referring to. What I'd do then is delete that startup entry again, and before you reboot rename the msmsgs.exe in this path to msmsgs.bak:

    C:\Program Files\Messenger\msmsgs.exe

    Then when you reboot see if you get a "can't find" error; it may give some clue as to what is starting it. If you don't get an error message it should be all right to leave it renamed. If you do, we need to figure out what is calling it. Unfortunately I don't see anything in Startups. You might need to post the problem in XP and see if anyone there knows more about Messenger. I've never used it all myself and right now I don't know what might be launching it on your system.

    >>>> I also just remembered that it has a Tools > Options > Preferences dialog to set options to "run when Windows starts" and "allow program to run in background". Have you unchecked both of those? I had the first unchecked; if you didn't, then that is probably why it is returning.
     
  11. Darlene C

    Darlene C Thread Starter

    Joined:
    Nov 16, 2002
    Messages:
    105
    Rollin'Rog and Dark Star,
    A very special thanks to both of you. That un-checking Messenger from running in the background and on startup seems to be what was needed. I had never signed up for it or used it. I am hoping this is not premature, but the firewall only went off 2 times since running Spybot. I am greatly relieved and reassured; I just hope it doesn't start again every half hour. A Very Special Thanks to Dark Star for leading me step by step through the installation of Spybot, I would never have known what to do with it if she didn't. I never did find the settings in Internet Options, Show Objects, to examine all ActiveX objects, but it seems better already, there was something called back-door light in there that he had checked. Maybe that was it. I will be sending a special thanks and prayer to him also. Thank you once again. What a great place Tech Support Guy is and all the people that help. Again I hope I am not being premature.
    Regards Darlene
     
  12. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Happy to put a "resolved" on this one for you, hopefully :)
     
  13. Darlene C

    Darlene C Thread Starter

    Joined:
    Nov 16, 2002
    Messages:
    105
    I almost forgot to thank Balzac, and Tony Klein who got me started. Thanks Guys!
    Darlene
     
Short URL to this thread: https://techguy.org/114581
