[Solved] do all trojans reside in files they have created?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

billE

Thread Starter
Joined
Apr 13, 2004
Messages
32
i have a trojan Dropper.Small.GM residing in a file system\msconfd.exe and my avg virus software is having trouble "healing" it on its own... if this .exe file is expendable i sure would like to give it to the eraser hehe :D
 
Joined
Jul 26, 2002
Messages
46,349
Hi billE

Welcome to TSG! :)

Some trojans will infect or disable other files, but not this one. However there will likely be other files and reg entries associated with it that need removing.

You can boot to safe mode and delete the C:\Windows\system\msconfd.exe file.

Also please do this:

Click here to download Hijack This. Click on the Hijackthis.exe.

Click the "Scan" button. When the scan is finished, the scan button will become "Save Log"; click that and save the log.

Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

*Note: When you download Hijack This Do Not download it to a temp folder or to the desktop. Create a permanent folder somewhere like in My Documents and name it Hijack This and put it in that folder.
 

billE

Thread Starter
Joined
Apr 13, 2004
Messages
32
hehe a quick search and i found out how to enter safe mode without asking... a note to future searchers (it's the f8 key when booting...) the eraser did work in safe mode and made quick work of the exe file (8Xs even heh, just to make sure). i use the eraser instead of the recycle bin or the incinerator because my recycle bin is broken (perhaps a future question in the win98 section) and the trial period on the incinerator is expired (no progs i have tried will change its attris or remove it from my desktop to great frustration to me, again perhaps a future question in another section). i appreciated the extra note you left on putting the hack this exe file into mydocs because i had run it before and simply opened it and ran it and watched it disappear into oblivion =o) so without further ado...
Logfile of HijackThis v1.97.7
Scan saved at 11:26:39 AM, on 4/13/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\ONTRACK\SYSTEMSUITE\MXTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://security.kolla.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = suck it!
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\PROGRAM FILES\SYSSHIELD TOOLS\INTERNET ERASER\PKEXT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\ONTRACK\SYSTEM~1\MEMCHECK.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [avgamsvr.exe] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: SystemSuite.lnk = C:\Program Files\Ontrack\SystemSuite\MXTask.exe
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: AbsoluteShield Internet Eraser (HKCU)
O10 - Broken Internet access because of LSP provider 'wps.dll' missing
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37971.2352893519
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.charter.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

a few notes and questions on this print of my system...
on the running procs... i recently learned that ptsnoop was a dialup modem prog, so now that i am on dsl, may i shut it down in my startup?
also, do any others such as WINMODEM.101\wmexe.exe qualify as unnecessary?
and... my buddy chuck asked me why i have msoffice start as well, isn't that what gives me my notebook and cutnpaste capabilities?
the \SYSTEMSUITE\MXTASK.EXE i believe is my memcheck and is redundant now that i have avg to handle my virus checks? heh

on the R1's ...yes, my windows header no longer says explorer and yes, i did change it to say suck it hehehe so yes, the current header reads: tech support guy forums - reply to topic - suck it! lol

on the o10, broken connection sounds scary...
O14 ...aol is evil and i wish i could purge them from my system, whatever this link is for, i'd like to kill it and i wish i could get their silly symbol off my explorer header, it appears to be a moving gif file and as weak as my resources are, i'm sure it prolly slows me. i have tiled gifs before as my background and those absolutely killed me and made me crawl.
yes my system is slow naturally, being a pentium ...no #'s just pentium. i believe its 120 speed. i do have dreams of building a compy on the underside of my coffee table and having it connected to a huge plasma wall tv (copyrights and patents pending) hehe and of course it would be athlon based w/the dual ram bouncing off each other for the ultimate sniper machine. but alas i am but a poor man and until i win the lotto all i have is my xboxlive ([email protected]'s account has been suspended in protest due to the setback of the release date of halo2). =o)
LOL all you wanted to know and more...
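A parser for the HijackThis log format posted above, added here as an example; it is not part of the thread and not code from HijackThis or its author. The entry layout it assumes (a code such as `R1`, `O4` or `O16`, then ` - `, then the body; `O4` bodies as `HIVE\..\Key: [name] command` or `Startup: command`) is read off the lines in the log itself, and the sample input is a short excerpt of that log. The triage heuristics at the end (surface `O10` lines, which the tool itself reports as a broken Winsock LSP chain, and autorun commands that show no full path) are this example's own, not rules from the forum or the tool.

```python
import re
from urllib.parse import urlparse

# Excerpt of the HijackThis v1.97.7 log posted in the thread (lines copied from it,
# not constructed), used as the sample input for the parser below.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 11:26:39 AM, on 4/13/04
Platform: Windows 98 Gold (Win9x 4.10.1998)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\ptsnoop.exe
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = suck it!
O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\PROGRAM FILES\SYSSHIELD TOOLS\INTERNET ERASER\PKEXT.DLL
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - Startup: PowerReg Scheduler.exe
O10 - Broken Internet access because of LSP provider 'wps.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

# "O4 - <body>": code, separator, body (layout inferred from the posted log)
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# O4 registry autoruns: HKLM\..\Run: [name] command
REG_RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# O4 startup-folder autoruns: Startup: command
STARTUP_RE = re.compile(r"^(?P<folder>Global Startup|Startup): (?P<command>.*)$")
# a command that carries a drive-rooted path somewhere in it
ROOTED_RE = re.compile(r"[A-Za-z]:\\")


def parse_hijackthis(text):
    """Split a HijackThis log into header lines, running processes and coded entries."""
    header, processes, entries = [], [], []
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        m = ENTRY_RE.match(line)
        if m:
            section = "entries"
            entries.append({"code": m["code"], "body": m["body"]})
        elif section == "processes":
            processes.append(line)
        elif section == "header":
            header.append(line)
    return {"header": header, "processes": processes, "entries": entries}


def list_autoruns(parsed):
    """Break each O4 entry into where it is registered and what command it runs."""
    autoruns = []
    for entry in parsed["entries"]:
        if entry["code"] != "O4":
            continue
        body = entry["body"]
        m = REG_RUN_RE.match(body)
        if m:
            autoruns.append({"source": f"{m['hive']}\\{m['key']}", "name": m["name"], "command": m["command"]})
            continue
        m = STARTUP_RE.match(body)
        if m:
            autoruns.append({"source": m["folder"], "name": None, "command": m["command"]})
            continue
        autoruns.append({"source": "unrecognised", "name": None, "command": body})
    return autoruns


def dpf_hosts(parsed):
    """Distinct hosts that O16 (Download Program Files / ActiveX) entries were fetched from."""
    hosts = []
    for entry in parsed["entries"]:
        if entry["code"] == "O16":
            url = entry["body"].rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname
            if host and host not in hosts:
                hosts.append(host)
    return hosts


def triage(parsed):
    """Items worth a human look, as (code, message) pairs. Heuristics are this example's own."""
    findings = []
    for entry in parsed["entries"]:
        if entry["code"] == "O10":
            # HijackThis itself reports the Winsock LSP chain as broken on this line
            findings.append(("O10", entry["body"]))
    for run in list_autoruns(parsed):
        if not ROOTED_RE.search(run["command"]):
            findings.append(("O4", f"{run['source']}: '{run['command']}' shows no full path in the log; "
                                   "locate the file on disk before deciding whether to keep it"))
    return findings


if __name__ == "__main__":
    parsed = parse_hijackthis(SAMPLE_LOG)
    print(f"{len(parsed['processes'])} processes, {len(parsed['entries'])} entries")
    for run in list_autoruns(parsed):
        print("autorun:", run)
    print("DPF hosts:", dpf_hosts(parsed))
    for code, msg in triage(parsed):
        print(f"[{code}] {msg}")
```

Run it as-is to see the excerpt broken down; pass a full saved log to `parse_hijackthis` to get the same structure for a real scan. The point of splitting `O4` entries into source, name and command is that the question asked in the thread ("may i shut it down in my startup?") is really "which autorun location is this registered in", and that is what has to be unchecked or fixed; the triage list only narrows what to look up, it does not decide what is bad.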
 

billE

Thread Starter
Joined
Apr 13, 2004
Messages
32
oh yeah, btw, the avg scans on boot and identifies a sector as damaged (due to the trojan?) and wants to restore those files on a nice part of the hd. now that i have erasered it 8x's i feel safe that the trojan cannot be restored by this and am considering letting it rebuild or cordon off that sector
 
Joined
Jul 26, 2002
Messages
46,349
I don't see anything bad in the log.

This one, O10 - Broken Internet access because of LSP provider 'wps.dll' missing, is supposed to be a Sygate firewall file. I see you have Zone Alarm. Did you at one time have Sygate?


Read here for more info on ptsnoop.exe:

http://www.sysinfo.org/startuplist.php?filter=ptsnoop.exe&count=&type=



More info on wmexe.exe:

http://www.sysinfo.org/startuplist.php?filter=wmexe.exe&count=&type=


This does not need to start:

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

It is a resource hog. Uncheck that one in msconfig.


As far as Mxtask.exe goes, yes it is redundant and if you are using AVG now you need to disable System suite. Having them both running will cause conflicts and actually reduce your protection.


Go ahead and fix this one with Hijack This:

O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

Restart your computer.
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
O4 - Startup: PowerReg Scheduler.exe

Mark? That one should go too, no?
 

billE

Thread Starter
Joined
Apr 13, 2004
Messages
32
oh my brain hurts trying to remember hehe... as far as firewalls... i started out with system suite 4.0 and all was working fine... until! i was updating my virus defs and was informed that i would have to pay additional money to upgrade to the newest ver. 5.0 and that the earlier versions would no longer be supported. i believe a malicious bit was introduced into my system at that time because after that i could no longer get online and it was running slloooooowww. i tried everything i could think of, including shutting the suite down and attempting to get on bare nekkid. **remembers candy being around and blushes and giggles** imagine my embarrassment when i called charter (my isp) and told them it had to be their modem and that they would have to send a guy out. he spent all of 5 mins in my home and shut down the firewall and voila! *poof* interconnectivity restored (i swear i tried that-but maybe i hadn't restarted with it off). i'd sworn then that i would remove the suite prog in its entirety and find another way to do the same stuff. i tried a trial version of the prog group that had a firewall and panda virus and the incinerator i believe it was system mechanic. **swears and %$#@@$$#'s the incinerator and remembers candy and promises to mind his manners** so if the system mechanic came with sygate then yes. now some months have gone by and there are several aspects of the panda and incinerator and now you say sygate that still linger within my sys although i used all the proper uninstalls. i find i can still use certain aspects of the system suite (prettier defrag and uninstaller and regfixer), so i am still clinging to it for the $50 i originally dropped on it. i will drop the mxtask associated with it from the start up, i think it may be a scheduler. and i have now found this place as well as the zone alarm and avg after finding merijn's site. so i have quite a few tasks left to clean *whew*
 

billE

Thread Starter
Joined
Apr 13, 2004
Messages
32
let us remember cluster #121,622 it stored \system files with its utmost ability for as long as it could. may whichever of its 2,435,102 brothers be as vigilant and capable.

i guess the ultimate goal of any malicious trojan, worm, or virus is destruction and we can only guess at the motives of the peoples who make them.

i've rerun avg and the trojan is no more. so again, my thanks to you mark(?) and additional thanks to candy =o) i'll search around and try to find why ptsnoop keeps reinserting itself into my startup. =o) but obviously the winmodem doesn't affect my onlinability heh
 
Joined
Jul 26, 2002
Messages
46,349
Glad we could help! (y)

I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".
 