
[Solved] do all trojans reside in files they have created?

Discussion in 'Virus & Other Malware Removal' started by billE, Apr 13, 2004.

Thread Status:
Not open for further replies.
  1. billE

    billE Thread Starter

    Joined:
    Apr 13, 2004
    Messages:
    32
    I have a trojan Dropper.Small.GM residing in a file system\msconfd.exe and my AVG virus software is having trouble "healing" it on its own... if this .exe file is expendable I sure would like to give it to the eraser hehe :D
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi billE

    Welcome to TSG! :)

    Some trojans will infect or disable other files, but not this one. However, there will likely be other files and registry entries associated with it that need removing.

    You can boot to safe mode and delete the C:\Windows\system\msconfd.exe file.

    Also please do this:

    Click here to download Hijack This. Click on the Hijackthis.exe.

    Click the "Scan" button. When the scan is finished, the scan button will become "Save Log"; click that and save the log.

    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

    *Note: When you download Hijack This, do not download it to a temp folder or to the desktop. Create a permanent folder somewhere like in My Documents, name it Hijack This, and put it in that folder.
     
  3. billE

    billE Thread Starter

    Joined:
    Apr 13, 2004
    Messages:
    32
    hehe a quick search and I found out how to enter safe mode without asking... a note to future searchers (it's the F8 key when booting...). The eraser did work in safe mode and made quick work of the exe file (8Xs even heh, just to make sure). I use the eraser instead of the recycle bin or the incinerator because my recycle bin is broken (perhaps a future question in the win98 section) and the trial period on the incinerator is expired (no progs I have tried will change its attributes or remove it from my desktop, to great frustration to me, again perhaps a future question in another section). I appreciated the extra note you left on putting the Hijack This exe file into My Documents because I had run it before and simply opened it and ran it and watched it disappear into oblivion =o) so without further ado...
    Logfile of HijackThis v1.97.7
    Scan saved at 11:26:39 AM, on 4/13/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\ONTRACK\SYSTEMSUITE\MXTASK.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\MY DOCUMENTS\HIJACKTHIS.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://security.kolla.de/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = suck it!
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\PROGRAM FILES\SYSSHIELD TOOLS\INTERNET ERASER\PKEXT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\ONTRACK\SYSTEM~1\MEMCHECK.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [avgamsvr.exe] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: SystemSuite.lnk = C:\Program Files\Ontrack\SystemSuite\MXTask.exe
    O4 - Startup: PowerReg Scheduler.exe
    O9 - Extra button: AbsoluteShield Internet Eraser (HKCU)
    O10 - Broken Internet access because of LSP provider 'wps.dll' missing
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O13 - WWW. Prefix: http://
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37971.2352893519
    O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.charter.com/sdccommon/download/tgctlsi.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

    A few notes and questions on this print of my system...
    On the running procs... I recently learned that ptsnoop was a dialup modem prog, so now that I am on DSL, may I shut it down in my startup?
    Also, do any others such as WINMODEM.101\wmexe.exe qualify as unnecessary?
    And... my buddy Chuck asked me why I have MS Office start as well; isn't that what gives me my notebook and cut-n-paste capabilities?
    The \SYSTEMSUITE\MXTASK.EXE I believe is my memcheck and is redundant now that I have AVG to handle my virus checks? heh

    On the R1's... yes, my windows header no longer says explorer and yes, I did change it to say suck it hehehe so yes, the current header reads: tech support guy forums - reply to topic - suck it! lol

    On the O10, broken connection sounds scary...
    O14... AOL is evil and I wish I could purge them from my system; whatever this link is for, I'd like to kill it, and I wish I could get their silly symbol off my explorer header. It appears to be a moving gif file and as weak as my resources are, I'm sure it prolly slows me. I have tiled gifs before as my background and those absolutely killed me and made me crawl.
    Yes my system is slow naturally, being a Pentium... no #'s, just Pentium. I believe it's 120 speed. I do have dreams of building a compy on the underside of my coffee table and having it connected to a huge plasma wall TV (copyrights and patents pending) hehe and of course it would be Athlon based w/the dual RAM bouncing off each other for the ultimate sniper machine. But alas I am but a poor man and until I win the lotto all I have is my xboxlive ([email protected]'s account has been suspended in protest due to the setback of the release date of Halo 2). =o)
    LOL all you wanted to know and more...
     
  4. billE

    billE Thread Starter

    Joined:
    Apr 13, 2004
    Messages:
    32
    Oh yeah, btw, the AVG scans on boot and identifies a sector as damaged (due to the trojan?) and wants to restore those files on a nice part of the HD. Now that I have erasered it 8x's I feel safe that the trojan cannot be restored by this and am considering letting it rebuild or cordon off that sector.
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I don't see anything bad in the log.

    This one, O10 - Broken Internet access because of LSP provider 'wps.dll' missing, is supposed to be a Sygate firewall file. I see you have Zone Alarm. Did you at one time have Sygate?


    Read here for more info on ptsnoop.exe:

    http://www.sysinfo.org/startuplist.php?filter=ptsnoop.exe&count=&type=



    More info on wmexe.exe:

    http://www.sysinfo.org/startuplist.php?filter=wmexe.exe&count=&type=


    This does not need to start:

    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

    It is a resource hog. Uncheck that one in msconfig.


    As far as Mxtask.exe goes, yes, it is redundant, and if you are using AVG now you need to disable System Suite. Having them both running will cause conflicts and actually reduce your protection.


    Go ahead and fix this one with Hijack This:

    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

    Restart your computer.
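    As an added illustration of how the log format above is read (this is not code from this thread or from HijackThis itself): a small Python parser that splits the "Onn - ..." lines into section codes, pulls the registry key and value name out of the O4 entries, and flags the three kinds of line the replies above single out: an O10 LSP entry pointing at a missing DLL, an O14 IERESET.INF override, and a Startup item HijackThis could not resolve to a path. The sample lines are copied from the log posted earlier in this thread; the flagging rules are assumptions written for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis v1.97.7 log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PowerReg Scheduler.exe
O10 - Broken Internet access because of LSP provider 'wps.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
"""

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# O4 registry form: HKLM\..\Run: [ValueName] command line
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

@dataclass
class Entry:
    code: str          # HijackThis section code, e.g. O4
    body: str          # rest of the line
    hive: str = ""     # HKLM / HKCU for registry O4 entries
    key: str = ""      # Run, RunServices or Startup (folder)
    name: str = ""     # registry value name
    target: str = ""   # command line or startup item target

def parse_hjt(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = Entry(m["code"], m["body"])
        r = RUN_RE.match(e.body) if e.code == "O4" else None
        if r:
            e.hive, e.key, e.name, e.target = r["hive"], r["key"], r["name"], r["cmd"]
        elif e.code == "O4" and e.body.startswith("Startup: "):
            # "name.lnk = target" for shortcuts; a bare file name when HJT found no path
            e.key, e.target = "Startup", e.body[len("Startup: "):].split(" = ", 1)[-1]
        entries.append(e)
    return entries

def review(entries):
    # Assumed triage rules: return (code, body, reason) for lines worth a closer look.
    findings = []
    for e in entries:
        if e.code == "O10" and "missing" in e.body:
            findings.append((e.code, e.body, "LSP chain points at a DLL that is gone; networking may be broken"))
        elif e.code == "O14":
            findings.append((e.code, e.body, "IERESET.INF changes what an IE 'reset' restores"))
        elif e.code == "O4" and e.key == "Startup" and "\\" not in e.target:
            findings.append((e.code, e.body, "startup item with no resolvable path"))
    return findings
```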
     
  6. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    O4 - Startup: PowerReg Scheduler.exe

    Mark? That one should go too, no?
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Yes Candy! (y)

    Fix that one too.
     
  8. billE

    billE Thread Starter

    Joined:
    Apr 13, 2004
    Messages:
    32
    Oh my brain hurts trying to remember hehe... as far as firewalls... I started out with System Suite 4.0 and all was working fine... until! I was updating my virus defs and was informed that I would have to pay additional money to upgrade to the newest ver. 5.0 and that the earlier versions would no longer be supported. I believe a malicious bit was introduced into my system at that time because after that I could no longer get online and it was running slloooooowww. I tried everything I could think of, including shutting the suite down and attempting to get on bare nekkid. **remembers Candy being around and blushes and giggles** Imagine my embarrassment when I called Charter (my ISP) and told them it had to be their modem and that they would have to send a guy out. He spent all of 5 mins in my home and shut down the firewall and voilà! *poof* interconnectivity restored (I swear I tried that, but maybe I hadn't restarted with it off). I'd sworn then that I would remove the suite prog in its entirety and find another way to do the same stuff. I tried a trial version of the prog group that had a firewall and Panda virus and the incinerator; I believe it was System Mechanic. **swears and %$#@@$$#'s the incinerator and remembers Candy and promises to mind his manners** So if the System Mechanic came with Sygate then yes. Now some months have gone by and there are several aspects of the Panda and incinerator and now you say Sygate that still linger within my sys although I used all the proper uninstalls. I find I can still use certain aspects of the System Suite (prettier defrag and uninstaller and regfixer), so I am still clinging to it for the $50 I originally dropped on it. I will drop the mxtask associated with it from the startup; I think it may be a scheduler. And I have now found this place as well as the Zone Alarm and AVG after finding Merijn's site. So I have quite a few tasks left to clean *whew*
     
  9. billE

    billE Thread Starter

    Joined:
    Apr 13, 2004
    Messages:
    32
    Let us remember cluster #121,622. It stored \system files with its utmost ability for as long as it could. May whichever of its 2,435,102 brothers be as vigilant and capable.

    I guess the ultimate goal of any malicious trojan, worm, or virus is destruction and we can only guess at the motives of the people who make them.

    I've rerun AVG and the trojan is no more. So again, my thanks to you Mark(?) and additional thanks to Candy =o) I'll search around and try to find why ptsnoop keeps reinserting itself into my startup. =o) But obviously the winmodem doesn't affect my onlinability heh
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Glad we could help! (y)

    I'm closing this thread. If you need it reopened please PM me or one of the other mods.

    Anyone else with a similar problem please start a "New Thread".
     
  11. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    PTSnoop can be turned off via the bios setup.
     
Short URL to this thread: https://techguy.org/219950
