
[Solved] Trojan Dropper

Discussion in 'Virus & Other Malware Removal' started by xibalbaa, Sep 3, 2004.

Thread Status:
Not open for further replies.
  1. xibalbaa

    xibalbaa Thread Starter

    Joined:
    Sep 3, 2004
    Messages:
    3
    Hi PC GURUZ,

    In spite of the fact that I'm very good with computers and security, I still can't figure out what's wrong with my box. Now the problem is this: the minute I turn off my firewall I get hit by trojans/worms like W32.Randex or W32.Spybot and on and on. I have Symantec AntiVirus Corporate Edition and I ran it several times, but it doesn't seem to detect anything; ran updated Spybot but still nada; ran updated Ad-Aware 6.0 but still nothing; ran all the available tests I know of, including CWShredder and HijackThis, but still can't figure out why only those trojans get downloaded when I turn off my firewall. To what I think, I have a trojan dropper, then again I might be wrong too. Good thing is, the minute those trojans/worms are downloaded on my PC, Symantec AntiVirus detects them and quarantines them, but how do I stop those automatic downloads of trojans/worms? Below I'm posting my HijackThis log.
    BTW, just for the record, all my security software is completely updated up to the 1st of Sept, including my Windows 2000 patches/hotfixes.


    Logfile of HijackThis v1.98.2
    Scan saved at 5:53:10 PM, on 9/3/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINNT\mHotkey.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Paltalk\pnetaware.exe
    C:\WINNT\system32\CMMON32.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\X-Files\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eim.ae
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Emirates Internet & Multimedia
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [CHotKey] mHotkey.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
    O4 - Global Startup: Microsoft Office.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.eim.ae
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} -
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D6483F82-0B03-4A99-934E-28EE6E0B6845}: NameServer = 213.42.20.20 195.229.241.222

    I would truly appreciate all the help that I can get from you good samaritans :)

    Waiting for your reply in anticipation.

    X
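As an added example (not from the thread), a small Python script that parses lines in the HijackThis format shown above and lists the entries a helper would check by hand; the sample lines are constructed from the post, and the checks are review heuristics, not malware verdicts.

```python
import re

# Constructed sample in the HijackThis v1.98 line format of the log above.
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080",
    r"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe",
    r"O4 - HKLM\..\Run: [CHotKey] mHotkey.exe",
    r"O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon",
    r"O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} -",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{D6483F82-0B03-4A99-934E-28EE6E0B6845}: NameServer = 213.42.20.20 195.229.241.222",
])

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^.+?\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) -\s*(?P<src>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.+)$")


def parse_entries(text):
    """Split a HijackThis log into (code, body) pairs; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def review(text):
    """Return (code, item, note) triples for entries worth checking by hand."""
    notes = []
    for code, body in parse_entries(text):
        if code == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            cmd = m.group("cmd").strip().strip('"')
            exe = cmd.split()[0] if cmd else ""
            # A bare file name is resolved through the search path, so the
            # helper has to confirm which file on disk actually runs.
            if exe and "\\" not in exe and ":" not in exe:
                notes.append((code, m.group("name"), f"bare file name: {exe}"))
        elif code == "O16":
            m = O16_RE.match(body)
            if m and not m.group("src"):
                notes.append((code, m.group("clsid"), "downloaded program file with no recorded source"))
        elif code == "O17":
            m = O17_RE.search(body)
            if m:
                for ip in m.group("servers").split():
                    notes.append((code, ip, "DNS server: confirm it belongs to your ISP"))
    return notes
```

Run `review(SAMPLE_LOG)` to get the list of entries to check; the O17 addresses are the ones the original post shows and should be compared against the ISP's published DNS servers.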
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
  3. xibalbaa

    xibalbaa Thread Starter

    Joined:
    Sep 3, 2004
    Messages:
    3
    Hi CyberTech,

    True as to why I want to turn off my firewall, but still, bruv, the trojan dropper should be removed some way or the other, with the firewall enabled or disabled, right? And true once again that Paltalk is adware, but can Paltalk act as a trojan dropper? To my knowledge it can't; then again I might be wrong. So I removed Paltalk for a day and disabled my firewall and I faced the same problem: W32.Randex got quarantined by Symantec AntiVirus. Bruv, please help me out of this trojan dropper mess; would truly appreciate all your efforts :)

    Laterz
    X
     
  4. WhitPhil

    WhitPhil Gone but never forgotten Trusted Advisor

    Joined:
    Oct 4, 2000
    Messages:
    8,684
    I know that you said all of your security patches are up to date, but it would be worthwhile checking to ensure that these are actually installed.
     
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Randex spreads over a network by copying itself to the Windows system32 folder of C$, IPC$ and Admin$ shares. It looks for simple passwords so you could try creating a more difficult password, but I suggest not turning off your firewall.
     
  6. xibalbaa

    xibalbaa Thread Starter

    Joined:
    Sep 3, 2004
    Messages:
    3
    Hi PC Guruz,

    Thank you so much for your prompt reply, and yes, all my Windows updates are installed. Moreover, it's true that Randex spreads over a network by copying itself to the Windows system32 folder. I guess the only solution I have is not to turn off my firewall at any cost. Once again, thank you so much for your help and your kind suggestions :)

    Laterz

    X
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
Short URL to this thread: https://techguy.org/269695