[SOLVED] Trojan Horse Delf.c

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

jolichwier

Thread Starter
Joined
Sep 29, 2003
Messages
65
Hi,

I am new here and I had the SoBigE virus which I was able to clear (so it seems) from reading a few links.

I also have a Trojan Horse virus that AVG finds and says that it heals, but everytime I login it says that it finds it and that I need to run the AVG for Windows.

The message is

Virus
Trojan horse Delf.C

is found in file
c:\WINNT\System32\hnsys32.dll

to remove this virus, please run AVG for Windows

What can I do to fix this problem permanently.

I have ad-aware on the system and run it regularly. I also have AVG.

Do I need something like spybot also?

I ran Hijack This and this is what I found

Please let me know what I should clean up.

Logfile of HijackThis v1.97.2
Scan saved at 12:46:38 PM, on 9/29/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\System32\mmtask.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINNT\system32\SMCSTA.EXE
C:\Program Files\McAfee\McAfee Shared Components\Guardian\Cmgrdian.exe
C:\WINNT\system32\cgtask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700 NT\Bin\HPOstr05.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINNT\system32\mrtMngr.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700 NT\bin\HPOVDX05.EXE
C:\WINNT\system32\hpoipm07.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ACT\act.exe
C:\PROGRA~1\ACT\ActEmail.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.topsearcher.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\jolichwier\Application Data\Mozilla\Profiles\default\ibaoeebt.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINNT\Downloaded Program Files\ycomp5_1_5_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_1_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {8FB0F3E2-5193-11d7-9F88-0050FC5441CB} - C:\WINDOWS\SYSTEM32\shdocvw.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKLM\..\Run: [SMCSTA.EXE] SMCSTA.EXE START
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\Cmgrdian.exe" /SU
O4 - HKLM\..\Run: [Cgtask Services] C:\WINNT\system32\cgtask.exe
O4 - HKLM\..\Run: [MMtask Service] mmtask.exe
O4 - HKLM\..\Run: [System Service] C:\WINNT\System32\msrexe.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: QuickBooks Delivery Agent.lnk = QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: HP OfficeJet Series 700 Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700 NT\Bin\HPOstr05.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = QuickBooks Pro2002\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37589.2476273148
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} (PdpPi Class) - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab


Thanks,

Jeff
 

jolichwier

Thread Starter
Joined
Sep 29, 2003
Messages
65
Well, since it was a .dll and I wasn't sure if it was a necessary file I didn't try that.

I wasn't sure if the file was an infected file that I needed for other operations or if the file was added and should just be deleted.

It sounds like it is a file that was added and should be deleted.

Thanks for your quick response.

So, should I try to delete it?
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Yes, you should.

And in fact you have MUCH more malware.

Check, and have Hijack This fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.topsearcher.com/ie/

O3 - Toolbar: (no name) - {8FB0F3E2-5193-11d7-9F88-0050FC5441CB} - C:\WINDOWS\SYSTEM32\shdocvw.dll (file missing)

O4 - HKLM\..\Run: [Cgtask Services] C:\WINNT\system32\cgtask.exe
O4 - HKLM\..\Run: [MMtask Service] mmtask.exe
O4 - HKLM\..\Run: [System Service] C:\WINNT\System32\msrexe.exe

O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} (PdpPi Class) - http://webpdp.gator.com/v3/download...ptdmgainads.cab


Now restart your computer, and delete the following files:

C:\WINNT\system32\cgtask.exe
C:\WINNT\System32\mmtask.exe
C:\WINNT\System32\msrexe.exe


And run an online virus scan at Trend Micro HouseCall or Panda Active Scan

Cheers,
 

jolichwier

Thread Starter
Joined
Sep 29, 2003
Messages
65
I was able to delete cgtask.exe

mmtask.exe could not be deleted (access denied, may be in use error msg)

There is also a mmtask.tsk file in this folder, should it be deleted?

msrexe.exe was not in that folder.

I ran Housecall and it found two email files that were infected with sobige and I deleted those.

What should I do now?

Also, since this happened the drivers for the HP Officeject 720 either take long to load or time out, any suggestions on that?

Thanks for all your help!
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Don't touch Mmtask.tsk: It's the Windows Multimedia Background Task Support Module.

Mmtask.exe is a trojan though.
Try this:

Have HT fix the item again.
Now do a Ctrl-Alt-Delete to bring up Task Manager, and end task on the mmtask process.

Next, delete the file.

Alternatively, start your computer in Safe Mode

You'll be able to delete the file there.

Subsequently, still in Safe Mode, run Hijack This, and have it fix that O4 HKLM\..\Run item.

Good luck,
 

jolichwier

Thread Starter
Joined
Sep 29, 2003
Messages
65
Couldn't stop the process so I rebooted in safe mode.

I was able to delete the file that way.

I ran hijack this each way (in safe mode and before entering safe mode) and neither time did that mmtask.exe appear for me to run the fix.

I think that I am okay now. Here is a copy of the latest hijack this scan. Is there anything else I need to do?

Logfile of HijackThis v1.97.2
Scan saved at 4:12:19 PM, on 9/29/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINNT\system32\SMCSTA.EXE
C:\Program Files\McAfee\McAfee Shared Components\Guardian\Cmgrdian.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700 NT\Bin\HPOstr05.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINNT\system32\mrtMngr.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700 NT\bin\HPOVDX05.EXE
C:\WINNT\system32\hpoipm07.exe
C:\Program Files\ACT\act.exe
C:\PROGRA~1\ACT\ActEmail.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\jolichwier\Application Data\Mozilla\Profiles\default\ibaoeebt.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINNT\Downloaded Program Files\ycomp5_1_5_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_1_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKLM\..\Run: [SMCSTA.EXE] SMCSTA.EXE START
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\Cmgrdian.exe" /SU
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: QuickBooks Delivery Agent.lnk = QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: HP OfficeJet Series 700 Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700 NT\Bin\HPOstr05.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = QuickBooks Pro2002\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37589.2476273148
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab

Thanks again for your help!
 

jolichwier

Thread Starter
Joined
Sep 29, 2003
Messages
65
I have AVG run a scan at night for me and it found
C:\recycled\DC2.dll

I have a couple of questions, first, I do not see that file (or the hnsys32.dll file that I deleted) in the recycle bin. Is that typical? I thought that I should see it.

Second, would (could?) it have changed its name from hnsys32.dll to dc2.dll?

I have not rebooted since the scan ran and found it.
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Firstly, empty the recycle bin......then scan once more.
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
O4 - HKLM\..\Run: [SMCSTA.EXE] SMCSTA.EXE START

Do you know what that is for?
 

jolichwier

Thread Starter
Joined
Sep 29, 2003
Messages
65
I believe that is for an SMC wireless router we had, now that I am "hardwired" I suppose that I can go in and remove that.

Should I use hijack this to fix it?
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Either that or start, run, msconfig, startup tab. If there is any added software via add/remove programs, you might uninstall too.
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

That doesn't need to run on startup either, you can load that when you need it.

Also, do you use Earthlink for anything???
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top