1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: TrojanHorse found, deletes files while ss runs!

Discussion in 'Virus & Other Malware Removal' started by PVJena, Jan 24, 2006.

Thread Status:
Not open for further replies.
  1. PVJena

    PVJena Thread Starter

    Jan 24, 2006

    I really need help with this. My girlfriend's laptops gotten badly infected.
    She has XP MCE, SP2, Webroot spysweeper and Norton on it.

    Webroot is detecting the following:

    Trojan Horse : trojan-backdoor-keylog-sters
    Trojan Horse : trojan-backdoor-sapilayr
    Trojan Horse : trojan-downloader-2pursuit
    System Monitor: pcsentinels smoking gun
    Adware : cas
    Trojan Horse : komforochka smtp relay

    So webroot tried to clean it and seemed to crash, showing no progress at all. It found
    129,360 traces. The computer wouldnt respond to ctrl+alt+del either, so I shut it off
    and googled up the problem on my PC. This is what I found in a discussion forum
    from today:

    However, it seems that spysweeper has only found traces of these things, not actual executables or anything (albeit 15000 for komforochka and 40000 for smoking gun). The wierd thing is though, that it freezes whenever I tell spysweeper to clean these things. Either that, or it just takes uber long. I waited for about 7 minutes, and it just seemed to stop responding and I couldnt open any other programs.

    dont get it... I ran it for 30 minutes and it didnt do anything. It just froze...

    Edit: OK, I tried running it in safe mode again. It went to a few different items, so I thought it was slowly working. However, then the whole comp just locked up and then it didnt want to boot into safe mode. I go back into regular windows, and everything is still there! What the heck is going on? I'm gonna try to run spybot and see what it does.

    Alright, this was ridiculous. I ran spysweeper overnight, figuring that it was just going slow for some reason and that everything would be good in the morning. Well, I woke up and checked it... it was frozen but the progress bar was mostly full, so I figured it had at least gotten rid of most of the items. Well, it sure got rid of most of something. I looked at my desktop, and noticed that all my icons were the default white ones.... strange. Upon clicking them, none of the exes could be found! I looked in the program files folder, and nearly all of the folders of programs that werent active were 100% gone. Crap. Seeing that my hard drive had been almost completely wiped clean, I tried a system restore. While that was able to recover some items, there are still way too many things missing, including windows dlls and stuff. I can get into windows, but it can barely do anything. It cant burn CDs, it cant connect to my wireless network, etc. I guess I have to reinstall Nero, backup the important stuff, and re-format. This has gotten way out of hand. It's freakin ridiculous.

    So this is horrible. I restarted the PC, ran norton which didnt detect anything, ran
    spysweeper which detected the same things again, only this time the number of
    traces has gone up to 132k. I have access to my PC, external hard drive, usb stick.

    I backed up some imp. stuff she did today and quicken on a memory stick that's not
    showing up any viruses in a scan.

    Please help, I'm not sure what to do. But the guy's comments seem to make it sound
    like an actual damaging spyware. The keylogger scares me as there's plenty of
    financially important stuff on the laptop as well.

    I'd appreciate any help, thanks a lot.

  2. PVJena

    PVJena Thread Starter

    Jan 24, 2006
    Logfile of HijackThis v1.99.1
    Scan saved at 11:30:36 PM, on 1/23/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
    C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus -
    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
    C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program
    Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI
    Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
    Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch
    Buttons\EabServr.exe /Start
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk =
    C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft
    Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
    Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50}
    - C:\Program Files\Common Files\Microsoft Shared\Encarta
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C}
    - C:\Program Files\Common Files\Microsoft Shared\Encarta Search
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
    - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft
    SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script
    Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
    Advantage Validation Tool) -
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
    scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI
    Utility Class) -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
    - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136664357875
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo
    Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ati HotKey Poller - Unknown owner -
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation -
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec
    Corporation - C:\Program Files\Common Files\Symantec
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec
    Corporation - C:\Program Files\Common Files\Symantec
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec
    Corporation - C:\Program Files\Common Files\Symantec
    O23 - Service: Diskeeper - Executive Software International, Inc. -
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development
    Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: LiveUpdate - Symantec Corporation -
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) -
    Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program
    Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec
    Corporation - C:\PROGRA~1\COMMON~1\SYMANT~2\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
    Corporation - C:\Program Files\Common Files\Symantec
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service
    (default)) - Analog Devices, Inc. - C:\Program Files\Analog
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot
    Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program
    Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation -
    C:\Program Files\Common Files\Symantec Shared\Security
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) -
    TuneUp Software GmbH - C:\Program Files\TuneUp Utilities
  3. PVJena

    PVJena Thread Starter

    Jan 24, 2006
    An update,

    I'm running Kaspersky's online anti virus and its detected one virus and 4 suspicious
    objects so far. It'll take about 90 minutes more to scan.

    I found the same problem listed at caste cops with no solution yet. I've also put in a help
    ticket with Webroot.

    Please let me know any suggestions you may have.


  4. PVJena

    PVJena Thread Starter

    Jan 24, 2006

    going to bed now. So far, Kaspersky is 40% done and its detected 11 viruses, 19 infected
    files and 13 suspicious objects.
  5. PVJena

    PVJena Thread Starter

    Jan 24, 2006

    All the viruses that Kaspersky detected were in either Spybot's Recovery directory
    or Norton's Quarantine list. Also, none of them are the ones that Spy Sweeper was
    detecting. So I'm not sure what to do next.

    Please let me know what steps I should take.


  6. PVJena

    PVJena Thread Starter

    Jan 24, 2006
    ttt. I'd like some help, please.
  7. PVJena

    PVJena Thread Starter

    Jan 24, 2006
    So Webroot contacted me and asked me to run SS in safe mode.
    I'm doing that and it keeps finding the trojans but after hours of scanning, cant
    remove them as access is denied and it cant change the registry keys.

    Does anyone have any suggestions?
  8. cybertech

    cybertech Retired Moderator

    Apr 16, 2002
    Download Cleanup from Here
    • A window will open and choose SAVE, then DESKTOP as the destination.
    • On your Desktop, click on Cleanup40.exe icon.
    • Then, click RUN and place a checkmark beside "I Agree"
    • Then click NEXT followed by START and OK.
    • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
    • Click OK

    Download the trial version of Ewido Security Suite here.
    • Install ewido.
    • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido
    • It will prompt you to update click the OK button and it will go to the main screen
    • On the left side of the main screen click update
    • Click on Start and let it update.
    • DO NOT run a scan yet. You will do that later in safe mode.

    Click here for info on how to boot to safe mode if you don't already know how.

    Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

    Restart your computer into safe mode now. Perform the following steps in safe mode:

    Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When the scan is finished, look at the bottom of the screen and click the Save report button.
    • Save the report to your desktop

    Run Cleanup:
    • Click on the "Cleanup" button and let it run.
    • Once its done, close the program.

    Do a Panda Active Scan. Be sure to save the log it creates.

    Come back here and post a new HijackThis log, as well as the logs from the Ewido and Panda scans.
  9. PVJena

    PVJena Thread Starter

    Jan 24, 2006
    Hi Cybertech,

    thanks for your advice. It turned out however that Webroot's update had somehow
    corrupted their definition files so it kept detecting things that werent there. I was instructed
    to download the full definitions and it all worked out.

    I dont know why the other guys files got corrupted though.


  10. cybertech

    cybertech Retired Moderator

    Apr 16, 2002
    Thanks for passing that on! (y)
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/436749

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice