1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Trogan.net MSV/VPS (Dell2350)

Discussion in 'Virus & Other Malware Removal' started by akmark5000, Apr 5, 2008.

Thread Status:
Not open for further replies.
  1. akmark5000

    akmark5000 Thread Starter

    Joined:
    Aug 24, 2007
    Messages:
    13
    Trogan.net MSV/VPS Virus.

    Hi. First let me say thanks to all you folks here at Tech Support Guy. I've had a few problems resolve here and my HTJ analysis has gone from nothing to beginner!

    Ok, so I have my dad's Dell 2350 sitting in front of me. It caught a Trogan.net MSV/VPS Virus.

    The desktop had 3 new shortcuts and a warning kept popping up about security risk and to download something. The task manager didn’t work either. It said something about being disabled by the administrator. Oh, and the monitor keeps ‘auto adjusting” upon every reboot and startup… no idea what that one is about.

    Anyway, I deleted the shortcuts and just xed out of the pop up windows and rebooted and started up into safe mode and ran Superantispyware, which found the Trogan.net MSV/VPS and 3 related registry keys and they were quarantined. Then I ran Norton, which fond nothing.

    I rebooted and started up normally, but appearently that didn't do much. The desktop had those same three shortcuts and a warning kept popping up about security risk and to download something.

    I then rebooted and restarted into safe mode and uninstalled the Hi. First let me say thanks to all you folks here at Tech Support Guy. I've had a few problems resolve here and my HTJ analysis has gone from nothing to beginner!

    Ok, so I have my dad's Dell 2350 sitting in front of me. It caught a Trogan.net MSV/VPS Virus.

    The desktop had 3 new shortcuts and a warning kept popping up about security risk and to download something. Anyway, I deleted the shortcuts and just xed out of the pop up windows and rebooted and started up into safe mode and ran Superantispyware, which found the Trogan.net MSV/VPS and 3 related registry keys and they were quarantined. Then I ran Norton, which fond nothing.

    I rebooted and started up normally, but apparently that didn't do much. The desktop had those same three shortcuts and a warning kept popping up about security risk and to download something.

    I then rebooted and restarted into safe mode and uninstalled the internet explorer browser and restarted normally.

    The same old three shortcuts appeared along with that warning pop up. Plus, the internet explorer browser did not get uninstalled, but did not show up in the install/uninstall programs menu.

    So, I rebooted and restarted into safe mode once again and did a system restore to yesterday… that seemed to work! After restarting normally those three icons were there, but blotted out (unrecognized) and no more pop up warning.

    I am still not sure whether or not the thing is gone. I am also bothered by the fact that the internet explorer browser is on the system, but still does not appear in the install/uninstall programs menu.

    Here’s the HJT log...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:53:47 PM, on 4/5/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\lxddcoms.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\PrintKey2000\Printkey2000.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Microsoft Works\MSWorks.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dreamscape.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [DwlClient] "C:\Program Files\Common Files\Dell\EUSW\Support.exe"
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123887377312
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
    O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

    --
    End of file - 6695 bytes
     
  2. akmark5000

    akmark5000 Thread Starter

    Joined:
    Aug 24, 2007
    Messages:
    13
    Three days and no answer… solved it with help elsewhere. Here’s a summery of what I did that might help someone out.

    The three tools used:

    1. SD Fix
    2. Smit Fraud Fix
    3. Combo Fix

    After each of these three tools are used, I would recommend running and logging another Hijack This and an online web based scan such as:

    http://usa.kaspersky.com/products_services/free-virus-scanner.php
    http://housecall.trendmicro.com
    http://www.pandasoftware.com
    http://www.bitdefender.com

    The details:

    Detail 1. -

    Download SDFix and save it to your desktop.
    Double click SDFix.exe and it will extract the files to %systemdrive%
    (this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

    Reboot your computer in SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Open the SDFix folder and double click RunThis.cmd to start the script.

    * Type Y to begin the cleanup process.
    * It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    * Press any Key and it will restart the PC.
    * When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    * Finally copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.

    Detail 2. –

    Also download smitfraud fix
    http://siri.urz.free.fr/Fix/SmitfraudFix.exe

    follow the directions here
    http://siri.geekstogo.com/SmitfraudFix.php

    Detail 3. –

    Download combofix.exe and save it to your desktop
    Close any open browsers.
    Before starting ComboFix disable and exit any anti-virus software, anti-spyware or any other security related software as they may interfere with ComboFix's operation.
    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you and display it on your desktop called c:\combofix.txt. By default this log is located on your 'C' drive. Post that log in your next reply along with a fresh HJT log as well
    Note:Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    Combofix http://download.bleepingcomputer.com/sUBs/ComboFix.exe
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/700669

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice