
Trojan DSNX.A Norton missed it but

Discussion in 'Virus & Other Malware Removal' started by puter hater, Nov 30, 2001.

Thread Status:
Not open for further replies.
  1. puter hater

    puter hater Thread Starter

    Joined:
    Nov 12, 2000
    Messages:
    2,023
  2. SavvyLady

    SavvyLady

    Joined:
    Oct 14, 2001
    Messages:
    2,218
    So I take it you were able to delete one OK with no problem... good

    Ok I'll see what I can come up with

    Savvy :)
     
  3. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    If you post the startuplog created by running the Startuplog.com file from the site below, we can probably spot any registry entries that still need deleting.

    The trojan file itself does not need to be cleaned, just deleted.

    It might be a good idea to download the rx-pack. You may need to run the exefix08 file as well.

    http://home.earthlink.net/~rmbox/Reticulated/Toys.html

    You can copy/paste the contents of startuplog.txt in a reply.
     
  4. SavvyLady

    SavvyLady

    Joined:
    Oct 14, 2001
    Messages:
    2,218
    Ok.. I found it... go here

    Get the program & delete that Trojan... keep the Trojan Remover nearby & run it often, as well as keeping Norton updated & running.


    Savvy :)
     
  5. puter hater

    puter hater Thread Starter

    Joined:
    Nov 12, 2000
    Messages:
    2,023
    Neither one has been removed. As of the post last night I had to quit (go to work) and wait for help after I couldn't find the file. So I presume the above help will be for both files. :confused:
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Puter hater, there is no telling for sure whether any trojan removal program will work for a specific infection. If you want to try the one offered, great -- we like to get feedback on which ones can be relied upon, but it's always a bit of a crap shoot.

    Identifying the infections is half the battle. If the cleaner doesn't do the job or you would rather not use it -- post the startuplog as suggested and I will try to give you click-by-click instructions for any registry editing that may be needed.
     
  7. puter hater

    puter hater Thread Starter

    Joined:
    Nov 12, 2000
    Messages:
    2,023
    I have scrubbed and cleaned. I even came up with a new worm that was interesting, "Brmer". But anyway, here is the startuplog.txt:
    StartUp Log Index

    1. HKLM Run
    2. HKCU Run
    3. HKLM RunOnce
    4. HKCU RunOnce
    5. HKLM RunServices
    6. HKLM RunServicesOnce
    7. WIN.INI file
    8. SYSTEM.INI file
    9. AUTOEXEC.BAT file
    10. StartUp folder
    11. All Users StartUp
    12. Misc. StartUp Configurations

    __________________________________________________________________________
    __________________________________________________________________________

    The following is a list of your current Start-Ups
    __________________________________________________________________________
    __________________________________________________________________________

    1. HKLM Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
    "VortexTray"="C:\\WINDOWS\\au30setp.exe 3"
    "HPSCANMonitor"="C:\\WINDOWS\\SYSTEM\\hpsjvxd.exe"
    "StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
    "Smart Keyboard"="C:\\Program Files\\Netropa\\Smart Keyboard\\Smartkbd.exe"
    "wcmdmgr"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
    "SystemTray"="SysTray.Exe"
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "CriticalUpdate"="C:\\WINDOWS\\SYSTEM\\wucrtupd.exe -startup"
    "LoadQM"="loadqm.exe"
    "~1\\NAVAPW32.EXE /LOADQUIET"
    "WinDSNX"="C:\\WINDOWS\\SYSTEM\\WINHQAI.EXE"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"


    ==========================================================================
    __________________________________________________________________________

    2. HKCU Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe /background"


    ==========================================================================
    __________________________________________________________________________

    3. HKLM RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    4. HKCU RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    5. HKLM RunServices - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "msinit"="c:\\windows\\system\\msi24.exe"
    "TrueVector"="C:\\WINDOWS\\SYSTEM\\ZONELABS\\VSMON.EXE -service"
    "MiniLog"="C:\\WINDOWS\\SYSTEM\\ZONELABS\\MINILOG.EXE -service"


    ==========================================================================
    __________________________________________________________________________

    6. HKLM RunServicesOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


    ==========================================================================
    __________________________________________________________________________

    7. WIN.INI File - (c:\windows\win.ini)

    Your win.ini run/load lines should look like run= and load= exclusively.
    There should be nothing to the right of the equal signs.


    These are the run and load lines in your WIN.INI file

    ;run=PWKSSO.EXE
    run=

    load=
    noload=c:\windows\system\wininit.exe

    ==========================================================================
    __________________________________________________________________________

    8. SYSTEM.INI File - (c:\windows\system.ini)

    Your system.ini shell line should look like shell=Explorer.exe exclusively.
    You should only see Explorer.exe following the equal sign.


    This is the shell line in your SYSTEM.INI file

    shell=Explorer.exe

    ==========================================================================
    __________________________________________________________________________

    9. AUTOEXEC.BAT File - (c:\autoexec.bat)

    (Some trojans have been known to start from this file)


    These are your program startups and set paths in your autoexec.bat file

    SET CLASSPATH=C:\Program Files\PhotoDeluxe 2.0\AdobeConnectables
    SET BLASTER=A220 I2 D1 T4
    LH C:\WINDOWS\AU30DOS.COM
    REM [Header]

    REM [CD-ROM Drive]

    REM [Miscellaneous]


    ==========================================================================
    __________________________________________________________________________

    10. StartUp Folder - (c:\windows\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your StartUp folder

    C:\WINDOWS\Start Menu\Programs\StartUp\PowerReg Scheduler.exe
    C:\WINDOWS\Start Menu\Programs\StartUp\America Online Tray Icon.lnk
    C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk

    ==========================================================================
    __________________________________________________________________________

    11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your All Users StartUp folder

    C:\WINDOWS\All Users\Start Menu\Programs\StartUp\ZoneAlarm.lnk

    ==========================================================================
    __________________________________________________________________________

    12. Miscellaneous StartUp Configurations

    -============================-
    Registry StartUp Directories
    -============================-

    Should show the Start Menu StartUp and All Users StartUp directories

    .....................................................................

    [1] HKCU - Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    "Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [2] HKCU - User Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


    .....................................................................

    [3] HKLM - Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

    "Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [4] HKLM - User Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


    .....................................................................

    -=======================-
    Registry Shell Spawning
    -=======================-

    Open Commands for Executable File Types

    @="\"%1\" %*"
    (.exe file - RegPath = HKCR\exefile\shell\open\command)

    @="\"%1\" %*"
    (.com file - RegPath = HKCR\comfile\shell\open\command)

    @="\"%1\" /S"
    (.scr file - RegPath = HKCR\scrfile\shell\open\command)

    @="\"%1\" %*"
    (.bat file - RegPath = HKCR\batfile\shell\open\command)

    @="\"%1\" %*"
    (.pif file - RegPath = HKCR\piffile\shell\open\command)

    @="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
    (.hta file - RegPath = HKCR\htafile\shell\open\command)

    -=========================-
    HKLM RunOnceEx - Registry
    -=========================-


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


    -====================-
    StubPaths - Registry (Partial Listing)
    -====================-

    (Please see the StubPath.txt on your desktop for complete listing)

    HKLM\Software\Microsoft\Active Setup\Installed Components


    "StubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
    "StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
    "StubPath"=""
    "StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
    "StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
    "StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
    "StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"

    -=================-
    DOSSTART.BAT File - (c:\windows\dosstart.bat)
    -=================-

    LH AU30DOS.COM

    -=====================-
    Screen Saver Settings (Possible system.ini start-up)
    -=====================-


    ==========================================================================
    __________________________________________________________________________

    - Supplemental Environment Information -

    TMP=C:\WINDOWS\TEMP
    TEMP=C:\WINDOWS\TEMP
    winbootdir=C:\WINDOWS
    PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    COMSPEC=C:\WINDOWS\COMMAND.COM
    CLASSPATH=C:\Program Files\PhotoDeluxe 2.0\AdobeConnectables
    windir=C:\WINDOWS

    File - c:\windows\deletefi.ini

    ==========================================================================
    __________________________________________________________________________

    - End -
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Ok, this is going to be fairly complex, but it looks like your antivirus program may have done some of the work.

    >> From Start, run regedit

    >> click in order:

    + Hkey_Local_Machine
    + Software
    + Microsoft
    + Windows
    + CurrentVersion
    RUN

    >> with RUN highlighted, in the right hand pane, right click and delete:

    "WinDSNX"="C:\\WINDOWS\\SYSTEM\\WINHQAI.EXE"

    >> Now navigate to:

    + HKey_Local_Machine
    + Software
    + Microsoft
    + Windows
    + CurrentVersion
    RunServices

    >> With RunServices highlighted, in the right hand pane, right click and delete:

    "msinit"="c:\\windows\\system\\msi24.exe"

    >> close the registry editor.

    >> from start, run win.ini (it will open in Notepad)

    >> remove these two lines:

    ;run=PWKSSO.EXE

    noload=c:\windows\system\wininit.exe


    Close the file and save as prompted.

    >> Look for wininit.exe in c:\windows\system
    delete it if you find it. Do NOT delete the one in c:\windows

    Reboot

    Do a Find Files search for (or have your AV delete if they are quarantined)

    WINHQAI.EXE
    msi24.exe


    You may need to replace your wsock32.dll, this is usually altered by Bymer; to do this use the System File checker:


    Using SFC to extract files

    1. Go to Start>Run and enter SFC and click OK
    2. Check "Extract one File"
    3. Enter the file name and click on "Start"
    4. In the "Restore from" field enter: D:\WIN98 [if 'D' is not the letter of your CD-ROM drive, modify appropriately]
    5. Click OK

    {if you do not have a Windows system CD, try substituting c:\windows\options\cabs in the "Restore from" field}

    Alternatively, you can use one of the files on this page for your operating system:

    http://www.claymania.com/wsock32-extraction.html

    Let me know if you get any error message about wininit.exe when you boot up. This file does not belong in c:\windows\system -- and I'm assuming your AV has quarantined or deleted it, since it placed a noload for it in win.ini.

    There SHOULD be one in c:\windows
     
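The clean-up above boils down to reading the StartupLog output, pulling the command line out of each Run/RunServices value and each win.ini run/load line, and checking the executable's file name against what the helper identified. The script below is an added example (not from the thread or the StartupLog tool) that does exactly that over a constructed excerpt in the same report format; the FLAGGED_FILES list is an assumption taken from the file names named in the thread.

```python
import re

# Constructed excerpt in StartupLog's report format (not the thread's real log).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"~1\\NAVAPW32.EXE /LOADQUIET"
"WinDSNX"="C:\\WINDOWS\\SYSTEM\\WINHQAI.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"msinit"="c:\\windows\\system\\msi24.exe"
;run=PWKSSO.EXE
run=
load=
noload=c:\windows\system\wininit.exe
'''

# File names the thread singles out for removal (assumed list; extend as an investigation warrants).
FLAGGED_FILES = {"winhqai.exe", "msi24.exe", "wininit.exe"}

REG_VALUE = re.compile(r'^"([^"]*)"="(.*)"$')            # "Name"="command line"
INI_LINE = re.compile(r'^(;?)(run|load|noload)=(.*)$', re.IGNORECASE)

def exe_basename(command):
    """Lowercase file name of a command line's first token, with doubled backslashes unescaped."""
    tokens = command.strip().split()
    return tokens[0].strip('"').replace("\\\\", "\\").rsplit("\\", 1)[-1].lower() if tokens else ""

def parse_startup_log(text):
    """Return (location, name, command) for registry values and win.ini run/load lines."""
    entries, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):      # section header; only HKEY keys matter
            key = line[1:-1] if line[1:].startswith("HKEY_") else None
        elif (m := REG_VALUE.match(line)) and key:
            entries.append((key, m.group(1), m.group(2)))
        elif line.startswith('"') and key:                    # value line with no name, as in the thread
            entries.append((key, "<unnamed>", line.strip('"')))
        elif m := INI_LINE.match(line):
            entries.append(("win.ini", m.group(1) + m.group(2).lower(), m.group(3)))
    return entries

def review(text):
    """Return (location, name, command, reason) for every entry a reviewer should act on."""
    findings = []
    for loc, name, cmd in parse_startup_log(text):
        if exe_basename(cmd) in FLAGGED_FILES:
            findings.append((loc, name, cmd, "known trojan file name"))
        elif loc == "win.ini" and cmd:                        # run=/load= should have nothing after '='
            findings.append((loc, name, cmd, "run/load should be empty"))
    return findings
```

Running `review(SAMPLE_LOG)` flags the WinDSNX and msinit values, the commented `;run=PWKSSO.EXE` line, and the `noload=` line for wininit.exe, while the benign ScanRegistry and Norton entries pass.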
  9. puter hater

    puter hater Thread Starter

    Joined:
    Nov 12, 2000
    Messages:
    2,023
    :eek: WOW! This is what I get for not looking or caring about trojans and viruses. My head hurts. I will give what you say a shot.
    Here goes........:eek:
     
Short URL to this thread: https://techguy.org/60133