1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

trojans-please help

Discussion in 'Virus & Other Malware Removal' started by kevsatim, Sep 4, 2004.

Thread Status:
Not open for further replies.
  1. kevsatim

    kevsatim Thread Starter

    Joined:
    Jul 10, 2003
    Messages:
    10
    can anyone please help-I seem to have the following trojans, how do i get rid of them
    troj-delf.ar
    troj-delf.a
    troj-agent.eg
    troj-alchemic.a
    troj-dload.a
    html-mhtredir.a
    Logfile of HijackThis v1.97.7
    Scan saved at 07:18:35, on 04/09/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Works\WksSb.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\program files\altnet\points manager\points manager.exe
    C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\freeserve\freeserveconnectionkit\atdialler1.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\kevin noble\Desktop\HijackThis.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [mfsnizmr] C:\WINDOWS\mfsnizmr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Popup Killer Options (HKLM)
    O9 - Extra 'Tools' menuitem: Popup Killer (HKLM)
    O9 - Extra button: TREND MICRO HouseCall (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
    O16 - DPF: ChatSpace Java Client 2.1.0.90N - http://freeserve-a4.chatspace.com/Java/cs4msn090.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E25CA6C-52AE-47E0-BF44-BC5B3A0403F4} - http://www.anywebcam.com/awc/SGT.ocx
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1073214433701
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {3CA95C27-2150-4E4A-93A3-D557C88EBF2D} - http://beta.anywebcam.com/awc/MGT.ocx
    O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry.com/aftfiles/files/install/AncestryFamilyTree.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
    O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB
    O16 - DPF: {7C643E9A-FDE6-4854-89A6-AA014AD6A63D} (Project1.UserControl1) - http://beta.anywebcam.com/awc/BMC.ocx
    O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
    O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37953.6051388889
    O16 - DPF: {B5ED2DB1-5728-4355-94F0-4A1C856B88F2} (GUNID.UNID) - http://www.anywebcam.com/awc/GUNID.CAB
    O16 - DPF: {BDA25AB2-5805-49CE-9C98-29FCDDF652EB} - http://beta.anywebcam.com/awc/GM.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E8E72919-8219-4337-9260-7DD62C782AEF} - http://beta.anywebcam.com/awc/MGET.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0C7E33AD-85DA-4FEA-8BCB-7E7706845EAC}: NameServer = 195.92.195.94 195.92.195.95
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0C7E33AD-85DA-4FEA-8BCB-7E7706845EAC}: NameServer = 195.92.195.94 195.92.195.95
     
  2. Nok1

    Nok1

    Joined:
    Feb 15, 2004
    Messages:
    826
    I EDITED THE POST. PLEASE REREAD

    Remove these entries by placing checks by them and clicking on fix (make sure that all other windows are closed)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
    O4 - HKLM\..\Run: [mfsnizmr] C:\WINDOWS\mfsnizmr.exe
    O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
    O16 - DPF: {0E25CA6C-52AE-47E0-BF44-BC5B3A0403F4} - http://www.anywebcam.com/awc/SGT.ocx
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {3CA95C27-2150-4E4A-93A3-D557C88EBF2D} - http://beta.anywebcam.com/awc/MGT.ocx
    O16 - DPF: {7C643E9A-FDE6-4854-89A6-AA014AD6A63D} (Project1.UserControl1) - http://beta.anywebcam.com/awc/BMC.ocx
    O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
    O16 - DPF: {B5ED2DB1-5728-4355-94F0-4A1C856B88F2} (GUNID.UNID) - http://www.anywebcam.com/awc/GUNID.CAB
    O16 - DPF: {BDA25AB2-5805-49CE-9C98-29FCDDF652EB} - http://beta.anywebcam.com/awc/GM.ocx
    O16 - DPF: {E8E72919-8219-4337-9260-7DD62C782AEF} - http://beta.anywebcam.com/awc/MGET.ocx

    Reboot to safe mode and enable viwing of hidden/system files (instructions below) and delete this file:

    C:\WINDOWS\mfsnizmr.exe

    and this folder:
    C:\freeserve

    Next, reboot back to normal mode.

    1. Download Ad-Aware SE 1.03 from http://majorgeeks.com/download.php?det=506/
    2. Install the program, open it check to make sure you have the latest reference file by clicking on webupdate. Make sure that your reference file reads SE1R6 30.08.2004 (or higher number/date). If it does not then make sure to run web update and download the new reference file.
    3. Make sure the that all settings under the Scanning Button are turned to ON
    4. Finally Click Proceed to save your settings.
    5. When scan completes, remove all items.


    then
    1. Download Spyboy S&D from this page
    2. Open and install the program then click here and follow the instructions for updating the program. Download all available updates.
    3. Run a scan by clicking on Spybot S&D and then clicking Search & Destroy and then Check for problems
    4. When scan completes, remove all items in red by making sure that they are checked and then click Fix selected problems

    In internet explorer, click Tools>Internet Options and then click Delete Files

    Reboot and post another new hijackthis log [your version of hijackthis is outdated. the please download the new version from http://www.download.com/redir?pid=1...6&ontId=8022&destUrl=/3001-8022-10307556.html ]. Post a log from the new version please.
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/269980

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice