| Press F1 | ||||
| Thread ID: 83561 | 2007-10-05 22:51:00 | Trojan infection | Chris Randal (521) |
| Post ID | Timestamp | User |
| 598403 | 2007-10-05 22:51:00 | Chris Randal (521) |
This is a similar problem to another thread, but with significant differences. WinXP SP2 - operator is blind so can't see any messages. I'm looking at it for her. In the last 6 weeks or so, the system has been shutting down in random fashion. I discussed the problem with an IT guru at work yesterday, who suggested that it might be a smss.exe trojan and that it might be in System Restore, so I shut that down. The trojan has removed the AVG 7.5 resident shield after I reinstalled two days ago. Before it did that AVG found no viruses. I have downloaded Spybot and AVG Spyware. Whenever I start these two, the program gets so far and then shuts down - AVG Spyware when it is scanning the registry. Tried Housecall but that only gets so far, then the system reboots. I have found in My Documents four registry entries dating back to last year, one of them being 18 KB in size. I cannot reboot into safe mode, as the system just reboots.

My questions are:
1. Should I try restoring the registry back to last year? If I do that, are there dangers in doing so?
2. Should I remove the programs I installed over the last two days?
3. Do I just double-click on the registry entry in My Documents to make it work?
4. It would appear that a boot disk has never been made. If I make one now, will it carry the trojan?
5. I have a 98SE boot disk for my own machine; will that work?

Many thanks in advance, folks.
Chris Randal
| 598404 | 2007-10-05 22:55:00 | Grimy (3041) |
Have you tried downloading and running Trojan Remover and Rogue Remover from Speedy Gonzales' signature? Worth a try.
| 598405 | 2007-10-05 23:00:00 | Speedy Gonzales (78) |
Try Last Known Good Configuration, whatever it is, after pressing F8.

How can you restore it if it reboots? Well, you can't now you've disabled it; it would have deleted the restore points.

Do these registry entries end in .reg? I doubt they're registry entries someone saved, unless whoever saved them did so often. AFAIK it won't do it automatically, unless you back up the registry yourself. I may be wrong though.

The only other thing you could do (if Last Known Good Configuration doesn't work) is slave it to a working system. Hopefully that doesn't get infected too. Then do a scan with AVG/Avast/Trojan Remover/whatever.

If the HDD was formatted in NTFS, then no, a 98 disk won't read it.
| 598406 | 2007-10-05 23:49:00 | Chris Randal (521) |
Grimy - Every time I run a detector program the system reboots. I will try the two you suggest though.

Speedy - isn't Last Known Configuration the one from when the machine was last shut down? The registry entries end in .reg. It is a FAT32 file system.

Thanks
| 598407 | 2007-10-05 23:51:00 | bevy121 (117) |
What about HijackThis - are you able to run that and get a log?
| 598408 | 2007-10-06 00:22:00 | Chris Randal (521) |
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:46:08 p.m., on 6/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\owner\Local Settings\Temporary Internet Files\Content.IE5\0XSTIVQT\HiJackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [Microsoft Configururation 35] microsolt.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration 77] microsot32.exe
O4 - HKCU\..\Run: [Microsoft Configuration 77] microsot32.exe
O4 - HKCU\..\Run: [Microsoft Configururation 35] microsolt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Configuration 35] microsot1.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Configuration 35] microsot1.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - downloads.ewido.net
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - housecall65.trendmicro.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - www.update.microsoft.com
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - security.symantec.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - advnt01.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{84A00F3E-2FFB-44E6-B2C5-3D539F18F721}: NameServer = 202.27.158.40 202.27.156.72
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\gp2sl3f71.dll (file missing)
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: JFWService - Freedom Scientific BLV Group, LLC - C:\JAWS451\JFW.EXE
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe (file missing)
O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe (file missing)
O23 - Service: User Initialization (usrinit32) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)

--
End of file - 6769 bytes
| 598409 | 2007-10-06 00:47:00 | Speedy Gonzales (78) |
Put HJT in its own folder first, then run it again, then tick these entries, then tick "Fix checked". Close your browser(s). Delete these files AFTER you tick these (after you reboot):

O4 - HKLM\..\RunServices: [Microsoft Configururation 35] microsolt.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration 77] microsot32.exe
O4 - HKCU\..\Run: [Microsoft Configuration 77] microsot32.exe
O4 - HKCU\..\Run: [Microsoft Configururation 35] microsolt.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Configuration 35] microsot1.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Configuration 35] microsot1.exe (User 'Default user')

Safe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - advnt01.com
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\gp2sl3f71.dll (file missing)
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\guard.tmp (file missing)

These look like they belong to trojans:
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe (file missing) <--- delete this file if found.
O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe (file missing)

Safe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

If you don't use Nero Home, tick this:
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

If the version of Sun Java that's installed is earlier than 6 Update 3, uninstall it. The link is in my sig. If you can, afterwards get Trojan Remover from my sig.
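The triage in the reply above is done by eye: value names that claim to be "Microsoft" but point at misspelt bare executables, RunServices entries on an XP box, Winlogon Notify packages and services whose files are missing, and system binary names in the wrong directory. The script below is an added example, not part of the thread or of HijackThis, that applies those same checks mechanically to the O4/O20/O23 lines of the log posted earlier in the thread. The sample log is constructed from lines in that post, and the point weights and the threshold are this example's own choices, not a published scoring scheme.

```python
"""Triage of HijackThis O4/O20/O23 autostart entries (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: autostart lines taken from the HijackThis log posted in
# the thread, with a few benign entries from the same log kept for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\RunServices: [Microsoft Configururation 35] microsolt.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration 77] microsot32.exe
O4 - HKCU\..\Run: [Microsoft Configuration 77] microsot32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Configuration 35] microsot1.exe (User 'SYSTEM')
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\gp2sl3f71.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe (file missing)
O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe (file missing)
O23 - Service: User Initialization (usrinit32) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|bat|cmd))"?', re.IGNORECASE)
MISSING = " (file missing)"
# Binaries that legitimately live only in %SystemRoot%\system32 on XP.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "userinit.exe"}


@dataclass
class Entry:
    kind: str                 # "O4", "O20" or "O23"
    location: str             # registry key, "Winlogon Notify" or "Service"
    name: str                 # value name / notify package / service name
    path: str                 # executable or DLL, without HJT's annotations
    owner: str = ""           # O23 only: publisher string HJT reports
    file_missing: bool = False
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def _split_missing(raw: str) -> Tuple[str, bool]:
    raw = raw.strip()
    if raw.endswith(MISSING):
        return raw[:-len(MISSING)].strip(), True
    return raw, False


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HijackThis log line into an Entry; None for sections we skip."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        exe = EXE_RE.match(m["cmd"])          # a Run value is a command line
        path = exe["path"] if exe else m["cmd"].split(" ")[0]
        return Entry("O4", m["key"], m["name"], path)
    m = O20_RE.match(line)
    if m:
        path, missing = _split_missing(m["path"])
        return Entry("O20", "Winlogon Notify", m["name"], path, file_missing=missing)
    m = O23_RE.match(line)
    if m:
        path, missing = _split_missing(m["path"])
        return Entry("O23", "Service", m["name"], path, owner=m["owner"], file_missing=missing)
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch typosquats such as 'microsolt'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(e: Entry) -> Entry:
    """Score one entry with the checks a triager applies by hand (weights are ours)."""
    dirname, _, fname = e.path.replace("\\", "/").lower().rpartition("/")
    stem = re.sub(r"\d+$", "", re.sub(r"\.[a-z0-9]+$", "", fname))  # microsot32 -> microsot

    def hit(points: int, why: str) -> None:
        e.score += points
        e.reasons.append(why)

    if stem != "microsoft" and 1 <= levenshtein(stem, "microsoft") <= 2:
        hit(3, "file name is a near-misspelling of 'microsoft'")
    if fname in SYSTEM_BINARIES and not dirname.endswith("/system32"):
        hit(3, "system binary name outside System32")
    if e.file_missing:
        hit(2, "referenced file is missing (dead entry or removed payload)")
    if e.kind == "O4" and e.location.lower().endswith("runservices"):
        hit(2, "RunServices is a Win9x/ME key that XP does not process; XP installers have no reason to write it")
    if e.kind == "O4" and not dirname:
        hit(1, "bare file name, resolved by PATH search at logon")
    if e.kind == "O23" and e.owner == "Unknown owner":
        hit(1, "service binary carries no publisher string")
    if e.kind == "O23" and dirname == "c:/windows":
        hit(1, "service binary sits directly in the Windows directory")
    return e


def flag_suspicious(text: str, threshold: int = 2) -> List[Entry]:
    """Entries whose combined score reaches the threshold, worst first."""
    scored = [assess(e) for e in parse_log(text)]
    return sorted((e for e in scored if e.score >= threshold), key=lambda e: -e.score)


if __name__ == "__main__":
    for e in flag_suspicious(SAMPLE_LOG):
        print(f"[{e.score}] {e.kind} {e.location}: {e.name} -> {e.path}")
        for r in e.reasons:
            print("      -", r)
```

Run against the sample, the script flags the six "Microsoft Configuration" entries, the dangling Winlogon Notify DLL and the three unowned services, and leaves khooker.exe, ctfmon.exe, the AVG guard and the bare but well-known soundman.exe alone. A single weak signal (a bare file name) never reaches the threshold on its own; that is deliberate, because plenty of legitimate vendor installers write bare names into Run, and the point of the combined score is to surface entries where several independent oddities coincide, which is exactly what the hand triage above relies on.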
| 598410 | 2007-10-06 01:04:00 | Chris Randal (521) |
So I leave the ones marked safe and the Nero ones?
| 598411 | 2007-10-06 01:12:00 | beeswax34 (63) |
Yes, do that and update your Sun Java, then reboot, run another scan and post the logfile back here.
| 598412 | 2007-10-06 01:38:00 | Chris Randal (521) |
Sorry to be so dumb, but where do I find the Java version?