Trojan Horse virus - Techist - Tech Forum

#1, 05-17-2005, 07:34 AM
Newb Techie (Join Date: May 2005, Posts: 4)

Trojan Horse virus

I have a Trojan horse 19 virus. Any help to remove it would be very much appreciated. I had one of these last year and managed to remove it as a result of assistance on this website. I have unfortunately lost the instructions. I assume I need to do a Hijack scan but don't remember how to do that either. My apologies.

Regards,
Adrienne
__________________
blackberry
#2, 05-17-2005, 07:41 AM
Newb Techie (Join Date: May 2005, Posts: 4)

I just read how to do a Hijack scan and so below is my logfile. Any help appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 12:40:19 a.m., on 18/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Fmctrl.EXE
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe
C:\WINDOWS\System32\ctfmon.exe
E:\Accessories\WinZip\WZQKPICK.EXE
E:\SpySubtract\SpySub.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\ACCESS~1\WINZIP\winzip32.exe
C:\Documents and Settings\Adrienne\My Documents\Unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Adrienne\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Adrienne\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {2E65A557-173C-4DE9-860B-28FC5CACA542} - (no file)
O2 - BHO: (no name) - {6CFB9E4B-0183-4A14-8D0F-FC967338AACA} - C:\WINDOWS\System32\lcjc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [fwservice] C:\Program Files\Acceleration Software\StopSignProducts\Firewall\fwservice.exe -startup
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = E:\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Accessories\WinZip\WZQKPICK.EXE
O4 - Global Startup: SpySubtract.lnk = E:\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095232863776
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5E0C46A-515D-4DAD-AC11-BD302C9A04B9}: NameServer = 202.180.64.2 202.180.64.9
O18 - Filter: text/html - {32BD5701-8B75-4628-AD31-DFD0D2EED5EF} - C:\WINDOWS\System32\lcjc.dll
O18 - Filter: text/plain - {32BD5701-8B75-4628-AD31-DFD0D2EED5EF} - C:\WINDOWS\System32\lcjc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: FWService - Unknown owner - C:\Program Files\Acceleration Software\StopSignProducts\Firewall\fwservice.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
__________________
blackberry
#3, 05-18-2005, 05:00 PM
Techie Beyond Description (Join Date: Jan 2005, Location: Kentucky, Posts: 36,817)

Here is your log; please read through it first and delete at your own risk.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Adrienne\LOCALS~1\Temp\se.dll/spage.html
    This entry should be fixed by HijackThis!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Adrienne\LOCALS~1\Temp\se.dll/spage.html
    This entry should be fixed by HijackThis!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    This page could possibly be nasty.

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    This page could possibly be nasty.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    This page could possibly be nasty.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    This entry should be fixed by HijackThis!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    This entry should be fixed by HijackThis!

O2 - BHO: (no name) - {2E65A557-173C-4DE9-860B-28FC5CACA542} - (no file)
    Entries found in this registry zone are potentially nasty. This application ([2E65A557-173C-4DE9-860B-28FC5CACA542] - Result: 2E65A557-173C-4DE9-860B-28FC5CACA542) has been checked.

O2 - BHO: (no name) - {6CFB9E4B-0183-4A14-8D0F-FC967338AACA} - C:\WINDOWS\System32\lcjc.dll
    Entries found in this registry zone are potentially nasty. This application ([6CFB9E4B-0183-4A14-8D0F-FC967338AACA] - Result: ) has been checked.

O17 - HKLM\System\CCS\Services\Tcpip\..\{E5E0C46A-515D-4DAD-AC11-BD302C9A04B9}: NameServer = 202.180.64.2 202.180.64.9
    If this domain does not belong to your ISP or your firm's network, these entries should be fixed. 'SearchList' entries should be fixed too.

O18 - Filter: text/html - {32BD5701-8B75-4628-AD31-DFD0D2EED5EF} - C:\WINDOWS\System32\lcjc.dll
    Only a few hijackers are listed here. The most popular are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar). They should be fixed.

O18 - Filter: text/plain - {32BD5701-8B75-4628-AD31-DFD0D2EED5EF} - C:\WINDOWS\System32\lcjc.dll
    Only a few hijackers are listed here. The most popular are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar). They should be fixed.
__________________
Osiris
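The verdicts in post #3 apply a small, repeatable set of rules to the log posted in #2: a search page served from a DLL under Temp, about:blank values, a BHO with no backing file, a DLL loaded both as a BHO and as a text/html or text/plain MIME filter, and DNS servers that must be checked against the ISP. The Python below is an added example that encodes those rules as a triage script; it is not HijackThis code and was not posted in this thread. The sample entries are copied from the log above, while the `Finding` type, the "fix"/"review" severity labels, the regular expressions and the function names are this example's own conventions.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not HijackThis
code). Encodes the checks a reviewer applies by hand: R0/R1 hijack values,
O2 BHO entries with no file or shared with an O18 filter, O18 text/html and
text/plain filters, and O17 NameServer entries that need manual confirmation.
Severity labels and regexes are this example's own conventions."""
import re
from typing import Iterator, List, NamedTuple, Optional, Set, Tuple


class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. "R1", "O2", "O18"
    severity: str  # "fix" (known hijack pattern) or "review" (needs a human)
    reason: str
    entry: str     # the original log line, so it can be matched in HijackThis


# Every HijackThis entry line starts with a section code followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")
# Trailing DLL/OCX path of an O2 or O18 entry (paths may contain spaces).
PATH_RE = re.compile(r"([A-Za-z]:\\.+\.(?:dll|ocx))\s*$", re.IGNORECASE)
# A value that lives under a Temp directory.
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


def parse_entries(log_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, body, raw_line) for each entry; the log header and the
    'Running processes' block do not match ENTRY_RE and are skipped."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("section"), m.group("body"), raw


def dll_path(body: str) -> Optional[str]:
    """Lower-cased DLL path at the end of an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(1).lower() if m else None


def registry_value(body: str) -> str:
    """The part after '=' in an R0/R1/O17 entry body."""
    return body.split("=", 1)[1].strip() if "=" in body else ""


def triage(log_text: str) -> List[Finding]:
    entries = list(parse_entries(log_text))
    # DLLs registered as MIME filters, used to cross-check the BHO entries: the
    # same DLL loaded as a BHO and as a text filter is a stronger signal than
    # either entry on its own.
    filter_dlls: Set[str] = set()
    for s, b, _ in entries:
        if s == "O18":
            p = dll_path(b)
            if p:
                filter_dlls.add(p)
    findings: List[Finding] = []
    for section, body, raw in entries:
        if section in ("R0", "R1"):
            value = registry_value(body)
            if value.lower() == "about:blank":
                findings.append(Finding(section, "review",
                    "start/search page is about:blank: typical residue of a "
                    "search-page hijack, harmless only if the user set it", raw))
            elif value.lower().startswith("res://") and TEMP_RE.search(value):
                findings.append(Finding(section, "fix",
                    "search page is served from a DLL in a Temp folder", raw))
        elif section == "O2":
            path = dll_path(body)
            if "(no file)" in body:
                findings.append(Finding(section, "fix",
                    "BHO CLSID with no backing file (orphaned registration)", raw))
            elif path and path in filter_dlls:
                findings.append(Finding(section, "fix",
                    "BHO DLL is also registered as an O18 MIME filter", raw))
        elif section == "O18" and body.startswith("Filter:"):
            mime = body.split(":", 1)[1].split(" - ")[0].strip()
            if mime in ("text/html", "text/plain"):
                findings.append(Finding(section, "fix",
                    f"{mime} filter lets a DLL rewrite every page the browser loads", raw))
        elif section == "O17" and "NameServer" in body:
            findings.append(Finding(section, "review",
                "DNS servers " + registry_value(body) + ": confirm they belong "
                "to the ISP or the local network before fixing", raw))
    return findings


# Sample entries copied from the log posted in this thread (benign lines
# included to show they are not flagged).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Adrienne\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Adrienne\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {2E65A557-173C-4DE9-860B-28FC5CACA542} - (no file)
O2 - BHO: (no name) - {6CFB9E4B-0183-4A14-8D0F-FC967338AACA} - C:\WINDOWS\System32\lcjc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5E0C46A-515D-4DAD-AC11-BD302C9A04B9}: NameServer = 202.180.64.2 202.180.64.9
O18 - Filter: text/html - {32BD5701-8B75-4628-AD31-DFD0D2EED5EF} - C:\WINDOWS\System32\lcjc.dll
O18 - Filter: text/plain - {32BD5701-8B75-4628-AD31-DFD0D2EED5EF} - C:\WINDOWS\System32\lcjc.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.entry}")
```

Run against the sample log this reports six "fix" findings (both res:// search bars, both O2 entries, both O18 filters) and seven "review" findings (the six about:blank values and the O17 nameservers). The "review" tier exists on purpose: about:blank is set by some users deliberately, and a NameServer value can only be judged by someone who knows which resolvers the ISP or office network actually hands out, so a script should surface those rather than decide them.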
#4, 05-19-2005, 05:12 AM
Newb Techie (Join Date: May 2005, Posts: 4)

Hi Warez,

Thank you for your suggestions. I am not able to delete the second file, and that is where the trojan is - from what I can see. I don't know how to fix the other things that you mention 'should be fixed'. Do you have any further information?

Regards,
Adrienne
__________________
blackberry
#5, 05-19-2005, 05:33 AM
Techie Beyond Description (Join Date: Jan 2005, Location: Kentucky, Posts: 36,817)

Did you run any antivirus that is updated with the current virus definition files? What about Spybot Search & Destroy and Ad-Aware SE Personal?
__________________
Osiris
#6, 05-20-2005, 03:50 PM
Newb Techie (Join Date: May 2005, Posts: 4)

Yes, I run AVG, and the other programs you suggest. AVG picks the virus up but can't remove it.

Regards, Adrienne
__________________
blackberry
#7, 05-20-2005, 04:30 PM
Field Engineer (Join Date: Nov 2004, Location: Long Island, NY, Posts: 4,695)

See my sig for a free online scan. It's a Trend site. Try that.
__________________
A+, Network + , HP Certified Tech and MCP

Specs: AMD Phenom II X6 1095T, Asus M477TD, 8GB GSkill Ripjaws DDR3 1600 7-8-7-24 1T, 128GB Crucial M4 SSD, ATi HD4650, W7, 27" HL272 Monitor
SHAWN
#8, 05-20-2005, 05:08 PM
Techie Beyond Description (Join Date: Jan 2005, Location: Kentucky, Posts: 36,817)

Do you know the name of the trojan?
__________________
Osiris
Copyright 2002- Social Knowledge, LLC All Rights Reserved.
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2018, vBulletin Solutions, Inc.