Read this topic before posting a log.
DO NOT post a ComboFix log unless requested to.
Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.
When posting a log please put the type of infection you have in the topic title, e.g. Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.
Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Post #1 - Oct 3 2006, 07:08 PM
mausoleum (New Member; Group: Members; Posts: 1; Joined: 3-October 06; Member No.: 88,360)
Logfile of HijackThis v1.99.1
Scan saved at 7:54:29 PM, on 10/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\actsrv.exe
D:\Program Files\Norton Antivirus\navapsvc.exe
C:\WINDOWS\system32\netmsg.exe
D:\Program Files\NMSAccess.exe
D:\PROGRA~1\NORTON~2\NPROTECT.EXE
D:\PROGRA~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
D:\Program Files\Norton Antivirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Password Manager\AcctMgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
D:\Program Files\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\programfiles\itunes.exe\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Digital Imaging\bin\hpqimzone.exe
D:\Program Files\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\DOCUME~1\Joslin\LOCALS~1\Temp\_PA532\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] D:\Program Files\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\programfiles\itunes.exe\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [areslite] "D:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Program Files\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to AD Black List - D:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - D:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - D:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - D:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - D:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - D:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\actsrv.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Antivirus\navapsvc.exe
O23 - Service: Net message Service - Unknown owner - C:\WINDOWS\system32\netmsg.exe
O23 - Service: NMSAccess - Unknown owner - D:\Program Files\NMSAccess.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\PROGRA~1\NORTON~2\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

This post has been edited by mausoleum: Oct 3 2006, 07:09 PM
Post #2 - Oct 5 2006, 10:21 AM
World Class Hairy Chest (Group: HJT Team; Posts: 488; Joined: 5-January 05; From: Liverpool; Member No.: 8,685)
Hi mausoleum and welcome to Bleeping.
Can you please submit a file for analysis by CLICKING HERE. No registration required, just follow the instructions in the sticky topic at the top of the forum.

Please submit the file C:\WINDOWS\system32\actsrv.exe

The sample will be forwarded to various anti-malware companies so they can update their definitions.

====

You may wish to save these instructions to notepad or print them out for use while in Safe Mode.

Step # 1

Re-configure Windows Explorer to show hidden files & folders: How to Show Hidden Files & Folders

Ensure you're familiar with rebooting into Safe Mode: How to Boot into Safe mode

Download and install the trial version of AVG Anti-Spyware. The program should launch automatically after installation. If not, double-click the desktop icon.

Deactivate the Resident Shield
- Before proceeding, deactivate AVG's "Resident Shield" as it may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.
- Then go to Start > Run and type services.msc
- In the Services window, scroll down to AVG Anti-Spyware Guard and double click it to bring up another window.
- Hit the [Stop] button and change the "startup type" to disabled using the drop down menu.
- Exit the services page.

Update AVG's Definitions
- AVG automatically updates the spyware definitions if you are connected to the net during installation.
- As a precaution, click the "Update" icon from the main menu.
- Then click the "Start Update" button.
- When you receive the "Update successful" prompt, close AVG.
- Note: If you have any problems with the updater, you can update AVG Manually.

Step # 2

Clean your Cache and Cookies in IE:
Go to Control Panel > Internet Options > General tab.
Click the "Delete Cookies" button and then the "Delete Files" button next to it.
When prompted, place a check in: "Delete all offline content", click OK.

Clean your Cache and Cookies in Firefox (if you also have Firefox installed):
Go to Tools > Options.
Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window.
Alternatively, you can clear all information stored while browsing by clicking "Clear All". A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin
Go to start > run and type: cleanmgr and click ok. Let it scan your system for files to remove. Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. Press OK to remove them.

Step # 3

Reboot into Safe Mode now please.

With only the HijackThis program open, scan and place a checkmark in the boxes before the following entries (if still present):

O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\actsrv.exe
O23 - Service: Net message Service - Unknown owner - C:\WINDOWS\system32\netmsg.exe

Then click the "Fix Checked" button.

Step # 4

Use Windows Explorer to locate & delete the following files in bold:

C:\WINDOWS\system32\actsrv.exe
C:\WINDOWS\system32\netmsg.exe

*Right click the file and select delete.

Step # 5

Scanning with AVG
- Open AVG Anti-Spyware and click the "Scanner" icon from the main menu.
- Click "Complete System Scan" to start scanning.
- When scanning completes, click "Recommended action" beneath the results window and select Quarantine.
- Then click the "Apply all actions" button to quarantine everything detected.
- Then click Save report > Save report as and save the Report-Scan.txt to your desktop and restart your machine.

Step # 6

Download Dr.Web CureIt to your desktop:
Then post the following in your next reply please:
--------------------
Want to fight back? Click HERE and learn how to remove spyware.
How can I protect myself on the internet?
Help removing malware is a free service but donations towards research are always appreciated.
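The review the HJT Team member did by eye above (singling out the two O23 services that have no company name and run from system32, and asking for a sample of actsrv.exe) can be reduced to a few log-parsing rules. The script below is an added example written for this page; it is not code from HijackThis, from the thread, or from the forum. Its severity rules (no-company-name services under C:\WINDOWS rank highest, "(file missing)" orphans lowest, autostart entries under a Temp or profile directory flagged) are this example's own assumptions, and its input is a constructed subset of the posted log plus one made-up Run-key line ("updater") added so the user-writable-path rule has something to match.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a handful of O4/O20/O23 lines copied from the
# log posted above, plus one made-up Run-key entry (the "updater" line).
# Not a real log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [areslite] "D:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\LOCALS~1\Temp\updater.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\actsrv.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Net message Service - Unknown owner - C:\WINDOWS\system32\netmsg.exe
O23 - Service: NMSAccess - Unknown owner - D:\Program Files\NMSAccess.exe
"""

# Line shapes of the HijackThis v1.99 sections handled here.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Severity rules are this example's assumptions, not HijackThis' or the
# forum helper's logic. Paths are compared lower-cased.
WINDOWS_DIRS = ("c:\\windows\\",)
USER_WRITABLE = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    entry: str      # the raw log line
    reason: str


def executable_path(cmd: str) -> str:
    """Lower-cased image path from a Run-key command line: the quoted part
    if quoted, otherwise everything up to the first .exe/.dll/.ocm/.scr
    extension (so arguments such as /background are dropped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].lower()
    m = re.match(r"(.+?\.(?:exe|dll|ocm|scr))", cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd).lower()


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that trips a rule; unflagged lines
    (known publisher, ordinary install location) produce nothing."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            path = m["path"].lower()
            if path.endswith("(file missing)"):
                findings.append(Finding("low", line, "service entry points at a file that no longer exists (orphan)"))
            elif m["owner"] == "Unknown owner":
                if path.startswith(WINDOWS_DIRS):
                    findings.append(Finding("high", line, "service with no company name running from the Windows directory"))
                else:
                    findings.append(Finding("medium", line, "service with no company name; confirm the publisher before trusting it"))
            continue
        m = O4_RE.match(line) or O20_RE.match(line)
        if m:
            groups = m.groupdict()
            path = executable_path(groups.get("cmd") or groups.get("path"))
            if any(marker in path for marker in USER_WRITABLE):
                findings.append(Finding("high", line, "autostart entry launches from a user-writable or temporary location"))
    return findings


def counts_by_severity(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.reason}\n         {f.entry}")
```

Run it as-is to list findings for the embedded sample, or pass a real log's text to triage(). Treat the output as a shortlist for manual checking (publisher, file hash, a sample submission as the helper requested), not as a verdict: on the posted log it would also surface NMSAccess.exe and the orphaned AOL ACS entry, neither of which was in the helper's fix list.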
Post #3 - Oct 18 2006, 03:28 PM
World Class Hairy Chest (Group: HJT Team; Posts: 488; Joined: 5-January 05; From: Liverpool; Member No.: 8,685)
Due to a lack of feedback, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.