Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Horse Virus


  • Please log in to reply
1 reply to this topic

#1 osmodiar

osmodiar

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:59 PM

Posted 27 June 2004 - 01:18 AM

Hello Everyone,
Im new here, but i think you can help me with this.
I'm running WinMe, and i have a problem with trojan horses on my computer. I ran a couple of scans with AVG, and it seemed to work, but i still get messages popups from AVG telling me i got trojans (Downloader.Winshow.AN, Downloader.Agent.Bf) when i open an explorer window, or other windows. the corrupted files are located in the C:\Windows, and C:\Windows\system.. Also, when i check the processes running, there's Sdkkp32, that's not supposed to be there.
Maybe it is good to mention i had a couple of viruses in my _RESTORE folder, but since i turned off the sys. restore, and deleted the folder, they all went out.
So Could any of you help me fix my problem?
thanks a lot!
Mike aka "osmodiar"

P.S. I've ran Hi Jack This, and here are the results :

Logfile of HijackThis v1.97.7
Scan saved at 1:58:36 AM, on 27/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\SDKKP32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\RAPHY\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL (file missing)
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL (file missing)
O2 - BHO: (no name) - {0B6346C5-DEFF-CDDA-A198-FC964A6CD089} - C:\WINDOWS\MFCLN32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [WinSvc16.exe] C:\WINDOWS\SYSTEM\winsvc32\WinSvc16.exe
O4 - HKLM\..\RunServices: [SDKDK32.EXE] C:\WINDOWS\SYSTEM\SDKDK32.EXE
O4 - HKLM\..\RunServices: [IEST32.EXE] C:\WINDOWS\SYSTEM\IEST32.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunOnce: [syshj.exe] C:\WINDOWS\system\syshj.exe
O4 - HKLM\..\RunOnce: [netlr32.exe] C:\WINDOWS\system\netlr32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,540 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:59 PM

Posted 27 June 2004 - 07:14 PM

Press control alt delete and end task on the following:
sdkkp32.exe

Then run hijackthis and fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL (file missing)
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL (file missing)
O2 - BHO: (no name) - {0B6346C5-DEFF-CDDA-A198-FC964A6CD089} - C:\WINDOWS\MFCLN32.DLL
\O4 - HKLM\..\RunServices: [WinSvc16.exe] C:\WINDOWS\SYSTEM\winsvc32\WinSvc16.exe
O4 - HKLM\..\RunServices: [SDKDK32.EXE] C:\WINDOWS\SYSTEM\SDKDK32.EXE
O4 - HKLM\..\RunServices: [IEST32.EXE] C:\WINDOWS\SYSTEM\IEST32.EXE
O4 - HKLM\..\RunOnce: [syshj.exe] C:\WINDOWS\system\syshj.exe
O4 - HKLM\..\RunOnce: [netlr32.exe] C:\WINDOWS\system\netlr32.exe


Then reboot into safe mode and delete the following files:

C:\WINDOWS\SYSTEM\SDKKP32.EXE
C:\WINDOWS\MFCLN32.DLL
C:\WINDOWS\SYSTEM\IEST32.EXE
C:\WINDOWS\system\syshj.exe
C:\WINDOWS\system\netlr32.exe

Reboot into normal mode and download and install ad-aware. Run it, and before you scan update the program, then clean everything it finds when you scan.

Then reboot again and post a new log




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users