Topic: Having trouble with trojans, malware and stuff.

tooke
« on: March 29, 2005, 06:00:22 PM »
Hi, I just found these forums while searching Google for a fix to the mocih trojan. My computer was totally screwed and was seriously acting up.

Well, after reading a topic on these forums and following general advice I think I managed to get rid of most of the stuff; one thing I can't get rid of, though, is this wallpaper. It's not really wallpaper, because it's clickable and I can't change it, but I have no idea how to remove it.

If you could help me out I would be very, very grateful.

Edit: I didn't get rid of all the damn pop-up stuff, and I suspect there is another trojan; stuff keeps getting installed onto my comp.

Here is the logfile:


Logfile of HijackThis v1.99.1
Scan saved at 00:36:37, on 30/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\aawe.exe
C:\WINDOWS\System32\m?iexec.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Mark\Desktop\Files and stuff\App. Files\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {65B149C1-D956-D8A1-77B4-8A2D15DEF99B} - C:\WINDOWS\System32\emquz.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Caua] C:\WINDOWS\System32\aawe.exe
O4 - HKCU\..\Run: [Rzqwaeib] C:\WINDOWS\System32\m?iexec.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {9422B185-08C4-4C86-8F65-389E3C6E15D7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9422B185-08C4-4C86-8F65-389E3C6E15D7} - (no file) (HKCU)
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbga...dsldbaccess.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by2fd.bay2.Email Removed.msn.com/activex/HMAtchmt.ocx
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
« Last Edit: March 29, 2005, 06:40:16 PM by tooke »

guestolo (Administrator)
« Reply #1 on: March 29, 2005, 06:59:46 PM »
Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: (no name) - {65B149C1-D956-D8A1-77B4-8A2D15DEF99B} - C:\WINDOWS\System32\emquz.dll

O4 - HKCU\..\Run: [Caua] C:\WINDOWS\System32\aawe.exe
O4 - HKCU\..\Run: [Rzqwaeib] C:\WINDOWS\System32\m?iexec.exe

O9 - Extra button: Microsoft AntiSpyware helper - {9422B185-08C4-4C86-8F65-389E3C6E15D7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9422B185-08C4-4C86-8F65-389E3C6E15D7} - (no file) (HKCU)

O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbga...dsldbaccess.exe



After you have ticked the above entries, close all other open windows, including this one
Leave HijackThis open and click FIX CHECKED
OK the prompt and exit HijackThis

Restart your computer
Find and delete these files if found
C:\WINDOWS\System32\emquz.dll
C:\WINDOWS\System32\aawe.exe

Post back with a fresh HijackThis log afterwards

Could you also
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS

Name the file as Export.bat
Save this file on the desktop
Code:
rem List every file in System32 whose name matches m?iexec.exe (? = any one character)
rem /a lists hidden and system files too, so a hidden copy cannot escape the listing
dir /a C:\WINDOWS\System32\m?iexec.exe > files.txt
notepad files.txt

Double click on Export.bat
A text file will open, copy and paste back the contents

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Guest
« Reply #2 on: March 29, 2005, 07:30:57 PM »
Thanks so much for the advice.

I did all that and ran HijackThis again and it looked OK, but one thing didn't get removed.

Instead of my wallpaper there is a big sign that you can click on that tries to get you to buy anti-spyware stuff. Could you please tell me how to remove it?

Here are the contents of the file you asked for:

---

 Volume in drive C has no label.
 Volume Serial Number is F8AC-23A5

 Directory of C:\WINDOWS\System32

31/03/2003  13:00            64,512 msiexec.exe
28/03/2005  15:09           417,792 m?iexec.exe
               2 File(s)        482,304 bytes

 Directory of C:\Documents and Settings\Mark\Desktop

And here is the updated HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 01:29:53, on 30/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Mark\Desktop\Files and stuff\App. Files\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by2fd.bay2.Email Removed.msn.com/activex/HMAtchmt.ocx
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

tooke
« Reply #3 on: March 29, 2005, 07:35:09 PM »
Hmm, the above post is me, but for some reason I wasn't logged in.

guestolo (Administrator)
« Reply #4 on: March 29, 2005, 07:55:35 PM »
As you can see from the Export.bat output, a bad file does exist:
31/03/2003 13:00 64,512 msiexec.exe <--legit file
28/03/2005 15:09 417,792 m?iexec.exe <--bad guy

Navigate to your C:\WINDOWS\System32 folder
and look for this file
m?iexec.exe
It may even be disguised as the legit version of msiexec.exe
Don't delete the legit version
Right click on each file and left click properties
The bad file has a Creation date of 28/03/2005
and an approximate size of 417 KB << delete this one

Also look for these files and delete them
C:\WINDOWS\desktop.html <--file
C:\WINDOWS\WEB\desktop.html <--file

Also, do the following steps
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
6. Make sure all checkboxes in this window are un-checked.
OK your way out

Restart the computer and then post back a fresh hijackthis log

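As an added example (not from the thread, and not part of HijackThis), here is a Python check that automates what guestolo did by hand in replies #1 and #4: pull the autostart paths out of O4 lines and flag any name that is one character away from a legit Windows binary or contains a non-ASCII character. The allowlist and the sample log lines are constructed; the Cyrillic variant assumes the `?` in the thread's log stands for a character the tool could not display.

```python
import re

# Assumption: a tiny allowlist of Windows binaries that malware likes to
# impersonate; a real one would cover far more of System32.
LEGIT_SYSTEM_BINARIES = {"msiexec.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}

# O4 line layout: 'O4 - <key>: [<name>] <path> [args]'; the path may be quoted.
O4_RE = re.compile(r'^O4 - .*?\] +(?:"([^"]+)"|(\S+))')

def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()

def one_char_away(a, b):
    """True when a and b have equal length and differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def classify(path):
    """Return 'legit', 'non-ascii', 'lookalike' or 'unknown' for a file path."""
    name = basename(path)
    if name in LEGIT_SYSTEM_BINARIES:
        return "legit"
    if any(ord(ch) > 127 for ch in name):
        # e.g. a Cyrillic letter in place of a Latin one; a console that cannot
        # render it prints '?', which is how the thread's log shows m?iexec.exe.
        return "non-ascii"
    if any(one_char_away(name, legit) for legit in LEGIT_SYSTEM_BINARIES):
        return "lookalike"
    return "unknown"

def scan_hjt(lines):
    """Return [(path, verdict)] for O4 entries that look like impersonations."""
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            path = m.group(1) or m.group(2)
            verdict = classify(path)
            if verdict in ("lookalike", "non-ascii"):
                findings.append((path, verdict))
    return findings

# Constructed sample mirroring the thread's log; the last line assumes the '?'
# was really a Cyrillic 's' (U+0455) that HijackThis could not display.
SAMPLE_LOG = [
    'O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background',
    "O4 - HKCU\\..\\Run: [Caua] C:\\WINDOWS\\System32\\aawe.exe",
    "O4 - HKCU\\..\\Run: [Rzqwaeib] C:\\WINDOWS\\System32\\m?iexec.exe",
    "O4 - HKCU\\..\\Run: [Rzqwaeib] C:\\WINDOWS\\System32\\m\u0455iexec.exe",
]
```

Calling scan_hjt(SAMPLE_LOG) returns only the two impersonating entries; the legit msiexec.exe and the merely unfamiliar aawe.exe are left for a human to judge, as in the thread.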


tooke
« Reply #5 on: March 29, 2005, 08:12:24 PM »
I did what you said; it took a little searching, but I managed to find that file. I also deleted those others and fixed my desktop! :D

Here is the new log file:

Logfile of HijackThis v1.99.1
Scan saved at 02:05:40, on 30/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Documents and Settings\Mark\Desktop\Files and stuff\App. Files\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by2fd.bay2.Email Removed.msn.com/activex/HMAtchmt.ocx
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I hope everything is sorted, and I would just like to say that you, sir, are amazing! I would have been totally screwed if I'd not found this website with some kind soul to help me out :)

One more thing: can you give me any tips on steps to take to prevent myself from getting this type of stuff as much as possible? Software to buy/DL or some such thing.

P.S. If I can figure out how, I will definitely use PayPal to donate :)

P.P.S. This is my desktop with that crappy spyware junk:

http://img37.exs.cx/img37/4070/lamespyware3ui.jpg

this is it now:

http://img37.exs.cx/img37/6008/nightelf3mw.jpg
« Last Edit: March 29, 2005, 08:18:51 PM by tooke »

guestolo (Administrator)
« Reply #6 on: March 29, 2005, 08:17:37 PM »
Looks good

If everything is running better

You should clear your System Restore points
disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
