Trojans galore
Page 1 of 3 123 LastLast
Results 1 to 10 of 26

Thread: Trojans galore

  1. #1
    Junior Member
    Join Date
    Apr 2004
    Posts
    6

    Question Trojans galore

    Hi all.

    I seem to have allowed trojans into my laptop. Right now I am running the following: svchost, ( which has lodgesd itself into my c: drive) and one clled MDM.exe. And those are the ones I have been able to identify. I am running Windows XP with the latest upgrades and Norton Antivirus with the latest virus definitions.

    One of these trojans has proved very annoying since it changes my starting page on Internet Explorer to various german porn sites.

    Thanks in advace for the help you might give me.

    P.S. Forgot to mention I also run Spybot and it tells me my system is clean.

  2. #2
    Banned
    Join Date
    Nov 2003
    Posts
    1,161
    Have you tried running TheCleaner yet? It's anti-trojan software. If something resides on the machine TheCleaner will likely find it.

    http://www.moosoft.com/products/cleaner/

    They have a trial version that works well.

  3. #3
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Svchost is not a trojan, it is a valid network process. Svshost on the otherhand is a problem. Notice the difference.

    As imitationrust has said download the cleaner install and run it. Do this to be on the safe side. This is more likely to be a adaware/malware/spyware problem. Download and run this http://209.133.47.200/~merijn/files/HijackThis.exe

    And this http://209.133.47.200/~merijn/files/CWShredder.exe

    This should sort you out.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    mdm is not a trojan either its microsofts debugger. this is not to say a trojan cannot be nammed mdm. search your computer for all instances of both files. right click on them, go to properties and check under version. they should all be in the system32 or i386 directory and have all ms's version information.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5
    Senior Member
    Join Date
    Dec 2003
    Posts
    317
    i dont think scvhost is a trojan either. i've been running it and nothing detects it as a trojan. windows runs about 5 processes of it for me. its always been on my system since i bought it and did a clean install of windows xp home.

  6. #6
    Junior Member
    Join Date
    Apr 2004
    Posts
    6
    Thanks to all those that replied.

    I did what you recommended, I installed and ran "The Cleaner 4.1" and it weeded out the trojans that it detected.

    But, after I rebooted I found myself with the same problem again. My startup page for Internet Explorer is some weird german site.

    Also, I should point out that I have "Syste restore" off. I did this to allow Norton and any other security program to rewrite the registry without having it come back again with the malicious script.

    Does anyone have any idea what can be done?

    Nassef

    P.D. I am running the cleaner again, but it is taking forever and I have no guarantee I will not suffer the same problem again after I reboot.

  7. #7
    Banned
    Join Date
    Nov 2003
    Posts
    1,161
    Originally posted here by antichevere
    Thanks to all those that replied.

    I did what you recommended, I installed and ran "The Cleaner 4.1" and it weeded out the trojans that it detected.

    But, after I rebooted I found myself with the same problem again. My startup page for Internet Explorer is some weird german site.

    jinxy's suggestion should have done the trick for you, concerning this. You were able to run hijackthis (and TheCleaner, for that matter) with high enough privileges right? hijackthis may be too complicated for you unless you know precisely what you're looking for, given the fact that it shows you both the "good" and the "bad".

    If that doesn't do the trick, just do it manually. Go to Tools-->Internet options--> General: and under homepage, set it accordingly. If that doesn't do it, try checking your hosts file.

    good luck.

  8. #8
    Junior Member
    Join Date
    Apr 2004
    Posts
    6
    Thanks for answering

    Well I did run HijackThis!, but, as you said, it is too advanced for me. I really don´t know what to do there.

    As for changing my startup, I have done that consistently for the past three days and it just changes back.

    P.S. I would also like to add that this "thing" is adding links to my "Favorites" folder.

  9. #9
    Junior Member
    Join Date
    Apr 2004
    Posts
    6
    Ok, so I am going to try my luck with HijackThis!, but since I do not know which processes to "clean" I would like for you guys to give me suggestions. Here is my log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:10:52 PM, on 11/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Archivos de programa\Apoint2K\Apoint.exe
    C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
    C:\ARCHIV~1\NORTON~1\navapw32.exe
    C:\Documents and Settings\Nassef\Configuración local\Datos de programa\System\svchost.exe
    C:\Archivos de programa\Yahoo!\Messenger\ypager.exe
    C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
    C:\ARCHIV~1\PANICW~1\POP-UP~1\PSFREE.EXE
    C:\Documents and Settings\Nassef\Datos de programa\oaao.exe
    C:\WINDOWS\System32\wcpcc.exe
    C:\Archivos de programa\Apoint2K\Apntex.exe
    C:\WINDOWS\DvzCommon\DvzMsgr.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Archivos de programa\trojan cleaner\HijackThis.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.microsoft.com/isapi/redir...0&plcid=0x0c0a
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll (file missing)
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AgenteADSL_15] C:\Archivos de programa\Telefonica\KitAIM\AimExDll.exe AimGestA.dll 7
    O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NAV Agent] C:\ARCHIV~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [System] C:\Documents and Settings\Nassef\Configuración local\Datos de programa\System\svchost.exe /run
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\ARCHIV~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [Rlts] C:\Documents and Settings\Nassef\Datos de programa\oaao.exe
    O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpcc.exe
    O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09cc0249...dxIE601_es.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B0F0D827-8FAF-4A8F-A770-26C9468130EC}: NameServer = 80.58.4.33 80.58.34.97

  10. #10
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Try starting SpyBot S&D in "advanced" mode and click on "tools" in the left column. Then look at BHOs, Browser pages etc and delete anything that relates to your malware problems.

    Also, run the "immunize" option, and check the box (near the bottom) that protects your startpage.

    Then manually reset your browser page.

    Update Spybot and run it in safe mode. Whilst you are on the Spybot site get CWShredder and run that as well.

    Good Luck
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides