-
April 10th, 2004, 01:06 PM
#1
Junior Member
Trojans galore
Hi all.
I seem to have allowed trojans into my laptop. Right now I am running the following: svchost (which has lodged itself into my C: drive) and one called MDM.exe. And those are the ones I have been able to identify. I am running Windows XP with the latest upgrades and Norton Antivirus with the latest virus definitions.
One of these trojans has proved very annoying since it changes my starting page on Internet Explorer to various german porn sites.
Thanks in advance for the help you might give me.
P.S. Forgot to mention I also run Spybot and it tells me my system is clean.
-
April 10th, 2004, 01:19 PM
#2
Have you tried running TheCleaner yet? It's anti-trojan software. If something resides on the machine TheCleaner will likely find it.
http://www.moosoft.com/products/cleaner/
They have a trial version that works well.
-
April 10th, 2004, 02:33 PM
#3
Svchost is not a trojan, it is a valid network process. Svshost, on the other hand, is a problem. Notice the difference.
As imitationrust has said, download The Cleaner, install it and run it. Do this to be on the safe side. This is more likely to be an adware/malware/spyware problem. Download and run this http://209.133.47.200/~merijn/files/HijackThis.exe
And this http://209.133.47.200/~merijn/files/CWShredder.exe
This should sort you out.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
April 10th, 2004, 07:41 PM
#4
MDM is not a trojan either; it's Microsoft's debugger. This is not to say a trojan cannot be named mdm. Search your computer for all instances of both files. Right-click on them, go to Properties and check under Version. They should all be in the system32 or i386 directory and have all of MS's version information.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
April 10th, 2004, 07:47 PM
#5
I don't think svchost is a trojan either. I've been running it and nothing detects it as a trojan. Windows runs about 5 processes of it for me. It's always been on my system since I bought it and did a clean install of Windows XP Home.
-
April 11th, 2004, 12:15 AM
#6
Junior Member
Thanks to all those that replied.
I did what you recommended, I installed and ran "The Cleaner 4.1" and it weeded out the trojans that it detected.
But, after I rebooted I found myself with the same problem again. My startup page for Internet Explorer is some weird german site.
Also, I should point out that I have System Restore off. I did this to allow Norton and any other security program to rewrite the registry without having it come back again with the malicious script.
Does anyone have any idea what can be done?
Nassef
P.S. I am running The Cleaner again, but it is taking forever and I have no guarantee I will not suffer the same problem again after I reboot.
-
April 11th, 2004, 12:30 AM
#7
Originally posted here by antichevere
Thanks to all those that replied.
I did what you recommended, I installed and ran "The Cleaner 4.1" and it weeded out the trojans that it detected.
But, after I rebooted I found myself with the same problem again. My startup page for Internet Explorer is some weird german site.
jinxy's suggestion should have done the trick for you, concerning this. You were able to run hijackthis (and TheCleaner, for that matter) with high enough privileges right? hijackthis may be too complicated for you unless you know precisely what you're looking for, given the fact that it shows you both the "good" and the "bad".
If that doesn't do the trick, just do it manually. Go to Tools-->Internet options--> General: and under homepage, set it accordingly. If that doesn't do it, try checking your hosts file.
good luck.
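The hosts-file check suggested in this reply, worked through as an added example (this is not code from the thread or from any of the tools it names). It reads a Windows hosts file, treats loopback and 0.0.0.0 mappings as local, and reports two things: any name that is sent to a non-local address (a redirect, which is how a hosts file can override a site), and any name from a caller-supplied watch list that is pinned to a local address (which silently blocks that host, a common way to cut off antivirus updates). The sample file, the addresses and the example.* names are constructed placeholders.

```python
"""Added example: review a Windows hosts file for redirect and block entries."""
import ipaddress

REDIRECT = "resolves to a non-local address through the hosts file"
BLOCKED = "watched host pinned to a local address (blocked)"
UNPARSEABLE = "address field is not a valid IP address"

# Constructed sample hosts file. 203.0.113.0/24 is the documentation range,
# example.com / example.org are reserved names; none of this is from the thread.
SAMPLE_HOSTS = """# constructed sample, not a real machine's hosts file
127.0.0.1       localhost
0.0.0.0         ads.example.com        # ad-blocking style entry, benign
203.0.113.10    www.example.com        # a real site redirected elsewhere
127.0.0.1       update.example.org     # an update server cut off via loopback
"""


def parse_hosts(text):
    """Yield (address, [names]) for each non-comment, non-blank line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def check_hosts(text, watched=()):
    """Return [(name, address, reason)] for every entry worth a second look.

    'watched' is the caller's list of hosts that must never be blocked
    locally, e.g. antivirus or OS update servers.
    """
    watched = {w.lower() for w in watched}
    findings = []
    for addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(("", addr, UNPARSEABLE))
            continue
        local = ip.is_loopback or ip.is_unspecified  # 127.x / ::1 / 0.0.0.0
        for name in names:
            name = name.lower()
            if not local:
                findings.append((name, addr, REDIRECT))
            elif name in watched:
                findings.append((name, addr, BLOCKED))
    return findings


if __name__ == "__main__":
    for finding in check_hosts(SAMPLE_HOSTS, watched=["update.example.org"]):
        print(finding)
```

Intranet names that an administrator put into the hosts file on purpose will show up under REDIRECT as well, so the output is a review list rather than a verdict; on a home laptop like the one in the thread, anything beyond the localhost line deserves an explanation.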
-
April 11th, 2004, 12:37 AM
#8
Junior Member
Thanks for answering
Well, I did run HijackThis!, but, as you said, it is too advanced for me. I really don't know what to do there.
As for changing my startup, I have done that consistently for the past three days and it just changes back.
P.S. I would also like to add that this "thing" is adding links to my "Favorites" folder.
-
April 11th, 2004, 11:18 AM
#9
Junior Member
Ok, so I am going to try my luck with HijackThis!, but since I do not know which processes to "clean" I would like for you guys to give me suggestions. Here is my log:
Logfile of HijackThis v1.97.7
Scan saved at 12:10:52 PM, on 11/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\carpserv.exe
C:\Archivos de programa\Apoint2K\Apoint.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\ARCHIV~1\NORTON~1\navapw32.exe
C:\Documents and Settings\Nassef\Configuración local\Datos de programa\System\svchost.exe
C:\Archivos de programa\Yahoo!\Messenger\ypager.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\ARCHIV~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Documents and Settings\Nassef\Datos de programa\oaao.exe
C:\WINDOWS\System32\wcpcc.exe
C:\Archivos de programa\Apoint2K\Apntex.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\trojan cleaner\HijackThis.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.microsoft.com/isapi/redir...0&plcid=0x0c0a
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll (file missing)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AgenteADSL_15] C:\Archivos de programa\Telefonica\KitAIM\AimExDll.exe AimGestA.dll 7
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\ARCHIV~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [System] C:\Documents and Settings\Nassef\Configuración local\Datos de programa\System\svchost.exe /run
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\ARCHIV~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [Rlts] C:\Documents and Settings\Nassef\Datos de programa\oaao.exe
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpcc.exe
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09cc0249...dxIE601_es.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0F0D827-8FAF-4A8F-A770-26C9468130EC}: NameServer = 80.58.4.33 80.58.34.97
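Two of the checks the earlier replies describe, applied to a log in this format, as an added example that is not HijackThis code or anything from the thread's posters: post #3 says to notice the difference between svchost and a look-alike name, and post #4 says every copy of a core system file should live under the Windows directory (version information, which needs the files themselves, is not checked here). The script parses the "Running processes" list and the O4 Run entries, then flags a core process name running from outside C:\WINDOWS, a file name within a small edit distance of a core name, and any executable started from a user profile directory. The sample log is a shortened, constructed copy of the one above, with the Spanish-localised paths kept as they are; the svshost.exe line is invented to exercise the look-alike check and does not appear in the original log. The set of core process names and the program-directory prefixes are assumptions of this example.

```python
"""Added triage helper for HijackThis-style logs (not HijackThis code)."""
import re

# Core XP processes that legitimately live under C:\WINDOWS (assumed list).
CORE = {"smss", "csrss", "winlogon", "services", "lsass", "svchost",
        "spoolsv", "explorer"}
# Program directories as they appear on this Spanish-localised install
# (long and 8.3 short forms), plus the English equivalents. Assumed.
PROGRAM_DIRS = ("c:\\archivos de programa\\", "c:\\archiv~1\\",
                "c:\\program files\\", "c:\\progra~1\\")
PROFILE_DIR = "c:\\documents and settings\\"
WINDOWS_DIR = "c:\\windows\\"

RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
SECTION_RE = re.compile(r"^[A-Z]\d+ - ")   # any R0/R1/O2/O4... line

# Constructed sample in HijackThis 1.97 format, shortened from the thread's
# log; the svshost.exe process line is invented for the look-alike check.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7 (constructed sample)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svshost.exe
C:\Documents and Settings\Nassef\Configuración local\Datos de programa\System\svchost.exe
C:\Documents and Settings\Nassef\Datos de programa\oaao.exe
C:\WINDOWS\System32\wcpcc.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NAV Agent] C:\ARCHIV~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [System] C:\Documents and Settings\Nassef\Configuración local\Datos de programa\System\svchost.exe /run
O4 - HKCU\..\Run: [Rlts] C:\Documents and Settings\Nassef\Datos de programa\oaao.exe
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpcc.exe
"""


def edit_distance(a, b):
    """Plain Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Return 'svchost.exe' for names like svshost.exe; None for exact or unrelated names."""
    stem = filename.lower().rsplit(".", 1)[0]
    if stem in CORE or len(stem) < 5:       # exact core name, or too short to compare
        return None
    for core in sorted(CORE):
        if edit_distance(stem, core) <= 2:
            return core + ".exe"
    return None


def location(path):
    """Classify a lowercased path by where it lives."""
    if "\\" not in path:
        return "unqualified"                # bare name, resolved through PATH
    if path.startswith(PROFILE_DIR):
        return "profile"
    if path.startswith(WINDOWS_DIR):
        return "windows"
    if path.startswith(PROGRAM_DIRS):
        return "program"
    return "other"


def command_executable(cmd):
    """Extract the executable from an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_log(text):
    """Return (process paths, [(hive, value name, command)]) from the log."""
    processes, run_entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        run = RUN_RE.match(line)
        if run:
            in_procs = False
            run_entries.append(run.groups())
        elif SECTION_RE.match(line):
            in_procs = False
        elif in_procs and line:
            processes.append(line)
    return processes, run_entries


def triage(text):
    """Return {lowercased path: [reasons]} for every executable worth checking."""
    processes, run_entries = parse_log(text)
    candidates = processes + [command_executable(cmd) for _, _, cmd in run_entries]
    findings = {}
    for path in candidates:
        key = path.lower()
        name = key.rsplit("\\", 1)[-1]
        stem = name.rsplit(".", 1)[0]
        loc = location(key)
        reasons = []
        if stem in CORE and loc != "windows":
            reasons.append("core system process name outside C:\\WINDOWS")
        twin = lookalike_of(name)
        if twin:
            reasons.append("file name resembles core system process " + twin)
        if loc == "profile":
            reasons.append("executable located in a user profile directory")
        for reason in reasons:               # one entry per path, reasons de-duplicated
            if reason not in findings.setdefault(key, []):
                findings[key].append(reason)
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

On the sample this singles out the svchost.exe copy under Documents and Settings (which the [System] Run entry starts) and oaao.exe in the same profile, plus the constructed svshost.exe. Note what it does not flag: wcpcc.exe sits in System32 with an ordinary-looking name, so location and spelling heuristics say nothing about it; that is exactly the case where post #4's advice to open Properties and check the Version tab is the remaining check.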
-
April 11th, 2004, 11:34 AM
#10
Try starting SpyBot S&D in "advanced" mode and click on "tools" in the left column. Then look at BHOs, Browser pages etc and delete anything that relates to your malware problems.
Also, run the "immunize" option, and check the box (near the bottom) that protects your startpage.
Then manually reset your browser page.
Update Spybot and run it in safe mode. Whilst you are on the Spybot site get CWShredder and run that as well.
Good Luck