i have a trojan problem...can you help??

kscouple · Jul 10, 2006

Hello, I read through all the information that I need to do to post a log, but...there is only one problem. This trojan has made it so that I cannot download any new information to my computer. I can run online scans, but when I go to click to clean the infected files, my page gives me an error messages and closes itself. I have read how to try to detect files, but I cannot find anything. The ewido said it's a RECYCLER trojan. I tried to do the SEARCH feature and I couldn't find the recycler file and I just don't know where to go or what to do next. It has knocked out the capabilities of running floppies and CD's. So I can't even open the CD door. I can only be on the net for about an hour before I get an error message and I have to restart my computer so that I can be online again. If someone could please help me, I would greatly appreciate it. I have ran Adaware-SE which I had already on my computer and it found nothing. I ran Windows Defender and it found nothing. I ran Trend Micro and it found nothing. I ran Symantec Security Check online scan and it found nothing. I ran ewido anti-spyware and it finally found the Recycler Trojan. BUT...when I go to clean it, my window closes out and I get an error message. I finally got the Kaspersky online thing to find all the stuff wrong, but it won't get rid of it, so...I guess this is the only log I can get you since I can't download the hijack this log. Sorry....but I hope someone can please help me....

TIA!!!
Tonya
HERE IT IS:

kscouple · Jul 10, 2006

Ok, so I did another scan with kaspersky and it even found more!!!! Ok, so here is the newest log:

DavidGP · Jul 10, 2006

I know you cannot download anything to your PC, but try to follow the guide as much as possible, if you can get a friend to download some of the tools needed then great as they can burn the software to a cd for you as you may need some of the specified software to clean your PC.

How many AntiVirus applications do you have installed as some of the references are to the Quarantine folder of Norton Enterprise and AVG?

adn the majority are housed in your System Restore points, in which turning off System Restore will flush those points, but before you turn off system restore and SO Chaslang or Shadow can have a look, do try and complete some of the guide or as much as you can.

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

- Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

Click to expand...

After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)

Bitdefender

Panda Scan

HijackThis

kscouple · Jul 11, 2006

I did all of this except starting in safe mode because I cannot get any of these things to download. As stated before, I cannot download and my D and A drives are not working. The trojan has made it so they won't even open up or work or anything, so I cannot get info from a friend, because, I cannot download it, and I cannot install it with CD or floppy....so, now what? I gave you the Kapersky record. Will that help you at all??
Tonya

chaslang · Jul 12, 2006

You Kaspersky logs are not of any use. What I can tell you from that log is that you have too many antivirus programs installed. You must use only one antivirus. I see AVG and Symantec. Uninstall ALL but one AV and also empty the quarantine folders for all AV programs.

Kaspersky did not find anything of interest. Only stuff in your Quarantines and in System Restore.

Also empty your Recycle Bin and your Norton Nprotect folder (if you have one).

Have you tried installing things onto the infected PC in safe mode?
Do you have HijackThis on the PC?

Did you try running System Restore to return to a date before the infection (if you have an infection) occurred.

kscouple · Jul 13, 2006

I restored it to way before the infection and it is still all messed up. I guess I am going to have to take it some where. Thanks,
Tonya

chaslang · Jul 14, 2006

That's your decision to make. We just need more information than you are able to give us thus far. Get HijackThis onto the problem PC by downloading it to another PC and then copying to your problem PC by any method you have available (CD burner, USB flash drive, floppy drive etc). Then get a log and upload it here.

kscouple · Jul 14, 2006

I would love to be able to do any of that, but I cannot. I cannot download. My CD and floppy drive have been disabled and my plug n play has been disabled, so I cannot hook up a foreign device because the computer won't read it.

I know it's not your fault. Thanks for all the help, I just don't think that there is any way to solve this except by taking it in because of the severity of the damage.

Thanks to you all!
Tonya

kscouple · Jul 14, 2006

I might have had a break through. I did one last scan, and for some odd reason, my CD is now working. I have a friend that is going to download hijack this for me and we will see if I can get it on my puter! *doing happy dance*
Thanks to all! I will let you know when I get it!
Tonya

chaslang · Jul 15, 2006

Okay! But don't get your hopes up to high! From the information you have been giving us, your problems do not sound like malware so HijackThis may not show any malware We shall see.

kscouple · Jul 31, 2006

Finally got the hijackthis log...I hope someone can help me! I had AVG and I have tried to delete it several times, and I notice it keeps showing up. Anyway...here ya go and TIA!!! Thanks so much!
Tonya

Logfile of HijackThis v1.99.1
Scan saved at 3:32:31 PM, on 7/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator.TONYAS-PUTER.000\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://groups.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Firepad FireConverter - {6427806D-3820-11D5-9939-00B0D0522EB5} - C:\Program Files\Palm\FireConverterBrowserHelperObject.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [System Remote Support32] winspre64.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137799331093
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - https://www.sbcwebsupport.com/webline/applets/msie40x.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1452/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

chaslang · Jul 31, 2006

Your HJT log was from safe mode. We need logs from normal boot mode. Are you unable to boot in normal mode? Do not repost one yet though! Also you really need to install HJT properly per step 7 of the READ ME (and rename the EXE file too). You have it running from here:

C:\Documents and Settings\Administrator.TONYAS-PUTER.000\Local Settings\Temp\HijackThis.exe

This is exactly where we specify not to install it.

Uninstall one of your antivirus applications as instructed in step 3 of the READ ME. You have AVG7 and Symantec install. I would uninstall Symantec. DO THIS now and then continue to the below.

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\RunServices: [System Remote Support32] winspre64.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/dow...in/actxcab.cab

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\windows\system32\winspre64.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.

Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

kscouple · Aug 1, 2006

Ok, so in response to your post...this is what I could and couldn't do...
I installed HJT where I was supposed to and deleted what you told me too and I have a new log to post.

I do have AVG7, but it isn't working. I have tried to delete it, but I cannot. It won't uninstall. I have tried to send it to the recycle bin and I cannot do that either.

I made sure all hidden files are shown and in the program files, there is a hidden folder named: RECYCLER. I cannot get it to delete.

WHen I booted in safe mode, I could not find file C:\windows\system32\winspre64.exe
SO...I couldn't download it

I did delete all files in the Prefetch folder.
I can't run Ccleaner because I cannot download it to my computer.

I reset all of the IE settings and rebooted into regular mode.

AND...finally, here is the new HJT log!
Thanks so much again for all of your help!

Log in or Sign up

i have a trojan problem...can you help??

kscouple Private E-2

Attached Files:

KAV log.txt

kscouple Private E-2

Attached Files:

KAV log.txt

DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

kscouple Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

kscouple Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

kscouple Private E-2

kscouple Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

kscouple Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

kscouple Private E-2

Attached Files:

hijackthis.log