I have been chasing trojans for 2 days...

Hi,
I have been chasing trojans for 2 days, then I found your site. This started with dialer.dialplatform, and adware.purityscan, and what every else comes with it. I have on my XP: Nortons 2006 AV, Spy Sweeper, Ad-Aware SE Plus, Mcafee firewall, and a few other big ones, and nothing caught this! I would kill one trojan and another would pop up, then I found this website that I thought was an anti virus site and that is when the fun started
it was the one that plants the spyaxe and somewhere in there planted winlogonhook ... etc....
ack! I then found YOUR site and used Ewido, BitDefender Online Scanner (awesome proggy!) found a few hundred files and killed 'em all!
It seems now, maybe, all that I am left with is something hijacking my browser, 2 files that spybot S&D just found
called ncompat.tlb and ts.ico, which I understand is from a bogus codec program called Vcodec and this winlogon.exe.
I have run ALL my other scanners and they are all clean! I will post my latest hijack this log. Thank you in advance!

 

Logfile of HijackThis v1.99.1
Scan saved at 1:09:58 PM, on 4/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Edit by chaslang: Inline log removed! Cleaning steps not followed.

 

Hello again..
I have a question/statement .. I only added the 1 or 2 extra virus scans after Norton as it did not do its job. No, Nortons does not have a firewall with the software I own. Yes I have MS firewall disabled. Yes I did run all of your steps way before I even thought about posting here. The BitDefender stalled out at 5 am and unfortunatly the log got overwritten. It cleaned almost of the stuff out. Over 600 files.
I will try to use panda scan again, it would not permit me before as I have the Nortons.
I also can not boot to safe mode, as every time I try to boot up windows asks me to check my other harddrives. The program sits and sits at 0, so I wind up rebooting and passing it by right to windows XP.

So where should I go from here? Thanks again!

 

I only now have the nortons. It is NOT the internet security, it is the Norton SystemWorks.
I am re-running bitdefender as we speak.
and

Sorry, the progress bar stays at 0. I am very sleepy, only 3 hrs sleep. There were nO error messages as this was at the top of a reboot. I did, however right click to properties on each harddrive to try and force the error checking to work.


This BitDefender stalled out again. It's prolly cause of my iSP good ole bellsouth. It was at a point where it deleted 10 more files, so I will stop it. Let windows try and do it's thing, then restart it and hopefully it wont say 10 hours left on an ADSL connection... sheesh LOL
I'll BBL. Thank you chaslang!!

 

ok here we go. 1st I would like to address the file called symlcsvc.exe. What that actually is, in Norton SystemWorks is the control panel that shows all of the SystemWorks are working correctly. (btw: symlcsvc.exe also can show as a BHO according to those sites. I will re check the registry tomorrow) I do NOT have a Norton firewall on my machine.
Now for da meat LOL ...
I finally got the checkdsk to work with that force. It was my D drive that needed attention. All is well now
I ran the ewido and the spysweeper, and they both show clean YEA! but...something is still hijacking my IE6 browser, as my real homepage is http://www.google.com/ NOT the http://securityresponse.symantec.com/avcenter/fix_homepage/
After all this is done, the 'new' scanning proggys that I downloaded will be removed.
OH one more item... in the original HJT log, I did not have the msconfig set to 'normal'. I had it at selective. I do now have it fully loaded.
Once again, thank you sooooo much chaslang!

 

I'm not sure I did thie correctly, I need zzzzzz's

 

Afternoon all!
Today is a much better day than the past 2. I also wanted to let you know that I added the http://stats.adultrevenueservice.com to the trusted zone as I do business with them (couldn't check my stats). One of the host files as I finally found out was blocking them and some others that I use. I no longer need it now in the zone, since I know how to fix it
--
All programs are now showing 100% clear, BUT.....(there is always a butt)..My IE homepage is STILL being hikacked to
http://securityresponse.symantec.com/avcenter/fix_homepage/ of all things. My normal homepage is http://www.google.com . I have tried changing it in the registry, where ever that symantec URL is, I changed it. I tried changing it in spysweeper too, and as soon as I close the tools/internet options/homepage menu and hit homepage in IE it reverts back to the symantec URL. We are missing something here (scratchin head!).

I also would like to know what is recomended by you to clear wayward entries in the registry? There have been a few proggys that have come and gone, and I know there are still traces that have not been removed.

and lastly... I want to say a big {{{ THANK YOU }}} to chaslang for being such a super and patient help to me. I have been on computers/net since 1997 and this was my very 1st virus ever ... and hopefully my last! So again.... thanks!

 

ps:: I just tried, "amust registry cleaner" the online scanner, and there were a few things that needed to be removed, but these stands out...
Invalid Program Identifier: context.text
Invalid Program Identifier: context.text.1

and especially this???
Invalid Program Identifier: Symantec.NavSniff.1

 

hummm...
something new just came up. I was doing a bit of work, and heard the XP "error sound" I went to look in the administrative tools, and under event viewer/system/ There were entries from Windows Defender, all this afternoon saying that the HOST FILES had a problem.
there are about 10 entries most with different numbers inside the { }.
Here is a very short summery of what it says:
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date: 4/23/2006
Time: 3:44:36 PM
User: N/A
Computer: THEBEAST
Description:
Windows Defender Real-Time Protection agent has detected spyware or other potentially unwanted software.
Scan ID: {3C652FF4-C297-438E-A32A-D1BC6AC19065}

OR

Event Type: Information
Event Source: WinDefend
Event Category: None
Event ID: 3005
Date: 4/23/2006
Time: 3:40:10 PM
User: N/A
Computer: THEBEAST
Description:
Windows Defender Real-Time Protection agent has taken action to protect this machine from spyware or other potentially unwanted software.
Scan ID: {A18E7E9B-27BF-473B-9610-16B5B3E6217F}
They seem to altername for about 10 or so times since noon today.
WindowsDefender found this too:
I wish they had a dern log
Im typing this next thing longhand:
Resources:
ie main:
HKCU@S1-5-21-1085031214-706699826-1343024091-1004\SOFTWARE\Microsoft\Internet Explorer\Main\\SearchBar

Should I change my host files just to reflect 127.0.0.1 with NO sites listed?
I can't type anymore..thanks again!

 

I uninstalled all but the ones I paid for, webroot spysweeper, and adaware. The rest are either free ware shareware that I got for this specific purpose. They all did have their own special function.

I have been playing mildly in the registry since 1997. If anything major has to be done I don't touch it. So far I have not had THAT kind of problem whew!
I will look into the reg. programs that you recommend, thanks!

These are strange!

My anti-spyware programs made my host file an abortion. I wanted to get it back to the default. I just did it and it is now default.. kewl. now I can check my stats! LOL

I am going to end this on a wonderful note...
I was able to finally get into safe mode YIPEE! I was able (keep fingers xx'ed) to get my homepage to stick!
thank you thank you thank you!

 

That is exactly why I needed the default HOST! It took me 4ever to figure out what was preventing me from accessing some of the sites that I deal with. I went back and forth with webroot too. They were as useless as t*ts on a boar. LOL I finally saw that when I clicked the host files in ss the host files changed, so I just kept it unclicked and delete the addresses from the host file.
I JUST renewed my subscription with them too ... OH WELL

This was a very interesting weekend for me, and I have learned alot. Not the most fun at all but interesting!
Thanks again chaslang! This is going to be my last post as I scanned this AM and I am totally clean

ciao!

 

I like SS better than adaware. The big A used to be great, but its lost its UMPH this past year. Their support forum disappeared too. They used to post where on your site (lol) where to find the new ref files and sites.txt. No more OH WELL...
boy it sure is nice being able to run around the web quickly yipeeeeeeeeeee!
May I ask you a personal question??? You don't have to answer if you dont want to LOL ... How old are you?
The reason I ask is cause teenaged geeks make me go nutz. I'll talk to them on the net and they will talk geekspeak and then they say "I'm 14 years old" ... DOH! It's to funny.

OH I think I found out what the sniffer thingy is: That new home page that was created from symantec referred me to a certs page:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

there is a link on that page that referrs to another page, where this is:

Look for signs of a network sniffer
When a system compromise occurs, intruders could potentially install a network monitoring program on UNIX systems, commonly called a sniffer (or packet sniffer), to capture user account and password information. For NT systems, remote administration programs would be more commonly used for the same purpose.
The first step to take in determining if a sniffer is installed on your system is to see if any process currently has any of your network interfaces in promiscuous mode. If any interface is in promiscuous mode, then a sniffer could be installed on your system. Note that detecting promiscuous interfaces will not be possible if you have rebooted your machine or are operating in single user mode since your discovery of this intrusion.

Interesting