Need help with Trojan That has me Stumped

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JimTanner, Nov 28, 2004.

  1. JimTanner

    JimTanner Private E-2

    I have a trojan virus that has blocked me from removing it by taking away my permissions to run anything on the system. I can't get into the control panel or execute any removal software. HELP!
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Jim,

    Are you able to run any of the online scans in our Cleanup Tutorial?

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    See if you can do those, then send us a HijackThis Log as per the instructions below.

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Somebody will take a look when they get a chance.

    Best luck :)
    PP
     
  3. JimTanner

    JimTanner Private E-2

    PP;

    Yes, I tried that, but it will not let me run anything; I get the error that Windows is unable to find the .exe file. At this point I am unable to run anything. :rolleyes:
     
  4. PhilliePhan

    PhilliePhan Guest

    Hi Jim,

    How do you know that a Trojan is causing the problem?

    So you are saying that you are unable to scan with HijackThis as well?

    Can you do anything in Safe Mode?

    PP :)
     
  5. bre

    bre Private E-2

    Hi Jim, was working on one of my computers. I managed to do a HijackThis log. Tried to install Norton; now it says "Symantec Shared/CCSETHX.EXE" states not there? Here is the log:


    Thanks for looking at it
     

  6. PhilliePhan

    PhilliePhan Guest

    Hi Bre,

    Your HijackThis is way out of date. If possible, please try to get a new scan with the up-to-date version.

    HijackThis 1.98.2

    Also, please download this tool: http://www.cexx.org/lspfix.zip

    You may need to run it if you lose internet access after dealing with New.net.

    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Your current log shows a lot of issues. Are you still not able to run the Cleanup Tutorial that I linked above? It looks like one of the online scans was at least attempted.

    ANYHOO:
    Please look in Add or Remove Programs and Uninstall the following, if found:

    New.net

    My Way
    MyBar
    WebRebates
    My Search


    Look for and note other suspicious entries.

    Then, send us a fresh HJT Log using the up-to-date version of HijackThis (if possible) and we will attack all of the other issues that remain.

    Best luck :)

    PP
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to do the stuff PP requested right away and after uninstalling those programs and getting the new HJT installed correctly, do the below (this is not a complete fix because I do not know the results of your new log and the uninstalls but I'm trying to get you past some of your problems).

    First a question: Do you recognize this IP address? It appears to be some kind of web hosting site. They have hijacked your default prefixes.
    69.50.191.50 = [ ]

    OrgName: Atrivo
    OrgID: ATRIV
    Address: 200 Paul Avenue
    City: San Francisco
    StateProv: CA
    PostalCode: 94124
    Country: US
    NetRange: 69.50.160.0 - 69.50.191.255
    CIDR: 69.50.160.0/19
    NetName: ATRIVOTECHNOLOGIES
    NetHandle: NET-69-50-160-0-1
    Parent: NET-69-0-0-0-0
    NetType: Direct Allocation
    NameServer: MAIL.ATRIVO.COM
    NameServer: PAVEL.ATRIVO.COM
    Comment:
    Comment: Comments listed here will appear in ARIN's WHOIS database.
    RegDate: 2003-06-04
    Updated: 2003-08-21
    NOCHandle: EKA4-ARIN
    NOCName: Kacperski Emil
    NOCPhone: 1-925-550-3947
    NOCEmail: abuse@atrivo.com


    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below processes and if you find any of them, end them:
    svchost
    HHMS
    WINMM64
    PEHH
    rces.exe
    PEOR.EXE
    S-S-ORMSSP
    PENTPESY
    S-S-ORSP
    ydasjd
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {30192F8D-0958-44E6-B54D-331FD39AC959} - (no file)
    O2 - BHO: (no name) - {62AF637B-9143-55E0-875E-64550FF62B38} - C:\WINDOWS\SYSTEM\NEIXDDLA.DLL (file missing)
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\2.BIN\S4BAR.DLL
    O2 - BHO: (no name) - {60F8377C-9017-0BB6-875E-64550FF42E62} - C:\WINDOWS\SYSTEM\ZCSNP.DLL
    O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\2.BIN\S4BAR.DLL
    O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
    O4 - HKLM\..\Run: [HHMS] C:\WINDOWS\SYSTEM32\HHMS.EXE
    O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
    O4 - HKCU\..\Run: [SpywareGuardPlus] C:\WINDOWS\SYSTEM32\WINMM64.EXE
    O4 - HKCU\..\Run: [HHMS] C:\WINDOWS\SYSTEM32\HHMS.EXE
    O4 - HKCU\..\Run: [PEHH] C:\WINDOWS\SYSTEM32\PEHH.EXE
    O4 - HKCU\..\Run: [Waea] C:\WINDOWS\Profiles\Joe\Application Data\rces.exe
    O4 - HKCU\..\Run: [PEOR] C:\WINDOWS\SYSTEM32\PEOR.EXE
    O4 - HKCU\..\Run: [S-S-ORMSSP] C:\WINDOWS\S-S-ORMSSP.EXE
    O4 - HKCU\..\Run: [PENTPESY] C:\WINDOWS\PENTPESY.EXE
    O4 - HKCU\..\Run: [S-S-ORSP] C:\WINDOWS\S-S-ORSP.EXE
    O4 - HKCU\..\Run: [Rhzsjh] C:\WINDOWS\SYSTEM\ydasjd.exe
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

    Boot into safe mode and use Windows Explorer to delete:
    C:\PROGRAM FILES\MYSEARCH <--- the whole directory
    C:\WINDOWS\SYSTEM\ZCSNP.DLL
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\SYSTEM32\HHMS.EXE
    C:\PROGRAM FILES\COMMON FILES\CMEII <--- the whole directory
    C:\WINDOWS\SYSTEM32\WINMM64.EXE
    C:\WINDOWS\SYSTEM32\HHMS.EXE
    C:\WINDOWS\SYSTEM32\PEHH.EXE
    C:\WINDOWS\Profiles\Joe\Application Data\rces.exe
    C:\WINDOWS\SYSTEM32\PEOR.EXE
    C:\WINDOWS\S-S-ORMSSP.EXE
    C:\WINDOWS\PENTPESY.EXE
    C:\WINDOWS\S-S-ORSP.EXE
    C:\WINDOWS\SYSTEM\ydasjd.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  8. bre

    bre Private E-2

    No, I do not know that IP address. Should I remove it or change it? If so, how?


    I did everything you posted except delete in safe mode; for some reason it won't let me open in safe mode. Any suggestions? Here is the new log. Thanks



     

    Attached Files: hjt.txt
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    How are you attempting to get into safe mode? Try the methods given here:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    Did you delete those previous files I gave you in normal mode? Or did you not delete them at all? They need to be deleted.

    Did you look in Add/Remove Programs for Ezula and Weboffer and uninstall them if found? If not, do so before continuing with the steps below. If that works, some lines I give below will no longer be found.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=n-advert
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=n-advert
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://s-redirect.com/?a=2&b=n-advert
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://s-redirect.com/?a=2&b=n-advert
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://s-redirect.com/?a=2&b=n-advert
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://s-redirect.com/?a=2&b=n-advert
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/668/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://s-redirect.com/?a=2&b=n-advert
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://s-redirect.com/?a=2&b=n-advert
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=n-advert
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=n-advert
    O2 - BHO: (no name) - {60F8377C-9017-0BB6-875E-64550FF42E62} - C:\WINDOWS\SYSTEM\ZCSNP.DLL
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O13 - DefaultPrefix: http://69.50.191.50/?
    O13 - WWW Prefix: http://69.50.191.50/?

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\SYSTEM\ZCSNP.DLL
    C:\PROGRA~1\ezula <--- the whole directory
    C:\PROGRA~1\Web Offer <--- the whole directory


    Now reboot normal and post a new HJT log. Tell me how things are working.
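    As an added illustration (not code from the thread, from chaslang, or from HijackThis itself), a small Python triage that applies the checks behind the two fix lists above to constructed HJT entries: R0/R1 and O13 values pointing at a bare IP or an unexpected host, orphaned O2/O3 registrations, and O4 Run entries that masquerade as svchost.exe or launch from a user profile directory. The allowlist, the system-binary list and the sample entries are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on entries quoted in the thread; not bre's actual log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=n-advert
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/668/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: (no name) - {30192F8D-0958-44E6-B54D-331FD39AC959} - (no file)
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Waea] C:\WINDOWS\Profiles\Joe\Application Data\rces.exe
O13 - DefaultPrefix: http://69.50.191.50/?
""".strip()

KNOWN_HOSTS = {"www.google.com", "www.msn.com"}              # assumed allowlist
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe"}  # assumed: must live in system32
URL_RE = re.compile(r"https?://\S+")
IP_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def triage_line(line):
    """Return a short reason if a HijackThis entry looks hostile, else None."""
    kind = line.split(" - ", 1)[0]
    if kind in ("R0", "R1", "O13"):          # IE start/search pages and URL prefixes
        m = URL_RE.search(line)
        host = (urlparse(m.group()).hostname or "").lower() if m else ""
        if kind == "O13":                    # HJT lists O13 only when the prefix was changed
            return "URL prefix hijacked (default is plain http://)"
        if IP_RE.fullmatch(host):
            return "browser setting points at a bare IP address"
        if host not in KNOWN_HOSTS:
            return f"search/start page redirected to {host}"
    elif kind in ("O2", "O3"):               # browser helper objects / toolbars
        if line.endswith(("(no file)", "(file missing)")):
            return "orphaned BHO/toolbar registration"
    elif kind == "O4":                       # Run-key autostarts
        path = line.split("] ", 1)[-1].strip('"').lower()
        name = path.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARIES and "\\system32\\" not in path:
            return f"{name} running from outside system32"
        if "\\application data\\" in path or "\\profiles\\" in path:
            return "autorun launches from a user profile directory"
    return None

def triage_log(text):
    """Map each suspicious line to its reason; clean lines are omitted."""
    return {l: r for l in map(str.strip, text.splitlines()) if (r := triage_line(l))}
```

    Running triage_log(SAMPLE_LOG) flags six of the eight constructed entries; the ctfmon.exe autorun and the google.com start page pass.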
     
  11. bre

    bre Private E-2

    Well, it looks like you did wonderfully again. I just have to run my Norton, but it installed great. Here is my log. Thanks again for everything.

    EDIT by chaslang: Inline log changed to an attachment.
     

    Attached Files: hjt.txt
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not post logs inline. They must ALWAYS be as an attachment and must only be posted as requested (as in this case).

    Your log is clean. You're welcome.
     
