Trojan Problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by SCOOBY, Feb 6, 2005.

  1. SCOOBY

    SCOOBY Private E-2

    Can anyone advise if anything on the attached HijackThis file needs removing, as I have a trojan I cannot get rid of? Many thanks.

  2. Publius

    Publius Sergeant

    Looks like you have a handful of problems, including a CWS variant. The first thing to do is run through the steps in the following sticky thread:


    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you currently have any of the programs that are listed to download, be sure it is the updated version that is offered by this site. These links remain updated, so the updated version of each of the downloads is available through the links in the thread above.

    Try to make it through all the steps in the tutorial and make notes of the results of each scan. If you have problems with any of the steps in the tutorial, make note of that as well in your next reply. After going through all of that, reply here and describe any symptoms that remain on the machine and you will be advised as to the next step.

    Next, about your HijackThis: you are running the program from the desktop; it needs to be in its own secure folder (ex. c:\Program Files\HJT\). Also, it is important that you close all running programs (including Internet Explorer) before running a scan. These tips and more are covered in the thread below.

    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    After going through the above threads, go ahead and post another HijackThis log as an attachment.

    Good luck.
     
  3. TheOldThug

    TheOldThug First Sergeant

    Scooby


    I see quite a few problems. Good luck on the TUTORIAL and be sure to do what Publius said.
     
  4. SCOOBY

    SCOOBY Private E-2

    Followed your guide, Publius, with the following errors.

    Could not run IE in Safe Mode with Networking so online scans were done in normal mode.

    All other scans done in safe mode

    Have moved HijackThis to C:\ as indicated; new scan attached.

    As soon as I log on to the internet I get a warning from SystemSuite 5 that the following Trojan has been found:

    TROJ_STARTPGE.KR
    C:\PROTAS.EXE

    Then again as WINDOWS.PROTECTOR_UPDATE.EXE.

    Thanks for the help so far.


  5. TheOldThug

    TheOldThug First Sergeant

    Scooby

    You are really infected.
    First thing you should do is run the following program in safe mode.
    Elite Remover

    After doing that you should do the following. The tool above may get rid of a lot of this. Run it a couple of times and read the readme that comes with it.

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    WildTangent

    NOW:
    Please look in Task Manager (ctrl-alt-del) and try to END the following running processes, if found:

    javaaw.exe
    sysmx32.exe
    oigmw.exe
    ?ttrib.exe
    htt.exe
    wkhgth.exe

    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pvcvd.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pvcvd.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pvcvd.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pvcvd.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pvcvd.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pvcvd.dll/sp.html#44768
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pvcvd.dll/sp.html#44768
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
    O2 - BHO: (no name) - {9B7C2335-0843-5E5B-788F-008A17712626} - C:\WINDOWS\system32\sysua.dll
    O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\wnim.dll
    O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
    O4 - HKLM\..\Run: [sysmx32.exe] C:\WINDOWS\sysmx32.exe
    O4 - HKLM\..\Run: [eugtogymkqhgrottaakymx] C:\WINDOWS\system32\wkhgth.exe
    O4 - HKCU\..\Run: [Iblsnk] C:\WINDOWS\system32\?ttrib.exe
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2****ed.biz
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\wnim.dll
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\wnim.dll
    O21 - SSODL: eplrr - {99927D48-49B1-439A-BAAF-442916052167} - C:\WINDOWS\system32\eplrr3.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following file(s) and folder(s) if they should remain:

    C:\WINDOWS\javaaw.exe
    C:\WINDOWS\sysmx32.exe
    C:\WINDOWS\system32\oigmw.exe
    C:\WINDOWS\system32\?ttrib.exe
    C:\Documents and Settings\BARRIE\ <--the whole folder
    C:\WINDOWS\system32\wkhgth.exe
    C:\WINDOWS\system32\wnim.dll
    C:\WINDOWS\EliteSideBar <--the whole folder
    C:\WINDOWS\system32\eplrr3.dll
    C:\WINDOWS\system32\sysua.dll

    If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again.


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    THEN:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)
     
  6. TheOldThug

    TheOldThug First Sergeant

    Make sure you go back to normal mode, after doing the Elite remover, before doing the rest of my suggestions. Of course go back to safe when instructed.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You got almost all of them, Thug! You missed just these three:
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/nike/nikemagiafootball/install.cab
    O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\javaaw.exe

    However, the O23 line is part of the HSA hijacker (along with a few of the other items in the log). They are not going to be fixed this way. In fact they will more than likely just change names and spread new files.

    Also note that some of the O15 lines (if not all) may come back and will require direct registry manipulation to fix.

    One additional item: the C:\WINDOWS\system32\?ttrib.exe file will more than likely not be visible, and you must be careful not to delete attrib.exe, which is a valid Windows file. The reason for the file name appearing with a question mark is that they have used non-standard characters in the file name to confuse you. The ?ttrib.exe file, if found, will more than likely be 300K or larger in size, whereas the valid attrib.exe file is only 11K.


    And if you do not recognize the below two O16 lines to be valid, I would fix them too.
    O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://217.145.76.16/nslite/nslite.cab
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file://D:\SuperCD\IntraLaunch.CAB
     
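
chaslang's warning about ?ttrib.exe is a general one: a file whose name contains a non-ASCII character displays as "?" in a console that cannot render it, and sits next to the genuine attrib.exe looking almost identical. The following is an added example, not the thread's method or any tool it mentions: a Python check that folds each name back to its nearest ASCII spelling, flags names that then match or sit one character away from a known Windows binary, and adds the size comparison chaslang describes as a secondary hint. The directory listing is constructed, the list of imitated binaries is an illustrative assumption, and the 11K figure is the thread's own statement for attrib.exe on that era's Windows, not an authoritative size.

```python
"""Lookalike detection for Windows system binaries (added example; not the thread's
method or tool). It demonstrates chaslang's point about ?ttrib.exe: a name built
from a non-ASCII character renders as "?" and hides next to the real attrib.exe.
The directory listing is constructed; the binary list and size hint are assumptions."""
import unicodedata

# Genuine names a hijacker imitates. Illustrative, not exhaustive.
KNOWN_BINARIES = ("attrib.exe", "svchost.exe", "explorer.exe", "rundll32.exe")
# Rough size of the genuine file in KB, as stated in the thread for attrib.exe on
# that era's Windows. A hint for the operator, not a signature.
SIZE_HINT_KB = {"attrib.exe": 11}


def ascii_fold(name):
    """Map a filename to its nearest ASCII spelling; also report if any char was non-ASCII."""
    out, non_ascii = [], False
    for ch in name:
        if ord(ch) < 128:
            out.append(ch)
            continue
        non_ascii = True
        # NFKD splits an accented letter into base letter + combining mark;
        # keep the ASCII base, or "?" if there is none (as a console would show it).
        base = "".join(c for c in unicodedata.normalize("NFKD", ch) if ord(c) < 128)
        out.append(base or "?")
    return "".join(out), non_ascii


def edit_distance_le1(a, b):
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(short == long_[:i] + long_[i + 1:] for i in range(len(long_)))


def flag_lookalikes(listing):
    """listing: iterable of (filename, size_in_bytes). Returns [(name, imitated, reason)]."""
    hits = []
    for name, size in listing:
        lower = name.lower()
        if lower in KNOWN_BINARIES:
            continue  # exact plain-ASCII name: the genuine file, leave it alone
        folded, non_ascii = ascii_fold(lower)
        for known in KNOWN_BINARIES:
            if folded != known and not edit_distance_le1(folded, known):
                continue
            if non_ascii:
                why = "non-ASCII character in name, reads as " + known
            elif "?" in lower:
                # Windows forbids "?" in filenames, so a "?" in a listing or log means
                # the tool that produced it could not render the real character.
                why = "unrenderable character shown as '?', reads as " + known
            else:
                why = "one character away from " + known
            hint = SIZE_HINT_KB.get(known)
            if hint and size > 4 * hint * 1024:
                why += "; %d KB where ~%d KB is expected" % (size // 1024, hint)
            hits.append((name, known, why))
            break
    return hits


# Constructed listing: the genuine file, the lookalike as the file system stores
# it, the same name as it appears once pasted into a log, and two unrelated files.
SAMPLE_LISTING = [
    ("attrib.exe", 11_264),
    ("\u00e1ttrib.exe", 327_680),
    ("?ttrib.exe", 327_680),
    ("wkhgth.exe", 45_056),
    ("rundll32.exe", 33_280),
]

if __name__ == "__main__":
    for name, known, why in flag_lookalikes(SAMPLE_LISTING):
        print(repr(name), "->", why)
```

The genuine attrib.exe is never reported because its name matches a known binary exactly in plain ASCII; only the folded or one-character-off names are. Randomly named droppers such as wkhgth.exe are out of scope for this check, which is why the thread still has you hunt them down by path.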
