trojan dropper

Discussion in 'QnA (read only)' started by harmik, Dec 26, 2004.

Thread Status:
Not open for further replies.
  1. harmik

    harmik New Member

    Joined:
    Dec 19, 2003
    Messages:
    108
    Likes Received:
    0
    Trophy Points:
    0
    plz help me some1

    recently my comp. started getting hanged and had to be restarted sometimes
    but after restarting , sometimes the master hard disk wasnt recognised by the pc ( i hav 2 HDD's)
    I checked the wires in the cabinet also and then started and the comp. recognised the disk but still then the comp. hanged
    so i performed antivirus scan
    and a torjan dropper came up in C:\temp\installer2.exe
    the file was automatically deleted
    but i dont know where it came from
    and wanted to find out
    i checked regsitry and found an entry under
    My Computer\HKEY _LOCAL_MACHINE\SOFTWARE\Windows AdControl
    by the name download path and data as \temp (the folder which had the infected file)
    there's also a program in my program files as windows adcontrol

    i wanted to know wot this program is and wot it can do ( can it harm the comp. in some way?), did it download the virus??
    also, can there be some way in which ( by some log files maintained by widnows) u can find out which certain program download or installed a certain file into the C:\temp directory????

    there wer also several entries in the registry under............control set ... unser the name temp and data system root\temp

    or was it all just due to faulty wires in the cabinet coz a day earlier i had opened the cabinet and put in the dvd rom drive

    plz ppl. help me and give me an answer
     
  2. it_waaznt_me

    it_waaznt_me Coming back to life ..

    Joined:
    Nov 30, 2003
    Messages:
    2,023
    Likes Received:
    10
    Trophy Points:
    38
    Location:
    A bit closer to heaven
    Please post your HijackThis Logfile for better assesment of your problem.
     
  3. OP
    OP
    harmik

    harmik New Member

    Joined:
    Dec 19, 2003
    Messages:
    108
    Likes Received:
    0
    Trophy Points:
    0
    well, as the virus has been removed
    and everything cleared, i dont know wheteher the log will help or not


    but here it is

    Logfile of HijackThis v1.97.7
    Scan saved at 2:31:59 PM, on 12/27/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2479.0001)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\inetsrv\inetinfo.exe
    C:\PROGRA~2\MYWEBS~1\bar\3.bin\mwsoemon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\mqsvc.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
    C:\Program Files\Windows AdControl\WinAdCtl.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Windows AdControl\WinAdAlt.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\PROGRA~2\GADWIN~1\PRINTS~1\PrintScreen.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\System32\mdm.exe
    D:\New Folder\Security & Computer Updates\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL
    O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~2\SEARCH~1\SEARCH~1.DLL
    O2 - BHO: MSN smart tags - {9DD4258A-7138-49C4-8D34-587879A5C7A4} - C:\PROGRA~2\MSN\smarttag\MSNBHO.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~2\FLASHGET\jccatch.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~2\FLASHGET\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~2\MYWEBS~1\bar\3.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
    O4 - HKLM\..\Run: [Kernel32] C:\WINNT\SYSTEM\Kernel32.dll
    O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~2\MYWEBS~1\bar\3.bin\mwsoemon.exe
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
    O4 - Startup: PrintScreen.lnk = C:\Program Files\Gadwin Systems\PrintScreen\UNWISE.EXE
    O4 - Startup: Webshots.lnk = H:\Webshots\Webshots\WebshotsTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8fbdbb52802d:92d63af79d5017ef95cb164cb01a51b9
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38085.9903009259
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9BB6CE0D-C113-4CF6-9331-AB9745145987}: NameServer = 202.138.97.193 202.138.96.2
     
  4. it_waaznt_me

    it_waaznt_me Coming back to life ..

    Joined:
    Nov 30, 2003
    Messages:
    2,023
    Likes Received:
    10
    Trophy Points:
    38
    Location:
    A bit closer to heaven
    First kill these process from Task manager ...

    And then Start > Run > Appwiz.cpl <Press Enter>
    And uninstall MyWebSearch ...

    Reboot .. Now run HijackThis and put a checkmark next to these entries and click on Fix Checked. Close all windows except HijackThis before doing so ..
     
  5. OP
    OP
    harmik

    harmik New Member

    Joined:
    Dec 19, 2003
    Messages:
    108
    Likes Received:
    0
    Trophy Points:
    0
    thx anyway mate but i formatted and reinstalled everything
     
Thread Status:
Not open for further replies.

Share This Page