Tech Support Guy banner
  • Please post in our Community Feedback thread for help with the new forum software! If you are having trouble logging in, please Contact Us for assistance.
Status
Not open for further replies.
1 - 17 of 17 Posts

·
Registered
Joined
·
225 Posts
Discussion Starter · #1 ·
Ive been told by a comp shop that there is a troj in my comp...tho its under a diff name...any1 kno what it is? * I dont wanna spend £40 to get it fixed :O*

Tho he did also say it could be worse....
 

·
Registered
Joined
·
2,146 Posts
A Google search for "online trojan scan" will give you several options. They will scan your computer for trojans and remove all they can.

If it's spyware they're talking about, do a Google search for Spybot or AdAware. Download one or both, install, immediately update and run one or both to remove spyware.
 

·
Registered
Joined
·
225 Posts
Discussion Starter · #7 ·
Logfile of HijackThis v1.97.0
Scan saved at 00:33:37, on 28/09/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\GSICON.EXE
C:\WINDOWS\SYSTEM\DSLAGENT.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AOL 8.0A\WAOL.EXE
C:\PROGRAM FILES\AOL 8.0A\SHELLMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\SETUP.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\THE CLEANER\CLEANER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

F2 - REG:system.ini: Shell=
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [XtreamLok License Manager] C:\WINDOWS\SYSTEM\xl.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [DesktopWengerCluster] C:\PROGRAM FILES\DESKTOP WENGER\SKINKERS.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37862.7326736111
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {18871EA7-1B30-46DE-9283-E96E707492BA} (Playcom_ATL_Object Class) - http://leela.vide.se/media/playcom/Playcom.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.jp.uo.com/fonts/TDSERVER.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
 

·
Registered
Joined
·
401 Posts
Your HT log looks clean to me!
Could you clarify this a little..
Ive been told by a comp shop that there is a troj in my comp...tho its under a diff name...any1 kno what it is?
What trojan were you told was on your pc? It's necessary for us to know what you suspect is wrong until we can help. Why was your computer being checked out in the shop, was there something going wrong? If these online scans come up clean then your problem isn't a viral or trojan one:

Symantec/Norton: http://security.symantec.com/defaul...FCSGFZVDTPSOERZ

Panda ActiveScan: http://www.pandasoftware.com/activescan/

Trend Micro HouseCall: http://housecall.trendmicro.com/

Hope this helps.

:D

Btw, in your location... less of the West Brit talk there mate. It's them lot that are the island beside Ireland. ;) :p
 

·
Registered
Joined
·
401 Posts
All I can think of if you've used the online scan [trend micro is my personal fav], is that whatever trojan the lads in the shop found, they removed for you.
Is your comp still crashing since you got it back? Maybe you need to cut down on the number of processes in start-up. Too many unneeded programs running all together can cause slow-up and crashing. You can use msconfig.
There's a tutorial here:
http://www.nwktc.org/tutorials/msconfig.html
 

·
Registered
Joined
·
401 Posts
Have you scanned with Trend online scan yet? It will settle the question of a trojan being there.
I'm still a little unsure what you mean when you say: "a troj in my comp...tho its under a diff name".
 

·
Registered
Joined
·
4,823 Posts
I have a feeling that at sometime, there has been a W32 Kbot infection hence the F2 entry

F2 - REG:system.ini: Shell=

I can't see any harm in removing that entry, especially if backed up
 

·
Registered
Joined
·
1,241 Posts
Hi Kurt,

Just a couple of things that I noticed, that really need verification by PAS.

The HJT log is v.1.97.0. The latest version is 1.97.2. The update happened becasue of a bug or something (can't remember precisely) :( that gave F2 and F3 references instead of F0 and F1 references. I think the dotzero version was only around a day or so.

Could you go and download the latest version please. That may give you the opportunity to remove that entry.

The other thing is that you have setup.exe running. This is the Windows installer program as far as I can remember.

Perhaps that is causing a conflict somewhere by running at startup?????????

Wait for confirmation from here first, but that could be the problem.

Just ideas.. :)

Cheers

Liam
 

·
Registered
Joined
·
4,699 Posts
Have HJT fix this item. And yes, please d/l the latest release of HJT :up:

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
 
1 - 17 of 17 Posts
Status
Not open for further replies.
Top