Old 09-02-2004, 03:04 PM   #14 (permalink)
jgvernonco
Admin Emeritus (Retired)
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,954
OS: Vista Home Premium, SP 27


Greetings,

It is difficult to tell whether Ad-aware is working, again, or Spybot did some good work. Once the machine is clean, if Ad-aware functions, it's ok.

Please go to add/remove programs and uninstall Messenger Plus. This is one of the most insecure messengers available today, like putting out a welcome mat for malware. Google for Trillian, which is a much more secure (and free) application.

The first thing that we need to do is fix your winsock layer (all those O10's). Please download and run Winsock2 Fix.

Then...

Turn off system restore by right-clicking on My Computer and go to Properties->System Restore and check the box where it says “Turn off System Restore”. Click Apply and then OK. Restart your computer. After we are finished with your log file and have verified that it’s clean, you may turn it back on and create a new restore point.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.

Then, open HijackThis and click the “config” button in the “other stuff” area. Then, click “misc tools”, then “open process manager”. Please “kill” the following processes (you must kill them one at a time):

wnsintcc.exe
tsm.exe
ts.exe


Make sure to close any open browsers you have. Check and fix the following in HijackThis (make sure not to miss any):

C:\WINDOWS\System32\wnsintcc.exe
C:\PROGRA~1\COMMON~1\tsa\tsm.exe
C:\PROGRA~1\COMMON~1\tsa\ts.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintcc.exe
O4 - HKCU\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://dancecam.as.ua.edu/activex/AxisCamControl.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {F0230524-9D39-4E84-8452-41C592961EA7} (Installer Class) - http://www.exchangeexit.com/Config.cab



Reboot into Safe Mode (hit F8 key until menu shows up). Delete the following Files/Folders, which I have put in bold type, according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\System32\wnsintcc.exe
C:\PROGRA~1\COMMON~1\tsa\tsm.exe
C:\PROGRA~1\COMMON~1\tsa\ts.exe

Then please reboot back into normal mode and go here and run the online virus scan. Please select the Autoclean option when prompted.

Then please reboot once more and post a new log.
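Added example, not part of the original post and not HijackThis code: a Python check for the last step above, comparing the list of entries to fix against the follow-up log and reporting any that are still present. Entries are matched on their CLSID when they have one, so a BHO key that survives as "(no file)" is still caught; the follow-up log and the names `parse_entry`, `entry_key` and `remaining` are constructed for illustration.

```python
import re

# HijackThis entry shape used in the list above: "<code> - <detail>", e.g. "O2 - BHO: ..."
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2})\s+-\s+(?P<detail>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_entry(line):
    """Return (code, detail, clsid or None) for an entry line, None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    clsid = CLSID_RE.search(m["detail"])
    return m["code"], m["detail"], clsid.group(0).upper() if clsid else None

def entry_key(entry):
    """Identity for comparison: the CLSID when there is one (assumption: a leftover
    key is listed as "(no name) ... (no file)", like the first O2 line in the post),
    otherwise the case-folded, whitespace-normalised detail."""
    code, detail, clsid = entry
    return (code, clsid or " ".join(detail.casefold().split()))

def remaining(fix_list, new_log):
    """Lines of fix_list whose entry still appears in new_log."""
    present = {entry_key(e) for e in map(parse_entry, new_log.splitlines()) if e}
    kept = []
    for line in fix_list.splitlines():
        entry = parse_entry(line)
        if entry and entry_key(entry) in present:
            kept.append(line.strip())
    return kept

# Four entries copied from the fix list in the post.
FIX_LIST = r"""
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintcc.exe
O4 - HKCU\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab
"""

# Constructed follow-up log (not from the thread): a BHO key left behind after its
# DLL was deleted, a Run value that came back, and one unrelated entry.
NEW_LOG = r"""
Logfile of HijackThis (constructed sample)
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - (no file)
O4 - HKCU\..\Run: [tsa] C:\PROGRA~1\COMMON~1\tsa\TSM.EXE
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
"""

if __name__ == "__main__":
    for line in remaining(FIX_LIST, NEW_LOG):
        print("still present:", line)
```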