Trojan Horse Help!!!

RemRod · 11-28-2005, 05:16 AM

I have tried Clamwin and AVG and cannot get a Trojan Horse off of my pc. I think I have isolated the location where it is spawning from but cannot delete it.

I have tried booting in dos mode but the directly does not exist when I try to go to it.

Windows XP Pro is my OS

Location of Virus

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5

It looks like it keeps creating the Content.IE5 over and over again.

If anyone has a solution please let me know.

Thanks for you help

-Chris

**Spatcher** · 11-28-2005, 02:15 PM

If you are sure it is a trojan then follow the instructions for HijackThis in my signature.

RemRod · 11-28-2005, 07:28 PM

Here it is.

Thanks for your help

Logfile of HijackThis v1.99.1
Scan saved at 9:26:51 PM, on 11/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\winstall.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\MICROS~3\MSSQL$~1\binn\sqlservr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Windows System32] System32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Windows System32] System32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows System32] System32.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ClearCookies] C:\WINDOWS\cc.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\RunServices: [Windows System32] System32.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
O15 - Trusted Zone: http://download.verizon.net
O15 - Trusted Zone: noaccess.verizon.net
O15 - Trusted Zone: http://www2.verizon.net
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\cel3dv2.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe

RemRod · 12-01-2005, 06:29 AM

Still have a problem. Now I am getting the blue screen of death with a physical memory dump. Going to probably re-install windows.

**jnob** · 12-07-2005, 11:34 AM

have you tried removing the infection from safe mode?

RemRod · 12-07-2005, 08:36 PM

Yes, I tried in safe mode with no success. I went ahead and did a full re-image. I have since installed the Zone Labs Firewall and everything seems fine now.

Thanks for the advice

Col Colt · 12-16-2005, 03:33 PM

RemRod...If I were you, I'd invest in some good software to give peace of mind.

http://www.nsclean.com/boclean.html

http://www.winpatrol.com/

http://www.misec.net/

11-28-2005, 05:16 AM	#1 (permalink)
RemRod Registered User Join Date: Nov 2005 Location: Maryland Posts: 75 OS: XP Professional SP2	Trojan Horse Help!!! I have tried Clamwin and AVG and cannot get a Trojan Horse off of my pc. I think I have isolated the location where it is spawning from but cannot delete it. I have tried booting in dos mode but the directly does not exist when I try to go to it. Windows XP Pro is my OS Location of Virus C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5 It looks like it keeps creating the Content.IE5 over and over again. If anyone has a solution please let me know. Thanks for you help -Chris

11-28-2005, 02:15 PM	#2 (permalink)
Spatcher Henry Join Date: Apr 2005 Posts: 3,484 OS: Mac OSX	If you are sure it is a trojan then follow the instructions for HijackThis in my signature. __________________ JohnThePilot: Cenedl heb iaith, cenedl heb galon (a nation without a language is a nation without a heart) John Butler Trio: Go take a step outside, see what's shakin' in the real world - Good Excuse Paul Kelly: Just add a dollop of tomato sauce for sweetness and that extra tang - How to Make Gravy

11-28-2005, 07:28 PM	#3 (permalink)
RemRod Registered User Join Date: Nov 2005 Location: Maryland Posts: 75 OS: XP Professional SP2	Here it is. Thanks for your help Logfile of HijackThis v1.99.1 Scan saved at 9:26:51 PM, on 11/28/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\savedump.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\RunDll32.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Ahead\InCD\InCD.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\ClamWin\bin\ClamTray.exe C:\Program Files\Messenger\msmsgs.exe C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe C:\winstall.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe C:\Program Files\Microsoft Office\Office\FINDFAST.EXE C:\Program Files\Microsoft Office\Office\OSA.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe C:\PROGRA~1\MICROS~3\MSSQL$~1\binn\sqlservr.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\System32\mqsvc.exe C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe C:\WINDOWS\System32\mqtgsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\hjt\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [Windows System32] System32.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\RunServices: [Windows System32] System32.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Windows System32] System32.exe O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe O4 - HKCU\..\Run: [ClearCookies] C:\WINDOWS\cc.exe O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe O4 - HKCU\..\RunServices: [Windows System32] System32.exe O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home O15 - Trusted Zone: http://download.verizon.net O15 - Trusted Zone: noaccess.verizon.net O15 - Trusted Zone: http://www2.verizon.net O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\cel3dv2.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe

12-01-2005, 06:29 AM	#4 (permalink)
RemRod Registered User Join Date: Nov 2005 Location: Maryland Posts: 75 OS: XP Professional SP2	Still have a problem. Now I am getting the blue screen of death with a physical memory dump. Going to probably re-install windows.

12-07-2005, 11:34 AM	#5 (permalink)
jnob TSF Enthusiast Join Date: Nov 2005 Location: CA Valley Posts: 692 OS: XP Pro, SP2 My System	have you tried removing the infection from safe mode?

12-07-2005, 08:36 PM	#6 (permalink)
RemRod Registered User Join Date: Nov 2005 Location: Maryland Posts: 75 OS: XP Professional SP2	Yes, I tried in safe mode with no success. I went ahead and did a full re-image. I have since installed the Zone Labs Firewall and everything seems fine now. Thanks for the advice

12-16-2005, 03:33 PM	#7 (permalink)
Col Colt Registered User Join Date: Dec 2004 Posts: 111 OS: WinXP	RemRod...If I were you, I'd invest in some good software to give peace of mind. http://www.nsclean.com/boclean.html http://www.winpatrol.com/ http://www.misec.net/