Trojan issue...

Logfile of HijackThis v1.99.1

Scan saved at 11:23:30 PM, on 10/16/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\System32\twinmpes.exe

c:\windows\system32\oldsregl.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\SmltIEppbmdvemlhbg\command.exe

C:\WINDOWS\system\dllhost.exe

C:\Program Files\Network Monitor\netmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Grisoft\AVG Free\avgwb.dat

C:\Program Files\Opera\Opera.exe

C:\Documents and Settings\Jim Jingozian\Desktop\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\jfwid.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\NT\nrcs.exe,taemnbx.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [ms032855790155] C:\WINDOWS\ms032855790155.exe

O4 - HKLM\..\Run: [ikte8f5f] RUNDLL32.EXE w00af0a8.dll,n 005e8f5a0000000300af0a8

O4 - HKLM\..\Run: [{EB-B2-2E-EE-ZN}] c:\windows\system32\oldsregl.exe GEN001

O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\twinmpes.exe GEN001 ????

O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe

O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\twinmpes.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: kdsfj.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll

O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O20 - AppInit_DLLs: dxclib303562752.dll

O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\shrio800.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmltIEppbmdvemlhbg\command.exe

O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINDOWS\system\dllhost.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

O23 - Service: Windows Vista/NT Runtime Compatibility Service (ntrcs) - Unknown owner - C:\WINDOWS\NT\nrcs.exe (file missing)

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\dwmputz.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
delete those in red as they are trojans

 
I got pwnt by a Trojan not too long ago. I found the problem and "un-installed" the file thinking that would take care of it, but only made things worse. I did almost everything listed by pwnt by pat and various other things to no avail. I eventually just re-installed windows :crap:

Edit: By worse I mean after I deleted the file, it seemed to install tons of ad-ware, spyware and a few trojans on my computer

 
I'm pretty sure the way I described should take care of it; it may be time consuming but it would be worthwhile unless you just want to blast your o.s away and start over.

 
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\jfwid.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\NT\nrcs.exe,taemnbx.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [ms032855790155] C:\WINDOWS\ms032855790155.exe

O4 - HKLM\..\Run: [ikte8f5f] RUNDLL32.EXE w00af0a8.dll,n 005e8f5a0000000300af0a8

O4 - HKLM\..\Run: [{EB-B2-2E-EE-ZN}] c:\windows\system32\oldsregl.exe GEN001

O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\twinmpes.exe GEN001

O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe

O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\twinmpes.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: kdsfj.exe

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll

O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O20 - AppInit_DLLs: dxclib303562752.dll

O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\shrio800.dll

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmltIEppbmdvemlhbg\command.exe

O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINDOWS\system\dllhost.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

get rid of all of that

remember: do everything in safe mode

 
format/re-install.

I use Norton Ghost and an image of a fresh install to do this every three months or so anyways... takes like... 30 minutes. Norton Ghost is teh shizzle.

 
I'd reformat but I save nothing on my Windows drive so it's no big deal to me.

On another note, I was quite disappointed that this thread wasn't about hard hats


 
People who give up and reformat without even trying aren't worth listening to. I don't use an antivirus and I've only been hit twice in the past year. Each time, I know exactly when I get hit because I'm forwarded to a bad **** or advertiser site. I can usually kill an infection in less than 15 minutes, sans the actual virus scan which takes overnight.

 
Tried doing what Hundreth said...couldn't open the file even in safe mode...and the problem got worse. Now I have a whole bunch of .exe's running around.
I'm running another scan...I have Avast already loaded, maybe it'll do something that AVG didn't so far...
Ouch. Might as well try one more program since the others aren't helping. This has been one of the best ones I've seen:

http://www.freedownloadscenter.com/Utilities/Anti-Virus_Utilities/TDS_3_Trojan_Defence_Suite.html

 