
HT Trojan virus

Discussion in 'Security and Privacy' started by truejiolah, 2004/09/07.

Thread Status:
Not open for further replies.
  1. 2004/09/07
    truejiolah

    truejiolah Inactive Thread Starter

    Joined:
    2004/06/16
    Messages:
    11
    Likes Received:
    0
    I have been encountering problems with HT Trojan. It seems like every time I start my computer, I always get a message from the antivirus I'm using (eTrust EZ Armor) that the computer is infected by some HT Trojan. So almost every day I run the virus scan and delete with that antivirus, and it deletes 3, 4 or sometimes 6 files in the Temporary Internet Files folder. Now this problem is happening all the time. Can anyone help me prevent it from happening again? Here are some of the details reported by the antivirus.

    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0PY3C1M7\v29[1].fil - Win32.Startpage.HT trojan. Deleted.

    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\XLK2GNPV\v29[1].fil - Win32.Startpage.HT trojan. Deleted.

    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\UIVL5RX3\v29[1].fil - Win32.Startpage.HT trojan. Deleted.

    I need some help please!!

    Truejiolah frustrated!
     
  2. 2004/09/07
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Well, it would help to know for sure what OS version you are running but assuming it is a flavor of XP:

    - turn off system restore

    - boot to safe mode
    .. easiest way is probably to click on start, click on run, key in msconfig, click on OK. Then click on the boot.ini tab and on /SAFEBOOT and close msconfig and reboot.
    .. note that to get back to normal mode you will need to run msconfig again and uncheck /SAFEBOOT

    - Open My Computer, then right-click on C: and click on Properties. Select to do a cleanup and then let it remove all except 'compress old files'.

    - Open Windows Explorer and delete the contents of all these folders if they are present. You may not have several of them.
    c:\temp
    c:\windows\temp
    c:\documents and settings\username\temp (where username means do the deletion for all user accounts)
    c:\documents and settings\username\local settings\temp
    c:\documents and settings\username\local settings\history
    c:\documents and settings\username\local settings\temporary internet files

    - Boot back to normal mode and run an online virus scan. Several good options in Quicklinks (from my signature) and see what is found and what can be removed. Any found and not removed, please post details here.

    - Turn System Restore back on. Reboot.

    - Download, immediately update, and then run Ad-Aware SE (quicklinks). You want to run a full scan and delete all items it finds.

    - Download, immediately update, and then run Spybot. Delete all items it prechecks. The others are harmless and can be left alone. When the scan is finished, click on the immunize icon then on the green cross to immunize the PC against a large number of known bad items.

    - Download Hijackthis and extract it to a folder of its own (so not temp and not desktop) then run it to create a log and post it in a reply here.
     
    Newt,
    #2


  4. 2004/09/08
    truejiolah

    truejiolah Inactive Thread Starter

    Joined:
    2004/06/16
    Messages:
    11
    Likes Received:
    0
    I run W2K, but I have already run Spybot and a virus scan without any long-term result. So could you tell me how I can get to msconfig for W2K?
     
  5. 2004/09/09
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Msconfig for 2K, or you can do it the old-fashioned way and just watch carefully when you boot. It varies with different systems, but some F key will give you a boot menu where you can choose safe mode.

    I suggested an online virus scan because a number of the current crop of viruses will silently disable your onboard AV program so it appears to work but finds nothing.

    Spybot is good - make sure you have version 1.3 - but Ad-aware finds things that Spybot misses and vice versa so good to run both.

    Hopefully the various clean-up things will reduce the amount of junk you have to deal with but a Hijackthis scan log will show some bad things that the scans never see.
     
    Newt,
    #4
  6. 2004/09/09
    truejiolah

    truejiolah Inactive Thread Starter

    Joined:
    2004/06/16
    Messages:
    11
    Likes Received:
    0
    This is what I got after running RAV online.
    Scan started at 9/9/2004 1:13:35 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\WINNT\twaintec.dll_tobedeleted - Trojan:Win32/Spy.BiSpy.C -> Infected
    C:\WINNT\polmx.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\Documents and Settings\All Users\Application Data\Pribi\Pribi.dll - Trojan:Win32/StartPage.KU -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\nviolcua.kmk - TrojanSpy/Win32.Agent.P -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\yfxrasja.kpz - TrojanSpy/Win32.Agent.P -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\_update.dat - TrojanSpy/Win32.Agent.L -> Suspicious
    C:\Documents and Settings\Administrator\Local Settings\Temp\eojtmbar.eyd - TrojanSpy/Win32.Agent.P -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\fgmmqmvl.xws - TrojanSpy/Win32.Agent.P -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\tvydlmzb.gry - TrojanSpy/Win32.Agent.P -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\kefyljcf.wjg - TrojanSpy/Win32.Agent.P -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\hncqhknz.opy - TrojanSpy/Win32.Agent.P -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\uroulrmz.qss - TrojanSpy/Win32.Agent.P -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\isvsvumf.oph - TrojanSpy/Win32.Agent.P -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\hztysfia.lux - TrojanSpy/Win32.Agent.P -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\qzfpkdvd.lzq - TrojanSpy/Win32.Agent.P -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\nrnnjvkb.qny - TrojanSpy/Win32.Agent.P -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\cltnbrwj.nap - TrojanSpy/Win32.Agent.P -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\epasayqu.cfn - TrojanSpy/Win32.Agent.P -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\gbbxkapr.ovv - TrojanSpy/Win32.Agent.P -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\nenrmkjx.zun - TrojanSpy/Win32.Agent.P -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\pqeiyhzm.ljw - TrojanSpy/Win32.Agent.P -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\ywkcronf.daj - TrojanSpy/Win32.Agent.P -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\utnophtd.esy - TrojanSpy/Win32.Agent.P -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\alchem.cab->alchem.exe - TrojanDownloader:Win32/Alchemic.A -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\alchem.exe - TrojanDownloader:Win32/Alchemic.A -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\polmx.cab->polmx.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\polmx.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\wupdt.exe - TrojanDownloader:Win32/Intexp.A -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\THI34E1.tmp\twaintec.cab->twaintec.dll - Trojan:Win32/Spy.BiSpy.C -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\THI34E1.tmp\twaintec.cab->polall1t.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\THI34E1.tmp\twaintec.dll - Trojan:Win32/Spy.BiSpy.C -> Infected
    C:\Documents and Settings\Administrator\Local Settings\Temp\THI34E1.tmp\polall1t.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    C:\Program Files\Common Files\Symantec Shared\VirusDefs\20040728.003\0004NAV~.TMP - TrojanDownloader:Win32/Agent.AE -> Infected

    Scanned
    ============================
    Objects: 27399
    Directories: 2158
    Archives: 702
    Size(Kb): -405995
    Infected files: 32

    Found
    ============================
    Viruses found: 6
    Suspicious files: 1
    Disinfected files: 0
    Mail files: 66

    I omitted to check autoclean so I have to do it again and we will see how many will be deleted. Thank you very much!
     
  7. 2004/09/09
    truejiolah

    truejiolah Inactive Thread Starter

    Joined:
    2004/06/16
    Messages:
    11
    Likes Received:
    0
    This is the log after running Hijackthis.

    Logfile of HijackThis v1.98.2
    Scan saved at 3:30:11 PM, on 9/9/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\MSTask.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\VetMsgNT.exe
    C:\WINNT\system32\WFXSVC.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Norton SystemWorks\WinFax\WFXMOD32.EXE
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    C:\WINNT\system32\pctspk.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\wfxsnt40.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64 "
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [MSConfig] A:\msconfig.exe /auto
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinsthdlk.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {E15111B0-95AE-4C05-B91F-F4564057990C} (MovieSystem WAY) - http://servicesv4.moviesystem.com/cabs/msway.cab
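    As an added example (my own code, not anything posted in this thread), here is a small Python triage script that reads the two log formats posted above, the RAV online scan report and the HijackThis log, and answers the question the thread is circling: which flagged files live in folders that the temp cleanup empties anyway, which sit outside those folders and have to be deleted by name, and which of the flagged files also show up as a HijackThis load point (BHO, toolbar, Run key) and so get reloaded at every start. The sample log lines are a constructed excerpt in the same format as the posted logs; the folder markers and the file-name matching heuristic are my assumptions.

```python
import ntpath
import re
from collections import Counter

# Constructed excerpt in the format of the RAV online scan report posted
# above (path - detection -> verdict); not the complete log from the thread.
RAV_SAMPLE = r"""
Scanning files...
C:\WINNT\twaintec.dll_tobedeleted - Trojan:Win32/Spy.BiSpy.C -> Infected
C:\WINNT\polmx.exe - TrojanDownloader:Win32/Agent.AE -> Infected
C:\Documents and Settings\All Users\Application Data\Pribi\Pribi.dll - Trojan:Win32/StartPage.KU -> Infected
C:\Documents and Settings\Administrator\Local Settings\Temp\nviolcua.kmk - TrojanSpy/Win32.Agent.P -> Infected
C:\Documents and Settings\Administrator\Local Settings\Temp\_update.dat - TrojanSpy/Win32.Agent.L -> Suspicious
C:\Documents and Settings\Administrator\Local Settings\Temp\alchem.cab->alchem.exe - TrojanDownloader:Win32/Alchemic.A -> Infected
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20040728.003\0004NAV~.TMP - TrojanDownloader:Win32/Agent.AE -> Infected
"""

# Constructed excerpt of HijackThis lines in the format posted above.
HJT_SAMPLE = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
"""

RAV_LINE = re.compile(r"^(?P<path>.+) - (?P<detection>\S+) -> (?P<verdict>Infected|Suspicious)$")
HJT_LINE = re.compile(r"^(?P<kind>O\d+) - (?P<rest>.*)$")

# Folders that the thread's cleanup steps empty wholesale (assumption: these
# three markers). A hit anywhere else survives that cleanup and must be
# removed by name.
TRANSIENT_MARKERS = ("\\local settings\\temp\\", "\\temporary internet files\\", "\\winnt\\temp\\")


def parse_rav(text):
    """Return (outer_path, detection, verdict) for each flagged file.
    Archive members ('x.cab->x.exe') are reported by their container."""
    hits = []
    for line in text.splitlines():
        m = RAV_LINE.match(line.strip())
        if m:
            outer = m["path"].split("->", 1)[0]
            hits.append((outer, m["detection"], m["verdict"]))
    return hits


def parse_hjt(text):
    """Return (section, target) pairs; target is the path or URL the entry loads."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        kind, rest = m["kind"], m["rest"]
        if kind == "O4" and "] " in rest:
            target = rest.split("] ", 1)[1]       # command line after the [value name]
        else:
            target = rest.rsplit(" - ", 1)[-1]    # O2/O3/O16: path or URL is the last field
        entries.append((kind, target))
    return entries


def is_transient(path):
    p = path.lower()
    return any(marker in p for marker in TRANSIENT_MARKERS)


def triage(rav_text, hjt_text):
    hits = parse_rav(rav_text)
    entries = parse_hjt(hjt_text)
    report = {"transient": [], "persistent": [], "loaded_at_startup": [],
              "by_directory": Counter()}
    for path, detection, verdict in hits:
        bucket = "transient" if is_transient(path) else "persistent"
        report[bucket].append((path, detection, verdict))
        report["by_directory"][ntpath.dirname(path)] += 1
        # Heuristic: HijackThis prints 8.3 short names (DOCUME~1, APPLIC~1),
        # so compare on the file name only, case-insensitively.
        name = ntpath.basename(path).lower()
        for kind, target in entries:
            if name in target.lower():
                report["loaded_at_startup"].append((path, kind, target))
    return report


if __name__ == "__main__":
    r = triage(RAV_SAMPLE, HJT_SAMPLE)
    print("Cleared by the temp-folder cleanup:")
    for path, det, verdict in r["transient"]:
        print(f"  {verdict:10} {det:36} {path}")
    print("Outside temp folders (delete by name):")
    for path, det, verdict in r["persistent"]:
        print(f"  {verdict:10} {det:36} {path}")
    print("Flagged files that are also HijackThis load points:")
    for path, kind, target in r["loaded_at_startup"]:
        print(f"  {kind}: {target}  <-  {path}")
```

On the constructed sample the script sorts the Temp hits into the transient bucket, lists the two C:\WINNT files and Pribi.dll as the ones that need explicit deletion, and reports that Pribi.dll is also registered as an O2 BHO, which is why a file in All Users\Application Data comes back each time the browser starts unless the load point goes too. The match on bare file name is deliberately loose (it would also match a clean file that happens to share a name), so treat the "loaded_at_startup" list as a prompt for a closer look rather than a verdict.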
     
  8. 2004/09/12
    truejiolah

    truejiolah Inactive Thread Starter

    Joined:
    2004/06/16
    Messages:
    11
    Likes Received:
    0
    Can anyone help me figure out what files to delete? HT Trojan keeps coming back.
    :(

     
  9. 2004/09/12
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Delete all the files and folders in the following folder.
    C:\Documents and Settings\Administrator\Local Settings\Temp
    Then delete these files.
    C:\WINNT\twaintec.dll
    C:\WINNT\polmx.exe
    If you have a problem deleting, install MoveOnBoot. Target the files with this, and reboot and they will be gone.
    While you are at it, go into Internet Options and delete all Temp IE files; be sure to put a checkmark in 'Delete Offline Content'.
     