Trojan collected.5.l

Discussion in 'Malware and Virus Removal Archive' started by arpro, 2005/05/26.

Thread Status:
Not open for further replies.
  1. 2005/05/26
    arpro (Inactive, Thread Starter)
    Joined: 2005/05/25 | Messages: 2 | Likes Received: 0
    HI (HOLA)
    I AM AN ARGENTINE USER, SO MY ENGLISH IS NOT GOOD, BUT I UNDERSTAND.
    I HAVE THE SAME PROBLEM WITH TROJAN COLLECTED.5.L
    THIS TROJAN GENERATES THE MSDIRECTX.SYS
    MWAV RECOGNIZES 3 INFECTED FILES BUT I DID NOT COPY THE LOG
    THE HIJACKTHIS LOG IS THIS:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:03:40, on 26/05/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\SlySoft\AnyDVD\AnyDVD.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4C1.EXE
    C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
    C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\ARCHIV~1\mcafee.com\agent\mcregwiz.exe
    c:\archiv~1\mcafee.com\vso\mcvsescn.exe
    C:\WINDOWS\System32\ssmss.exe
    C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
    C:\Archivos de programa\InterVideo\Common\Bin\WinCinemaMgr.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clarin.com.ar/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\archiv~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [AnyDVD] C:\Archivos de programa\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [EPSON Stylus C63 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4C1.EXE /P23 "EPSON Stylus C63 Series" /O6 "USB001" /M "Stylus C63 "
    O4 - HKLM\..\Run: [Ink Monitor] C:\Archivos de programa\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [MMTray] C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Archivos de programa\TrojanHunter 4.0\THGuard.exe "
    O4 - HKLM\..\Run: [McRegWiz] C:\ARCHIV~1\mcafee.com\agent\mcregwiz.exe /autorun
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\ARCHIV~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\ARCHIV~1\mcafee.com\vso\mcvsshld.exe "
    O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\ARCHIV~1\McAfee.com\Agent\mcupdate.exe
    O4 - HKLM\..\Run: [FireFox Service Drivers] ssmss.exe
    O4 - HKLM\..\Run: [FireFox Startup Drivers] wuaclt.exe
    O4 - HKLM\..\RunServices: [FireFox Service Drivers] ssmss.exe
    O4 - HKLM\..\RunServices: [FireFox Startup Drivers] wuaclt.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [FireFox Service Drivers] ssmss.exe
    O4 - HKCU\..\Run: [FireFox Startup Drivers] wuaclt.exe
    O4 - HKCU\..\RunServices: [FireFox Service Drivers] ssmss.exe
    O4 - HKCU\..\RunServices: [FireFox Startup Drivers] wuaclt.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Archivos de programa\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\ARCHIV~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\ARCHIV~1\mcafee.com\vso\mcvsrte.exe

    PLEASE HELP ME :( AND SORRY FOR MY ENGLISH
     
  2. 2005/05/28
    noahdfear (Inactive)
    Joined: 2003/04/06 | Messages: 12,178 | Likes Received: 15
    Welcome to WindowsBBS arpro :)

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    O4 - HKLM\..\Run: [FireFox Service Drivers] ssmss.exe
    O4 - HKLM\..\Run: [FireFox Startup Drivers] wuaclt.exe
    O4 - HKLM\..\RunServices: [FireFox Service Drivers] ssmss.exe
    O4 - HKLM\..\RunServices: [FireFox Startup Drivers] wuaclt.exe
    O4 - HKCU\..\Run: [FireFox Service Drivers] ssmss.exe
    O4 - HKCU\..\Run: [FireFox Startup Drivers] wuaclt.exe
    O4 - HKCU\..\RunServices: [FireFox Service Drivers] ssmss.exe
    O4 - HKCU\..\RunServices: [FireFox Startup Drivers] wuaclt.exe

    Either reboot and repeatedly tap F8 to enable the start menu and select safe mode, or go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and click OK. Click yes to restart. This will restart your computer in safe mode. Log on to your user account.

    Now in safe mode, you will need to show hidden files and folders, as well as system files and extensions for known file types.

    Open C:\WINDOWS\system32 and delete the files msdirectx.sys, ssmss.exe and wuaclt.exe. Use caution here!! There are very similarly named system files.
    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Prefetch, select all and delete.
    Open C:\Documents and Settings\username\Local Settings\temp, select all and delete. Do this for all username folders.
    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.

    If you used msconfig, uncheck the /safeboot box and click ok to reboot. Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK. If you used F8, just reboot back into Windows.

    Back in Windows, go to Start>All Programs>Windows Update. Accept all critical updates.
    Reboot and go back to Windows Update until there are no more criticals offered.

    Run another HijackThis scan and post the log.
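
An added example, not part of the original thread or any poster's tooling: the reply above warns that the files to delete have names very close to real system files. This sketch parses HijackThis O4 autorun lines and flags executables whose name is exactly one edit away from a genuine Windows binary. The `SYSTEM_NAMES` list and all function names are assumptions made for the example; the sample lines are an excerpt of the log in the first post.

```python
import re
from collections import defaultdict

# Genuine Windows binaries that look-alike names imitate (assumed short list).
SYSTEM_NAMES = ("smss.exe", "csrss.exe", "lsass.exe", "svchost.exe",
                "services.exe", "winlogon.exe", "wuauclt.exe")
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\\w+): \[(.+?)\] (.+)$")
EXE_RE = re.compile(r'"?(.*?\.exe)', re.I)

# O4 lines copied from the HijackThis log in the first post (excerpt).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AnyDVD] C:\Archivos de programa\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FireFox Service Drivers] ssmss.exe
O4 - HKLM\..\Run: [FireFox Startup Drivers] wuaclt.exe
O4 - HKLM\..\RunServices: [FireFox Service Drivers] ssmss.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FireFox Startup Drivers] wuaclt.exe
"""

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_autoruns(log_text):
    """Return {exe: {"imitates": system name, "keys": [autorun keys]}}."""
    found = defaultdict(lambda: {"imitates": None, "keys": []})
    for line in log_text.splitlines():
        entry = O4_RE.match(line.strip())
        exe_match = entry and EXE_RE.match(entry.group(3))
        if not exe_match:
            continue
        # Strip any directory part and compare case-insensitively.
        exe = exe_match.group(1).rsplit("\\", 1)[-1].lower()
        # One edit away from a system name, but not the system name itself.
        near = [n for n in SYSTEM_NAMES if edit_distance(exe, n) == 1]
        if near:
            found[exe]["imitates"] = near[0]
            found[exe]["keys"].append(entry.group(1))
    return dict(found)

if __name__ == "__main__":
    for exe, info in lookalike_autoruns(SAMPLE_LOG).items():
        print(f"{exe}: resembles {info['imitates']}, autoruns in {info['keys']}")
```

A hit is a prompt to check the file's exact name and location before deleting anything, since the genuine `smss.exe` and `wuauclt.exe` live in the same folder.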
     

  4. 2005/05/30
    arpro (Inactive, Thread Starter)
    Joined: 2005/05/25 | Messages: 2 | Likes Received: 0
    Many thanks

    Many thanks, but I have formatted my HD ..... :D
     
  5. 2005/05/31
    noahdfear (Inactive)
    Joined: 2003/04/06 | Messages: 12,178 | Likes Received: 15
    Thanks for posting back. :)
     