Help Needed With Trojan Dropper

Question

Hello.  It was suggested I post a message here looking for help with my computer.  We just got involved with DSL where I live and have had problems with our computer slowing down.  I downloaded Ad aware to help with that problem and that worked for a bit.  I ran it at least once a week, as well as a weekly system scan with Norton Anti virus.  I have automatice updates for Norton as well as for Microsoft, and I always check for new updates from Ad aware. Anyway, The computer should be super fast but it is slower than with the old dial up service.  It was suggested that I download AVG virus software to check for what Norton misses.  That program found two Trojan dropper programs(?) and put them in the virus vault.  I ran the program again and it found another Trojan.  I'm simply getting confused and I don't have a ton of computer background to work from. Tonight I downloaded Spybot Search & Destroy and it found several problems that it could fix.  I then downloaded Hijackthis and below is a copy of the scan log.  Please help if you can. Thanks. Logfile of HijackThis v1.97.7Scan saved at 8:01:10 PM, on 6/1/2004Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\Grisoft\AVG6\avgserv.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\Program Files\Norton AntiVirus
avapsvc.exeC:\Program Files\Norton Internet Security\NISUM.EXEC:\WINDOWS\System32\svchost.exeC:\Program Files\Norton Internet Security\SymProxySvc.exeC:\WINDOWS\System32\MsPMSPSv.exeC:\Program Files\Norton Internet Security\NISSERV.EXEC:\WINDOWS\Explorer.EXEC:\PROGRA~1\NORTON~1
avapw32.exeC:\Program Files\Norton Internet Security\IAMAPP.EXEC:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exeC:\Program Files\Common Files\Real\Update_OBealsched.exeC:\Program Files\QuickTime\qttask.exeC:\WINDOWS\System32\ctfmon.exeC:\WINDOWS\System32\RunDLL32.exeC:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exeC:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exeC:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exeC:\WINDOWS\System32\hpoipm07.exeC:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exeC:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exeC:\Documents and Settings\Patrick\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/R3 - Default URLSearchHook is missingO1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.comO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dllO3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1
avapw32.exeO4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXEO4 - HKLM\..\Run: [AdaptecDirectCD] 'C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe'O4 - HKLM\..\Run: [TkBellExe] 'C:\Program Files\Common Files\Real\Update_OBealsched.exe'  -osbootO4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottimeO4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUPO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exeO4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNowO4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXEO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exeO4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~5\Office10\EXCEL.EXE/3000O9 - Extra button: Messenger (HKLM)O9 - Extra 'Tools' menuitem: Messenger (HKLM)O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cabO16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cabO16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cabO16 - DPF: {35B1769E-299A-4E17-B9D0-E669A02C0F18} (QCDownload2 Class) - http://accel.netacc.net/download/QCDownload.cabO16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/28e5a88cd7af31229701/netzip/RdxIE601.cabO16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocxO16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CABO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab     Message Edited by Patrick1964 on 06-01-2004 07:28 PM

ChrisRLG · Answer

Important: Create a folder on the C: drive called C:\HJT. You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. Unzip HijackThis into this folder. When you run HijackThis from this folder and have it 'Fixed checked' it will create a backup file of modifications to use if restore is necessary. Please delete the old copy (including the zip copy) so it can't be used.=====================================Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked. O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/28e5a88cd7af31229701/netzip/RdxIE601.cabThen Reboot.Spybot S&D did a good job on your PC.====================================This is my normal post for when you are clear - which you now are:-------------------------How on earth did I get infected with all that spyware in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051Also available from here :- http://www.computercops.biz/postlite7736-.html or http://boards.cexx.org/viewtopic.php?t=957--------------Look at the info on my website regarding malware (Link below). Some things you can do to stop getting infected again:-Spybot S&D, Ad-aware Run weekly - or after a heavy internet session.Spybot S&D v1.3 also have a run time module that runs in the background.Spywareblaster & Spywareguard, first sets kill bits to stop known bad activeX controls installing, second acts like your AV to stop browser hijacks and installing of known badies.Also ie-spyad (Link on my site), puts 4000 bad sites in your restricted (banned) sites list, to stop you accidentaly getting sent to a bad site, it has optional list of 'bad' adult sites to install as well.All those with links from my site. Do remember just like Anti-Virus they need to be updated regularly, I do mine weekly, Anti-Virus hourly.Another good program winpatrol from here.With these and a firewall in place I have to try various bad sites when checking peoples hijackthis logs looking to sort bad from good, and I have not yet been infected. Still time for it to happen LOL.

Patrick1964 · Answer

Thanks so much for your support. I did what you suggested, but I then ran spybot and it found the following results. My DSL doesn't seem any faster. What am I still doing wrong? Thanks so much for helping me. I just want to get my computer back to normal.

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1935655697-1202660629-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\LSP.sbi
2004-05-25 Includes\Cookies.sbi
2004-05-29 Includes\Dialer.sbi
2004-05-28 Includes\Hijackers.sbi
2004-05-28 Includes\Keyloggers.sbi
2004-05-28 Includes\Malware.sbi
2004-05-04 Includes\Revision.sbi
2004-04-12 Includes\Security.sbi
2004-05-28 Includes\Spybots.sbi
2004-05-28 Includes\Trojans.sbi
2004-05-24 Includes\Tracks.uti

Nelson Gonzalez · Answer

Hello everyone,

I have the same problem to this reply...The HKEY_USERS/ etc etc etc.

Dell support directed me here first.

DSO Exploit 5 entries...Registry change.

This info comes from Spybot SD...I follow instructions to "fix problems", then I run Spybot again and the five entries are still there.

Is this common or is there something wrong?

Do I leave this or is there anything you guys recommend me to do?

Thanks for Starts.

Nelson

Message Edited by NELSON GONZALEZ on 11-19-2004 08:55 PM

arazhopar · Answer

I NEED HELP WIT INSTALLING MY NORTON ANTI VIRUS IT KEEPS ASKING FOR PASSWORD PLEASE HELP ME!!!!!!!!:smileysad::smileysad::smileysad:

Nelson Gonzalez · Answer

Try your PC password.

Contact Symantec/Norton online Help.

http://www.symantec.com/techsupp/support_options.html

I had mine installed by Dell, new PC. After Three months, I renewed it online. I don't remember passwords when renewing. I had both, NIS and NAV renewed online, simultaneously.

If this does not help, post your problem on the message board as a new thread. Good Luck

Nelson

PS: I get paid to read emails, you can too…Earn Ten Dollars for Signing up for Free…Click…Copy/Paste URL… Below

http://hits4pay.com/members/index.cgi?nelsonisok

Make it a habit...
Daily, Weekly, or Monthly...
You decide. Update and Run...
Everything concerning your PC Security...
Anti-Virus, Windows and any software you have...
Better Safe than Sorry...

I Get Paid For Reading Emails...
http://hits4pay.com/members/index.cgi?nelsonisok

Virus & Spyware

Was this post helpful?