July 19th, 2004 22:00
Help Removing Trojan Dropper Virus
I have looked for the files that are supposed to be infected but can't find them to delete. The files are (notepad.exe) in the C:\Windows\System32\ folder. Also, (A0041110.exe) in the C:\System Volume Information\_restore{66ED3EDC-B906-4EDF-A78D-5C2304F3078C}\RP851\. I have tried scanning in safe mode and disabling the system restore function but can't seem to find the virus. Any help would be greatly appreciated!!
pskelley
July 19th, 2004 22:00
Howdy, please follow the directions and we will see what we can do.
We need to make you aware that many logs are being posted. Because we are few, all volunteers with families and real jobs, who do not work for Dell, we will have to ask you to be patient. We work the logs in the order they come in, one of the experts (trained at SpywareInfo & Tom Coyote) will assist with your log as soon as possible. They may ask for a fresh log as rebooting can mutate the newest infections.
I would also suggest strongly that if you have not done so, you review the pinned information post that is on the New Message page of this forum. Here is a link to that thread:
http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=19204
We need you to download and install an analysis and repair tool called HijackThis. Download the zipped file from here: http://www.majorgeeks.com/download3155.html. Please see the following link for information about downloading and other FAQs. There is also a link there to an .exe version of HijackThis if there is anyone who absolutely cannot open a .zip file. Please use this for that purpose only due to limited bandwidth, thank you. HijackThis FAQ (Frequently Asked Questions) also at: http://russelltexas.com/malware/faqhijackthis.htm
Please unzip HijackThis.zip or move the hijackThis.exe file into a new folder you create in the root (first) level of the C: drive. Name this folder HJT for best and safest results. Don't place the Hijackthis.exe file on the Wallpaper, in a temp folder, or in the root level of the C: drive or in the My Documents folder. The use of Hijackthis to fix problems will create many backup files and they need to be stored in a unique Hijackthis folder. Then run HijackThis, click on the 'scan' button and then 'save log' button.
Copy and paste the contents of the text file you save into a reply to this message. A lot of posters make mistakes here in copying and pasting so reread the left info sidebar called Copy and Paste at http://www.tomcoyote.com/hjt. Special Notice! HijackThis is a powerful tool that edits the brains of Windows (the Registry). Do not fix anything in the HijackThis log screen without assistance from the experts! Most of the line items in the scanned log are normal for Windows operation. HijackThis should identify the vast majority of your problems and enable us to help you clean them off your system.
Stay in this thread for continuity. Reply to this message.
Thanks...pskelley
In training Tom Coyote Forum
& SpywareInfo.com
Expert Malware Responder Dell Forum
The following trained DellForum experts feel that too many helpers in one thread, or help from inexperienced users may increase the chance of software accidents. The following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, ChrisRLG, Baskar1234, Grinler, pskelley, SpotCheckBilly, and cghost.
Also...these longtime DellForum experts have proven time and again their advice is excellent for malware questions in general, Windows operations, and many specific items in Hijackthis logs: ddeerrff, msgale and redwolf_98.
AustinTexas45
July 20th, 2004 13:00
Here is the logfile, any help would be great!! Thanks.
Logfile of HijackThis v1.98.0
Scan saved at 9:24:26 AM, on 7/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINDOWS\System32\cba\pds.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\Promon.exe
C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
C:\WINDOWS\System32\qttask.exe
C:\PROGRA~1\SAV\vptray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\JumpCart\JumpCart.exe
C:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
C:\PROGRA~1\IBM\CLIENT~1\Emulator\PCSCM.EXE
C:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
C:\PROGRA~1\IBM\CLIENT~1\cwblmsrv.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\DOWNLOADS\HJT\HijackThis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: JumpCart.lnk = C:\Program Files\JumpCart\JumpCart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {53A38293-1BFF-11D1-B660-00C0C0D90028} - http://www.jumptech.com/webinstall/JumpCartInstall.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14FC6D23-6FA1-4AD8-880E-214CB4D3A398}: NameServer = 216.167.161.35,216.167.161.36
O17 - HKLM\System\CS1\Services\Tcpip\..\{14FC6D23-6FA1-4AD8-880E-214CB4D3A398}: NameServer = 216.167.161.35,216.167.161.36
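An added example, not from the thread or from HijackThis itself, that parses the O4 Run and O17 NameServer lines of a log in the format posted above and lists autorun entries given without a full path (like the Promon.exe entry) so they can be located and checked. The sample lines, regexes and the .exe cut-off heuristic are this example's own assumptions.

```python
import re

# Constructed sample in the shape of the HijackThis v1.98 log posted above
# (only enough lines to exercise each branch; not the full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{14FC6D23-6FA1-4AD8-880E-214CB4D3A398}: NameServer = 216.167.161.35,216.167.161.36
"""

# Assumed line shapes, derived from the log above.
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>[\d.,]+)$")


def executable_of(cmd: str) -> str:
    """Pull the program path out of an O4 command string.
    Quoted commands end at the closing quote. Unquoted ones (the Smtray.exe
    entry has spaces and no quotes) are cut after the first '.exe'; this is a
    practical heuristic, not how Windows itself resolves such a string."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:] if end == -1 else cmd[1:end]
    pos = cmd.lower().find(".exe")
    return cmd[: pos + 4] if pos != -1 else cmd.split(" ", 1)[0]


def is_unqualified(path: str) -> bool:
    """True when the entry names a file with no directory, so the file's
    real location must be found before judging it (Promon.exe above)."""
    return "\\" not in path and ":" not in path


def analyze(log_text: str) -> dict:
    """Return autorun entries, names needing a location check, and DNS servers."""
    autoruns, review, nameservers = [], [], []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m["cmd"])
            autoruns.append((m["hive"], m["name"], exe))
            if is_unqualified(exe):
                review.append(m["name"])
            continue
        m = O17_RE.match(line)
        if m:
            nameservers.extend(m["servers"].split(","))
    return {"autoruns": autoruns, "review": review, "nameservers": nameservers}
```

Run `analyze(SAMPLE_LOG)` to get the four autorun entries, the single unqualified name, and the two O17 name servers to compare against the DNS servers the ISP or network actually assigns.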