


my computer ate a trojan :(

 
maticmuzik
TweakNOOB


Joined: 01 Aug 2004
Posts: 37

Posted: Sun Mar 16, 2008 5:20 pm    Post subject: my computer ate a trojan :(

k....I've pre-determined that I have the w32.poison1 trojan, prorat trojan, and I'm unsure whether or not I still have virtumundo...found these off Spybot. It hasn't seemed to have done much help after a fix & restart. I can't access the internet from the infected computer, my wireless has been down since I clicked on the first file that gave me the problems. I also have a "sservice.exe" message box that pops up on EVERY restart that says "updating my settings" or something to that effect, and then it disappears. Once again this is a reoccurring message so I believe whatever took me over keeps setting up shop every restart. I also took notice of the fact that the icon for the infected file I clicked on in the first place (damn damn damn) has attached itself to my services.exe file in c:/windows. It seems like the problems are here to stay, but if I remember right, last time I came to this forum I found the solution to my problem through explaining and posting my HJT log. Thanks for your help ahead of time. HijackThis log below....



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:45:55 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\services.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\mgrs.exe
C:\Documents and Settings\All Users\Application Data\dyfmvipo.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O2 - BHO: CDNSCacheObj Object - {376892AE-1825-4E5F-9F85-23F9640051CC} - C:\WINDOWS\xmljacodec.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: SVIEBHO Class - {B3C54716-9D0A-4666-A81A-6072A6325A5A} - C:\Program Files\SelectView\svie.dll
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\ifimckli.dll",forkonce
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [dyfmvipo.exe] C:\Documents and Settings\All Users\Application Data\dyfmvipo.exe
O4 - HKCU\..\Run: [Tauo] "C:\WINDOWS\RACLE~1\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKLM\..\Policies\Explorer\Run: [DirectX For Microsoft® Windows] C:\WINDOWS\system32\fservice.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: SelectView - {16D60F96-2FF6-40b2-96D3-C32170E45A01} - C:\Program Files\SelectView\svie.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\fxxhyyct.exe (file missing)
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe

--
End of file - 5295 bytes



......thanks again ahead of time, I hope I can speedily find a solution to these many problems.
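A triage pass over a HijackThis log like the one posted above, as an added example that is not part of the original post and not HijackThis's own logic. The rules are assumed heuristics (system process names running outside system32, extra programs on the Shell= line, path-less or Application Data autostarts, services with unknown owner or missing file); a hit means "review this entry", not "confirmed malicious".

```python
import re

# Names of Windows system processes that normally run only from C:\WINDOWS\system32.
SYSTEM32_ONLY = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                 "svchost.exe", "spoolsv.exe"}

# Excerpt of the HijackThis log posted above.
SAMPLE = r"""
C:\WINDOWS\system32\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\Explorer.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [dyfmvipo.exe] C:\Documents and Settings\All Users\Application Data\dyfmvipo.exe
O4 - HKLM\..\Policies\Explorer\Run: [DirectX For Microsoft® Windows] C:\WINDOWS\system32\fservice.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\fxxhyyct.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

def triage(log_text):
    """Return (reason, line) pairs for entries worth a manual look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        low = line.lower()
        if re.match(r"^[a-z]:\\", low):  # a "Running processes" entry
            folder, _, name = low.rpartition("\\")
            if name in SYSTEM32_ONLY and folder != r"c:\windows\system32":
                findings.append(("system process name outside system32", line))
        elif low.startswith("f2 -") and "shell=" in low:
            shell = low.split("shell=", 1)[1].strip()
            if shell != "explorer.exe":
                findings.append(("extra program on the Shell= line", line))
        elif low.startswith("o4 -") and "]" in line:
            cmd = low.split("]", 1)[1].strip()  # command after the [name] label
            if re.fullmatch(r"[^\\\s]+\.exe", cmd):
                findings.append(("autostart with no path", line))
            elif re.search(r"\\application data\\[^\\]+\.exe", cmd):
                findings.append(("autostart from Application Data root", line))
            elif "\\policies\\explorer\\run:" in low:
                findings.append(("autostart via Policies\\Explorer\\Run", line))
        elif low.startswith("o23 -"):
            if "unknown owner" in low or "(file missing)" in low:
                findings.append(("service with unknown owner or missing file", line))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE):
        print(f"[{reason}] {line}")
```
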
[TN] Nathan
ALMIGHTY PWNER!


Joined: 14 Feb 2002
Posts: 7406

Posted: Sun Mar 16, 2008 6:37 pm    Post subject:

Download and use: MAKE SURE YOU UPDATE THEM

Then restart in safe mode. Go to Run, then type msconfig and go to the Startup tab and uncheck anything that looks suspicious.

Then scan using

Spybot Search and destroy
Ad Aware
A2 Squared free Edition

Also run a good antivirus.
_________________
Owner & Administrator
www.Tweaknews.net
www.Pocketbookpinch.com
Xal
Lord of the Tweak


Joined: 15 Jul 2004
Posts: 2858
Location: Tweaknation =P

Posted: Mon Mar 17, 2008 1:24 am    Post subject:

I would run AVG Free Antivirus both before and after you run the apps Nathan mentioned. The trojan that hit me overwrote my tcpip.sys in windows\system32\drivers and that killed my internet. Replacing it with the original version and restarting sorted out the problem. If you use all the apps and still have no internet then do a search by date modified in your windows folder. Set the dates to be between the time you were infected and present.

Good luck.
_________________
Phenom II x4 955 @ Stock
Asus M3N78-EM
4gb Corsair XMS2 DDR2 667 @ 800
1gb Powercolor Radeon HD 5850 @ Stock
X-fi Extreme Audio PCI E
Nexus 600W Silent PSU
Nexus Fans
Custom case
All times are GMT - 5 Hours