Trojan will not go away

Computing.Net > Forums > Security and Virus > Trojan will not go away

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

Trojan will not go away

Name: ImJustAClone22
Date: January 20, 2004 at 16:37:36 Pacific
OS: Windows XP
CPU/Ram: 74.4 gigs

Comment:

Hi. The other day I turned on my computer, and my system 32 folder pops up. I didn't think anything of it. Then a couple of days later i get a warning from AVG saying i have the Downloader.small.ct trojan virus. In my system 32 folder as the file aaa.exe I ran AVG numerous times but I can't get rid of it, everytime I delete it, it comes back the next day. Is there any way to fix this? Thank you in advance.
Logfile of HijackThis v1.97.7
Scan saved at 7:10:15 PM, on 1/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dan\My Documents\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = home.netscape.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0FB12FED-B38C-ADE4-EAB3-CD3869D1A7CF} - C:\WINDOWS\system32\vvggvkpd.dll
O2 - BHO: (no name) - {2FF9E98F-CFDE-E2C0-B33D-C6DF36AC313B} - C:\WINDOWS\system32\bmaxepja.dll
O2 - BHO: (no name) - {433107CD-EBCB-F8BB-2146-682D10C52CB1} - C:\WINDOWS\system32\oacaxeem.dll
O2 - BHO: (no name) - {44BA0634-9328-701B-E525-29F35F5FC8AD} - C:\WINDOWS\system32\nhftooyf.dll
O2 - BHO: (no name) - {5BF0CAEF-42E5-9A6B-EC0E-7B22D0A2DE0F} - C:\WINDOWS\system32\sqggtwwt.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {A2C23BF3-7E43-914F-400D-6BCBAA0CA88E} - C:\WINDOWS\system32\tubmrqja.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B3BEE109-FB5C-6F25-9098-7CCEDCF479AE} - C:\WINDOWS\system32\vlxfjzfo.dll
O2 - BHO: (no name) - {B6862DB4-580C-832A-ADBE-D57AB2EC89DE} - C:\WINDOWS\system32\bmrbboui.dll
O2 - BHO: (no name) - {CD0CA64E-A3D2-EC31-B441-469DB063DA9D} - C:\WINDOWS\system32\utxfwokm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [VSOCheckTask] c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe/checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.exe /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [uueyaobj] C:\WINDOWS\nvceoocy.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [AGJ] C:\WINDOWS\AGJ.exe
O4 - HKLM\..\Run: [VGJQWDK] C:\WINDOWS\VGJQWDK.exe
O4 - HKLM\..\Run: [VCIPWR] C:\WINDOWS\VCIPWR.exe
O4 - HKLM\..\Run: [BHOUBELR] C:\WINDOWS\BHOUBELR.exe
O4 - HKLM\..\Run: [WDKQXEKRX] C:\WINDOWS\WDKQXEKRX.exe
O4 - HKLM\..\Run: [AGNTAHNU] C:\WINDOWS\AGNTAHNU.exe
O4 - HKLM\..\Run: [LVDNITA] C:\WINDOWS\LVDNITA.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Dan\Application Data\DownloadPlus.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Control Pad (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/verizon/polarbowler/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C621004F-DFAA-41F1-9940-A8523582D768}: NameServer = 151.202.0.84 151.203.0.84

Sponsored Link

Ads by Google

Response Number 1

Name: capt
Date: January 20, 2004 at 16:46:35 Pacific

Reply:

Did you follow all the removal instrctions for this trojan/worm, including Turning off "system restore"? You do this by right clicking "My Computer>select properties>turn off System Restore" and then restart. Run AVG and if the system is clean turn "system restore" back on.

Response Number 2

Name: ImJustAClone22
Date: January 20, 2004 at 17:12:37 Pacific

Reply:

I turned the system restore off and ran AVG and removed the file, but when i restarted it with the system restore back on, it came back.

Response Number 3

Name: Dog
Date: January 20, 2004 at 18:36:01 Pacific

Reply:

From my limited knowledge it looks like you have a massive dose of the peper virus. Do a search of this forum or go to
http://www.mjc1.com/files/peperpage/
and check it out.
No doubt others will help you here too
HTH
Dog

Response Number 4

Name: Dog
Date: January 20, 2004 at 18:42:06 Pacific

Reply:

By the way, you should follow this
A Good Place To Start
befor posting HJT logs
Dog

Response Number 5

Name: Imp
Date: January 21, 2004 at 00:39:38 Pacific

Reply:

Easiest way, which don't ask any particular knowledge to rid off a trojan horse, try Trojan Remover 6.15 this program resolve alone all problem connected to that betrayal, freeware during one month but fully updated.
Using two scans: one for the memory, one to hunt and eradicate the worm hidden in the hard drive....

get Process name from PID rdp console acrobat iehelper	dosbox lpt1 crypserv.exe cts-c21256
See More

Response Number 6

Name: ImJustAClone22
Date: January 21, 2004 at 13:36:54 Pacific

Reply:

Thank You Everyone. You Helped Me Fix My Problem. The Virus Is Gone (Or It Seems This Way) So Thank You All Again.

Sponsored Link

Ads by Google

vbAccelerator Question

i have 2 trojans i cant g...

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Sponsored links

Ads by Google

Results for: Trojan will not go away

POPNAV Virus/Will not go away

Summary

www.computing.net/answers/security/popnav-viruswill-not-go-away/8992.html

IST wont go away!

Summary

www.computing.net/answers/security/ist-wont-go-away/12820.html

SPYWARE/PORN wont go away!!!!

Summary

www.computing.net/answers/security/spywareporn-wont-go-away/5164.html

From the Geek Dictionary
favorited - Favorited The act of adding someones tweet to your favorites in Twitte...

Ask a Question!

Weekly Poll
Did you go shopping on Black Friday?

Poll Finishes In 3 Days.
Discuss in The Lounge
Poll History

Recent Posts
network timed out after few hours

MYOB Retail Manager

Get tomorrows date in solaris

San storage

Upd8'd iTunes now 2Gen iPod won't sync-Help?

All Awaiting Reply

Tom's News
Man Officially Married Virtual GF, Plans Future

12-inch Netbooks to Go Mainstream in 2010

Man Arrested Robbing RuneScape Characters

Nintendo Sold 1.5 Million Systems Last Week

PS3 Sales Reach All Time High Over Black Friday

More Tom's Guide News

Data Recovery

Manufacturer List | About Us | Advertising Info | Contact Us
The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE