Trojan help

Called Completed.6.L and AVG says it is on a Svchost2.exe file. It brings up a porn dialer and changes the home page to www.pureseeker.com. It comes up when I connect to Internet Explorer. Have run all the usual - Spybot, adaware, avg, spysubtract, cwshredder, plus a couple of others but no luck shifting it. Had a search on Google but can't find anything apart from people posting Hijack This logs. Anybody have any idea or have a version of Hijack This that I could try, as when I d/l it from the official site the zip file extracts nothing
You sure it's called Completed.6.L? AVG say nothing about what it is? You tried running Housecall instead?
Got it wrong, it's called Collected.6.L :evil: Hadn't thought of House Call, will try that now and c what happens
Make sure you use the new one, Housecall 6 I think, it gives you the option to do so at the main page: http://housecall.trendmicro.com It's both spyware and a trojan (it's a modification of w32.startpage I think), but unfortunately I don't know how to remove it. If you see this thread: http://www.promisealways.com/forums/showthread.php?s=&threadid=41628 there are instructions and a link to HijackThis - post up a log if you're still having bother and I'll try and help.
I've still got probs with this cxtpls.exe. Tried all sorts, turning sys restore off, run adAware/spybot, used that hijackthis prog, deleted the infected files, rebooted in safe mode. rescanned. deleted. rebooted. looked clean. And it still reappears!!!! :spangled:
Ran House Call which picked up a trojan and a few other bits of spyware, n then rebooted in safe and scanned with ad-aware, spybot and cwshredder n then rebooted normally. Thought it had got rid of it but after opening a second IE page AVG reported it. Checked IE and the dialer and home page change haven't happened, which is at least something. But it's still not gone
Then you'll need to use HijackThis - extract it, and get a log file. Also, unless you're using Housecall, don't use IE - get Firefox instead. @ Swana - do the same, post a log file, there's more than just deleting the infected files :up; I may not be able to get back to you's on this til the weekend though.
Logfile of HijackThis v1.99.1
Scan saved at 08:56:56, on 29/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hpb2ksrv.exe
C:\WINDOWS\System32\hpbhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hpnra.exe
C:\WINDOWS\System32\hpstatus.exe
C:\Program Files\Java\j2re1.4.2_06\bin\javaw.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\wyowe.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\system32\idmtetab.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hpnsvr32.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINDOWS\System32\HPBSPSVR.EXE
C:\WINDOWS\System32\HPBJDSNT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CxtPls\CxtPls.exe <---- Here's the bugger !!
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\karlp\Desktop\HijackThis.exe

O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [HP Status] C:\WINDOWS\System32\hpstatus.exe
O4 - HKLM\..\Run: [HP Proxy Server] C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [2Efl] C:\WINDOWS\wyowe.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [evyrgvun] C:\WINDOWS\evyrgvun.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [rFrh3ti] idmtetab.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ao0nRjG6X] hpnsvr32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EA65731-713A-478B-BADF-0459D2C58B28}: NameServer = 92.110.10.3,92.110.20.254
O23 - Service: HP Status - Hewlett-Packard Company - C:\WINDOWS\System32\hpb2ksrv.exe
O23 - Service: HP Status Print - Unknown owner - C:\WINDOWS\System32\hpbhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
There's quite a few nasty things there (180 search assistant + others) - shall try to give you removal instructions tomorrow
Hmmm.... think mine has a bigger problem. When I run HJT it comes up with C:\HIJACKTHIS~1\HIJACK~1.EXE C:\WINDOWS\SYSTEM32\AUTOEXEC.NET. The system file is not suitable for running MS-Dos and Microsoft Windows application. Guessing the comp's a bit fucked then?
There will be... others generate from that cxtpls. I ain't worried bout tothers they'll prob be fine.. it's just that one!!
HIJACK~1.EXE is, erm, HijackThis... AUTOEXEC.NET has become corrupt, see here: http://support.microsoft.com/default.aspx?scid=kb;en-us;324767
@ Swana - download and update the following (but don't run): adaware, spybot, MS Antispyware, cwshredder, avg (manually update avg if it's playing up). Then turn off your net connection, and run all 5 in that order. Then close all open windows, run HijackThis, and delete the following (if still there):

C:\WINDOWS\wyowe.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\system32\hpnsvr32.exe
C:\WINDOWS\system32\idmtetab.exe
C:\Program Files\CxtPls\CxtPls.exe
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O4 - HKLM\..\Run: [2Efl] C:\WINDOWS\wyowe.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [evyrgvun] C:\WINDOWS\evyrgvun.exe
O4 - HKLM\..\Run: [rFrh3ti] idmtetab.exe
O4 - HKCU\..\Run: [ao0nRjG6X] hpnsvr32.exe

Close, reboot into safe mode, and delete:

the entire 180solutions folder in C:\Program Files\
C:\WINDOWS\evyrgvun.exe
idmtetab.exe and hpnsvr32.exe - you'll need to search for those two though, although they may have gone

Advice for future - stop using IE, use Firefox instead, and use M$ Antispyware as an always on agent.
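A first-pass triage of the O4 autorun lines from the log posted above, as an added example that is not part of the original thread: it flags Run values whose target is a bare filename or sits directly in the Windows folder. Both heuristics and the names `triage` and `target_of` are assumptions of this sketch, and a flag means "review this entry", not "malicious".

```python
import ntpath
import re

# O4 lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [HP Status] C:\WINDOWS\System32\hpstatus.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [2Efl] C:\WINDOWS\wyowe.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [evyrgvun] C:\WINDOWS\evyrgvun.exe
O4 - HKLM\..\Run: [rFrh3ti] idmtetab.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ao0nRjG6X] hpnsvr32.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
'''

# "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_LINE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Executable part of a command line: a quoted path, or everything up to the extension.
EXE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|scr|pif|lnk))\b', re.I)

def target_of(cmd):
    """Return the program path from a Run value, dropping quotes and arguments."""
    m = EXE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip()

def triage(log_text, windows_dir=r'C:\WINDOWS'):
    """Return (hive, value name, path, reasons) for Run entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue  # not a registry Run line (e.g. Global Startup shortcuts)
        path = target_of(m.group('cmd'))
        folder = ntpath.dirname(path)
        reasons = []
        if not folder:
            reasons.append('bare filename, resolved through the search path')
        elif ntpath.normcase(folder) == ntpath.normcase(windows_dir):
            reasons.append('executable sits directly in the Windows folder')
        if reasons:
            findings.append((m.group('hive'), m.group('name'), path, reasons))
    return findings

for hive, name, path, reasons in triage(SAMPLE_LOG):
    print(f'{hive} [{name}] {path}: {"; ".join(reasons)}')
```

On these lines the two path checks flag 2Efl, evyrgvun, rFrh3ti and ao0nRjG6X; the sais entry under 180solutions is also in the removal list above but can only be picked out by recognising the name.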
First off, there shouldn't be a svchost2.exe - next, where is the infected svchost.exe? It should give you the location, eg C:\Windows\ or summinck. Run HijackThis and post up a full log.
Yeah I read up on the svchost2 and found out then, so whenever it appeared I deleted it. Not sure where the infected svchost is, as avg has stopped picking it up and alerting me. All I'm getting now is a windows box popping up randomly, telling me that program won't run because of the autoexec.nt not being right/working on an MS-Dos system
Follow the instructions here: http://support.microsoft.com/default.aspx?scid=kb;en-us;324767 to fix autoexec.net, it's become corrupted so it just needs fixing. If AVG is finding nothing then I'm guessing whatever it was is gone.
Seems to have worked, cheers. Gonna get Firefox today. Also should I install SP2? Steered clear of it cos of all the bad stories when it first came out