Author Topic: Troj/Zikdow-A  (Read 8239 times)


iamgiggs

  • Guest
Troj/Zikdow-A
« on: December 03, 2003, 07:19:44 PM »
I get very slow startups and a msg pops up saying they can't find C:\$NtUninstallQ887678$.winsys.vbs.  Also, I can't change my home page for Internet Explorer...they keep starting me on this website where I remember catching this trojan.

I did some research and it seems I have caught Troj/Zikdow-A.  Can anyone help me solve this problem and get rid of this trojan?

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Troj/Zikdow-A
« Reply #1 on: December 03, 2003, 07:52:23 PM »
 Please post a hijackthis log: http://www.tomcoyote.org/hjt/
Download then unzip the file and double click on the "HijackThis" icon.
When finished loading click on the "Scan button".
Next click on the "Save Log" button. Save the log somewhere you will remember and open the log file with notepad. Then copy the contents and paste them in a reply to be checked. (Taken from http://forums.net-integration.net/index.php?showtopic=6624)

MfG Ralf

iamgiggs

  • Guest
Re:Troj/Zikdow-A
« Reply #2 on: December 03, 2003, 08:14:53 PM »
here..

Logfile of HijackThis v1.97.7
Scan saved at 03:26:08, on 03/12/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\EzButton\CPLBTS88.EXE
C:\PROGRA~1\Save\Save.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\ICQ\ICQ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andrew Ong\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mtv911.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mtv911.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mtv911.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wwwcache.ed.ac.uk/config/proxy-config.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.mtv911.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.mtv911.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.mtv911.com
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CPLBTS88] C:\PROGRA~1\EzButton\CPLBTS88.EXE
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WlN32] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
O4 - HKLM\..\RunOnce: [WlN32] C:\$NtUninstallQ887678$\WINSYS.vbs
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\ICQ.exe -trayboot
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

thanks in advance

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Troj/Zikdow-A
« Reply #3 on: December 03, 2003, 08:29:09 PM »
Please let Hijackthis fix this:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mtv911.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mtv911.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mtv911.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wwwcache.ed.ac.uk/config/proxy-config.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.mtv911.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.mtv911.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.mtv911.com
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [WlN32] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
O4 - HKCU\..\Run: [] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
O4 - HKLM\..\RunOnce: [WlN32] C:\$NtUninstallQ887678$\WINSYS.vbs
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

You should delete the following files or folders, after a restart.
C:\$NtUninstallQ887678$
msblast.exe
C:\WINDOWS\System32\P2P Networking\
C:\PROGRA~1\Save
C:\Program Files\MyWay\myBar

Update your Windows and IE via www.windowsupdate.com as fast as possible.
MfG Ralf
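The fix list above is essentially a set of triage rules applied to a HijackThis log by hand. The script below is an added example (not from this thread and not part of HijackThis) that applies the same rules automatically: it parses the R0/R1, O2/O3 and O4 lines, flags start-page entries that point at the hijack domain seen in the log, autorun commands that launch from a `$NtUninstall...$` hotfix folder, silent `regedit -s` imports, VBScript autoruns, empty-named Run values, the `msblast.exe` Blaster worm entry, and the MyWay/WhenU/P2P Networking adware components. The hijack domain and adware markers are taken from the log posted in Reply #2; the heuristics themselves are constructed for this example, and the sample log is a subset of that post.

```python
import re

# Subset of the HijackThis log posted in Reply #2, used as sample input.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mtv911.com
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [WlN32] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
O4 - HKCU\..\Run: [] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
O4 - HKLM\..\RunOnce: [WlN32] C:\$NtUninstallQ887678$\WINSYS.vbs
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
"""

# Hijack domain observed in the thread's log (assumption: the user never chose it).
HIJACK_DOMAINS = ("mtv911.com",)
# Adware / P2P components raman asked the poster to remove (path fragments from the log).
ADWARE_MARKERS = (r"myway\mybar", r"progra~1\save", "p2p networking")

# O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# R0/R1 - key,value = data   (data may be empty, as for SearchAssistant)
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
# Hotfix uninstall folder names look like $NtUninstallQ123456$; nothing legitimate autoruns from one.
NTUNINSTALL_RE = re.compile(r"\$ntuninstall[^$\\]*\$")


def triage_line(line):
    """Return the list of reasons this log line looks suspicious (empty list = nothing flagged)."""
    reasons = []
    m = R_RE.match(line)
    if m:
        if any(d in m.group("data").lower() for d in HIJACK_DOMAINS):
            reasons.append("IE start/default page points at the hijack domain")
        return reasons
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd").strip().lower()
        if NTUNINSTALL_RE.search(cmd):
            reasons.append("autorun launches from a hotfix uninstall folder ($NtUninstall...$)")
        if cmd.startswith(("regedit -s", "regedit.exe -s")):
            reasons.append("silent registry import (regedit -s) at logon")
        if cmd.endswith(".vbs"):
            reasons.append("autorun executes a VBScript")
        if not m.group("name"):
            reasons.append("Run value has an empty name")
        if "msblast.exe" in cmd:
            reasons.append("msblast.exe is the Blaster/Lovsan worm executable")
        if any(mk in cmd for mk in ADWARE_MARKERS):
            reasons.append("known adware/P2P component")
        return reasons
    if line.startswith(("O2 - BHO:", "O3 - Toolbar:")):
        if any(mk in line.lower() for mk in ADWARE_MARKERS):
            reasons.append("browser helper object/toolbar from an adware package")
    return reasons


def triage_log(text):
    """Run triage_line over every non-empty line; return [(line, reasons)] for flagged lines only."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

On the sample above the script flags eight of the eleven lines and leaves the avast! autorun and the Acrobat BHO alone; the `$NtUninstallQ887678$` entries collect two or three reasons each, which is the kind of corroboration that makes the "delete this folder after a restart" step safe to recommend.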

iamgiggs

  • Guest
Re:Troj/Zikdow-A
« Reply #4 on: December 03, 2003, 08:52:16 PM »
I've done all the fixing with HijackThis...but I can't seem to find the first file you asked me to delete....where is it hiding?...thanks so far for all your help

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Troj/Zikdow-A
« Reply #5 on: December 03, 2003, 09:01:40 PM »
No, it is not hidden in any way (normally), it seems to be some leftover entries from a former Blaster/Lovsan infection.
MfG Ralf

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re:Troj/Zikdow-A
« Reply #6 on: December 03, 2003, 09:32:05 PM »
and save.exe is spyware/adware
"People who are really serious about software should make their own hardware." - Alan Kay