Topic: Trojano-180, big problems (Read 6638 times)


Offline ran102

  • Newbie
  • *
  • Posts: 10
Trojano-180, big problems
« on: June 26, 2004, 11:36:56 PM »
Hello everyone.  I'll get right to it.  My home page has been hijacked to this address, res://hihxl.dll/index.html#96676 .  It is a page called "home search" with a couple hundred links on it.  Also upon starting Internet Explorer, a popup from "search-all-fast.com" appears, and then similar ones or the same one keep appearing frequently, as long as I am on the internet (I have dial-up), even if IE isn't running.  Now, I have Avast! loaded, updated, and running at its most secure level.  Frequently when online a virus alert pops up saying that I am infected with win32:trojano-180, I delete it, and then a little while later it pops up again.  So far in writing this message I have had 5.  I have done numerous pre-Windows XP loading scans at the highest level.  In addition to avast! I have installed, updated and used Ad-aware, HijackThis, Spybot S&D, Spyware Blaster, Registry Mechanic, and Spyware Doctor.  Usually after a few days I can get bugs off, but am stumped this time.  I have tried everything that I know how to do.  Oh, also after using IE for a while, the trojan or whatever I have stops any data at all from being transmitted over my modem (I know that this is not my service provider as it started exactly when I was infected).  That screen that says "this page cannot be displayed" is also different now, "kindly" offering other links to go to since the page is not available.  Thanks everyone here.  PS, I'm running Windows XP.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re:Trojano-180, big problems
« Reply #1 on: June 26, 2004, 11:42:38 PM »
Hello!
Did you block the IE start page into Spyware Blaster?
Where is the trojan located? (file and path) Maybe you should empty your temporary folder and/or disable system restore (to empty it and enable it again)  ::)
The best things in life are free.

Offline ran102

  • Newbie
  • *
  • Posts: 10
Re:Trojano-180, big problems
« Reply #2 on: June 27, 2004, 12:26:33 AM »
I'm not sure what you mean by blocking the start page.  I have all of Spyware Blaster's protection updated and enabled.  I will list the places this trojan has infected so far (the ones that I've written down).  These all start with C:/windows/  -  apisf.exe, atlrr.exe, ntkq.exe, crbi32.exe, iehv.exe, msyj32.exe, apity32.exe, atlfq32.exe, sdkyf.exe, winaw32.exe.  I have deleted them all.

Offline ran102

  • Newbie
  • *
  • Posts: 10
Re:Trojano-180, big problems
« Reply #3 on: June 27, 2004, 12:28:20 AM »
PS, C:/windows/winsr.exe just popped up in avast while I was posting this.  I deleted it.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re:Trojano-180, big problems
« Reply #4 on: June 27, 2004, 01:06:02 AM »
I'm not sure what you mean by blocking the start page.

SpyBot and SpywareBlaster have features to 'lock' the IE start page.
You said this in your first post, if I understood it correctly  ::)
The best things in life are free.

Offline ran102

  • Newbie
  • *
  • Posts: 10
Re:Trojano-180, big problems
« Reply #5 on: June 27, 2004, 03:27:50 PM »
OK.  I see in Spyware Blaster what you mean.  I set everything in there to what it was before, and it worked for one time when I opened IE.  The next time I opened it, it's back to the wrong home page again.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re:Trojano-180, big problems
« Reply #6 on: June 27, 2004, 05:27:54 PM »
OK.  I see in Spyware Blaster what you mean.  I set everything in there to what it was before, and it worked for one time when I opened IE.  The next time I opened it, it's back to the wrong home page again.

So you have a trojan  :'(
Try a full scan with avast, a scan at boot time and, if you can, I suggest an online scan by Trend Micro (www.trendmicro.com).
Maybe you can send an IM to whocares and ask for help.
See the virus board and read his advice: http://forum.avast.com/index.php?board=4;action=display;threadid=5373
The best things in life are free.

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Trojano-180, big problems
« Reply #7 on: June 27, 2004, 06:28:05 PM »
You may also try this cleaner: http://www.downloads.subratam.org/AboutBuster.zip

After that, restart (stay offline!), generate a HijackThis log (www.hjt.klaffke.de/en) and post it here, or better in the Viruses and Worms forum.
MfG Ralf

Offline ran102

  • Newbie
  • *
  • Posts: 10
Re:Trojano-180, big problems
« Reply #8 on: June 28, 2004, 02:13:55 AM »
That program, AboutBuster, seemed to find and delete a lot of stuff.  I thought that it worked, because after doing that and then doing a boot scan with avast! Internet Explorer was reset to my home page and even after a couple of reloads it seemed to work smoothly.  Then, all of a sudden I got that trojano-180 warning from Avast! and now it's back.  Anyway, here's my log.

Logfile of HijackThis v1.97.7
Scan saved at 5:08:06 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\apiid32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\prdhy.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://prdhy.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://prdhy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\prdhy.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://prdhy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\prdhy.dll/sp.html#96676
O2 - BHO: (no name) - {372EF314-6508-92AB-732E-258B08992A73} - C:\WINDOWS\d3uc.dll
O4 - HKLM\..\Run: [mswspl] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [apiid32.exe] C:\WINDOWS\apiid32.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38164.8623263889
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF97B015-1FF3-46FD-A784-709AC574A598}: NameServer = 63.93.64.20 63.93.64.21


Thank you for your help.
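The log above shows the three places this kind of hijacker anchors itself: the IE start/search pages rewritten to a res:// resource inside a DLL, an unnamed Browser Helper Object, and a Run key plus a running process pointing at a randomly named executable directly in C:\WINDOWS (the same location as every file ran102 listed earlier). The following triage script is an added example, not code from this thread, HijackThis or Avast; it parses HijackThis-style lines, applies those three checks, reports the O17 DNS servers for review, and runs over lines quoted from the posted log. The allowlist of binaries that legitimately live in the Windows root is an assumption kept deliberately short.

```python
"""Triage for HijackThis-style log lines: an added example, not code from
the forum thread, HijackThis or Avast.  Flags res:// start/search pages,
unnamed BHOs, and Run keys / processes loading from the Windows root."""
import re
from dataclasses import dataclass
from typing import List, Optional

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
REG_VALUE_RE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\]\s*(?P<path>.*)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(?P<servers>.*)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
WINDOWS_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.(exe|dll)$", re.IGNORECASE)

# Assumption: a short allowlist of binaries that legitimately sit in the
# Windows root folder on XP, so Explorer.EXE in the process list is not flagged.
KNOWN_ROOT_BINARIES = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    code: str      # HijackThis section code (R0, R1, O2, O4, O17) or PROC
    reason: str
    line: str


def in_windows_root(path: str) -> bool:
    """True when an .exe/.dll sits directly in the Windows root, not a subfolder."""
    return bool(WINDOWS_ROOT_RE.match(path.strip()))


def triage_entry(line: str) -> Optional[Finding]:
    """Classify one R/O entry; returns None for entries that look normal."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1"):
        rv = REG_VALUE_RE.match(body)
        # A start/search page served from a DLL resource is the hallmark of
        # the "home search" hijack: IE renders res://<dll>/index.html at start.
        if rv and rv.group("value").lower().startswith("res://"):
            return Finding("high", code, "IE start/search page points at a res:// DLL resource", line)
    elif code == "O2":
        bho = BHO_RE.match(body)
        if bho and (bho.group("name") == "(no name)" or in_windows_root(bho.group("path"))):
            return Finding("high", code, "unnamed BHO, or BHO DLL loaded from the Windows root", line)
    elif code == "O4":
        run = RUN_RE.match(body)
        if run and in_windows_root(run.group("path")):
            return Finding("high", code, "Run key starts an executable from the Windows root", line)
    elif code == "O17":
        ns = NAMESERVER_RE.search(body)
        if ns:
            # Not malicious by itself, but surfaced so the user can confirm
            # the addresses against their ISP.
            return Finding("info", code, f"DNS servers {ns.group('servers')}: confirm they are your ISP's", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run over a whole log: process paths plus every R/O entry."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if PROCESS_RE.match(line):
            name = line.rsplit("\\", 1)[-1].lower()
            if in_windows_root(line) and name not in KNOWN_ROOT_BINARIES:
                findings.append(Finding("medium", "PROC", "process running from the Windows root", line))
            continue
        f = triage_entry(line)
        if f:
            findings.append(f)
    return findings


# Lines quoted from the HijackThis log posted above, trimmed to the
# sections the triage looks at.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\apiid32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\prdhy.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://prdhy.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://prdhy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\prdhy.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://prdhy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\prdhy.dll/sp.html#96676
O2 - BHO: (no name) - {372EF314-6508-92AB-732E-258B08992A73} - C:\WINDOWS\d3uc.dll
O4 - HKLM\..\Run: [mswspl] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [apiid32.exe] C:\WINDOWS\apiid32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF97B015-1FF3-46FD-A784-709AC574A598}: NameServer = 63.93.64.20 63.93.64.21
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code:4} {f.reason}\n         {f.line}")
```

Run against the quoted lines it flags all six R0/R1 entries, the d3uc.dll BHO, the apiid32.exe Run key and the apiid32.exe process, leaves the ATI and avast! entries and Explorer.EXE alone, and lists the two DNS servers as informational. The Windows-root heuristic is what ties the findings together: the log's legitimate software runs from System32 or Program Files, while the hijacker's components all share the root folder that ran102's earlier deletions came from.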

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re:Trojano-180, big problems
« Reply #9 on: June 28, 2004, 03:52:36 AM »
raman, I did not forget you but I didn't know you were round in this part of the forums... Thanks for helping in this issue  ;)
The best things in life are free.

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Trojano-180, big problems
« Reply #10 on: June 28, 2004, 05:45:04 AM »
Technical, ran102 post a topic in "virus and worms"!;)

Please fix the following entries in safe mode (!).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\prdhy.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://prdhy.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://prdhy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\prdhy.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://prdhy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\prdhy.dll/sp.html#96676
O2 - BHO: (no name) - {372EF314-6508-92AB-732E-258B08992A73} - C:\WINDOWS\d3uc.dll

Rename these files:

C:\WINDOWS\d3uc.dll
C:\WINDOWS\apiid32.exe

and send them packed and password-protected to virus(at)asw.cz
MfG Ralf