Author Topic: win32 trojano-141  (Read 5961 times)

onlyme1984

  • Guest
win32 trojano-141
« on: August 26, 2004, 04:10:25 PM »
Wondering if anyone knows how to fix this problem. I've been reading the forum and tried the suggestions, but it still remains.

My browser was hijacked and changed to http://thenewsearch.com/search.html. I've got HijackThis, Spybot S&D and avast, but it still managed to get through; a bit slack on the updates, I guess. avast says I'm infected with the virus win32 trojano-141, but I read that it was not a virus but a hijacked browser.

Running Windows XP

Here is the log file determined by hijackthis

Logfile of HijackThis v1.98.2
Scan saved at 12:05:34 AM, on 27/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\sllights.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis19802.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thenewsearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://thenewsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://thenewsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thenewsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://thenewsearch.com/search.html
O1 - Hosts: 69.50.173.250 auto.search.msn.com
O1 - Hosts: 69.50.173.250 auto.search.msn.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A370DF5E-F361-438D-A86C-DABAF10D44AB}: NameServer = 203.89.226.26 203.89.226.24

If anyone knows what's wrong, it would be much appreciated. Cheers

whocares

  • Guest
Re:win32 trojano-141
« Reply #1 on: August 26, 2004, 04:29:37 PM »
Hi,

here's an analysis:

http://hijackthis.de/logfiles/216a06eef5135c823b979f6fa6fc1d34.html

fix (in SAFEMODE: F8 boot) everything that's marked yellow or red, EXCEPT the O9 & O17 entries

you might want to check the PROCESSES marked yellow with the online scanners from Trend, RAV & KAV (although they're probably all ok..)

see "VirusRemoval" below in my sig. for links and also tips how to secure your system better ;)
« Last Edit: August 26, 2004, 04:31:28 PM by whocares »

whocares

  • Guest
Re:win32 trojano-141
« Reply #2 on: August 26, 2004, 04:33:35 PM »
and after fixing,
reboot, and then please move the file
C:\WINDOWS\System32\winupd.exe
into a password-protected ZIP or RAR archive
and email it to
virus (at) avast.com
 ;)

Offline Eddy

  • Avast Evangelist
Re:win32 trojano-141
« Reply #3 on: August 26, 2004, 04:34:57 PM »
==========================================================================
THESE ITEMS SHOULD BE REMOVED:
==========================================================================
\windows\system32\slserv.exe
r1 - hkcu\software\microsoft\internet explorer,search = http://thenewsearch.com/search.html
r1 - hkcu\software\microsoft\internet explorer,searchurl = http://thenewsearch.com/search.html
r1 - hklm\software\microsoft\internet explorer,search = http://thenewsearch.com/search.html
r1 - hklm\software\microsoft\internet explorer,searchurl = http://thenewsearch.com/search.html
r1 - hkcu\software\microsoft\internet explorer\main,default_search_url = http://thenewsearch.com/search.html
r1 - hkcu\software\microsoft\internet explorer\main,search bar = http://thenewsearch.com/search.html
r1 - hkcu\software\microsoft\internet explorer\main,search page = http://thenewsearch.com/search.html
r0 - hkcu\software\microsoft\internet explorer\main,start page = http://thenewsearch.com/thenewsearch.html
r1 - hklm\software\microsoft\internet explorer\main,default_search_url = http://thenewsearch.com/search.html
r1 - hklm\software\microsoft\internet explorer\main,search bar = http://thenewsearch.com/search.html
r1 - hklm\software\microsoft\internet explorer\main,search page = http://thenewsearch.com/search.html
r0 - hklm\software\microsoft\internet explorer\main,start page = http://thenewsearch.com/thenewsearch.html
r1 - hkcu\software\microsoft\internet explorer\search,searchassistant = http://thenewsearch.com/search.html
r1 - hkcu\software\microsoft\internet explorer\search,customizesearch = http://thenewsearch.com/search.html
r0 - hklm\software\microsoft\internet explorer\search,searchassistant = http://thenewsearch.com/search.html
r0 - hklm\software\microsoft\internet explorer\search,customizesearch = http://thenewsearch.com/search.html
o1 - hosts: 69.50.173.250 auto.search.msn.com
o1 - hosts: 69.50.173.250 auto.search.msn.com
o4 - hklm\..\run: [winupd] c:\windows\system32\winupd.exe

==========================================================================
THESE ITEMS ARE NOT NEEDED TO LOAD AT BOOTTIME FOR
THE SYSTEM TO WORK, IT IS RECOMMENDED TO REMOVE THEM:
==========================================================================
o4 - hklm\..\run: [share-to-web namespace daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
o4 - hkcu\..\run: [msmsgs] "c:\program files\messenger\msmsgs.exe" /background
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office10\osa.exe
o9 - extra button: real.com - {cd67f990-d8e9-11d2-98fe-00c0f0318afe} - c:\windows\system32\shdocvw.dll
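The lists above can be produced mechanically from the log. What follows is an added example, not code from this thread, from avast or from the HijackThis project: a small Python script that parses HijackThis-style R0/R1, O1, O4 and O17 lines and flags the same three patterns the replies point at (start/search page values pointing off-site, a hosts entry pinning a Microsoft search hostname to a foreign address, and an autorun launched from the Windows directory that is not a known system binary), while listing O17 name servers for review only, as whocares advises. The sample log, the EXPECTED_DOMAINS baseline and the KNOWN_SYSTEM_AUTORUNS allowlist are constructed assumptions for this example, not an official baseline.

```python
"""Flag browser-hijack indicators in a HijackThis-style log.

Added example for this thread; not code from the forum, from avast or
from the HijackThis project. The log below is constructed, modelled on
the kinds of entries quoted in the thread. EXPECTED_DOMAINS and
KNOWN_SYSTEM_AUTORUNS are assumptions chosen for this example.
"""
import re

# Constructed sample log (not the poster's real log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2 (constructed sample)
Running processes:
C:\WINDOWS\system32\services.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thenewsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.msn.com/
O1 - Hosts: 69.50.173.250 auto.search.msn.com
O1 - Hosts: 69.50.173.250 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{INTERFACE-GUID}: NameServer = 203.89.226.26
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<detail>.+)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
HOSTS_RE = re.compile(r"Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
RUN_RE = re.compile(r"(?P<loc>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)")
EXE_RE = re.compile(r'"?([^"]+?\.exe)"?', re.IGNORECASE)

# Assumption: domains IE's start/search pages legitimately pointed at in this era.
EXPECTED_DOMAINS = {"msn.com", "microsoft.com"}
# Assumption: Microsoft binaries that normally autorun from the Windows directory.
KNOWN_SYSTEM_AUTORUNS = {"ctfmon.exe"}


def parse_entries(log_text):
    """Yield (code, detail) for each R*/O* line; headers and process paths are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("detail")


def base_domain(host):
    """Collapse a hostname to its last two labels (a crude registrable-domain approximation)."""
    labels = host.lower().strip().split(".")
    return ".".join(labels[-2:])


def domain_of(text):
    """Base domain of the first http(s) URL in the text, or None if there is none."""
    m = URL_HOST_RE.search(text)
    return base_domain(m.group(1)) if m else None


def find_hijack_indicators(log_text):
    """Return de-duplicated findings, each a dict with rule, severity and the log detail."""
    findings, seen = [], set()

    def add(rule, severity, detail):
        key = (rule, detail.lower())          # the log may repeat an entry (e.g. hosts lines)
        if key not in seen:
            seen.add(key)
            findings.append({"rule": rule, "severity": severity, "detail": detail})

    for code, detail in parse_entries(log_text):
        if code in ("R0", "R1"):
            # Start/search page registry values pointing away from expected domains.
            dom = domain_of(detail)
            if dom and dom not in EXPECTED_DOMAINS:
                add("search-page-redirect", "fix", detail)
        elif code == "O1":
            # hosts-file entry pinning a well-known name to a non-loopback address.
            m = HOSTS_RE.match(detail)
            if m and base_domain(m.group("host")) in EXPECTED_DOMAINS and not m.group("ip").startswith("127."):
                add("hosts-override", "fix", detail)
        elif code == "O4":
            # Autorun launched from the Windows directory that is not a known system binary.
            m = RUN_RE.match(detail)
            exe = EXE_RE.search(m.group("cmd")) if m else None
            if exe:
                path = exe.group(1).lower()
                name = path.rsplit("\\", 1)[-1]
                if "\\windows\\" in path and name not in KNOWN_SYSTEM_AUTORUNS:
                    add("autorun-in-windows-dir", "fix", detail)
        elif code == "O17":
            # DNS servers are usually the ISP's; report them for review, never auto-fix.
            add("nameserver", "review", detail)
    return findings


def fix_list(findings):
    """The lines a helper would tell the poster to fix (severity 'fix' only)."""
    return [f["detail"] for f in findings if f["severity"] == "fix"]


if __name__ == "__main__":
    for f in find_hijack_indicators(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['rule']:24} {f['detail']}")
```

Run against the constructed log it reports the two redirected page values, the hosts override once (the duplicate line is collapsed), the winupd.exe autorun, and the name server as a review item; ctfmon.exe and the avast autorun are left alone. The allowlist and expected-domain set are deliberately small; on a real machine they would come from a known-good baseline of that system.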
 

whocares

  • Guest
Re:win32 trojano-141
« Reply #4 on: August 26, 2004, 04:59:41 PM »
if the PC has a SmartLink modem, SLSERV shouldn't be disabled:
INFO

onlyme1984

  • Guest
Re:win32 trojano-141
« Reply #5 on: August 27, 2004, 06:49:50 AM »
Me again, sorry to be a burden, but I have to ask whether I have to run HijackThis in F8 safe mode or whether it is enough to run it in normal mode. I ran it in normal mode and it seemed to work fine.

I have moved the file c:\windows\system32\winupd.exe into a password-protected ZIP as asked; it should be attached.

I also changed my homepage (as someone suggested). I rebooted and all is well, my chosen homepage is there. I ran HijackThis again and no problems.

I come unstuck, though, when I run avast to search for viruses: it says that I have a virus on my computer. I ran HijackThis, but the items for the hijacked homepage are not there. Is there something I should know, or should I ignore it?

Your help is much appreciated. Cheers

whocares

  • Guest
Re:win32 trojano-141
« Reply #6 on: August 27, 2004, 01:32:19 PM »

1)
winupd.exe in a password protected ZIP as asked should be attached

2)
when I run avast to search for virus/s it says that I have a virus in my computer,


Hi,
@1) attached ? to the mail to AVAST, I hope

@2) WHAT virus is detected WHERE in WHICH file ?
Please more details -> Read "VirusRemoval" again, please

onlyme1984

  • Guest
Re:win32 trojano-141
« Reply #7 on: August 28, 2004, 12:39:28 PM »
Quote from: onlyme1984 on August 27, 2004, 04:49:50 AM

1)
winupd.exe in a password protected ZIP as asked should be attached

2)
when I run avast to search for virus/s it says that I have a virus in my computer,



Quote from: whocares, Avast Evangelist
August 27, 2004, 11:32:19 AM
Hi,
@1) attached ? to the mail to AVAST, I hope

@2) WHAT virus is detected WHERE in WHICH file ?
Please more details -> Read "VirusRemoval" again, please

August 26, 2004, 02:33:35 PM »
and after fixing,
reboot, and then please move the file
C:\WINDOWS\System32\winupd.exe
into a password-protected ZIP- or RAR-archive
and email it to
virus (at) avast.com
 

-------------------------------------------------------------------------
My apologies, I must have misinterpreted your message. But I thought you wanted me to do the above and move the file C:\WINDOWS\System32\winupd.exe into a zip file and email it to you after the HijackThis fix; I thought I had attached this file to the email I last sent.

The virus that avast keeps warning me of is win32 trojano-141, and it gives me a file of c:\xd\dr.exe. The homepage I chose comes up all right now after the HijackThis fix you guys suggested (thanks heaps for that). It is just when I run the avast virus scan that the warning of the virus resurfaces. Should I ignore the scanning warning, or is there something I missed and should know about?

Cheers.

whocares

  • Guest
Re:win32 trojano-141
« Reply #8 on: August 28, 2004, 04:56:15 PM »
move the file C:\WINDOWS\System32\winupd.exe into a zip file and email it to you after the hijackthis fix, I thought I attached this file to the email I last sent.


this was quite all right, except that "I" am not virus (at) avast (dot) com, but just a regular user here..
I misunderstood you too, thought you wanted to attach it here on the board..

Anyways..:

[EDIT]
you should DEACTIVATE system RESTORE, too, before going any further with cleaning, especially if there is/was a trojan/hijacker avast doesn't recognize yet (this winupd.exe, I mean)
[/EDIT]

The file "dr.exe" you mention does sound suspicious; please scan it online with KAV, RAV & Trend (the avast resident shield must be paused for this),
or scan it with eScan in SafeMode
-> for Links to the scanners, please see "Virusremoval"

--> if they also detect this,
try moving the file to quarantine with avast in SafeMode, or via a boot-time scan
or move it manually yourself..


- if no other scanner detects anything in "dr.exe", please submit it to avast, this time stating you suspect a false positive..

Also please post a new hijackthis-Log ;) ;) ;)

P.S.: Also please enter
TROJANO-141
into the board-search above, there are some other topics on it, which might help you

 :)
« Last Edit: August 28, 2004, 05:11:40 PM by whocares »