Trojan removal i have tried everything

Gordon24Johnson48 · March 23, 2006

Hey everyone you guys have saved me some money here before instead of having to go to the computer shop. I am having another problem now and was wondering if anyone could help. I have done a spyware scan and nothing comes up except tracking cookies. I did a scan with Norton because my AVG won't open. I keep getting an error when i try to open it saying that it needs to close.

Anyway my problem is a couple trojans that Norton found.

PWSteal.Trojan

Trojan.Cmapp

Those are the 2 trojans and it says there is 3 files i need to delete located in the system32 file.

Accies98.dll

AcciesX2

Runner.dll

When i try to delete those files i get an error message saying they are in use and can't be deleted. I also tried to delete them in safe mode with the same results. Does anyone know a way i can delete them? This is really a crazy trojan. It makes Internet explorer pretty much useless and it always freezes. Firefox seems to work ok but i get the same popup every few minutes.

Below is a hijackthis log:

Logfile of HijackThis v1.99.1

Scan saved at 10:05:09 PM, on 3/22/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\oodag.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\a-squared\a2guard.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE

C:\Documents and Settings\Chris\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: Acrobat IE Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE083} - C:\WINDOWS\system\ctldlg32.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {8110581C-FEA4-47AC-ADBC-DE958DD0F354} - (no file)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1140804302562

O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://www.temaki.org/activex/AMC.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/boardid/BoardID.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - AppInit_DLLs: Runner.dll,bhfkpooc.dll,EQMini.dll

O20 - Winlogon Notify: accies98 - C:\WINDOWS\SYSTEM32\accies98.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: mmx4xt - C:\WINDOWS\SYSTEM32\mmx4xt.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Sorry if i explained it bad. I tried not to make it too confusing but i have been working on this all day doing nothing but spyware and virus scans. It's driving me crazy. :pullhair:

Thanks for any advice.

**Trevuren** · March 23, 2006

Hi Gordon24Johnson28 and welcome to the PC Pitstop Forums .

My name is Trevuren and I will be helping you with your log.

I notice that you are using more than one antivirus program. This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you either (1) configure only one antivirus program to enable automatic realtime scanning, and leave the rest disabled most of the time, or (2) go to Start -> Control Panel -> Add/Remove Programs and uninstall all but one antivirus program.

Restart your system

1. Download, install, update, configure, and run Ad-Aware SE Personal 1.06.

Download Ad-Aware SE Personal 1.06:
- Download Ad-Aware SE Personal 1.06.
- Save aawsepersonal.exe to a convenient location.
Install Ad-Aware SE Personal 1.06:
- Double-click on aawsepersonal.exe to install the program.
- Follow the default settings for installation.
- After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
Update Ad-Aware SE Personal 1.06:
- Double-click the Ad-Aware SE Personal icon on your desktop.
- Click "Check for updates now" then click "Connect".
- It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
Configure Ad-Aware SE Personal 1.06:
- Click on the Gear button at the top of the window.
- Click "General" on the left hand side to display the General Settings box.
  - Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
    - "Automatically save logfile"
    - "Automatically quarantine objects prior to removal"
    - "Safe Mode (always request confirmation)"
    - "Prompt to update outdated definitions" - change to 7 days from the default 14.
- Click "Scanning" on the left hand side to display the Scan Settings box.
  - Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
  - "Scan within archives"
  - "Select drives & folders to scan" - select your hard drive(s).
  - "Scan active processes"
  - "Scan registry"
  - "Deep-scan registry"
  - "Scan my IE favorites for banned URLs"
  - "Scan my Hosts file"
- Click "Advanced" on the left hand side to display the Advanced Settings box.
  - Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
  - "Move deleted files to Recycle Bin"
  - "Include additional object information"
  - "Include negligible objects information"
  - "Include environment information"
- Click "Defaults" on the left hand side to display the Default Settings box.
  - Make sure these items have your preferred settings in them.:
  - "Default homepage"
  - "Default searchpage"
- Click "Tweak" on the left hand side to display the Tweak Settings box.
  - Click the + (plus) sign next to the Log Files section. This will expand the section.
  - Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
    - "Include basic Ad-Aware settings in log file"
    - "Include additional Ad-Aware settings in log file"
    - "Include reference summary in log file"
    - "Include alternate data stream details in log file"
  - Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
  - Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
    - "Unload recognized processes & modules during scan"
    - "Scan registry for all users instead of current user only"
    - "Obtain command line of scanned processes"
  - Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
  - Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
    - "Always try to unload modules before deletion"
    - "During removal, unload Explorer and IE if necessary"
    - "Let Windows remove files in use at next reboot"
    - "Delete quarantined objects after restoring"
- Once you are done with these settings, click "Proceed" to save them.
- This will take you back to the main screen.
Run Ad-Aware SE Personal 1.06:
- Click the "Start" button.
- Uncheck the "Search for negligible risk entries" entry.
- Choose the "Use custom scanning options" scan mode.
- Click the "Next" button.
- Ad-Aware will begin to scan for malware residing on your computer.
- Allow the scan to finish.
- Right-click on any entry in the list and click "Select All" to select the whole list.
- Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.

2. Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

Please download ewido security suite it is a trial version of the program.
- Install ewido security suite
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- Launch ewido, there should be an icon on your desktop double-click it.
- The program will prompt you to update click the OK button
- The program will now go to the main screen
You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click update
- Click on Start
- The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
- REBOOT into Safe Mode
- Run EWIDO
- Click on scanner
- Click on Start Scan
- Let the program scan the machine
- While the scan is in progress you will be prompted to clean files, click OK
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report
- Save the report to your desktop
Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply

Regards,

Trevuren

Gordon24Johnson48 · March 23, 2006

Thanks Trevuren for the reply. Great instructions that even i could follow.

Here is the updated hijackthis log. I also removed both AVG and Norton. I am now using Nod32 and it seems alot better then the others.

Logfile of HijackThis v1.99.1

Scan saved at 5:00:12 AM, on 3/23/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\oodag.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Eset\nod32kui.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe