Security Software Trojan Help! Urgent!!

Apex

Contributor
Here's the chat log from my MSN chat with XTo..
Please read this and help him out. :)

XTerminator - See You On The Other Side says:
look
XTerminator - See You On The Other Side says:
my comp is infected with this stupid trojan and i am in safe mode
XTerminator - See You On The Other Side says:
where my mouse etc is not working
XTerminator - See You On The Other Side says:
file name is wsock32.dll
XTerminator - See You On The Other Side says:
in the winnt/system32 folder
XTerminator - See You On The Other Side says:
trojan name is downloader.small.54.Z
XTerminator - See You On The Other Side says:
post this info on TE
XTerminator - See You On The Other Side says:
and u also try to find me info on this ASAP
XTerminator - See You On The Other Side says:
i cant use windows in safe mode for long
XTerminator - See You On The Other Side says:
tried stuff like
XTerminator - See You On The Other Side says:
replacing the file from the win2k cd
XTerminator - See You On The Other Side says:
no use...what happens when i try to start the comp
XTerminator - See You On The Other Side says:
it boots up till the time the window that states preparing network connections etc comes up
XTerminator - See You On The Other Side says:
after that it just reboots
XTerminator - See You On The Other Side says:
i can boot in safe mode
XTerminator - See You On The Other Side says:
but cant quarantine or repair the file
XTerminator - See You On The Other Side says:
i cant delete the file as it is under use
XTerminator - See You On The Other Side says:
both my hdds have been infected
XTerminator - See You On The Other Side says:
both have a separate installation of windows
XTerminator - See You On The Other Side says:
replaced the same file on the other hdd with the one present in the win2k cd
XTerminator - See You On The Other Side says:
now it doesnt boot into safe mode as well
XTerminator - See You On The Other Side says:
AVG detects the trojan
XTerminator - See You On The Other Side says:
but each time it heals it or quarantines or tries to delete
XTerminator - See You On The Other Side says:
asks for reboot
XTerminator - See You On The Other Side says:
which i dont wanna do coz it will infect me further
XTerminator - See You On The Other Side says:
as it happened in the other installation
XTerminator - See You On The Other Side says:
thats just about the info....apart from this...my bro used the comp last more than 24 hrs ago to check mail and chat
XTerminator - See You On The Other Side says:
after that its been switched on around 11

Here's the HijackThis log:
Logfile of HijackThis v1.99.0
Scan saved at 23:08:56, on 12/15/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\asuskbservice.exe
C:\WINNT\System32\GEARSEC.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\tcpsvcs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsiExec.exe
C:\WINNT\Explorer.EXE
C:\WINNT\anvshell.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\KM9801U\MMHotKey.EXE
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\KM9801U\HokHIDKC.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Anshul.HOME\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.1.3:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *nofra*;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [KM9801U] C:\PROGRA~1\KM9801U\MMHotKey.EXE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download using Download &Express - file://C:\WINNT\system32\MetaProducts\Add_Url.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF3B4D3A-EF82-44B6-9692-B5803185B4F7}: NameServer = 172.16.1.3,172.16.1.2
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASUSKeyboardService - ASUSTeK COMPUTER INC. - C:\WINNT\asuskbservice.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: %NVSVC.name% - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
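The log above is the raw evidence the rest of the thread argues over. As an added example (not part of the original post, and not the auto-analyser linked below), here is a small Python parser that pulls the R1, O4 and O23 entries out of HijackThis-style lines and applies three heuristics of my own: an O4 Run command whose executable has no directory is resolved through the search path and cannot be located from the log alone; a rundll32/regsvr32 loader is judged by the DLL it is given rather than by itself; verbatim repeated O23 lines and any R1 proxy setting are reported so the reader checks them. The sample lines are copied from the posted log; the heuristics are assumptions, not the analyser's rules.

```python
"""Parse HijackThis-style log lines and flag entries worth a second look.

Added example for this thread, not part of the original post or of HijackThis.
Sample input below is a subset of the posted log; the flagging rules are the
author's own assumptions.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.1.3:3128
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

LINE_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R1_RE = re.compile(r",(?P<setting>\w+) = (?P<value>.*)$")
LOADERS = {"rundll32.exe", "regsvr32.exe"}   # hosts that run whatever DLL they are handed


def parse_hjt(text):
    """Return one dict per R1/O4/O23 line; process list and headers are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        entry = {"kind": kind, "raw": raw.strip()}
        if kind == "O4":
            o4 = O4_RE.match(body)
            if o4:
                entry.update(o4.groupdict())
        elif kind == "O23" and body.startswith("Service: "):
            parts = body[len("Service: "):].split(" - ", 2)
            if len(parts) == 3:
                entry["service"], entry["vendor"], entry["path"] = parts
        elif kind == "R1":
            r1 = R1_RE.search(body)
            if r1:
                entry.update(r1.groupdict())
        entries.append(entry)
    return entries


def first_token(cmd):
    """Split a Run command into executable and arguments, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, rest = cmd.partition(" ")
    return head, rest


def flag_entries(entries):
    """Apply the heuristics described in the lead-in and return human-readable findings."""
    findings = []
    for raw, n in Counter(e["raw"] for e in entries).items():
        if n > 1:
            findings.append(f"duplicate line ({n}x): {raw}")
    for e in entries:
        if e["kind"] == "O4" and "cmd" in e:
            exe, rest = first_token(e["cmd"])
            if exe.lower().rsplit("\\", 1)[-1] in LOADERS:
                # judge the DLL the loader is told to run, not the loader itself
                target = rest.split(",", 1)[0].strip().strip('"')
                what = f"{exe} loads {target}"
            else:
                target = what = exe
            if "\\" not in target:
                findings.append(f"O4 [{e['name']}]: {what} has no directory; "
                                "resolved via the search path, locate it before trusting it")
        elif e["kind"] == "R1" and e.get("setting") == "ProxyServer":
            findings.append(f"R1: IE proxy set to {e['value']}; "
                            "confirm it is the LAN proxy and not an interception point")
    return findings


if __name__ == "__main__":
    for finding in flag_entries(parse_hjt(SAMPLE_LOG)):
        print(finding)
```

On the posted log this flags anvshell.exe and SOUNDMAN.EXE (bare names under HKLM\..\Run), the repeated AVG7 service line and the 172.16.1.3:3128 proxy; NvCpl.dll, avgcc.exe and MsgPlus.exe carry full paths and are left alone. A flag is a prompt to locate and inspect the file, not a verdict.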
 
This is a job for... Hijack This! Log Auto Analyser (v2.01) :cool2:

This system has been designed to help you quickly find information about everything contained in your HJT logs. We tap the greatest information databases we've been able to find to help you figure out which items in your log are OK and which ones are bad! Any information we have on the items will be displayed when you run your mouse over that line. Wherever possible you will be linked to a specific thread for help on that item.

Everything is color coded to help you determine which category each item falls under. We cannot guarantee this to be 100% accurate and is to be used for reference purposes only. We suggest using proper adware and virus scanners on a regular basis.

Check out the results @ http://hjt.iamnotageek.com/parse.php?log=146314

It contains a lot of "Bad if you don't know what it is" and "Unknown Item - investigate further" entries, including:

C:\PROGRA~1\KM9801U\MMHotKey.EXE

C:\PROGRA~1\KM9801U\HokHIDKC.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

Also, XTO's Hijack This! is 1 version behind the current.
 
OK, quickfire, try this first; hope he is using FAT32 :(

Boot into DOS mode using a Win 98 startup disk, go to the AVG folder, start the DOS version of AVG, and scan-delete-reboot as many times as required until all threats are gone. Tell him to disable System Restore first; he can re-enable it once all threats are dealt with.

Ask him to delete all temp files, IE cache, cookies etc.

Also check the startup entries in msconfig; ask him to disable all suspicious entries.
 
I think rundll is the culprit again.

It's executing malicious DLLs which are probably hiding quietly inside the system32 folder. I've told him to download Ad-Aware SE and use the process watch. It shows you exactly which DLLs are being executed by rundll. Once that happens, he can zoom in on those infected DLLs and knock them off from recovery mode.

Any other suggestions?
 
Best Free Trojan Scanner/Trojan Remover

Ewido is the best of a new crop of anti-Trojan programs. On my recent tests over at www.anti-trojan-software-reviews.com it emerged as one of the few products that could reliably detect polymorphic and process-injecting Trojans that were totally missed by anti-virus products like Norton and AVG. Unfortunately the free version of Ewido doesn't have a memory monitor, and this omission significantly reduces the level of active protection provided. However, the on-demand scanner is excellent. I recommend that all average PC users who don't have an anti-trojan scanner download Ewido and scan their PCs weekly. I suspect you may be surprised at what you will find. Ewido is also pretty good at removing some spyware infections, so bear that in mind next time you encounter a spyware product you can't remove with normal anti-spyware products like Ad-Aware. Note that Ewido only works with Windows 2000 and later, so Win 9X users should consider the free version of a2 (a-squared) anti-trojan as an alternative. It's not quite as effective as Ewido but is still an excellent product. High-risk PC users, such as P2P file sharers and frequenters of hack sites, should however consider the industrial-strength protection of Trojan Hunter or the full version of Ewido, both of which offer the active protection they need. Note: The free version of Ewido is actually the same as the paid version, but after 14 days the active protection (i.e. memory monitor) becomes non-functional.

http://www.ewido.net/en/ (2.2MB)

http://www.techsupportalert.com/best_46_free_utilities.htm#6

You could try this.
 
Nope dipdude,
I don't have any of those in my startup entries.

Somehow, again today, I am able to log in to the secondary installation using the copy-paste procedure, with the file that tracerbullet gave me, from the safe mode of the primary installation.

I have downloaded Ad-Aware as tracerbullet suggested and ran a process scan.
Now what do I do?
 
Manual Removal of Happy99.exe

Steps marked optional are not absolutely necessary and are completely safe to skip. If you're not comfortable with DOS, get someone knowledgeable to help you with this. I cannot make guarantees of perfect safety since it's a manual removal; perform these at your own risk. If you have Windows NT, you don't have to follow the removal steps.

1. Click Start, then Shut Down, then "Restart Computer in MS-DOS mode", then click Yes. It's important to exit Windows in order to be able to replace the file WSOCK32.DLL, which Windows normally has in use.

2. At the DOS prompt type this exactly and press Enter at the end of each line:

CD \WINDOWS\SYSTEM

3. Delete SKA.EXE and SKA.DLL by typing

DEL SKA.EXE
DEL SKA.DLL

If you get "File not found" you're either not infected or in the wrong directory. Make sure you're in your Windows System directory; check to see if you followed step 2 exactly.

4. Copy WSOCK32.SKA to WSOCK32.DLL by typing

ATTRIB -R WSOCK32.DLL
COPY WSOCK32.SKA WSOCK32.DLL

Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL.

WSOCK32.SKA is a backup of the original WSOCK32.DLL. You are replacing the modified DLL with the original. If you get a "Sharing violation", make sure you followed step 1.

5. (Optional) Delete WSOCK32.SKA by typing

DEL WSOCK32.SKA

You can leave WSOCK32.SKA on your system. It is a copy of your original WSOCK32.DLL. Do not delete WSOCK32.SKA if you are unable to replace WSOCK32.DLL with WSOCK32.SKA.

6. Return to Windows by typing

EXIT

7. (Optional) Delete the Windows Registry key.
Click Start, then Run, then type regedit in the text box, then click OK. Click HKEY_LOCAL_MACHINE, then Software, then Microsoft, then Windows, then CurrentVersion. Under RunOnce check for SKA.EXE and select it if it is there. Press Delete and then click Yes. Close Regedit. Don't change anything else without making a backup of the registry first. If you don't find SKA.EXE in the registry, it doesn't mean you're not infected. SKA.EXE is only added to the registry if HAPPY99.EXE is unable to modify WSOCK32.DLL when you run it. Also, you'll only find it in the registry if you haven't rebooted since you ran HAPPY99.EXE.

8. (Optional) Choose Start, Programs, Accessories, Notepad; choose File, then Open, then type C:\WINDOWS\SYSTEM\LISTE.SKA in the File Name box. Warn the people on the list, then delete LISTE.SKA. Make it clear to the people you warn that they won't be infected unless they ran happy99.exe, to avoid alarming them unnecessarily. If you haven't sent out any infected e-mails, there won't be a LISTE.SKA.

9. (Optional) Delete the HAPPY99.EXE file. The location of HAPPY99.EXE will vary depending on where you saved it. You can delete it simply by dragging it to the Recycle Bin from within Windows, or whatever method you prefer. You may still have some messages with HAPPY99.EXE attached in your mailbox. These cannot do anything unless you run them. You can delete them if you want to or just ignore them.

10. (Optional) If you aren't sure whether WSOCK32.DLL is infected, choose Start, then Find, then "Files or Folders". Then type WSOCK32.DLL in the "Named" box. In the "Look in" box choose drive C: or whatever drive you have Windows on. In the "Containing Text" box type "ska.dll" without the quotes. Then click "Find Now". If you don't find any files, that means that wsock32.dll isn't the modified version. If you don't have the modified WSOCK32.DLL, the virus has no way to attach to e-mails, even if you have SKA.EXE, SKA.DLL, and WSOCK32.SKA in the Windows System folder. If you have SKA.EXE in the RunOnce registry section, and you haven't deleted SKA.EXE, then the virus will try to modify WSOCK32.DLL the next time you restart the computer.

Make sure you type the instructions exactly, including spaces and punctuation. You might want to print out the removal instructions so you have something to refer to. If you're having trouble with the DOS commands, get a local person to help you with them. It's hard to know exactly how you're typing the DOS commands and what your exact situation is without seeing it in person.

If it is something like this, you can use the above guide.
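Step 10 of that guide (search the DLL for the text "ska.dll") and the earlier attempt to replace wsock32.dll with the copy from the Win2k CD are both integrity checks on one file. As an added example, not part of the pasted guide or of the thread, here is a Python version of both checks in a form that can be run against any path: a chunked, case-insensitive search for the marker string, and a SHA-256 comparison against a known-good copy. File names and the constructed stand-in contents are assumptions for the demo; none of them is a real PE image.

```python
"""Check a Winsock DLL for the Happy99 marker and against a reference copy.

Added example for this thread; not the guide's own tool. The demo writes
constructed placeholder files (not real DLLs) so it runs offline.
"""
import hashlib
import os
import tempfile

MARKER = b"ska.dll"   # the text the guide's step 10 searches for
CHUNK = 1 << 16


def sha256_of(path):
    """Hash a file in chunks so a large DLL is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def contains_marker(path, marker=MARKER):
    """Case-insensitive search; keeps an overlap so a hit split across two reads is not missed."""
    needle = marker.lower()
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            buf = tail + chunk.lower()
            if needle in buf:
                return True
            tail = buf[-(len(needle) - 1):]


def check_wsock32(installed, reference):
    """Compare the installed DLL with a known-good copy and say why it should (not) be trusted."""
    marker = contains_marker(installed)
    same = sha256_of(installed) == sha256_of(reference)
    return {"happy99_marker": marker, "matches_reference": same,
            "modified": marker or not same}


def demo():
    """Run the check over constructed stand-ins: a CD copy, a clean copy,
    an SKA-wrapped copy and a silently patched copy (sample data, not real DLLs)."""
    body = b"MZ" + bytes(range(256)) * 4          # constructed placeholder content
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("cd", "clean", "ska", "patched")}
        contents = {
            "cd": body,
            "clean": body,
            "ska": body + b"\x00SKA.DLL\x00",             # wrapper that references ska.dll
            "patched": body[:100] + b"\xff" + body[101:],  # one byte changed, no marker
        }
        for name, data in contents.items():
            with open(paths[name], "wb") as f:
                f.write(data)
        return {n: check_wsock32(paths[n], paths["cd"]) for n in ("clean", "ska", "patched")}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The marker search catches the Happy99 wrapper; the hash comparison catches a modification that carries no marker at all. The reference must be the same build as the installed file: on the SP3 system in this thread, a service pack may legitimately have updated wsock32.dll since the RTM CD was pressed, so a hash mismatch alone means "check the file's version and origin", not "infected". On Windows 2000 the file lives in WINNT\system32 rather than the WINDOWS\SYSTEM path the Win9x guide uses.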
 
Hmm.. XTerm.. Your logfile looks clean to me.. It was created in Safe Mode, na..?
Anyway.. Let's try to fix the problem... First and foremost, install Service Pack 4 for Windows 2000.. And if you are not able to install it in safe mode, then try this..:

Download Unlocker and install it.. Now navigate to NT\System32 (where the infected file resides), right-click on wsock32.dll (be VERY sure to select the correct file) and select Unlocker from the context menu.. This will show the process using the file.. Click on Unlock to unlock the handle.. and if that doesn't work, try killing the process.. After the file is unlocked you can delete it...
After deleting the file, run:
Start > Run > Cmd <Press Enter>
At the command prompt, type:
sfc /scannow <Press Enter>

You may need your W2k CD for the file to be replaced...
See if that helped.. After the file is replaced, then install Service Pack 4..
 
Try running Spybot Search and Destroy 1.4 first; it's the best out there.
Another freeware alternative is MS's own antispyware; validation required.
It goes without saying: update your AVG, Ad-Aware etc.

Anshul, if nothing helps, then, very important, go to the CastleCops forum, register, and post your HijackThis logs over there.
Here's the link to the trojan thread.

Be patient :(
 
Thanks everyone... but I managed to get rid of the infection temporarily :P
Following what I think is some weird logic... which I will explain when I have more free time.
And as for that HijackThis log... it was created in normal infected mode.
With thanks to all those who helped me, and special thanks to Tracerbullet, who helped me online, sparing time from his busy work schedule :D
 