TechSpot

Do I have a trojan?

By comwiz
Sep 28, 2006
  1. I've had a few things starting at startup
    Winlogon Shell Explorer.exe
    Winlogon Userinit userinit.exe
    could there be a trojan causing problems here?

    And yesterday something disabled my Norton (NIS); I have to uninstall and reinstall it again.

    I will post a HijackThis log. I've noticed O20 - AppInit_DLLs: in the log but can't find any more info about this.

    is my system infected with a trojan?
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please rename HijackThis.exe to HijackThis1991.exe and post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. comwiz

    comwiz TS Rookie Topic Starter Posts: 21

    new log

    ok done

    here is a fresh HJT log :
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to add remove programmes in your control panel and uninstall anything to do with (if there):

    Anti-Hijacker

    Colorjinn Calibrize < I can find no reliable info for this. If you know for certain it's safe, keep it. Otherwise uninstall it.

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    AntiHijacker 1.2.EXE
    CalibrizeResume.exe
    CalibrizeLoader.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O4 - HKCU\..\Run: [CGFLoader] C:\Program Files\Colorjinn Calibrize\CalibrizeLoader.exe

    O4 - HKCU\..\Run: [CalibrizeResume] C:\Program Files\Colorjinn Calibrize\CalibrizeResume.exe

    O4 - Startup: Anti-Hijacker.lnk = C:\Program Files\Anti-Hijacker\AntiHijacker 1.2.EXE

    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mark\Start Menu\Programs\IMVU\Run IMVU.lnk

    O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScanner.ocx

    O17 - HKLM\System\CCS\Services\Tcpip\..\{E2F63037-7D9A-4E46-BD80-89374446D766}: NameServer = 203.12.160.35,203.12.160.36

    O17 - HKLM\System\CCS\Services\Tcpip\..\{E5FFBAB6-D040-4B40-9E7C-8B584C6D6A22}: NameServer = 203.12.160.35,203.12.160.36

    Only fix the above O17 entries if they don't belong to your ISP.

    O20 - AppInit_DLLs:

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\Program Files\Colorjinn Calibrize
    C:\Program Files\Anti-Hijacker

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. comwiz

    comwiz TS Rookie Topic Starter Posts: 21

    OK, regarding Colorjinn Calibrize: it's software I use to help me adjust the colours of my monitor; it also helps me match a screen colour to a print. I've been using this for a while (it's safe).

    AntiHijacker is another program that I use; it helps protect my homepage from being hijacked, so I think this is (safe) to use.

    But the other issues I will fix, then I will post a new log again.

    thanks
    comwiz
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    From the info I have seen AntiHijacker is a suspect programme and should be uninstalled.

    Regards Howard :)
     
  7. comwiz

    comwiz TS Rookie Topic Starter Posts: 21

    ok i have uninstalled AntiHijacker

    here is a new log
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. comwiz

    comwiz TS Rookie Topic Starter Posts: 21

    OK, thanks for that :)

    OK, with the Winlogin Shell Explorer.exe
    and Winlogin Userinit.exe, are they (safe) running on startup?
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Are you sure it's Winlogin and not winlogon?

    Winlogin is a virus, whereas winlogon is legit.

    Regards Howard :)

    This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. comwiz

    comwiz TS Rookie Topic Starter Posts: 21

    Sorry, my mistake.

    My system is clean :)

    Thanks for your help.

    Cheers :)
     
  12. comwiz

    comwiz TS Rookie Topic Starter Posts: 21

    I have another virus problem please read!

    I keep getting the (downloader virus). Norton identifies it as Downloader and the infected file is checkin[1].htm. Norton says it has deleted it, but it keeps on returning. It also put a file abc123.pid in the temp folder, and when I delete that it keeps coming back.

    So I need to delete the key so it won't recreate the files again.

    I would be grateful for any help.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please post fresh HJT and Ewido logs.

    Regards Howard :)

    This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  14. comwiz

    comwiz TS Rookie Topic Starter Posts: 21

    ok here are the logs
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    FamilyFeudSetup-dm[1].exe

    Close task manager.

    Locate and delete the following bold files and/or directories (if there):

    C:\downloads\FamilyFeudSetup-dm[1].exe

    Run a full system scan with your antivirus programme and delete whatever it finds. This includes any files in quarantine.

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Let me know if your system is running ok.

    Regards Howard :)

    This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  16. comwiz

    comwiz TS Rookie Topic Starter Posts: 21

    OK, done a scan with Norton (nothing found).
    OK, what about these files that Ewido has in quarantine? See below:

    C:\Program Files\Colorjinn Calibrize\CalibrizeLoader.exe -> Downloader.Agent.awf :
    C:\Program Files\Colorjinn Calibrize\CalibrizeResume.exe -> Downloader.Agent.awf :
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe -> Downloader.Agent.awf :
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe -> Downloader.Agent.awf :
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe -> Downloader.Agent.awf :
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE -> Downloader.Agent.awf :
    C:\WINDOWS\system\wcdvtray.exe -> Downloader.Agent.awf :
    [2396] C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE -> Downloader.Agent.awf :
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    They are all safe files and nothing to worry about.

    The CAP3ONN.EXE file is part of your Canon drivers.

    wcdvtray.exe is part of your webcam software.

    C:\Program Files\Common Files\Ahead files are part of Nero.

    For the Colorjinn Calibrize entries see HERE for further info.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  18. comwiz

    comwiz TS Rookie Topic Starter Posts: 21

    virus and spyware

    I got rid of most of the viruses and spyware, but there could still be some left. Please check the log.
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I have merged your new thread into this one. Please use this thread for all your virus/spyware issues.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    SX Service

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    sxserv101.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thedotcom.com.au/search/dogpile.html

    O23 - Service: SX Service (SXServ) - Unknown owner - C:\WINNT\system32\sxserv101.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\WINNT\system32\sxserv101.exe

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
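    Triage logic for the kinds of HJT entries this thread walks through in posts 4, 10 and 19 (O17 NameServer entries that should match your ISP, an O20 AppInit_DLLs entry that should normally be blank, an O23 service whose file is missing, and an executable name one typo away from winlogon.exe), as an added Python example that is not from the thread or from HijackThis itself; the sample log lines, the ISP DNS set and the list of system binaries are constructed for the example.

```python
import re

# Windows binaries whose names malware likes to imitate (winlogin vs winlogon, post 10); assumed list.
SYSTEM_BINARIES = {"winlogon.exe", "userinit.exe", "explorer.exe", "svchost.exe", "lsass.exe"}

# Constructed sample: HJT-style entries modelled on this thread, plus one lookalike O4 line.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [CGFLoader] C:\Program Files\Colorjinn Calibrize\CalibrizeLoader.exe
O4 - HKLM\..\Run: [Winlogin] C:\WINDOWS\system32\winlogin.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2F63037-7D9A-4E46-BD80-89374446D766}: NameServer = 203.12.160.35,203.12.160.36
O20 - AppInit_DLLs:
O23 - Service: SX Service (SXServ) - Unknown owner - C:\WINNT\system32\sxserv101.exe (file missing)
"""

def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if a == b:
        return True
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def triage(log: str, isp_dns: set) -> list:
    """Return (reason, line) pairs for the entries a helper would ask about first."""
    hits = []
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        code = line.split(" - ", 1)[0]
        if code == "O17":
            m = re.search(r"NameServer = ([\d.,]+)", line)
            if m and any(s not in isp_dns for s in m.group(1).split(",")):
                hits.append(("O17 NameServer not in your ISP's list", line))
        elif code == "O20" and line.split("AppInit_DLLs:", 1)[-1].strip():
            hits.append(("O20 AppInit_DLLs is non-empty (normally blank on XP)", line))
        elif code == "O23" and ("(file missing)" in line or "Unknown owner" in line):
            hits.append(("O23 service with missing file or unknown owner", line))
        # Every entry: an executable name one typo away from a system binary is a red flag.
        for name in re.findall(r"([^\\/:\s\[\]]+\.exe)", line, re.IGNORECASE):
            name = name.lower()
            if name not in SYSTEM_BINARIES and any(within_one_edit(name, s) for s in SYSTEM_BINARIES):
                hits.append((f"lookalike of a system binary: {name}", line))
    return hits

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG, {"203.12.160.35", "203.12.160.36"}):
        print(reason, "->", line)
```

    Pass the DNS servers your ISP actually assigns as the second argument; O17 lines are only flagged when a server is not in that set, which is exactly the "if they don't belong to your ISP" decision from post 4.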
     
  20. comwiz

    comwiz TS Rookie Topic Starter Posts: 21

    ok here is the new log
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  22. dahli

    dahli TS Rookie Posts: 28

    Comwiz,

    You may have been infected with a new virus. Please post a log from AVG Antispyware. Thanks.
     
  23. comwiz

    comwiz TS Rookie Topic Starter Posts: 21

    Spyware

    Some more spyware; take a look at the log.
     
  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system is badly infected.

    First, go HERE and follow the instructions very carefully.

    Then, go HERE and do likewise.

    Post fresh HJT and AVG Antispyware logs as attachments, only after doing the above.

    Regards Howard :)

    This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  25. comwiz

    comwiz TS Rookie Topic Starter Posts: 21

    Can't remove infections

    I can't remove Smitfraud-C.Toolbar888 & YazzleSudoku.

    Please check log.
     
Topic Status:
Not open for further replies.
