Do I have a trojan?

comwiz

I've had a few things starting at startup:
Winlogon Shell Explorer.exe
Winlogon Userinit userinit.exe
Could there be a trojan causing problems here?

And yesterday something disabled my Norton (NIS). I have to uninstall and reinstall it again.

I will post a HijackThis log. I've noticed O20 - AppInit_DLLs: in the log but can't find any more info about this.

Is my system infected with a trojan?
 
Please rename HijackThis.exe to HijackThis1991.exe and post a fresh HJT log.

Regards Howard :)

This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Go to Add/Remove Programmes in your control panel and uninstall anything to do with (if there):

Anti-Hijacker

Colorjinn Calibrize (I can find no reliable info for this. If you know for certain it's safe, keep it. Otherwise uninstall it.)

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

AntiHijacker 1.2.EXE
CalibrizeResume.exe
CalibrizeLoader.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O4 - HKCU\..\Run: [CGFLoader] C:\Program Files\Colorjinn Calibrize\CalibrizeLoader.exe

O4 - HKCU\..\Run: [CalibrizeResume] C:\Program Files\Colorjinn Calibrize\CalibrizeResume.exe

O4 - Startup: Anti-Hijacker.lnk = C:\Program Files\Anti-Hijacker\AntiHijacker 1.2.EXE

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mark\Start Menu\Programs\IMVU\Run IMVU.lnk

O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScanner.ocx

O17 - HKLM\System\CCS\Services\Tcpip\..\{E2F63037-7D9A-4E46-BD80-89374446D766}: NameServer = 203.12.160.35,203.12.160.36

O17 - HKLM\System\CCS\Services\Tcpip\..\{E5FFBAB6-D040-4B40-9E7C-8B584C6D6A22}: NameServer = 203.12.160.35,203.12.160.36

Only fix the above O17 entries if they don't belong to your ISP.

O20 - AppInit_DLLs:

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there):

C:\Program Files\Colorjinn Calibrize
C:\Program Files\Anti-Hijacker

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
OK, regarding Colorjinn Calibrize: it's software I use to help me adjust the colours of my monitor; it also helps me match a screen colour to a print. I've been using this for a while (it's safe).

AntiHijacker is another piece of software I use; it helps protect my homepage from being hijacked, so I think this is (safe) to use.

But the other issues I will fix, then I will post a new log again.

thanks
comwiz
 
Your HJT log is clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
OK, thanks for that :)

OK, with the Winlogin Shell Explorer.exe
and Winlogin Userinit.exe, are they (safe) running on startup?
 
Are you sure it's Winlogin and not winlogon?

Winlogin is a virus, whereas winlogon is legit.

Regards Howard :)

This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
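The fix list earlier in the thread (AppInit_DLLs, O17 NameServer entries that may not belong to the ISP, a hijacked start page, a service whose file is missing) and the winlogin/winlogon remark just above are the kind of checks a helper applies by hand to every HJT log. Below is an added example, not code from the original thread or from the HijackThis project, that applies those same checks to HJT-style log lines. The sample log is constructed for the example (the `winlogin.exe` Run entry and the AppInit_DLLs path are made up to trigger the checks; the other lines are modelled on entries quoted in this thread), the `SYSTEM_BINARIES` list is an assumed set of Windows binaries that malware likes to imitate by name, and the trusted DNS and homepage lists are passed in by the caller, since only the machine's owner knows what their ISP uses.

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT's own code)."""
import re
from difflib import SequenceMatcher

# Assumed list of Windows binaries whose names malware commonly imitates.
SYSTEM_BINARIES = {
    "winlogon.exe", "userinit.exe", "explorer.exe", "svchost.exe",
    "lsass.exe", "csrss.exe", "services.exe", "spoolsv.exe",
}

# Constructed sample log: the winlogin.exe Run entry and the AppInit_DLLs
# path are invented to exercise the checks; the rest mirrors lines in the thread.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [CGFLoader] C:\Program Files\Colorjinn Calibrize\CalibrizeLoader.exe
O4 - HKLM\..\Run: [winlogin] C:\WINDOWS\system32\winlogin.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thedotcom.com.au/search/dogpile.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2F63037-7D9A-4E46-BD80-89374446D766}: NameServer = 203.12.160.35,203.12.160.36
O20 - AppInit_DLLs: C:\WINDOWS\system32\example.dll
O20 - Winlogon Notify: crypt32chk - crypt32.dll
O23 - Service: SX Service (SXServ) - Unknown owner - C:\WINNT\system32\sxserv101.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


def basename_of(command_line):
    """Return the lower-case executable name from a Run-key command line."""
    last = command_line.strip().split("\\")[-1]
    m = re.match(r"(.*?\.exe)", last, re.IGNORECASE)
    return (m.group(1) if m else last).lower()


def lookalike(name):
    """Return the system binary that `name` imitates, or None if it is an exact or unrelated name."""
    if name in SYSTEM_BINARIES:
        return None
    best = max(sorted(SYSTEM_BINARIES), key=lambda real: SequenceMatcher(None, name, real).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= 0.85 else None


def triage(log_text, trusted_dns=frozenset(), trusted_homepages=frozenset()):
    """Return (code, reason, line) tuples for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            # Run-key entry: flag executables whose name is a near-miss of a system binary.
            path_m = re.search(r"\[[^\]]*\]\s*(.*)", body)
            if path_m:
                real = lookalike(basename_of(path_m.group(1)))
                if real:
                    findings.append((code, f"lookalike of {real}", line))
        elif code in ("R0", "R1") and "Start Page" in body:
            # Start page not on the owner's list: a typical hijack symptom.
            url = body.split("=", 1)[1].strip()
            host = re.sub(r"^https?://", "", url).split("/")[0].lower()
            if host not in trusted_homepages:
                findings.append((code, f"homepage set to {host}", line))
        elif code == "O17" and "NameServer" in body:
            # DNS servers that are not the ISP's can redirect every lookup.
            servers = {s.strip() for s in body.split("=", 1)[1].split(",")}
            unknown = servers - set(trusted_dns)
            if unknown:
                findings.append((code, "DNS servers not on ISP list: " + ", ".join(sorted(unknown)), line))
        elif code == "O20" and body.startswith("AppInit_DLLs"):
            # Any AppInit_DLLs value loads into every GUI process; always review it.
            findings.append((code, "AppInit_DLLs value is set", line))
        elif code == "O23" and "(file missing)" in body:
            # Orphaned service: the binary is gone but the registration remains.
            findings.append((code, "service points at a missing file", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG, trusted_dns={"203.12.160.35", "203.12.160.36"}):
        print(f"{code}: {reason}\n    {line}")
```

Run as-is it reports the lookalike Run entry, the start page, the AppInit_DLLs value and the orphaned service, and stays quiet about the O17 lines because the two addresses were passed in as the ISP's; drop `trusted_dns` and the O17 entry is reported too, which is exactly the judgement call the thread leaves to the machine's owner.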
 
I have another virus problem, please read!

I keep getting the (downloader virus). Norton identifies it as Downloader and the infected file is checkin[1].htm. Now Norton says it has deleted it, but it keeps on returning. It also put a file abc123.pid in the temp folder, and when I delete that it keeps coming back.

So I need to delete the key so it won't recreate the files again.

I will be grateful for any help.
 
Please post fresh HJT and Ewido logs.

Regards Howard :)

This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Your HJT log is clean.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

FamilyFeudSetup-dm[1].exe

Close task manager.

Locate and delete the following bold files and/or directories (if there):

C:\downloads\FamilyFeudSetup-dm[1].exe

Run a full system scan with your antivirus programme and delete whatever it finds. This includes any files in quarantine.

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Let me know if your system is running ok.

Regards Howard :)

This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
OK, done a scan with Norton (nothing found).
OK, what about these files that Ewido has in quarantine? See below:

C:\Program Files\Colorjinn Calibrize\CalibrizeLoader.exe -> Downloader.Agent.awf :
C:\Program Files\Colorjinn Calibrize\CalibrizeResume.exe -> Downloader.Agent.awf :
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe -> Downloader.Agent.awf :
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe -> Downloader.Agent.awf :
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe -> Downloader.Agent.awf :
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE -> Downloader.Agent.awf :
C:\WINDOWS\system\wcdvtray.exe -> Downloader.Agent.awf :
[2396] C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE -> Downloader.Agent.awf :
 
They are all safe files and nothing to worry about.

The CAP3ONN.EXE file is part of your Canon drivers.

wcdvtray.exe is part of your webcam software.

C:\Program Files\Common Files\Ahead files are part of Nero.

For the Colorjinn Calibrize entries see HERE for further info.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
virus and spyware

I got rid of most of the viruses and spyware, but there could still be some left. Please check the log.
 
I have merged your new thread into this one. Please use this thread for all your virus/spyware issues.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

SX Service

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

sxserv101.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thedotcom.com.au/search/dogpile.html

O23 - Service: SX Service (SXServ) - Unknown owner - C:\WINNT\system32\sxserv101.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there):

C:\WINNT\system32\sxserv101.exe

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Your HJT log is now clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Comwiz,

You may have been infected with a new virus. Please post a log from AVG Antispyware. Thanks.
 
Your system is badly infected.

First, go HERE and follow the instructions very carefully.

Then, go HERE and do likewise.

Post fresh HJT and AVG Antispyware logs as attachments, only after doing the above.

Regards Howard :)

This thread is for the use of comwiz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 