TechSpot

Hijack This! Trojan Horse please help!

By robert_harper
May 28, 2005
  1. Help!
    My Antivir Personal Edition 6 says TR/Agent.cs Trojan horse and says it links to c:\windows\system32\bits\splay.dll. I used Hijack This! and read all about it and tried to go to safe mode (safe mode wouldn't load properly so I had to go through domain controllers - a version of safe mode?), then opened Hijack This! and checked everything I think I should have, but it won't delete splay.dll as it's a locked system file? Anyway, here's the log.

    Please help thanks!
    Robert Harper
     
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Boot in Safe Mode.
    Switch System restore OFF.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    ee.exe

    Next, try to UNinstall anything to do with:
    C:\Program Files\Evidence Eliminator\ee.exe
    C:\WINDOWS\system32\bits\splay.dll

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    ...................................................................................................
    O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\bits\splay.dll
    O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
    O15 - Trusted IP range: 213.159.117.202 ===>>>(Russian Mafia in St.Petersburg!)
    O15 - Trusted IP range: 213.159.117.202 (HKLM) ===>>>(Russian Mafia in St.Petersburg!)
    O20 - Winlogon Notify: splay - C:\WINDOWS\system32\bits\splay.dll
    ...................................................................................................
    Now click on the Fix Checked button in HJT.
    When done, from between the dotted lines, delete the highlighted bold files.
    When a directory-name is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Boot normal. When all OK, switch System Restore back on.
     
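The five HJT lines quoted above are the kind a helper scans for by eye: a BHO and a Winlogon Notify entry pointing at the same DLL in a subfolder of system32, plus Trusted-zone entries keyed by raw IP. The following is an added example, not code from the thread or from HijackThis, that parses those four HJT section formats (O2, O4, O15, O20) and flags the same patterns automatically. The sample log is constructed from the lines in this post plus one made-up benign O4 entry so that an unflagged line is visible; the triage rules are the author's reading of the thread, not HijackThis's own logic.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O20"
    detail: str    # what HJT printed: DLL path, IP address or Run-key name
    reason: str    # why a reviewer should look at it; "" when nothing stood out


# One regex per HJT section format handled here.
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RE_O15 = re.compile(r"^O15 - Trusted IP range: (?P<ip>\S+)(?: \((?P<hive>HKLM)\))?$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def nested_under_system32(path: str) -> bool:
    """True when a file lives in a subfolder of system32 rather than in system32 itself.
    Winlogon Notify packages shipped with Windows are registered straight from system32."""
    parts = ntpath.dirname(path).lower().split("\\")
    return "system32" in parts and parts[-1] != "system32"


def triage(log_text: str) -> List[Finding]:
    """Parse the supported HJT lines and attach a review reason where a rule fires."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]

    # Pass 1: collect Winlogon Notify DLLs so O2 entries can be cross-referenced.
    notify_dlls = {m["path"].strip().lower() for ln in lines if (m := RE_O20.match(ln))}

    findings: List[Finding] = []
    for line in lines:
        if m := RE_O20.match(line):
            path = m["path"].strip()
            reason = "Winlogon Notify DLL is loaded into winlogon.exe at every logon"
            if nested_under_system32(path):
                reason += "; DLL sits in a subfolder of system32"
            findings.append(Finding("O20", path, reason))
        elif m := RE_O2.match(line):
            path = m["path"].strip()
            reasons = []
            if path.lower() in notify_dlls:
                reasons.append("same DLL is also registered as a Winlogon Notify package")
            if nested_under_system32(path):
                reasons.append("DLL sits in a subfolder of system32")
            findings.append(Finding("O2", path, "; ".join(reasons)))
        elif m := RE_O15.match(line):
            findings.append(Finding("O15", m["ip"], "Trusted-zone entry added by raw IP address"))
        elif m := RE_O4.match(line):
            findings.append(Finding("O4", m["name"], ""))
    return findings


def flagged(log_text: str) -> List[Finding]:
    """Only the findings that carry a review reason."""
    return [f for f in triage(log_text) if f.reason]


# Constructed sample: the lines quoted in the thread plus one made-up benign O4 entry.
SAMPLE_HJT = r"""
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\bits\splay.dll
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [Example Updater] C:\Program Files\Example\updater.exe
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O20 - Winlogon Notify: splay - C:\WINDOWS\system32\bits\splay.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        marker = "!!" if f.reason else "  "
        print(f"{marker} {f.section:<4} {f.detail}  {f.reason}")
```

The cross-reference in `triage` is the useful part: a BHO on its own is common, but the same DLL also hooked into winlogon.exe is the combination that keeps the file locked while the desktop is up, which is why the poster could not delete it from Explorer.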
  3. robert_harper

    robert_harper TS Rookie Topic Starter

    Thanks for replying so fast! However, I tried putting a check against them as you said and I uninstalled the Macromedia thingy as well. However, whenever I try and delete this splay.dll or the folder bits it says it's a locked system file??
    Is it because I'm not going into safe mode properly?? (i.e. I'm restarting, pressing F8, then selecting domain controllers? It says it is starting in safe mode.) But if I select safe mode it starts but freezes!

    Cheers
    Attached is another log
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

  5. robert_harper

    robert_harper TS Rookie Topic Starter

    one last problem ... ??

    Hey.. not sure why but that file won't delete... could it be because I'm using Windows XP and Dr. Delete works for 9x/ME???

    If so, what works for Windows XP??

    Cheers
     
  6. robert_harper

    robert_harper TS Rookie Topic Starter

    another thing

    One other thing that might help us figure it out is that each time I select the file for Dr. Delete to delete, my Antivir immediately points out it's a virus.

    Robert
     
  7. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Dr. Delete:
    Works on NT/2k/XP/2003 by calling the MoveFileEx() API function.
    Works on 9x/ME by appending/creating the WinInit.ini file.

    Switch off your virus program when you do this.
    If you follow the instructions correctly, it will reboot and then delete it.
     
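RealBlackStuff's note that Dr. Delete works on NT/2k/XP by calling MoveFileEx() describes the MOVEFILE_DELAY_UNTIL_REBOOT mechanism: the request is recorded in the registry value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations as a REG_MULTI_SZ of (source, destination) pairs, an empty destination meaning "delete", and Session Manager carries the operations out on the next boot before winlogon.exe loads its Notify DLLs. When a tool like this appears to do nothing, the first check is whether the entry was actually queued. The decoder below is an added example (not Dr. Delete's or the thread's code); the sample value is constructed to show a queued delete of splay.dll beside a made-up installer rename, and the Windows-only `read_live_value` helper is the author's assumption of how one would read the real value with the standard-library winreg module.

```python
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"   # MoveFileEx records paths in NT object-manager form


@dataclass
class PendingOp:
    source: str
    destination: Optional[str]   # None means "delete source at boot"
    replace_existing: bool       # set when MOVEFILE_REPLACE_EXISTING was used


def strip_nt_prefix(path: str) -> str:
    """Turn \\??\\C:\\dir\\file back into C:\\dir\\file for display."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_ops(multi_sz: List[str]) -> List[PendingOp]:
    """Decode the REG_MULTI_SZ written by MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT).

    Strings come in pairs: source then destination. An empty destination queues a
    delete; a destination starting with '!' records MOVEFILE_REPLACE_EXISTING.
    """
    if len(multi_sz) % 2:
        raise ValueError("PendingFileRenameOperations must hold an even number of strings")
    ops: List[PendingOp] = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        ops.append(PendingOp(
            source=strip_nt_prefix(src),
            destination=strip_nt_prefix(dst) if dst else None,
            replace_existing=replace,
        ))
    return ops


def pending_deletes(multi_sz: List[str]) -> List[str]:
    """Just the files queued for deletion, in Win32 path form."""
    return [op.source for op in decode_pending_ops(multi_sz) if op.destination is None]


def read_live_value() -> List[str]:
    """Windows only (assumed usage of the winreg module): read the real value, or [] if unset."""
    import winreg  # noqa: WPS433 - imported here so the module loads on non-Windows hosts
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        try:
            value, _type = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        except FileNotFoundError:
            return []
    return list(value)


# Constructed sample: a queued delete of the DLL from the thread, plus a made-up
# installer rename that replaces an existing file.
SAMPLE_VALUE = [
    "\\??\\C:\\WINDOWS\\system32\\bits\\splay.dll", "",
    "\\??\\C:\\Program Files\\Example\\new.dll", "!\\??\\C:\\Program Files\\Example\\old.dll",
]

if __name__ == "__main__":
    for op in decode_pending_ops(SAMPLE_VALUE):
        if op.destination is None:
            print(f"DELETE  {op.source}")
        else:
            flag = " (replace existing)" if op.replace_existing else ""
            print(f"RENAME  {op.source} -> {op.destination}{flag}")
```

Reading this value is also a routine incident-response check in its own right: anything queued here runs with SYSTEM privileges at the next boot, so an unexpected entry is worth understanding before rebooting.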
  8. robert_harper

    robert_harper TS Rookie Topic Starter

    OK. I've uninstalled my antivirus now and rebooted into safe mode, then opened Dr. Delete and tried again. I restarted and the virus is still there!!

    I could send another Hijack This log I guess. Would that help?

    Thanks for all your help by the way, it's nice of you to take the time for my constant questions lol

    Cheers
    Rob
     
  9. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

  10. robert_harper

    robert_harper TS Rookie Topic Starter

    No luck!

    Afraid no luck so far! Sorry to keep on, but please keep trying... this is so annoying; I will be soo soooo much more careful in the future!
    Cheers
    Rob

    Please find log attached
     
  11. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Go to this link and follow the advice from 'Oldtimer'.
    http://www.bleepingcomputer.com/for...ease_Help_Anaylize-tx18521-0.html#entry113819

    Where they talk about wnet.dll, substitute your splay.dll.

    These are your HJT lines to worry about (forget about the other lines):
    O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\bits\splay.dll
    O20 - Winlogon Notify: splay - C:\WINDOWS\system32\bits\splay.dll


    Make sure you do the fixvundo.reg as well, that is the main bummer!
     
     
  12. robert_harper

    robert_harper TS Rookie Topic Starter

    Thank you THANK YOU!!

    YES! This has worked! Thanks sooo much. I don't know how you knew to do all that, but it worked!! I really appreciate all your help! Very good of you.

    Here's a log to show you.
    Robert Harper

    If you need any pet stuff or need advice, I run a pet shop, so just email me. Or anyone else!
     
  13. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Glad you got sorted.
     
Topic Status:
Not open for further replies.