Trojan


tom

Picked up a nasty when opening a web site the other day and can't seem to
shake it. Am using updated CA anti-virus but it allowed the infection even
though it recognizes it but can't rid my system of it. I routinely clean out
history files and caches. I keep deleting files but it keeps recreating
them. It keeps re-establishing itself in the "start" menu in run/msconfig. I
have to "end process" of an unusual numbered process in task manager every
time I re-boot. The files that it keeps replicating are in "C/Windows" and
was "norton exe" but has now become "winform exe". Have tried Kaspersky,
Panda and CA on-line scanners but no luck. Below are the CA prompts I keep
getting. Any ideas? Tom G.

2007/03/29 11:30:24.656 File infection: C:\Documents and
Settings\tomnvik.TOMNVIK-NBMH3UY\Local Settings\Temporary Internet
Files\Content.IE5\MPAXATKL\moyu0328[1].exe is Win32/Frethog!generic trojan.
Deleted
2007/03/29 11:30:24.734 File infection: C:\WINDOWS\System32\kdjs1.exe is
Win32/Frethog!generic trojan. Deleted
2007/03/29 11:30:24.734 File infection: C:\WINDOWS\System32\kdjs1.exe is
Win32/Frethog!generic trojan.
2007/03/29 11:30:24.750 File infection: C:\WINDOWS\System32\kdjs1.exe is
Win32/Frethog!generic trojan.
2007/03/29 11:30:24.765 File infection: C:\WINDOWS\System32\kdjs1.exe is
Win32/Frethog!generic trojan.
2007/03/29 11:30:25.578 File infection: C:\Documents and
Settings\tomnvik.TOMNVIK-NBMH3UY\Local Settings\Temporary Internet
Files\Content.IE5\OLCNQP8D\wow0328[1].exe is Win32/Frethog!generic trojan.
Deleted
2007/03/29 11:30:25.625 File infection: C:\WINDOWS\System32\kdjs2.exe is
Win32/Frethog!generic trojan. Deleted
2007/03/29 11:30:25.640 File infection: C:\WINDOWS\System32\kdjs2.exe is
Win32/Frethog!generic trojan.
2007/03/29 11:30:25.656 File infection: C:\WINDOWS\System32\kdjs2.exe is
Win32/Frethog!generic trojan.
2007/03/29 11:30:25.656 File infection: C:\WINDOWS\System32\kdjs2.exe is
Win32/Frethog!generic trojan.
2007/03/29 11:30:26.812 File infection: C:\WINDOWS\System32\winform.dll is
Win32/Frethog.IS trojan. Deleted
2007/03/29 11:30:26.828 File infection: C:\WINDOWS\System32\winform.dll is
Win32/Frethog.IS trojan.
2007/03/29 11:30:26.828 File infection: C:\WINDOWS\System32\winform.dll is
Win32/Frethog.IS trojan.
2007/03/29 11:31:23.343 File infection: C:\Documents and
Settings\tomnvik.TOMNVIK-NBMH3UY\Local
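
The CA log above reports each System32 file again within milliseconds of "Deleted", which is the pattern of a still-running process dropping the file back rather than of a scan that merely repeats itself. The script below is an added example and not part of the thread: it re-joins the log lines the newsgroup client wrapped, parses them, and counts re-detections that follow a deletion. The record layout is inferred from the quoted lines only (an assumption, not CA's documented format), and the sample is the post's own text minus the truncated last record.

```python
"""Re-detection check over the CA anti-virus log lines quoted in the post.

Added example, not part of the thread. The record format below is an
assumption read off the quoted lines, not CA's documented log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the lines from the post, still wrapped at ~75 columns
# by the newsgroup client; the truncated final record is omitted.
SAMPLE_LOG = r"""
2007/03/29 11:30:24.656 File infection: C:\Documents and
Settings\tomnvik.TOMNVIK-NBMH3UY\Local Settings\Temporary Internet
Files\Content.IE5\MPAXATKL\moyu0328[1].exe is Win32/Frethog!generic trojan.
Deleted
2007/03/29 11:30:24.734 File infection: C:\WINDOWS\System32\kdjs1.exe is
Win32/Frethog!generic trojan. Deleted
2007/03/29 11:30:24.734 File infection: C:\WINDOWS\System32\kdjs1.exe is
Win32/Frethog!generic trojan.
2007/03/29 11:30:24.750 File infection: C:\WINDOWS\System32\kdjs1.exe is
Win32/Frethog!generic trojan.
2007/03/29 11:30:24.765 File infection: C:\WINDOWS\System32\kdjs1.exe is
Win32/Frethog!generic trojan.
2007/03/29 11:30:25.578 File infection: C:\Documents and
Settings\tomnvik.TOMNVIK-NBMH3UY\Local Settings\Temporary Internet
Files\Content.IE5\OLCNQP8D\wow0328[1].exe is Win32/Frethog!generic trojan.
Deleted
2007/03/29 11:30:25.625 File infection: C:\WINDOWS\System32\kdjs2.exe is
Win32/Frethog!generic trojan. Deleted
2007/03/29 11:30:25.640 File infection: C:\WINDOWS\System32\kdjs2.exe is
Win32/Frethog!generic trojan.
2007/03/29 11:30:25.656 File infection: C:\WINDOWS\System32\kdjs2.exe is
Win32/Frethog!generic trojan.
2007/03/29 11:30:25.656 File infection: C:\WINDOWS\System32\kdjs2.exe is
Win32/Frethog!generic trojan.
2007/03/29 11:30:26.812 File infection: C:\WINDOWS\System32\winform.dll is
Win32/Frethog.IS trojan. Deleted
2007/03/29 11:30:26.828 File infection: C:\WINDOWS\System32\winform.dll is
Win32/Frethog.IS trojan.
2007/03/29 11:30:26.828 File infection: C:\WINDOWS\System32\winform.dll is
Win32/Frethog.IS trojan.
"""

TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}"
STARTS_RECORD = re.compile(TS + " ")
RECORD = re.compile(
    rf"^(?P<ts>{TS}) File infection: (?P<path>.+?) is (?P<name>\S+) "
    r"trojan\.(?P<deleted> Deleted)?$"
)


def parse_record(line):
    """One re-joined log line -> dict, or None if it is not a detection."""
    m = RECORD.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
        "path": m["path"],
        "name": m["name"],
        "deleted": m["deleted"] is not None,
    }


def iter_records(text):
    """Yield parsed records, re-joining wrapped continuation lines.

    A line that does not start with a timestamp is the tail of the
    previous record; the client wrapped at a space, so join with one.
    """
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if STARTS_RECORD.match(line) and pending:
            rec = parse_record(" ".join(pending))
            if rec:
                yield rec
            pending = []
        pending.append(line)
    if pending:
        rec = parse_record(" ".join(pending))
        if rec:
            yield rec


def redetections(records, window=timedelta(seconds=5)):
    """Per path (lower-cased), count detections that follow a 'Deleted'
    within `window`. A file seen again milliseconds after deletion was
    either recreated by a live process or never actually removed."""
    last_deleted = {}
    counts = defaultdict(int)
    for rec in records:
        path = rec["path"].lower()
        if path in last_deleted and rec["ts"] - last_deleted[path] <= window:
            counts[path] += 1
        if rec["deleted"]:
            last_deleted[path] = rec["ts"]
    return dict(counts)


if __name__ == "__main__":
    recs = list(iter_records(SAMPLE_LOG))
    for path, n in redetections(recs).items():
        print(f"{n} re-detection(s) within 5s of deletion: {path}")
```

Run against the sample, only the three System32 files come back (the two downloads in Temporary Internet Files are deleted once and stay gone). That is the same thing Tom sees by hand: deleting files and Run entries is pointless while the process that writes them is still running, so the process has to be stopped first, which is the reason for the safe-mode advice later in the thread.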
 

pcbutts1

Download this, run it, save a copy of the log file and post it here in this
group so I can analyze it.
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php


--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com, David
H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell



 

Leythos

Download this, run it, save a copy of the log file and post it here in this
group so I can analyze it.
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

Download it and post the logs to where the instructions tell you to post
the logs, and that would not be to ANY Usenet group.

How come you're not providing hijackthis from your own website any more?


--
Want to know what PCBUTTS1 is really about?
*** WARNING - this link contains foul/pornographic content of an
abusive nature created by PCBUTTS1 and still hosted on his public
website ***
http://www.pcbutts1.com/downloads/leythos.htm
 

David H. Lipman


It is strongly suggested NOT to use Trend Micro's version of HiJack This! (HJT) until it is
no longer a beta product.

Download and execute the original HJT...
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a HJT log file and post it in one of the below locations...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.malwarebytes.org/forums/index.php?showforum=7
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13
 

pcbutts1

The thief speaks! Your sock puppet Leythos has done a terrible job speaking
up for you. How's that website coming, Dave? Doesn't feel too good, does it? I
would really love to take credit for that but I can't; I don't steal. How
come you don't have the balls to speak up in the NG like you do in all those
abuse complaints you file against me? Hey, guess what, my site is still up.




 

Leythos

The thief speaks! your sock puppet Leythos has done a terrible job
speaking up for you.

I don't, now or ever, speak for anyone except myself
Hey guess what, my site is still up.

Hey, guess what, the content that the complaints were filed against is NOT
on your site any more - there are no working links to it, and you don't
have the balls to put it back online because you know what your hosting
provider will do next.

 

Poster 60

Turn off system restore until you get rid of the trojan. When you can scan
your system and all is clean, then turn it back on.
 

tom

Poster 60 said:
Turn off system restore until you get rid of the trojan. When you can scan
your system and all is clean, then turn it back on.




My system restore has been turned off for months before picking up this
infection. AV can't clean infection. Just tonight my homepage has turned
Chinese. Updates for AdAware have been disabled since infection.
Re-installation doesn't help. No response to my hijack this posting.
Considering a reformat.
 

Poster 60

tom said:
My system restore has been turned off for months before picking up this
infection. AV can't clean infection. Just tonight my homepage has turned
Chinese. Updates for AdAware have been disabled since infection.
Re-installation doesn't help. No response to my hijack this posting.
Considering a reformat.


Go to the registry (regedit) and search for the references to the files
norton.exe and winform.exe. Delete those references to them. The references
in msconfig will be deleted automatically at the same time. That should stop
the trojan process.
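
The registry search Poster 60 describes, done as a script rather than by hand in regedit. This is an added example and not code from any poster: it enumerates the Run/RunOnce keys that msconfig's Startup tab is backed by plus the Winlogon Shell/Userinit values (assumed XP-era locations; the Startup folders are not covered) and reports any entry whose command line names one of the files mentioned in the thread. The live read needs Windows; the matching logic is plain Python and is shown on a constructed sample whose paths and rundll32 entry point are invented.

```python
"""Autostart audit for the persistence described in the thread.

Added example, not code from any of the posters. Assumptions: the
registry locations listed in AUTOSTART_KEYS are the ones behind
msconfig's Startup tab and Winlogon; SAMPLE_ENTRIES is invented.
"""
import fnmatch
import os
import re

try:
    import winreg  # present on Windows only
except ImportError:
    winreg = None

# (hive, subkey) pairs to enumerate.
AUTOSTART_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"),
]

# File names from the thread; kdjs*.exe generalises the two numbered
# copies (kdjs1.exe, kdjs2.exe) the CA log shows.
WATCHED = ["norton.exe", "winform.exe", "winform.dll", "kdjs*.exe"]


def referenced_files(command):
    """Lower-cased base names of every .exe/.dll a command line names.

    Quoted paths keep their spaces; 'rundll32 x.dll,Entry' and the
    Winlogon 'a.exe,b.exe' list form are split on the comma.
    """
    names = set()
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', command):
        for tok in (quoted or bare).split(","):
            base = os.path.basename(tok.replace("\\", "/")).lower()
            if base.endswith((".exe", ".dll", ".com", ".scr")):
                names.add(base)
    return names


def find_suspect_entries(entries, watched=WATCHED):
    """entries: iterable of (location, value_name, command).
    Returns the entries referencing a watched file, plus the base name."""
    hits = []
    for location, value_name, command in entries:
        for base in sorted(referenced_files(command)):
            if any(fnmatch.fnmatchcase(base, pat) for pat in watched):
                hits.append((location, value_name, command, base))
    return hits


def read_live_autostarts():
    """Enumerate string values under AUTOSTART_KEYS. Empty off Windows."""
    entries = []
    if winreg is None:
        return entries
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for hive, sub in AUTOSTART_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], sub)
        except OSError:
            continue  # key absent on this Windows version
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                if isinstance(value, str):
                    entries.append((hive + "\\" + sub, name, value))
                index += 1
    return entries


# Constructed sample of what the enumeration might return on the
# infected machine; the AV path and the rundll32 entry point are invented.
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Realtime Monitor",
     r'"C:\Program Files\CA\Antivirus\realmon.exe" -s'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "winform",
     r"C:\WINDOWS\System32\winform.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "kdjs",
     r"rundll32.exe C:\WINDOWS\System32\winform.dll,Start"),
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\kdjs2.exe"),
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
     "Explorer.exe"),
]

if __name__ == "__main__":
    entries = read_live_autostarts() or SAMPLE_ENTRIES
    for location, name, command, base in find_suspect_entries(entries):
        print(f"{base:12} <- {location}\\{name} = {command}")
```

The Winlogon Userinit case is the one a plain value-name search in regedit misses: the malicious path is appended after the legitimate userinit.exe in a single value, so deleting the whole value would break logon and only the trailing entry should be removed. The same caveat as for the files applies to the registry entries: Tom reports them coming back, so stop the process first (end process, or scan from safe mode) and only then remove the references.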
 

Bart Bailey

My system restore has been turned off for months before picking up this
infection. AV can't clean infection. Just tonight my homepage has turned
Chinese. Updates for AdAware have been disabled since infection.
Re-installation doesn't help. No response to my hijack this posting.
Considering a reformat.

Just save any dynamic data (email etc) and reload the last image you
dumped before the onset of problems, you do ghost your system regularly?
 

nashraf.nasa


Try booting into safe mode and scanning again. This might prevent the
trojan from recreating itself, so it can be eliminated. I also recommend
that you try Trend Micro Sysclean, scanning in safe mode. Another
alternative would be Microworld MWAV, based on the Kaspersky engine. Both
are standalone virus cleaners and very effective against a wide range of
malware.
 
