
Need help really bad! =(

Posted: Sat Aug 07, 2004 9:06 am
by sCArs
This will be my first topic post, sadly it isn't a happy one :(

A "friend" sent me a game by email, and I got a trojan. I knew something was wrong when it changed my dial-up user name (it added numbers, e.g. scars2.54.67 blah blah blah) and the phone number. I downloaded trojan removers and had free virus scans and all that, but it came up with nothing. Then I went to C:/WINDOWS, and found a program called "internet.exe", and it stood out because it had NO ICON. Then I went into system32, and found a program called "explorer.exe", also with NO ICON. I deleted them, and restarted, but it still changes my user name and phone number. I have no idea what to do... if anyone can help, it would be MUCH appreciated!!! I'm really scared, I hope it doesn't dial numbers or anything, or I am dead!!! Just for reference, the number it dials is 00114382082018424. I've tried to look it up on google.com, but found nothing.

Posted: Sat Aug 07, 2004 9:13 am
by Luke
I don't really know how to help, but these programs have always proved useful to me in stressful computer situations:

HiJack This: http://www.spychecker.com/program/hijackthis.html

This should restore your browser settings. Find a spyware forum and post the results of your scan. They'll tell you which boxes to check to be fixed. Or you could even post it here, and I or someone with a better grasp might be able to help.

Ad Aware: http://www.lavasoftusa.com/software/adaware/

Spyware remover, and even if it doesn't directly address this (which it might, I don't know), it will remove junk you don't need from the computer.

There may be a problem with your registry. Of course, be careful what you delete, though, in any case.

It could be worse. At least you're still able to get online and you haven't lost anything.

Posted: Sat Aug 07, 2004 9:25 am
by englishboy
As Luke said, Lavasoft's AdAware is excellent and free. (Donate a few bucks to them if it works for you.)

But I tend to think that Spybot Search and Destroy is superior to most other useware (read: free) spyware programs. You should be able to find it by typing "spybot search and destroy" into Google. If you can't find it, let me know, and I'll grab the URL for you.

Posted: Sat Aug 07, 2004 9:29 am
by sCArs
OK thanks so much, I'll check them out now :D

Posted: Sat Aug 07, 2004 9:32 am
by sCArs
Here's the log:

Logfile of HijackThis v1.97.7
Scan saved at 1:32:06 AM, on 8/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\program files\notes6\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Logitech\system\em_exec.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\qt\Desktop\Warwick's Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www-internal.qdot.qld.gov.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www-internal.qdot.qld.gov.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Queensland Government
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4c\NHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\System32\zentray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [BGInfo] C:\WINDOWS\system32\wscript.exe c:\windows\system32\BGInfo.vbe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\explorer.exe -go -c2 -w
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Details.lnk = C:\SETUP\Scripts\igtcd32.vbe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Startup.lnk = C:\SETUP\Scripts\startXP.vbe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Novell delivered applications (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www-internal.qdot.qld.gov.au/
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc ... tor/sw.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5CFC72D-4E0B-4060-BACE-F19632306E17}: Domain = qdot.qld.gov.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5CFC72D-4E0B-4060-BACE-F19632306E17}: NameServer = 165.240.0.77,165.240.4.22,165.240.4.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5DE4A42-0F66-42C3-9824-B844030C0A2E}: Domain = qdot.qld.gov.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5DE4A42-0F66-42C3-9824-B844030C0A2E}: NameServer = 165.240.0.77,165.240.4.22,165.240.4.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7B60FE8-7715-44A1-A316-80215CEB0B90}: NameServer = 203.194.27.57 203.194.56.150

Posted: Sat Aug 07, 2004 1:00 pm
by Mushu2083
I hate it when that happens. I've had that happen to me once. A friend of mine sent me an e-mail attachment, but she didn't know that it had a virus, so I opened the attachment and got the virus. Here's a little tip for you: next time you are sent an e-mail with an attachment, scan the attachment first to see if there are any viruses present. Usually your anti-virus software will automatically get rid of the virus if there are any in the attachment. Just be careful.

Posted: Sat Aug 07, 2004 3:26 pm
by SofaKing381222
SPY SWEEPER


Always gets rid of Trojans

Posted: Sun Aug 08, 2004 10:52 am
by sCArs
OK, It's all sorted out now, I found what was wrong, and now it works fine! Thanks everyone for your help! I owe you's! :D :) :lol: 8) :P :wink: :twisted:

Posted: Sun Aug 08, 2004 11:16 am
by Luke
Glad it's fixed. The one thing that stands out from the HiJackThis scan is:
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4c\NHelper.dll
BHOs (Browser Helper Objects) are rarely something you'd want, but perhaps this is something you intentionally installed?
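
Added example, not part of the original thread: a small Python triage of HijackThis lines like those posted above, which marks entries for a manual look rather than giving verdicts. The expected-folder table and the vetted-CLSID allowlist are assumptions made for this illustration.

```python
import ntpath
import re

# Excerpt of the HijackThis log posted in this thread (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4c\NHelper.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\explorer.exe -go -c2 -w
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

# Assumption: Windows is installed in C:\WINDOWS, as in the posted log.
EXPECTED_DIR = {"explorer.exe": r"c:\windows", "ctfmon.exe": r"c:\windows\system32"}
# Hypothetical reviewer allowlist of vetted BHO CLSIDs (the Adobe Reader helper).
VETTED_BHO = {"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"}

ENTRY = re.compile(r"^(O\d+) - (.*)$")
RUN = re.compile(r'^.+?Run: \[[^\]]+\] "?(.+?\.exe)', re.I)
BHO = re.compile(r"^BHO: .*? - (\{[0-9A-F-]+\}) - (.+)$", re.I)
DPF = re.compile(r"^DPF: (\{[0-9A-F-]+\})(?: \(.*?\))? - (.+)$", re.I)

def triage(log_text):
    """Return (section, reason, detail) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O4" and (r := RUN.match(body)):
            folder, image = ntpath.split(r.group(1))
            want = EXPECTED_DIR.get(image.lower())
            # A bare name such as NWTRAY.EXE carries no folder to compare.
            if want and folder and folder.lower() != want:
                findings.append((section, "system binary name in unexpected folder", r.group(1)))
        elif section == "O2" and (b := BHO.match(body)):
            if b.group(1).upper() not in VETTED_BHO:
                findings.append((section, "unvetted browser helper object", b.group(2)))
        elif section == "O16" and (d := DPF.match(body)):
            if d.group(2).lower().startswith("file:"):
                findings.append((section, "ActiveX control installed from local file", d.group(2)))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```

On the excerpt it reports the NavHelper BHO mentioned above, the Run entry for explorer.exe in system32, and the DPF entry loaded from file://c:\explorer.cab.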