cmoney0954
New Member
..
Last edited:
Trojan Help
- Thread starter cmoney0954
- Start date
cmoney0954
New Member
..
Last edited:
cmoney0954
New Member
..
Last edited:
GameMaster
New Member
It seems that the Trojan is placed in a legit file. That msCMTSrvc.exe is a monitoring tool and it's a legit file but you can delete ( in fact you should ).
I think I didn't understand you very well, where is the Trojan located now?
You have to delete the file to get rid of the Trojan but that won't do it all.
Please do the following:
Open HijackThis and click on Config, then Misc Tools, and then press the Delete an NT service.. button. When it opens you should then enter the service name and press OK.
msCMTSrvc
Now navigate to and delete the file.
I think I didn't understand you very well, where is the Trojan located now?
You have to delete the file to get rid of the Trojan but that won't do it all.
Please do the following:
Open HijackThis and click on Config, then Misc Tools, and then press the Delete an NT service.. button. When it opens you should then enter the service name and press OK.
msCMTSrvc
Now navigate to and delete the file.
ceewi1
VIP Member
Your logfile shows signs of malware, and not just the file that AVG was detecting. Among other things, your logfile shows that you have Weatherbug.
Weatherbug is a utility that shows current weather conditions and future weather forecasts for your locale. It is an adware supported product, which contains both banner and pop-up ads. It is often installed as a secondary application with many popular pieces of software. If you're looking for a free alternative that doesn't display ads, you may want to try WeatherPulse
I recommend you uninstall it. If you wish to do so, please click on Start -> Control Panel -> Add or Remove Programs. If Weatherbug appears, click on it and click Remove.
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Please run HijackThis and choose Do a system scan only.
Place a check next to the following entries (if still present):
If you chose to remove Weatherbug also place a check next to the following entry (if still present):
Please download the OTMoveIt2 by OldTimer.
Please Post
Weatherbug is a utility that shows current weather conditions and future weather forecasts for your locale. It is an adware supported product, which contains both banner and pop-up ads. It is often installed as a secondary application with many popular pieces of software. If you're looking for a free alternative that doesn't display ads, you may want to try WeatherPulse
I recommend you uninstall it. If you wish to do so, please click on Start -> Control Panel -> Add or Remove Programs. If Weatherbug appears, click on it and click Remove.
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
- Doubleclick the drweb-cureit.exe file and Allow to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, Click Options > Change settings
- Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
- Back at the main window, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, look if you can click next icon next to the files found:
- If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples) - After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
Please run HijackThis and choose Do a system scan only.
Place a check next to the following entries (if still present):
- O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
- O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
- O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
- O23 - Service: Windows Host Services (ExplorerSvc) - Unknown owner - C:\WINDOWS\system\explorer.exe
- O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
If you chose to remove Weatherbug also place a check next to the following entry (if still present):
- O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
Please download the OTMoveIt2 by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt2.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:C:\WINDOWS\system\explorer.exe C:\WINDOWS\system32\msCMTSrvc.exe - Return to OTMoveIt2, right click in the Paste List of Files/Folders to be Moved window (under the light blue bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. These results are also located at C:\_OTMoveIt\MovedFiles\Date_Time.log, where Date_Time is the date and time you ran OTMoveIt.
- Close OTMoveIt2
Please Post
- The Dr. Web CureIt! results
- The OTMoveIt2 results
- A new HijackThis log
Last edited:
cmoney0954
New Member
..
Last edited:
ceewi1
VIP Member
That's great, just a few leftovers.
Please run Notepad and copy the contents of the codebox below into a new Notepad document. Please do not include the word Code:
Save the file to your Desktop as remove.bat and make sure the Save as type field says All files. Double click on remove.bat
You are using an older version of Adobe Reader, which contains some security flaws. You can download the latest version by going to http://www.adobe.com/ and clicking on Get Adobe Reader.
You desperately need to update your Windows XP to Service Pack 2 since it is probably the most important security update they have ever created and running without it almost guarantees you will get infected again. You can obtain Service Pack 2 from http://update.microsoft.com/
Once you've updated to Service Pack 2, please also download all critical updates from http://update.microsoft.com/
Please post back indicating how the update to Service Pack 2 went, as any problems with the update may indicate that there is still malware on your system. How is your system running now?
Please run Notepad and copy the contents of the codebox below into a new Notepad document. Please do not include the word Code:
Code:
sc delete ExplorerSvc
sc delete msCMTSrvcSave the file to your Desktop as remove.bat and make sure the Save as type field says All files. Double click on remove.bat
You are using an older version of Adobe Reader, which contains some security flaws. You can download the latest version by going to http://www.adobe.com/ and clicking on Get Adobe Reader.
You desperately need to update your Windows XP to Service Pack 2 since it is probably the most important security update they have ever created and running without it almost guarantees you will get infected again. You can obtain Service Pack 2 from http://update.microsoft.com/
Once you've updated to Service Pack 2, please also download all critical updates from http://update.microsoft.com/
Please post back indicating how the update to Service Pack 2 went, as any problems with the update may indicate that there is still malware on your system. How is your system running now?
cmoney0954
New Member
..
Last edited:
ceewi1
VIP Member
You're most welcome.
Below I have included some ideas on how to prevent future infections.
Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.
Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer.
Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.
As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.
Some good free firewalls are ZoneAlarm, Kerio, or Outpost. All of these will provide a far greater level of protection than the firewall built into Windows.
A tutorial on understanding and using firewalls may be found here.
Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's
Immunize and TeaTimer features if you don't have the resident part of another anti-spyware program running.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.
SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.
If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.
Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.
Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure are looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScripts, can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here
Opera is available here: http://www.opera.com/download/
Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.
Below I have included some ideas on how to prevent future infections.
Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.
Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer.
Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.
As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.
Some good free firewalls are ZoneAlarm, Kerio, or Outpost. All of these will provide a far greater level of protection than the firewall built into Windows.
A tutorial on understanding and using firewalls may be found here.
Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's
Immunize and TeaTimer features if you don't have the resident part of another anti-spyware program running.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.
SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.
If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.
Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.
Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure are looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScripts, can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here
Opera is available here: http://www.opera.com/download/
Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.