| Thread ID: 92648 | 2008-08-17 10:55:00 | Trojan Horses invaded computer | umila (13079) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 698121 | 2008-08-17 10:55:00 | I have found numerous trojan horses on my system detected by AVG, and I do manage to get them removed to the vault, but they keep reappearing. They are named as trojan horse Dialer SAP, Trojan Horse Pakes.O, trojan horse BackDoor Agent.UAC, trojan horse PSW.OnlineGames.AYGY, Generic10.BBP, etc. Also have two programs wanting access from the computer since last Friday, sss.exe and maomaochong.exe, which are no doubt related to the trojans found. Any assistance in removal would be greatly appreciated, but please note I am unfamiliar with the technical side of computers. Thanking you. I attach the HijackThis log, and am in the process of scanning with SUPERAntiSpyware.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:07 PM, on 08/17/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\SiSAudUt.exe
C:\WINNT\Twain_32\3730\SButton.Exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ChronosXP\ChronosXP.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\AstroClock\AstroClock.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lunabar\Lunabar.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS7012Utility] C:\WINNT\System32\SiSAudUt.exe -wdm
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SmartButton] C:\WINNT\Twain_32\3730\SButton.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ChronosXP] "C:\Program Files\ChronosXP\ChronosXP.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT Startup: AstroClock.lnk = C:\Program Files\AstroClock\AstroClock.exe (User 'Default user')
O4 - .DEFAULT Startup: Lunabar Taskbar Icon.lnk = C:\Program Files\Lunabar\Lunabar.exe (User 'Default user')
O4 - Startup: AstroClock.lnk = C:\Program Files\AstroClock\AstroClock.exe
O4 - Startup: Lunabar Taskbar Icon.lnk = C:\Program Files\Lunabar\Lunabar.exe
O4 - Global Startup: Real-time Monitor.lnk = C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

-- End of file - 6707 bytes |
umila (13079) | ||
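A HijackThis log is just a flat text dump, and the question behind the post above is "what starts at boot, where does it load from, and do the two named binaries show up anywhere". The Python below is an added example, not from the thread or from HijackThis: it parses the O4 (Run keys and Startup folders), O16 (ActiveX downloads) and O23 (services) sections, lists every autostart image, and checks a watchlist of names against both the running-process list and the autostart images. The sample log is constructed: a handful of lines copied from the posted log plus one hypothetical HKCU Run entry for sss.exe, included only so the watchlist check has something to hit (the real log shows no such entry, which is exactly the gap a responder would want to confirm). The "per-user Run entry pointing into system32" heuristic is an assumption for illustration, not an AVG or HijackThis rule.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a few lines from the posted log plus ONE hypothetical
# HKCU Run entry for sss.exe (not in the real log) so a watchlist hit is shown.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [sss] C:\WINNT\system32\sss.exe
O4 - Startup: Lunabar Taskbar Icon.lnk = C:\Program Files\Lunabar\Lunabar.exe
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
-- End of file - 6707 bytes
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d+) - (.*)$")
O4_RUN_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_LNK_RE = re.compile(r"^(?P<where>.+?): (?P<name>.+?\.lnk) = (?P<cmd>.+)$", re.I)
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)")
O23_RE = re.compile(r"^Service: (?P<name>.+?) \((?P<short>[^)]*)\) - (?P<vendor>.+?) - (?P<cmd>.+)$")
# First quoted or unquoted path ending in an executable extension; arguments are dropped.
IMAGE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|com|scr|pif|bat|dll|ocx))', re.I)


def image_path(cmd):
    """Strip quotes and trailing arguments from a command line, keeping the image path."""
    m = IMAGE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def parse_hjt(text):
    """Group a HijackThis log into {section: [entry, ...]}; 'processes' is the running-process list."""
    sections = defaultdict(list)
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the process block
            in_procs = False
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            sections["processes"].append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections


def autostart_entries(sections):
    """Return (source, name, image) for every O4 Run/RunOnce/Startup entry and O23 service."""
    out = []
    for entry in sections.get("O4", []):
        m = O4_RUN_RE.match(entry) or O4_LNK_RE.match(entry)
        if m:
            src = m.groupdict().get("hive") or m.groupdict().get("where")
            out.append((src, m.group("name"), image_path(m.group("cmd"))))
    for entry in sections.get("O23", []):
        m = O23_RE.match(entry)
        if m:
            out.append(("Service", m.group("short"), image_path(m.group("cmd"))))
    return out


def watchlist_hits(sections, names):
    """Where do the watched binaries appear: as a running process or as an autostart image?"""
    wanted = {n.lower() for n in names}
    hits = []
    for proc in sections.get("processes", []):
        if proc.rsplit("\\", 1)[-1].lower() in wanted:
            hits.append(("process", proc))
    for src, _name, image in autostart_entries(sections):
        if image.rsplit("\\", 1)[-1].lower() in wanted:
            hits.append((src, image))
    return hits


def dpf_hosts(sections):
    """Hosts that O16 ActiveX controls were fetched from, for manual vetting."""
    return [(m.group("name"), urlparse(m.group("url")).netloc)
            for m in map(O16_RE.match, sections.get("O16", [])) if m]


def odd_autostarts(sections):
    """Assumed heuristic: a per-user (HKCU) Run entry whose image sits in the system
    directory is unusual for legitimate software and deserves a second look."""
    return [(name, image) for src, name, image in autostart_entries(sections)
            if src.upper().startswith("HKCU") and "\\system32\\" in image.lower()]


if __name__ == "__main__":
    secs = parse_hjt(SAMPLE_LOG)
    for row in autostart_entries(secs):
        print("autostart:", row)
    print("watchlist:", watchlist_hits(secs, ["sss.exe", "maomaochong.exe"]))
    print("ActiveX hosts:", dpf_hosts(secs))
    print("odd HKCU entries:", odd_autostarts(secs))
```

Run it against the full log pasted above (save it to a file and pass the text to `parse_hjt`) and the watchlist comes back empty: neither sss.exe nor maomaochong.exe is visible as a process, Run entry, Startup shortcut or service, which means the log alone does not show how they are being launched.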
| 698122 | 2008-08-17 11:19:00 | Turn off System Restore before you scan again; your infections are most likely reinstalling from there (files in there aren't scanned (usually), as they are hidden from the operating system). | feersumendjinn (64) | ||
| 698123 | 2008-08-17 11:24:00 | Download Trojan Remover (http://www.simplysup.com/), as well as Malwarebytes and Spyware Terminator from my sig; install and run. Run Malwarebytes & Spyware Terminator in full scan mode. The HijackThis: rerun and tick the following to remove a couple of bugs. There are a few items that can be removed to speed things up, but do this first.

O4 - HKLM\..\Run: [SmartButton] C:\WINNT\Twain_32\3730\SButton.Exe

Just looking at your log, do you still have Trend Micro PC-cillin 2000 installed? If you do, uninstall it, as you can't run two or more AVs together; they can cause problems. Might also pay to download Avast (http://www.avast.com/eng/download-avast-home.html) Antivirus, and remove / replace AVG, as it's causing a few problems and missing too many infections lately. |
wainuitech (129) | ||
| 698124 | 2008-08-17 11:31:00 | I see you have three antivirus progs running (Ewido, AVG 7, and PC-cillin), not a good idea, they'll conflict with each other, uninstall a couple. | feersumendjinn (64) | ||
| 698125 | 2008-08-17 12:15:00 | Service pack 3 would be a good idea. Once you have cleaned up that machine. | apsattv (7406) | ||
| 698126 | 2008-08-17 21:46:00 | You can also tick these, then tick "Fix checked" after doing the above. Close browsers first.

C:\WINNT\Twain_32\3730\SButton.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

Yup, uninstall ZoneAlarm or Ewido, and uninstall AVG or Trend Micro. |
Speedy Gonzales (78) | ||
| 698127 | 2008-08-17 21:46:00 | "Service pack 3 would be a good idea. Once you have cleaned up that machine." It's Windows 2000, not XP. SP4 is installed, which is the latest for 2000. |
Speedy Gonzales (78) | ||
| 698128 | 2008-08-17 22:52:00 | Hi guys, thanks for your replies. I have Windows 2000. I have AVG live; the Ewido and PC-cillin are not activated. Ewido I use to scan only. I did find a link on the internet from Trend... but it wanted me to go to regedit to remove something and to do a backup, but I'm not sure how to do the registry backup for Wk2. I am at work at the moment and will try your suggestions tonight, and maybe give it a go or otherwise get an 'expert' to fix the trojan, as it has done quite a bit of mischief according to Trend... Many thanks, Umila |
umila (13079) | ||
| 1 | |||||