| Thread ID: 85587 | 2007-12-15 08:43:00 | New Trojan | Luppi (12974) | Press F1 |
| Post ID | Timestamp | User |
| 621358 | 2007-12-15 08:43:00 | Luppi (12974) |
I got a new trojan on my PC that has infected my C:\Windows\System32\NTSpool.exe. I have the latest avast antivirus installed, and it tells me to add to chest. I do that, and then some Windows error comes up, cannot execute process or something. The trojan name in avast is Win32:Agent-OJX [Trj] and I cannot find any information about this trojan anywhere on the internet. What can I do, how can I get rid of it?
| 621359 | 2007-12-15 08:50:00 | Speedy Gonzales (78) |
Didn't Avast ask if u wanted to put it in the chest? Looks like that NTSPool file also belongs to Bifrose (www.symantec.com) or this variant (www.symantec.com). Try Trojan Remover in my sig, see if that picks up anything. Install it, update it, then click on scan. Then select all options under utilities.
| 621360 | 2007-12-15 09:18:00 | Luppi (12974) |
I am beginning to have the impression that avast is a weak antivirus. It did ask me to move it to chest, which I did, then I removed it and scanned my PC online with Trend Micro in case it detects something. Now the virus has spread to autocheck.exe in system32, still don't know where it is or how to remove it. I ran Trojan Remover, it was the first thing I did, nothing detected, neither in Rogue Remover.
| 621361 | 2007-12-15 10:34:00 | Luppi (12974) |
I have finished scanning with Trend Micro and removed some threats and vulnerabilities, but not this virus. Autocheck.exe is still infected and in chest now. Here's the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:54 PM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\User\My Documents\Misc Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [HyperIM] C:\Program Files\HyperIM\HyperIM.exe -min
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Policies\Explorer\Run: [NTSecurity] NTSecurity.exe
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - www.adobe.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{335716B4-440E-4BE0-B325-A2C4789EED78}: NameServer = 193.231.238.2 193.231.238.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7244 bytes

What can I do to get rid of this latest trojan? Also, I would like a recommendation for the best antivirus existent now and the best Internet Security package that I can install and use. I have had enough of AVG and Avast for all my life.
| 621362 | 2007-12-15 17:05:00 | Speedy Gonzales (78) |
Put HJT in its own folder first, then run it again. Then tick these entries, then tick Fix checked. Close browser/s.

Safe:
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

These are the nasty entries:
O4 - HKCU\..\Policies\Explorer\Run: [NTSecurity] NTSecurity.exe <--- Disable system restore, and delete this file in safe mode after.
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe - As above

Use something better / more recent than MSN Messenger. Uninstall MSN Messenger. IMO Avast is better than AVG. Well, there's ZoneAlarm, but some options in it aren't free (you still have to pay). You could try Comodo. BUT, it can be pretty hard to configure. It's free. Is Yahoo Messenger the latest version? Don't know why BOClean didn't pick this trojan up and do something with it.
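The two entries singled out above stand out for two reasons a defender can check mechanically: they autostart from HKCU\..\Policies\Explorer\Run, a key that ordinary installers almost never use, and the command is a bare file name with no absolute path, so the system resolves it through the search path instead of a known install directory. The following triage script is an added example, not code from the thread, from HijackThis or from any of the tools named in it; it parses O4 lines in the format of the log above and flags both properties. The sample log lines are constructed from entries in the thread, and the flag names and function names are the example's own.

```python
"""Triage helper for HijackThis O4 (autostart) entries.

Added example; not code from the thread or from HijackThis. It flags
entries that autostart from the Policies/Explorer/Run key and entries
whose command is a bare file name with no absolute path.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis O4 format: benign entries from the log
# in the thread plus the two Policies\Explorer\Run entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [NTSecurity] NTSecurity.exe
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
"""

# Registry O4 lines look like: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# Absolute path prefixes: drive letter, UNC share, or an environment variable.
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|%)")
POLICY_RUN = "policies\\explorer\\run"


@dataclass(frozen=True)
class Autostart:
    hive: str
    key: str
    name: str
    target: str            # the file the command actually loads
    flags: tuple[str, ...]  # empty when nothing stood out


def _first_token(cmd: str) -> tuple[str, str]:
    """Split off the first token, honouring double quotes around paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, rest = cmd.partition(" ")
    return head, rest.strip()


def target_of(cmd: str) -> str:
    """Return the file an O4 command loads.

    For the RUNDLL32 host the file of interest is the DLL given as its first
    argument (before the ",EntryPoint" suffix), not rundll32 itself.
    """
    head, rest = _first_token(cmd)
    if head.lower() in ("rundll32.exe", "rundll32") and rest:
        head, _ = _first_token(rest)
        head = head.split(",", 1)[0]
    return head


def classify(key: str, target: str) -> tuple[str, ...]:
    """Flags for one entry: where it autostarts from and how its file is named."""
    flags = []
    if POLICY_RUN in key.lower():
        flags.append("policy-run")   # autostart via Policies\Explorer\Run
    if not ABS_PATH_RE.match(target):
        flags.append("no-path")      # bare name, resolved through the search path
    return tuple(flags)


def triage(log_text: str) -> list[Autostart]:
    """Parse every registry O4 line of a HijackThis log and classify it."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:                    # Startup-folder lines and non-O4 lines
            continue
        target = target_of(m["cmd"])
        entries.append(Autostart(m["hive"], m["key"], m["name"], target,
                                 classify(m["key"], target)))
    return entries


def suspicious(log_text: str) -> dict[str, tuple[str, ...]]:
    """Map value name -> flags for every entry that raised at least one flag."""
    return {e.name: e.flags for e in triage(log_text) if e.flags}


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        mark = "!!" if e.flags else "  "
        print(f"{mark} {e.hive}\\..\\{e.key} [{e.name}] -> {e.target} {list(e.flags)}")
```

Run against the constructed sample, only NTSecurity and NTSpool come back flagged, each with both "policy-run" and "no-path"; the NvCplDaemon entry is not flagged even though it starts with a bare RUNDLL32.EXE, because the script follows the rundll32 host to the DLL it loads and finds an absolute path there. A bare file name on its own is a weaker signal than the policy key (some legitimate software does rely on the search path), which is why the two flags are reported separately rather than collapsed into one verdict.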
| 621363 | 2007-12-15 17:24:00 | Luppi (12974) |
Do you mean delete ntspool.exe and the other one? Yahoo Messenger is 9.0 BETA. MSN is actually Windows Live Messenger latest. Ticked those entries and removed them. As for BOClean, I just installed it after I saw your sig today.
| 621364 | 2007-12-15 17:28:00 | Speedy Gonzales (78) |
> Do you mean delete ntspool.exe and the other one?
Yup, delete NTSpool and NTSecurity.exe in safe mode. May pay for you to disable system restore FIRST, after you tick the rest of the entries in HijackThis.
> Yahoo Messenger is 9.0 BETA.
OK, that's fine.
> MSN is actually Windows Live Messenger latest.
That's fine too. That's how you got Bifrose. Be careful WHAT u get thru Messenger.
| 621365 | 2007-12-15 17:31:00 | Luppi (12974) |
I used to have the "pics008.zip" thing before, got rid of it in a week. WLM sucks though. The security is second to nonexistent. Okay, System Restore is off for me, I'll delete the files. Entries have been ticked and eliminated.
| 621366 | 2007-12-15 17:38:00 | Speedy Gonzales (78) |
Cool! No IM program has security. Just don't accept files if you don't know WHO it's from, or WHAT it is.