Help with Trojans

Hi, a few weeks ago I received a message that I had a trojan. I ran Avast in safe mode and it found a trojan in the memory. I believe I put the files in the chest. My computer is very sluggish since then. If I disable Avast altogether, I can atleast surf the internet, but if I don’t do that, it takes forever for a page to load.

A few times I saw something at the bottom of the screen saying waiting for media.adrevolver. After reading another post, I downloaded Super Anti Spyware, ran a scan and then ran Hijack this.

I have attached the Avast Warning LOG, Avast Error Log and Hijack This report.

Please help.

BTW I’m running Windows XP Home SP2.

Thank you.

Let’s see if we can see what’s going on.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

attached is the text from the main.txt file: For some reason, the second file didn’t show up. I ran DSS once and realized that there was still a window open. That time, both text files were created. When I tried to run DSS after that, only the main.txt file was showing up
I even deleted DSS and started over and nothing changed.

That’s normal, the extra text is only produced once. It should be at

C:\Deckard

If you can find it, please post it. If not open HJT, click the mics tools button, click Open uninstall manager. Please post the contents.

There is a bit of adware in the DSS log, unless of course you know about the Coupons toolbar. If not we can remove it after.

Since your trouble began when you moved a file to the chest, I checked your warning log. I don’t believe any of those are files you want to have, with exception of one. On Feb 11\08, Griftsoft confirmed it was a false positve. Is that the complete warning log?

Can you access the chest? If so please right click on this file and select restore.

C:\Program Files\music_now\inetchk.exe

Then submit it to virustotal and we’ll see what other scanners have to say.

Please submit these files for analysis

To submit a file to virustoal, please click om this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\Program Files\music_now\inetchk.exe

scroll down a bit and click “send file”, wait for the results and post then in your next reply.

I don’t think it will resolve your problem, but it’s a start. I’m leaning towards a corrupt install of avast, but I want to make sure that no other files are in the infected or user section of the chest before you reinstall avast. We don’t want to lose a good file. If you can access the chest, please make a list of all files in both of those sections. note: there should be 3 or 4 files in the system section by default.

Thanks

That’s normal, the extra text is only produced once. It should be at
C:\Deckard

The file is not there because I deleted the folder thinking it would run the file if it didn’t already exist.

[b]If you can find it, please post it. If not open HJT, click the mics tools button, click Open uninstall manager. Please post the contents.

There is a bit of adware in the DSS log, unless of course you know about the Coupons toolbar. If not we can remove it after.[/b]

The Uninstall Manager List is attached.

[b]Since your trouble began when you moved a file to the chest, I checked your warning log. I don’t believe any of those are files you want to have, with exception of one. On Feb 11\08, Griftsoft confirmed it was a false positve. Is that the complete warning log?

Can you access the chest? If so please right click on this file and select restore.

C:\Program Files\music_now\inetchk.exe[/b]

I can access the chest, but the file does not exist so I haven’t submitted anything to virustotal.

Below is a list of the files in the chest:

C:\Documents and Settings\Allison\Local Settings\Temporary Internet Files\Content.IE5\BJHYO52H\17PHolmes[1].cmt
C:\System Volume Information_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP143\A0040051.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\mrofinu1395.exe
C:\DOCUME~1\Allison\LOCALS~1\Temp\mshtml3.exe
C:\WINDOWS\system32\winsock.dll
C:\WINDOWS\system32\wsock32.dll

Thank you so much for your help.

:slight_smile: Hi :

Your various Logs indicate you have 3 antiSPYWARE programs ( Ad-Aware,
Spybot, & SUPERAntiSpyware ) ; have any of them “detected” the “trojan” ?

It would be best IF you uninstalled the outdated Version of HijackThis ( 1.99 )
& used the newer 2.0.2 which can be downloaded from
www.filehippo.com/download_hijackthis .

Your “Uninstall List” shows the outdated “J2SE Runtime Environment 5.0 Update 6” ; for security purposes, best to have ONLY the latest version of Java, so recommend this be uninstalled .

Also it appears you have the outdated Adobe Reader 7.0 ; since this seems
to be under periodic “attack” from the Makers of Malware, it would be
wise to uninstall it & consider using the “safer” Foxit reader, with Info
available at www.foxitsoftware.com/pdf/rd_intro.php .

I wonder IF :

C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\winsock.dll
C:\WINDOWS\system32\wsock32.dll

should be in Avast’s Virus Chest !? I defer the “correct” Answer to those
more experienced than I in this particular area .

Regarding the missing file, it not that imorptant, it connected with AOL music.

Please confirm that these 3 files are in the system section of the chest. Open the chest,click the system files button.

C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\winsock.dll
C:\WINDOWS\system32\wsock32.dll

Please download
OTMoveIt2 by OldTimer.

Save it to your desktop. Do not run it yet

Open control panel, go to add/remove programs and uninstall these programs, if present

Coupon Printer for Windows
CouponBar
J2SE Runtime Environment 5.0 Update 6

Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\CouponBarIE.dll
O3 - Toolbar: CouponBar - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - C:\WINDOWS\CouponBarIE.dll

Close all other browsers/windows, click fix, close HJT.

Please double-click OTMoveIt2.exe to run it.

See image below.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

[b]
purity
C:\WINDOWS\COUPON~1.DLL
C:\WINDOWS\CouponBarIE.dll
C:\Program Files\Coupons

[/b]

Return to OTMoveIt2, right click in the “Paste List Of Files/Patterns To Search For and Move” window (under the yellow bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMOVEITE reboots, before you can get the ruslts they can be found here
C:_OTMoveIt\MovedFiles**_.log
(where “**_” is the “date_time”)

Now we will do a little registry fix.

Please Download and run ERUNT http://www.larshederer.homepage.t-online.de/erunt/

note: the download links are server1,server2, server3

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry
files should be saved, or click “…” to browse your computer’s drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.

Next, select the backup options:

  • System registry:

  • Current user registy: .

  • Other open user registries:

Click “OK” and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.

WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine

REGISTRY FIX

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
“{5BED3930-2E9E-76D8-BACC-80DF2188D455}”=-

[-HKEY_CLASSES_ROOT\CLSID{5BED3930-2E9E-76D8-BACC-80DF2188D455}]

[-HKEY_CLASSES_ROOT\TTB000001.TTB000001.1]

[-HKEY_CLASSES_ROOT\TypeLib{9BA983B1-0C05-2DAF-9D1D-7E160077CAF4}]

[-HKEY_CLASSES_ROOT\TTB000001.TTB000001]

Next you will need to create the repair registry fix.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box above into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “fix.reg”

Click save.

This will create a fix.reg file on your desktop
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

Please post a new DSS log. Let me know of any problems you have doing the above steps. Also if there is an improvement in your system.

Thanks

[b]Regarding the missing file, it not that imorptant, it connected with AOL music.

Please confirm that these 3 files are in the system section of the chest. Open the chest,click the system files button.

C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\winsock.dll
C:\WINDOWS\system32\wsock32.dll
[/b]

The above files were in the system section of the chest.

[b]Open control panel, go to add/remove programs and uninstall these programs, if present

Coupon Printer for Windows
CouponBar
J2SE Runtime Environment 5.0 Update 6
[/b]

Removed the above programs

[b]Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\CouponBarIE.dll
O3 - Toolbar: CouponBar - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - C:\WINDOWS\CouponBarIE.dll
[/b]
Close all other browsers/windows, click fix, close HJT.

The above files were not present.

[b]Please double-click OTMoveIt2.exe to run it.

See image below.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

[b]
purity
C:\WINDOWS\COUPON~1.DLL
C:\WINDOWS\CouponBarIE.dll
C:\Program Files\Coupons

[/b]

Return to OTMoveIt2, right click in the “Paste List Of Files/Patterns To Search For and Move” window (under the yellow bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.[/b]

[Custom Input]
< purity >
< C:\WINDOWS\COUPON~1.DLL >
File/Folder C:\WINDOWS\COUPON~1.DLL not found.
< C:\WINDOWS\CouponBarIE.dll >
File/Folder C:\WINDOWS\CouponBarIE.dll not found.
< C:\Program Files\Coupons >
C:\Program Files\Coupons moved successfully.

OTMoveIt2 v1.0.20 log created on 03062008_204236

Please post a new DSS log. Let me know of any problems you have doing the above steps. Also if there is an improvement in your system.

DSS log is attached.

Thanks

There is a small improvement in my system, however, email is extremely slow. I am using Yahoo mail. When Avast on Access Protection is on, it takes forever to load. When I turn it off, it’s a little better, but still takes a while to load.

The log looks ok. We’ll try to determin if it’s an av problem.

How long have you had avast?

And did it ever work right.?

Where you using something prior to avast?

Unless you are using the paid version of yahoo mail, I don’t belief avast will scan it.

There is one folder I almost forgot I’d like to have a look at.

Open a new notepad and copy and paste the following into it


dir “C:\WINDOWS\Cache” >> look.txt
start look.txt

Click file, save as. Set save it to desktop, name it (including the " " marks) “look.bat”, You should have a file on your desktop with the icon shown at the bottom of this post.

Double click it, a note pad will appear, save it to your desktop so you can attach it to your next reply.

We’ll have a look at this folder, then perhaps a reinstall of avast, depending on what we find and your answers.

This is also present in your DSS log

Percentage of Memory in Use: 93% (more than 75%).
Total Physical Memory: 383 MiB (512 MiB recommended).
System Drive C: has 0.48 GiB (less than 15%) free.

As it stands you can’t even defrag your hard drive if you wanted to.

This will clean up some odds and ends laying around and may improve preformance a bit.

Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp

We will continue looking, there must be a reason…

Thanks.

How long have you had avast?
A few months.

And did it ever work right.?
It worked fine until I had that virus a few weeks back.

Where you using something prior to avast?
I was using Clamwin

Unless you are using the paid version of yahoo mail, I don’t belief avast will scan it.
It doesn’t actually scan, but it takes forever to load.

[b]There is one folder I almost forgot I’d like to have a look at.

Open a new notepad and copy and paste the following into it[/b]


dir “C:\WINDOWS\Cache” >> look.txt
start look.txt

look.txt is attached

We’ll have a look at this folder, then perhaps a reinstall of avast, depending on what we find and your answers.

[b]This is also present in your DSS log

Percentage of Memory in Use: 93% (more than 75%).
Total Physical Memory: 383 MiB (512 MiB recommended).
System Drive C: has 0.48 GiB (less than 15%) free.

As it stands you can’t even defrag your hard drive if you wanted to.

This will clean up some odds and ends laying around and may improve preformance a bit.

Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp[/b]

I will try the utility now.

Thank you so much.

Allison

Well the batch file didn’t open the folder and report it’s contents.

Can you navigate to the folder, right click on it, select properties and let me know creation date, modified date and size.

C:\windows[b]cache[/b]

Is clamwin uninstalled? I don’t think it would conflict anyway.