PL HELP ME

Hello avast team,
I am really glad to hear the reply from you. I am using avast 4.7 on my Windows XP. This
morning avast detected
trojan horse: JS:AGENT-AK[trJ]
location: c:\documents and settings\manjeet\local settings\temporary internet files\content.IE5\0order4t6v.
and recommended moving it to the virus chest. Am I safe now? Will the infected file in the virus chest
be removed automatically, or should I remove it manually? I searched for trojan horse in the registry and I found it, but
I am not able to delete it. Does avast remove it or should I remove it manually?
V.R.D.B repairs infected files, so should I generate the V.R.D.B with the option
(generate V.R.D.B now) to repair it?
Sorry, I am not really familiar with computer applications.

I hope you will help and guide me,

  1. edit your post to make the link inactive

  2. the question is, which program tried to open the URL…

I’ve answered you already. Please, avoid double posting…
Please, do not use CAPS (it’s the forum policy).

Hi Tech,
Thanks for your immediate reply. I am really glad for your support.
I scheduled a boot-time scan, but it did not find any infected files, and after logging in
I scanned all the local disks and avast did not detect any infections. But when I searched for trojan horse manually I found (keyword_default_0) in the folder
c:\program files\yahoo\messenger\cache\search keywords.
and in the registry HKEY_CURRENT_USER, ACMru 5604.
name type data
ab 000 REG_SZ trojan
ab 001 REG_SZ TROJAN HORSE.
Actually I don't understand any of these. I am able to delete it after a manual search, but I am not able to
delete it from the registry. It comes back every day. Please explain this to me. I am not familiar with computer applications.
How should I get rid of it permanently?

I suggest:

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast with archive scanning turned on.
  4. Use AVG Antispyware; SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

Hi Tech,
Are you there? Thanks for your help, but I have not understood
options 6, 7 and 8. Can you give me an alternative? The HijackThis
software is completely new to me. I have used AVG Anti-Spyware;
it detected some adware and tracking cookies and I have
quarantined them as you said. But I am still finding trojan horse in
the registry. Is my computer hacked? Please guide me.
Thanking you,
chanik.

For step 6, download HijackThis from the link in Tech’s post, run the program and post the log here in your next reply.

Tech will have to comment on steps 7 & 8.

HJT Information HiJackThis Tutorial.

What are the details of this trojan that is being found in the registry ?

Hello Tech,
Hi, I am trying to remove the trojan horse from the registry but am not able to succeed.
I have a new problem: I have installed AVG Anti-Spyware and AVG rootkit, and my avast
is not working. After the memory test the avast simple interface window gets minimised automatically
and I am not able to open it and scan. Does using AVG Anti-Spyware and avast create any problems?

Firstly, a trojan doesn’t reside in the registry; there may be a run command in the registry to start a trojan, which is why I asked about the details of this trojan detection you say is found in the registry.

We can only help when we know what is going on; that is why we ask questions.

So what detects this trojan in the registry ?
What are the full details of the detection ?

I suggest you visit this page http://www.antirootkit.com/software/index.htm for antirootkit detection, removal & protection.
Comparison test here: http://www.informationweek.com/software/showArticle.jhtml?articleID=196901062&pgno=1&queryText=
You could use AVG and/or TrendMicro and/or Panda.

They are compatible, shouldn’t be a problem.

Hello everyone,
I am using avast 4.7 home edition (Windows XP). avast has detected trojan horse: JS:AGENT-AK[trJ]
location: c:\documents and settings\manjeet\local settings\temporary internet files\content.IE5\0order4t6v
and recommended moving it to the virus chest. But when I searched for trojan horse manually I found (keyword_default_0) in the folder
c:\program files\yahoo\messenger\cache\search keywords.
and in the registry HKEY_CURRENT_USER, ACMru 5604.
name type data
ab 000 REG_SZ trojan
ab 001 REG_SZ TROJAN HORSE.
avast is not able to detect this, and when I remove keyword_default_0 I get it again daily. I have also used AVG Anti-Spyware
and AVG rootkit; AVG detected some adware and tracking cookies and I quarantined them. But neither of them
has detected the trojan in the registry and I am not able to remove it. In the avast forums they recommended
using HijackThis, but I am completely new to this.
Can you explain my problem and the solution to remove the trojan permanently
from my system? Please help me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:22 AM, on 11/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\STacSV.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CD7C8B4-F828-48BC-99FD-5E899EA9B9F5}: NameServer = 172.23.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{5CD7C8B4-F828-48BC-99FD-5E899EA9B9F5}: NameServer = 172.23.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{5CD7C8B4-F828-48BC-99FD-5E899EA9B9F5}: NameServer = 172.23.0.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
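
The point made earlier in the thread, that the registry holds run commands that start programs rather than the trojan itself, maps onto the O4 lines of a HijackThis log. The following is an added example, not part of the thread and not HijackThis code: it lists each O4 Run entry and whether its program appears under "Running processes". The function names and the sample log lines are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the HijackThis layout shown above (not the poster's full log).
SAMPLE = r'''Running processes:
C:\WINDOWS\sttray.exe
C:\Program Files\Messenger\msmsgs.exe

O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
'''
# Accepts "HKLM\..\Run" and the "HKLM..\Run" form left when a backslash is lost in pasting.
RUN_RE = re.compile(r'^O4 - (HK\w+)\\?\.\.\\(Run\w*): \[(.+?)\] (.+)$')

def command_path(command):
    """Executable part of a Run value, without quotes or arguments."""
    command = command.strip().replace('\u201c', '"').replace('\u201d', '"')
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r'(.+?\.exe)\b', command, re.I)  # keeps unquoted paths with spaces
    return m.group(1) if m else command.split()[0]

def parse_hjt(text):
    """Return (set of lower-cased running process paths, list of O4 Run entries)."""
    running, autoruns, in_procs = set(), [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == 'Running processes:':
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            running.add(line.lower())
        elif (m := RUN_RE.match(line)):
            autoruns.append((m[1], m[3], command_path(m[4])))
    return running, autoruns

def triage(text):
    """Pair every Run entry with whether its program was running at scan time."""
    running, autoruns = parse_hjt(text)
    names = {PureWindowsPath(p).name for p in running}
    def state(path):
        p = path.lower()
        if p in running:
            return 'running'
        by_name = PureWindowsPath(p).name in names
        return 'running (name match only)' if by_name else 'not running'
    return [(hive, name, path, state(path)) for hive, name, path in autoruns]
```

Call `triage(log_text)` on a pasted log to get one `(hive, value name, executable, state)` tuple per Run entry; "not running" only means the program was absent from the process list when the log was saved.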