Please help remove Virus/Worm

NEED HELP TO REMOVE TROJANS on my system.

For information:

  • Windows updates are taken every week
  • Avast virus information and program are updated
  • Have also installed SuperAntiSpyware, and SpywareBlaster
  • Also ran Asquare Free

But still after every 1-2 days Avast reports Trojans, mostly the following:

  1. Win32:Trojan-gen {Other} — this is always an exe in Windows Temp folder, and the path shown is like this: c:\windows\temp\2540.exe[ASPack][Embedded_R#HOOKDLL]. Malware type is Virus/Worm. However sometimes the path is just like c:\windows\temp\2540.exe, with Malware type Virus/Worm

The administrative shares were on, and system was on simple file sharing.
I moved to advanced file sharing, and disabled the administrative shares. Then again updated everything, and ran Avast Full Scan - but still this Trojan-gen is reported, after every few full scans.

This trojan is also reported at times in c:\system volume information\_restore

  2. Win32:Dasher-J [trj], malware type: Trojan Horse. File name was c:\windows\temp\2064.exe[PESpin][Embedded_R#S]. But after disabling simple file sharing, and restricting access to the hard disk to Administrators, this has not been reported again

This was also reported in c:\recycler.
As I said, after disabling simple file sharing it is not reported anymore - but the trojan in point 1 is still reported after every few scans (or the virus alert for it pops up at intervals of 1-2 days)

  3. Another one I encountered even after days of disabling simple file sharing is some backdoor - actually an exe ran on the system, from c:\windows\temp\<nnnn>.exe, but failed to initialize. This crashed, and when I checked Process Explorer the command line was c:\windows\svchost -KWinErp.

Searching KWinErp indicated that it's one of the various entries made by a Backdoor - Backdoor.PcClient.Gen.3, Backdoor.Pcclient, Trojan.Crypt

PLEASE HELP…

HijackThis log follows…

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:38:18, on 20/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Huey\HueyServ.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ProcessExplorer\procexp.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\IBM\Client Access\cwbunnav.exe
C:\Program Files\IBM\Client Access\jre\bin\javaw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_17\bin\ssv.dll
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM..\Run: [ISUSPM Startup] “C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe” -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [Client Access Service] “C:\Program Files\IBM\Client Access\cwbsvstr.exe”
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Everything] “C:\Program Files\Everything\Everything.exe” -startup
O4 - HKCU..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_17\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_17\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip..{38155B43-906E-4C2C-9552-8FB8158D0299}: NameServer = 158.152.1.58,158.152.1.43
O17 - HKLM\System\CCS\Services\Tcpip..{3CDC719F-3BB7-4243-88CA-5998F3E414D6}: NameServer = 158.152.1.58
O17 - HKLM\System\CS1\Services\Tcpip..{38155B43-906E-4C2C-9552-8FB8158D0299}: NameServer = 158.152.1.58,158.152.1.43
O17 - HKLM\System\CS2\Services\Tcpip..{38155B43-906E-4C2C-9552-8FB8158D0299}: NameServer = 158.152.1.58,158.152.1.43
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Huey Server (HueyServer) - Unknown owner - C:\Program Files\Huey\HueyServ.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


End of file - 7388 bytes

Hi vikramsjn,

Your hjt log file showed you have no active software firewall running on that machine. The following commercial RAT was found there. If the machine is yours and not owned by your boss you can remove it according to the instructions; if your boss placed this programme there to observe your online activities, do not remove it, but if you feel unhappy with it contact your management official.

Spyware Huey Information
Name: Huey
Category: Commercial RAT
Date: 2002-07-17
Coded in: Delphi
Dangerous: Yes
Huey belongs to Commercial RAT spyware category.
Its presence means that your computer is infected with malicious software and is insecure.
Huey description by publisher:
Vendor: "Huey is a remote control application that allows you to control & view another PC from across the internet. The system is specifically designed to allow you to use your work/school computer from home."

Huey Removal Instructions
Kill the following processes
huey.exe, hueyserv.exe
Remove the following files
huey help.lnk, huey.exe, huey.lnk, hueycli.hlp, hueyins.reg, hueyserv.exe, instlog.lsl.

I'm not advising you to remove it as it's a legitimate remote access tool that many companies use to help them control computers on their network, including updates etc.

I suggest if you are unhappy with the idea of the company being able to see what is on your computer or update it or control it to have a word with management.

They set the rules at work and you have to abide by them

All I have done is say yes, there is a program on there, and what you do is up to you, but my advice is to contact your management at work.

Low Risk
Low risk threats pose a very low risk or no immediate danger to your computer or your privacy, however these types of applications may profile user online habits, but only according to specific privacy policies stated in the applications End-User License. These types of threats generally borderline on being a threat to being a standard application that has a complex license agreement that you knowingly installed.

Huey file signatures

process: huey.exe: MD5 Hash: 61cc23a65650377849c…
process: hueyserv.exe: MD5 Hash: 0fd796b667fe077374a

polonus

It's my boss's system - he uses it to demo to other clients.

Regarding that KWinErp entry…

I found a couple of services on the system that were backdoors

  1. Windows System Event Reporting
    c:\windows\svchost.exe -k KWinErp

  2. System Event Reporting Service
    c:\windows\svchost.exe -k sysErs

  3. Windows System Reporting Manager
    c:\windows\svchost.exe -k winErs

I disabled these.

But why aren’t these security programs able to identify these malicious backdoor services?
I ran SuperAntiSpyware, Asquare Free, and ran their full scans - but none reported these malicious services, or could not uproot these.

Is there any other software that I should use to scan?
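The three backdoor services listed above, and the `c:\windows\svchost -KWinErp` command line from the first post, share one tell-tale pattern: `svchost.exe` started from `c:\windows` instead of `%SystemRoot%\system32`, with a `-k` group name that Windows itself never uses. The script below, added here as an example and not part of this thread or of HijackThis, applies that check to O23 (service) lines in HijackThis log format. The sample lines are constructed to model the entries above (the log actually posted in this thread does not list these services; they were found later), and the `DEFAULT_GROUPS` allowlist is an assumed partial list of XP service-host groups; on a real machine the authoritative list is the registry key `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost`.

```python
"""Flag suspicious O23 (service) entries in a HijackThis-style log.

Added example, not code from the thread or from HijackThis. Detection rules:
  * svchost.exe whose image path is not under %SystemRoot%\\system32
  * svchost.exe whose version info does not name Microsoft as publisher
  * svchost.exe with a -k group outside a known allowlist (or no -k at all)
  * any other service binary with no publisher information ("Unknown owner")
"""
import ntpath
import re

# Assumed partial list of Windows XP svchost groups; extend it from the registry key
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost on the host being examined.
DEFAULT_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss", "dcomlaunch", "imgsvc"}

# Constructed sample lines modelled on the services described in this thread.
SAMPLE_LINES = [
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: Windows System Event Reporting (KWinErp) - Unknown owner - c:\windows\svchost.exe -k KWinErp",
    r"O23 - Service: System Event Reporting Service (sysErs) - Unknown owner - c:\windows\svchost.exe -k sysErs",
    r"O23 - Service: Huey Server (HueyServer) - Unknown owner - C:\Program Files\Huey\HueyServ.exe",
    r"O23 - Service: Windows Update (wuauserv) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe -k netsvcs",
]

# O23 layout: "O23 - Service: <display name> (<short name>) - <publisher> - <image path and args>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# Executable is everything up to the first ".exe" (quoted or not); the rest are arguments.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?(?P<args>.*)$', re.IGNORECASE)
GROUP_RE = re.compile(r"-k\s+(?P<group>\S+)", re.IGNORECASE)


def parse_o23(line):
    """Split one O23 line into name, owner, exe path and arguments; None if not an O23 line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    e = EXE_RE.match(cmd)
    exe, args = (e.group("exe"), e.group("args").strip()) if e else (cmd, "")
    return {"name": m.group("name"), "owner": m.group("owner"), "exe": exe, "args": args}


def analyse_o23(lines, allowed_groups=DEFAULT_GROUPS):
    """Return a list of {name, exe, reasons} for every O23 entry that trips a rule."""
    findings = []
    for line in lines:
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = []
        directory, base = ntpath.split(svc["exe"])
        if base.lower() == "svchost.exe":
            # Genuine svchost.exe lives only in %SystemRoot%\system32.
            if not directory.lower().endswith("\\system32"):
                reasons.append("svchost.exe outside %SystemRoot%\\system32: " + svc["exe"])
            if "microsoft" not in svc["owner"].lower():
                reasons.append("svchost.exe not attributed to Microsoft: " + svc["owner"])
            g = GROUP_RE.search(svc["args"])
            if g is None:
                reasons.append("svchost.exe started without a -k group")
            elif g.group("group").lower() not in allowed_groups:
                reasons.append("unknown -k service group: " + g.group("group"))
        elif svc["owner"].lower() == "unknown owner":
            # Not malicious by itself (the thread's Huey entry is a commercial tool),
            # but worth a manual look because the binary carries no publisher info.
            reasons.append("service binary has no publisher information")
        if reasons:
            findings.append({"name": svc["name"], "exe": svc["exe"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_o23(SAMPLE_LINES):
        print(f["name"], "->", f["exe"])
        for r in f["reasons"]:
            print("   ", r)
```

Run it against a saved HijackThis log with `analyse_o23(open("hijackthis.log").readlines())`. The `Unknown owner` rule is deliberately a review hint rather than a verdict: in this thread it would have pointed at both the fake `svchost.exe` services and the Huey RAT, and only the former are malware.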

There are remnants of Symantec on the system, presumably Norton. These remnants could well conflict/impede avast.

A link worth looking at, which is a program removal tool that can remove the remnants of a number of different Norton Programs:
Removing your Norton program using SymNRT

The JAVA is also way out of date, which is open to exploit:
Ensure you have the latest version of JRE (JAVA Runtime Environment) because older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.

Then get the latest update from here http://java.sun.com/javase/downloads/index.jsp

Or JRE version 6 update 13 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html