rapid reproducing trojan

Avast scan says I have the win32:TROJANO-180. In less than one hour it showed up 19 times, each with a different file name. Examples: addzt32.exe, apinkexe, apist.exe, syshu32.exe, atdi.exe, etc.
I deleted each as they appeared on screen. I don’t know much about computers but will try to follow some very simple instructions.
I am using Win XP Home, avast 4.1, VPS version 6-25-2004.

I have exactly the same thing, trojano-180. I posted a topic in another section, and was told to come here. After a while on the internet, the virus seems to shut down all internet communication, and I have to redial. I get an insane amount of popups even when not using IE, and my home page is changed. Here is a post of my HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 5:08:06 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\apiid32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\prdhy.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://prdhy.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://prdhy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\prdhy.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://prdhy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\prdhy.dll/sp.html#96676
O2 - BHO: (no name) - {372EF314-6508-92AB-732E-258B08992A73} - C:\WINDOWS\d3uc.dll
O4 - HKLM..\Run: [mswspl] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [apiid32.exe] C:\WINDOWS\apiid32.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38164.8623263889
O17 - HKLM\System\CCS\Services\Tcpip..{BF97B015-1FF3-46FD-A784-709AC574A598}: NameServer = 63.93.64.20 63.93.64.21

Thank you.
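
Added example, not part of the original thread: a small Python triage of the HijackThis log posted above. The flagging rules (IE pages pointing at a res:// DLL resource, a BHO or Run entry loading a file directly from C:\WINDOWS) are assumed heuristics for choosing lines to review by hand, not verdicts; the sample lines are copied from the log in the post.

```python
import re

# Sample input: lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
Platform: Windows XP SP1 (WinNT 5.01.2600)
C:\WINDOWS\apiid32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\prdhy.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://prdhy.dll/index.html#96676
O2 - BHO: (no name) - {372EF314-6508-92AB-732E-258B08992A73} - C:\WINDOWS\d3uc.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [apiid32.exe] C:\WINDOWS\apiid32.exe
"""

# HijackThis entries start with a section code such as R0, O2 or O16.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Assumed heuristic: an .exe/.dll sitting directly in C:\WINDOWS, not a subfolder.
WINDOWS_ROOT_FILE = re.compile(r"C:\\WINDOWS\\[^\\]+\.(?:exe|dll)$", re.IGNORECASE)


def triage(log_text):
    """Return (section, reason, line) tuples for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY.match(line)
        if not match:
            continue  # header, running-process list or blank line
        section, body = match.groups()
        if section in ("R0", "R1") and "= res://" in body:
            # R0/R1 are the Internet Explorer start and search page settings.
            findings.append((section, "IE page points at a res:// DLL resource", line))
        elif section == "O2" and WINDOWS_ROOT_FILE.search(body):
            # O2 lists Browser Helper Objects loaded into Internet Explorer.
            findings.append((section, "BHO loaded from the Windows root folder", line))
        elif section == "O4":
            # O4 lists autostart entries; the path follows the "[name] " label.
            path = body.split("] ", 1)[-1]
            if WINDOWS_ROOT_FILE.search(path):
                findings.append((section, "autostart from the Windows root folder", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```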

Hi,

Booting in Safe Mode or a boot-time scan with avast (and moving the file to quarantine) doesn’t help?


It can be cleaned with avast + some manual digging, but here’s a quick’n’dirty solution :wink:

Download ESCAN from here:
http://www.mwti.net/antivirus/free_utilities.asp

Deactivate System Restore and reboot to Safe Mode (F8 boot).
Then start ESCAN, set the options according to screenshot in this link:
http://www.trojaner-board.de/forum/ultimatebb.php?ubb=get_topic;f=24;t=000001

Let ESCAN scan & clean everything…

Reboot normally…
Maybe set your start page again in IE.

Also read the link below “VirusRemoval” to secure your System/IE, or the trojan/hijacker will come back… :wink:

I downloaded Escan, but it won’t let me use it because it says that it is more than 30 days old. Do you happen to know where I can find a newer version? Also, yes, the pre-Windows Avast! scan didn’t work for me. I really appreciate your time.

Got it. One of the links must have been old. Using it now.

Escan did find some viruses that avast missed, and I did the scan twice in safe mode. I did another scan before Windows loaded, and ran all of my other virus software. I also deleted all cookies and history. This was all done before dialing up the internet. Unfortunately, the trojan is still here. Exactly the same. I have been trying to delete this thing for 4 or 5 days now, and I think I am just going to have to reformat. Thanks for trying. :-\