syscore.dll

My son has a laptop and reported a Trojan attack. Apparently he made the mistake of authorising download of a codec required by a video on YouTube. Sigh.

Having travelled to his home I ran Avast which reported W32-Agent-LTS [trj] with the name syscore.dll. Avast duly transferred this to its chest, and I ran a complete check. Another three files were discovered and moved to the chest. All such files were then deleted and after several cold and warm reboots everything seemed clear.

Three hours later the Trojan returned. Unfortunately I was then travelling back – hence no HiJack report yet available. Any thoughts?

What Operating System are you using?

There may be other elements to this malware that are either undetected or hidden which are restoring or downloading the trojan.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode (and report your findings).

  1. If using WinXP: AVG Anti-Spyware (formerly Ewido), resident scanner during trial, on-demand after the trial ends.
  2. Or SUPERAntiSpyware, on-demand only in the free version.
  3. Or Spyware Terminator, resident scanner.
  4. Or a-squared Free, on-demand only with the free version (if using Win98/ME).

The laptop is running Windows Pro SP2 on a Celeron 1.8 GHz 512 RAM. On my recommendation he has been running Avast Home Edition v4.7 – which is why I reported this incident to this forum. I now have the laptop (with a ruined parental reputation), and am again running an Avast check after which I intend to run Ewido and SuperAntiSpyware. Question: can I safely copy the HiJack log from his laptop to mine on floppy for printing? Is a text file reasonably safe, and could the floppy be used as a background conduit to mine?

Usually a text file is not infected but exe, dll or scr executable files are the targets, so viewing the HijackThis log should be safe, but that assumes that your anti-virus and anti-trojan resident detectors are up to date.

The recommended scanners are good and I can also recommend a-squared that has both a Free and a Fee version and I use the Free version:
http://www.emsisoft.com/en/software/free

Post the HijackThis log and I’m sure you will receive expert advice here.

I had hoped to post the HiJack report which is why I queried the risk of moving a floppy into my machine, albeit only with the log file on it.

Any computers connected could be vulnerable because depending on the malware some can travel over a network in the same way as you can navigate it. Using a floppy, USB drive or CD is generally safer so long as you don’t allow autorun and scan the floppy or CD before opening anything.

The text file is relatively safe as it isn’t executable, but there are some viruses that try to spread through removable media, so it isn’t the hijack.log file that is likely to be the problem. So avoid using autorun as that can launch other stuff on the removable media or USB drive.

A little trick (to avoid autorun) with floppies or CDs: keep the Shift key depressed whilst the drive light is on when you load the floppy/CD. Once the drive light is off and there is no drive activity you can scan it with avast.

You can paste the contents of the HJT log here (you may need two or more posts to cut and paste it) and we will have a look at it. First run the other tools though as it may reduce the size of the problem and contents of the HJT log.

Just take care about false positives!

But, can’t you send (post) the HijackThis log from the suspicious machine itself (laptop)?
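The autorun advice above is about not letting a removable disk run anything before it has been scanned. As an added example (not code from this thread or from any of the tools named in it), the Python script below reads an autorun.inf the way Explorer would and lists every command it would launch, so the file can be inspected from a safe machine before the disk is opened. Both sample files are constructed for the example; the "RECYCLER" and dot-folder heuristics are assumptions about where such files commonly point, not rules from the thread.

```python
import configparser
from typing import Dict, List

# Constructed sample autorun.inf of the kind found on an infected removable disk
# (illustrative, not a file from this thread).
SAMPLE_AUTORUN_INF = r"""[AutoRun]
open=RECYCLER\S-1-5-21-0000\setup.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Holiday photos
shell\open=Open
shell\open\command=RECYCLER\S-1-5-21-0000\setup.exe
shell\explore\command=RECYCLER\S-1-5-21-0000\setup.exe
shellexecute=RECYCLER\S-1-5-21-0000\setup.exe
shell=open
"""

# Constructed benign autorun.inf as shipped on many software CDs: icon and label only.
SAMPLE_BENIGN_INF = """[autorun]
icon=setup.exe,0
label=Printer driver CD
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a dict with lower-cased keys.
    strict=False tolerates repeated keys and sections, allow_no_value tolerates
    junk lines; both show up in real autorun.inf files. Section name is matched
    case-insensitively because Windows does not care about the case."""
    cp = configparser.ConfigParser(strict=False, allow_no_value=True, interpolation=None)
    cp.optionxform = str.lower
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: (v or "").strip() for k, v in cp.items(section)}
    return {}


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Every command the shell would run on insert (open/shellexecute) or when a
    user picks a verb such as Open or Explore (shell\\<verb>\\command)."""
    targets = []
    for key, value in entries.items():
        is_verb_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if value and (key in ("open", "shellexecute") or is_verb_cmd):
            targets.append(value)
    return sorted(set(targets))


def assess(text: str) -> Dict[str, object]:
    """Summarise what an autorun.inf would do; 'safe_to_browse' means it launches nothing."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    flags = []
    if "open" in entries or "shellexecute" in entries:
        flags.append("runs a program automatically on insert")
    if "shell" in entries or any(k.endswith("\\command") for k in entries):
        flags.append("overrides Explorer's right-click verbs (double-click runs the payload)")
    # Assumed heuristic: payloads are often parked in RECYCLER or a dot-named folder.
    if any("recycler" in t.lower() or "\\." in t for t in targets):
        flags.append("target hides in a RECYCLER or dot-named folder")
    return {"targets": targets, "flags": flags, "safe_to_browse": not targets}


if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_AUTORUN_INF), ("benign", SAMPLE_BENIGN_INF)):
        print(name, assess(sample))
```

Run it against an autorun.inf copied (as a text file) from the disk in question; the "targets" list is what to submit to an on-line scanner, and an empty list means the disk only sets an icon and label.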

Apologies for what could become a major event, and the experience is leaving me somewhat jaundiced with all anti-virus programs. Consider progress to date:

On bootup (no available Internet connection), no apparent spyware reported.
Executed Avast computer check (thorough).
2 files identified, moved to chest, and deleted.
File Name c:\windows\memory.dmp
Malware Name W32-VB-EIJ [trj]
Recommended action was move to chest but disk capacity reported as insufficient, file deleted.
Summary of check, two files successfully deleted:
memory.dmp and msmdev.dll
Avast uninstalled.

Reboot
Installed and executed scan by Ewido v4.0
15 tracking cookies identified and deleted.
Repeat run, nothing found.
Ewido uninstalled.

Reboot
AdAware 2007 executed.
4 items identified and deleted.
Root: HKU Path: S-1-5-21-3757435101-3238835185-2771580065-500\software\microsoft\windows\currentversion\policies\system Value: disableregistrytools Data: , Belonging to windows
MRU: Path: c:\Documents and Settings\Admin…
MRU: Reg Key: S-1-5-21-3757435101-3238 ……
MRU: Reg Key: S-1-5-21-3757435101-3238 …… [apparent duplicate]
Reboot, repeat run.
1 item identified and deleted
Root: HKU Path: S-1-5-21-3757435101-3238835185-2771580065-500\software\microsoft\windows\currentversion\policies\system Value: disableregistrytools Data: , Belonging to windows
Reboot, repeat run.
2 items identified and deleted.
Root: HKU Path: S-1-5-21-3757435101-3238835185-2771580065-500\software\microsoft\windows\currentversion\policies\system Value: disableregistrytools Data: , Belonging to windows
MRU: Path: c:\Documents and Settings\Administ…
Whilst able to identify it, AdAware was unable to completely clean the infection.

Reboot
Installed and executed scan by SuperAntiSpyware Ewido v3.9
44 tracking cookies identified and deleted. [!!]
9 Infected files identified in Internet Explorer cache, deleted.
Reboot, empty Internet cache, repeat run, nothing found.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:25:32, on 29/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: ZyXEL G-202 Wireless Adapter Utility.lnk = ?
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games - Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189003058274
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games - Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games - Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{873AFBDC-DA03-4F55-91AB-A73AA66E71B9}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: msmdev - {23815390-56BD-423D-AC97-4504707FB6BD} - C:\WINDOWS\msmdev.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
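The replies that follow judge the log by eye. As an added example (not code from this thread, from HijackThis or from Trend Micro), the Python script below parses lines in the HijackThis format and pulls out the three things a helper usually checks first: entries marked "(file missing)" such as the O21 msmdev load point left behind after the DLL was deleted, O4 Run items that name a bare executable rather than a full path, and O16 ActiveX downloads from hosts outside an allowlist. The sample log is a subset of the log posted above; the allowlist domains (microsoft.com, msn.com) are an assumption chosen to fit that log.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{873AFBDC-DA03-4F55-91AB-A73AA66E71B9}: NameServer = 192.168.0.1
O21 - SSODL: msmdev - {23815390-56BD-423D-AC97-4504707FB6BD} - C:\WINDOWS\msmdev.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")   # "O4 - ...", "R0 - ..."
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")      # "[name] command line"


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Split an HJT log into its Rx/Oxx entries; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"kind": m.group("kind"), "body": m.group("body")})
    return entries


def orphaned_entries(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Load points whose target file no longer exists: the usual leftover after a
    scanner deletes the payload but not the registry entry that loaded it."""
    return [e for e in entries if e["body"].endswith("(file missing)")]


def unqualified_run_entries(entries: List[Dict[str, str]]) -> List[str]:
    """Names of O4 Run items whose command has no drive letter or %variable% prefix.
    Windows resolves a bare name through the search path, so the log line alone
    does not say which file runs; these need a manual look."""
    names = []
    for e in entries:
        if e["kind"] != "O4":
            continue
        m = RUN_RE.search(e["body"])
        if not m:
            continue
        cmd = m.group("cmd").strip().strip('"')
        if not re.match(r"^[A-Za-z]:\\|^%", cmd):
            names.append(m.group("name"))
    return names


def dpf_hosts_outside(entries: List[Dict[str, str]], allowed_suffixes) -> List[str]:
    """Hosts of O16 (Downloaded Program Files / ActiveX) entries not under an allowed domain."""
    hosts = []
    for e in entries:
        if e["kind"] != "O16":
            continue
        url = e["body"].rsplit(" - ", 1)[-1]
        host = (urlparse(url).hostname or "").lower()
        if not any(host == s or host.endswith("." + s) for s in allowed_suffixes):
            hosts.append(host)
    return hosts


def triage(log_text: str, allowed_dpf=("microsoft.com", "msn.com")) -> Dict[str, object]:
    """One-shot summary of the findings a helper would ask about first."""
    entries = parse_entries(log_text)
    return {
        "entries": len(entries),
        "orphaned": [e["body"] for e in orphaned_entries(entries)],
        "unqualified_run": unqualified_run_entries(entries),
        "dpf_outside_allowlist": dpf_hosts_outside(entries, allowed_dpf),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HJT_LOG).items():
        print(f"{key}: {value}")
```

On the full log above the same logic would flag the msmdev SSODL entry as orphaned, list the bare-name Run items (nwiz, 000StTHK, Tpwrtray, TFncKy, TFNF5 and the RUNDLL32 line) for a manual check, and report only the macromedia.com download as outside the assumed allowlist; an unqualified name is not evidence of infection on its own, only a reason to confirm which file it resolves to.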

Ok, no problems to delete.

Why didn’t you leave it in the Chest? First, do no harm; it is better to send the file to the Chest for further investigation.

Why?

Why?

Better and safe is quarantine…

I’ll take a look in the log soon.

Avast and Ewido were uninstalled because my original intention had been to work through each of about five programs. Avast (the ‘home’ program) was installed when I ran Ewido, but after Ewido had completed its run the computer froze. With much difficulty the laptop was switched off, but I considered that there may be possible conflicts, so for subsequent testing each software program was uninstalled after use. The computer is now back to Avast, awaiting diagnosis of the HiJack log. My reliance on these programs is shaken – why would they produce such varied results? My fear is that the dreaded rootkit may be with me …

Due to a lot of factors: different malware databases, different detection methods, depth of scanning, different features and purposes of each program… no software is perfect or complete.

OK I see that – but why would the much-vaunted AdAware 2007 successfully locate a Trojan and fail to clean it?

Repair (cleaning) is most of the time more difficult than detection.
AVG antivirus and (taking care) a-squared have better cleaning methods.
SUPERAntiSpyware is good at cleaning.

OK that. Pity that SUPERAntiSpyware and Ewido cannot see that particular program.

Other ones:
Spyware Terminator and/or a-squared (take care about false positives).

AVG
Panda
F-Secure BlackLight

Full computer on-line scanning (note that BitDefender can clean):
Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
AVGas (not necessary if you have AVG anti-spyware installed)
F-Secure
BitDefender (free removal of the malware)
HitmanPro (multiple scanners)

If AdAware 2007 finds a trojan, what is its file name and location, e.g. (C:\windows\system32\infected-file-name.xxx) ?

There are often reasons why it can’t be dealt with (file in use, protected, etc.), but you should most certainly confirm it is a good detection first (which may be why others didn’t detect it).

You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner). I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.
Or Jotti (multi-engine on-line virus scanner). If any other scanners here detect them it is less likely to be a false positive.

I’ve tried the programs that I had to hand. Unfortunately, until the HiJack file is cleaned I’m loath to return it for wireless internet connection. I am broadband. I’ve had enough for today after seven hours, tomorrow I’ll try A-Squared and others.