trojan detected by web shield

this may be a silly question but avast caught a trojan trying to be downloaded on my pc. i aborted connection. but on web shield it says infected count: one virus & last infected: http:// 80.93.48.74/opiwecowebowi/. don’t click this
i ran a scan and no infections. am i worrying over nothing? if i’m clean why does it say infected count 1 on web shield?
ty :)

http:  //   80.93.48.74/opiwecowebowi/.

Please, NEVER post infected live links… just edit your post adding spaces in the link.

To be sure you’re clean, it will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

isn’t avg bad news? i’m not sure about the others.
i added a space

Can you elaborate? I’m not following your mind…

It wasn’t enough… the link is still there.

i mean the whole false positive thing. isn’t avg notorious for that?

i don’t get it. isn’t sumo torrent a reputable site? how does this script get in there? lol

i took a chance with avg and it says i’m clean minus a few tracking cookies so i feel self assured.
ty

A Web Shield detection means the malware was blocked before it could get on your computer.

As Tech mentioned, a scan with AVG Anti-Spyware would be a good idea just to check there is no undetected Trojan downloader on your system trying to initiate the download.

i see why he wanted me to do that now. ty

and i still don’t like avg ;D

Nothing that much anymore. I think a-squared is worse on false positives than AVGas.
AVGas detection is very good (sometimes a-squared detects more riskwares) and it’s better, imho, than Lavasoft or SpywareTerminator. SuperAntispyware is accurate also (but not that huge detection).

At no point was I talking about AVG antivirus, but about AVG antispyware.

i was just on the web and avast stopped the same trojan again. does this mean i’m infected with a trojan loader or something?

If a virus is replicant (coming and coming again), you could follow the general cleaning procedure:

  1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3.

  2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

  4. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

  5. If you are still detecting any strange behavior, or even if you’re sure you’re not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

  6. Also, if you are still detecting strange behaviors or you want to be sure you’re clean, maybe making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.

  7. After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

  8. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

You don’t say anything about the detection, malware name, url of the detection (break any links as in the first post) ?

More importantly was the infected url one that you had elected to visit or was it one that just occurred ?

If it was not one that you elected to visit then it is possible that it might be a trojan downloader at work or a browser hijack, but we need information to attempt to determine the cause.

So have you run any of the programs Tech suggested earlier ?

the http were slightly different. should i do all this anyway?

the trojan is called the JS:Agent Q{tr}
the url which i did not elect to go to but loaded up in tandem were at first http: //80.93.48.74/opiwecowebowi/ & http: //80.93.56.229/xurrvyqvswqcwq

i ran avg antispyware and it’s clean. i ran superantispyware and it’s clean

should i try a system restore? let me say i haven’t noticed anything wrong with my pc? is it necessary to do all of this or should i wait?

I would suggest you avoid system restore for the time being; it can prove to be problematic.

I think you should now move on to Tech’s step 5 anti-rootkit tools as what is on your system could be hidden by a rootkit and report the findings.

Then if no joy move on to step 6 HiJackThis, Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis - HJT Information HiJackThis Tutorial 1 and post the contents of the log file here, you may need to use two posts because of its size.

This? Please, follow the steps… the way to get clean again…

hijack this log
Scan saved at 5:43:42 PM, on 8/18/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Windows\vVX3000.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Geoff\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”
O4 - HKLM\..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM\..\Run: [LifeCam] “C:\Program Files\Microsoft LifeCam\LifeExp.exe”
O4 - HKLM\..\Run: [VX3000] C:\Windows\vVX3000.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User ‘SYSTEM’)
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User ‘Default user’)
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)


End of file - 4910 bytes
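
A triage pass over the entry format of the log above, as an added example that is not part of the original thread and not HijackThis code: it flags entries whose target file is gone ("(no file)", "(file missing)") and O1 hosts lines that are anything other than a loopback address mapped to localhost. The sample lines are copied from the log except the 203.0.113.7 hosts line, which is constructed; the function names are assumptions.

```python
import re

# Entries copied from the HijackThis log above, plus one constructed
# hosts redirect (203.0.113.7 is a documentation address, not from the log).
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.7 www.example.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""

# Entry lines start with a section code (R0, O4, O23, ...) followed by " - ".
ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
LOOPBACK = {"127.0.0.1", "::1"}


def parse(log_text):
    """Yield (code, body) per entry; header and process-list lines are skipped."""
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            yield match.group("code"), match.group("body")


def triage(log_text):
    """Return (code, reason, body) for entries that deserve a manual look."""
    findings = []
    for code, body in parse(log_text):
        if code == "O1" and body.startswith("Hosts:"):
            fields = body[len("Hosts:"):].split()
            if not fields:
                continue
            addr, names = fields[0], fields[1:]
            # A loopback address mapped to localhost is not a redirect.
            if addr not in LOOPBACK or any(n.lower() != "localhost" for n in names):
                findings.append((code, "hosts redirect", body))
        elif "(no file)" in body or "(file missing)" in body:
            # The registry entry survives but the file it points to does not.
            findings.append((code, "target file missing", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:4} {reason:20} {body}")
```
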

You can check the automatic analysis of your HijackThis log here.

You can find more info in the links of the last column of this table.
That info could guide you on the cleaning process.
Anyway, if you have doubts, just post here.
Also, take a careful look at the first column of the table:

  1. If you don’t recognize a legit program in one of the items marked as FIX IF UNKNOWN, please post it back here and maybe we can help you. Or, if you’re sure it’s a malware item, you can remove it as posted below.

  2. If you agree with the automatic classification of the infected items marked as FIX (CHECK NOTES!), you can turn back to HijackThis program, check the box of this item and then remove it using the button ‘Fix checked’.

Hope it helps.
There are at least two infections in your computer.

I’d follow Tech’s and David’s advice and look for rootkits.

i don’t know what these mean

FIX IF UNKNOWN O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll Fix it, if you don’t recognize the button or menuitem (in the IE menu).
FIX IF UNKNOWN R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 Fix it, if you don’t recognize the the program.
FIX IF UNKNOWN R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/ Fix it, if you don’t recognize the the program.
FIX IF UNKNOWN R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 Fix it, if you don’t recognize the the program.
FIX IF UNKNOWN R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 Fix it, if you don’t recognize the the program.
FIX IF UNKNOWN R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 Fix it, if you don’t recognize the the program.
FIX IF UNKNOWN R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = Fix it, if you don’t recognize the the program.
FIX IF UNKNOWN R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = Fix it, if you don’t recognize the the program.
FIX IF UNKNOWN R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Fix it, if you don’t recognize the the program.
FIX IF UNKNOWN O1 - Hosts: ::1 localhost Fix it, unless you knowingly put the redirection in the hosts file

should i fix them?

… and this should i fix it? i don’t use dreamscene
FIX (CHECK NOTES!) O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll So far only used maliciously by CWS.Smartfinder. Treat with care.

ran the avg rootkit and the f-secure, both came up clean. any others i should try?
ty

i downloaded and used advanced window care, it says i’m clean. should i keep it?

Can you open your hosts file in Notepad and post its contents here?
C:\WINDOWS\system32\drivers\etc\hosts

a-squared, AVGas, SuperAntispyware and/or SpywareTerminator.

It’s a good immunization tool, you can keep it. But it’s not a powerful antispyware scanner.