Trojano-1941?

Hello,

Avast keeps finding a trojan horse, perhaps every half hour or so, in my C:/Windows folder. It is a DLL with a series of letters/numbers that ends in _disk.dll. Searches on the internet cannot find either the virus “trojano-1941” or the DLL. When I move or delete it, it just comes back again later. When I scan the PC with Avast it simply doesn’t find the trouble. Any ideas? Can Avast actually deal with this problem? Does anyone know anything about trojano?

Regards and thanks ahead of time,
PsychoCy

Please follow the instructions in the malware removal section on THIS SITE

Check out this thread: if you are using a user account with admin privileges, then any virus that gets onto your system also has those privileges.

Security Tips & Tricks - DropMyRights

You might want to look at a different browser that is less susceptible to this, but ensure that your OS and browser are up to date.

Scope this one out… my avast tells me I am infected with this trojan virus WIN32:TROJANO-1941. When I start my computer I am able to launch everything, which is how I am posting here now, but after a certain amount of time (approx. 30 mins to 1 hr) if I click on anything from the desktop my computer locks right up. After rebooting from the freeze I come back to a desktop that is unresponsive. Then I have to roll back my system in safe mode using System Restore to get it functioning again. I have run a boot-time scan and it detects the virus, deletes the virus in multiple locations, and loads Windows, only for it to reappear magically. What should I do? I am so tired of restoring my system I am going nuts. I did search on the web for it and found nothing; my VPS is up to date and my comp is still finding it each time I scan. I have an HP 510c with Windows XP Pro edition and a headache. Thanks for anyone's help, you would be a life saver.

Have you tried the Ewido anti-Trojan program?

http://www.ewido.net/en/

I’m running the scan right now after downloading it; so far it’s found 3 infections.

This is my report from Ewido: 56 infections found
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} → Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\ → Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\ → Spyware.MiniBug : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@2o7[2].txt → Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@ad.yieldmanager[1].txt → Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@adopt.specificclick[2].txt → Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@ads.addynamix[2].txt → Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@ads.pointroll[2].txt → Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@advertising[1].txt → Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@as-us.falkag[2].txt → Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@atdmt[2].txt → Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@bfast[2].txt → Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@bluestreak[2].txt → Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@burstnet[2].txt → Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@casalemedia[1].txt → Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@citi.bridgetrack[2].txt → Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@com[2].txt → Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@cz3.clickzs[2].txt → Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@doubleclick[1].txt → Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@e-2dj6wjkoohazcfq.stats.esomniture[2].txt → Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@e-2dj6wjkospcjedo.stats.esomniture[2].txt → Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@e-2dj6wjkygid5ocp.stats.esomniture[2].txt → Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@e-2dj6wjloogcpecq.stats.esomniture[2].txt → Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@e-2dj6wjlowmcjmgp.stats.esomniture[2].txt → Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@edge.ru4[2].txt → Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@ehg-aarp.hitbox[2].txt → Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@ehg-dig.hitbox[1].txt → Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@ehg-gameshownet.hitbox[1].txt → Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@ehg-knightridder.hitbox[2].txt → Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@ehg-techtarget.hitbox[2].txt → Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@ehg-wizardsofthecoast.hitbox[1].txt → Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@ehg.hitbox[1].txt → Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@fastclick[2].txt → Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@hg1.hitbox[1].txt → Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@hitbox[1].txt → Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@marykay.122.2o7[1].txt → Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@mediaplex[1].txt → Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@msnportal.112.2o7[1].txt → Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@overture[1].txt → Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@perf.overture[1].txt → Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@questionmarket[1].txt → Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@rotator.dex.adjuggler[1].txt → Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@servedby.advertising[2].txt → Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@server.iad.liveperson[1].txt → Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@serving-sys[2].txt → Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@spylog[2].txt → Spyware.Cookie.Spylog : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@statcounter[1].txt → Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@statse.webtrendslive[1].txt → Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@thunderbolt.adjuggler[2].txt → Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@tradedoubler[2].txt → Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@trafficmp[2].txt → Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@trafic[1].txt → Spyware.Cookie.Trafic : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@tribalfusion[1].txt → Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@valueclick[1].txt → Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\OUR COMPUTER\Cookies\our computer@z1.adserver[2].txt → Spyware.Cookie.Adserver : Cleaned with backup
C:\WINDOWS\system32\checkIn.dll → Dialer.Generic : Cleaned with backup

::Report End

Brand:

Most of what Ewido found were harmless cookies; I use a "cookie manager", the good & FREE "CookieWall" from www.analogx.com, and would encourage you to do likewise. Once you place a cookie in its "Kill" section, it will NOT get on your computer in the future. However, if you have Win XP, there's a "quirk" in the program which I will explain if you wish to send me a "Private Message". Ewido is a good program to use in conjunction with an anti-virus and at least 1 antispyware program.

Hi Brand,

Ewido found a dialler, a bit of spyware and a lot of cookies, as Spiritsongs said. Is the problem still there? If it is, could you post a HijackThis! log for us to look at?

The name Trojano-1941 seems to be specific to avast!, so it’s hard to know what we’re dealing with. A log should show us what the problem is.

http://www.bleepingcomputer.com/forums/tutorial42.html

_disk.dll

The dialler found could have been the problem:

http://vil.nai.com/vil/content/v_135627.htm

Just to rule out CoolWebSearch variant:

http://castlecops.com/o20list-2.html

Please run CWShredder:

http://www.intermute.com/spysubtract/cwshredder_download.html

Logfile of HijackThis v1.99.1
Scan saved at 2:34:53 PM, on 10/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\UltimateBet\UltimateBet.exe
C:\Documents and Settings\OUR COMPUTER\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://movies.go.com/
R3 - Default URLSearchHook is missing
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {405132A4-5DD1-4BA8-A181-95C8D435093A} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: C:\WINDOWS\q10864343_disk.dll - {B212D577-05B7-4963-911E-4A8588160DFA} - C:\WINDOWS\q10864343_disk.dll (file missing)
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra ‘Tools’ menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O16 - DPF: {02CA9974-B6AC-497E-A371-73580432B0F6} (Eyeball Video Message Control) - http://wildmatch.com/ChatSource/hVideoContol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123009987815
O20 - Winlogon Notify: style32 - C:\WINDOWS\q10864343_disk.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

You don’t appear to have a software firewall present; this is an essential defence, otherwise you will just be fighting a losing battle to clean your system.

See this link for an on-line analysis of your HJT log: http://hijackthis.de/logfiles/a075d8bf6a19643086dd816d901faa4c.html There are a number of nasty, unknown and unnecessary entries in the log. Google those you are unsure of and fix those that should be removed.
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the "file missing" entry for avast). If you need any help with any of the analysis, let us know.

Yeah, uh, what should I remove or check and fix? I have never used this program before.

These entries must be fixed. Start HijackThis! and run a scan. Tick the box next to each entry, then click Fix and reboot into safe mode. (Tap F8 while booting.)

O2 - BHO: C:\WINDOWS\adsldpbc.dll - {405132A4-5DD1-4BA8-A181-95C8D435093A} - C:\WINDOWS\adsldpbc.dll

R3 - Default URLSearchHook is missing

O2 - BHO: C:\WINDOWS\q10864343_disk.dll - {B212D577-05B7-4963-911E-4A8588160DFA} - C:\WINDOWS\q10864343_disk.dll (file missing)

O4 - Startup: PowerReg Scheduler V3.exe

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)

O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)

O15 - Trusted Zone: *.coolwebsearch.com

O15 - Trusted Zone: *.searchmeup.com

O20 - Winlogon Notify: style32 - C:\WINDOWS\q10864343_disk.dll (file missing)

Do you recognise this entry? I cannot find any indication that it is malware, but if you don’t need it, fix it too.

O16 - DPF: {02CA9974-B6AC-497E-A371-73580432B0F6} (Eyeball Video Message Control) - http://wildmatch.com/ChatSource/hVideoContol.cab

Do you use and trust the program Ultimate Bet? Again, a quick search didn’t bring anything up. You could submit the file UltimateBet.exe to Jotti just to be sure:

http://virusscan.jotti.org/

When you have fixed the entries and rebooted into safe mode do a search for and delete these files:

adsldpbc.dll
V3.exe

Then, as David mentioned, you will need to make sure the Windows firewall is on, or preferably install a good free firewall like ZA.

Installing SpywareBlaster would be a good idea too!
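The fix list above applies a handful of rules to the HijackThis log: a BHO or Winlogon Notify entry whose file is missing, a BHO that is registered under nothing but its own path in the Windows directory, every Trusted Zone entry and the removed default URLSearchHook get fixed, while the avast O23 lines are an HJT 1.99.1 parsing quirk and are left alone. The Python below is an added example, not part of this thread or of HijackThis itself; it encodes those rules and runs them over lines copied from the log posted above (the sample input is constructed for the example). The "legitimate BHOs do not sit directly in %SystemRoot%" and "legitimate Winlogon Notify packages live in system32" folder heuristics are my assumptions about where such modules normally live, not something the posters stated.

```python
import re

# Constructed sample: lines taken from the HijackThis 1.99.1 log posted above,
# including one avast service line that HJT 1.99.1 mis-parses.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://movies.go.com/
R3 - Default URLSearchHook is missing
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {405132A4-5DD1-4BA8-A181-95C8D435093A} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: C:\WINDOWS\q10864343_disk.dll - {B212D577-05B7-4963-911E-4A8588160DFA} - C:\WINDOWS\q10864343_disk.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: PowerReg Scheduler V3.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O20 - Winlogon Notify: style32 - C:\WINDOWS\q10864343_disk.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# Windows file paths inside an entry; the last one is the module that gets loaded.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:dll|exe|ocx|sys)\b", re.IGNORECASE)
MISSING = "(file missing)"
# Assumed heuristics: legitimate BHOs do not live directly in %SystemRoot%,
# and legitimate Winlogon Notify packages live in %SystemRoot%\system32.
WINDOWS_ROOT = {"c:\\windows", "c:\\winnt"}
SYSTEM32 = {d + "\\system32" for d in WINDOWS_ROOT}


def classify(line):
    """Return (verdict, reason) for one HJT entry, or None for a non-entry line.

    Verdicts: 'fix' (tick it in HJT), 'review' (look it up first),
    'ignore' (known scanner quirk).
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("section"), m.group("body")
    missing = body.endswith(MISSING)
    paths = PATH_RE.findall(body)
    path = paths[-1] if paths else None
    folder = path.rsplit("\\", 1)[0].lower() if path else ""

    if sec == "O23" and missing and '"' in body:
        # HJT 1.99.1 cuts a quoted service path at the closing quote and then
        # reports the file as missing; the avast services in the thread hit this.
        return ("ignore", "HJT 1.99.1 mis-parses quoted service paths; confirm the process is running")
    if sec == "O2":
        name = body.split(": ", 1)[1].split(" - ")[0]
        if missing:
            return ("fix", "BHO registered but its DLL is gone: dangling CLSID")
        if path and name.lower() == path.lower():
            return ("fix", "BHO with no registration name, only its own path")
        if folder in WINDOWS_ROOT:
            return ("fix", "BHO DLL dropped directly into the Windows directory")
        return ("review", "named BHO in an application folder; confirm the vendor")
    if sec == "O20":
        if missing or folder not in SYSTEM32:
            return ("fix", "Winlogon Notify DLL missing or outside system32; winlogon.exe loads it at every logon")
        return ("review", "Winlogon Notify package in system32; check it is a known one")
    if sec == "O15":
        return ("fix", "Trusted Zone entry lowers IE security for that domain")
    if sec == "R3" and body.endswith("is missing"):
        return ("fix", "default URLSearchHook removed; fixing restores the default")
    if sec == "O4" and body.startswith("Startup:") and path is None:
        return ("review", "Startup-folder item without a vendor path; identify the file")
    return ("review", "no heuristic matched; look the entry up before fixing")


def triage(log_text):
    """Group every entry of a whole HJT log by verdict."""
    out = {"fix": [], "review": [], "ignore": []}
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            out[result[0]].append((line.strip(), result[1]))
    return out


if __name__ == "__main__":
    for verdict, items in triage(SAMPLE_LOG).items():
        print(f"== {verdict} ({len(items)})")
        for entry, reason in items:
            print(f"  {entry}\n      -> {reason}")
```

Run against the sample, the six entries the thread told Brand to fix land in `fix`, the mangled avast service line lands in `ignore`, and everything else (including the Startup-folder `V3.exe` item and the UltimateBet-style unknowns) lands in `review`, which is still a manual step: the rules only decide what is worth looking up, they do not replace the lookup.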

You guys ROCK! I went into safe mode, found V3 and deleted it, and everything seems fine. I want to thank all of you for your help, and I know I don't know much about comps, but if you ever need any help anyway my email is dravenhawke@hotmail.com, feel free to contact me, and once again you guys RULE!

You’re welcome, Brand.

Leaving your email address on the forum like this means the spambots are going to find it, so I recommend you remove it, but thanks for the offer!

HiJackThis is a very good analysis tool when allied with the on-line analysis tools.

The link Frank provided to an HJT tutorial will help you understand HJT and how to fix; the what to fix comes from:

  1. the on-line analysis giving a clue: Nasty, Unknown and Unnecessary.
  2. using the likes of Google to check out the items listed in 1. above; this should reveal if it is known to be harmful or shine a light on the unknown.
  3. whether you remember having installed the item, whether you know what it is, etc.

From this you can get a feel for what to fix, not to mention we can help here with those you aren’t sure of. We also try to teach how to use the tools available to you so you can become more experienced and possibly help others in the future.