I picked up a trojan that kept rebooting my computer for no reason, which made it really unusable. In safe mode, I did an avast! scan and found "Win32: trojano-904 [trj]." It wouldn't 'put it in the chest', so I had it deleted. Didn't solve the problem. After several reboots and scans by various virus detection programs, it came up with another one, "Win32: PowScan [trj]." I deleted that one too because the 'chest' function still wasn't working properly. I'm not including some of the adware that popped up and I deleted as well. Needless to say the problem hasn't gone away and I can't even boot it up, not even in safe mode, anymore. Any suggestions to get rid of it? Or am I going to have to reformat? Thanks.
Hi, welcome to the forums.
Please help us to help you. In order to help fully we need more information:
- What OS are you using? Is it up to date?
- What avast! version and VPS file (virus database) number, e.g. 0436-4 (see "About avast!")?
- What was the virus name, what was the filename, where was it found, for example C:\windows\system32\infected-filename.xxx?
If a program is in use and Windows is protecting it, then it is difficult to get rid of it at the time. If you have W2K/XP you can schedule a boot-time scan in avast!
Advice & Tools for virus/trojan/malware Removal & Prevention
I'm running Windows XP with Service Pack 2. 0503-2 is the virus definition pack, and I'm using avast! 4.5. PowScan was found in programfiles/powerscan/ and the other one was a temp file in my Documents and Settings somewhere. I've had Norton running full time for three months but apparently that didn't help any.
I guess it was a mistake to delete the files… is my system still salvageable though? I did it in kind of a rage, oops. ???
Hi,
- please post a HijackThis logfile here
- run full scans with avast! (thorough & archive scan), Trend, RAV & ESCAN
and report the exact virus names and full path/folder/filenames of infected files
Links/info you'll find in the link davidr provided above
Here's the log from safe mode. I can try and make one in regular mode but I'm not sure it's going to work. But here it is! Hope it helps.
Logfile of HijackThis v1.99.0
Scan saved at 12:09:34 PM, on 1/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avast4\ashLogV.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [hxgejdpmpjk] C:\WINDOWS\system32\ftwilmq.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096429941608
O16 - DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} (ScanFile.FileScan) - http://www.contentpurity.com/xp/ScanFilexp.CAB
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/Http/OIFActiveX/ofmctl.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
Always best to take the action that is least likely to do harm, in case it turns out to be a false positive, FP (probably not the case here). avast! usually only shows the actions that can be attempted (the others are greyed out).
Repair should be your first choice (not always possible; trojans generally can't be repaired).
Move to Chest: here nothing in the file can do any harm, you can check it out (ask here if need be), you can restore it to its original location (if FP), and if after a period there is no adverse effect, you can delete it from the chest.
Delete: I would not advise this as a first course of action unless you are really certain. Act in haste, repent at leisure.
All may not be lost; you don't need to boot into safe mode, just be able to boot for the time being. Have you tried that? If it boots, schedule a boot-time scan from within avast!
Also have you looked at the information in the link I gave you (The link is the blue text)?
Run hijackthis again from a normal boot. Running it in safe mode will disable some of the things that may be harmful so we need to see them.
For an on-line scan of your Hijackthis log file try here http://hijackthis.de/index.php
You also need to get rid of Norton AV as the two on the same machine are likely to cause conflict.
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
If you have run Add/Remove Programs for Norton, it hasn't worked fully and you need to run the Norton uninstall tool. The tool can be downloaded here: ftp://ftp.symantec.com/misc/consumer/Rnav2003.exe. Ensure that you are using the correct tool for the version of NAV you had; this one is for NAV 2003.
I can't get it to stay in normally booted mode; the computer restarts as soon as I get into Windows. Could be because of a conflict, I'm not sure. Going to go and uninstall Norton and try again.
OK, I can't get it to stay in Windows normally booted for long enough to make a HijackThis log. Is there some way to look at or modify the boot record in safe mode so I can turn off Norton or avast!? It will also not let me uninstall anything in safe mode.
Edit: in the menu where I choose safe mode there's also an "enable boot logging mode". Would that be of help? And if I do it, where can I find the log so I can copy and paste it into this thread? Thanks.
I gave up and reformatted, but I'm not entirely sure it's gone because the same thing has happened twice now! Good news is the computer starts up into Windows. Here's the HijackThis log. See anything out of the ordinary?
Logfile of HijackThis v1.99.0
Scan saved at 7:46:45 AM, on 1/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\René\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
You are still vulnerable, having reformatted and installed XP (you haven't been to Windows Update), so there are vulnerabilities that are probably being exploited.
The same is true for IE; it is unpatched.
You have to update your system, otherwise it will be a similar problem: sticking band-aids on. Treat the illness, not the symptom.
In fact your system is much less secure than before.
Logfile of HijackThis v1.99.0
Scan saved at 12:09:34 PM, on 1/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
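Two things the helpers do by eye in this thread can be scripted: reading the Platform/MSIE header lines to see whether a service pack is present (the second log, taken after the reformat, shows none), and sorting the O2 (BHO) and O4 (Run key / Startup folder) entries by where the launched file actually lives, since autostarts sitting directly in C:\WINDOWS or in System32 under a name no vendor uses are the ones worth looking up. The script below is an added example, not code from the thread, from avast! or from HijackThis. The sample log is constructed from lines in the shape of the logs posted above, the KNOWN_SYSTEM32 allowlist is a constructed stand-in rather than an authoritative list, and "review" means look the file up (or move it to the chest), not delete it. Note that legitimate vendor files such as NvCpl.dll and UpdReg.EXE get flagged too, which is exactly why the thread advises checking before deleting.

```python
"""Offline triage of a HijackThis-style log (added example, not HijackThis code).

patch_level()   reads the Platform/MSIE header and extracts the service pack number.
parse_entries() classifies O2/O4 autostart entries by the folder the file lives in.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section name path location review")

# Accept both the real "HKLM\..\Run:" form and the "HKLM..\Run:" form that the
# forum software produced when it swallowed a backslash in the posted logs.
O4_RE = re.compile(r"^O4 - (HK\w+)[\\.]*Run: \[([^\]]*)\] (.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - Global Startup: (.+?) = (.+)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$")
HEADER_RE = re.compile(r"^(Platform|MSIE): (.+)$")

# Windows-shipped names that legitimately autostart from %windir%\system32.
# Constructed allowlist for this example; it is not an authoritative list.
KNOWN_SYSTEM32 = {"ctfmon.exe", "dumprep"}

# Locations where an autostart should be checked before anything is deleted.
REVIEW = {"windows-root", "system32-unknown"}

# Constructed sample in the HijackThis v1.99 line format (header without a service pack).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [hxgejdpmpjk] C:\WINDOWS\system32\ftwilmq.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""


def first_path(target):
    """Return the file a Run entry launches, stripping quotes (straight or curly)
    and arguments; for RUNDLL32 entries return the DLL it loads instead."""
    t = target.strip().lstrip('"\u201c')
    m = re.match(r'([^"\u201d,]*?\.(?:exe|dll|com|scr|bat|pif))(?=["\u201d\s,]|$)', t, re.I)
    path = m.group(1) if m else t.split()[0]
    if path.lower().endswith("rundll32.exe"):
        m2 = re.match(r'\s*([^"\u201d,]*?\.dll)', t[m.end():], re.I)
        if m2:
            path = m2.group(1)
    return path


def location_class(path):
    """Classify by parent folder: vendor folder, Windows root, System32 (known or not)."""
    p = path.lower().replace("%systemroot%", r"c:\windows")
    parent, _, base = p.rpartition("\\")
    if not parent:
        return "bare-name"  # resolved via PATH at logon; actual location unknown
    if parent == r"c:\windows":
        return "windows-root"
    if parent == r"c:\windows\system32":
        return "system32-known" if base in KNOWN_SYSTEM32 else "system32-unknown"
    if parent.startswith((r"c:\program files", r"c:\progra~1")):
        return "program-files"
    return "other"


def parse_entries(log_text):
    """Yield one Finding per O2/O4 line, in log order."""
    out = []
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            section, name, target = m.group(1) + " Run", m.group(2), m.group(3)
        elif m := O4_STARTUP_RE.match(line):
            section, name, target = "Global Startup", m.group(1), m.group(2)
        elif m := O2_RE.match(line):
            section, name, target = "BHO", m.group(1), m.group(2)
        else:
            continue
        path = first_path(target)
        loc = location_class(path)
        out.append(Finding(section, name, path, loc, loc in REVIEW))
    return out


def patch_level(log_text):
    """Extract Platform/MSIE header lines; service_pack is 0 when none is listed."""
    hdr = {}
    for line in log_text.splitlines():
        if m := HEADER_RE.match(line):
            hdr[m.group(1)] = m.group(2)
    platform = hdr.get("Platform", "")
    sp = re.search(r"\bSP(\d)\b", platform)
    return {"platform": platform, "msie": hdr.get("MSIE", ""),
            "service_pack": int(sp.group(1)) if sp else 0}


if __name__ == "__main__":
    info = patch_level(SAMPLE_LOG)
    print(f"{info['platform']} / {info['msie']} -> service pack: {info['service_pack'] or 'none'}")
    for f in parse_entries(SAMPLE_LOG):
        print(("REVIEW " if f.review else "       ") + f"{f.section:<14} {f.location:<16} {f.path}")
```

Run stand-alone it prints the patch level (none, for the constructed header) and one line per autostart, with the Windows-root and unknown-System32 entries marked REVIEW. The location rule is deliberately coarse: it tells you which lines to look up, and the thread's chest-first advice covers what to do with them.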