system
December 20, 2006, 11:19pm
1
Hi,
Avast always finds a win32:Horst-DZ Trojan in my Temp folder.
It is an exe file, like ( 90exinjs.v.exe/[UPX] ).
After deleting it, a while later Avast again finds a trojan which is named differently,
like: ( …v.exe / [UPX] )
I searched with spyware software. Nothing found.
I turned off System Restore.
Restarted the PC.
Searched with avast.
And then nothing found.
But some time ago I got an avast warning again.
And then I decided to write here.
My OS is Windows XP SP2 Home Edition.
I am using:
Avast 4.7 Edition
SUPERAntiSpyware
Spyware Blaster
I got a message again while I was writing this.
I moved the file to quarantine and then I got a message again with a different name for this trojan or spy or something.
Help me please.
P.S.: I am searching again now with avast. Excuse my bad English also.
system
December 20, 2006, 11:20pm
2
My HiJackThis Log File Part 1:
Logfile of HijackThis v1.99.1
Scan saved at 01:00:20, on 21.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\Program Files\BulletProofSoft.com\SpywareRemover\5C38BC20.DLL
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\OĞUZHAN\LOCALS~1\Temp\xpinstall.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\OĞUZHAN\LOCALS~1\Temp\Rar$EX00.797\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://de.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://de.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sakarya.edu.tr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://de.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://de.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://de.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://de.search.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://de.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://de.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {09F93072-DE5E-4b5a-B347-F80FD7CB7309} - (no file)
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Web Class - {D03B6018-E880-4A89-99A2-7354FE52DDAE} - C:\Program Files\NLIA\Nlia.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
system
December 20, 2006, 11:21pm
3
My HiJackThis Log File Part 2:
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [\\Oguz\EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P33 "\\Oguz\EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AILE üzerinde otomatik EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P49 "AILE üzerinde otomatik EPSON Stylus CX3600 Series" /O13 "\\AILE\Yazıcı" /M "Stylus CX3600"
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [spywatch] C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesde.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesde.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Araştır - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{259AB3CA-F67D-4AB8-9FB8-9105C2904D84}: NameServer = 10.0.0.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{79F1E3E1-B58A-4DC8-BD91-213887B00DF6}: NameServer = 193.140.253.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BitDefender Local Manager (BDLM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe" /service (file missing)
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
Did you try boot time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
It would be good if you download, install, update and run other trojan remover tools:
a-squared
Free AVG Antispyware
Spyware Terminator
Help me please.
We can understand you very well.
system
December 21, 2006, 1:00am
5
An online analysis identifies
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
as a trojan (probably horst).
Also, you either have no firewall running or are using the Windows Firewall. You should consider installing a third-party firewall.
system
December 21, 2006, 2:49am
6
Hi again,
I did everything:
Turned off System Restore
Used Clean-Up
a-squared Anti-Malware search, find and delete
Avast! Boot Time Scan
But I am still getting the win32:Horst-DZ [Trj] trojan warning from Avast!.
Last infected (found virus) file: Temp\68exinjs.v.exe[UPX]
I quarantined it.
Then I looked in the temp folder. And I found the others.
First it begins with a .conf extension like:
injs.v.exe.conf or ssd32.w.exe.conf
and then it creates exe files in the same (temp) folder like:
68exinjs.v.exe …vs…vs.
I don't know what I can do.
I really need your help.
@mauserme,
smss.exe is a trojan?
If so, how can I solve this problem?
You are right. I will set up a firewall as soon as possible.
system
December 21, 2006, 5:20am
7
The legitimate file is C:\Windows\System32\smss.exe.
The suspicious file is C:\Windows\System\smss.exe
Before proceeding please extract HijackThis into its own folder (C:\HJT\ would be fine) and scan again from that location. Post the results. Also verify that you have smss.exe in the C:\Windows\System (not System32) directory.
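The check made in this reply, a core Windows binary name (smss.exe) launched from a directory other than System32, is something a reviewer can apply mechanically to every O4 line of a HijackThis log, and the O17 NameServer entries discussed later in the thread can be pulled out alongside it for review. The script below is an added example written for this thread; it is not code from any poster, from avast or from HijackThis. The sample lines are constructed from the logs posted above, the list of core System32 binaries is an illustrative assumption rather than a complete one, and the O17 handling only labels each resolver address as private or public so the reader can confirm it against their own router or ISP; it does not decide that any entry is malicious.

```python
import re
from ipaddress import ip_address

# Constructed sample HijackThis lines modelled on the logs in this thread:
# a legitimate Run entry, the suspicious .nvsvc entry, a user Run entry,
# a Run entry without an .exe suffix, and the two O17 NameServer lines.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w",
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{259AB3CA-F67D-4AB8-9FB8-9105C2904D84}: NameServer = 10.0.0.3",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{79F1E3E1-B58A-4DC8-BD91-213887B00DF6}: NameServer = 193.140.253.2",
]

# Core Windows XP binaries whose only legitimate home is %SystemRoot%\System32.
# Assumption: illustrative list, not exhaustive.
CORE_SYSTEM32_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}

# Accepts both "HKLM\..\Run" and "HKLM..\Run"; forum rendering sometimes
# swallows the backslash when a log is pasted.
O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\?\.\.\\Run: \[([^\]]*)\] (.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")


def extract_executable(command):
    """Return the program path from an O4 command string, dropping arguments."""
    command = command.strip()
    if command.startswith('"'):               # quoted path: take up to closing quote
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"^(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def parse_o4(line):
    """Split an O4 line into hive, value name, command and the executable's location."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, name, command = m.groups()
    exe = extract_executable(command)
    dirname, _, basename = exe.lower().rpartition("\\")
    return {"hive": hive, "name": name, "command": command,
            "exe": exe, "dirname": dirname, "basename": basename}


def flag_o4(entry):
    """Explain why a Run entry deserves a look, or None if nothing stands out."""
    if entry["basename"] not in CORE_SYSTEM32_BINARIES:
        return None
    if not entry["dirname"].endswith("\\system32"):
        where = entry["dirname"] or "<bare name, resolved via PATH>"
        return (f"core binary name {entry['basename']} started from {where!r} "
                f"(the real file lives in %SystemRoot%\\System32)")
    return f"core binary {entry['basename']} in a Run key is unusual; verify"


def parse_o17(line):
    """Return the NameServer addresses from an O17 line (comma-separated), or None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    return [v.strip() for v in m.group(1).split(",") if v.strip()]


def classify_nameserver(value):
    """Label a resolver as private or public; the reader confirms ownership."""
    try:
        ip = ip_address(value)
    except ValueError:
        return f"unparseable ({value!r})"
    if ip.is_private:
        return "private address: typically a LAN router or local resolver; confirm it is yours"
    return "public address: confirm it belongs to your ISP or chosen DNS provider"


def analyze(lines):
    """Walk HJT lines and return (section, detail, verdict) tuples worth reviewing."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry:
            verdict = flag_o4(entry)
            if verdict:
                findings.append(("O4", entry["name"], verdict))
            continue
        servers = parse_o17(line)
        if servers:
            for server in servers:
                findings.append(("O17", server, classify_nameserver(server)))
    return findings


if __name__ == "__main__":
    for section, detail, verdict in analyze(SAMPLE_LINES):
        print(f"{section:4} {detail:16} {verdict}")
```

Run against the constructed lines, only the `[.nvsvc]` entry is flagged among the O4 lines, because `smss.exe` is being launched from `C:\WINDOWS\system` rather than `System32`; the two O17 lines are listed as private and public respectively, which matches the later discussion in this thread where the private address is taken to be a router and the public one an ISP resolver.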
system
December 21, 2006, 6:31pm
8
I have smss.exe in the C:\Windows\System location.
I extracted HijackThis to the C:\HJT\ folder and searched.
Here are the results,
part 1:
Logfile of HijackThis v1.99.1
Scan saved at 20:30:44, on 21.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\WINDOWS\system32\svchost.exe
E:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\WINDOWS\system32\ctfmon.exe
E:\PeerGuardian2\pg2.exe
E:\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\SpywareGuard\sgmain.exe
E:\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AILE üzerinde otomatik EPSON Stylus CX3600 Series]
system
December 21, 2006, 7:43pm
10
Hi VBS:
Your 1st HJT log showed the presence of the "rogue/suspect" "SpywareRemover"
with its "real-time" component "spywatch"; however, your 2nd log does NOT show
it is there. What do you know about this product being on your computer?
Your 2nd log indicates you MAY have BOTH SUPERantispyware AND a-squared's
"real-time" protection "running"!? If true, you should "disable" one of them.
system
December 21, 2006, 8:04pm
11
Hi Spiritsongs,
SUPERAntiSpyware doesn't work as real-time protection 'cause it's not the Pro version, so I'm using SpywareGuard for real-time protection and also a-squared guard for search & delete; the other moments a-squared is off.
I don't think that using more spy software is my computer's problem.
And I still don't know what the infection is and its solution.
Thanks for caring and replying anyway.
system
December 21, 2006, 8:12pm
12
Hi VBS:
Perhaps it's time to have your HJT log reviewed by an experienced, volunteer Malware Expert
usually found on an antiSPYWARE Support Forum!? Since both SUPERantispyware & a-squared
do NOT seem to have any such Experts, I recommend the Ad-Aware oriented Forums at
www.landzdown.com; they are little known and hence have a relatively fast "turnaround" time.
system
December 21, 2006, 8:24pm
13
Avast! always finds the trojan, so I came here.
Thanks for forwarding me to landzdown.com.
I'll also try there while I am waiting for a solution to this infection here.
system
December 21, 2006, 10:49pm
14
Attachment: Trojan Remover 6.5.4 Log File.
It found nothing.
But avast is still giving the warning.
And the Temp folder is still creating the files that I told you about before.
system
December 22, 2006, 5:26am
15
Thanks for your patience vbs.
Since Spyware Remover and Download Accelerator Plus seem to be in the past tense we won’t worry about them now. I’m not sure there is 100% agreement on Spyware Remover being a rogue, and DAP might have been the bigger of those two problems as it is a source of adware and possibly worse.
Anyway, I've felt since the beginning that the trojan was the main priority so let's go for that.
Since putting C:\WINDOWS\system\smss.exe in quarantine isn’t an option burn a copy to CD - this is just a conservative approach prior to deletion. Put the CD in a safe place since you don’t want the file finding its way back on anybody’s computer.
Open HijackThis from the C:\HJT\ folder and fix this line
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
Close HijackThis and boot into safe mode. Delete smss.exe from C:\Windows\System, remembering to leave the file in System32 intact.
While in safe mode scan again with SuperAntispyware and a-Squared. Quarantine anything found.
Reboot into normal mode and get that firewall installed. Update Windows as you're behind on the security patches. Then run HijackThis and post the log again. There may be a couple other things we need to fix but I'm still researching.
system
December 23, 2006, 6:09am
16
@vbs
I notice you’ve also sought advice on this problem at the LandzDown Forum and that’s perfectly fine.
But please don’t try to combine the advice given here with the advice given there - doing so could lead to unproductive and possibly harmful results since we are not able to give you a co-ordinated effort. For example, when they told you to delete smss.exe using killbox you got an error because you had already deleted it via my method. My goal, and theirs, is to fix the problem not create larger problems.
http://www.landzdown.com/index.php?PHPSESSID=e8cb1871c6ac24f05dc52ad92883c212&topic=13235.0
@Spiritsongs
Your constant ambulance chasing is inefficient, unproductive, and potentially damaging. You profess a desire to help people yet your own agenda always finds its way ahead of their well being.
I implore you, if you want to help then help. You have the knowledge and ability. But recognize that always telling people to go elsewhere is the opposite of help.
system
December 23, 2006, 3:13pm
17
Hi again mauserme.
Before your and landzdown's help, I deleted smss.exe manually.
Now I am not sure that I'm able to fix the problem.
But after deleting it with Shift + Delete (C:\Windows\System\smss.exe) I didn't get the avast warning.
Everything seems good for now.
What can I do now to be sure that the trojan is gone?
system
December 23, 2006, 3:42pm
18
Hi vbs,
No problem - smss.exe needed to go so you should be fine. The lack of warnings is a good sign.
You still should install a third party firewall and update windows. And you should scan with a-Squared and SuperAntispyware.
That question you were asked at LandzDown (and would have eventually been asked here too) about
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D76DC7E-3561-430F-8851-B0927F2E57B8}: NameServer = 192.168.0.1
needs to be resolved. Do you recognize it?
Also let me know if you ever fixed
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
with HijackThis. It's been recommended on both forums but you haven't indicated whether it's done.
And most importantly, keep us updated as to what steps you’re taking. Surprises aren’t good when trying to figure these things out.
DavidR
December 23, 2006, 4:07pm
19
The O17 entry seems strange to me also, as 192.168.0.1 is usually your router's IP address (I assume you have a router) and legitimate O17 IP entries usually point to your ISP's IP. Pointing to your router wouldn't allow access to the ISP IP, weird?
system
December 23, 2006, 5:03pm
20
Possibly a router or modem depending on the configuration.
If there are no connectivity problems and the computer appears malware free I’m inclined to say leave it alone for now.