UPX - Temp - Trojan - Avast

Hi,

Avast always finds a win32:Horst-DZ Trojan in my Temp folder.
It is an exe file, like ( 90exinjs.v.exe/[UPX] ).
After deleting it, a while later Avast finds a trojan again with a different name.

Like: ( …v.exe / [UPX] )

I searched with spyware software. Nothing found.
I turned off System Restore.
Restarted the pc.
Searched with avast.

And then nothing found.

But some time ago I got the avast warning again.
And then I decided to write here.

My OS is Windows XP SP2 Home Edition.

I am using;

  • Avast 4.7 Edition
  • SUPERAntiSpyware
  • Spyware Blaster

I got a message again while I was writing this.
I moved the file to quarantine and then I got a message again with a different name for this trojan or spy or something.

Help me please.

P.S.: I am searching again now with avast. Excuse my bad English also.

My HiJackThis Log File Part 1:

Logfile of HijackThis v1.99.1
Scan saved at 01:00:20, on 21.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\Program Files\BulletProofSoft.com\SpywareRemover\5C38BC20.DLL
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\OĞUZHAN\LOCALS~1\Temp\xpinstall.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\OĞUZHAN\LOCALS~1\Temp\Rar$EX00.797\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://de.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://de.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sakarya.edu.tr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://de.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://de.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://de.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://de.search.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://de.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://de.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {09F93072-DE5E-4b5a-B347-F80FD7CB7309} - (no file)
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Web Class - {D03B6018-E880-4A89-99A2-7354FE52DDAE} - C:\Program Files\NLIA\Nlia.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

My HiJackThis Log File Part 2:

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [\\Oguz\EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P33 "\\Oguz\EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AILE üzerinde otomatik EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P49 "AILE üzerinde otomatik EPSON Stylus CX3600 Series" /O13 "\\AILE\Yazıcı" /M "Stylus CX3600"
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [spywatch] C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesde.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesde.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Araştır - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{259AB3CA-F67D-4AB8-9FB8-9105C2904D84}: NameServer = 10.0.0.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{79F1E3E1-B58A-4DC8-BD91-213887B00DF6}: NameServer = 193.140.253.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BitDefender Local Manager (BDLM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe" /service (file missing)
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Did you try boot time scanning?
Start avast! > Right-click the skin > Schedule a boot-time scan. Select scanning of archives. Boot.

It will be good if you download, install, update and run other trojan remover tools:
a-squared
Free AVG Antispyware
Spyware Terminator

Help me please.

We can understand you very well.

An online analysis identifies

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

as a trojan (probably horst).

Also, you either have no firewall running or are using the Windows Firewall. You should consider installing a third-party firewall.

Hi again,

I did everything:

  • Turned Off System Restore
  • Used Clean-Up
  • a-squared Anti-Malware search, find and delete
  • Avast! Boot Time Scan

But I am still getting the win32:Horst-DZ [Trj] trojan warning from Avast!.

Last infected (found virus) file: Temp\68exinjs.v.exe[UPX]

I quarantined it.
Then I looked in the temp folder. And I found the others.

First it begins with a conf extension like:

injs.v.exe.conf or ssd32.w.exe.conf

and then it creates exe files in the same (temp) folder like:

68exinjs.v.exe …vs…vs.

I don't know what I can do.
I really need your help.

@mauserme,
Is smss.exe a trojan?
If so, how can I solve this problem?
You are right. I will set up a firewall as soon as possible.

The legitimate file is C:\Windows\System32\smss.exe.
The suspicious file is C:\Windows\System\smss.exe

Before proceeding please extract HijackThis into its own folder (C:\HJT\ would be fine) and scan again from that location. Post the results. Also verify that you have smss.exe in the C:\Windows\System (not System32) directory.

I have smss.exe in the C:\Windows\System location.
I extracted HijackThis to the C:\HJT\ folder and scanned.

Here are the results

part 1:

Logfile of HijackThis v1.99.1
Scan saved at 20:30:44, on 21.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\WINDOWS\system32\svchost.exe
E:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\WINDOWS\system32\ctfmon.exe
E:\PeerGuardian2\pg2.exe
E:\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\SpywareGuard\sgmain.exe
E:\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AILE üzerinde otomatik EPSON Stylus CX3600 Series]

Part 2:

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P49 "AILE üzerinde otomatik EPSON Stylus CX3600 Series" /O13 "\\AILE\Yazıcı" /M "Stylus CX3600"
O4 - HKLM\..\Run: [GOKI üzerinde otomatik EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P49 "GOKI üzerinde otomatik EPSON Stylus CX3600 Series" /O13 "\\GOKI\Yazıcı" /M "Stylus CX3600"
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [a-squared] "E:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = E:\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://D:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O16 - DPF: {0FC8B38E-9293-424C-9D0E-CE60775679CF} (SubClassEditCtrlContainer Class) - https://sube.garanti.com.tr/lib/JaguarEditControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D76DC7E-3561-430F-8851-B0927F2E57B8}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = 2,3,4,5,6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = 2,3,4,5,6
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

:slight_smile: Hi VBS :

Your 1st HJT log showed the presence of the "rogue/suspect" "SpywareRemover"
with its "real-time" component "spywatch"; however, your 2nd log does NOT show
it is there. What do you know about this product being on your computer?
Your 2nd log indicates you MAY have BOTH SUPERantispyware AND a-squared's
"real-time" protection "running"!? If true, you should "disable" one of them.

Hi Spiritsongs,

SUPERAntiSpyware doesn't work as real-time protection because it's not the Pro version, so I'm using SpywareGuard for real-time protection and also a-squared guard for search & delete; the rest of the time a-squared is off.

I don't think that using more spy software is my computer's problem.

And I still don't know why the infection is there, or its solution.

Thanks for caring and replying anyway.

:slight_smile: Hi VBS :

Perhaps it's time to have your HJT log reviewed by an experienced, volunteer Malware Expert
usually found on an antiSPYWARE Support Forum!? Since both SUPERantispyware & a-squared
do NOT seem to have any such Experts, I recommend the Ad-Aware oriented Forums at
www.landzdown.com; they are little known and hence have a relatively fast "turnaround" time.

Avast! always finds the trojan, so I came here.
Thanks for forwarding me to landzdown.com.
I'll also try there while I am waiting for a solution to this infection here.

Attachment: Trojan Remover 6.5.4 Log File.

It found nothing.

But avast is still giving the warning.
And the Temp folder is creating the files that I told you about before.

Thanks for your patience vbs.

Since Spyware Remover and Download Accelerator Plus seem to be in the past tense we won’t worry about them now. I’m not sure there is 100% agreement on Spyware Remover being a rogue, and DAP might have been the bigger of those two problems as it is a source of adware and possibly worse.

Anyway, I've felt since the beginning that the trojan was the main priority so let's go for that.

Since putting C:\WINDOWS\system\smss.exe in quarantine isn’t an option burn a copy to CD - this is just a conservative approach prior to deletion. Put the CD in a safe place since you don’t want the file finding its way back on anybody’s computer.

Open HijackThis from the C:\HJT\ folder and fix this line

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

Close HijackThis and boot into safe mode. Delete smss.exe from C:\Windows\System, remembering to leave the file in System32 intact.

While in safe mode scan again with SuperAntispyware and a-Squared. Quarantine anything found.

Reboot into normal mode and get that firewall installed. Update Windows as you're behind on the security patches. Then run HijackThis and post the log again. There may be a couple other things we need to fix but I'm still researching.

@vbs

I notice you’ve also sought advice on this problem at the LandzDown Forum and that’s perfectly fine.

But please don’t try to combine the advice given here with the advice given there - doing so could lead to unproductive and possibly harmful results since we are not able to give you a co-ordinated effort. For example, when they told you to delete smss.exe using killbox you got an error because you had already deleted it via my method. My goal, and theirs, is to fix the problem not create larger problems.

http://www.landzdown.com/index.php?PHPSESSID=e8cb1871c6ac24f05dc52ad92883c212&topic=13235.0

@ Spiritsongs

Your constant ambulance chasing is inefficient, unproductive, and potentially damaging. You profess a desire to help people yet your own agenda always finds its way ahead of their well being.

I implore you, if you want to help then help. You have the knowledge and ability. But recognize that always telling people to go elsewhere is the opposite of help.

Hi again mauserme.

Before your and landzdown's help, I deleted smss.exe manually.
Now I am not sure that I'll be able to fix the problem.
But after deleting (C:\Windows\System\smss.exe) with Shift + Delete I didn't get an avast warning.
Everything seems good for now.

What can I do now to be sure that the trojan is gone?

Hi vbs,

No problem - smss.exe needed to go so you should be fine. The lack of warnings is a good sign.

You still should install a third-party firewall and update Windows. And you should scan with a-Squared and SuperAntispyware.

That question you were asked at LandzDown (and would have eventually been asked here too) about

O17 - HKLM\System\CCS\Services\Tcpip\..\{3D76DC7E-3561-430F-8851-B0927F2E57B8}: NameServer = 192.168.0.1

needs to be resolved. Do you recognize it?

Also let me know if you ever fixed

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

with HijackThis. It's been recommended on both forums but you haven't indicated whether it's done.

And most importantly, keep us updated as to what steps you’re taking. Surprises aren’t good when trying to figure these things out.

The O17 entry seems strange to me also, as 192.168.0.1 is usually your router's IP address (I assume you have a router) and legitimate O17 IP entries usually point to your ISP's IP. Pointing to your router wouldn't allow access to the ISP IP, weird?

Possibly a router or modem depending on the configuration.

If there are no connectivity problems and the computer appears malware free I’m inclined to say leave it alone for now.
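The two checks this thread makes by hand, the smss.exe location check from mauserme's post (legitimate copy in System32, suspect copy in System, launched by an O4 Run entry) and the O17 NameServer question at the end, can be scripted over a HijackThis log. The Python below is an added example, not part of the thread and not a HijackThis feature; the CORE_BINARIES list and the [dropper] line in the sample log are constructed assumptions.

```python
"""Triage helper for HijackThis-style log lines (added example).

Flags an O4 Run entry that launches a core Windows binary name (smss.exe)
from anywhere but System32, or anything launched from a Temp folder, and
classifies O17 NameServer entries as private (router/LAN) or public (ISP).
"""
import re
from ipaddress import ip_address

# Core Windows binaries that legitimately live only in System32.
# Assumption: list built from the process names visible in the thread's logs.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# The thread shows both "HKLM\..\Run" and "HKLM..\Run" (backslash lost on
# posting), so the pattern accepts either form.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\?\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<ip>[0-9.]+)")


def exe_path(cmd):
    """Extract the executable path from a Run command line, quoted or not."""
    cmd = cmd.strip().lstrip('"')
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split('"')[0].strip()


def check_run_entry(line):
    """Classify one O4 Run line; returns (finding, path) or None if unremarkable."""
    m = O4_RE.match(line)
    if not m:
        return None
    path = exe_path(m.group("cmd"))
    parent, _, base = path.replace("/", "\\").rpartition("\\")
    parent, base = parent.lower(), base.lower()
    # A bare name with no directory is also flagged: it relies on PATH search.
    if base in CORE_BINARIES and not parent.endswith("\\system32"):
        return ("core-binary-outside-system32", path)
    if "\\temp\\" in parent + "\\":
        return ("launched-from-temp", path)
    return None


def check_nameserver(line):
    """Classify an O17 NameServer line by address type; returns (finding, ip) or None."""
    m = O17_RE.match(line)
    if not m:
        return None
    try:
        ip = ip_address(m.group("ip"))
    except ValueError:
        return ("unparseable-nameserver", m.group("ip"))
    return ("private-nameserver" if ip.is_private else "public-nameserver", str(ip))


def triage(log_text):
    """Run both checks over a whole log; returns [(line_no, finding, value)]."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        hit = check_run_entry(line) or check_nameserver(line)
        if hit:
            findings.append((no, hit[0], hit[1]))
    return findings


# Constructed sample: lines quoted in the thread plus one invented Temp entry
# ([dropper]) so the Temp check has something to match.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [dropper] C:\DOCUME~1\USER\LOCALS~1\Temp\68exinjs.v.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{259AB3CA-F67D-4AB8-9FB8-9105C2904D84}: NameServer = 10.0.0.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{79F1E3E1-B58A-4DC8-BD91-213887B00DF6}: NameServer = 193.140.253.2
""".strip()

if __name__ == "__main__":
    for no, finding, value in triage(SAMPLE_LOG):
        print(f"line {no}: {finding}: {value}")
```

A private NameServer (192.168.x.x, 10.x.x.x) is usually just the router forwarding DNS, as the last posts conclude; the script only surfaces it so the reviewer can confirm, it does not judge it malicious.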