system
March 23, 2005, 5:54pm
1
Hi
I was wondering if someone could help me, 3 days ago my avast! 4.6 Home warned me about this trojan in the temp folder, i moved it to the chest and erased it. The problem seems to be that every time i restart a session it multiplies itself, avast warned that the memory is affected but after i erase the files it doesn’t give me any warning. I haven’t noticed any diference in the pc’s performance neither annoying pop-ups have showed up, there are some files that seem to be infected too but i can’t move them to the chest (don’t know why):
Thanks in advance and my apoligies for my rude english :-[
DavidR
March 23, 2005, 6:30pm
2
If you have winXP, you can schedule a boot-time scan from within avast.
there are some files that seem to be infected too but i can't move them to the chest (don't know why):
When a file is in use windows protects it, so you can't delet or move it and becayse it is in the windows\system32 folder if you are able to delete it, it is likely to be saved by system restore to a restore point.
Again if you have XP, then use Task Manager and check if you can see the running processes of the above files, you can end the task, then you should be able to delete or move to chest.
system
March 23, 2005, 6:37pm
3
Hi
First Disable System Restore
Then as David suggested run a boot time scan with avast set to scan within archives (open avast > Menu (top left hand corner) >boot time scan)
Then post a hijackthis log here: http://members.home.nl/edeijl/download/hijackthis.exe
–lee
system
March 23, 2005, 7:04pm
4
Logfile of HijackThis v1.99.1
Running processes:
system
March 23, 2005, 7:04pm
5
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?101 (obfuscated)http://out.true-counter.com/b/?101 (obfuscated)http://out.true-counter.com/a/?101 (obfuscated)http://out.true-counter.com/b/?101 (obfuscated)http://out.true-counter.com/c/?101 (obfuscated)http://out.true-counter.com/b/?101 (obfuscated)http://vladimir-ramchenko.blogspot.com/ http://www.fbnet.pt/pcg/ http://out.true-counter.com/c/?101 (obfuscated)http://out.true-counter.com/b/?101 (obfuscated)http://www.fbnet.pt/pcg/ http://download.games.yahoo.com/games/clients/y/vto_x.cab http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab https://components.viewpoint.com/adobe/MTSInstallers/MetaStream3.cab?url=http://joao.leitao.free.fr/lapis/ThumbnailFrame.html http://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe http://www.errorguard.com/installation/Install.cab http://www.easports.com/downloads/games/common/ieell.cab http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe http://www.parallelgraphics.com/bin/cortvrml.cab http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab http://zone.msn.com/binGame/ZAxRcMgr.cab http://install.wildtangent.com/bgn/partners/nike/nikefz4/install.cab http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab http://zone.msn.com/bingame/shpo/default/shapo.cab http://zone.msn.com/bingame/apop/default/popcaploader_v5.cab http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_16_0.cab http://chat.msn.com/bin/msnchat45.cab
system
March 23, 2005, 7:07pm
6
Ufff
system
March 24, 2005, 11:53am
7
Hi mariohugo,
Make sure system restore is still off, then:
r1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?101 (obfuscated)http://out.true-counter.com/b/?101 (obfuscated)http://out.true-counter.com/a/?101 (obfuscated)http://out.true-counter.com/b/?101 (obfuscated)http://out.true-counter.com/c/?101 (obfuscated)http://out.true-counter.com/b/?101 (obfuscated)http://vladimir-ramchenko.blogspot.com/ http://www.fbnet.pt/pcg/ http://out.true-counter.com/c/?101 (obfuscated)http://out.true-counter.com/b/?101 (obfuscated)http://download.games.yahoo.com/games/clients/y/vto_x.cab http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab https://components.viewpoint.com/adobe/mtsinstallers/metastream3.cab?url=http://joao.leitao.free.fr/lapis/thumbnailframe.html http://www.errornuker.com/products/errn2004/installers/default/errornukerinstaller.exe http://www.errorguard.com/installation/install.cab http://www.easports.com/downloads/games/common/ieell.cab http://files.ea.com/downloads/rtpatch/v2/eartpx.cab http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/quicktimeinstaller.exe http://www.parallelgraphics.com/bin/cortvrml.cab http://messenger.zone.msn.com/binary/messengerstatsclient.cab31267.cab http://zone.msn.com/bingame/zaxrcmgr.cab http://install.wildtangent.com/bgn/partners/nike/nikefz4/install.cab http://messenger.msn.com/download/msnmessengersetupdownloader.cab http://zone.msn.com/binframework/v10/zintro.cab34246.cab http://zone.msn.com/bingame/shpo/default/shapo.cab http://zone.msn.com/bingame/apop/default/popcaploader_v5.cab http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_16_0.cab http://chat.msn.com/bin/msnchat45.cab
o4 - global startup: microsoft office.lnk = c:\programas\microsoft office\office10\osa.exehttp://www.fbnet.pt/pcg/
Then run CWshredder: http://cwshredder.net/bin/CWShredder.exe
Then run Ad-Aware: http://download.com.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button (update first)
Then Run Spybot: http://www.safer-networking.org/ (update first)
Then run another boot time scan with avast and remove everything it finds. (update first)
Then run ccleaner: http://www.filehippo.com/download_ccleaner.html
Also i see no active running firewall on your system, so if your not using a hardware firewall (usually in a router) then i suggest downloading a free one called Zonealarm: http://download.zonelabs.com/bin/free/1012_zl/zlsSetup_55_062_011.exe
Then reboot your system.
Then redo and repost your hijackthis log so we can confirm your clean.
P.S, i release there is alot of steps there, so just take your time, no need to rush, and post back when/if you need help with them.
–lee
system
March 24, 2005, 7:13pm
8
Here it is the log file lee
Logfile of HijackThis v1.99.1
Running processes:
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
Well that seemed to solved the trojan problem but now it gives me a brand new error >:( lol when i shut the computer off there is a message that says that there is an error with the file AshServ.exe I cannot read the rest of the message because it is very quick, once again thank you for your help, can you help me once again?
PS: My windows firewall says it is turned on should i download zonealarm anyway?
system
March 24, 2005, 7:28pm
9
Hi
Log looks clean.
About the firewall, Windows firewall is only Inbound protection, but some people are fine with this, you can see the differences here: http://www.securetec.com.au/lockdown/compare.htm
About the error, does a repair of avast help? (Control pannel > Add/Remove programs > Avast > change/remove >Repair)
–lee
system
March 24, 2005, 9:25pm
10
Hi
Now i have an even bigger trouble, the pc only starts in safe mode (!). While loading win xp it stops and then a blue screen appears but i cannot read it cause it disapears very quickly, this appened after i installed zone alarm, i already uninstaled zone alarm but it keeps happening, after the blue screen it restarts and then it only enters in safe mode, i tried to use a boot disk but it’s useless. What should i do??
system
March 24, 2005, 10:11pm
11
Try rebooting a couple of times.
If that doesn’t work reboot the PC and tap F8 while you wait for boot options to be displayed for you. Once there, choose “Last known good configuration.”
You could try repairing XP if you feel the need to: http://www.help2go.com/article209.html
–lee
system
March 25, 2005, 12:25am
12
I cannot fix XP and the last good configuration gives the same error, i noticed that every time the pc restarts it doesn’t recognize the hard disk only if i shut off the computer and then turn it on again. I also tried to fixboot but it didn’t work i don’t know what else to do
If you can get into safe mode, run system restore and restore your computer back to before the problem occured.
system
March 25, 2005, 10:22am
14
Well the problem is solved, i re-installed XP without loosing any data (i couldn’t use sistem retore because it had been disabled before) now it’s boring cause i got to download sp2 again
DavidR
March 25, 2005, 1:43pm
15
Life and Windows can be a pain/pane at times.
If you are going to download SP2 again, make sure that you download the full version and not the windows update to SP2 (e.g. the download and install on-line, as only elements that require update are downloaded. leaving you in the same position if you ever need to re-install XP). The full SP2 update is about 266MB, but once you have downloaded it, burn it to a CD, then you have a copy of SP2 you can use over and over if needed.
The full SP2 update is about 266MB, but once you have downloaded it, burn it to a CD, then you have a copy of SP2 you can use over and over if needed.
You can ‘join’ the original CD of Windows XP (Home, Pro or Corporate Edition) with the SP2 updates using AutoStreamer .
Follow the instructions on screen to create an ISO file that could should be burned into another CD.
system
April 9, 2005, 9:11am
17
Hi there
Same problem again, avast warned me about the virus when i turned on the pc some time ago, i already tried the same steps that lee16 gave me previously but he keeps showing up, the problem is that i don’t know wich files to erase with hijackthis, here is the log, hopefully somebody can help me.
system
April 9, 2005, 9:13am
18
Logfile of HijackThis v1.99.1
Running processes:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btuga.com/ http://zone.msn.com/bingame/pacz/default/pandaonline.cab http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
This is it!
You don’t seem to have a software firewall. If you would like one, I can suggest a few
system
April 9, 2005, 11:12am
20
Hi
Remove these:
F2 - REG:system.ini: Shell=Explorer.exe winsock.scrhttp://zone.msn.com/bingame/pacz/default/pandaonline.cab http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
Then remove this file:
Then run any spyware scanners you have on your PC. (Spybot/Ad-aware etc)
Then run ccleaner: http://www.filehippo.com/download/ncAOCJr-Om3Lq35Rh3QQoQ2/download.html
Then post back to let us know if the problem is solved or not
–lee
