win32:Trojano-941[Tri]

Please help!
Every time I log on I get the Win32:Trojano-941[Tri] virus. Although I delete it with AVAST it keeps coming back! I delete the temp files on internet explorer, I run Adaware, I run x-oftspy, I run stinger. They all delete it but it keeps coming back! I have requested info on this virus on the net but there is no reference of it anywhere? PLEASE HELP!!!

Download and run HijackThis and then post the log output here.

http://www.merijn.org

Logfile of HijackThis v1.99.1
Scan saved at 8:06:08 πμ, on 28/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\srvany.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\resetservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\hypertrm.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Singular\Sfp\sfpManager.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
E:\spyware remover\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O3 - Toolbar: &Ραδιόφωνο - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM..\Run: [MS Unix Binary] hypertrm.exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\RunServices: [MS Unix Binary] hypertrm.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [MS Unix Binary] hypertrm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Διαχείριση Φορ. Μηχανισμού.lnk = C:\Program Files\Singular\Sfp\sfpManager.exe
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/Bridge-c139.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip..{9D2EB64A-0300-4269-AF28-EFDEB5E3B299}: NameServer = 127.0.0.1
O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Hey, brother :wink:


THESE ITEMS ARE EITHER HARMFUL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

r0 - hkcu\software\microsoft\internet explorer\toolbar
o16 - dpf: {15ad6789-cdb4-47e1-a9da-992ee8e6bad6} - http://static.windupdates.com/cab/6247971canadainc/ie/bridge-c139.cab
o16 - dpf: {644e432f-49d3-41a1-8dd5-e099162eeec5} (symantec rufsi utility class) - http://security.symantec.com/sscv6/sharedcontent/common/bin/cabsa.cab


THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :

o4 - hkcu..\run: [msmsgs] “c:\program files\messenger\msmsgs.exe” /background
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office10\osa.exe

Hi tanzanos,


THESE ITEMS ARE EITHER HARMFUL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

O4 - HKLM..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/Bridge-c139.cab
O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll

THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :

O4 - HKLM..\Run: [MS Unix Binary] hypertrm.exe
O4 - HKLM..\RunServices: [MS Unix Binary] hypertrm.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [MS Unix Binary] hypertrm.exe

Close any browser windows (Internet Explorer etc.) and go to Control Panel > Add/Remove Programs, then uninstall “Media Access” (without quotes).

Remove/delete this folder:

C:\Program Files\Media Access

Then run ccleaner: http://www.filehippo.com/download/QSzoqmOGTJoWn6Eo8hUL4Q2/download.html

Then reboot your machine.

Then re-run avast; it shouldn’t detect the infection anymore, but let us know if it does.

EDIT: Spyros, sometimes it’s best to check over a log yourself as well, rather than just rely on an analyzer, just to make sure nothing is missed.

–lee
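The two replies above sort the log entries by hand: an ActiveX download (O16) from a host that is not a known vendor, a Winlogon Notify DLL (O20) that loads into winlogon.exe at every logon, a Run-key entry (O4) for a known adware package, and Run-key entries that give only a bare file name under several autostart keys. As an added example, not part of this thread and not HijackThis or its log analyzer’s code, the Python script below applies the same reasoning to a HijackThis-style log. The trusted-host list and the unwanted-name list are illustrative assumptions (a real deployment would maintain its own); the sample log is a constructed subset of the one posted above.

```python
"""Rule-based triage of a HijackThis-style log.

Added example, not part of the thread or of HijackThis itself.  Parses the
section-coded lines (O4, O16, O20 ...) and applies the checks the thread's
replies made by hand.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RUNKEY_RE = re.compile(r"^(?P<hive>HK(?:LM|CU))\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Assumption: hosts from which ActiveX (O16) downloads are expected; anything else is flagged.
TRUSTED_DPF_HOSTS = {"security.symantec.com", "windowsupdate.microsoft.com"}
# Assumption: Run-key display names already identified as adware (the thread named this one).
UNWANTED_RUN_NAMES = {"media access"}

# Constructed sample: a subset of the log posted in the thread, straight quotes instead of curly.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM..\Run: [MS Unix Binary] hypertrm.exe
O4 - HKLM..\RunServices: [MS Unix Binary] hypertrm.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [MS Unix Binary] hypertrm.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/Bridge-c139.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
"""


@dataclass(frozen=True)
class Finding:
    code: str       # HijackThis section code, e.g. "O4"
    severity: str   # "fix" (tick and Fix in HijackThis) or "review" (look at it yourself)
    reason: str
    line: str       # the log line the finding refers to


def _executable(cmd: str) -> str:
    """Return the program part of a Run-key command: a quoted path (straight or
    curly quotes, as pasted into a forum), an unquoted path containing spaces,
    or the first token when nothing better is found."""
    cmd = cmd.strip()
    m = (re.match(r'^["\u201c]([^"\u201d]+)["\u201d]', cmd)
         or re.match(r"^(.+?\.(?:exe|dll|com))(?:\s|$)", cmd, re.I))
    if m:
        return m.group(1)
    parts = cmd.split()
    return parts[0] if parts else ""


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    locations: dict[str, set[str]] = defaultdict(set)   # program -> autostart keys it is under
    first_line: dict[str, str] = {}

    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue   # headers, running-process paths and blank lines are not entries
        code, body = m.group("code"), m.group("body")

        if code == "O4":
            rk = RUNKEY_RE.match(body)
            if not rk:
                continue   # Global Startup shortcuts are not handled by this example
            name, exe = rk.group("name"), _executable(rk.group("cmd"))
            key = exe.lower()
            locations[key].add(f"{rk.group('hive')}\\{rk.group('key')}")
            first_line.setdefault(key, line)
            if name.lower() in UNWANTED_RUN_NAMES:
                findings.append(Finding(code, "fix", f"known unwanted program '{name}'", line))
            elif "\\" not in exe:
                # A bare file name is resolved through the search path at logon,
                # so the log does not tell you where the program really lives.
                findings.append(Finding(code, "review", f"bare file name '{exe}' with no path", line))
        elif code == "O16":
            d = DPF_RE.match(body)
            if d:
                host = urlparse(d.group("url")).hostname or ""
                if host not in TRUSTED_DPF_HOSTS:
                    findings.append(Finding(code, "fix", f"ActiveX download from untrusted host {host}", line))
        elif code == "O20":
            n = NOTIFY_RE.match(body)
            if n:
                findings.append(Finding(code, "fix",
                                        f"Winlogon Notify DLL '{n.group('name')}' loads into winlogon.exe at every logon", line))

    # The same program registered under several autostart keys is a persistence pattern.
    for exe, keys in locations.items():
        if len(keys) > 1:
            findings.append(Finding("O4", "review",
                                    f"'{exe}' is registered in {len(keys)} autostart locations: {', '.join(sorted(keys))}",
                                    first_line[exe]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n         {f.line}")
```

Run it as-is to see the sample triaged; pass your own log text to `triage()` to apply the same checks to it. Entries marked `fix` are the ones you would tick and Fix in HijackThis; `review` entries are the ones the thread says are not needed at boot and that you should look at yourself before deciding.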

:slight_smile: Hi

Thank you all for the help. I am not quite sure what you mean by “fix them”. I downloaded CCLEAN and will follow your instructions. The sick PC is at work and it really has caused us a lot of headaches. My home PC is purring along just fine. It is usually too late when the boss decides to do something about protecting the work PC, until it is too late!
Thanks again guys.

;D Hey Spyros!

This Trojan has really gotten on my nerves. Let’s hope it dies soon.

Thanks again.

“WHEN ALL ELSE FAILS SHEER IGNORANCE AND BRUTAL FORCE IS REQUIRED”

By “fix them”: in HijackThis, to the left of the entries there is a box; tick this box for the relevant entries (in the above info) and then click the Fix button in HijackThis.

;D ;D ;D

THANK YOU ALL!!!
Problem fixed!
I cannot express my gratitude enough. Also I discovered that xoftspy, when updating, was exposing me to all sorts of attacks. I uninstalled it and now all is well and quiet on the Balkan front.

CHEERS TO ALL!!!

That’s good to know :smiley:

Good that you are in the clear. xoftspy is featured in this link - http://www.spywarewarrior.com/rogue_anti-spyware.htm - you may want to bookmark it for future use; there are a number of supposed anti-spyware products that are not all they might seem.