HELP****I have a trojan I can't kill

Discussion in 'malware problems & news' started by makiavelli, Nov 29, 2003.

Thread Status:
Not open for further replies.
  1. makiavelli

    makiavelli Registered Member

    Joined:
    Nov 24, 2003
    Posts:
    18
    Hi
    I keep getting a warning from my AVG antivirus that I have a trojan in the following location.


    C:\System Volume Information\_restore{B42518BA-188E-432B-194A-D2c198B52520}\RP2\A0000101.exe

    it tells me to run AVG to remove it but when I run AVG it finds nothing
    I have also tried Anti Trojan 5.5 and that finds nothing.
    A few minutes ago the icons in my tray started shutting down one by one. When I re-started them, my antivirus and firewall had been disabled. I re-enabled them and they seem to be OK now, but what's worrying me is I leave my computer running for days/weeks at a time
    and have a broadband connection always on, so would obviously like to be rid of it.

    If anyone has any ideas I would be very grateful for their help.

    Thanks
    Mak
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Mak,

    Assuming you are running XP

    Have you tried turning off System Restore and a fresh reboot?

    Here is how to turn off System Restore:

    Click here

    Once you disabled it just reboot the PC.

    Don't forget to turn it back on, once your restore folder is cleaned up.

    Hope this helps,

    Cheers,
     
  3. makiavelli

    makiavelli Registered Member

    Joined:
    Nov 24, 2003
    Posts:
    18
    Thanks for the quick reply Unzy. Yes, I am running XP Home. The link you put in for System Restore didn't work, all I got was "Page cannot be displayed". Any ideas?

    Mak
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Mak,

    hmm the link works for me, but here are the steps to follow :

    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Select "Turn off System Restore"
    5. Apply+ok

    And reboot

    Keep us posted

    Cheers,
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Mak,
    do you remember having removed any infection recently? I ask to know which one it might have been, as you say the AV and firewall were disabled. It could be "something" running on your system if those disablings have to do with an active nasty still there, or maybe it's just coincidence.

    So after deleting the former restore points as described above and reboot, go back to that same restore area, enable it again and make manually a new restore point.

    After that you're going for a second opinion with an online scanner, like www.pandasoftware.com or www.ravantivirus.com or one of the others you might like.
    In this case I would scan, but don't choose the automatic cleansing, as you might want to know what it is, if there is still something.
    That cleansing you can do on the site after examining the scan results log.

    After that, if nothing is found, only update the AV and maybe look in the settings of the firewall.
    If anything was found and cleansed out, you'll have to go through the System Restore disabling, reboot and new restore point actions another time in the cleansed situation.

    Please keep us informed how it's going and good luck in the meantime.
     
  6. makiavelli

    makiavelli Registered Member

    Joined:
    Nov 24, 2003
    Posts:
    18
    Right, I deleted the restore points and re-booted. Now my PC is in a re-boot loop: it re-boots as soon as the desktop appears, again and again. I am now running in Safe Mode and don't know what to do. Any help would be most appreciated.
    Here is my current HijackThis log:
    Logfile of HijackThis v1.97.7
    Scan saved at 23:24:35, on 30/11/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Frederick\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aldi.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Anti-Trojan-Watch] C:\Program Files\Anti-Trojan-55\ATWatch.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: bhblaster.lnk = C:\Program Files\Browser Hijack Blaster\bhblaster.exe
    O4 - Startup: PeerGuardian.lnk = C:\Program Files\PeerGuardian_1.99pr7\PeerGuardian_1.99b_pr7.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Money Viewer (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37868.1278356481
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

    Here is my System ini File
    ;msconfig ; for 16-bit app support
    [drivers]
    ;msconfig wave=mmdrv.dll
    ;msconfig timer=timer.drv
    ;msconfig [mci]
    ;msconfig [driver32]
    [386enh]
    ;msconfig woafont=app850.FON
    ;msconfig EGA80WOA.FON=EGA80850.FON
    ;msconfig EGA40WOA.FON=EGA40850.FON
    ;msconfig CGA80WOA.FON=CGA80850.FON
    ;msconfig CGA40WOA.FON=CGA40850.FON
    ;msconfig Com1AutoAssign=0
    ;msconfig Com2AutoAssign=0
    ;msconfig Com3AutoAssign=0
    ;msconfig Com4AutoAssign=0
    ;msconfig NetHeapSize=40

    Here is my Win ini File
    ;msconfig ; for 16-bit app support
    ;msconfig [fonts]
    ;msconfig [extensions]
    ;msconfig [mci extensions]
    ;msconfig [files]
    [Mail]
    ;msconfig MAPI=1
    [MCI Extensions.BAK]
    ;msconfig aif=MPEGVideo
    ;msconfig aifc=MPEGVideo
    ;msconfig aiff=MPEGVideo
    ;msconfig asf=MPEGVideo2
    ;msconfig asx=MPEGVideo2
    ;msconfig au=MPEGVideo
    ;msconfig m1v=MPEGVideo
    ;msconfig m3u=MPEGVideo2
    ;msconfig mp2=MPEGVideo
    ;msconfig mp2v=MPEGVideo
    ;msconfig mp3=MPEGVideo2
    ;msconfig mpa=MPEGVideo

    Here is my boot ini File
    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

    Autoexec Bat
    SET PATH=C:\PFW;C:\PFW

    Autoexec nt
    @echo off

    REM AUTOEXEC.BAT is not used to initialize the MS-DOS environment.
    REM AUTOEXEC.NT is used to initialize the MS-DOS environment unless a
    REM different startup file is specified in an application's PIF.

    REM Install CD ROM extensions
    lh %SystemRoot%\system32\mscdexnt.exe

    REM Install network redirector (load before dosx.exe)
    lh %SystemRoot%\system32\redir

    REM Install DPMI support
    lh %SystemRoot%\system32\dosx

    REM The following line enables Sound Blaster 2.0 support on NTVDM.
    REM The command for setting the BLASTER environment is as follows:
    REM SET BLASTER=A220 I5 D1 P330
    REM where:
    REM A specifies the sound blaster's base I/O port
    REM I specifies the interrupt request line
    REM D specifies the 8-bit DMA channel
    REM P specifies the MPU-401 base I/O port
    REM T specifies the type of sound blaster card
    REM 1 - Sound Blaster 1.5
    REM 2 - Sound Blaster Pro I
    REM 3 - Sound Blaster 2.0
    REM 4 - Sound Blaster Pro II
    REM 6 - SOund Blaster 16/AWE 32/32/64
    REM
    REM The default value is A220 I5 D1 T3 and P330. If any of the switches is
    REM left unspecified, the default value will be used. (NOTE, since all the
    REM ports are virtualized, the information provided here does not have to
    REM match the real hardware setting.) NTVDM supports Sound Blaster 2.0 only.
    REM The T switch must be set to 3, if specified.
    SET BLASTER=A220 I5 D1 P330 T3

    REM To disable the sound blaster 2.0 support on NTVDM, specify an invalid
    REM SB base I/O port address. For example:
    REM SET BLASTER=A0
     
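A small triage script for a HijackThis log of the kind posted above, added here as an example (it is not HijackThis code and not from anyone in the thread). The regexes are written from the shapes of the O4 Run-key, O4 Startup-folder and O16 DPF lines in the post; the sample entries are copied from that log with the forum's line wrapping undone. It lists the O4 entries that launch a bare file name rather than a full path (SOUNDMAN.EXE, Dit.exe and StartupMonitor.exe in this log), which Windows resolves through its search order at logon, so the file that actually runs should be confirmed against the vendor's install location, and it lists the hosts the O16 ActiveX controls were fetched from, which is where an online-scanner control should be expected to come from.

```python
"""Triage HijackThis-style O4/O16 entries.

Added example, not HijackThis code. Regexes are written from the observed
line shapes; SAMPLE_LOG is constructed from lines in the posted log.
"""
import re
from urllib.parse import urlparse

# Constructed sample: entries copied from the posted log (wrapping undone).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aldi.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: bhblaster.lnk = C:\Program Files\Browser Hijack Blaster\bhblaster.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Line shapes as they appear in the log (assumed from the post, not from HJT docs).
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.+)$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$")


def parse_line(line):
    """Classify one log line; returns a dict, or None for line types not modelled here."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        return {"section": "O4", **m.groupdict()}
    m = STARTUP_RE.match(line)
    if m:
        return {"section": "O4", "hive": "Startup", "key": "folder", **m.groupdict()}
    m = DPF_RE.match(line)
    if m:
        return {"section": "O16", **m.groupdict()}
    return None


def executable_of(entry):
    """Return the program an O4 entry launches.

    Startup-folder lines already carry the resolved .lnk target; Run-key
    values may be quoted and may carry arguments after the program.
    """
    cmd = entry["cmd"].strip()
    if entry["hive"] == "Startup":
        return cmd
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def is_bare_filename(exe):
    """True when no directory is given, so the name is resolved through the
    system search order at logon and the real file needs confirming."""
    return "\\" not in exe and "/" not in exe


def triage(log_text):
    """Return (bare_run_entries, dpf_hosts) for a whole log."""
    bare, hosts = [], []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        if entry["section"] == "O4":
            exe = executable_of(entry)
            if is_bare_filename(exe):
                bare.append((entry["name"], exe))
        else:
            hosts.append((entry["desc"], urlparse(entry["url"]).hostname))
    return bare, hosts


if __name__ == "__main__":
    found_bare, found_hosts = triage(SAMPLE_LOG)
    for name, exe in found_bare:
        print(f"O4 [{name}] launches {exe!r} without a path; confirm which file resolves")
    for desc, host in found_hosts:
        print(f"O16 {desc}: control downloaded from {host}")
```

The script only reports; deciding whether a bare-name entry is a legitimate driver helper (SOUNDMAN.EXE normally belongs to the audio driver) or something else still means checking the file on disk, which is what the online-scanner second opinion suggested earlier in the thread does.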
  7. makiavelli

    makiavelli Registered Member

    Joined:
    Nov 24, 2003
    Posts:
    18
    Help pleeeeeeeeeeeeeeeeeeeeeees.
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi makiavelli,

    Please start the Command Prompt and type or copy&paste sfc /scannow
    Windows will check the presence and versions of all vital files. You will be prompted for the Windows CD if anything needs to be replaced.

    Regards,

    Pieter
     
  9. makiavelli

    makiavelli Registered Member

    Joined:
    Nov 24, 2003
    Posts:
    18
    Pieter I got this message

    Windows file protection could not initiate a scan of protected system files.

    The specific error code is 0x000006ba [the RPC server is unavailable]
     
  10. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hmmmm. http://support.microsoft.com/?kbid=296241

    Never mind. Tony beat me to it. :D

    Pieter
     
  12. makiavelli

    makiavelli Registered Member

    Joined:
    Nov 24, 2003
    Posts:
    18
    I'm not running Windows 2000, I'm running XP Home. Will it make any difference?
     
  13. Jason

    Jason Guest

    There's always the reformat option. It's easier than people think, especially with XP.
     
  14. makiavelli

    makiavelli Registered Member

    Joined:
    Nov 24, 2003
    Posts:
    18
    Sorted, done a full re-install :D :D :D Everything seems to be working.
    Thanks for all your help
    :cool:
     
  15. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Ah, that's great news Mak!

    Good job :)

    Take care

    Cheers,
     