I need help with stubborn trojans

Discussion in 'malware problems & news' started by complete, Aug 3, 2008.

Thread Status:
Not open for further replies.
  1. complete

    complete Registered Member

    Joined:
    Jul 1, 2005
    Posts:
    16
    I suspect that my problem started when my spouse
    downloaded what she thought was an anti-virus program
    (these hackers are clever).

    I have seen this program pop-up. The name is something
    like "Anti-Virus 2008 XP".

    I have a lot of questions in solving this problem.

    First of all, the computer is using Windows Vista.
    Isn't there some way to set the computer back to
    a previous setting like you used to be able to do
    with XP?

    Secondly, the anti-virus program that caught
    the problem and yet did not fix it was AVG. All it
    did is continue to pop up annoying notices that there
    was a trojan but did not remove it. I did some
    searching and I found on a forum that it might be a
    false positive. Is it?

    Here is a screen shot of what AVG said:

    http://i67.photobucket.com/albums/h292/Athono/studythis.jpg

    I never saw anything online about the Trojan Horse SHeur.BZZL.
    So I wonder if it is a false positive.

    I ran BullDog anti-virus and it seemed to notice it but
    instead it wanted me to send a notice to its server about
    the problem and it too did not seem to fix the problem.

    Thinking it is a false positive, I removed the AVG program
    because I could not do anything really with all of the AVG
    pop-up warning messages.

    On the other hand, where AVG pointed was a bit troubling.

    C:\ProgramData\Secure Solutions\Antispyware 2008 XP\as2008xp.exe
    does seem to be the culprit. I tried to delete this file but
    it seemed to appear and then disappear and/or seemed to be protected.
    So this leads me to this question. How do I start Vista in safe
    mode so that I can remove a program or file?

    I also tried to delete the temp file shown here.

    http://i67.photobucket.com/albums/h292/Athono/studythis.jpg

    C:\Users\Gelsana\AppData\Local\Temp\win61D3.exe

    But this file was also protected or would appear and disappear.

    It seems that Antispyware 2008 XP is an evil program.

    After I removed AVG from the program, I ran BullDog and it
    gave different errors.

    http://i67.photobucket.com/albums/h292/Athono/bullguard01.jpg

    Now I have Trojan.Mezzia.DP

    and BullDog seemed to say that it could not remove it.

    http://i67.photobucket.com/albums/h292/Athono/bullguard02.jpg
     
  2. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
  3. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  4. complete

    complete Registered Member

    Joined:
    Jul 1, 2005
    Posts:
    16
    Someone PM'd me to try Malwarebytes' Anti-Malware.
    Malwarebytes' Anti-Malware seemed to fix the problem, according to its output log:


    Malwarebytes' Anti-Malware 1.24
    Database version: 1020
    Windows 6.0.6000

    5:36:48 PM 8/3/2008
    mbam-log-8-3-2008 (17-36-48).txt

    Scan type: Quick Scan
    Objects scanned: 37097
    Time elapsed: 18 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 26
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 9
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Secure Solutions (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\hostie.bho (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\hostie.bho.1 (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\hbr.hbmain (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\hbr.hbmain.1 (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\hbmain.commband (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\hbmain.commband.1 (Adware.Zango) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Program Files\ShoppingReport\Bin (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\Program Files\ShoppingReport\Bin\2.5.0 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
    C:\ProgramData\Secure Solutions (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\ProgramData\Secure Solutions\Antispyware 2008 XP (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\ProgramData\Secure Solutions\Antispyware 2008 XP\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\ProgramData\Secure Solutions\Antispyware 2008 XP\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\ProgramData\Secure Solutions\Antispyware 2008 XP\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\ProgramData\Secure Solutions\Antispyware 2008 XP\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.

    Files Infected:
    C:\ProgramData\Secure Solutions\Antispyware 2008 XP\LOG\20080803114425025.log (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\ProgramData\services\services.dll (Trojan.Agent) -> Quarantined and deleted successfully.
     
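The log above is the standard Malwarebytes' Anti-Malware 1.x text format: a header block with per-category counts, followed by one section per category whose entries read `target (family) -> action`. Two things worth checking before trusting such a log are that the header counts match the itemised entries and that every entry's action is "Quarantined and deleted successfully." rather than a deferred action that still depends on a reboot. The parser below is an added example and not code from the forum post or from Malwarebytes. Its sample input is an abridged excerpt of the posted log, plus one constructed entry (the `services.dll` line marked "Delete on reboot.") to exercise the deferred-removal case; the function names `parse_mbam_log`, `audit` and `family_counts` are this example's own.

```python
"""Parse an MBAM 1.x text log and sanity-check it (added example, not MBAM's code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Abridged from the log in the post above; the final "Delete on reboot." line is
# constructed for this example to show an item MBAM could not remove immediately.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.24
Database version: 1020
Windows 6.0.6000

Scan type: Quick Scan
Objects scanned: 37097

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Secure Solutions (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\ProgramData\Secure Solutions\Antispyware 2008 XP (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\Secure Solutions\Antispyware 2008 XP\LOG\20080803114425025.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\ProgramData\services\services.dll (Trojan.Agent) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")   # header count line
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")              # start of an itemised section
DETECT_RE = re.compile(r"^(?P<target>.+) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
CLEAN_ACTION = "Quarantined and deleted successfully."


@dataclass(frozen=True)
class Detection:
    category: str   # e.g. "Registry Keys Infected"
    target: str     # registry key, folder or file path
    family: str     # MBAM detection name, e.g. "Rogue.Multiple"
    action: str     # what MBAM reports it did with the item


def parse_mbam_log(text):
    """Return (summary counts by category, list of Detection) for an MBAM 1.x log."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SUMMARY_RE.match(line)):
            summary[m["cat"]] = int(m["n"])
        elif (m := SECTION_RE.match(line)):
            section = m["cat"]
        elif section and (m := DETECT_RE.match(line)):
            detections.append(Detection(section, m["target"], m["family"], m["action"]))
    return summary, detections


def audit(summary, detections):
    """Cross-check header counts against itemised entries and flag any item
    whose action is not an outright removal. Returns a list of problem strings."""
    problems = []
    per_cat = Counter(d.category for d in detections)
    for cat, expected in summary.items():
        if per_cat.get(cat, 0) != expected:
            problems.append(f"{cat}: header says {expected}, log lists {per_cat.get(cat, 0)}")
    for d in detections:
        if d.action != CLEAN_ACTION:
            problems.append(f"{d.category}: {d.target} [{d.family}] -> {d.action}")
    return problems


def family_counts(detections):
    """How many items each detection family accounted for."""
    return Counter(d.family for d in detections)


if __name__ == "__main__":
    summary, dets = parse_mbam_log(SAMPLE_LOG)
    for family, n in family_counts(dets).most_common():
        print(f"{n:3d}  {family}")
    for problem in audit(summary, dets) or ["no problems found"]:
        print("!", problem)
```

Run against the full log in the post, the counts line up (26 keys, 9 folders, 2 files) and every action is a clean removal, which is the result you want to see before declaring the rogue gone; a "Delete on reboot." entry means the item was still locked or in use when MBAM ran and should be re-checked after restarting.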
  5. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    I've read several times about different variants of this rogue, and generally MBAM, and often Superantispyware do the job.
    PS doesn't say much about the abilities of the programs you tried. (No slight intended.)
    What version of AVG is it? When you clicked "OK" to the Bullguard alert, did it actually "turn up the heat" and do anything?
     