Avast WEBforum
Other => Viruses and worms => Topic started by: jimmy2u on January 14, 2008, 06:13:58 PM
-
Avast Home Edition keeps reporting a Trojan. The name that Avast gives it is "HTML:IFrame-F[trj] and it lists it as a Trojan Horse. When the pop-up warning window comes up I choose to move it to the chest as recommended but it says that it is locked and can't be accessed so I click on the delete button. That only help temporarily as the Trojan keeps coming back. I've run Avast, Spyware Remover, Trojan Remover during regular modes and safe modes but nothing I do will get rid of this Trojan. Avast will list the location but when I try to go there the location doesn't exist. Other than a nuisance, I don't see where it has done any harm to my PC's. I have this Trojan on 2 desktop PC's. The warning comes up more often on my main computer. The systems on both computers are the same. I am running WinXP Pro with Service Pack 2. All updates are current and installed. I use Mozilla Firefox as my browser. This is the actual location that Avast reports but I cannot find.
C:\Documents And Settings\Local Service\Local Settings\Temporary Internet File\Content.IE2LVEMX21\organicauthority_info(1).htm
I've cleaned out all Temp and Temp Internet Files. Nothing seems to work. Please tell me what to do. Thank you for your time and effort.
-
It looks like a web page containing an exploit in a browser cache.
Have you tried using CCleaner to remove temp files?
http://www.ccleaner.com/ (http://www.ccleaner.com/)
Another option is CleanUp!
http://www.stevengould.org/index.php?Itemid=69&id=15&option=com_content&task=view (http://www.stevengould.org/index.php?Itemid=69&id=15&option=com_content&task=view)
-
I want to take time to thank you very much for your suggestions. I never gave the cache much of a thought but it makes sense now that you mentioned it. I downloaded and installed both of the programs that you gave links for and I ran both of them. Neither on listed the particular file that I am having a problem with but I will keep an eye out and see. Just maybe it was cleaned out by one of programs. I may have to let it ride for a day or two to see. I will post another reply to let you know if the problem is solved or not. Thanks again.
-
Other good utility to do it automatically (scheduled) is Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html).
-
Thank you for your suggestion on the program Advanced Window Care. I downloaded and ran it. I really like that program. Thanks again.
-
Well, I've run all 3 programs in both regular and safe modes but none of them permanently removes this Trojan. It keeps coming back and Avast keeps finding it. If only windows would allow me to find that folder and file then maybe I could get rid of it but it is hidden and will not show itself. I am at a loss. I really don't want to reformat but that seems like the only hope. Any more suggestions? Thank you all.
-
I suggest:
1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use SUPERantispyware (http://www.superantispyware.com) and/or Spyware Terminator (http://www.spywareterminator.com/) to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.
5. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
6. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or, better, submit the RunScanner (http://www.runscanner.net/) log to to on-line analysis.
7. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html).
8. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).
-
Please disable 'Hide protected operating system files' (http://www.xtra.co.nz/help/0,,4155-1916458,00.html) and enable 'View Hidden Files and Folders' (http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp), and upload the file to VirusTotal (http://www.virustotal.com/) for analysis.
C:\Documents And Settings\Local Service\Local Settings\Temporary Internet File\Content.IE2LVEMX21\organicauthority_info(1).htm
If it is confirmed as an exploit, you are either visiting an infected web page, or malware on your computer is directing you to an infected web page.
To rule out the latter, you should try some other scans as Tech suggests.
You could also try some online scans: (Disable avast! while scanning.)
F-Secure (http://support.f-secure.com/enu/home/ols.shtml)
BitDefender (http://www.bitdefender.com/scan8/ie.html)
Panda (http://www.pandasoftware.com/products/activescan.htm)
Trend Micro Housecall (http://housecall.trendmicro.com/)
And these scanners:
AVG Anti-Spyware Free (http://www.ewido.net/en/product/) (Requires Win2k/XP)
Ad-Aware Free (http://www.download.com/3000-2144-10045910.html)
Spybot Search & Destroy (http://www.safer-networking.org/en/download/index.html)
-
Again thank you for your help. A special thanks to "Tech" for his help. I have completed the 8 steps that "Tech" suggested. During the boot time scan, Avast did find the Trojan file and I moved it to the chest. How long should I keep it in the chest? Can't I just delete it out of there? I can't say for sure if my computer's infection is gone now or not but I do know one thing for sure and that is my browser opens up faster than it ever did. I'll have to wait and see if the Trojan returns or not. Also to Freewheelin Frank I want to say thanks for noting the step disable 'Hide protected operating system files'. That made the Temp Internet files locations appear, however the one in question is no longer there. I'll have to wait and see. Thanks again for all of your help. Hopefully my computer is healthy again. Only time will tell.
-
How long should I keep it in the chest?
Two weeks should be good. Scan the file into Chest again (right clicking it) and if it still marked as infected, you can delete it.
I can't say for sure if my computer's infection is gone now or not
If you post your HijackThis log, other experienced users can say the final verdict ;)
-
I ran the Hijack this and looked over it but I couldn't see anything that looked suspicious. The log is quite lengthy. How would I go about posting the log? Just copy and paste it into this open space? Thanks. I apologize to one and all if I am posting too often and asking too many questions. I am just not that familiar with proper procedures in Forums and it kind of scares me to do any posting. I guess you could say that I'm not the sharpest tool in the shed but I get by. If it is OK to post the lengthy log file into this open space I will do it.
-
I ran the Hijack this and looked over it but I couldn't see anything that looked suspicious. The log is quite lengthy. How would I go about posting the log? Just copy and paste it into this open space? Thanks.
Post it by parts, dividing it if needed (1000 characters are the limit for one post).
I apologize to one and all if I am posting too often and asking too many questions. I am just not that familiar with proper procedures in Forums and it kind of scares me to do any posting.
Not here: friendship and help are side by side here.
I guess you could say that I'm not the sharpest tool in the shed but I get by. If it is OK to post the lengthy log file into this open space I will do it.
No problem, go ahead ;)
-
Here is my HiJackThis log file;
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4 AntiVirus\aswUpdSv.exe
C:\Program Files\Avast4 AntiVirus\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4 AntiVirus\ashMaiSv.exe
C:\Program Files\Avast4 AntiVirus\ashWebSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\AVAST4~1\ashDisp.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DVD Programs\AnyDVD\AnyDVD.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\REGRUN~1\WatchDog.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2008\Planner\PLNRnote.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
H:\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: IE7pro - {68C55168-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7pro.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVAST4~1\ashDisp.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\REGRUN~1\OnSecure.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\DVD Programs\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\REGRUN~1\WatchDog.exe
O4 - HKCU\..\Run: [Registry] "C:\Program Files\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\RegRunSuite\rescue.exe" /a "c:\backreg\rstore.ini"
O4 - HKCU\..\RunOnce: [UnHackMe] C:\PROGRA~1\REGRUN~1\UnHackMe.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: e-Backup 1.42 Scheduler.lnk = ?
O4 - Global Startup: Event Planner Reminder 2008.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=483B89D1&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=483B89D1&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=483B89D1&id=menu_ie_link
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=483B89D1&id=menu_ie_exclude
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=483B89D1&id=menu_ie_report
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: IE7pro - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra 'Tools' menuitem: IE7pro Ctrl+Alt+7 - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187949444640
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O17 - HKLM\System\CS1\Services\Tcpip\..\{5B2306F1-CFB9-416D-827B-41D06BD66D98}: NameServer = 24.247.15.53,24.247.24.53
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
-
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4 AntiVirus\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4 AntiVirus\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4 AntiVirus\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4 AntiVirus\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Thanks again!
-
Hmmm..... cleanest log I've seen in awhile. Updated java and a backup plan to boot. ;D
You may want to consider a firewall.
-
This will be my last posting with this thread. It seems that both of my computers are now infection free thanks to the advise/suggestions that I got here. Ik have to admit though that computer #2 did not clean up without some additions to the list of advise/suggestions that I received. Since Avast could not move the infected file to 'chest' (the file was locked), and deletion of the file didn't work, I had to do the following.
1. I unlocked the infected file using the program 'unlocker' v1.8.5. This program brings up a window that identifies the location and name of the infected file. I wrote that location down.
2. After unlocking the infected file I deleted it using the program 'Eraser'.
3. I then went to the System 32 folder (the location that was in the Unlocker Window) and renamed it and removed it to another location for deletion in the future. That file was called 'routing.exe' and so far my computer is working infection free. Once again thanks for all your help and you may want to test out my suggestion and incorporate in your response to others.
-
This will be my last posting with this thread.
Hope you keep logging from time to time to enjoy avast forums... ;)
Since Avast could not move the infected file to 'chest' (the file was locked), and deletion of the file didn't work, I had to do the following.
Couldn't avast manage this at boot time?