Author Topic: Please Help with A Trojan Removal  (Read 9132 times)


jimmy2u

  • Guest
Please Help with A Trojan Removal
« on: January 14, 2008, 06:13:58 PM »
Avast Home Edition keeps reporting a Trojan.  The name that Avast gives it is "HTML:IFrame-F[trj]" and it lists it as a Trojan Horse.  When the pop-up warning window comes up I choose to move it to the chest as recommended but it says that it is locked and can't be accessed so I click on the delete button.  That only helps temporarily as the Trojan keeps coming back.  I've run Avast, Spyware Remover, Trojan Remover during regular modes and safe modes but nothing I do will get rid of this Trojan.  Avast will list the location but when I try to go there the location doesn't exist.  Other than a nuisance, I don't see where it has done any harm to my PCs.  I have this Trojan on 2 desktop PCs.  The warning comes up more often on my main computer.  The systems on both computers are the same.  I am running WinXP Pro with Service Pack 2.  All updates are current and installed.  I use Mozilla Firefox as my browser.  This is the actual location that Avast reports but I cannot find.
C:\Documents And Settings\Local Service\Local Settings\Temporary Internet File\Content.IE2LVEMX21\organicauthority_info(1).htm
I've cleaned out all Temp and Temp Internet Files.  Nothing seems to work.  Please tell me what to do.  Thank you for your time and effort. 

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Please Help with A Trojan Removal
« Reply #1 on: January 14, 2008, 07:14:10 PM »
It looks like a web page containing an exploit in a browser cache.

Have you tried using CCleaner to remove temp files?

http://www.ccleaner.com/

Another option is CleanUp!

http://www.stevengould.org/index.php?Itemid=69&id=15&option=com_content&task=view
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

jimmy2u

  • Guest
Re: Please Help with A Trojan Removal
« Reply #2 on: January 14, 2008, 08:01:41 PM »
I want to take time to thank you very much for your suggestions.  I never gave the cache much of a thought but it makes sense now that you mentioned it.  I downloaded and installed both of the programs that you gave links for and I ran both of them.  Neither one listed the particular file that I am having a problem with but I will keep an eye out and see.  Just maybe it was cleaned out by one of the programs.  I may have to let it ride for a day or two to see.  I will post another reply to let you know if the problem is solved or not.  Thanks again.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Please Help with A Trojan Removal
« Reply #3 on: January 14, 2008, 08:55:34 PM »
Another good utility to do it automatically (scheduled) is Windows Advanced Care.
The best things in life are free.

jimmy2u

  • Guest
Re: Please Help with A Trojan Removal
« Reply #4 on: January 14, 2008, 09:23:40 PM »
Thank you for your suggestion on the program Advanced Window Care.  I downloaded and ran it.  I really like that program.  Thanks again.

jimmy2u

  • Guest
Re: Please Help with A Trojan Removal
« Reply #5 on: January 15, 2008, 07:36:24 PM »
Well, I've run all 3 programs in both regular and safe modes but none of them permanently removes this Trojan.  It keeps coming back and Avast keeps finding it.  If only Windows would allow me to find that folder and file then maybe I could get rid of it, but it is hidden and will not show itself.  I am at a loss.  I really don't want to reformat but that seems like the only hope.  Any more suggestions?  Thank you all.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Please Help with A Trojan Removal
« Reply #6 on: January 15, 2008, 07:39:17 PM »
I suggest:

1. Disable System Restore and re-enable it after step 3.
2. Clean your temporary files.
3. Schedule a boot-time scan with avast with archive scanning turned on.
4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Please Help with A Trojan Removal
« Reply #7 on: January 15, 2008, 09:13:10 PM »
Please disable 'Hide protected operating system files' and enable 'View Hidden Files and Folders', and upload the file to VirusTotal for analysis.

C:\Documents And Settings\Local Service\Local Settings\Temporary Internet File\Content.IE2LVEMX21\organicauthority_info(1).htm

If it is confirmed as an exploit, you are either visiting an infected web page, or malware on your computer is directing you to an infected web page.

To rule out the latter, you should try some other scans as Tech suggests.

You could also try some online scans: (Disable avast! while scanning.)

F-Secure

BitDefender

Panda

Trend Micro Housecall

And these scanners:

AVG Anti-Spyware Free (Requires Win2k/XP)

Ad-Aware Free

Spybot Search & Destroy
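The two replies above describe what the avast detection name points at (a cached web page carrying an injected, invisible iframe) and suggest hashing/uploading the cached file to VirusTotal. The following is an added example, not code from the forum or from avast, showing the kind of heuristic a defender can run over a cached HTML file: it flags iframes sized to 0/1 pixel or hidden with CSS, notes markup appended after `</html>` (a common sign of injection into an otherwise legitimate page), and prints the SHA-256 you would search for on VirusTotal before uploading. The sample cache file and the `injected.invalid` host in it are constructed for the example.

```python
"""Scan a cached HTML file for hidden-iframe injection (the pattern behind
generic "HTML:IFrame" detections) and hash it for a VirusTotal lookup."""
import hashlib
import re
from html.parser import HTMLParser

# Constructed sample: a harmless page with two invisible iframes appended after
# the closing </html>, which is how an injected cache file typically looks.
SAMPLE_CACHE_FILE = b"""<html><head><title>Recipes</title></head>
<body><h1>Organic recipes</h1><p>Normal page content.</p>
<iframe src="http://example.org/embedded-video" width="640" height="360"></iframe>
</body></html>
<iframe src="http://injected.invalid/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://injected.invalid/x.php" style="visibility:hidden;position:absolute;left:-5000px"></iframe>
"""

# CSS tricks that keep a frame off-screen or invisible.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}", re.I)


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its source position and attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # html.parser already lowercases tag and attribute names
            self.iframes.append((self.getpos(), {k: (v or "") for k, v in attrs}))


def _tiny(value):
    """True if a width/height attribute is 0 or 1 (pixels or percent)."""
    m = re.match(r"\s*(\d+)\s*(px|%)?\s*$", value or "")
    return bool(m) and int(m.group(1)) <= 1


def find_hidden_iframes(html_bytes):
    """Return findings for iframes that are sized or styled to be invisible."""
    parser = IframeCollector()
    parser.feed(html_bytes.decode("latin-1"))  # cache files are not always valid UTF-8
    findings = []
    for (line, _col), attrs in parser.iframes:
        reasons = []
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("zero/one-pixel size")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden via CSS")
        if reasons:
            findings.append({"line": line, "src": attrs.get("src", ""), "reasons": reasons})
    return findings


def trailing_after_html_close(html_bytes):
    """True if markup follows </html>; injected code is often appended there."""
    text = html_bytes.decode("latin-1")
    idx = text.lower().rfind("</html>")
    return idx != -1 and bool(text[idx + len("</html>"):].strip())


def sha256_hex(data):
    """Hash to search for on VirusTotal before uploading the file itself."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_CACHE_FILE):
        print("line %d: iframe -> %s (%s)" % (f["line"], f["src"], ", ".join(f["reasons"])))
    print("markup after </html>:", trailing_after_html_close(SAMPLE_CACHE_FILE))
    print("sha256:", sha256_hex(SAMPLE_CACHE_FILE))
```

To use it on a real cache, read the file in binary mode and pass the bytes to `find_hidden_iframes`; a 0x0 or off-screen frame pointing at a host the page has no business loading is exactly what the on-access scanner reacted to, and the hash lets you check VirusTotal without first unhiding and uploading the file.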

jimmy2u

  • Guest
Re: Please Help with A Trojan Removal
« Reply #8 on: January 15, 2008, 11:24:36 PM »
Again thank you for your help.  A special thanks to "Tech" for his help.  I have completed the 8 steps that "Tech" suggested.  During the boot time scan, Avast did find the Trojan file and I moved it to the chest.  How long should I keep it in the chest?  Can't I just delete it out of there?  I can't say for sure if my computer's infection is gone now or not but I do know one thing for sure and that is my browser opens up faster than it ever did.  I'll have to wait and see if the Trojan returns or not.  Also to Freewheelin Frank I want to say thanks for noting the step disable 'Hide protected operating system files'.  That made the Temp Internet files locations appear, however the one in question is no longer there.  I'll have to wait and see.  Thanks again for all of your help.  Hopefully my computer is healthy again.  Only time will tell.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Please Help with A Trojan Removal
« Reply #9 on: January 15, 2008, 11:26:56 PM »
How long should I keep it in the chest?
Two weeks should be good. Scan the file in the Chest again (right-clicking it) and if it is still marked as infected, you can delete it.

I can't say for sure if my computer's infection is gone now or not
If you post your HijackThis log, other experienced users can give the final verdict ;)

jimmy2u

  • Guest
Re: Please Help with A Trojan Removal
« Reply #10 on: January 15, 2008, 11:54:34 PM »
I ran the HijackThis and looked over it but I couldn't see anything that looked suspicious.  The log is quite lengthy.  How would I go about posting the log?  Just copy and paste it into this open space?  Thanks.  I apologize to one and all if I am posting too often and asking too many questions.  I am just not that familiar with proper procedures in Forums and it kind of scares me to do any posting.  I guess you could say that I'm not the sharpest tool in the shed but I get by.  If it is OK to post the lengthy log file into this open space I will do it.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Please Help with A Trojan Removal
« Reply #11 on: January 16, 2008, 01:16:28 AM »
I ran the HijackThis and looked over it but I couldn't see anything that looked suspicious.  The log is quite lengthy.  How would I go about posting the log?  Just copy and paste it into this open space?  Thanks.
Post it by parts, dividing it if needed (1000 characters is the limit for one post).

I apologize to one and all if I am posting too often and asking too many questions.  I am just not that familiar with proper procedures in Forums and it kind of scares me to do any posting.
Not here: friendship and help are side by side here.

I guess you could say that I'm not the sharpest tool in the shed but I get by.  If it is OK to post the lengthy log file into this open space I will do it.
No problem, go ahead ;)

jimmy2u

  • Guest
Re: Please Help with A Trojan Removal
« Reply #12 on: January 16, 2008, 11:41:10 AM »
Here is my HijackThis log file:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4 AntiVirus\aswUpdSv.exe
C:\Program Files\Avast4 AntiVirus\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4 AntiVirus\ashMaiSv.exe
C:\Program Files\Avast4 AntiVirus\ashWebSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\AVAST4~1\ashDisp.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DVD Programs\AnyDVD\AnyDVD.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\REGRUN~1\WatchDog.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2008\Planner\PLNRnote.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
H:\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: IE7pro - {68C55168-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7pro.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVAST4~1\ashDisp.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\REGRUN~1\OnSecure.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\DVD Programs\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\REGRUN~1\WatchDog.exe
O4 - HKCU\..\Run: [Registry] "C:\Program Files\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\RegRunSuite\rescue.exe" /a "c:\backreg\rstore.ini"
O4 - HKCU\..\RunOnce: [UnHackMe] C:\PROGRA~1\REGRUN~1\UnHackMe.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: e-Backup 1.42 Scheduler.lnk = ?
O4 - Global Startup: Event Planner Reminder 2008.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=483B89D1&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=483B89D1&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=483B89D1&id=menu_ie_link
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=483B89D1&id=menu_ie_exclude
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=483B89D1&id=menu_ie_report
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: IE7pro - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra 'Tools' menuitem: IE7pro   Ctrl+Alt+7 - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187949444640
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O17 - HKLM\System\CS1\Services\Tcpip\..\{5B2306F1-CFB9-416D-827B-41D06BD66D98}: NameServer = 24.247.15.53,24.247.24.53
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
« Last Edit: January 16, 2008, 11:45:51 AM by jimmy2u »

jimmy2u

  • Guest
Re: Please Help with A Trojan Removal
« Reply #13 on: January 16, 2008, 11:49:34 AM »
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4 AntiVirus\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4 AntiVirus\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4 AntiVirus\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4 AntiVirus\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks again!
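The log posted above is the input the other members are reading by eye. The following is an added example, not code from the forum or from the HijackThis project, showing how a reviewer can parse lines in this format and pull out the entries worth verifying first: a Run entry without a full path (so the file must be located on disk), a Run entry launched from a temp or profile folder, an ActiveX DPF entry with no download URL, the O17 DNS servers (to confirm against the ISP), and a service with no vendor string. The heuristics only raise items for a human to check; a flagged entry is not a verdict. The sample log is constructed for the example: a few lines copy the format of the log above, and the `Updater` and `hlpsvc` entries are invented to exercise the checks.

```python
"""Triage helper for HijackThis log lines: group entries by section and flag
the ones a human reviewer should verify first."""
import re

# Constructed sample in HijackThis format. The "Updater" and "hlpsvc" lines are
# invented for the example; the others follow the shape of the log above.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVAST4~1\ashDisp.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\user\Local Settings\Temp\update.exe
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O17 - HKLM\System\CS1\Services\Tcpip\..\{5B2306F1-CFB9-416D-827B-41D06BD66D98}: NameServer = 24.247.15.53,24.247.24.53
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4 AntiVirus\ashServ.exe
O23 - Service: Helper Service (hlpsvc) - Unknown owner - C:\WINDOWS\system32\hlpsvc.exe
"""

# "O4 - HKLM\..\Run: [name] command"; sections are R0/R1, F0/F1, O1..O24.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
FULL_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')
TEMP_DIR_RE = re.compile(r"\\(Temp|Temporary Internet Files|Local Settings)\\", re.I)


def parse_log(text):
    """Split a HijackThis log into (section, body) tuples, skipping the process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def run_command(body):
    """For an O4 Run entry 'HKLM\\..\\Run: [name] command', return the command part."""
    m = re.search(r"\]\s*(.*)$", body)
    return m.group(1).strip() if m else ""


def triage(text):
    """Return (section, body, reason) for entries a reviewer should verify first."""
    flagged = []
    for section, body in parse_log(text):
        reason = None
        if section == "O4":
            cmd = run_command(body)  # empty for Startup-folder .lnk entries
            if cmd and not FULL_PATH_RE.match(cmd):
                reason = "Run entry without a full path; locate the file on disk"
            elif TEMP_DIR_RE.search(cmd):
                reason = "Run entry launched from a temp/profile folder"
        elif section == "O16" and body.rstrip().endswith("-"):
            reason = "ActiveX (DPF) entry with no download URL; verify the CLSID"
        elif section == "O17":
            ips = re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", body)
            reason = "DNS servers %s: confirm they belong to your ISP" % ", ".join(ips)
        elif section == "O23" and "Unknown owner" in body:
            reason = "Service with no vendor string; verify the binary"
        if reason:
            flagged.append((section, body, reason))
    return flagged


if __name__ == "__main__":
    print("%d entries parsed" % len(parse_log(SAMPLE_LOG)))
    for section, body, reason in triage(SAMPLE_LOG):
        print("%-4s %s\n     -> %s" % (section, body, reason))
```

Feed the whole pasted log to `triage` and the list it returns is the short list to look up by hand; for instance the `Logi_MwX.Exe` entry is flagged only because it has no path, and confirming that the file sits in the Windows folder and carries the Logitech signature clears it.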

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Please Help with A Trojan Removal
« Reply #14 on: January 16, 2008, 12:02:07 PM »
Hmmm..... cleanest log I've seen in a while. Updated Java and a backup plan to boot.  ;D

You may want to consider a firewall.