Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: brian1234 on February 06, 2005, 06:42:39 AM

Title: Need help with Trojano-931
Post by: brian1234 on February 06, 2005, 06:42:39 AM
Hey guys, I keep getting a Trojano-931 warning about every hour. I have put the file in the virus chest, ran a boot-time scan, ran Ad-Aware and Spybot with my System Restore disabled. This thing just keeps coming back.

The files I have in my avast chest as a result of this Trojano message are all in my "system32" folder; their names are as follows:

50kzh.exe
d40nfd.dll
trz15.tmp
trz16.tmp

I don't notice any system performance or browser problems. Included below is my HijackThis log file.

I would GREATLY appreciate any advice, as I have spent most of my evening messing with this thing.

Thanks for your time.

Logfile of HijackThis v1.99.0
Scan saved at 9:39:13 PM, on 2/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\WINDOWS\system32\P2P Networking\P2P Networking.exe
C:\Program Files\Conceiva\DownloadStudio\DownloadStudioScheduleMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Brian\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/launchcast/stations/default.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IeMonitor - {8170D7DC-BDD6-461e-88EB-F047257898C9} - C:\Program Files\Conceiva\DownloadStudio\DLMonitr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: &DownloadStudio - {CB789373-04D5-4ef4-9C16-871463FD0830} - C:\Program Files\Conceiva\DownloadStudio\WebDLBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [DownloadStudio] C:\Program Files\Conceiva\DownloadStudio\DownloadStudioScheduleMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunOnce: [hj3o5t5.exe] C:\WINDOWS\system32\hj3o5t5.exe /k
O4 - HKCU\..\RunOnce: [hj3o5t5.exe] C:\WINDOWS\system32\hj3o5t5.exe /k
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download Image Using DownloadStudio... - C:\Program Files\Conceiva\DownloadStudio\ds_img.htm
O8 - Extra context menu item: Download Page Using DownloadStudio... - C:\Program Files\Conceiva\DownloadStudio\ds_all.htm
O8 - Extra context menu item: Download Selection Using DownloadStudio... - C:\Program Files\Conceiva\DownloadStudio\ds_sel.htm
O8 - Extra context menu item: Download Target Using DownloadStudio... - C:\Program Files\Conceiva\DownloadStudio\ds_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show Page Links Using DownloadStudio... - C:\Program Files\Conceiva\DownloadStudio\ds_link.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {4D0C4820-53F7-4d79-A2E1-5252683CF69C} - C:\Program Files\Conceiva\DownloadStudio\DownloadStudio.exe
O9 - Extra 'Tools' menuitem: &DownloadStudio - {4D0C4820-53F7-4d79-A2E1-5252683CF69C} - C:\Program Files\Conceiva\DownloadStudio\DownloadStudio.exe
O9 - Extra button: DownloadStudio - {7FCA7BD7-8F4D-4a81-BE72-A470F4E517D5} - C:\Program Files\Conceiva\DownloadStudio\WebDLBar.dll
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101870149852
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Kerio Personal Firewall - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe

Title: Re: Need help with Trojano-931
Post by: Eddy on February 06, 2005, 11:36:45 AM
This is the result of my HijackThis Log File Analyzer:

--------------------------------------------------------------------------------
THESE ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
--------------------------------------------------------------------------------
\windows\system32\p2p networking\p2p networking.exe
o4 - hklm\..\run: [p2p networking] c:\windows\system32\p2p networking\p2p networking.exe /autostart
o4 - hklm\..\runonce: [hj3o5t5.exe] c:\windows\system32\hj3o5t5.exe /k
o4 - hkcu\..\runonce: [hj3o5t5.exe] c:\windows\system32\hj3o5t5.exe /k
o16 - dpf: {1d0d9077-3798-49bb-9058-393499174d5d} - file://c:\counter.cab
o16 - dpf: {1d6711c8-7154-40bb-8380-3dea45b69cbf} (web p2p installer) -
o16 - dpf: {6414512b-b978-451d-a0d8-fcfdf33e833c} (wuwebcontrol class) - http://v5.windowsupdate.microsoft.com/v5consumer/v5controls/en/x86/client/wuweb_site.cab?1101870149852

--------------------------------------------------------------------------------
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:
--------------------------------------------------------------------------------
o4 - hklm\..\run: [icq lite] c:\program files\icqlite\icqlite.exe -minimize
o4 - hklm\..\run: [downloadstudio] c:\program files\conceiva\downloadstudio\downloadstudioschedulemonitor.exe
o4 - hklm\..\run: [tkbellexe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
 
More information about the log file analyzer and HijackThis can be found if you click on the link in my signature.
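As an added example (this is not Eddy's analyzer and not code from the thread), the script below applies the kind of heuristics his output reflects to the O4 and O16 lines from brian1234's log: RunOnce entries that launch from system32, random-looking executable names, a watchlist of startup-entry names, and ActiveX (DPF) entries whose download source is a local file:// path or is missing altogether. The sample lines are copied from the log posted above; the watchlist contents, the "random-looking name" pattern and the exact reason strings are my own assumptions, not anything HijackThis or Eddy's tool defines.

```python
import re
from dataclasses import dataclass

# Constructed sample input: O4/O16 lines copied from the HijackThis log posted
# in this thread, with the avast! Run entry kept as a benign control line.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe',
    r'O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART',
    r'O4 - HKLM\..\RunOnce: [hj3o5t5.exe] C:\WINDOWS\system32\hj3o5t5.exe /k',
    r'O4 - HKCU\..\RunOnce: [hj3o5t5.exe] C:\WINDOWS\system32\hj3o5t5.exe /k',
    r'O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab',
    r'O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -',
    r'O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - '
    r'http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101870149852',
]

# O4: "<hive>\..\<key>: [<entry name>] <command line>"
O4_RE = re.compile(
    r'^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce|RunServices|RunServicesOnce): \[([^\]]*)\] (.*)$')
# O16: "<CLSID> (<friendly name>) - <download source>"; name and source may be absent
O16_RE = re.compile(r'^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? - ?(.*)$')
# Assumed heuristic: short basename mixing letters and digits with no dictionary word
RANDOM_NAME_RE = re.compile(r'^(?=.*\d)(?=.*[a-z])[a-z0-9]{5,9}\.exe$', re.I)
# Assumed watchlist of startup-entry names; "P2P Networking" is the one Eddy's
# output flagged above. Extend from your own threat intelligence.
WATCHLIST = {'p2p networking'}


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def exe_path(command: str) -> str:
    """Return the executable portion of an O4 command line (quotes and arguments stripped)."""
    m = re.match(r'^"?(.*?\.exe)', command, re.I)
    if m:
        return m.group(1)
    return command.split()[0] if command else ''


def analyze(lines):
    """Apply the heuristics to HijackThis lines and return one Finding per triggered rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            _hive, key, name, command = m.groups()
            path = exe_path(command)
            base = path.rsplit('\\', 1)[-1]
            in_system32 = '\\system32\\' in path.lower()
            if key == 'RunOnce' and in_system32:
                findings.append(Finding(line, 'RunOnce entry launching from system32 '
                                        '(installers use RunOnce for one-off cleanup; a persistent one here is unusual)'))
            if RANDOM_NAME_RE.match(base):
                findings.append(Finding(line, f'random-looking executable name {base}'))
            if name.lower() in WATCHLIST:
                findings.append(Finding(line, f'startup entry name "{name}" is on the watchlist'))
            continue
        m = O16_RE.match(line)
        if m:
            _clsid, _friendly, source = m.groups()
            source = source.strip()
            if not source:
                findings.append(Finding(line, 'ActiveX control with no recorded download source'))
            elif source.lower().startswith('file://'):
                findings.append(Finding(line, 'ActiveX control registered from a local file:// path'))
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f'{f.reason}\n    {f.line}')
```

Run against the sample, the avast! entry and the Windows Update control produce no findings, while the two RunOnce lines each trigger two rules (system32 location and random-looking name), the P2P Networking entry hits the watchlist, and both odd DPF entries are reported. Treat the output as a triage list for a second opinion, as DavidR suggests below, not as an automatic delete list.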
Title: Re: Need help with Trojano-931
Post by: igor on February 06, 2005, 09:32:00 PM
The files trz15.tmp and trz16.tmp are in your system32 folder?
They seem to be avast! temporary files created when a file is being moved to Chest...
What build of avast! do you have?
Title: Re: Need help with Trojano-931
Post by: CleanaZ on February 07, 2005, 12:09:35 AM
Hi,

To me, these three entries of HiJack sound suspicious:

o4 - hklm\..\runonce: [hj3o5t5.exe] c:\windows\system32\hj3o5t5.exe /k
o4 - hkcu\..\runonce: [hj3o5t5.exe] c:\windows\system32\hj3o5t5.exe /k
o16 - dpf: {1d0d9077-3798-49bb-9058-393499174d5d} - file://c:\counter.cab

First I would right-click the hj3o5t5.exe and look in the properties, if there is a version page and a company named; if not, then isolate this file (but first you should end the process in Task Manager) [the 'hj' in the filename points to HiJack namely, but I think HiJack wouldn't see its own files to be dangerous].
Second I would look in the "counter.cab" if there are suspicious files in it and/or move it to the chest as a precaution.

Hope it's useful.

So long


Title: Re: Need help with Trojano-931
Post by: DavidR on February 07, 2005, 12:37:55 AM
Advising someone to look in a suspect file to check and see what's in them seems flawed and an unnecessary risk. HiJackThis reports them and Eddy's HJT analyzer flags them as harmful, the path is also suspicious, so it shouldn't warrant examining the file.

An on-line scan of your Hijackthis log file would also provide a second opinion. http://hijackthis.de/index.php
Title: Re: Need help with Trojano-931
Post by: brian1234 on February 07, 2005, 07:22:52 AM
Well guys, I think I have this one licked :)

Think :)   It hasn't appeared in the last couple of hours and usually it manifests itself about every 10 min.

I used the HijackThis analysis tool to identify the high-risk processes/files. I then used HijackThis to delete them all from Safe Mode with System Restore turned off.

So far, I've been up and running for a while with no problems.

My fingers are crossed :)

Thanks again for all your help.  It was very much appreciated!

Take care everyone and thanks for your replies.