Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Serverboats on May 30, 2005, 01:43:46 PM

Title: Win32:Trojano-998 [Trj] in QB.exe
Post by: Serverboats on May 30, 2005, 01:43:46 PM
Windows XP SP2, Win32:Trojano-998 in C:\Windows\System\QB.exe. This file keeps rebuilding itself. I boot in safe mode, delete it, move it, flush the temps, and the little bugger keeps coming back.  Any Ideas?    ???
Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: DavidR on May 30, 2005, 02:27:26 PM
1. Do you use Quick Basic as this may be associated with that program.

2. You could also check the offending/suspect file at: Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/) if any other scanners here detect them it is less likely to be a false positive.

3. Since you have XP, you could enable a boot time scan.
Try the 'Schedule Boot-Time Scan' in avast's menu (or the 'Schedule Boot-Time Scan' option in RejZoR's AEC avast! External Control Tool (http://www.excessive-software.eu.tt/)).

To truly get rid of it you will probably need to disable System Restore, because XP will probably save a copy in the System Volume Information folder.
Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: Lisandro on May 30, 2005, 02:36:09 PM
This file keeps rebuilding itself.
It's not enough just to boot in safe mode and delete it.
You should run avast there and clean your system.
Or, better, if you have Windows XP, schedule a boot-time scan: Start avast! > Right click the skin > Schedule a boot-time scanning. Select archive scanning. Boot.

You should disable System Restore of Windows too.
Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: Serverboats on May 30, 2005, 02:44:28 PM
System Restore is already disabled. 

Infected files deleted with boot time scan but QB.exe and randomly named infected windows system files keep appearing.

What exactly is Trojano-998?

This system belongs to a family friend's teenager and the kid doesn't strike me as even knowing what QuickBasic is.

Thanks,

It is good to see that live people actually look at this stuff.
Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: Serverboats on May 30, 2005, 03:16:59 PM
Running full scan in safe mode at present.

Will post again when complete.

 ???
Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: DavidR on May 30, 2005, 03:22:11 PM
With XP the best option is to schedule a boot-time scan, that way windows isn't running. It is also likely to be quicker.
Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: Serverboats on May 30, 2005, 03:34:32 PM
David,
   I have run multiple boot time scans and used the delete all option. C:\windows\system\QB.exe has been deleted, moved and renamed multiple times. The file keeps re-appearing at next boot. I look at HJT and don't see anything that jumps out at me. Please give it a look; I may have missed something. Sometimes a fresh perspective will see something obvious.

Thanks,
Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: Serverboats on May 30, 2005, 06:15:41 PM
Safe Mode scan complete.

c:\RECYCLER\NPROTECT\00000334.exe, infected with Trojano-998, successfully deleted.

A multitude of files indicate that they are corrupted archives. Is this normal?

Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: DavidR on May 30, 2005, 07:53:47 PM
1. For an on-line analysis - HiJackThis Log file - On-line Analysis (http://hijackthis.de/index.php)
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the 'file missing' entry for avast). If you need any help with any of the analysis, let us know.

I wouldn't say that corruption is normal, but corrupted archives currently can't be scanned by avast; if they are corrupt they can't/shouldn't be a problem. Just because they are corrupt and avast can't scan them, it doesn't mean they are infected.

Can you give a few examples of the file names and location of the corrupted archives?
example (C:\windows\system32\corrupted-filename.xxx)?
Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: Serverboats on May 30, 2005, 08:56:13 PM
The online analysis is AWESOME!!!  Something unknown to me must have happened during the safe mode scan, as QB.exe went away and there was QBUninstaller.exe in its place ??? ???. Anyway, I disposed of some 11 additional items per the online tool. Thanks a bunch.  Hmmmmmm let's see.... Fix somebody's problem = good, Show somebody how to diagnose and fix their own problem = much better.

Well Done  ;)
Serverboats
Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: Serverboats on May 30, 2005, 09:21:52 PM
I am now down to only 1 problem... I think.   When I reboot I get an exe file in the windows/system directory with a random name. Infected with Trojano-998 of course. How do I figure out where this thing is unpacking itself from?

 ???
Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: DavidR on May 30, 2005, 10:49:26 PM
Run another HJT scan (normal not safe mode), save the results and paste the contents here and we will see if there is anything we can pin down.

It is likely that this is some form of adware/spyware.

If you haven't already got this software (freeware), download, install, update and run it:
1. Ad-Aware (http://www.lavasoft.de/support/download)
2. Spybot Search and Destroy (http://www.safer-networking.org/index.php?lang=en&page=download)
3. Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html)
Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: Serverboats on May 30, 2005, 11:19:57 PM
1. How do I close the other thread?  my apologies...

2. Spybot S&D done several times.

3. Adaware Personal SE done several times.

4. Haven't tried spywareblaster yet but if you say so...

5. HJT is attached.

Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: Lisandro on May 30, 2005, 11:40:50 PM
Please, answer again to clarify what's wrong:
1. Is System Restore enabled or not right now?
2. Did you run a boot-time scan with archive scanning selected? Which results did you get?
3. Did you clean your temporary Internet files (cache)?
Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: Serverboats on May 30, 2005, 11:51:05 PM
system restore is disabled.

boot time scan now only finds 1 randomly named exe file in windows/system and deletes same.

I am flushing every cache I can think of   :'(  maybe I am not getting them all?

If I leave the .exe file there, another one is not built. If I rename or delete it, a new one with a different .exe name appears, always 11 KB and modified on 3/16/2005.

Any ideas you can provide are welcome, as I have been at this thing for going on 12 hours straight now.   please??
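The pattern described in this post (same size, same timestamp, random name) is what you would expect when something that runs at startup copies a stashed payload into the system directory under a fresh name. One way to find the stash is to ignore file names altogether and hunt by content hash, then widen the net to files that share the same size and modification time but differ in content. The script below is an added example, not code from this thread or from avast; it builds a constructed directory tree that mimics the locations mentioned here (Windows\System, RECYCLER\NPROTECT) with made-up 11 KB payloads, so it runs offline. On a real machine you would point `find_copies` at the drive root with the respawned file as the sample; the script does not inspect the registry, so the autostart entry that performs the copy still has to be found separately (HJT, msconfig, services).

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed constants: the thread reports an 11 KB file stamped 3/16/2005.
SAMPLE_SIZE = 11 * 1024
SAMPLE_MTIME = 1110931200  # 2005-03-16 00:00 UTC


def sha256_of(path):
    """Stream a file through SHA-256 so large drives do not blow memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, sample):
    """Walk root and report, relative to root:
    - clones: files whose content is byte-identical to sample (the stash and any
      other drops, whatever they are named)
    - same_stamp: files of the same size and mtime but different content
      (candidates for a variant of the same payload; worth a look)."""
    root, sample = Path(root), Path(sample)
    target_hash = sha256_of(sample)
    st = sample.stat()
    clones, same_stamp = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.is_symlink() or p.resolve() == sample.resolve():
                continue
            s = p.stat()
            if s.st_size != st.st_size:
                continue  # cheap filter: only hash files that could match
            if sha256_of(p) == target_hash:
                clones.append(p.relative_to(root).as_posix())
            elif int(s.st_mtime) == int(st.st_mtime):
                same_stamp.append(p.relative_to(root).as_posix())
    return {"clones": sorted(clones), "same_stamp": sorted(same_stamp)}


def build_sample_tree(root):
    """Constructed test data: a respawned file in Windows/System, a hidden
    identical copy under RECYCLER/NPROTECT, a same-size/same-mtime variant,
    and two decoys that should not be reported. Returns the sample path."""
    root = Path(root)
    payload = b"MZ" + b"\x90" * (SAMPLE_SIZE - 2)   # made-up content, not real malware
    variant = b"MZ" + b"\xcc" * (SAMPLE_SIZE - 2)
    files = {
        "Windows/System/abcd.exe": (payload, SAMPLE_MTIME),
        "RECYCLER/NPROTECT/00000334.exe": (payload, SAMPLE_MTIME),
        "Windows/System/xyz.exe": (variant, SAMPLE_MTIME),
        "Documents/notes.txt": (variant, SAMPLE_MTIME + 86400 * 30),  # same size, other date
        "Windows/System/other.dll": (b"\x00" * 4096, SAMPLE_MTIME),  # other size
    }
    for rel, (data, mtime) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (mtime, mtime))
    return root / "Windows/System/abcd.exe"


def demo():
    """Build the constructed tree in a temp dir and run the hunt over it."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample_tree(tmp)
        return find_copies(tmp, sample)


if __name__ == "__main__":
    print(demo())
```

Hashing first and name-matching never is the point: a dropper that randomizes names cannot randomize content without rebuilding the payload, so the hash finds the stash even when it sits in a directory (RECYCLER, System Volume Information) that a quick look would skip. The size-plus-mtime bucket catches the case where the content does differ; treat it as a lead, not a verdict.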
Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: Lisandro on May 30, 2005, 11:53:49 PM
It seems avast is not doing a full job  :P
Did you try scanning with antispywares and antitrojans?

Antispyware applications (freeware): download, install, update and run them.
Ad-Aware (http://www.lavasoft.de/support/download)
Spybot Search and Destroy (http://www.safer-networking.org/index.php?lang=en&page=download)
Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html)
A-squared (http://www.emsisoft.com/en/software/free)
Ewido (http://www.ewido.net/en)
Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: Serverboats on May 31, 2005, 12:17:25 AM
Ewido scan currently running. MSWsearch and Delphin Media viewer found so far.  Here comes another one.....
Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: DavidR on May 31, 2005, 12:58:38 AM
1. The other thread can't be closed/deleted (only edited/modified) once created; only the forum moderator can delete a thread, which is why I said to keep things in this thread to avoid duplication and confusion.

Run another HJT scan (normal not safe mode), save the results and paste the contents here and we will see if there is anything we can pin down.

Rather than attach it you can copy the contents and paste them into a post. That way anyone assisting you doesn't have to download the file open it and then comment.

C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE (what is this norton process?)
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

You have remnants of Norton on your system (or the SystemWorks / Security Suite); you need to ensure any anti-virus elements are removed. You should be able to use msconfig to stop those AV elements: Windows Start, Run, type msconfig, Startup tab, find the NORTON entry/s for NPROTECT.EXE (I'm assuming this is a Norton AV element?) and untick it/them.

Is this something you installed?
X C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

Check - suspicious (to me and on-line analyser)
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab

Very Suspect - Fix in HJT
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
See - http://www.liutilities.com/products/wintaskspro/processlibrary/wtoolss/
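The triage in this post follows two rules that are easy to automate: an O23 service with an "Unknown owner" or a "(file missing)" binary is an orphaned or unattributed autostart entry, and every O16 DPF line is an ActiveX control the browser downloaded and should be confirmed against what the user actually expects. The script below is an added example, not part of this thread or of HijackThis; it parses the O16 and O23 lines quoted above (embedded as constructed sample input) and returns the entries that deserve a second look. The `trusted_hosts` allowlist is an assumption of the example: with an empty list every downloaded control is flagged for review, which is the right default when you do not know the machine.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the four HijackThis-style entries quoted in the
# post above, so the parser can be exercised offline.
SAMPLE_LOG = r"""
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
"""

# O23: "Service: <display name (short name)> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# O16: "DPF: {CLSID} (<control name>) - <download URL>"
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<name>.+?)\) - (?P<url>\S+)$"
)


def parse_entries(log_text):
    """Yield one dict per O16 or O23 line; other HJT sections are ignored."""
    for line in log_text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            yield {
                "kind": "O23",
                "name": m["name"],
                "owner": m["owner"],
                "path": m["path"],
                "missing": m["missing"] is not None,
            }
            continue
        m = O16_RE.match(line)
        if m:
            yield {
                "kind": "O16",
                "name": m["name"],
                "clsid": m["clsid"].upper(),
                "url": m["url"],
                "host": urlparse(m["url"]).hostname,
            }


def triage(log_text, trusted_hosts=()):
    """Return (entry, reasons) pairs for entries worth reviewing.
    trusted_hosts: hosts the analyst has already vetted for O16 downloads
    (assumed input; empty means flag every downloaded control)."""
    findings = []
    for e in parse_entries(log_text):
        reasons = []
        if e["kind"] == "O23":
            if e["owner"].lower() == "unknown owner":
                reasons.append("service binary has no identifiable publisher")
            if e["missing"]:
                reasons.append("service registered but binary absent (orphaned entry; removal incomplete)")
        else:  # O16: an ActiveX control the browser pulled down
            if e["host"] not in trusted_hosts:
                reasons.append(f"downloaded ActiveX control from {e['host']}; confirm the user expects it")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry["kind"], entry["name"])
        for r in reasons:
            print("   -", r)
```

Run against the sample, the Norton service (known publisher, binary present) drops out, both DPF controls are listed for review, and the WinTools service is flagged twice: unknown owner and missing binary. That second reason is also why HJT keeps "fixing" the line without effect, as the next post describes: the service registration survives even though the file it points at is gone, so it has to be disabled or deleted as a service rather than as a file.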
Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: Serverboats on May 31, 2005, 01:12:47 AM
This system has Norton Systemworks installed. The A/V components have been removed.

NPROTECT I believe is the Norton protected wastebasket.

C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
is the Norton defragmenting tool.

Is this something you installed?
X C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
I think this one has something to do with AIM?


O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
I keep tagging this line and HJT can't seem to get it out. I went into the services and disabled it; maybe it will get it next time.
Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: Serverboats on May 31, 2005, 01:33:41 AM
The Ewido suite found an additional 68 items....WOW!   No more self generating .exe files.   Thanks for the help folks. ;D


Well Done,

Serverboats


Title: Re: Win32:Trojano-998 [Trj] in QB.exe
Post by: DavidR on May 31, 2005, 02:39:36 PM
See these links that a google search for 'wintools removal' without the quotes returned.
http://www.wilderssecurity.com/showthread.php?t=43104
http://www.pchell.com/support/wintools.shtml

PCHell is a good resource to bookmark for the future.

Google is your friend and a great tool, you just need to spend a little time learning how to get the best from it, like any tool.