Author Topic: rapid reproducing trojan  (Read 4472 times)

snicklefritz

  • Guest
rapid reproducing trojan
« on: June 28, 2004, 02:32:01 PM »
Avast scan says I have the win32:TROJANO-180. In less than one hour it showed up 19 times, each with a different file name. Examples: addzt32.exe, apinkexe, apist.exe, syshu32.exe, atdi.exe, etc.
I deleted each as they appeared on screen. I don't know much about computers but will try to follow some very simple instructions.
I am using Win XP Home, avast 4.1, VPS vers. 6-25-2004.

ran102

  • Guest
Re:rapid reproducing trojan
« Reply #1 on: June 28, 2004, 06:40:43 PM »
I have exactly the same thing, trojano-180. I posted a topic in another section, and was told to come here. After a while on the internet, the virus seems to shut down all internet communication, and I have to redial. I get an insane amount of popups even when not using IE, and my home page is changed. Here is a post of my HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 5:08:06 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\apiid32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\prdhy.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://prdhy.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://prdhy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\prdhy.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://prdhy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\prdhy.dll/sp.html#96676
O2 - BHO: (no name) - {372EF314-6508-92AB-732E-258B08992A73} - C:\WINDOWS\d3uc.dll
O4 - HKLM\..\Run: [mswspl] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [apiid32.exe] C:\WINDOWS\apiid32.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38164.8623263889
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF97B015-1FF3-46FD-A784-709AC574A598}: NameServer = 63.93.64.20 63.93.64.21

Thank you.

whocares

  • Guest
Re:rapid reproducing trojan
« Reply #2 on: June 28, 2004, 06:50:50 PM »
Hi,

booting in safeMode or a boot-time scan with avast (and moving the file to quarantine) doesn't help?

-->
it can be cleaned with avast + some manual digging, but here's a
quick'n'dirty solution ;)

Download ESCAN from here:
http://www.mwti.net/antivirus/free_utilities.asp

deactivate systemRESTORE &
reboot to safeMode (f8-Boot)
Then start ESCAN, set the options according to screenshot in this link:
http://www.trojaner-board.de/forum/ultimatebb.php?ubb=get_topic;f=24;t=000001

let escan scan & clean everything..

reboot normally..
maybe set your startpage again in IE

also read the link below "VirusRemoval" to secure your System/IE, or the trojan/hijacker will come back... ;)
« Last Edit: June 28, 2004, 06:53:38 PM by whocares »

ran102

  • Guest
Re:rapid reproducing trojan
« Reply #3 on: June 29, 2004, 12:39:51 AM »
I downloaded Escan, but it won't let me use it because it says that it is more than 30 days old. Do you happen to know where I can find a newer version? Also, yes, the pre windows Avast! scan didn't work for me. I really appreciate your time.

ran102

  • Guest
Re:rapid reproducing trojan
« Reply #4 on: June 29, 2004, 01:38:55 AM »
Got it. One of the links must have been old. Using it now.

ran102

  • Guest
Re:rapid reproducing trojan
« Reply #5 on: June 29, 2004, 07:32:53 PM »
Escan did find some viruses that avast missed, and I did the scan twice in safe mode. I did another scan before windows loaded, and ran all of my other virus software. I also deleted all cookies and history. This was all done before dialing up the internet. Unfortunately, the trojan is still here. Exactly the same. I have been trying to delete this thing for 4 or 5 days now, and I think I am just going to have to reformat. Thanks for trying.   :-\