Author Topic: Help! lots of trojans on my computer (Read 6847 times)

jzureich21 · « **on:** November 10, 2007, 03:01:37 AM »

My Avast keeps notifying me that i have trojans on my computer and i have put them all in the chest. Some are ones i thought i had gotten rid of and some are new. I have no idea what to do now

jzureich21 · « **Reply #1 on:** November 10, 2007, 03:04:08 AM »

heres a list of some of them
Win32:ABC-trj

jzureich21 · « **Reply #2 on:** November 10, 2007, 03:07:20 AM »

Win32:Zlob-ZK 5 of them
Win32:Zlob-TC
Win32:Zlob-ZW 2 of them
Win32:Zlob-UR 2 of them
Win32:Zlob-ZZ

DavidR · « **Reply #3 on:** November 10, 2007, 03:27:29 AM »

What you don't mention is there location and infected file names, (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

It looks like you have got either a hidden or undetected trojan downloader on your system.

What is your firewall, it should be capable of blocking unauthorised outbound Internet Connections ?

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
1. If using winXP SUPERantispyware On-Demand only in free version. Or AVG anti-spyware (formerly Ewido) Resident scanner during trial On-Demand after trial ends. Or Spyware Terminator Resident scanner. Or a-Squared free On-Demand only with free version(if using win98/ME).

oldman · « **Reply #4 on:** November 10, 2007, 03:31:15 AM »

Hi, let's see what we can do. Added to what DavidR has posted.

Download superantispyware

First update SAS Then

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked
- Close browsers before scanning
- Scan for tracking cookies
- Terminate memory threats before quaranine.

leave the others unchecked.

Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.(and other fixed drives)
Under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan.

When the scan is done, quarentine everything found . Reboot if asked. You can post the log in your next reply if you wish.

Click here to download HJTsetup.exe

Save HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

jzureich21 · « **Reply #5 on:** November 10, 2007, 03:43:52 AM »

C:/System Volume Information/_restore{21D7D692-4662-421F-93B0-877BC3820711}-/RP1 to most of them and some have C:/Program Files/Video ActiveX Access

jzureich21 · « **Reply #6 on:** November 10, 2007, 03:50:05 AM »

I have windows firewall and thanks a lot for helping me

oldman · « **Reply #7 on:** November 10, 2007, 04:15:33 AM »

You may be luck. Turn off system restore and reboot your computer. The file you posted is a system restore point. When you reboot all the restore points will be removed.

oldman · « **Reply #8 on:** November 10, 2007, 04:29:07 AM »

Hi

After clearing the restore points, boot into safe mode, in your usual user account, not the administer account.

Open the Folder Options in the Control Panel. On the View tab make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files is not checked. Click OK.

Go to C:\Program Files and delete the entireVideo Access ActiveX Object folder.

Reboot to normal windows.

post a HJT log.

oldman · « **Reply #9 on:** November 10, 2007, 05:29:49 AM »

Sorry I forgot to say welcome to the forum.

And sorry about the split instructions above, got interupted and posted it before I was done.

Turn system restore back on. A leaky boat is better than no boat at all.

Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point.

Run SAS as I posted above. It may pick up anything left. Post that log and a new HJT log with your next reply.

DavidR · « **Reply #10 on:** November 10, 2007, 02:51:32 PM »

Quote from: jzureich21 on November 10, 2007, 03:50:05 AM

I have windows firewall and thanks a lot for helping me

Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

- There are many freeware firewalls such as, Comodo, PCTools Firewall Plus, Jetico, etc. Many forum members (not myself) are using Comodo firewall.
See http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php.

Welcome to the forums.

jzureich21 · « **Reply #11 on:** November 18, 2007, 05:22:50 AM »

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/17/2007 at 11:14 PM

Application Version : 3.9.1008

Core Rules Database Version : 3342
Trace Rules Database Version: 1343

Scan type : Complete Scan
Total Scan Time : 05:37:45

Memory items scanned : 384
Memory threats detected : 2
Registry items scanned : 4077
Registry threats detected : 10
File items scanned : 115435
File threats detected : 74

Trojan.Downloader-LDCORE
   C:\WINDOWS\SYSTEM32\LDCORE.DLL
   C:\WINDOWS\SYSTEM32\LDCORE.DLL

Trojan.WinFixer
   C:\WINDOWS\SYSTEM32\MLJJJ.DLL
   C:\WINDOWS\SYSTEM32\MLJJJ.DLL
   HKLM\Software\Classes\CLSID\{525EC465-1FBA-47E6-9484-5C069EA98EC0}
   HKCR\CLSID\{525EC465-1FBA-47E6-9484-5C069EA98EC0}
   HKCR\CLSID\{525EC465-1FBA-47E6-9484-5C069EA98EC0}\InprocServer32
   HKCR\CLSID\{525EC465-1FBA-47E6-9484-5C069EA98EC0}\InprocServer32#ThreadingModel
   HKLM\Software\Classes\CLSID\{52CAF739-D10B-43F8-9631-B3541C497D11}
   HKCR\CLSID\{52CAF739-D10B-43F8-9631-B3541C497D11}
   HKCR\CLSID\{52CAF739-D10B-43F8-9631-B3541C497D11}\InprocServer32
   HKCR\CLSID\{52CAF739-D10B-43F8-9631-B3541C497D11}\InprocServer32#ThreadingModel
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{525EC465-1FBA-47E6-9484-5C069EA98EC0}
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52CAF739-D10B-43F8-9631-B3541C497D11}

Adware.Tracking Cookie
   C:\Documents and Settings\Kaiko.AARON-FFF79CF13\Cookies\kaiko@statse.webtrendslive[1].txt
   C:\Documents and Settings\Kaiko.AARON-FFF79CF13\Cookies\kaiko@ad.yieldmanager[2].txt
   C:\Documents and Settings\Kaiko.AARON-FFF79CF13\Cookies\kaiko@html[2].txt
   C:\Documents and Settings\Kaiko.AARON-FFF79CF13\Cookies\kaiko@revsci[2].txt
   C:\Documents and Settings\Kaiko.AARON-FFF79CF13\Cookies\kaiko@2o7[1].txt
   C:\Documents and Settings\Kaiko.AARON-FFF79CF13\Cookies\kaiko@tacoda[2].txt
   C:\Documents and Settings\Kaiko.AARON-FFF79CF13\Cookies\kaiko@interclick[2].txt
   C:\Documents and Settings\Kaiko.AARON-FFF79CF13\Cookies\kaiko@advertising[2].txt
   C:\Documents and Settings\Kaiko.AARON-FFF79CF13\Cookies\kaiko@www.burstnet[1].txt
   C:\Documents and Settings\Kaiko.AARON-FFF79CF13\Cookies\kaiko@burstnet[2].txt
   C:\Documents and Settings\Kaiko.AARON-FFF79CF13\Cookies\kaiko@atwola[1].txt
   C:\Documents and Settings\Kaiko.AARON-FFF79CF13\Cookies\kaiko@doubleclick[2].txt
   C:\Documents and Settings\Kaiko.AARON-FFF79CF13\Cookies\kaiko@atdmt[1].txt
   C:\Documents and Settings\John.AARON-FFF79CF13\Cookies\john@bizrate[1].txt
   C:\Documents and Settings\Kaiko\Cookies\kaiko@2o7[2].txt
   C:\Documents and Settings\Kaiko\Cookies\kaiko@2o7[3].txt
   C:\Documents and Settings\Kaiko\Cookies\kaiko@ad.yieldmanager[1].txt
   C:\Documents and Settings\Kaiko\Cookies\kaiko@adrevolver[1].txt
   C:\Documents and Settings\Kaiko\Cookies\kaiko@adrevolver[2].txt
   C:\Documents and Settings\Kaiko\Cookies\kaiko@advertising[2].txt
   C:\Documents and Settings\Kaiko\Cookies\kaiko@atdmt[1].txt
   C:\Documents and Settings\Kaiko\Cookies\kaiko@atwola[1].txt
   C:\Documents and Settings\Kaiko\Cookies\kaiko@doubleclick[1].txt
   C:\Documents and Settings\Kaiko\Cookies\kaiko@fastclick[1].txt
   C:\Documents and Settings\Kaiko\Cookies\kaiko@go.drivecleaner[1].txt
   C:\Documents and Settings\Kaiko\Cookies\kaiko@msnportal.112.2o7[1].txt
   C:\Documents and Settings\Kaiko\Cookies\kaiko@realmedia[2].txt
   C:\Documents and Settings\Kaiko\Cookies\kaiko@revsci[1].txt
   C:\Documents and Settings\Kaiko\Cookies\kaiko@stats.drivecleaner[2].txt
   C:\Documents and Settings\Kaiko\Cookies\kaiko@tripod[1].txt
   C:\Documents and Settings\Kaiko\Cookies\kaiko@zedo[2].txt
   C:\Documents and Settings\Kaiko.AARON-FFF79CF13\Cookies\kaiko@ads3.think-adz[2].txt

Browser Hijacker.Favorites
   C:\DOCUMENTS AND SETTINGS\KAIKO\FAVORITES\ONLINE SECURITY TEST.URL

Trojan.Downloader-AUPD
   C:\DOCUMENTS AND SETTINGS\KAIKO.AARON-FFF79CF13\LOCAL SETTINGS\TEMP\AUPD.EXE

Adware.ZenoSearch-NVON
   C:\DOCUMENTS AND SETTINGS\KAIKO.AARON-FFF79CF13\LOCAL SETTINGS\TEMP\T0CHD001.EXE
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP85\A0009462.EXE
   C:\WINDOWS\SYSTEM32\DWDSRNGT.EXE

Trojan.ZenoSearch
   C:\DOCUMENTS AND SETTINGS\KAIKO.AARON-FFF79CF13\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\WH8VOJS7\DQ[1].EXE
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP85\A0009463.EXE

Adware.ClickSpring/Yazzle
   C:\PROGRAM FILES\COMMON FILES\YAZZLE1560OINADMIN.EXE
   C:\PROGRAM FILES\COMMON FILES\YAZZLE1560OINUNINSTALLER.EXE

Trojan.Downloader-Gen/Insider
   C:\PROGRAM FILES\INETGET2\INSTALLEUR.EXE

Trojan.Downloader-Gen/WinAble-Installer
   C:\PROGRAM FILES\TEMPORARY\WININSTALL.EXE

Adware.WinUpdates
   C:\PROGRAM FILES\WINUPDATES\A.TMP
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP56\A0003320.EXE
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP59\A0005866.EXE
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP72\A0006124.EXE

Adware.AdRotator/RightOnz
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP46\A0002091.DLL
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP53\A0002236.DLL
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP72\A0007451.DLL
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP72\A0007676.DLL
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP72\A0007679.DLL

Adware.webHancer
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP53\A0002197.EXE
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP53\A0002199.DLL
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP54\A0003308.EXE
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP54\A0003310.DLL
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP54\A0003311.EXE
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP58\A0003336.EXE
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP58\A0003338.DLL
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP72\A0007432.EXE
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP72\A0007444.EXE
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP85\A0009466.DLL
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP85\A0009467.DLL
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP85\A0009468.EXE

Malware.VirusProtectPro
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP67\A0005946.EXE
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP85\A0009472.EXE

Trojan.Unknown Origin
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECF6C83E-2E23-416D-882D-1EDBE4AAEB92}\RP83\A0009404.EXE
   C:\WINDOWS\B147.EXE

Trojan.Downloader-Gen/Installer
   C:\WINDOWS\B122.EXE

Adware.Vundo-Variant/Small
   C:\WINDOWS\SYSTEM32\GEBABYV.DLL

Trojan.Downloader-Gen
   C:\WINDOWS\SYSTEM32\WINPFZ32.SYS

Adware.Unknown Origin
   C:\WINDOWS\SYSTEM32\ZXDNT3D.CFG

oldman · « **Reply #12 on:** November 18, 2007, 05:30:59 AM »

Please post a new HJT log. SAS found and removed a lot of things.

Did you remove the folder "Video Access ActiveX Object"?

Author Topic: Help! lots of trojans on my computer (Read 6847 times)

jzureich21

Help! lots of trojans on my computer

jzureich21

Re: Help! lots of trojans on my computer

jzureich21

Re: Help! lots of trojans on my computer

DavidR

Re: Help! lots of trojans on my computer

oldman

Re: Help! lots of trojans on my computer

jzureich21

Re: Help! lots of trojans on my computer

jzureich21

Re: Help! lots of trojans on my computer

oldman

Re: Help! lots of trojans on my computer

oldman

Re: Help! lots of trojans on my computer

oldman

Re: Help! lots of trojans on my computer

DavidR

Re: Help! lots of trojans on my computer

jzureich21

Re: Help! lots of trojans on my computer

oldman

Re: Help! lots of trojans on my computer