Author Topic: Win32:Trojano-998 [Trj] in QB.exe  (Read 7944 times)


Offline Serverboats

  • Jr. Member
  • **
  • Posts: 25
  • I am not a Llama!
Win32:Trojano-998 [Trj] in QB.exe
« on: May 30, 2005, 01:43:46 PM »
Windows XP SP2, Win32:Trojano-998 in C:\Windows\System\QB.exe. This file keeps rebuilding itself. I boot in safe mode, delete it, move it, flush the temps, and the little bugger keeps coming back. Any ideas? ???

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84910
  • No support PMs thanks
Re: Win32:Trojano-998 [Trj] in QB.exe
« Reply #1 on: May 30, 2005, 02:27:26 PM »
1. Do you use Quick Basic? This may be associated with that program.

2. You could also check the offending/suspect file at: Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive.

3. Since you have XP, you could enable a boot time scan.
Try the schedule boot-time scan in avast's menu (or try the 'Schedule Boot-Time Scan' using RejZoR's AEC avast! External Control Tool).

To truly get rid of it you will probably need to disable system restore because XP will probably save a copy in the system volume information folder.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.3.2459 (build 21.3.6164.561) UI 1.0.609/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re: Win32:Trojano-998 [Trj] in QB.exe
« Reply #2 on: May 30, 2005, 02:36:09 PM »
"This file keeps rebuilding itself."
It's not enough just to boot in safe mode and delete it.
You should run avast there and clean your system.
Or, better, if you have Windows XP, schedule a boot-time scanning: Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.

You should disable System Restore of Windows too.
The best things in life are free.

Offline Serverboats

Re: Win32:Trojano-998 [Trj] in QB.exe
« Reply #3 on: May 30, 2005, 02:44:28 PM »
System Restore is already disabled. 

Infected files deleted with boot time scan but QB.exe and randomly named infected windows system files keep appearing.

What exactly is Trojano-993?

This system belongs to a family friend's teenager and the kid doesn't strike me as even knowing what QuickBasic is.

Thanks,

It is good to see that live people actually look at this stuff.

Offline Serverboats

Re: Win32:Trojano-998 [Trj] in QB.exe
« Reply #4 on: May 30, 2005, 03:16:59 PM »
Running full scan in safe mode at present.

Will post again when complete.

 ???

Offline DavidR

Re: Win32:Trojano-998 [Trj] in QB.exe
« Reply #5 on: May 30, 2005, 03:22:11 PM »
With XP the best option is to schedule a boot-time scan, that way windows isn't running. It is also likely to be quicker.

Offline Serverboats

Re: Win32:Trojano-998 [Trj] in QB.exe
« Reply #6 on: May 30, 2005, 03:34:32 PM »
David,
I have run multiple boot time scans and used the delete all option. C:\windows\system\QB.exe has been deleted, moved and renamed multiple times. The file keeps re-appearing at next boot. I look at HJT and don't see anything that jumps out at me. Please give it a look; I may have missed something. Sometimes a fresh perspective will see something obvious.

Thanks,

Offline Serverboats

Re: Win32:Trojano-998 [Trj] in QB.exe
« Reply #7 on: May 30, 2005, 06:15:41 PM »
Safe Mode scan complete.

c:\RECYCLER\NPROTECT\00000334.exe, infected with Trojano-998, successfully deleted.

A multitude of files indicate that they are corrupted archives. Is this normal?

 

Offline DavidR

Re: Win32:Trojano-998 [Trj] in QB.exe
« Reply #8 on: May 30, 2005, 07:53:47 PM »
1. For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially a missing file entry for avast). If you need any help with any of the analysis, let us know.

I wouldn't say that corruption is normal, but corrupted archives can't currently be scanned by avast; if they are corrupt they can't/shouldn't be a problem. Just because they are corrupt and avast can't scan them, it doesn't mean they are infected.

Can you give a few examples of the file names and location of the corrupted archives?
example (C:\windows\system32\corrupted-filename.xxx)?

Offline Serverboats

Re: Win32:Trojano-998 [Trj] in QB.exe
« Reply #9 on: May 30, 2005, 08:56:13 PM »
The online analysis is AWESOME!!! Something unknown to me must have happened during the safe mode scan as QB.exe went away and there was QBUninstaller.exe in its place ??? ???. Anyway, I disposed of some 11 additional items per the online tool. Thanks a bunch. Hmmmmmm let's see.... Fix somebody's problem = good, show somebody how to diagnose and fix their own problem = much better.

Well Done  ;)
Serverboats

Offline Serverboats

Re: Win32:Trojano-998 [Trj] in QB.exe
« Reply #10 on: May 30, 2005, 09:21:52 PM »
I am now down to only 1 problem... I think.   When I reboot I get an exe file in the windows/system directory with a random name. Infected with Trojano-998 of course. How do I figure out where this thing is unpacking itself at?

 ???

Offline DavidR

Re: Win32:Trojano-998 [Trj] in QB.exe
« Reply #11 on: May 30, 2005, 10:49:26 PM »
Run another HJT scan (normal not safe mode), save the results and paste the contents here and we will see if there is anything we can pin down.

It is likely that this is some form of adware/spyware.

If you haven't already got this software (freeware), download, install, update and run it.
1. Ad-Aware
2. Spybot Search and Destroy
3. Spywareblaster

Offline Serverboats

Re: Win32:Trojano-998 [Trj] in QB.exe
« Reply #12 on: May 30, 2005, 11:19:57 PM »
1. How do I close the other thread?  my apologies...

2. Spybot S&D done several times.

3. Adaware Personal SE done several times.

4. Haven't tried spywareblaster yet but if you say so...

5. HJT is attached.


Offline Lisandro

Re: Win32:Trojano-998 [Trj] in QB.exe
« Reply #13 on: May 30, 2005, 11:40:50 PM »
Please answer again to clarify what's wrong:
1. Is System Restore enabled or not right now?
2. Did you run a boot-time scan with archive scanning selected? Which results did you get?
3. Did you clean your temporary Internet files (cache)?

Offline Serverboats

Re: Win32:Trojano-998 [Trj] in QB.exe
« Reply #14 on: May 30, 2005, 11:51:05 PM »
System restore is disabled.

Boot time scan now only finds 1 randomly named exe file in windows/system and deletes same.

I am flushing every cache I can think of :'( maybe I am not getting them all?

If I leave the .exe file there another one is not built. If I rename or delete it, a new one, different name with .exe, appears. Always 11 KB and modified on 3/16/2005.

Any idea you can provide is welcome as I have been at this thing for going on 12 hours straight now.   please??
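
An added example, not part of any post in this thread: the last post gives a stable fingerprint for the re-dropped file (an .exe, always 11 KB, always modified 3/16/2005) even though its name changes, so a triage script can match on that fingerprint and hash the hits to confirm they are one payload under several names. The file names and contents below are constructed, and reading "11 KB" as Explorer's rounded-up size is an assumption.

```python
import hashlib
import os
import tempfile
from datetime import date, datetime

def find_redropped(directory, size_kb=11, modified=date(2005, 3, 16)):
    """Group .exe files matching the size/date fingerprint by SHA-256."""
    groups = {}
    for entry in os.scandir(directory):
        if not entry.is_file() or not entry.name.lower().endswith(".exe"):
            continue
        st = entry.stat()
        # Assumption: "11 KB" is Explorer's rounded-up size (10241..11264 bytes).
        if not (size_kb - 1) * 1024 < st.st_size <= size_kb * 1024:
            continue
        if datetime.fromtimestamp(st.st_mtime).date() != modified:
            continue
        with open(entry.path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        groups.setdefault(digest, []).append(entry.name)
    # Several names under one digest = the same payload re-dropped under new names.
    return {h: sorted(names) for h, names in groups.items()}

def build_sample(directory):
    """Constructed sample files: harmless filler bytes, hypothetical names."""
    hit = datetime(2005, 3, 16, 12, 0).timestamp()
    other = datetime(2004, 8, 4, 12, 0).timestamp()
    files = {
        "xkqzt.exe": (b"A" * 11000, hit),      # matches the fingerprint
        "pfwmb.exe": (b"A" * 11000, hit),      # same bytes, different name
        "notepad.exe": (b"B" * 11000, other),  # right size, wrong date
        "big.exe": (b"C" * 50000, hit),        # right date, wrong size
        "readme.txt": (b"A" * 11000, hit),     # not an .exe
    }
    for name, (data, mtime) in files.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return find_redropped(tmp)

if __name__ == "__main__":
    for digest, names in demo().items():
        print(digest[:16], names)
```

The resulting hash is a name-independent indicator that can be searched for elsewhere on the disk when looking for whatever writes the file at boot.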