Author Topic: Trojan Horse keeps coming back  (Read 13819 times)


Offline mark1123emily

  • Jr. Member
  • **
  • Posts: 25
Trojan Horse keeps coming back
« on: July 19, 2009, 05:25:08 PM »
Hi! I've been using Avast! for quite some time now and this is the first time I've encountered this kind of problem. After Avast! updated, I turned off my laptop because I was done using it, and after turning it on again it always shows an explorer.exe error, then Avast! detects a trojan horse under the location C:/user/update.exe, which I can delete but it keeps coming back. I've had experience with worms before, but Avast! immediately solves my problems. This time it's different: Avast! cannot detect what or where the worm is, just the Trojan Horse. I wasn't going to conclude that this happened due to the update, but the same thing happened to my other laptop. Same issue. Same problem. Please help me out. I did everything, scanned everything, even the memory test, but nothing can be detected except for the trojan in the said folder. I don't know what to do. My virus database version is 090719-0, 07/19
Thanks a lot!

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69560
  • No support PMs thanks
Re: Trojan Horse keeps coming back
« Reply #1 on: July 19, 2009, 06:02:29 PM »
If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall?

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don't worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them though. See http://en.wikipedia.org/wiki/HTTP_cookie.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2021/ Outpost Firewall Pro9.1/ Firefox 30.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline mark1123emily

  • Jr. Member
  • **
  • Posts: 25
Re: Trojan Horse keeps coming back
« Reply #2 on: July 19, 2009, 06:15:33 PM »
Thanks, but I installed AVG and found out that I have a Trojan Horse Agent2.IIE infection. It is still currently running its scan; I'm not sure if AVG could get rid of this. BTW this laptop is new, I'm still exploring it. Not yet a week old and it's infected already. :(

Offline ajay

  • Newbie
  • *
  • Posts: 1
Re: Trojan Horse keeps coming back
« Reply #3 on: July 19, 2009, 08:07:59 PM »
You should probably do a boot time scan. That should fix the problem!

Offline Tech

  • avast! team
  • Certainly Bot
  • *
  • Posts: 65058
Re: Trojan Horse keeps coming back
« Reply #4 on: July 19, 2009, 08:17:37 PM »
If avast is detecting it, a boot-time scan should take care of it. Anyway, when a virus is recurrent, I suggest:

1. Clean your temporary files.
2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or on this analysis site, or even submit the RunScanner log for online analysis.
6. Clean your Hosts file (replacing it) with HostsMan tool.
7. Disable System Restore and then re-enable it.
8. Immunize your system with SpywareBlaster.
9. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

Offline mark1123emily

  • Jr. Member
  • **
  • Posts: 25
Re: Trojan Horse keeps coming back
« Reply #5 on: July 20, 2009, 05:48:01 AM »
Avast! could only detect the trojan horse located at C:\user\update.exe on both my laptops. When I ran AVG it detected a Trojan Horse agent2.IIE located at C:\Driver\Files\DT.exe, again on both my laptops. How could I have gotten the same infection on different laptops? I didn't do anything that could transfer the infection to the other laptop. Thanks for all your help.

Offline micky77

  • avast! Evangelist
  • Advanced Poster
  • ***
  • Posts: 1049
  • Trust no program
Re: Trojan Horse keeps coming back
« Reply #6 on: July 20, 2009, 02:28:16 PM »
This link explains what this virus DT.exe does. It seems a nasty bit of kit. One of its aliases is Update.exe, so it would seem related to what Avast found. Has AVG removed it?

http://spywarefiles.prevx.com/spywarefiles.asp?FXC=IEGJ790070
I Sandboxie

Offline Tech

  • avast! team
  • Certainly Bot
  • *
  • Posts: 65058
Re: Trojan Horse keeps coming back
« Reply #7 on: July 20, 2009, 02:42:49 PM »
I suppose you're not using avast and AVG at the same time on the same computer.
Maybe the infection came from the same website visited on both computers...
The best things in life are free.

Offline mark1123emily

  • Jr. Member
  • **
  • Posts: 25
Re: Trojan Horse keeps coming back
« Reply #8 on: July 20, 2009, 03:11:36 PM »
Well, Avast does detect the update.exe trojan but AVG does not, although AVG does detect the DT.exe virus, which Avast cannot. I installed malwarebytes and super antispyware. I was surprised that there are about 8 trojans in the system restore detected by super antispyware, whereas malwarebytes detected OGa\RD\GOx.exe. BTW I removed Avast temporarily. Both laptops weren't used for any other similar apps except for the Avast update. I have a friend who is also using Avast. He used AVG to scan his laptop and found similar trojans. I did a little experimentation with this laptop and opted not to delete the OGa\RD\GOx.exe file, and sure enough it threw up that update.exe trojan. It messes with my startup; a little window will pop out.
These were the infections found by malwarebytes:
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67kln5j0-4opm-01we-aax2-314cca554372} (Generic.Bot.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67kln5j0-4opm-01we-aax5-314cca322142} (Generic.Bot.H) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\OGa\RD\GOx.exe (Generic.Bot.H) -> No action taken.
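
The log above, read as a triage exercise (an added example, not part of the original post). Active Setup "Installed Components" entries run their StubPath command at logon, which fits a file that reappears after deletion, and the two flagged keys are GUID-shaped but contain non-hex characters. The parser, regexes and labels below are assumptions of this example; the log lines are copied from the post.

```python
import re

# Lines copied from the Malwarebytes log quoted in the post above.
LOG = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67kln5j0-4opm-01we-aax2-314cca554372} (Generic.Bot.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67kln5j0-4opm-01we-aax5-314cca322142} (Generic.Bot.H) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Files Infected:
C:\OGa\RD\GOx.exe (Generic.Bot.H) -> No action taken.
"""

# "<path> (<detection>) -> [<detail> -> ]<action>."
ITEM = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?:.+ -> )?(?P<action>[^>]+)\.$")
GUID_SHAPED = re.compile(r"\{\w{8}(?:-\w{4}){3}-\w{12}\}")
REAL_GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_log(text):
    """Return one dict per detected item, tagged with its log section."""
    section, items = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):
            section = line[:-len(" Infected:")]
        elif (m := ITEM.match(line)):
            items.append({"section": section, **m.groupdict()})
    return items

def triage(items):
    """Map each item to (category, object, note) for the responder."""
    notes = []
    for it in items:
        leaf = it["path"].rsplit("\\", 1)[-1]
        if "\\Active Setup\\Installed Components\\" in it["path"]:
            # Heuristic: looks like a GUID but is not valid hexadecimal.
            fake = GUID_SHAPED.fullmatch(leaf) and not REAL_GUID.fullmatch(leaf)
            notes.append(("logon persistence", leaf, "fake GUID" if fake else "check StubPath"))
        elif leaf == "AntiVirusDisableNotify":
            notes.append(("alerts suppressed", leaf, "Security Center AV warning disabled"))
        elif it["section"] == "Files":
            notes.append(("payload", it["path"], it["action"]))
    return notes
```

Removing only the file while the two Installed Components keys remain leaves the logon trigger in place, so the registry items and the file need to be cleaned together.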

Offline Mr.Agent

  • avast! Evangelist
  • Massive Poster
  • ***
  • Posts: 2774
  • Proud to be an avast! user.
Re: Trojan Horse keeps coming back
« Reply #9 on: July 20, 2009, 03:44:16 PM »
Send GOx.exe to virustotal and show us the result. Also, if virustotal is detecting a lot of viruses, then please feel free to send the file through the Avast! chest to ALWIL, so they can improve our detection.

Thanks.

Mr.Agent

Offline mark1123emily

  • Jr. Member
  • **
  • Posts: 25
Re: Trojan Horse keeps coming back
« Reply #10 on: July 20, 2009, 04:00:05 PM »
I'll do what you suggested. I already removed it from this laptop because it's scaring the heck out of me. I'll be fixing my other laptop tomorrow since they're both infected with the same thing. Thanks a lot!
BTW how do I send it? It's still in my quarantine in malwarebytes.
« Last Edit: July 20, 2009, 04:05:38 PM by mark1123emily »

Offline samuelvirucide

  • Full Member
  • ***
  • Posts: 134
  • Destroying malware
Re: Trojan Horse keeps coming back
« Reply #11 on: July 21, 2009, 12:41:00 PM »
 ;D hi kabayan,

   Do you currently use P2P file sharing software?

  Please read this article: "So how did I get infected in the first place?" © Tony Klein    8)

Offline mark1123emily

  • Jr. Member
  • **
  • Posts: 25
Re: Trojan Horse keeps coming back
« Reply #12 on: July 22, 2009, 03:21:38 PM »
Nope, I don't do p2p file sharing. I'm using firefox as my browser. This laptop is new, just a week old. Although I already cleared the infections I had earlier, I'm still getting a few; mostly they land in my system restore. Thanks a lot for all your help. The other laptop, sad to say, got 53 infections!  :(  But I haven't connected both laptops by any means. It has the same infection as this one has. But it has a trojan downloader inserted into one of its programs (Flushcode.exe). I'm currently downloading Spybot search and destroyer; hope this will end my infection streak.

Offline mark1123emily

  • Jr. Member
  • **
  • Posts: 25
Re: Trojan Horse keeps coming back
« Reply #13 on: July 22, 2009, 04:36:04 PM »
I can't download spybot search and destroy. It's either being canceled or if I could download it, it says I have no permission to access it. Why is that? I can't even download spyware blaster nor the avast anti rootkit!!! What's going on!!!!!!
« Last Edit: July 22, 2009, 04:50:04 PM by mark1123emily »

Offline Tech

  • avast! team
  • Certainly Bot
  • *
  • Posts: 65058
Re: Trojan Horse keeps coming back
« Reply #14 on: July 22, 2009, 05:31:00 PM »
Quote from mark1123emily: "I can't download spybot search and destroy. It's either being canceled or if I could download it, it says I have no permission to access it. Why is that? I can't even download spyware blaster nor the avast anti rootkit!!! What's going on!!!!!!"

Most probably you're infected and the malware is preventing you from getting protection/cleaning software.
It sounds like a hosts file problem. Check the contents of the file at the location for your operating system.

Windows 95 - C:\windows
Windows 98 - C:\windows
Windows Me - C:\windows
Windows 2000 - C:\windows\system32\drivers\etc
Windows XP - C:\windows\system32\drivers\etc
Windows NT - C:\winnt\system32\drivers\etc
Windows Vista - C:\windows\system32\drivers\etc

Note the file does not have an extension, it's simply hosts

The default file consists of a number of example lines preceded with #. The only required line is
127.0.0.1       localhost

You can get a good replacement and more info on what the hosts file does from here

http://www.mvps.org/winhelp2002/hosts.htm
HostsMan could be the best tool for having it updated: http://www.abelhadigital.com

HOSTS file redirection is a common malware tactic to block AV sites, making it difficult to remove malware. Check your HOSTS file using notepad or a text editor of your choice and look for entries with avast.com on the line; you may well see other AV sites.
The best things in life are free.
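
The hosts-file check described in the reply above, automated (an added example, not code from the original post or from avast!). It flags any mapping for a security vendor's domain while leaving ordinary blocklist entries, such as those in a replacement hosts file, alone. The watchlist beyond avast.com, the sample file and all function names are assumptions of this example.

```python
import ipaddress

# Assumed watchlist: avast.com is named in the post above; the other
# domains are illustrative additions for the tools the thread mentions.
WATCHED = ("avast.com", "avg.com", "malwarebytes.org", "safer-networking.org")

# Constructed sample hosts file (not taken from the poster's machine).
SAMPLE = """\
# Constructed sample
127.0.0.1       localhost
127.0.0.1       www.avast.com avast.com
0.0.0.0         download.avg.com    # trailing comment
192.0.2.10      update.malwarebytes.org
127.0.0.1       ads.example.net
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every name mapped in the file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # strip comments, then tokenize
        if len(fields) < 2:
            continue                            # blank, comment-only or malformed
        for name in fields[1:]:                 # one address may carry several names
            yield line_no, fields[0], name.lower().rstrip(".")

def is_watched(name):
    """True for a watched domain or any of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in WATCHED)

def audit_hosts(text):
    """Return (line_no, hostname, ip, reason) for each suspicious mapping."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if not is_watched(name):
            continue        # blocklist entries for ad servers etc. are left alone
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "unparsable address"))
            continue
        local = addr.is_loopback or addr.is_unspecified
        findings.append((line_no, name, ip, "blocked locally" if local else "redirected"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print("line %d: %s -> %s (%s)" % finding)
```

To audit a real machine, pass the contents of the hosts file from the directory listed above for the operating system to `audit_hosts`.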