win32 trojano-169 help

[angi_]

i did an online scan and was told i had this  trj/downloader.kq  in c:\windows\sbcs.exe     i did a full scan with avast and nothing came up so i scanned that file  it came up with  win32 trojano-169  found in file C:\WINDOWS\sbcs.exe   it wont let me repair it or move it to chest   any ideas?     and is that the same virus the other place found?

[Eddy]

Yes it is the same. Unfortunatly there still is not some sort of agreement on how to name malware so different av companies can use different names for the same thing. Confusing for many users, I admit. But that's the way it is. Let's hope there will be a uniforming naming someday.

To deal with this trojan, run a boottime scan with Avast and it should be taken care of. Very likely the infection is active and that prevents Avast from deleting/moving it. The boottime scan should be able get around this.

Let us know if the problem is solved after the scan.

[angi_]

ok i deleted at bootime scan     went to wins sbcs right clicked scanned folder was ok   clicked to open it and virus warning came up same one as before  so i scanned sherv warning came up so i moved to chest it went from screen    then i clicked sbcs agin warning came back up  and it put sherv back on screen even though its still in my chest???  am i being thick here?

[whocares]

Hi,

what Windows-version do you have.. ?
(if it's ME or XP, then first disable system restore)
- try deleting again manually in safeMode (F8-Boot)
 or via avast boot-time scan
- and post a Hijackthis-log for diagnosis

More details & instructions can be found in the link " VirusRemoval" below inmy sig..

[angi_]

ok did that  cant se it now but darent click on  sbcs just in case lol  heres my log
Logfile of HijackThis v1.98.2
Scan saved at 12:23:31, on 17/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\resetservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\angi\My Documents\My Received Files\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab30149.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15BEA083-B823-49E9-B86A-35C77C5C8D63}: NameServer = 194.72.9.39 194.74.65.68
O17 - HKLM\System\CS1\Services\Tcpip\..\{15BEA083-B823-49E9-B86A-35C77C5C8D63}: NameServer = 194.72.9.39 194.74.65.68

[Eddy]

The log file is clean.

- Remove everything from the virus chest. (delete them)
- Disable system restore.
- reboot
- Check your system and remove the following files (if they are there)
c:\windows\sbcs.exe
c:\windows\msbb.exe
C:\windows\Prefetch\sbcs.exe-xxxxxxxx.pf (the xxxxxxxx can be numbers or letters)
c:\windows\Prefetch\msbb.exe-xxxxxxxx.pf (the xxxxxxxx can be numbers or letters)
- reboot

It looks like there are some leftovers from malware you had installed.

[angi_]

ok i only found sbcs in windows no exe  should i delete that?   i found the exe in prefetch and deleted it    i couldnt find  the other one at all     i deleted chest files too      

[angi_]

ok i waited for answer yesterday but hmmmm    i deleted sbcs  file too it is sitting in recycle bin do i get rid???    afterwards do i system restore back on??

[Eddy]

Empty the bin (remove it)

Only reenable system restore if you really have a need for it.

Personally I have it always disabled.