another trojan.....

[kute_kittyvii]

 
ok i have a trojan on my computer...and i cant get rid of it! I tried avast and it still cant get rid of it. The trojan is called... Win32: Trojano-214 [Trj] C:WINDOWS\ polall1r.exe. but the only time avast detects it is when i restart my computer, as soon as my active desktop starts, avast tells me that i have this trojan. I tried deleting it, and avast "deletes" it but it still shows up on my next system restart. I also used hi-jack this and spybot, but it is still there. Can anyone help me?
 ps. if my picture is still too big, i apologize...im working on it!

[kute_kittyvii]

heres my hijack this log....

Logfile of HijackThis v1.98.2
Scan saved at 6:55:18 PM, on 06/12/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\MULTIMPP.DLL
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\WINDOWS\ALL USERS\APPLICATION DATA\SETUP\SETUP.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\SATMAT.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/us/win/QuickTimeInstaller.exe

[Spyros]

First of all, a question: Are you running NAV together with avast?

[whocares]

Hi,

here's an analysis:
http://hijackthis.de/logfiles/b35707ba845692d58997c53a049f0b43.html

1) MOVE/unpack the hijackthis.exe to a new, empty folder of its own; DON't run it from the archiv/Temp-folder, or you might loose its backups

2) Disable system RESTORE (how-to: -> Link "VirusRemoval" below in my sig)

3) boot your PC to SafeMode (F8-Boot)

4) rerun hijackthis.exe from its new folder, click "scan", then Checkmark the items marked RED in above analysis/link, and then press "Fix Checked"

5) reboot normally

6) scan & fix with Ad-Aware & SPYBOT, reboot, and afterwards scan with uptodate avast (thorough&archiveScan)

7)  Secure your System&Browser better, apply all Windowsupdates, especially for IE6

if needed: reenable system restore

more Details/Links: also in link "VirusRemoval" below
 

[kute_kittyvii]

An answer to your question spyros. Yes i do  have norton and avast, i also have spybot and ad-aware. will this be causing a confusion on my computer? also i noticed that im getting error messages everytime i go on the internet (or everytime i close IE) it says "<unknown> caused an error in (random number), explorer will now close"...what is this all about? i will try what you suggested who, and i will keep you updated. thank you for your help.

[DavidR]

It is not advisable to run two resident active AV programs, NAV does not like to play nice (there is a high likelihood of conflict). I'm surprised that avast installed properly, because when it finds NAV (or some other AVs), it gives a warning and doesn't fully set itself up.

Unless you installed avast first then NAV? Even so I'm surprised they are playing properly together. There are many posts in these forums that report conflicts with NAV, not being properly uninstalled, let alone fully installed.

[kute_kittyvii]

 
hmmmm, well if avast and NAV don't get along, which one should i take off of my system? I like both of them, since NAV was already installed on this comp when i bought it, i don't have the disc to re-install it. But I like avast. What sort of "problems" does this cause? so far avast and NAV have been getting along on mine...and there was no error message when i installed avast. Which one should I pick?.... I also just ran avast >>thorough (with archive scanning) it found 19 trojans, all trojano 214 and another trojano....but one was different and avast couldnt get rid of it.  >:(this is really starting to get on my nerves...I did the hi-hack this thing, updated my system, scanned with avast and spybot...do you think the two anti-viruses are "fighting" and causing this? I also have Warez (kinda like Kazaa but with no spy/adware....i hope)  What should i do now??

[Spyros]

hmmmm, well if avast and NAV don't get along, which one should i take off of my system?

Well, I guess this is just a matter of personal preferences.
But of course I' ll vote against NAV (I have already dumped NAV for avast!)

As for the trojan, you can try 2 other (free) anti-trojan programes: Ewido & a². You will find links on my web-page {press the "earth" button under my avatar}

[whocares]

ANd you should tell us exactly WHERE each trojan was found (Folder/Filename)

-> Please reread "VirusRemoval" below and give speicifc info

also post a new hijackthis-Log after reboot here
 

[kute_kittyvii]

ok this is a log of all the viruses found on my computer since i bought it (roughly 2 months ago)

 "Win32:Trojan-gen. {Other}" has been found in "c:\temp\salm.exe" file.  
 "Win32:Trojano-214 [Trj]" has been found in "c:\windows\system\ijdgka.exe" file.  
"Win32:Trojan-gen. {Other}" has been found in "c:\temp\salm.exe" file.  
 "Win32:NcaseSpy [Trj]" has been found in "c:\windows\bwfat.exe" file.  
 "Win32:Adware-sbar [Trj]" has been found in "c:\program files\bullseye network\bin\bargains.exe" file.  
 "Win32:Trojano-214 [Trj]" has been found in "c:\windows\system\ijdgka.exe" file.  
"Win32:Trojan-gen. {VC}" has been found in "c:\windows\conscorr.exe" file.  
"Win32:Trojano-213 [Trj]" has been found in "c:\windows\2_0_1browserhelper2.dll" file.  
 "Win32:NcaseSpy [Trj]" has been found in "c:\_RESTORE\TEMP\A0022397.CPY" file.  
 "Win32:Adware-sbar [Trj]" has been found in "c:\_RESTORE\TEMP\A0022398.CPY" file.  
 "Win32:Trojan-gen. {VC}" has been found in "c:\_RESTORE\TEMP\A0022404.CPY" file.  
 "Win32:Adware-sbar [Trj]" has been found in "c:\WINDOWS\SYSTEM\mac80ex.idf\C:\Program Files\BullsEye Network\bin\bargains.exe" file.  
 "Win32:Trojano-213 [Trj]" has been found in "C:\WINDOWS\UnstSA2.exe" file.  
 "Win32:Trojano-214 [Trj]" has been found in "C:\WINDOWS\polall1r.exe" file.  
 "Win32:Trojano-214 [Trj]" has been found in "C:\WINDOWS\polall1r.exe" file.  
 "Win32:Trojano-214 [Trj]" has been found in "C:\WINDOWS\polall1r.exe" file.  
"Win32:Trojano-214 [Trj]" has been found in "C:\WINDOWS\polall1r.exe" file.  
 "Win32:Trojano-214 [Trj]" has been found in "C:\WINDOWS\polall1r.exe" file.  
 "Win32:Trojano-214 [Trj]" has been found in "C:\WINDOWS\polall1r.exe" file.  
 "Win32:Trojano-214 [Trj]" has been found in "C:\WINDOWS\polall1r.exe" file.  
"Win32:Trojano-214 [Trj]" has been found in "C:\WINDOWS\polall1r.exe" file.  
"Win32:Trojano-214 [Trj]" has been found in "C:\WINDOWS\polall1r.exe" file.  
 "Win32:Trojano-214 [Trj]" has been found in "C:\WINDOWS\polall1r.exe" file.  
 "Win32:Trojano-214 [Trj]" has been found in "C:\WINDOWS\polall1r.exe" file.  
 "Win32:Trojano-214 [Trj]" has been found in "C:\WINDOWS\polall1r.exe" file.  
 "Win32:Trojano-490 [Trj]" has been found in "c:\WINDOWS\TEMP\THI562A.TMP\localNrd.cab\polall1l.exe\[UPX]" file.  
 "Win32:Trojano-490 [Trj]" has been found in "c:\WINDOWS\TEMP\THI562A.TMP\polall1l.exe\[UPX]" file.  
 "Win32:Trojan-gen. {VC}" has been found in "c:\WINDOWS\TEMP\conscorr.cab\conscorr.exe" file.  
 "Win32:Trojan-gen. {VC}" has been found in "c:\WINDOWS\TEMP\conscorr.exe" file.  
 "Win32:Trojano-490 [Trj]" has been found in "c:\WINDOWS\TEMP\THI3060.TMP\polall1r.cab\polall1r.exe\[UPX]" file.  
 "Win32:Trojano-490 [Trj]" has been found in "c:\WINDOWS\TEMP\THI3060.TMP\polall1r.exe\[UPX]" file.  
 "Win32:Trojano-490 [Trj]" has been found in "c:\WINDOWS\TEMP\THI5B76.TMP\polall1r.cab\polall1r.exe\[UPX]" file.  
"Win32:Trojano-490 [Trj]" has been found in "c:\WINDOWS\TEMP\THI5B76.TMP\polall1r.exe\[UPX]" file.  
 "Win32:Trojano-490 [Trj]" has been found in "c:\WINDOWS\TEMP\THI6C28.TMP\polall1r.cab\polall1r.exe\[UPX]" file.  
"Win32:Trojano-490 [Trj]" has been found in "c:\WINDOWS\TEMP\THI6C28.TMP\polall1r.exe\[UPX]" file.  
 "Win32:Trojano-490 [Trj]" has been found in "c:\WINDOWS\TEMP\THI1933.TMP\polall1r.cab\polall1r.exe\[UPX]" file.  
"Win32:Trojano-490 [Trj]" has been found in "c:\WINDOWS\TEMP\THI1933.TMP\polall1r.exe\[UPX]" file.  
 "Win32:Trojano-490 [Trj]" has been found in "c:\WINDOWS\TEMP\THI1BAE.TMP\polall1r.cab\polall1r.exe\[UPX]" file.  
"Win32:Trojano-490 [Trj]" has been found in "c:\WINDOWS\TEMP\THI1BAE.TMP\polall1r.exe\[UPX]" file.  
"Win32:Trojano-490 [Trj]" has been found in "c:\WINDOWS\TEMP\THI4B76.TMP\polall1r.cab\polall1r.exe\[UPX]" file.  
 "Win32:Trojano-490 [Trj]" has been found in "c:\WINDOWS\TEMP\THI4B76.TMP\polall1r.exe\[UPX]" file.  
 "Win32:Trojano-490 [Trj]" has been found in "c:\WINDOWS\TEMP\THI21B9.TMP\polall1r.cab\polall1r.exe\[UPX]" file.  
 "Win32:Trojano-490 [Trj]" has been found in "c:\WINDOWS\TEMP\THI21B9.TMP\polall1r.exe\[UPX]" file.  
 "Win32:Trojano-631 [Trj]" has been found in "c:\WINDOWS\Temporary Internet Files\Content.IE5\88U63T1J\loud[1].chm\bridge-c32.cab\WinCommX.dll" file.  
 "Win32:Trojano-213 [Trj]" has been found in "C:\temp\Installer2.exe" file.  
 "Win32:Trojano-803 [Trj]" has been found in "C:\temp\NCasePackage.exe" file.  
 "Win32:Trojano-631 [Trj]" has been found in "C:\WINDOWS\Temporary Internet Files\Content.IE5\88U63T1J\loud[1].chm\bridge-c32.cab\WinCommX.dll" file.  

[Spyros]

ok this is a log of all the viruses found on my computer since i bought it

Do you mean you still have them all?
I can see most of them are in "temp" folders, try to empty them first [if you don't know how, you may use an excellent free programm called "IE Privacy Keeper", which you will find on my site]

Have you already done what whocares writes on his "virus removal" threat?
Have you tried Ewido or online AV scanners?

[kute_kittyvii]

yes ive tried every suggested thing....but those trojans in the temp folder...i tried deleting them, they just come back. I am becoming very frustrated.....late last night, i was typing an essay that is due tomorrow, and that error message came up...then my computer froze.....therefore i lost all my work ....I will be sooooooo happy if someone helps me get rid of this....believe me ive tried the online scanners, and they dont find anything, except housecall, but it cant delete them for some reason. ive tried erasing the temporary internet files and the cookies and offline content. ive tried deleting them in safe mode. i tried using hi-jack this.....and spybot! anymore suggestion?? any help will be greatly appreciated!!!!

[kute_kittyvii]

....spyros
of course i dont have all of those
that is my history, i just have trojano 214.....490....803...631...213.....

[Eddy]

Click on the link in my signature and follow the malware removal instruction carefully. That will take care of it.

[kute_kittyvii]

ok ive installed zone alarm....hopefully this will help....I have tried the suggested link and it helped a bit....avast doesnt go off when i restart my computer. thank you all for your help.