Topic: Trojan Horse!!!!!!

Edward
Trojan Horse!!!!!!
« on: May 02, 2005, 06:17:31 PM »
I was using AVG and I found that I have a Trojan Horse downloader.1stbar.a.AJ.
How can I get rid of this??? When I keep searching with AVG it doesn't heal it, no clue why. My comp is very very slow because of it..

Logfile of HijackThis v1.99.1
Scan saved at 7:17:11 PM, on 5/2/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Program Files\Grisoft\AVG Free\avgvv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\USER\My Documents\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114828616128
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
Don't try and scam me please.

Level 121 for Sale.

Success

Sold level 121 to Mr.Cooldude -- Highly Trusted and Recommended!!
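The triage that the helper below does by eye on this log can be scripted. The following Python 3 is an added example, not part of the original post and not code from HijackThis, AVG or ewido: it parses a subset of the HijackThis log posted above (copied in as constructed sample input) and surfaces the entries an analyst would look at first: orphaned "(no file)" registrations such as the O3 toolbar CLSID, O16 ActiveX controls fetched over cleartext HTTP or from a non-standard port (relevant because the poster suspects ActiveX), and processes running outside the standard Windows and Program Files directories. The flag rules and the directory allow-list are assumptions for illustration; a hit means "review this", not "this is malicious" (hijackthis.exe itself trips the path rule here).

```python
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis entries from the post above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\USER\My Documents\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# HijackThis entry lines look like "O16 - DPF: ..." or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")

# Assumed allow-list: directories a default Windows XP install legitimately
# runs binaries from (lower-cased, short 8.3 form included).
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Finding:
    kind: str    # "PROC" for a running process, else the HJT entry kind (O3, O16, ...)
    reason: str  # why an analyst should look at it
    detail: str  # the original log line


def parse_hjt(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a HijackThis log into the running-process list and (kind, body) entries."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # the blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m["kind"], m["body"]))
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(processes: List[str], entries: List[Tuple[str, str]]) -> List[Finding]:
    """Apply the review rules and return what is worth a second look."""
    findings: List[Finding] = []
    for proc in processes:
        if not proc.lower().startswith(EXPECTED_DIRS):
            findings.append(Finding("PROC", "process running from a non-standard location", proc))
    for kind, body in entries:
        if "(no file)" in body:
            findings.append(Finding(kind, "orphaned registration, referenced file is missing", body))
        if kind == "O16":                 # ActiveX controls pulled into Downloaded Program Files
            m = URL_RE.search(body)
            if m:
                u = urlparse(m.group(0))
                if u.scheme == "http":
                    findings.append(Finding(kind, f"ActiveX control fetched over cleartext HTTP from {u.hostname}", body))
                if u.port not in (None, 80, 443):
                    findings.append(Finding(kind, f"ActiveX download from non-standard port {u.port}", body))
    return findings


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    for f in triage(procs, ents):
        print(f"[{f.kind}] {f.reason}\n    {f.detail}")
```

Run it as a script to print the four findings from the sample; on a full log, feed the pasted text to `parse_hjt` instead of `SAMPLE_LOG`. The O16 hits are the ones that explain a "Downloaded Program Files" infection: every cab listed there was installed by a web page, so a cleartext or odd-port source is where to start looking.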

Edward
Trojan Horse!!!!!!
« Reply #1 on: May 02, 2005, 06:29:51 PM »
I really think it's from ActiveX, just to give you some feedback... I don't know how it's from ActiveX though because I've got Spyblaster... maybe I didn't update it in time.

guestolo (Administrator)
Trojan Horse!!!!!!
« Reply #2 on: May 02, 2005, 07:41:56 PM »
Where is AVG finding this file??

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Edward
Trojan Horse!!!!!!
« Reply #3 on: May 02, 2005, 07:46:26 PM »
Argh, idk now. I removed it from the virus vault and now it says, when I do another search, no viruses found... but I can sort of tell it's still there... my computer is really slow..

guestolo (Administrator)
Trojan Horse!!!!!!
« Reply #4 on: May 02, 2005, 08:28:50 PM »
I'm not seeing anything bad.

Try this.
Download and then install
Ewido Trojan Scanner

When installing, under "Additional Options" UNCHECK "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later.
From the main ewido screen, click on UPDATE in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"),
close out Ewido.
We'll need it later.

Please print this out or save these instructions to a Notepad file and save it to your Desktop.
RESTART your computer in SAFE MODE.
You can do this by tapping the F8 key as the system is restarting, after the single POST beep, or use the link
I supplied for a more detailed explanation.

==Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run.
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report.

Restart back to Normal mode.
Back in Windows, post the report from Ewido.



Edward
Trojan Horse!!!!!!
« Reply #5 on: May 03, 2005, 02:45:57 PM »
---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         3:43:31 PM, 5/3/2005
 + Report-Checksum:      3B9127E6

 + Date of database:      5/3/2005
 + Version of scan engine:   v3.0

 + Duration:            45 min
 + Scanned Files:         68761
 + Speed:            25.02 Files/Second
 + Infected files:         5
 + Removed files:         5
 + Files put in quarantine:      5
 + Files that could not be opened:   0
 + Files that could not be cleaned:   0

 + Binder:      Yes
 + Crypter:      Yes
 + Archives:      Yes

 + Scanned items:
   C:\

 + Scan result:
   C:\WINDOWS\Downloaded Program Files\PrevAdX.dll -> Spyware.WinAD.f -> Cleaned with backup
   C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\USER\Cookies\user@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End

It was indeed long.. I hope this isn't too bad..

guestolo (Administrator)
Trojan Horse!!!!!!
« Reply #6 on: May 03, 2005, 10:42:36 PM »
Looks like it found and deleted one nasty in your Downloaded Program Files.
That may be the one you were worried about.

How's everything on your end now??



Edward
Trojan Horse!!!!!!
« Reply #7 on: May 04, 2005, 01:46:40 PM »
It seems fine now... it's nice and fast.. Thanks for the help!

guestolo (Administrator)
Trojan Horse!!!!!!
« Reply #8 on: May 04, 2005, 11:31:29 PM »
I'll lock this topic as your problems appear to be resolved.
If you need it reopened, please PM me or the site Admin and supply a link to this thread.

Take Care
