
Help removing trojan

Discussion in 'Security and Privacy' started by fishboy, 2004/07/15.

Thread Status:
Not open for further replies.
  1. 2004/07/15
    fishboy

    fishboy Inactive Thread Starter

    Joined:
    2004/07/15
    Messages:
    10
    Likes Received:
    0
    I have the same problem as previous poster [OGzr]Tracker6, as shown below.

    "I run AVG 6.0 in the background, and when I boot it finds the following 2 viruses:

    (1) Trojan Horse Proxy.5.AS (C:\Windows\system32\asuigg.dll)
    (2) Trojan Horse Proxy.5.AQ (C:\Windows\system32\adarros.dll)

    AVG then reports that it successfully cleans the viruses, but when I reboot, the same two appear. "


    I followed the advice as posted by noahdfear; however, in C:\Documents and Settings I could not find a username file/folder.

    I deleted all the other temp files as advised but the trojans still reappear on reboot.

    I'm using XP and AVG as my antivirus.

    Also, when I reboot I get a message that sys.exe will not function and do I want to send an error report.

    Please help

    Thanks
     
  2. 2004/07/15
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0

  4. 2004/07/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Additionally, scan your PC with RAV. Check the box to autoclean. If any files are infected and uncleanable, click the report button then copy and paste it here.
     
  5. 2004/07/15
    fishboy

    fishboy Inactive Thread Starter

    Joined:
    2004/07/15
    Messages:
    10
    Likes Received:
    0
    Thanks for the prompt reply.

    I ran the Spybot and the adware programs; they seemed to pick up lots of nasty stuff.

    Below is the log from HijackThis.


    Logfile of HijackThis v1.98.0
    Scan saved at 18:06:18, on 15/07/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\x0r\svnhost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Documents and Settings\Graham Davies\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://crackspider.net/ie/sbar.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://crackspider.net/ie/assist.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O1 - Hosts: 69.56.223.196 www.find-itnow.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int339890.exe -auto
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [x0r] C:\WINDOWS\System32\x0r\svnhost.exe
    O4 - HKLM\..\Run: [xor] C:\WINDOWS\System32\x0r\svshost.exe
    O4 - HKLM\..\RunServicesOnce: [washindex] D:\Program Files\washer\washidx.exe "Graham Davies "
    O4 - HKCU\..\RunServicesOnce: [washindex] D:\Program Files\washer\washidx.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaInitialSetup1.0.0.8.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0DF70BB7-963F-40FC-9CC5-CD798A0E6133}: NameServer = 212.159.13.49 212.159.13.50



    noahdfear

    I also ran the RAV scan.

    It found no infected files and no viruses.

    Although my AVG still says I have the two original trojans.

    Any ideas?
     
  6. 2004/07/15
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Well if you had done the online we would see a new ActiveX.
    Please do; another housecall would be a good idea too.

    First, in case a mistake is made, you need to have HijackThis unzipped and in a folder of its own, not in a temp folder, so do so, then post back with a new one and a log from RAV or one of the others.
     
  7. 2004/07/15
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    Have you stopped the malware running before you deleted the files? See this
     
  8. 2004/07/15
    fishboy

    fishboy Inactive Thread Starter

    Joined:
    2004/07/15
    Messages:
    10
    Likes Received:
    0
    Ok, humour me Lonny, I am not sure what you mean by "Well if you had done the online we would see a new active x".

    I think you mean an online virus check such as RAV or housecall, but I have no idea what you mean by "we would see a new active x".

    Below is a further log from HijackThis, which was definitely unzipped in its own folder this time.

    I also ran another RAV scan and got the same results as last time; I have copied those below as well.

    Logfile of HijackThis v1.98.0
    Scan saved at 19:29:13, on 15/07/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\WINDOWS\System32\x0r\svnhost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realevent.exe
    D:\Antispyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://crackspider.net/ie/sbar.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://crackspider.net/ie/assist.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O1 - Hosts: 69.56.223.196 www.find-itnow.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int339890.exe -auto
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [x0r] C:\WINDOWS\System32\x0r\svnhost.exe
    O4 - HKLM\..\Run: [xor] C:\WINDOWS\System32\x0r\svshost.exe
    O4 - HKLM\..\RunServicesOnce: [washindex] D:\Program Files\washer\washidx.exe "Graham Davies "
    O4 - HKCU\..\RunServicesOnce: [washindex] D:\Program Files\washer\washidx.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaInitialSetup1.0.0.8.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0DF70BB7-963F-40FC-9CC5-CD798A0E6133}: NameServer = 212.159.13.49 212.159.13.50

    Scanned
    ============================
    Objects: 16818
    Directories: 1645
    Archives: 493
    Size(Kb): 627477
    Infected files: 0

    Found
    ============================
    Viruses found: 0
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 70
     
  9. 2004/07/15
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    It's there now. :)

    Follow that link sparrow posted; that's exactly what needs to be done.
    If you have any trouble killing the process tell us (great find Sparrow).

    HijackThis can do it.
    Run HijackThis, hit "config" then "misc tools" > "open process manager",
    select and choose KILL Process:
    C:\WINDOWS\System32\x0r\svnhost.exe
    C:\WINDOWS\System32\x0r\svshost.exe
    Hit refresh and see if it came back (did it?). Whether or not it did, move on to the next steps, which is an online scan at housecall, if you just did a housecall?
    and it wasn't able to do anything,

    With HijackThis, scan then fix these:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://crackspider.net/ie/sbar.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://crackspider.net/ie/assist.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O1 - Hosts: 69.56.223.196 www.find-itnow.com
    O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int339890.exe -auto
    O4 - HKLM\..\Run: [x0r] C:\WINDOWS\System32\x0r\svnhost.exe
    O4 - HKLM\..\Run: [xor] C:\WINDOWS\System32\x0r\svshost.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/downloa...abasetup144.cab
    =========

    Then restart the PC and delete these folders and files:
    C:\WINDOWS\System32\x0r
    C:\Program Files\websx
    and do a file search for adarros.dll, asuigg.dll, svshost.exe, _keys.log
    if found, delete them.
    If possible zip up a copy of that folder x0r before deleting it.
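    As an added example, not part of this thread and not HijackThis's own code: a small Python triage script for the HijackThis log format posted above. It applies the checks behind the list of entries to fix (a hosts-file override, browser search/start pages pointed at an outside host, and Run-key targets that are one character away from a Windows system binary or sit in a subfolder of System32, like the x0r entries). The sample log is a constructed excerpt of the entries quoted in this thread, and the trusted-host allowlist and system-binary set are assumptions for the example.

```python
import re

# Constructed excerpt in the HijackThis v1.98 log format; entries copied from the logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://crackspider.net/ie/sbar.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O1 - Hosts: 69.56.223.196 www.find-itnow.com
O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [x0r] C:\WINDOWS\System32\x0r\svnhost.exe
O4 - HKLM\..\Run: [xor] C:\WINDOWS\System32\x0r\svshost.exe
"""
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
SYSTEM_BINARIES = {"svchost.exe", "smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
TRUSTED_HOSTS = {"www.google.co.uk"}  # assumed allowlist of hosts the user actually chose

def parse_entries(text):
    """Yield (kind, body) for each 'Rn - ...' / 'On - ...' line of a HijackThis log."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def lookalike(name):
    """True if name is exactly one character away from a core Windows binary (svnhost vs svchost)."""
    return any(len(name) == len(s) and sum(a != b for a, b in zip(name.lower(), s)) == 1
               for s in SYSTEM_BINARIES)

def suspicious_target(path):
    """Reason an autostart target deserves a look, or None."""
    if lookalike(path.rsplit("\\", 1)[-1]):
        return "lookalike-system-binary"
    if re.search(r"\\system32\\[^\\]+\\[^\\]+\.exe$", path, re.I):  # e.g. System32\x0r\...
        return "exe-in-system32-subfolder"
    return None

def review(text):
    """Return [(reason, entry body)] for the lines a helper would ask the user to fix."""
    findings = []
    for kind, body in parse_entries(text):
        if kind == "O1":  # hosts-file redirect
            findings.append(("hosts-file-override", body))
        elif kind in ("R0", "R1"):  # browser start/search pages pointed at another host
            m = re.search(r"https?://([^/\s]+)", body)
            if m and m.group(1).lower() not in TRUSTED_HOSTS:
                findings.append(("browser-setting-untrusted-host", body))
        elif kind == "O4":  # Run-key autostart entries: [name] target.exe args
            target = re.search(r'\] "?(.+?\.exe)', body, re.I)
            if target and (why := suspicious_target(target.group(1))):
                findings.append((why, body))
    return findings
```

    Running review(SAMPLE_LOG) flags the crackspider search bar, the hosts entry and both x0r run keys, and leaves the AVG entry and the google.co.uk start page alone.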
     
  10. 2004/07/16
    fishboy

    fishboy Inactive Thread Starter

    Joined:
    2004/07/15
    Messages:
    10
    Likes Received:
    0
    Thanks Lonny, that appears to have done the trick; I used the HijackThis method you posted and I am now trojan free. :)

    Whilst I am here I have a couple of quick questions for you people who know these sort of things.

    Firstly, when I had the viruses and ran AVG it said they were healed ok, but, as you know, they reappeared on reboot. Does this mean that they were healed when AVG said so and they came back on reboot, or were they there all along and were not in fact healed? I hope this question makes sense.

    Also, when I had the viruses I was tempted to use System Restore to get the PC back in shape. However, I resisted because I suspected it may have made the problem worse. So, can System Restore be used to get rid of viruses, or is it a bad idea?

    Ta.
     
  11. 2004/07/16
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    System Restore is NOT recommended for eliminating viruses. In fact, if I were you, I would delete all my existing Restore Points to be sure the viruses are not inadvertently put back.

    A better solution is prevention. Run an up to date firewall, scan everything coming in and out of the PC w/ AV and NEVER go online w/o protection enabled.

    Johanna
     
  12. 2004/07/16
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    From what I understand (that's not much), AVG targeted only part of the problem, thus it started itself again and again. I think the problem is because whoever wrote that virus/trojan (whatever it was) used an open source code/program to create whatever baddie they think they need,
    that way each one is difficult for any cleanup program to target.

    Were you able to zip up a copy?

    First thing to try when a cleanup program can't finish the job, ie antivirus, antispyware, is to use them while in safe mode, usually :)

    Another common problem is we need to tell our AV program to delete rather than attempt cleaning/repairing, when it's not a system file.

    You should post another log too.
     