Question on Trojan viruses.

Discussion in 'Security and Privacy' started by jbh, 2004/08/29.

Thread Status:
Not open for further replies.
  1. 2004/08/29
    jbh

    jbh Inactive Thread Starter

    Joined:
    2004/04/20
    Messages:
    149
    Likes Received:
    0
    Hi,

    I ran RAV online and am totally embarrassed to tell you how many files it found to be infected w/Trojan viruses. It did not clean them. I run Norton anti virus and update regularly. Why doesn't it catch these viruses?

    And what would be the best thing to get rid of them? My Trojan Killer program has expired. So I need to find something else to do the job. Any and all help greatly appreciated. Thanks, JBH
     
    jbh,
    #1
  2. 2004/08/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Most trojans these days are added by spyware/adware/malware, and most antivirus programs, although they may recognize them, don't have the reference files to remove them. Many of them can be removed with anti-spyware programs. The two I recommend using are Spybot and Ad-aware. Both are free and available from the links in my signature.

    Download, install and immediately check for updates. Run Spybot and fix all it finds that is prechecked. Run Ad-aware in full scan mode and delete all it finds. Then do another RAV scan. Check the box to autoclean. If any files are infected and uncleanable, click the report button then copy and paste it here, along with a HijackThis log.

    You can download HijackThis.exe from here. Save it to a permanent folder (I create a new folder in C:\ named HJT). Open and hit scan, then save log. Once it is saved it will open in Notepad. Select all from the edit button, copy and paste the results here. Don't fix anything with it yet!
     

  4. 2004/08/30
    jbh

    jbh Inactive Thread Starter

    Joined:
    2004/04/20
    Messages:
    149
    Likes Received:
    0
    Hi Dave,

    I already run Ad-aware and Spybot fairly often and keep them updated. I also clean out my temporary internet files and temp files.

    I have been trying to keep my computer cleaned up without bothering you guys too much.

    Here is my HJT log. I need to put my RAV report on another reply as this is too long a reply with it.

    Thanks, JBH

    Logfile of HijackThis v1.98.2
    Scan saved at 7:41:17 PM, on 8/30/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\atlpt32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\netam32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\64s-hh.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\DOCUME~1\Mom\LOCALS~1\Temp\51pxgu8nce.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\emnfc.dll/sp.html#12802
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\emnfc.dll/sp.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\emnfc.dll/sp.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\emnfc.dll/sp.html#12802
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\emnfc.dll/sp.html#12802
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {124FAA2B-986B-4226-EDE4-73956513EB6C} - C:\WINDOWS\system32\apptn32.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [netam32.exe] C:\WINDOWS\system32\netam32.exe
    O4 - HKLM\..\Run: [d3bz.exe] C:\WINDOWS\system32\d3bz.exe
    O4 - HKLM\..\RunOnce: [atlpt32.exe] C:\WINDOWS\system32\atlpt32.exe
    O4 - HKLM\..\RunOnce: [tpehm] C:\WINDOWS\switchagreement.txt:tpehm
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [64s-hh] C:\WINDOWS\system32\64s-hh.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Corel Network monitor worker - {1CEA7F77-2D1C-4786-BD42-8AE2A5ABC8CA} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {1CEA7F77-2D1C-4786-BD42-8AE2A5ABC8CA} - (no file)
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Corel Network monitor worker - {1CEA7F77-2D1C-4786-BD42-8AE2A5ABC8CA} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {1CEA7F77-2D1C-4786-BD42-8AE2A5ABC8CA} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - WWW Prefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=18&q=
    O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=18&q=
    O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0CA6E0DF-1A09-4954-BDD6-AC7AC0101B50}: NameServer = 209.63.0.6 207.173.86.6
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0CA6E0DF-1A09-4954-BDD6-AC7AC0101B50}: NameServer = 209.63.0.6 207.173.86.6
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
     
    jbh,
    #3
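
An added example, not part of the original thread and not HijackThis's own logic: a short Python triage pass over HijackThis-style log lines, showing which entries in a log like the one above stand out to a reviewer. The function name `triage` and its four heuristics are assumptions chosen for illustration; the sample lines are copied from the log in the post above.

```python
import re

# Excerpt copied from the HijackThis log posted above (process list and entries).
SAMPLE_LOG = r"""
C:\DOCUME~1\Mom\LOCALS~1\Temp\51pxgu8nce.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\emnfc.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\RunOnce: [tpehm] C:\WINDOWS\switchagreement.txt:tpehm
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
"""

# "R1 - ...", "O4 - ...": section code, separator, entry body.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# A second colon after the drive letter ("C:\dir\file.txt:name") is an
# NTFS alternate data stream reference rather than an ordinary file path.
ADS_TARGET = re.compile(r'[A-Za-z]:\\[^"]*?:[^\\/\s"]+')
TEMP_EXE = re.compile(r"\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
LOCAL_HANDLER = re.compile(r"=\s*(res|mk):", re.IGNORECASE)


def triage(log_text):
    """Return (code, reason, line) tuples for lines matching the heuristics."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m is None:
            # Lines without a section code: the "Running processes" paths.
            if TEMP_EXE.search(line):
                findings.append(("proc", "process running from a Temp folder", line))
            continue
        code, body = m.groups()
        if code in ("R0", "R1") and LOCAL_HANDLER.search(body):
            findings.append((code, "IE setting points at a local res:/mk: resource", line))
        elif code == "O4" and ADS_TARGET.search(body):
            findings.append((code, "autorun target is an alternate data stream", line))
        elif code == "O13" and body.partition(": ")[2].strip() != "http://":
            findings.append((code, "IE URL prefix is not the plain http:// default", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

A match is a prompt to look closer, not a verdict; legitimate software occasionally trips heuristics like these.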
  5. 2004/08/30
    jbh

    jbh Inactive Thread Starter

    Joined:
    2004/04/20
    Messages:
    149
    Likes Received:
    0
    My RAV report is so large I can't put it all in this one post, so this is just part of it. If you want me to post the rest, let me know.

    Embarrassing, isn't it? JBH


    Scanned files: 27779
    Scanned directories: 3198
    Scanned archives: 683
    Size of the scanned files: 828994030
    Packed files: 1135
    Known viruses found: 426
    Virus bodies: 5
    Suspicious files: 0
    Disinfected files: 0
    Deleted files: 0
    Renamed files: 0
    Copied files: 0
    I/O errors: 0
    Warnings: 0
    Corrupted files: 0
    New files: 113325
    Mail files: 57




     
    jbh,
    #4
  6. 2004/08/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    WOW! Are you using the current builds of Spybot and Ad-aware? 1.3 and SE, with updated reference files? Do you want to clean this up, or can you easily enough backup data and format? You also have a nasty CoolWebSearch infection.
     
  7. 2004/08/30
    jbh

    jbh Inactive Thread Starter

    Joined:
    2004/04/20
    Messages:
    149
    Likes Received:
    0
    Yes, I'm using Ad-aware 6.0 build 6.181, updated regularly, and Spybot 1.3, also updated regularly.

    I guess it's going to be a pain to fix, huh?

    Yeah, I'll go ahead and backup and format.

    I actually formatted this drive not long ago. Anything else I can do to ward off this nasty stuff?

    Thanks, JBH
     
    jbh,
    #6
  8. 2004/08/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Ad-aware has a newer build than that. It's now SE. With updated reference files and run in full scan mode, along with running CWShredder and maybe Stinger and/or , it might not be too bad cleaning up afterwards.
     