1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Trojan Horse

Discussion in 'Security and Privacy' started by roy66, 2004/06/06.

Thread Status:
Not open for further replies.
  1. 2004/06/06
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    I wanted to post this message just in case there are some people out
    there who have had this Trojan Horse trot it's way into their
    C:\Program Files\Common Files\updater\wupdater.exe It's name is Trojan
    Horse Downloader.Keenval.J

    AVG is unable to eliminate it and I did not have any success by turning off System Restore.

    Has anybody else had trouble with this blighter and if so what options are available to eliminate it?

    Thanks
    roy66
     
    roy66,
    #1
  2. 2004/06/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Run HijackThis, check the 04run entry for wupdater.exe, close all other windows and click fix. Open task manager and kill the wupdater.exe process, then delete the folder updater. Wouldn't hurt to post a HJT log.
     
    noahdfear,
    #2


  3. to hide this advert.

  4. 2004/06/06
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Thanks for your prompt response, this is the HJT log prior to any action and as you said it carries the 04 info you related to.

    I will post again after following your instructions

    Roy66

    Logfile of HijackThis v1.97.7
    Scan saved at 6:36:37 AM, on 7/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common files\updater\wupdater.exe
    C:\WINDOWS\Mixer.exe
    C:\PROGRA~1\AVG6\avgcc32.exe
    C:\Program Files\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\PROGRA~1\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Outlook Express\MSIMN.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tpg.com.au/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{17932D31-5BDB-41D8-829A-D10C7B0AFDA9}: NameServer = 203.12.160.35,203.12.160.36
     
    roy66,
    #3
  5. 2004/06/06
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Other than the mentioned 04 entry, I see nothing bad. But I will say you could remove these, they aren't doing anything for you as no file is listed to run.

    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
     
    markp62,
    #4
  6. 2004/06/06
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Couldn't find any entry in Task Manager.
     
    roy66,
    #5
  7. 2004/06/06
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Install MoveOnBoot to delete it. After the reboot, then take out the 04 entry for it, then delete the C:\Program Files\Common Files\updater folder.
     
    markp62,
    #6
  8. 2004/06/06
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Thanks a MILLION,

    U guys are AWESOME.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:34:33 AM, on 7/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\Mixer.exe
    C:\PROGRA~1\AVG6\avgcc32.exe
    C:\Program Files\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\PROGRA~1\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tpg.com.au/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{17932D31-5BDB-41D8-829A-D10C7B0AFDA9}: NameServer = 203.12.160.35,203.12.160.36

    roy66
     
    roy66,
    #7
  9. 2004/06/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good Roy66 :)
     
    noahdfear,
    #8
  10. 2004/06/07
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Looks good to me, glad to be of help.
     
    markp62,
    #9
Thread Status:
Not open for further replies.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...