Jul 20, 2008, 04:51 AM // 04:51
#1
Hall Hero
Join Date: Jul 2005
Location: California Canada/BC
Guild: STG Administrator
Profession: Mo/
Getting rid of a bad Trojan
I would like to know what you would do to get rid of a bad Trojan. I used everything on my other, older system: AVG 8.0, Lavasoft, Spybot, and I did a Trend Micro online scan in safe mode.
This is on my older system with Windows XP SP2; I was trying to upgrade to SP3 but this won't let it. It is also stopping me from burning CDs. I want to move some files over from one system to another and I need my CD burner working. What are your suggestions? Thanks.
What do you think of this?
Trojan
Jul 20, 2008, 05:29 AM // 05:29
#2
The Fallen One
Join Date: Dec 2005
Location: Oblivion
Guild: Irrelevant
Profession: Mo/Me
Give Stinger a try. It is a small program that can detect and eliminate many common trojans.
The trojan also can't mask itself, because Stinger doesn't use standard anti-virus based removal. Give it a shot and see how it works.
http://vil.nai.com/VIL/stinger/
Jul 20, 2008, 06:22 AM // 06:22
#3
Ascalonian Squire
Join Date: Jul 2008
Profession: R/Mo
If Rahja the Thief will permit my intervention, I would be more than happy to assist you if you provided a HijackThis log. If not, please disregard the following text.
Please download HijackThis from here.
Save it to a permanent folder (such as C:\HJT).
Next, open HijackThis, and select Do a system scan and save a logfile.
A Notepad document will open. Please post the contents of that document.
-screen317
Jul 20, 2008, 06:27 AM // 06:27
#4
The Fallen One
Join Date: Dec 2005
Location: Oblivion
Guild: Irrelevant
Profession: Mo/Me
^ His method will work too. And Screen, I never mind people posting helpful stuff. Welcome to the tech forum.
Jul 20, 2008, 10:51 AM // 10:51
#5
Wilds Pathfinder
Join Date: Dec 2006
Location: That one place with the trees, mountains and snow
Guild: Ember Power Mercenaries [EMP]
Profession: Me/
From what I've heard HijackThis is probably the best way to get rid of nasty things, though it requires some "professional" help.
I've always wondered what these people do with the logs. Do they just Google for all the .exe's running and see if they're harmful? Sounds dull...
Jul 20, 2008, 06:42 PM // 18:42
#6
rattus rattus
Join Date: Jan 2006
Location: London, UK GMT±0 ±1hr DST
Guild: [GURU]GW [wiki]GW2
Profession: R/
Welcome to Guru, and Tech Corner in particular, screen317. Are you capable of deciphering HijackThis logs? If so, stick around - having someone like you aboard will be most welcome
Oh, and I should point out a limitation of this forum. There is a size restriction of 19.5KB for a .txt file. An unofficial workaround is to rename the file from .txt to .doc, because, bizarrely, you can have a potentially lethal, macro-filled .doc file of up to 488.3KB. Go figure ^^
__________________
Si non confectus, non reficiat
Last edited by Snograt; Jul 20, 2008 at 06:46 PM // 18:46..
Jul 20, 2008, 11:43 PM // 23:43
#7
Hall Hero
Join Date: Jul 2005
Location: California Canada/BC
Guild: STG Administrator
Profession: Mo/
I have downloaded Stinger and ran it; it seemed pretty fine. Then I ran Spybot again and the trojan came up, 2 in fact. Here is my HijackThis report.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:51 PM, on 7/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user')
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)
--
End of file - 4498 bytes
Last edited by Snograt; Jul 21, 2008 at 04:33 PM // 16:33..
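Reading a log like the one above by hand is what the later replies in this thread do: look for orphaned entries, services with no publisher, the AppInit_DLLs and Winsock LSP hooks, and autoruns living somewhere odd. As an added example that is not part of this thread, here is a small Python first-pass reviewer that applies those same checks. All lines in the sample are copied from the log above except the second O4 line, which is constructed so that the location heuristic has something to hit.

```python
import re
from pathlib import PureWindowsPath

# Entries copied from the HijackThis log posted above, plus one constructed
# O4 line (svchost.exe under Temp) so the path heuristics produce a hit.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\User\Local Settings\Temp\svchost.exe
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)
"""

# HijackThis lines look like "<section> - <body>", e.g. "O4 - HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
# Autorun entries: "[name] <optional quote>C:\path\to\thing.exe<optional quote> args"
RUN_RE = re.compile(r'\[(?P<name>[^\]]*)\]\s+"?(?P<path>[A-Za-z]:\\[^"]+?\.exe)"?', re.I)
# Names of core Windows processes that should only ever run from System32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "services.exe"}
# XP-era user-writable locations that legitimate autoruns rarely use.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")


def review_entry(sec, body):
    """Return the reasons (possibly none) a log reader should look closer at one entry."""
    flags = []
    if "(no file)" in body or "(file missing)" in body:
        flags.append("orphan: registered but target absent (leftover, safe to remove)")
    if sec == "O23" and "Unknown owner" in body:
        flags.append("service without publisher info: check signer of binary")
    if sec == "O20":
        flags.append("AppInit_DLLs is loaded into every GUI process: confirm owner")
    if sec == "O10":
        flags.append("Winsock LSP not recognised by HijackThis: verify vendor")
    if sec == "O4":
        m = RUN_RE.search(body)
        if m:
            p = PureWindowsPath(m.group("path"))
            low = str(p).lower()
            if p.name.lower() in SYSTEM_NAMES and "\\system32\\" not in low:
                flags.append("system process name running outside System32")
            if any(d in low for d in USER_WRITABLE):
                flags.append("autorun from user-writable/temp directory")
    return flags


def review_log(text):
    """Map every flagged log line to its list of reasons; clean lines are omitted."""
    out = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        flags = review_entry(m.group("sec"), m.group("body"))
        if flags:
            out[line.strip()] = flags
    return out


if __name__ == "__main__":
    for entry, reasons in review_log(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("   ->", r)
```

A flag is a reason to look, not a verdict: the ATI service and the AVG AppInit DLL above are benign, which is exactly why the thread's volunteers read the whole log instead of trusting a single hit.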
Jul 21, 2008, 12:07 AM // 00:07
#8
The Fallen One
Join Date: Dec 2005
Location: Oblivion
Guild: Irrelevant
Profession: Mo/Me
You are infected with a variant of the Cozit worm.
See that getright.exe program? Get rid of that immediately. You want to make sure that it is totally cleared from the system. The version you downloaded included the Cozit worm. That was immediately apparent.
Jul 21, 2008, 04:03 AM // 04:03
#9
Ascalonian Squire
Join Date: Jul 2008
Profession: R/Mo
Hello,
Quote:
I've always wondered what these people do with the logs. Do they just Google for all the .exe's running and see if they're harmful? Sounds dull.
Not quite... I trained extensively for a year and a half to learn about the many intricacies of malware in all of its horrific facets.
Quote:
Welcome to Guru, and Tech Corner in particular, screen317. Are you capable of deciphering HijackThis logs? If so, stick around - having someone like you aboard will be most welcome
Yes, see tidbit above.
I graduated from SpywareInfo's Boot Camp a year ago, was promoted to Trusted Advisor in January 2008, and promoted to Expert in June 2008. Hope my qualifications are adequate. See my profile if any sort of proof is required: http://www.spywareinfoforum.com/inde...showuser=74524
I will be more than happy to stick around.
Unfortunately though, I'm leaving on Tuesday for a month to vacation in my home country (Croatia); I'll be without Internet access, but I'll certainly help here upon my return.
As for this user..
Rahja the Thief is correct in saying GetRight is an undesired program (it's a download manager). Previous versions bundled spyware; not sure where this report of the Cozit worm came from though. Either way Age, please uninstall it.
Next, please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner.
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component
- Click Accept when prompted to download and install the program files and database of malware definitions.
- Click Run at the Security prompt.
- The program will then begin downloading and installing and will also update the database.
- Please be patient as this can take several minutes.
- Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
- Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
- Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
- Click View scan report at the bottom.
- Click the Save Report As... button.
- Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**
To optimize scanning time and produce a more sensible report for review:
- Close any open programs.
- Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
Also... Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Updating Java:
- Download the latest version of Java Runtime Environment (JRE) 6u7.
- Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
- Click the "Download" button to the right.
- In the pull down menu next to Platform select Windows
- Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement"
- Click Continue
- Click on the link to download Windows Offline Installation and save to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6u7-windowsi586-p.exe to install the newest version.
Restart your computer, and post a fresh HijackThis log. Let me know what problems remain.
-screen317
Edit: I guess BBCode color isn't supported??
Last edited by screen317; Jul 21, 2008 at 04:09 AM // 04:09..
Jul 21, 2008, 02:42 PM // 14:42
#10
rattus rattus
Join Date: Jan 2006
Location: London, UK GMT±0 ±1hr DST
Guild: [GURU]GW [wiki]GW2
Profession: R/
I assume the Kaspersky online scanner only works with IE, hence the instruction to use it? Damn, one of the few things in existence to force you to use the damn thing! I don't care how improved IE is; once bitten, twice shy!
Oh, and yes, color has been disabled in the BBCode in this forum. I assume the site admins wanted to avoid having an unsightly rainbow of threads (I know these people: it would happen ^^)
__________________
Si non confectus, non reficiat
Jul 21, 2008, 02:49 PM // 14:49
#11
EXCESSIVE FLUTTERCUSSING
Join Date: Mar 2007
Guild: SMS (lolgw2placeholder)
Profession: Me/
Off topic: Glad Screen is here. Looks like we have another awesome resource in the forum arsenal.
Anyway, that's the main reason I don't use (well, if I ever had occasion to) HijackThis. But that should take care of the problem.
__________________
All seems lost now, but still we must fight on.
Jul 21, 2008, 03:52 PM // 15:52
#12
Hall Hero
Join Date: Jul 2005
Location: California Canada/BC
Guild: STG Administrator
Profession: Mo/
Here is a copy of the report. I could not scan it, but I can if I rescan later on. I uninstalled GetRight and deleted the installer. No more GetRight for me.
Here is the report:
Monday, July 21, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, July 21, 2008 06:42:41
Records in database: 979645
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
Scan statistics
Files scanned 130824
Threat name 4
Infected objects 8
Suspicious objects 0
Duration of the scan 05:23:06
File name Threat name Threats count
C:\Downloads\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
C:\Downloads\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1787\A0358299.msi Infected: not-a-virus:FraudTool.Win32.SpywareStop.bb 1
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1787\A0358299.msi Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.fn 1
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1788\A0358304.rbf Infected: not-a-virus:FraudTool.Win32.SpywareStop.bb 1
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1788\A0358305.rbf Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.fn 1
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1790\A0360702.exe Infected: not-a-virus:FraudTool.Win32.SpywareStop.bb 1
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1790\A0360702.exe Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.fn 1
The selected area was scanned.
Jul 21, 2008, 03:54 PM // 15:54
#13
Technician's Corner Moderator
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/
Have you run the built-in Windows Malicious Removal Tool?
Start > Run > mrt.exe
Do a full scan.
Last edited by Tarun; Jul 21, 2008 at 03:59 PM // 15:59..
Jul 21, 2008, 03:55 PM // 15:55
#14
Hall Hero
Join Date: Jul 2005
Location: California Canada/BC
Guild: STG Administrator
Profession: Mo/
No, I have not. Is that how you use it?
Jul 21, 2008, 03:59 PM // 15:59
#15
Technician's Corner Moderator
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/
Yes, it is. You should also update to SP3.
You should also run NOD32's online scanner: http://www.eset.com/onlinescan/
If you really want to do a thorough check on your computer, snag my LunarDownloader and get the Professional package. Under Links, click PC Maintenance for a comprehensive guide to help you clean your computer.
Jul 21, 2008, 04:04 PM // 16:04
#16
Hall Hero
Join Date: Jul 2005
Location: California Canada/BC
Guild: STG Administrator
Profession: Mo/
I will wait until screen sees the report. I can not update to Windows XP SP3 because of this, and with LunarDownloader there is something wrong with the links; I tried that yesterday.
I need to move my ISP cable over to my other computer to update it, and that is where I now play GWs, not this one, although it still has it on it.
Last edited by Age; Jul 21, 2008 at 04:07 PM // 16:07..
Jul 21, 2008, 09:12 PM // 21:12
#17
Technician's Corner Moderator
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/
The reports say you are infected in your System Restore, which can easily be cleaned. The reported WinVNC "virus" is a false positive and is not any threat.
Start > Run > rstrui.exe
Create a new restore point.
Next, Start > Run > cleanmgr.exe
More Options tab.
At the bottom, System Restore. Click Clean up...
You can try to get LunarDownloader from BetaNews. You can also get it from Softpedia.
I also highly recommend uninstalling Internet Download Accelerator. Those things never work and are more trouble than they're worth.
Last edited by Tarun; Jul 21, 2008 at 09:17 PM // 21:17..
Jul 21, 2008, 10:11 PM // 22:11
#18
Hall Hero
Join Date: Jul 2005
Location: California Canada/BC
Guild: STG Administrator
Profession: Mo/
I was hoping not to do that yet. I want to burn some files to a CD and transfer them over to my other computer. I may have to get a USB memory stick.
Jul 22, 2008, 01:09 AM // 01:09
#19
Technician's Corner Moderator
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/
Doing as instructed will not hurt you in any way. It may help resolve the issues you're experiencing.
Jul 22, 2008, 02:21 AM // 02:21
#20
Ascalonian Squire
Join Date: Jul 2008
Profession: R/Mo
I agree with Tarun's suggestions.
Quote:
I assume the Kaspersky online scanner only works with IE, hence the instruction to use it?
It also works with Firefox's IE Tab add-on...
Age, are you experiencing any actual problems? If so, please state them with a fair bit of detail. Malware does not appear to be on this computer.
-screen317