Prestine
(new user)
Wed Apr 30 2008 07:31 PM
How to get rid of trojan downloader?

I found a trojan horse virus on my PC when scanning with ClamWin and AVG. Please help me to get rid of it. Thank you.

The following is the report from the ClamWin scan:

c:\_RESTORE\ARCHIVE\FS267.CAB: Trojan.Downloader-25615 FOUND
WARNING: Can't open file c:\WINDOWS\WIN386.SWP, Permission denied
c:\WINDOWS\TEMP\GA1D6-TMPui.exe: Trojan.Downloader-24929 FOUND

The following is the HijackThis result:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:31 AM, on 5/1/2008
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\S3APPHK.EXE
C:\PROGRAM FILES\CLAMWIN\BIN\CLAMTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINPOET BROADBAND CONNECTION\WINPPPOVERETHERNET.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\MS\MSNAPPAU.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com.my/0SEENMY/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://tw.rd.yahoo.com/customize/ycomp/defaults/sp/*http://tw.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tw.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://tw.rd.yahoo.com/customize/ycomp/defaults/su/*http://tw.yahoo.com
O2 - BHO: MSN smart tags - {9DD4258A-7138-49C4-8D34-587879A5C7A4} - C:\PROGRA~1\MSN\SMARTTAG\MSNBHO.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.5000.1021\MS\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.5000.1021\MS\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\ms\msnappau.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\.DEFAULT\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: ____ - res://C:\PROGRAM FILES\YAHOO!\ASSISTANT\ASSIST\YASBAR.DLL/203
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab

--
End of file - 4698 bytes


Joe_London
(HijackThis Helper)
Wed Apr 30 2008 08:35 PM
Re: How to get rid of trojan downloader?

Hi Prestine,

Quote:

The following is the report from the ClamWin scan:

c:\_RESTORE\ARCHIVE\FS267.CAB: Trojan.Downloader-25615 FOUND
WARNING: Can't open file c:\WINDOWS\WIN386.SWP, Permission denied
c:\WINDOWS\TEMP\GA1D6-TMPui.exe: Trojan.Downloader-24929 FOUND

You need to clean out the system restore to remove this.

Windows ME
Right click the My Computer icon on the Desktop and click on Properties.
Click on the Performance tab.
Click on the File System button.
Click on the Troubleshooting tab.
Put a check mark next to 'Disable System Restore'.
Click the 'OK' button.

You will be prompted to restart the computer. Click Yes.

Note: You should re-enable the System Restore Utility immediately. To do this, follow steps one to seven and, on step five, remove the check mark next to 'Disable System Restore'.

It is not recommended to run two Anti-Virus programmes. You will need to disable/uninstall one of them:

AVG7
ClamWin antivirus

Open HijackThis, take another scan and place a checkmark next to these entries:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Close all open windows except HijackThis and click on "Fix Checked".

Reboot the Computer.

Hope that resolves the problem.

Joe.
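The two actions in the reply above (purge the System Restore store because the scanner cannot remove what lives under `_RESTORE`, and fix exactly the two O9 entries by CLSID) can be made mechanical. The following is an added example, not code from the thread, the helper or the HijackThis/ClamWin projects: it parses ClamWin-style scan output and HijackThis log lines, sorts detections into "needs the restore store purged" versus "scanner can handle it", and pulls out the entries matching a given CLSID. The sample input is constructed from the lines posted in this thread; the layout of the HijackThis sections (R0/R1, O2, O4, O9, O16) is assumed from those lines and is not a full grammar of the format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input, copied from the lines posted in the thread.
CLAMWIN_REPORT = r"""c:\_RESTORE\ARCHIVE\FS267.CAB: Trojan.Downloader-25615 FOUND
WARNING: Can't open file c:\WINDOWS\WIN386.SWP, Permission denied
c:\WINDOWS\TEMP\GA1D6-TMPui.exe: Trojan.Downloader-24929 FOUND
"""

HJT_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tw.yahoo.com/
O2 - BHO: MSN smart tags - {9DD4258A-7138-49C4-8D34-587879A5C7A4} - C:\PROGRA~1\MSN\SMARTTAG\MSNBHO.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
WARN_RE = re.compile(r"^WARNING: Can't open file (?P<path>.+?), (?P<reason>.+)$")
HJT_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<command>.+)$")


def parse_clamwin(report: str) -> List[Dict[str, str]]:
    """Turn ClamWin/clamscan output into records. 'FOUND' lines are detections;
    'WARNING: Can't open file' lines are kept too, because a file the scanner
    could not read (here the swap file) is a coverage gap, not a clean result."""
    records = []
    for line in report.splitlines():
        m = FOUND_RE.match(line)
        if m:
            records.append({"kind": "found", "path": m["path"], "signature": m["sig"]})
            continue
        m = WARN_RE.match(line)
        if m:
            records.append({"kind": "skipped", "path": m["path"], "reason": m["reason"]})
    return records


def in_restore_store(path: str) -> bool:
    """True when the path sits under the Windows ME System Restore store
    (X:\_RESTORE\...). The Restore utility re-archives files there, so a
    scanner's delete does not stick until the store itself is purged."""
    parts = path.replace("/", "\\").split("\\")
    return len(parts) > 1 and parts[1].upper() == "_RESTORE"


def triage_detections(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Split scan records into what needs the restore store purged, what the
    scanner can remove directly, and what was never scanned."""
    found = [r for r in records if r["kind"] == "found"]
    return {
        "restore_store": [r["path"] for r in found if in_restore_store(r["path"])],
        "regular": [r["path"] for r in found if not in_restore_store(r["path"])],
        "unscanned": [r["path"] for r in records if r["kind"] == "skipped"],
    }


def parse_hijackthis(log: str) -> List[Dict[str, Optional[str]]]:
    """Parse HijackThis lines into section, name, CLSID and target (assumed
    layout: O4 is 'key: [name] command', R lines are 'key = value', the rest
    end with ' - <dll/html/cab/url>')."""
    entries = []
    for line in log.splitlines():
        m = HJT_RE.match(line)
        if not m:
            continue
        section, body = m["section"], m["body"]
        c = CLSID_RE.search(body)
        entry: Dict[str, Optional[str]] = {
            "section": section, "raw": line, "clsid": c.group(0) if c else None,
            "name": None, "target": None,
        }
        if section == "O4":
            o4 = O4_RE.match(body)
            if o4:
                entry["name"], entry["target"] = o4["name"], o4["command"]
        elif section.startswith("R"):
            entry["name"], _, entry["target"] = body.partition(" = ")
        else:
            head, _, entry["target"] = body.rpartition(" - ")
            name = head.split(": ", 1)[-1]
            if entry["clsid"]:
                name = name.replace(entry["clsid"], "").strip(" -")
            entry["name"] = name
        entries.append(entry)
    return entries


def select_by_clsid(entries: List[Dict[str, Optional[str]]], clsid: str) -> List[Dict[str, Optional[str]]]:
    """Return the entries carrying the given CLSID (case-insensitive), so a
    'fix these lines' instruction becomes an exact list rather than eyeballing."""
    return [e for e in entries if e["clsid"] and e["clsid"].lower() == clsid.lower()]


if __name__ == "__main__":
    for bucket, paths in triage_detections(parse_clamwin(CLAMWIN_REPORT)).items():
        print(bucket, paths)
    for e in select_by_clsid(parse_hijackthis(HJT_LOG), "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"):
        print("fix:", e["raw"])
```

Running it puts `FS267.CAB` in the `restore_store` bucket (the reason the reply starts with disabling System Restore), the `TEMP` executable in `regular`, and the swap file in `unscanned`; the CLSID lookup returns exactly the two O9 lines the helper listed.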


Prestine
(new user)
Tue May 06 2008 04:33 AM
Re: How to get rid of trojan downloader?

I have followed the steps as instructed. Now the PC runs smoother. Thank you for your help. I really appreciate it. But the virus vault in AVG still has 2 infected files (Trojan horse PSW.OnlineGames.AEVO C:\Window\ntuser.com Backup copy infected, C:\_RESTORE\TEMP\A0063471.CPY Backup copy infected). How do I get rid of them?

Joe_London
(HijackThis Helper)
Thu May 08 2008 11:15 AM
Re: How to get rid of trojan downloader?

Quote:

But the virus vault in AVG still has 2 infected files (Trojan horse PSW.OnlineGames.AEVO C:\Window\ntuser.com Backup copy infected, C:\_RESTORE\TEMP\A0063471.CPY Backup copy infected). How do I get rid of them?

Open AVG and go to the virus vault. Then delete everything in the virus vault.

Joe.

