Full Version: Trojan Horse Found
BleepingComputer.com > Security > Am I infected? What do I do?
aliboy66
Hello. What it is, is my sister's computer: every time she tries to get on the internet it tells her that a Trojan horse has been found and she can't connect to the net. She's with AOL. The computer works OK; when she signs in with her name and password it tells her a Trojan horse has been found and then the computer just starts again. I have not looked at it yet. What should I do? All I know is she has not got security; she's got Avast. Can you help?
quietman7
Hello aliboy66

What's the name of this Trojan Horse? What OS (Win XP/2000, etc) is your sister using? Has she performed any anti-virus scans in "SAFE MODE"? Has she performed any anti-spyware scans?

If she is running Win XP/2000, download and scan with AVG Anti-Spyware 7.5 in "SAFE MODE".
(This is Ewido 4.0 renamed. If you already have Ewido installed, please update to this version which has a special "clean driver" for removing persistent malware.) Be sure to print out and follow the AVG Anti-Spyware Install-Scan Instructions.

Then perform these online Virus scans:
[Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.]
Trend Micro Housecall <- Use "Autoclean" and manually delete what it can't clean.
Panda ActiveScan <- Accept default settings. (does not remove adware/spyware but will autoclean for viruses & worms...and scan for rootkits).
aliboy66
Hi, I've looked at my sister's computer: c:\windows\system32\jbhook.dll\vspack\aspack, trojan horse, VPS version 0662-0, 22.12.2006. She's got Windows XP Home Edition Service Pack 2; for security she's got Avast Home Edition and Ad-Aware SE Personal. She did a boot-time scan and the computer went wild: "the process cannot access file c:\windows, in use". Someone said I should do an HJT log; what's that? I'm not so good at this stuff. One more thing: she can't access the internet. So help please!
quietman7
HijackThis is an advanced tool which displays common areas in the Windows registry where the majority of malware reside. HijackThis will scan certain areas of your system and then create a log to help diagnose the presence of undetected malware in these known hiding places. It then relies on experts to interpret the log entries and determine what needs to be fixed. We will give you instructions on how to do this if necessary.

Did you run the AVG Anti-Spyware scan as I instructed? A typical log will look like this after AVG AS has found and removed that file.

QUOTE
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 1:05:57 AM 1/4/2007
+ Scan result:

[700] C:\WINDOWS\System32\jbhook.dll -> Downloader.Delf.mm : Cleaned with backup (quarantined).
[732] C:\WINDOWS\System32\jbhook.dll -> Downloader.Delf.mm : Cleaned with backup (quarantined).
Files\Content.IE5\A4KOY8RY\jb[1].exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\jbhook.dll -> Trojan.Small.br : Cleaned with backup (quarantined).

::Report end
aliboy66
Hi all, my sister's computer had a Trojan horse. I used System Restore and it seems OK now. She's got no internet access, so is there anything else to do? Will it be safe for her to access the internet now, and what security should I put on her computer that doesn't cost too much? And how will I know everything on the computer is OK? Any tips? Thank you.
quietman7
You need to clarify. You're asking if it will be safe to access the Internet, but prior to that you say she's got no Internet access.

There are lots of free security protection apps to use.
See BC's List of Virus & Malware Resources.
See BC's Freeware Replacements For Common Commercial Apps.
aliboy66
Hi all, sorry about the duplicate message, my mistake. What it is: since she's had the Trojan horse she could not access the internet, so she stopped paying for AOL until she sorted her computer out, which I think I have done finally. It seems OK, working a bit slow; I don't know if it's because her computer is old. Now she wants to get back on AOL. Will it be safe to do so, or is there something I should do before she signs up to AOL? Thank you.
quietman7
Make sure she has an Anti-virus which is current and a Firewall. There are several free ones available in the previous links I provided. Make sure Windows is updated with all the latest patches.

It would also be good practice to download and run weekly scans with these:
Ad-Aware SE Personal 1.06, Spybot S&D 1.4, and SUPERAntiSpyware Free for Home Users.

Use these free programs to help prevent spyware, homepage hijacking and increase your browser security:
SpywareGuard - (protects your homepage from being hijacked)
SpywareBlaster - (blocks known malware sites by adding them to IE's restricted sites zone)
IE-SPYAD - (blocks even more malware sites by adding them to IE's restricted sites zone)
IE-SPYAD for ZonedOut - (an easier alternative to IE-SPYAD)
Microsoft Windows Defender - (offers real-time protection)
aliboy66

Hi all, what it is: my sister's computer, now every time she signs in with her name and password to connect to the internet, she gets the error message "unavailable [24-01-08-033 attempt 2] broadband [cable/dsl/dns server unreachable or unavailable [24-01-033]". She's got Windows XP Home Edition; her modem is a BT Voyager 105. There's power going to the modem and I checked all the connections, they seem OK. Any tips? Thank you.
aliboy66
Hi, just tried to back up files using Cobian Backup and this happened. What next?
ERR 1/30/2007 11:33:33 AM The engine is not found
1/30/2007 11:33:31 AM Welcome to Cobian Backup Black Moon
1/30/2007 11:33:31 AM Engine version: 8.2.0.152 OS version: 5.1.2600 Service: No
1/30/2007 11:33:34 AM Use interface ready
1/30/2007 11:33:34 AM The engine has been found
1/30/2007 11:37:49 AM The settings have been reloaded
1/30/2007 11:43:32 AM Checking for new versions. Wait...
ERR 1/30/2007 11:43:32 AM Error while checking for new versions: Socket Error # 11004

1/30/2007 11:53:32 AM Checking for new versions. Wait...
ERR 1/30/2007 11:53:32 AM Error while checking for new versions: Socket Error # 11004

1/30/2007 12:00:59 PM The task "Backup 1" has been modified and saved
1/30/2007 12:01:01 PM The current list have been reloaded
1/30/2007 12:03:32 PM Checking for new versions. Wait...
ERR 1/30/2007 12:03:32 PM Error while checking for new versions: Socket Error # 11004
quietman7
I have never used Cobian Backup and the problems you describe appear to be software specific. You might want to post about this in their Support Forum or start a new topic in BC's All other Applications Forum.
Ikketoch
Had the same problem.

To correct it I did the following.

Installed AVG Anti-Spyware 7.5 from Grisoft (I used the free edition).
It is capable of finding the spyware, and it claims it can remove it; however on my PC the trojan was immediately back. Still, it is one of the powerful tools against this trojan.

My observations:
This was my trojan file:
C:\program files\1014d089\9CEB4757.DLL (found with AVG Anti-Spyware 7.5 free edition).
It can use different directories.

The directory is hidden and can be found with:
open a command box.
Type
attrib "c:\program files"

You will find a hidden folder.
Type (1014d089 might be different in your case; I have seen 3 different directory names, all similar):
attrib -H "c:\program files\1014d089"
The directory becomes visible.
Do a
cd "c:\program files\1014d089"
and type
attrib "c:\program files\1014d089"
You should see the actual trojan DLL.
With
attrib -S -H -R "C:\program files\1014d089\9CEB4757.DLL"

it became visible for me.

If this file is removed by AVG or in any other way, it is recreated after a restart.

According to me, this was done on my PC by 4 files: 3 DLLs and 1 executable.
The executable is a service, and the DLLs hide the same way as the trojan in the folder:

I made them visible with these commands:
attrib -S -H -R "C:\Program Files\Common Files\System\MS1014D0.DLL"
attrib -S -H -R "C:\Program Files\Common Files\System\MS1A9C88.DLL"
attrib -S -H -R "C:\Program Files\Common Files\System\MS5A2DCA.DLL"
These files I found by using Sysinternals Process Monitor, searching for 9CEB4757.DLL.

These are the only hidden DLLs in the folder c:\program files\common files\system.

And last but not least.

I deleted the file:
C:\WINDOWS\system32\Security.exe

It is installed as a service with a name like "Advanced Server"; it had a Chinese description.
You can remove this from the registry by deleting this tree:
HKLM\system\CurrentControlset\services\ServerAC

I did all deletions by first starting from a Windows PE CD; however it might also work in safe mode with a DOS box.

Then I deleted all DLLs and executables.
Then I restarted normal Windows,
and cleaned up the service list by deleting

HKLM\system\CurrentControlset\services\ServerAC

It might be wise to search for Security.exe. It is started from the registry; I removed that part with HijackThis.

This is no procedure an inexperienced user should try, but it solved it for me.
I hope others will benefit from it.
quietman7
The service Server Advance (ServerAC) - C:\WINDOWS\system32\Security.exe is related to a backdoor (IRCBot) Trojan. There is an easier solution for the inexperienced by using HijackThis and a specialized fix tool for this infection under the guidance of one of our HJT Team experts.

IMPORTANT NOTE: Backdoor Trojans are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. When infected by one of them you should disconnect the computer from the Internet until your system is cleaned. If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, to include those used for email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How to report ID theft, fraud, drive-by installs, hijacking and malware.
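The two things Ikketoch located by hand (attrib on a hidden folder under Program Files and hidden DLLs under Common Files\System, plus an unfamiliar service with a non-English description whose binary sits in system32) can be checked in one read-only pass. The script below is an added example written for this thread; it is not code from Ikketoch, quietman7 or any BleepingComputer tool. It assumes PowerShell 2.0 or later run from an Administrator prompt on an English-language Windows install, and it deletes and changes nothing. The only page-specific indicators it knows are the ones quoted above (the ServerAC service key and system32\Security.exe); everything else it reports is a triage hint for a human to look at, not a verdict.

```powershell
# Added example; not code from this thread, from Ikketoch, or from any
# BleepingComputer tool. Read-only sweep for: entries carrying both the
# Hidden and System attributes under Program Files and Common Files\System,
# and services whose description is empty or non-ASCII, whose binary is
# hidden or missing, or which match the indicators quoted in the thread.
# Assumed: PowerShell 2.0+, Administrator prompt, English-language Windows.

$hiddenAndSystem  = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$legitimateHidden = @('desktop.ini', 'thumbs.db')   # routine Hidden+System files, not worth reporting

function Get-HiddenSystemItems {
    param([string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band $hiddenAndSystem) -eq $hiddenAndSystem) -and
            ($legitimateHidden -notcontains $_.Name.ToLower())
        } |
        ForEach-Object {
            $_
            # The thread's DLL sat inside a hidden folder, so list a hidden folder's contents too.
            if ($_.PSIsContainer) {
                Get-ChildItem -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue
            }
        }
}

"== Hidden+System entries under Program Files and Common Files\System =="
$roots = @($env:ProgramFiles, (Join-Path $env:CommonProgramFiles 'System'))
foreach ($root in $roots) {
    Get-HiddenSystemItems -Root $root | ForEach-Object {
        $kind = if ($_.PSIsContainer) { 'DIR ' } else { 'FILE' }
        "{0} {1}  (attributes: {2}; modified {3})" -f $kind, $_.FullName, $_.Attributes, $_.LastWriteTime
    }
}

"== Services worth a second look =="
Get-WmiObject -Class Win32_Service | ForEach-Object {
    $svc     = $_
    $reasons = @()

    # Take the executable out of PathName; it may be quoted, use %SystemRoot%,
    # or carry arguments. An unquoted path containing spaces is cut at the first
    # space and shows up as 'binary not found', which is itself worth a look.
    $exe = [Environment]::ExpandEnvironmentVariables([string]$svc.PathName)
    if ($exe.StartsWith('"') -and $exe.IndexOf('"', 1) -gt 1) {
        $exe = $exe.Substring(1, $exe.IndexOf('"', 1) - 1)
    } else {
        $exe = ($exe -split ' ')[0]
    }

    if (-not $svc.Description) {
        $reasons += 'no description'
    } elseif ($svc.Description -match '[^\x00-\x7F]') {
        $reasons += 'non-ASCII description'   # Ikketoch's service carried a Chinese description
    }
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $attr = (Get-Item -LiteralPath $exe -Force).Attributes
        if ($attr -band [IO.FileAttributes]::Hidden) { $reasons += 'hidden binary' }
    } elseif ($exe) {
        $reasons += 'binary not found'
    }
    # Indicators quoted in this thread: service key ServerAC, binary system32\Security.exe.
    if ($svc.Name -eq 'ServerAC' -or $exe -like '*\Security.exe') {
        $reasons += 'matches indicator from this thread'
    }

    if ($reasons.Count -gt 0) {
        $fields = @($svc.Name, $svc.DisplayName, $svc.StartMode, $svc.PathName, ($reasons -join ', '))
        "{0} ({1}) start={2}`n    path: {3}`n    why:  {4}" -f $fields
    }
}
```

Run it from an elevated PowerShell prompt and read the service list with the usual caveats: many legitimate third-party services ship without a description, so "no description" alone means "look it up", while a Hidden+System DLL under Common Files\System or a hidden service binary is the kind of finding that belongs in an HJT Team thread rather than being deleted by hand.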
aliboy66
Hi, not sure what to do. I've got AVG; I scan everything and it shows nothing. I've got McAfee and SpywareBlaster, Ad-Aware, AOL spyware. My computer seems OK, a bit slow connecting to the net, but once I'm on it's OK. Had a few problems downloading stuff from the net, but don't we all. Have I got enough security? Is my computer at risk? I don't understand the reply, sorry. What next?
quietman7
In my last reply, I was responding to Ikketoch who advised he had the same problem although I doubt it was. Ikketoch advised he found Security.exe on his system. As such, I warned him about the dangers of such a file and precautions to take.

aliboy66, if your scans are clean and the only problem that remains is slowness, try following some of the suggestions in "Slow Computer Checklist", "Help! My computer is slow!" and "Restore Your Computer's Performance with Windows XP". There are reasons for slowness besides malware, i.e. disk fragmentation, disk errors, corrupt system files, too many startup programs, unnecessary services running, not enough RAM, etc. As your system gets older it becomes filled with more files/programs and has a natural tendency to slow down, so regular maintenance is essential.
aliboy66
Hi, got two queries. My sister's computer is slow; I've read what to do when you've got a slow computer. I've tried to clean it up by deleting some old programs by going to Add & Remove, but I've found some programs I can't delete. She's got no internet access, Windows XP Home Edition; she is waiting for me to sort her computer out. I've read on this site how to back up your files on Windows XP Home Edition. I need to put in the Windows XP disk, but my computer came with Windows installed and I've got no disk, so how can I back up my files? Any tips?
fozzie
Which programs are you trying to remove?

Please follow these steps :

• Defrag your system. Disk fragmentation slows the overall performance of your system. When files are fragmented, the computer must search the hard disk when a file is opened. Disk Defragmenter consolidates fragmented files and folders on the hard disk so that each occupies a single space on the disk. This speeds up reading and writing to the disk. Read "The Importance of Disk Defragmentation" for instructions.

• Check for disk errors by running CHKDSK. CHKDSK can be run from the Recovery Console, the command prompt or through the Windows GUI.
To run chkdsk from the Win XP GUI see these instructions.
To run chkdsk from the command prompt see these instructions.
To run chkdsk from the Recovery Console see these instructions.
The problem with running CHKDSK from Win XP is that it will not check files that are being used by Windows. Using chkdsk in the Recovery Console with the /r switch is a way to resolve this.

• Check for damaged, altered or missing critical system files by running the System File Checker. If SFC discovers that a protected file has been damaged, altered or missing, it restores the correct version of the file from the cache folder. You must be logged on as an administrator or as a member of the Administrators group to run sfc and it may ask you to insert your XP Installation CD so have it available.

• Clean up your hard drive by removing unused programs and transferring old data, pictures, music files to a CD or an external hard drive. When you have moved/saved the files you want to keep, run Disk Cleanup and let it scan your system for files to remove. "Don’t clean out the Prefetch folder" - This is a common myth that will not improve performance.

• Check for any unnecessary running services. If you have a typical installation, many services are configured as "automatic"; that is, they start automatically when the system starts or when the service is called for the first time. Use "Black Viper's Services Configuration" to help fine tune this area.

• Check for any unnecessary applications loading at startup when Windows boots with MSConfig. Some startup programs are necessary so be careful what you disable. If you are unsure what any of the startup entries are or if they are safe to disable, then search one of the following Startup Databases:
Startup Programs Database
StartupList Index

Note: MSConfig.exe is a troubleshooting utility used to diagnose system configuration issues. Although it works as a basic startup manager which allows you to enable/disable auto-start programs, msconfig should not be used routinely to disable startup programs.

A better alternative is to use a startup manager. If you have Spybot S&D 1.4 installed, launch it, go to Mode and select Advanced. Then go to Tools, select System Startups. You will be provided with a list of programs that load when Windows starts. If you untick an entry it will no longer run at startup. This will allow you to experiment and see how your system performs with any of them disabled. Other startup managers you can download and use for free are Startup Control Panel, Autoruns and Starter by CodeStuff.

• Remove any third party "Memory Manager" or "Optimizer". Windows XP memory management was designed to make the best use of Ram and these memory management utilities defeat that purpose. They push applications out of RAM into the pagefile, creating holes in the RAM and by doing so, slow down your computer.

• Disable some visual effects. While visual embellishments may be attractive, they don't do anything else for you. Disabling some of them frees up system resources and makes the operating system perform better. Right click My Computer, choose > Properties > Advanced, click on "Settings" under Performance... Uncheck all the visual effects, except for the last three. Click "Apply", then "OK", then "OK" again. Then right click your desktop and choose > Properties > Appearance > "Effects..." Uncheck the first two boxes and hit "OK".
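The startup-entries step above (MSConfig, Spybot's System Startups, Autoruns) comes down to reading a handful of well-known locations. The script below is an added example, not part of fozzie's post and not a BleepingComputer or Microsoft tool: it lists the Run/RunOnce registry entries and the Startup-folder items, resolves the executable each one launches, and flags entries whose executable no longer exists, which is what a leftover from a removed program or a cleaned infection looks like in the startup databases linked in the post. It assumes PowerShell 2.0 or later on a 32-bit Windows XP or later install and only reads; disabling anything is still a decision for the startup manager, after checking the entry against the databases.

```powershell
# Added example; not part of fozzie's post and not a BleepingComputer or
# Microsoft tool. Read-only listing of auto-start entries from the Run/RunOnce
# keys and the Startup folders, with the launched executable resolved and
# flagged when it cannot be found. Assumed: PowerShell 2.0+, 32-bit Windows.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($p in $values.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PowerShell's own PSPath/PSParentPath/... metadata
            New-Object PSObject -Property @{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-StartupFolderEntries {
    # Per-user folder from .NET; the all-users folder from Explorer's Shell Folders key.
    $shell   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
    $folders = @([Environment]::GetFolderPath('Startup'), $shell.'Common Startup')
    foreach ($f in $folders) {
        if (-not $f -or -not (Test-Path -LiteralPath $f)) { continue }
        Get-ChildItem -LiteralPath $f -Force |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object { New-Object PSObject -Property @{ Source = $f; Name = $_.Name; Command = $_.FullName } }
    }
}

# Pull the executable out of a command line that may be quoted, use %VARS%,
# carry arguments, or be an unquoted path containing spaces.
function Get-ExecutablePath([string]$Command) {
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"') -and $c.IndexOf('"', 1) -gt 1) {
        return $c.Substring(1, $c.IndexOf('"', 1) - 1)
    }
    $parts = $c -split ' '
    for ($i = $parts.Count; $i -ge 1; $i--) {          # longest prefix that exists on disk wins
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $parts[0]
}

function Test-ExecutableExists([string]$Path) {
    if (-not $Path) { return $false }
    if (Test-Path -LiteralPath $Path) { return $true }
    # A bare name such as rundll32.exe is found through PATH, as the loader would find it.
    return ($null -ne (Get-Command $Path -ErrorAction SilentlyContinue))
}

$entries = @(Get-RunKeyEntries) + @(Get-StartupFolderEntries)
foreach ($e in $entries) {
    $exe    = Get-ExecutablePath $e.Command
    $status = if (Test-ExecutableExists $exe) { 'ok     ' } else { 'MISSING' }
    "[{0}] {1} :: {2}`n          {3}`n          exe: {4}" -f $status, $e.Source, $e.Name, $e.Command, $exe
}
```

An entry marked MISSING is a dangling reference and is safe to remove with one of the startup managers named above; an entry that resolves to an executable in an unusual place (a user profile folder, a Temp directory, a hidden folder under Program Files) is the one to look up in the Startup Programs Database before touching it.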