
Trojan Horse Backdoor.generic4.smp


9 replies to this topic

#1 newbie666

Posted 12 January 2008 - 05:18 PM

Hello, please help. I'm a newbie and I think my computer may be infected. It runs quite slowly while on the net, so I ran Ad-Aware and it found loads of stuff, but they were just tracking cookies and MRUs. Bad? Also ran Spybot and it finds the occasional DoubleClick, but I read up on this and blocked traffic from this site and it doesn't come up any more. Had something about virus protection disabled (2 entries), pressed fix and they went away. Does this mean they're sorted? Most of all I've been running AVG. There's always been a top line (result/infection change) but it's always said no new threats, so I thought it was OK. However, on investigating a bit more I found in the details section the following:

lexplores.exe
object path s:\
file size:63.5kb
healable: no
source: back up copy
status: infected

It seems to be in quarantine. As you can tell I don't really know much about PCs. Some help would be greatly appreciated.
Oh, and one other thing I'm suspicious of is my little Realtek icon in the bottom right toolbar seems to have spawned a baby brother, whose graphics don't look so good. And the menu it brings up looks like Windows 95, hmmm?????

Thanks so much in advance
Yours, Mr Newbie


#2 boopme (Global Moderator)

Posted 12 January 2008 - 06:58 PM

Hello newbie666 and welcome.
The AVG quarantine folder is named $VAULT$.AVG. See if it is in there.

First, have you tried your AVG scan in Safe Mode? Update the program and scan. How to start Windows in Safe Mode

You should also perform a scan with SUPERAntiSpyware from Safe Mode.
After installing and updating it, close and reboot to Safe Mode.
Open from the desktop icon. Perform a Complete scan.
Quarantine ALL items found. Reboot to normal mode.
NEXT: Please copy and paste the Scan Log results in your next reply.
To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Click Close to exit the program.

EDIT: I meant to ask, was that an L or an I as the first letter of lexplores.exe?

An important thing to consider here is that the Trojan you probably have is a backdoor trojan. These are the most dangerous, and it is possible that your PC is compromised to the extent that it cannot truly be termed trustworthy without a reformat. That is, as of now all financial, password and credit card type info that is on this PC has probably been taken by nature of the malware. IT SHOULD ALL BE CHANGED.

Edited by boopme, 12 January 2008 - 07:34 PM.

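boopme's "L or I" question above is the right one to ask: a lowercase L and a capital I are hard to tell apart on screen, and a name like lexplores.exe trades on that confusion with iexplore.exe. The block below is an added example written for this thread (not code from the forum posts, AVG or SUPERAntiSpyware) that flags file or process names which are a near-miss of a well-known Windows binary once look-alike characters are folded together. The list of legitimate names and the sample listing are constructed for the example.

```python
"""Flag file names that are one or two edits away from a well-known Windows
binary, after folding visually confusable characters (l/i/1, o/0, rn/m).

Constructed example for this thread; the KNOWN_GOOD list is illustrative
and should be extended with whatever is normal on the host being examined.
"""

# Legitimate Windows binaries that malware commonly imitates (constructed
# list, not exhaustive).
KNOWN_GOOD = {
    "iexplore.exe", "explorer.exe", "svchost.exe", "lsass.exe",
    "csrss.exe", "winlogon.exe", "services.exe", "ntoskrnl.exe",
}

# Characters that look alike in most UI fonts; each is mapped to one form.
CONFUSABLE = {"l": "i", "1": "i", "0": "o"}


def normalise(name: str) -> str:
    """Lower-case a name and fold confusable characters so that
    'lexplores.exe' and 'iexplore.exe' compare on the same footing."""
    lowered = name.lower().replace("rn", "m")
    return "".join(CONFUSABLE.get(c, c) for c in lowered)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short file names, so O(len(a)*len(b))
    is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute / keep
        prev = cur
    return prev[-1]


def lookalikes(names, known=KNOWN_GOOD, max_distance=2):
    """Return {suspect_name: legitimate_name} for every name that is NOT
    itself a legitimate name but whose folded form is within max_distance
    edits of a legitimate name's folded form. The closest legitimate name
    wins; ties are broken alphabetically so the result is deterministic."""
    hits = {}
    for name in names:
        lowered = name.lower()
        if lowered in known:
            continue                      # the real binary, not a mimic
        folded = normalise(lowered)
        best = min(sorted(known),
                   key=lambda k: edit_distance(folded, normalise(k)))
        if edit_distance(folded, normalise(best)) <= max_distance:
            hits[name] = best
    return hits


if __name__ == "__main__":
    # Constructed directory listing: one AVG-style oddity, one zero-for-o
    # swap, and two names that should not be flagged.
    listing = ["lexplores.exe", "svch0st.exe", "explorer.exe", "notepad.exe"]
    for suspect, legit in lookalikes(listing).items():
        print(f"{suspect} looks like {legit}")
```

Run it over a directory listing or the output of tasklist; a hit is a lead to examine (hash the file, check its signature and location), not a verdict on its own, and the distance threshold should be lowered if the legitimate list grows large enough to produce noise.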

#3 newbie666

Posted 13 January 2008 - 06:14 PM

Thanks so much for your reply, just about to start with it all, it's a bit mind boggling. I know about Safe Mode as I have tried a system restore. Just picking stuff up on the net as I go along. Gonna do all that stuff then look up how to cut and paste lol. It's the log that SUPERAntiSpyware will bring up that you want? Plus, when you say reformat, you mean reinstall Windows? Is this something I can do myself?

Once I've followed these steps is my computer fixed, or does it depend on what said log says?

Sorry for all the questions, I really am a newbie, ain't I?
Thanks a lot

#4 newbie666

Posted 13 January 2008 - 06:59 PM

Here is the log.



Generated 01/13/2008 at 11:43 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:16:20

Memory items scanned : 210
Memory threats detected : 0
Registry items scanned : 5673
Registry threats detected : 0
File items scanned : 52352
File threats detected : 38

Adware.Tracking Cookie
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\phillip@bs.serving-sys[2].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\phillip@atdmt[2].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\phillip@serving-sys[1].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@1.marketbanker[1].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@adbrite[2].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@adecn[2].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@adopt.euroclick[1].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@ads.adbrite[2].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@ads.techguy[1].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@adtech[1].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@advertising[2].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@atdmt[1].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@atdmt[2].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@azjmp[2].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@bs.serving-sys[1].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@clickbathrooms.co[2].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@doubleclick[1].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@ehg-bskyb.hitbox[2].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@hitbox[1].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@imrworldwide[2].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@indextools[2].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@keywordmax[1].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@mediaplex[1].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@overture[1].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@philips.112.2o7[1].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@revsci[2].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@server.iad.liveperson[1].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@server.iad.liveperson[3].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@serving-sys[2].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@statcounter[1].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@tradedoubler[1].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@www.googleadservices[1].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@www.googleadservices[2].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@www.googleadservices[3].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@www.googleadservices[4].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@www.googleadservices[5].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@www.googleadservices[6].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@www.googleadservices[7].txt

#5 boopme (Global Moderator)

Posted 13 January 2008 - 07:34 PM

Hi, yes we need to see the logs to see what is found and removed. I need you to run the SUPER scan once again from Safe Mode. Since it is installed, we need only check a few things before the scan. Seems there were only tracking cookies.

Open SUPER from the icon and Update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program.
DO NOT run yet.

NOW scan with SUPER from SAFE MODE
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log in the pane.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

#6 newbie666

Posted 14 January 2008 - 07:18 AM

So I've done all you said but unfortunately the problem persists. Computer still running slow when on the net and still a trojan horse in the AVG vault. Also I have noticed that on the front screen of AVG under File it says Ntoskrnl. Under Result/Infection it says Change. Under Path it says c:\windows\system32\Ntoskrnl.exe

This is different, however, to what's being shown in the Virus Vault, which as I said above is Lexplores (I believe it's an L).
Anyway, here's the log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/14/2008 at 11:47 AM

Application Version : 3.9.1008

Core Rules Database Version : 3379
Trace Rules Database Version: 1373

Scan type : Custom Scan
Total Scan Time : 00:35:49

Memory items scanned : 210
Memory threats detected : 0
Registry items scanned : 5676
Registry threats detected : 0
File items scanned : 59086
File threats detected : 2

Adware.Tracking Cookie
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@findaphd[1].txt
C:\Users\Phillip\AppData\Roaming\Microsoft\Windows\Cookies\Low\phillip@findapostdoc[2].txt


Thankyou

#7 boopme (Global Moderator)

Posted 14 January 2008 - 09:52 AM

You look clean, just a couple more tracking cookies.
Now, to prevent possible reinfection by accident, set a new Restore Point.
The easiest and safest way to do this is:
Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen, then click "Next". Give the Restore Point a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then use Disk Cleanup to remove all but the most recently created Restore Point.
Go to Start > Run and type: Cleanmgr
Click "OK".
Click the "More Options" tab.
Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

#8 newbie666

Posted 14 January 2008 - 02:05 PM

I don't get it. SUPERAntiSpyware never found anything but cookies, which I think are OK? And never removed anything but cookies, however the computer is still running slow on the internet. It's only 3 months old so is not full. Also defragged the other day so it's not that, aaaand I have 16 Mb broadband so it shouldn't be that either. Plus that trojan virus is still quarantined in AVG. Any ideas how to fix it? Can it still cause problems locked in the vault? And one more thing is that now I have SUPERAntiSpyware I get a pop-up when I start the PC which I don't want. Just don't fancy clearing all the restore points when I'm still not sure of the state of my computer.

Sorry to be a pain and thanks so much for your help so far, I have learnt a lot.

P.S. That suspicious looking Realtek icon that I said about in my first post is still there.......

Edited by newbie666, 14 January 2008 - 02:10 PM.


#9 boopme (Global Moderator)

Posted 14 January 2008 - 02:52 PM

Maybe you should post a HijackThis log and have them look deeper to certify you are clean.
Preparation Guide for Posting a HijackThis Log

#10 quietman7 (Global Moderator)

Posted 14 January 2008 - 03:04 PM

> I have noticed that on the front screen of AVG under File it says Ntoskrnl. Under Result/Infection it says Change. Under Path it says c:\windows\system32\Ntoskrnl.exe

Reported changes in system files such as kernel32.dll, wsock32.dll, user32.dll, shell32.dll and ntoskrnl.exe are normal for AVG.

There are many valid reasons for those files to show as changed: a Windows update, a file system check that replaced them if corrupted, and others. As long as AVG doesn't say they are infected it is OK. If it continues to show them as changed, delete the following file(s) in the C:\ directory and AVG will create new one(s)... AVG7DB_F.DAT, AVG7QT.DAT

kernel32.dll, wsock32.dll, user32.dll, shell32.dll and ntoskrnl.exe have "changed"

It is normal for AVG to show that files, the MBR or the boot record have changed. These are done during normal maintenance, when you or Windows update files or have had to correct errors on the drive. The only time that you should worry is if they also show as infected.

To get AVG to quit showing them as changed, open the AVG Test Center, press the F3 key on your keyboard and tell it to accept the changes. If it still shows something as changed after this, delete the file named AVG7QT.DAT in the %ALLUSERSPROFILE%\Application Data\avg7\ folder and AVG will rebuild it the next time it is run.

The %ALLUSERSPROFILE% is different for each version of Windows. The following are the typical locations for XP and Win9x:

XP - C:\Documents and Settings\All Users\Application Data\avg7
Win9x - C:\Windows\All Users\Application Data\avg7

Another method, suggested by DEStucki, to remove the MBR changed alert if the above method didn't help...
Go to the System Area Test settings.
Select the "Remove MBR" button to remove the MBR from the list of items in the System Area test list.
Click on OK so that the list has been updated.
Now go back into the System Area Test settings and push the "Default" button to put the MBR back in the list.

Changed File Alerts

Perform an Online Virus Scan like BitDefender.
(These require Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component. If given the option, choose "Quarantine" instead of delete.)
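quietman7's point above is that AVG's "changed" column is a comparison against AVG's own stored digest table, not a verdict on infection, which is why accepting the changes (or deleting AVG7QT.DAT so the table is rebuilt) makes the alert go away. The block below is an added example for this thread, not AVG's code or anything posted by the participants; it reproduces that mechanism on constructed files in a temporary directory: build a baseline, let an "update" replace one file and remove another, see what gets reported, then accept the new state. The file names and contents are constructed for the example.

```python
"""Hash baseline for a set of files, reported the way an AV 'changed file'
table works: a stored digest per file compared against the current file.

Constructed example for this thread. 'changed' means only that the bytes
differ from the stored digest; deciding whether a changed system file is
malicious needs a comparison against a digest from a known-good copy (clean
install or vendor media), which a history table like this cannot provide.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Streamed SHA-256 of one file (system images can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Digest per path; a path that does not exist is recorded as None."""
    return {p: (sha256_of(p) if os.path.isfile(p) else None) for p in paths}


def save_baseline(baseline, store):
    with open(store, "w") as f:
        json.dump(baseline, f)


def load_baseline(store):
    with open(store) as f:
        return json.load(f)


def compare(baseline, current):
    """Classify every path as unchanged / changed / missing / new."""
    report = {}
    for p in sorted(set(baseline) | set(current)):
        old, new = baseline.get(p), current.get(p)
        if old == new:
            report[p] = "unchanged"
        elif old is None:
            report[p] = "new"
        elif new is None:
            report[p] = "missing"
        else:
            report[p] = "changed"
    return report


def demo():
    """Baseline -> simulated update -> 'changed' report -> accept changes.
    Returns (report_before_accept, report_after_accept) keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        names = ("ntoskrnl.exe", "kernel32.dll", "user32.dll")
        paths = {n: os.path.join(d, n) for n in names}
        for n, p in paths.items():              # constructed stand-in files
            with open(p, "wb") as f:
                f.write(b"original build of " + n.encode())
        store = os.path.join(d, "baseline.json")
        save_baseline(build_baseline(list(paths.values())), store)

        # A service pack replaces the kernel image and removes one library.
        with open(paths["ntoskrnl.exe"], "wb") as f:
            f.write(b"updated build of ntoskrnl.exe")
        os.remove(paths["user32.dll"])

        before = compare(load_baseline(store),
                         build_baseline(list(paths.values())))

        # "Accept the changes" (what F3 in the AVG Test Center does): the
        # current state becomes the new baseline, so the alert disappears.
        save_baseline(build_baseline(list(paths.values())), store)
        after = compare(load_baseline(store),
                        build_baseline(list(paths.values())))

        by_name = lambda r: {os.path.basename(p): v for p, v in r.items()}
        return by_name(before), by_name(after)


if __name__ == "__main__":
    before, after = demo()
    print("before accept:", before)
    print("after accept: ", after)
```

The second report is all "unchanged" even though nothing about the files was verified; that is exactly why a "changed" entry with no "infected" verdict is not evidence either way, and why the online scan quietman7 recommends, or a signature check on the file itself, is the step that actually answers the question.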