Possible Trojan Won't Delete With Avast


16 replies to this topic

#1 martinlh77

Posted 06 May 2008 - 08:16 PM

I have a Win98 HP that has a trojan that keeps showing up. Basically, every time the computer is booted up, Avast says it discovered the following trojan: 24dbe1a7.exe. SpyBot Search and Destroy did not successfully get rid of it either. Avast is not able to delete the file but rather quarantines it and keeps it from executing. That's about it. The trojan has been there for several years.


#2 boopme

Posted 06 May 2008 - 08:31 PM

If it is quarantined then it cannot harm your PC.
But let's see if this will remove it.
After installing, setup and update, run it from safe mode if you can.

Using the F8 Method

Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a menu.
When you have the menu on the screen, select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.


Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 martinlh77

Posted 06 May 2008 - 11:42 PM

SuperAntiSpyware did not load in safe mode. It did work in regular mode. I ran it anyway. It took a long time to scan, but here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/06/2008 at 09:48 PM

Application Version : 4.0.1154

Core Rules Database Version : 3454
Trace Rules Database Version: 1446

Scan type : Complete Scan
Total Scan Time : 01:25:49

Memory items scanned : 174
Memory threats detected : 0
Registry items scanned : 3335
Registry threats detected : 0
File items scanned : 43278
File threats detected : 5

Adware.Tracking Cookie
C:\WINDOWS\Cookies\brent l. martin@estat[1].txt
C:\WINDOWS\Cookies\brent l[1].txt
C:\WINDOWS\Cookies\brent l. martin@2o7[1].txt
C:\WINDOWS\Cookies\brent l. martin@bizrate[1].txt
C:\WINDOWS\Cookies\brent l. martin@palmone.112.2o7[2].txt

#4 DaChew

Posted 07 May 2008 - 12:09 AM

you have to install super and update it from normal mode and then reboot into safe mode where you open super back up and run the scan

those 5 cookies were not the problem. run super from safe mode

see if avast will let you empty the quarantine now that you have rebooted

Edited by DaChew, 07 May 2008 - 12:11 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#5 martinlh77

Posted 07 May 2008 - 12:28 AM

Super will not load in Safe Mode. It is fully updated, but it gives me the following message:

Error Starting Program
The IPHLPAPI.DLL file cannot start. Check the file to determine the problem.

#6 martinlh77

Posted 07 May 2008 - 12:30 AM

Previously, Avast pretends to clean the quarantine. We've even gone to the file and manually deleted it. It re-appears every time we re-boot the computer.

I did not try to do it at this time. It did not have anything in its quarantine list.

Edited by martinlh77, 07 May 2008 - 12:38 AM.


#7 DaChew

Posted 07 May 2008 - 12:35 AM

http://download.nai.com/products/mcafee-avert/stng380.exe

try this older program, it was originally developed back in W98 days?

http://vil.nai.com/vil/Stinger/

it might run in safe mode?
Chewy


#8 ruby1

Posted 07 May 2008 - 06:55 PM

> http://download.nai.com/products/mcafee-avert/stng380.exe
>
> try this older program, it was originally developed back in W98 days?
>
> http://vil.nai.com/vil/Stinger/
>
> it might run in safe mode?

as I have discovered, that second link is 'inoperative' :thumbsup:



you could try a scan with asquared on a 98se computer


http://download6.emsisoft.com/a2FreeSetup.exe install it in NORMAL mode, fully update the definitions, reboot the computer and run a full deep computer scan OFF line ; see what it finds?

#9 DaChew

Posted 07 May 2008 - 07:01 PM

http://download.nai.com/products/mcafee-avert/stinger3.exe

broken links are just a thing you have to overcome with old web pages
Chewy


#10 ruby1

Posted 07 May 2008 - 07:05 PM

> http://download.nai.com/products/mcafee-avert/stinger3.exe
>
> broken links are just a thing you have to overcome with old web pages

could you post the URL to which it belongs ; I am a disliker of direct links to exe's for various reasons which is why I try to post the main link to the download as well as the exe :thumbsup:

#11 DaChew

Posted 07 May 2008 - 07:23 PM

that link is only for polip

finally found a working link

http://vil.nai.com/vil/averttools.aspx#002

http://download.nai.com/products/mcafee-avert/stinger.exe
Chewy


#12 boopme

Posted 07 May 2008 - 07:58 PM

The IPHLPAPI.DLL file cannot start. Check the file to determine the problem.


Iphlpapi.dll is required for windows to operate. If iphlpapi.dll is unavailable, windows will not function correctly.

iphlpapi.dll is flagged as a system process and does not appear to be a security risk. However, removing IP Helper Api Library may adversely impact your system.

The Process Server database currently registers iphlpapi.dll to Microsoft.

This is part of Microsoft Windows.

AuditMyPC
The file may have been corrupted by the malware and needs replacing.
Fixing the iphlpapi error
If you have Windows 95, 98, or Me:

#13 martinlh77

Posted 07 May 2008 - 08:46 PM

My computer will not let me replace the bad iphlpapi.dll file. It just says access denied. I can't run the other virus scan without it.

The trojan showed up again today. This is the full message:

Win32Small-DKF
Trojan Horse
24DBE1A7.EXE

#14 boopme

Posted 07 May 2008 - 10:27 PM

Let's try an Online scan

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.


#15 martinlh77

Posted 08 May 2008 - 08:03 AM

It took a long time, but here are the BitDefender Results:

BitDefender Online Scanner

Scan report generated at: Wed, May 07, 2008 - 23:20:17
Scan path: A:\;C:\;D:\;

Statistics
Time: 02:18:18
Files: 120972
Folders: 4143
Boot Sectors: 2
Archives: 2898
Packed Files: 9280

Results
Identified Viruses: 6
Infected Files: 7
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 7

Engines Info
Virus Definitions: 1190432
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 16
Archive plugins: 42
Unpack plugins: 6
E-mail plugins: 6
System plugins: 5

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File | Status
C:\WINDOWS\TEMP\24dbe1a7.exe | Infected with: Trojan.Proxy.Agent.DF
C:\WINDOWS\TEMP\24dbe1a7.exe | Disinfection failed
C:\WINDOWS\TEMP\24dbe1a7.exe | Deleted
C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\outlook.pst=>[Subject: I'm back][From: j]=>Happy99.exe | Infected with: Win32.Worm.Happy99.A
C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\outlook.pst=>[Subject: I'm back][From: j]=>Happy99.exe | Deleted
C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\outlook.pst | Updated
C:\WINDOWS\hosts.20071224-130116.backup | Infected with: Generic.Qhost.3FAD0223
C:\WINDOWS\hosts.20071224-130116.backup | Disinfection failed
C:\WINDOWS\hosts.20071224-130116.backup | Deleted
C:\My Documents\My Music\Unknown Artist\Martin\netsonic.exe=>wise0037 | Detected with: Adware.Netsonic.A
C:\My Documents\My Music\Unknown Artist\Martin\netsonic.exe=>wise0037 | Disinfection failed
C:\My Documents\My Music\Unknown Artist\Martin\netsonic.exe=>wise0037 | Deleted
C:\My Documents\My Music\Unknown Artist\Martin\netsonic.exe | Update failed
C:\My Documents\My Music\Unknown Artist\Martin\netsonic.exe=>(Embedded EXE r)=>wise0037 | Detected with: Adware.Netsonic.A
C:\My Documents\My Music\Unknown Artist\Martin\netsonic.exe=>(Embedded EXE r)=>wise0037 | Disinfection failed
C:\My Documents\My Music\Unknown Artist\Martin\netsonic.exe=>(Embedded EXE r)=>wise0037 | Deleted
C:\My Documents\My Music\Unknown Artist\Martin\netsonic.exe=>(Embedded EXE r) | Update failed
C:\apps\downs\PK270WSP.EXE=>(ZIP Sfx o)=>TSUNINST.EXE | Detected with: Adware.Timesink.F
C:\apps\downs\PK270WSP.EXE=>(ZIP Sfx o)=>TSUNINST.EXE | Disinfection failed
C:\apps\downs\PK270WSP.EXE=>(ZIP Sfx o)=>TSUNINST.EXE | Deleted
C:\apps\downs\PK270WSP.EXE=>(ZIP Sfx o) | Updated
C:\apps\downs\PK270WSP.EXE=>(ZIP Sfx o)=>TSINST.EXE | Detected with: Application.Timesink.C
C:\apps\downs\PK270WSP.EXE=>(ZIP Sfx o)=>TSINST.EXE | Disinfection failed
C:\apps\downs\PK270WSP.EXE=>(ZIP Sfx o)=>TSINST.EXE | Deleted
C:\apps\downs\PK270WSP.EXE=>(ZIP Sfx o) | Updated
C:\apps\downs\PK270WSP.EXE | Update failed



