
trojan that keeps coming back?

16 replies to this topic

#1 bakkukid (Members, 13 posts)

Posted 03 May 2009 - 01:24 AM

I use Windows XP Home Edition, Mozilla to browse.

About a month ago someone else was using my laptop and a bunch of infections were detected by the free version of AVG. I removed all the selected infections, then ran Malwarebytes, which detected some more things and removed them. After rebooting and running Malwarebytes again my laptop seemed clean. However, every time I have run Malwarebytes since then (about 3 times), there will be no objects detected. BUT AVG will pop up and say there are infections on my computer. So today, suddenly a bunch of internet popups showed up on my laptop and AVG also showed up with a bunch of infections. I'll list some of the trojans that have been detected by AVG.

Trojan horse Pakes.DDT
Virus found Win32/Heur
Trojan horse Downloader.Zlob_r.EX
Trojan horse SHeur2.YNO
Trojan horse Small.BHD
Trojan horse Pakes.DDT
Trojan horse SHeur2.ZZF
(then there were a bunch of tracking cookies detected by AVG)
Trojan horse Agent2.DZZ
Trojan horse Generic13.ADTY
Trojan horse Agent2.EJA
Trojan horse Downloader.Generic8.AHTY


#2 buddy215 (Moderator, 13,099 posts, West Tennessee)

Posted 03 May 2009 - 06:53 PM

Run scans with Super Antispyware free and MalwareBytes AntiMalware free.
Links to download and instructions in link below.

Be sure to update both programs after downloading, installing and before scanning.

http://www.bleepingcomputer.com/forums/ind...t&p=1087935

Follow the instructions and post the logs in your next reply.

Note that Super Antispyware scan is best run in safe mode per instructions.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 bakkukid (Topic Starter)

Posted 03 May 2009 - 07:04 PM

The link you posted doesn't work.

#4 buddy215

Posted 03 May 2009 - 08:58 PM

Try it now.

http://www.bleepingcomputer.com/forums/ind...t&p=1087935

#5 bakkukid (Topic Starter)

Posted 04 May 2009 - 12:41 AM

Thanks for the help; it seems Malwarebytes wasn't catching a lot of things. Does anything else need to be done?


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/03/2009 at 10:23 PM

Application Version : 4.26.1002

Core Rules Database Version : 3875
Trace Rules Database Version: 1823

Scan type : Complete Scan
Total Scan Time : 02:45:47

Memory items scanned : 226
Memory threats detected : 0
Registry items scanned : 5811
Registry threats detected : 1
File items scanned : 85460
File threats detected : 21

Adware.Tracking Cookie
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@adrevolver[2].txt
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@insightexpressai[2].txt
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@cdn.at.atwola[1].txt
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@atdmt[2].txt
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@2o7[2].txt
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@zedo[1].txt
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@imrworldwide[2].txt
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@advertising[2].txt
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@ads.pointroll[1].txt
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@media6degrees[2].txt
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@at.atwola[1].txt
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@trafficmp[1].txt
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@ar.atwola[2].txt
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@atwola[1].txt
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@ad.yieldmanager[2].txt
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@adsrevenue[2].txt
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@ads.bridgetrack[1].txt
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@tribalfusion[1].txt
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@doubleclick[2].txt
C:\Documents and Settings\Mike Kuo\Cookies\mike_kuo@media.adrevolver[1].txt

Trojan.Fake-Alert/Trace
C:\Documents and Settings\Mike Kuo\Local Settings\Temporary Internet Files\fbk.sts

Rogue.Component/Trace
HKU\S-1-5-21-2351525325-1868086920-2027089220-1006\Software\Microsoft\FIAS4051


Malwarebytes' Anti-Malware 1.36
Database version: 2072
Windows 5.1.2600 Service Pack 3

5/3/2009 10:40:45 PM
mbam-log-2009-05-03 (22-40-45).txt

Scan type: Quick Scan
Objects scanned: 90847
Time elapsed: 6 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 buddy215

Posted 04 May 2009 - 04:21 AM

It appears for now that you have removed the malware.
Best to update SAS and run another scan till it comes up all zeros.

You should open AVG's quarantine and permanently delete all that it found.

You can block the third party ad/tracking cookies from installing on your computer by following the directions
in the link below. After changing the settings, run SAS again to remove the third party cookies that are already installed
on your comp. http://www.howtogeek.com/howto/windows-vis...cookies-in-ie7/

You need to clean up your temporary files and logs.
http://www.atribune.org/ccount/click.php?id=1
Double-click ATF-Cleaner.exe to run the program.

* Under Main "Select Files to Delete" choose: Select All.
* Click the Empty Selected button.
* If you use Firefox browser click Firefox at the top and choose: Select All
* Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
* If you use Opera browser click Opera at the top and choose: Select All
* Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.

Some of your restore points are infected. The only way to remove them is to delete all of them.
Instructions in link below if needed.
http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/

Allow Secunia online scanner to scan your programs for missing security updates. It only takes a minute.
http://secunia.com/vulnerability_scanning/online/

Edited by buddy215, 04 May 2009 - 05:42 AM.


#7 bakkukid (Topic Starter)

Posted 04 May 2009 - 02:30 PM

I left my laptop on last night planning on doing all the steps in your last post when I woke up. When I opened my laptop this morning AVG had detected another infection:

Trojan horse Downloader.Generic8.AHTY; it's located in C:\System Volume Information\_restore{bunch of numbers and letters}\RP801\A0127592.exe

#8 buddy215

Posted 04 May 2009 - 03:01 PM

That is in System Restore. Once you delete all the restore points following my last post,
AVG won't detect that anymore.

The malware in the restore points won't reinfect your computer unless you use the infected
restore point to restore to an earlier date.
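The distinction made in post #8 (a detection inside a System Restore snapshot is dormant, a detection in Temp or a browser/Java cache is not) is the kind of triage an analyst does on every scanner report. The Python below is an added example for this thread, not code from BleepingComputer, AVG or Kaspersky. It parses Kaspersky Online Scanner "Infected:" lines of the shape posted later in the thread, classifies each path by where it sits on an XP system, and flags Kaspersky's "not-a-virus:" prefix, which marks a legitimate tool (riskware) rather than an infection. The report lines are constructed: two are modelled on the Kaspersky lines in this thread, the other two reuse AVG detection names from the thread in Kaspersky's line format, and the restore-point GUID is a placeholder.

```python
"""Triage scanner detections by path and by threat label.

Added example, not from the thread. SAMPLE_REPORT is constructed; the GUID in the
restore-point path is a placeholder, not a real one.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Kaspersky Online Scanner report line: "<path> Infected: <threat> <count>"
KAV_LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")

# Windows XP System Restore snapshot: C:\System Volume Information\_restore{GUID}\RPnnn\...
RESTORE_POINT_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[^}]*\}\\RP\d+\\", re.IGNORECASE)

# Caches and temp folders where drive-by payloads and droppers land (compared lower-cased).
CACHE_MARKERS = (
    "\\local settings\\temp\\",
    "\\local settings\\temporary internet files\\",
    "\\application data\\sun\\java\\deployment\\cache\\",
)


@dataclass
class Finding:
    path: str
    threat: str
    location: str   # restore_point | cache | program_files | other
    dormant: bool   # True when the file cannot run from where it sits without user action
    riskware: bool  # Kaspersky "not-a-virus:" prefix: legitimate tool, not malware
    action: str


def parse_kaspersky_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (path, threat) for an infected-object line, None for any other line."""
    m = KAV_LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("threat")


def classify(path: str, threat: str) -> Finding:
    riskware = threat.lower().startswith("not-a-virus:")
    low = path.lower()
    if RESTORE_POINT_RE.match(path):
        return Finding(path, threat, "restore_point", True, riskware,
                       "purge all restore points; inert unless that point is restored")
    if any(marker in low for marker in CACHE_MARKERS):
        return Finding(path, threat, "cache", False, riskware,
                       "clear temp, browser and Java caches; evidence of a drive-by or dropper")
    if low.startswith("c:\\program files\\"):
        action = ("riskware label, not an infection; verify the installer source and hash"
                  if riskware else "uninstall or quarantine; verify the hash with the vendor")
        return Finding(path, threat, "program_files", False, riskware, action)
    return Finding(path, threat, "other", False, riskware, "inspect manually")


def triage(report_lines: List[str]) -> List[Finding]:
    """Parse every infected-object line of a report and classify it; other lines are skipped."""
    findings = []
    for line in report_lines:
        parsed = parse_kaspersky_line(line)
        if parsed:
            findings.append(classify(*parsed))
    return findings


# Constructed sample report (paths modelled on the thread; the GUID is a placeholder).
SAMPLE_REPORT = [
    "Scan statistics:",
    "File name / Threat name / Threats count",
    r"C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-701162ca Infected: Exploit.Java.Gimsh.a 1",
    r"C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1",
    r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP801\A0127592.exe Infected: Downloader.Generic8.AHTY 1",
    r"C:\Documents and Settings\User\Local Settings\Temp\tr.exe Infected: Boxed.NH 1",
    "The selected area was scanned.",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.location:14} dormant={f.dormant!s:5} riskware={f.riskware!s:5} {f.threat}: {f.action}")
```

Only the restore-point hit comes back dormant; the Temp and Java cache hits are live artifacts of something that ran or was about to, which is why the thread's advice to clear those caches (and to purge restore points separately) is the right order of work.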

#9 bakkukid (Topic Starter)

Posted 05 May 2009 - 02:46 PM

I think my laptop is OK now, thanks for your help.

#10 bakkukid (Topic Starter)

Posted 09 May 2009 - 12:37 AM

Ugh, so AVG picked up this trojan: Trojan horse Boxed.NH located in C:\Documents and Settings\My Name\Local Settings\Temp\tr.exe

I updated SAS and ran it again in safe mode and it didn't detect any infections. Am I infected or is this a false alarm?

#11 buddy215

Posted 09 May 2009 - 07:34 AM

You can submit the file to VirusTotal and they will scan it with multiple security programs.
http://www.virustotal.com/

I did a search for that file name and one site said there were 5 known legit files (tr.exe) and none known malicious.
Another said it was used by a trojan. Best to have VirusTotal scan the file.

Another option would be an online scan using Kaspersky. Here is a link and instructions.
http://www.bleepingcomputer.com/forums/ind...t&p=1045589

Did AVG delete or quarantine the file?

Since you have MBAM installed on your computer, update it and run a scan with it, too. Both SAS and MBAM
are excellent programs and often one finds what the other misses.
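Post #11 asks for the file to be checked on VirusTotal, and post #12 answers that it is already gone: the AV removed it and the vault was emptied. The usual way round that is to copy the suspect file somewhere the AV is not watching and record its hashes first, because a SHA-256 can be looked up on VirusTotal even after the original is destroyed. The Python below is an added example, not code from the thread or from any of the tools named in it. It writes a constructed stand-in file (a few bytes with an MZ header, not an executable), stores a copy under a non-executable name derived from its SHA-256, appends a manifest line, and returns the hash record; the vault folder name is an assumption.

```python
"""Preserve a suspicious file and its hashes before the antivirus removes it.

Added example, not from the thread. The sample file is constructed in a temporary
directory; the vault folder name is an assumption.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict

# Constructed stand-in for a dropped file: an MZ header and filler, not a real program.
SAMPLE_BYTES = b"MZ" + b"\x90" * 62 + b"constructed sample for the hashing example, not malware\n"


def bytes_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_hashes(path: str) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of a file, read in 1 MiB chunks so large files are fine."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def preserve_sample(path: str, vault_dir: str) -> Dict[str, str]:
    """Copy `path` into vault_dir as <sha256>.bin and append a manifest line.

    The .bin name keeps the copy from being double-clicked or picked up by a
    file-association handler; copy2 keeps the original timestamps for the record.
    Returns the hash record so the SHA-256 can be submitted or looked up on
    VirusTotal even if the original is deleted afterwards.
    """
    os.makedirs(vault_dir, exist_ok=True)
    hashes = file_hashes(path)
    dest = os.path.join(vault_dir, hashes["sha256"] + ".bin")
    if not os.path.exists(dest):          # same content already stored: keep one copy
        shutil.copy2(path, dest)
    record = {"original": path, "size": str(os.path.getsize(path)), "stored_as": dest}
    record.update(hashes)
    with open(os.path.join(vault_dir, "manifest.txt"), "a", encoding="utf-8") as mf:
        mf.write("\t".join(f"{k}={v}" for k, v in record.items()) + "\n")
    return record


def verify_record(record: Dict[str, str]) -> bool:
    """True when the stored copy exists and still matches every hash in the record."""
    stored = record["stored_as"]
    if not os.path.isfile(stored):
        return False
    current = file_hashes(stored)
    return all(current[name] == record[name] for name in ("md5", "sha1", "sha256"))


def demo() -> Dict[str, str]:
    """Write the constructed sample as tr.exe, preserve it, then delete the original
    (standing in for the AV removing it) and return the surviving hash record."""
    workdir = tempfile.mkdtemp(prefix="tr-demo-")
    src = os.path.join(workdir, "tr.exe")
    with open(src, "wb") as fh:
        fh.write(SAMPLE_BYTES)
    record = preserve_sample(src, os.path.join(workdir, "vault"))
    os.remove(src)
    return record


if __name__ == "__main__":
    rec = demo()
    print("original removed:", not os.path.exists(rec["original"]))
    print("sha256:", rec["sha256"], "copy intact:", verify_record(rec))
```

On a real machine the vault directory should be one the AV's real-time scanner is excluded from, or the copy will be removed as fast as the original; the hashes in the manifest survive either way and are enough to look the file up.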

#12 bakkukid (Topic Starter)

Posted 09 May 2009 - 04:36 PM

The file is gone now so I can't submit it to virustotal.com.


I tried using Kaspersky with IE but when I try to install the ActiveX components I get a popup that says:
Windows has blocked this software because it can't verify the publisher.
Name: default/
Publisher: Unknown Publisher


I'm not sure if AVG deleted or quarantined the file. I emptied out my virus vault so I can't look in there either.


Edit: using Mozilla to run Kaspersky right now, will update when that's finished.

Edited by bakkukid, 09 May 2009 - 04:39 PM.


#13 bakkukid (Topic Starter)

Posted 09 May 2009 - 07:06 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 9, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, May 09, 2009 23:02:00
Records in database: 2152438
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 85474
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:01:32


File name / Threat name / Threats count
C:\Documents and Settings\Mike Kuo\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-701162ca Infected: Exploit.Java.Gimsh.a 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1

The selected area was scanned.

#14 buddy215

Posted 09 May 2009 - 07:45 PM

Have you ever installed an Internet Relay Chat client or similar? That is what Kaspersky is indicating in this line:
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1

The other item found is in the Java cache. Running the ATF Cleaner should have cleaned up the Java cache.
Did you run it per my other instructions? Won't hurt to run it again.
QUOTE my other post:
You need to clean up your temporary files and logs.
http://www.atribune.org/ccount/click.php?id=1
Double-click ATF-Cleaner.exe to run the program.

* Under Main "Select Files to Delete" choose: Select All.
* Click the Empty Selected button.
* If you use Firefox browser click Firefox at the top and choose: Select All
* Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
* If you use Opera browser click Opera at the top and choose: Select All
* Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.

If AVG finds tr.exe try to submit to VirusTotal.

EDIT:
If you do not have the Firefox addons NoScript and AdBlock Plus you should get them. They will protect you from driveby installs of malware and many other forms of malware.

Edited by buddy215, 09 May 2009 - 08:01 PM.


#15 bakkukid (Topic Starter)

Posted 09 May 2009 - 10:13 PM

Yes, I have mIRC installed. I think I downloaded it off of a torrent site a long time ago, so that may be why it's infected. Will uninstalling the program get rid of the infection?


I've run the ATF-Cleaner many times since you posted the link, so maybe the infection is preventing the Java cache from being cleared? Just ran the cleaner again.


I will download NoScript and AdBlock Plus right now. Thanks again for all the help.

