
I believe I have a Win32 trojan horse I can't get rid of.

6 replies to this topic

#1 dandk1997

dandk1997

  • Members
  • 4 posts

Posted 27 June 2010 - 01:27 PM

Last week I had to do some research for an online class I am taking, and unfortunately, ever since then, I have been having problems with my computer and a trojan/virus. I got a warning from Avast on Wednesday or Thursday that a site I was trying to access was infected, so I followed the recommended action from Avast and left the site. Ever since then, I have been getting full-page pop-ups in Internet Explorer (which I do not routinely use; I use Firefox as my internet browser).

I am running Windows XP on my Acer Aspire One; my resident virus protection is Avast and I use Windows Firewall, neither of which is obviously doing the job I need. I also periodically run Spybot and AdAware.

After I noticed the problem, I updated and ran Spybot and found nothing. I then ran AdAware and found nothing. I ran Malwarebytes and found several problems, which it said it had handled. I thought things were fixed, and my computer ran fine for two days with no pop-ups, and then last night the problems started again. Avast keeps saying it is finding a trojan, but it cannot remove it. I ran a bootscan and it said it found 4 or 5 problems, but there was one it couldn't get rid of. I ran all the programs again after that bootscan and they found nothing, but still the warning from Avast. I ran another bootscan, and it found 2 more problems, which it said it moved.

I'm now getting the same Avast warning. This is what it is telling me the problem is:
C:\system volume information\microsoft\smss.exe
Win32:Cycler-H [Trj]


When I try to move it to the chest, it tells me it is in use.

Obviously, I don't know what to do, but I am extremely good at following directions, so if someone could talk me through this, I would be really grateful; I need my computer to keep working properly so that I can take a microbiology test later this week. Just let me know what to run/post/etc. and I will.

Thanks!

ETA that in the midst of this, I got a suspicious "AV" anti-virus security warning, which was MUCH worse when I disabled my wireless network and had no internet access. This has stopped, though, so this may be one of the two things found and corrected on my last Avast bootscan.

Edited by dandk1997, 27 June 2010 - 01:38 PM.



#2 chromebuster

chromebuster

  • Members
  • 899 posts
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England

Posted 27 June 2010 - 05:08 PM

Hello,
Maybe you can show us some of MBAM's logs? They might tell us a lot. And just out of curiosity, what did Avast find besides this trojan you're currently dealing with? Some things I'd suggest are: one, try scanning with Avast in safe mode; and two, back in normal mode, go to eset.com/onlinescan and use their online scanner to see if they can remove that little bugger. When you go to the site, make sure the following are checked: scan archives, scan email files, and remove threats. Post back that log for review.

Chromebuster



#3 dandk1997

dandk1997
  • Topic Starter

  • Members
  • 4 posts

Posted 27 June 2010 - 08:24 PM

I did run Avast in safe mode last night, but I can't tell you what happened because my battery stopped working before I got to see what it had pulled up. I just finished a 4 hour SAS scan in safe mode, and other than tracking cookies, it came up with nothing.

If it weren't for the very occasional IE window opening to an ad, and the complete loss of sound from my computer (something I only discovered just before I started that 4 hour scan), I would think all the warnings were just false positives from conflicting malware programs; I didn't realize that AdAware and Malwarebytes were both in my system tray, and it is only when they start that I am getting any warnings from Avast. Once I turn them off, things other than the sound are fine...until the random IE pop-up.

The very first MBAM log came up with nothing.

This one is from a little later that same day:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4233

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

6/24/2010 12:53:05 PM
mbam-log-2010-06-24 (12-53-05).txt

Scan type: Full scan (C:\|)
Objects scanned: 183322
Time elapsed: 54 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Diane\Application Data\Sun\Java\Deployment\cache\6.0\4\3c0ae784-740a3830 (Trojan.Downloader) -> Quarantined and deleted successfully.



In three days, I ran two clean scans in between this and the next one, which I ran earlier today:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4246

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

6/27/2010 1:00:34 PM
mbam-log-2010-06-27 (13-00-34).txt

Scan type: Full scan (C:\|)
Objects scanned: 175848
Time elapsed: 1 hour(s), 41 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ynwqyueiy\nhicjbttssd.exe (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\6.6751922063233025E7.exe (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.


I'm sorry to say that I don't remember what else Avast hit on; I thought the programs I had would take care of the problem because they always have, so I didn't really start paying attention till today.

I'd really like to figure this out, get my sound back, and stop the ads. Any help you can provide would be very much appreciated. Thanks!!

ETA: Discovered that whatever I had didn't touch my master volume, but turned Wave all the way down, and that is why my sound wasn't working. It seems to be functioning now. Feeling like an idiot.......... Running the eset scan now.

Edited by dandk1997, 27 June 2010 - 08:32 PM.


#4 dandk1997

dandk1997
  • Topic Starter

  • Members
  • 4 posts

Posted 28 June 2010 - 11:33 AM

Avast is still unable to handle the problem. I did run eset, though, and it found FIVE instances of the stupid bugger (a variant of trojandownloader.unruy.bv) and said it quarantined or contained the items. If it is contained but still in the memory, is it really handled? I don't want the stupid thing coming back, which it seems to be doing. Two of the 5 instances were where Avast had moved it, but it was still found in two more files and in my memory. This program seems to have done a better job with the memory problem, though.

Also, it is obvious to me that Avast and the standard windows firewall aren't doing anything for me...suggestions for better programs? Free would be good, if possible. Thanks!

Here's the eset info:

C:\Program Files\Alwil Software\Avast4\DATA\moved\services.exe.vir a variant of Win32/TrojanDownloader.Unruy.BV trojan cleaned by deleting - quarantined
C:\Program Files\Alwil Software\Avast4\DATA\moved\smss.exe.vir a variant of Win32/TrojanDownloader.Unruy.BV trojan cleaned by deleting - quarantined
C:\System Volume Information\Microsoft\services.exe a variant of Win32/TrojanDownloader.Unruy.BV trojan cleaned by deleting (after the next restart) - quarantined
C:\System Volume Information\Microsoft\smss.exe a variant of Win32/TrojanDownloader.Unruy.BV trojan cleaned by deleting - quarantined
Operating memory a variant of Win32/TrojanDownloader.Unruy.BV trojan contained infected files
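The detection lines quoted in posts #3 and #4 share a simple shape: a path, a detection name and the action taken. The following is an added Python example, not code from the thread or from the MBAM or ESET tools, that parses constructed lines in both formats and flags what makes this infection notable: files named after core Windows processes (smss.exe, services.exe) sitting anywhere other than C:\WINDOWS\system32, such as under System Volume Information. The process-name set and the expected directory are assumptions made for the example, not vendor data.

```python
import re
from pathlib import PureWindowsPath

# Constructed samples in the shape of the MBAM and ESET lines quoted in the thread.
MBAM_SAMPLE = r"""
Files Infected:
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ynwqyueiy\nhicjbttssd.exe (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\6.6751922063233025E7.exe (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
"""
ESET_SAMPLE = r"""
C:\Program Files\Alwil Software\Avast4\DATA\moved\smss.exe.vir a variant of Win32/TrojanDownloader.Unruy.BV trojan cleaned by deleting - quarantined
C:\System Volume Information\Microsoft\services.exe a variant of Win32/TrojanDownloader.Unruy.BV trojan cleaned by deleting (after the next restart) - quarantined
Operating memory a variant of Win32/TrojanDownloader.Unruy.BV trojan contained infected files
"""

MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+?)\.?$")
ESET_RE = re.compile(r"^(?P<path>.+?) a variant of (?P<detection>\S+) trojan (?P<action>.+)$")

# Assumed list of core Windows process names malware likes to borrow, and the one
# folder they legitimately live in on XP. Extend both to taste; this is illustrative.
SYSTEM_BINARIES = {"smss.exe", "services.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
EXPECTED_DIR = r"c:\windows\system32"

def parse_log(text, pattern):
    """Return one dict per detection line; headers, blanks and non-matching lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := pattern.match(line.strip()))]

def masquerade_reason(path):
    """Explain why a path is suspicious, or return None. Avast's quarantine copies carry a .vir suffix."""
    p = PureWindowsPath(path)
    name = p.stem.lower() if p.suffix.lower() == ".vir" else p.name.lower()
    if name not in SYSTEM_BINARIES or str(p.parent).lower() == EXPECTED_DIR:
        return None
    return f"{name} found in {p.parent}, expected only in {EXPECTED_DIR}"

def triage(mbam_text, eset_text):
    """Merge both logs and attach a masquerade reason to every entry that earns one."""
    entries = parse_log(mbam_text, MBAM_RE) + parse_log(eset_text, ESET_RE)
    for e in entries:
        # Non-path items such as "Operating memory" cannot be checked by location.
        e["reason"] = masquerade_reason(e["path"]) if ":\\" in e["path"] else None
    return entries

if __name__ == "__main__":
    for e in triage(MBAM_SAMPLE, ESET_SAMPLE):
        print(e["detection"], "|", e["path"], "|", e["reason"] or "location as expected")
```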

#5 dandk1997

dandk1997
  • Topic Starter

  • Members
  • 4 posts

Posted 29 June 2010 - 11:21 PM

So if anybody is following at all...I left things as they were after the last scan; everything has been okay for the last 24 hours. Today I rebooted my computer, and the virus is back. Avast is giving me the same warning as before.

So how do I get rid of this for good?

As I am not sure how long it is going to take for someone to be available to help, I'm going to run the eset scan again to at least keep things clear till I get some other advice, but have no fears: we can apparently get back to this point by just rebooting the computer. :thumbsup:

Thanks!

ETA: Sorry, I thought I had read the appropriate "read-before-posting" instructions, but I see that by adding that last bit, I've just put myself last in line. Live and learn....

Edited by dandk1997, 29 June 2010 - 11:43 PM.


#6 chromebuster

chromebuster

  • Members
  • 899 posts
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England

Posted 17 July 2010 - 03:10 PM

Good. Let me know if that takes care of it. And you can find the log at C:\Program Files\Eset\Eset Online scanner\Log.TXT.



#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 17 July 2010 - 03:33 PM

Hello. After posting the ESET log, you need to update MBAM.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, then select Check for Updates. When done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.



Next run ATF and SAS. If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode. How to enter safe mode (XP) using the F8 method:
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, the amount of memory, hard drives installed, etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post all logs and let us know how the PC is running now.
