Trojan Horse Found


16 replies to this topic

#1 aliboy66
  • Members
  • 182 posts

Posted 09 January 2007 - 12:16 PM

Hello, what it is, my sister's computer: every time she tries to get on the internet it tells her that Trojan Horse has been found and she can't connect to the net. She's with AOL. The computer works ok; when she signs in with her name and password it tells her Trojan Horse has been found and then the computer just starts again. I have not looked at it yet. What should I do? All I know is she has not got security; she got Avast. Can you help?



#2 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 January 2007 - 02:53 PM

Hello aliboy66

What's the name of this Trojan Horse? What OS (Win XP/2000, etc.) is your sister using? Has she performed any anti-virus scans in "SAFE MODE"? Has she performed any anti-spyware scans?

If she is running Win XP/2000, download and scan with AVG Anti-Spyware 7.5 in "SAFE MODE".
(This is Ewido 4.0 renamed. If you already have Ewido installed, please update to this version which has a special "clean driver" for removing persistent malware.) Be sure to print out and follow the AVG Anti-Spyware Install-Scan Instructions.

Then perform these online Virus scans:
[Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.]
Trend Micro Housecall <- Use "Autoclean" and manually delete what it can't clean.
Panda ActiveScan <- Accept default settings. (does not remove adware/spyware but will autoclean for viruses & worms...and scan for rootkits).
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 aliboy66
  • Topic Starter
  • Members
  • 182 posts

Posted 13 January 2007 - 09:06 AM

Hi, I've looked at my sister's computer. c:\windows\system32\jbhook.dll\vspack\aspack trojan horse, VPS version 0662-0, 22.12.2006. She got Windows XP Home Edition Service Pack 2. Security: she got Avast Home Edition and Ad-Aware SE Personal. She did a boot time scan, computer went wild: "the process cannot access file c:\windows, in use". Someone said I should do an HJT log, what's that? I'm not so good at this stuff. One more thing: she can't access the internet. So help please!

#4 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 January 2007 - 09:17 AM

HijackThis is an advanced tool which displays common areas in the Windows registry where the majority of malware reside. Hijackthis will scan certain areas of your system and then create a log to help diagnose the presence of undetected malware in these known hiding places. It then relies on experts to interpret the log entries and determine what needs to be fixed. We will give you instructions on how to do this if necessary.

Did you run the AVG Anti-Spyware scan as I instructed? A typical log will look like this after AVG AS has found and removed that file.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 1:05:57 AM 1/4/2007
+ Scan result:

[700] C:\WINDOWS\System32\jbhook.dll -> Downloader.Delf.mm : Cleaned with backup (quarantined).
[732] C:\WINDOWS\System32\jbhook.dll -> Downloader.Delf.mm : Cleaned with backup (quarantined).
Files\Content.IE5\A4KOY8RY\jb[1].exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\jbhook.dll -> Trojan.Small.br : Cleaned with backup (quarantined).

::Report end



#5 aliboy66
  • Topic Starter
  • Members
  • 182 posts

Posted 22 January 2007 - 06:07 PM

Hi all, my sister's computer had a trojan horse. I used System Restore; it seems ok now. She's got no internet access, so is there anything else to do? Will it be safe for her to access the internet now, and what security should I put on her computer that doesn't cost too much? And how will I know everything on the computer is ok? Any tips, thank you :thumbsup:

#6 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 January 2007 - 07:05 PM

You need to clarify. You're asking if it will be safe to access the Internet, but prior to that you say she's got no Internet access.

There are lots of free security protection apps to use.
See BC's List of Virus & Malware Resources.
See BC's Freeware Replacements For Common Commercial Apps.

#7 aliboy66
  • Topic Starter
  • Members
  • 182 posts

Posted 23 January 2007 - 05:21 AM

Hi all, sorry about the duplicate message, my mistake. What it is: since she's had the trojan horse she could not access the internet, so she stopped paying for AOL until she sorted her computer out, which I think I have done finally. It seems ok, working a bit slow; I don't know if it's because her computer is old. Now she wants to get back on AOL. Will it be safe to do so, or is there something I should do before she signs up to AOL? Thank you

#8 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 January 2007 - 11:11 AM

Make sure she has an Anti-virus which is current and a Firewall. There are several free ones available in the previous links I provided. Make sure Windows is updated with all the latest patches.

It would also be good practice to download and run weekly scans with these:
Ad-Aware SE Personal 1.06, Spybot S&D 1.4, and SUPERAntiSpyware Free for Home Users.

Use these free programs to help prevent spyware, homepage hijacking and increase your browser security:
SpywareGuard - (protects your homepage from being hijacked)
SpywareBlaster - (blocks known malware sites by adding them to IE's restricted sites zone)
IE-SPYAD - (blocks even more malware sites by adding them to IE's restricted sites zone)
IE-SPYAD for ZonedOut - (an easier alternative to IE-SPYAD)
Microsoft Windows Defender - (offers real-time protection)

#9 aliboy66
  • Topic Starter
  • Members
  • 182 posts

Posted 28 January 2007 - 10:30 AM

Hi all, what it is, my sister's computer: now every time she signs in with her name and password to connect to the internet she gets the error message "unavailable [24-01-08-033 attempt 2] broadband [cable/dsl/dns server unreachable or unavailable [24-01-033]". She got Windows XP Home Edition; her modem is a BT Voyager 105. There's power going to the modem; I checked all the connections, they seem ok. Any tips, thank you.

#10 aliboy66
  • Topic Starter
  • Members
  • 182 posts

Posted 30 January 2007 - 07:18 AM

Hi, just tried to back up files using Cobian Backup and this happened. What next?

ERR 1/30/2007 11:33:33 AM The engine is not found
1/30/2007 11:33:31 AM Welcome to Cobian Backup Black Moon
1/30/2007 11:33:31 AM Engine version: 8.2.0.152 OS version: 5.1.2600 Service: No
1/30/2007 11:33:34 AM Use interface ready
1/30/2007 11:33:34 AM The engine has been found
1/30/2007 11:37:49 AM The settings have been reloaded
1/30/2007 11:43:32 AM Checking for new versions. Wait...
ERR 1/30/2007 11:43:32 AM Error while checking for new versions: Socket Error # 11004

1/30/2007 11:53:32 AM Checking for new versions. Wait...
ERR 1/30/2007 11:53:32 AM Error while checking for new versions: Socket Error # 11004

1/30/2007 12:00:59 PM The task "Backup 1" has been modified and saved
1/30/2007 12:01:01 PM The current list have been reloaded
1/30/2007 12:03:32 PM Checking for new versions. Wait...
ERR 1/30/2007 12:03:32 PM Error while checking for new versions: Socket Error # 11004

#11 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 January 2007 - 08:29 AM

I have never used Cobian Backup and the problems you describe appear to be software specific. You might want to post about this in their Support Forum or start a new topic in BC's All other Applications Forum.

#12 Ikketoch
  • Members
  • 1 posts

Posted 04 February 2007 - 01:19 PM

Had the same problem.

To correct it I did the following.

Installed AVG Anti-Spyware 7.5 from Grisoft, I used the free edition;
it is capable of finding the spyware, it claims it can remove it, however on my PC the trojan was immediately back. Still, it is one of the powerful tools against this trojan.

My observations:
this was my trojan file:
C:\program files\1014d089\9CEB4757.DLL (found with AVG Anti-Spyware 7.5 free edition).
It can use different directories.

The directory is hidden and can be found with:
open a command box.
type
attrib "c:\program files"

You will find a hidden folder.
Type (1014d089 might be different in your case, I have seen 3 different directory names, all similar):
attrib -H "c:\program files\1014d089"
The directory becomes visible.
Do a
cd "c:\program files\1014d089"
and type
attrib "c:\program files\1014d089"
You should see the actual trojan DLL.
With
attrib -S -H -R "C:\program files\1014d089\9CEB4757.DLL"

it became visible for me.

If this file is removed by AVG or in any other way, it is recreated after a restart.

According to me this was on my PC done by 4 files, 3 DLLs and 1 executable.
The executable is a service, and the DLLs hide the same way as the trojan in the folder:

I made them visible with these commands:
attrib -S -H -R "C:\Program Files\Common Files\System\MS1014D0.DLL"
attrib -S -H -R "C:\Program Files\Common Files\System\MS1A9C88.DLL"
attrib -S -H -R "C:\Program Files\Common Files\System\MS5A2DCA.DLL"
These files I found by using Sysinternals Process Monitor, searching for 9CEB4757.DLL.

These are the only hidden DLLs in the folder c:\program files\common files\system.

And last but not least.

I deleted the file:
C:\WINDOWS\system32\Security.exe

It is installed as a service with a name like "Advanced Server"; it had a Chinese description.
You can remove this from the registry by deleting this tree:
HKLM\system\CurrentControlset\services\ServerAC

I did all deletions by first starting from a Windows PE CD, however it might also work in safe mode with a DOS box,

then deleted all DLLs and executables.
Then I restarted normal Windows,
and cleaned up the service list by deleting

HKLM\system\CurrentControlset\services\ServerAC

It might be wise to search for Security.exe. It is started from the registry; I removed that part with HijackThis.

This is no procedure an inexperienced user should try, but it solved it for me.
I hope others will benefit from it.
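A small triage helper, added here as an example and not part of Ikketoch's post: it parses the text that `attrib` prints and lists every entry carrying both the System (S) and Hidden (H) attributes, which is the combination the post describes for the dropped DLLs and their folder. The sample output is constructed from the paths named above; `ado.dll` and `notes.txt` are made-up benign neighbours, and the parser keys off the drive-letter path rather than attrib's exact column layout, so the columns in the sample are an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample of `attrib` output for the paths named in the post.
# Column positions are an assumption; only the letters before the path matter here.
SAMPLE_ATTRIB_OUTPUT = """\
A            C:\\Program Files\\Common Files\\System\\ado.dll
A  SH        C:\\Program Files\\Common Files\\System\\MS1014D0.DLL
A  SHR       C:\\Program Files\\Common Files\\System\\MS1A9C88.DLL
A  SH        C:\\Program Files\\Common Files\\System\\MS5A2DCA.DLL
A    H       C:\\Program Files\\Common Files\\System\\notes.txt
   SH        C:\\program files\\1014d089
A  SHR       C:\\program files\\1014d089\\9CEB4757.DLL
"""

# Attribute letters (and padding) come first, the path starts at "X:\".
LINE_RE = re.compile(r"^(?P<flags>[A-Z ]*?)\s*(?P<path>[A-Za-z]:\\.*)$")


@dataclass(frozen=True)
class Entry:
    path: str
    flags: frozenset  # e.g. {"A", "S", "H"}


def parse_attrib(output: str) -> list:
    """Turn each attrib output line into an Entry; lines without a path are skipped."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = frozenset(ch for ch in m.group("flags") if ch.isalpha())
        entries.append(Entry(m.group("path"), flags))
    return entries


def hidden_system_entries(output: str) -> list:
    """Paths that are both System and Hidden, in the order attrib listed them.

    A user-space DLL or folder under Program Files with S+H set is unusual and
    is exactly what the post found, so these are the entries worth a closer look.
    """
    return [e.path for e in parse_attrib(output) if {"S", "H"} <= e.flags]


if __name__ == "__main__":
    for path in hidden_system_entries(SAMPLE_ATTRIB_OUTPUT):
        print("System+Hidden:", path)
```

On a live XP machine the same function can be fed the captured output of `attrib "C:\Program Files\Common Files\System\*"`.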

#13 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 February 2007 - 03:51 PM

The service Server Advance (ServerAC) - C:\WINDOWS\system32\Security.exe is related to a backdoor (IRCBot) Trojan. There is an easier solution for the inexperienced by using HijackThis and a specialized fix tool for this infection under the guidance of one of our HJT Team experts.

IMPORTANT NOTE: Backdoor Trojans are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. When infected by one of them you should disconnect the computer from the Internet until your system is cleaned. If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, to include those used for email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How to report ID theft, fraud, drive-by installs, hijacking and malware.

#14 aliboy66
  • Topic Starter
  • Members
  • 182 posts

Posted 08 February 2007 - 02:08 PM

Hi, not sure what to do. I've got AVG; I scanned it all, it shows nothing. I've got McAfee and SpywareBlaster, Ad-Aware, AOL spyware. My computer seems ok, bit slow connecting to the net, but once I'm on it's ok. Had a few problems downloading stuff from the net, but don't we all. Have I got enough security, is my computer at risk? I don't understand the reply, sorry, what next?

Edited by aliboy66, 08 February 2007 - 02:09 PM.


#15 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 08 February 2007 - 02:26 PM

In my last reply, I was responding to Ikketoch, who advised he had the same problem, although I doubt it was. Ikketoch advised he found Security.exe on his system. As such, I warned him about the dangers of such a file and precautions to take.

aliboy66, if your scans are clean and the only problem that remains is slowness, try following some of the suggestions in "Slow Computer Checklist", "Help! My computer is slow!" and "Restore Your Computer's Performance with Windows XP". There are reasons for slowness besides malware, i.e. disk fragmentation, disk errors, corrupt system files, too many startup programs, unnecessary services running, not enough RAM, etc. As your system gets older it becomes filled with more files/programs and has a natural tendency to slow down, so regular maintenance is essential.



