Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Horse Dropper.small.29.e Infection And


  • Please log in to reply
3 replies to this topic

#1 wfrazier

wfrazier

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 07 April 2007 - 08:16 PM

Hello all,

Hope someone will be able to help me. Yesterday I was struck by these two infections. AVG seemed to catch them, and they show up in the virus vault, but something is still causing problems.

When I boot all seems fine. But shortly after I start a program, Sunbelt/Kerio Personal Firewall pops up and gives the following message:


Sunbelt Kerio Personal Firewall has detected and blocked an intrusion attempt of type Code injection. The technical details about the attack are provided in the window below.

Intrusion Attempt Blocked

Intruder: unknown

Technical details about each intrusion incident are very useful to Kerio. Please allow that information to be transmitted to Sunbelt for further analysis. Only the contents of this window will be sent to Sunbelt.



Here is the information in the Details window.



Technical details about the intrusion attempt:

Injector application: <unknown>
Description: <unknown>
File version:
Product name:
Product version:
Created: N/A
Modified: N/A
Accessed: N/A

Target application: \??\C:\WINDOWS\system32\winlogon.exe
Description: winlogon
File version:
Product name:
Product version:
Created: N/A
Modified: N/A
Accessed: N/A

Address of injection: 0x7C801D77



Note, previous to this episode the Target application was Explorer.exe


After I close the Kerio pop-up the following message appears:


---------------------------
Microsoft Visual C++ Runtime Library
---------------------------
Runtime Error!

Program: ...gram Files\Sunbelt Software\Personal Firewall\assist.exe

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
---------------------------
OK
---------------------------


Sometimes these two messages keep repeating until it is impossible to use the computer, but not always.



I've scanned with AVG Anti-Virus, AVG Anti Spyware, Spybot Search & Destroy, and AdAware Personal in normal mode. They do not detect anything now. I got the virus names from AVG in the Virus Vault.

I also scanned with AVG Anti-Virus, AdAware, and Spybot in Safe mode. Nothing is detected. but, something is going on.

Someone please help if you can.

Thanks in advance......Bill

BC AdBot (Login to Remove)

 


m

#2 Master5270

Master5270

  • Members
  • 131 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Where am I?
  • Local time:06:02 PM

Posted 07 April 2007 - 11:57 PM

Download and scan with SUPERAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* When done, select "Scan for Harmful Software".
* There are three scanning options. Choose "Perform Complete Scan" and click "Next".
* When done, a Scan Summary will appear with potentially harmful items that were detected. Click "OK".
* Make sure they all have a checkmark next to them and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* Click Preferences and then click the statistics/logs tab.
* Click the dated log and press View log. A text file will appear so you can see the results.
* Select close to exit the program.
* Scan in SAFE MODE

Now...
* Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Under Browsing History, click "Delete".
* Click "Delete Files", "Delete cookies" and "Delete history"
* Click Close below.

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu..
* Click the Clear now button below.. A new window will popup what to clear.
* Select all and click the Clear button again.
* Click OK to close the Options window

* Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

If that does not clear up matters than please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. About half way down are instructions for downloading HijackThis and creating a log.

When you have done that, post a log in the HijackThis Logs and Analysis Forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log here.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

After you have run the cleanmanager, prior to go over the steps for HiJackThis please post back how this computer is running now

#3 wfrazier

wfrazier
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 08 April 2007 - 12:02 PM

Master5270,

Thanks for the quick reply. I will perform the steps you've given me today. If possible I'll post the results late this afternoon (PDT) or this evening. Again, thanks.....Bill

#4 wfrazier

wfrazier
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 08 April 2007 - 09:19 PM

Master5270,

I've tried the fixes given in the first part of the post. No good. I will go on to the guide for posting a HijaakThis log.

Thanks anyway & take care.....Bill




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users