Mischel Internet Security Forum
Topic: Persistent Trojans
sacerdos
Newbie
Persistent Trojans
« on: Jan 21st, 2008, 4:20pm »

After installing SuperAntispyware 4.0  I ran scans in both normal and safe mode that detected three (3) trojans, but the trojans could not be removed. (see below)
 
I also ran a full TH 5 scan... but with no trojans detected.
 
I'd appreciate any suggestion as to what to try next.
 
 
Trojan.WinLoad32/system (2 detected)
Trojan.DeskAdp  
 
 
 
 
 
« Last Edit: Jan 21st, 2008, 4:26pm by sacerdos »

siliconman01
Global Moderator
Re: Persistent Trojans
« Reply #1 on: Jan 21st, 2008, 11:27pm »

Sorry that you are seeing infections and that TrojanHunter is not helping you remove them.
 
Please submit the files that are supposedly infected to Mischel Internet Security for analysis.  Gavin/Magnus will analyze them and incorporate the appropriate rules for removal.  The link below describes how to submit files.
 
http://www.misec.net/forum/board/FAQ/1139308293
 
Once you get confirmation from Gavin/Magnus that the files are truly infections and that rules have been incorporated in TH,
 
-  Run LiveUpdate to obtain the latest rules.
 
-  Reboot your computer into SAFE MODE and run a FULL scan with TrojanHunter.
 
After you have submitted the files above, please post a Hijackthis log back here and I'll take a look-see as to what infection you have and what can be done immediately while waiting for the analysis.
 
If you do not have Hijackthis on your system, see the link below.
 
http://www.misec.net/forum/board/FAQ/1163329424
 

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
sacerdos
Newbie
Re: Persistent Trojans
« Reply #2 on: Jan 22nd, 2008, 3:45pm »

I have submitted the above trojan files to Magnus\Gavin
 
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:21 PM, on 1/22/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal
 
Running processes:
C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\TrojanHunter 5.0\THGuard.exe
C:\Program Files (x86)\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files (x86)\TrojanHunter 5.0\TrojanHunter.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =  
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =  
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files (x86)\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files (x86)\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files (x86)\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files (x86)\SiteAdvisor\6253\SiteAdv.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [Windows Mail] C:\Program Files\Windows Mail\WinMail.exe
O4 - HKCU\..\Run: [Internet Explorer] C:\Program Files (x86)\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [Internet Explorer983] C:\Program Files (x86)\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [Windows Mail331] C:\Program Files\Windows Mail\WinMail.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O13 - Gopher Prefix:  
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
O20 - AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1.0\r3hook.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files (x86)\SiteAdvisor\6253\SAService.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - Unknown owner - C:\Windows\System32\TuneUpDefragService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
 
--
End of file - 6146 bytes

siliconman01
Global Moderator
Re: Persistent Trojans
« Reply #3 on: Jan 22nd, 2008, 3:55pm »

What were the names of the files that you submitted?  
 
Have you done a full scan of your system with Kaspersky V7.0 since this all started and did it detect anything?  
« Last Edit: Jan 22nd, 2008, 3:55pm by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
siliconman01
Global Moderator
Re: Persistent Trojans
« Reply #4 on: Jan 22nd, 2008, 4:07pm »

In addition to my post above, I can see problems via your HiJackthis log.   Please do this:
 
1.  Go to the link below and download Combofix.exe and save it on your desktop.
 
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
 
2.  Close down all your security programs Except your software firewall.  This will prevent them from interfering with ComboFix.exe
 
3.  Double click combofix.exe & follow the prompts.  
When finished, it will produce a log for you.  
 
Note:  
Do not mouseclick combofix's window while it is running. That may cause it to stall.

 
4.  After Combofix completes its work, please post back here the log from Combofix.
 
5.  Post a new Hijackthis log.
 
Also, it looks like all your services are disabled.  Either that or you may not be running a normal standalone home computer?  Would you please do this:
 
1.  Go to START>RUN and type in   services.msc
 
2.  Click on OK
 
3.  When the Services window opens, scan down through the services and see if they are all disabled.
« Last Edit: Jan 22nd, 2008, 4:22pm by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
sacerdos
Newbie
Re: Persistent Trojans
« Reply #5 on: Jan 23rd, 2008, 12:24am »

Kaspersky zapped the trojans that SuperAntispyware detected earlier today. Interesting point ...  that SuperAntispyware couldn't remove what it detected! As it turns out, I didn't need ComboFix. By the way, Kaspersky flagged ComboFix as a virus carrier when I tried to download it!
 
As for services.exe, the information there appears normal to me.
 
You mentioned that my HJT scan contained certain data that caught your attention. Could you elaborate this point a bit?
Should I post another HJT scan now?
 
Thanks
« Last Edit: Jan 23rd, 2008, 12:29am by sacerdos »

siliconman01
Global Moderator
Re: Persistent Trojans
« Reply #6 on: Jan 23rd, 2008, 12:31am »

Quote:
O4 - HKCU\..\Run: [Internet Explorer] C:\Program Files (x86)\Internet Explorer\iexplore.exe  
O4 - HKCU\..\Run: [Internet Explorer983] C:\Program Files (x86)\Internet Explorer\iexplore.exe

 
The two startup items above caught my attention.  There is a Worm that uses the name iexplore.exe placed in the System32 folder as an infection.  It is not normal for iexplore.exe to be a startup entry.  
 
Quote:
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)  
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)  

 
I am wondering why your services like the ones shown above are all "Unknown owner"  
 
Yes, please post another HJT log.
 
As far as KAV detecting combofix.exe, this is normal because of what combofix.exe is/does.  It uses some of the same techniques to clean as the cybercriminals use to infect.  
 
« Last Edit: Jan 23rd, 2008, 12:34am by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
sacerdos
Newbie
Re: Persistent Trojans
« Reply #7 on: Jan 23rd, 2008, 12:33am »

Could it have anything to do with the 64-bit OS that I'm running?
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:32, on 2008-01-22
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal
 
Running processes:
C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\TrojanHunter 5.0\THGuard.exe
C:\Program Files (x86)\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files (x86)\TrojanHunter 5.0\TrojanHunter.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =  
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files (x86)\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files (x86)\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files (x86)\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files (x86)\SiteAdvisor\6253\SiteAdv.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [Windows Mail] C:\Program Files\Windows Mail\WinMail.exe
O4 - HKCU\..\Run: [Internet Explorer] C:\Program Files (x86)\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [Internet Explorer983] C:\Program Files (x86)\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [Windows Mail331] C:\Program Files\Windows Mail\WinMail.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O13 - Gopher Prefix:  
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
O20 - AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1.0\r3hook.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files (x86)\SiteAdvisor\6253\SAService.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - Unknown owner - C:\Windows\System32\TuneUpDefragService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
 
--
End of file - 5953 bytes
« Last Edit: Jan 23rd, 2008, 12:36am by sacerdos »

siliconman01
Global Moderator
Re: Persistent Trojans
« Reply #8 on: Jan 23rd, 2008, 12:35am »

ahhh....okay, that may be the problem.  HJT may not be fully compatible with Vista 64-bit.
 
As far as KAV detecting combofix.exe, this is normal because of what combofix.exe is/does.  It uses some of the same techniques to clean as the cybercriminals use to infect.  
 
 

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
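
The checks discussed in Replies #6 and #8, as an added example that is not part of the thread or of HijackThis: it parses the O4 (Run) and O23 (service) lines of a HijackThis log, reports executables registered under more than one Run value, reports whether an iexplore.exe autostart sits in the Internet Explorer folder or somewhere else, and lists "Unknown owner ... (file missing)" services under System32. The function name `triage` is hypothetical, and reading the missing files as a side effect of a 32-bit scanner on 64-bit Windows (where a 32-bit process has System32 redirected to SysWOW64) is an assumption of this example.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname  # Windows path rules on any OS

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files (x86)\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [Windows Mail] C:\Program Files\Windows Mail\WinMail.exe
O4 - HKCU\..\Run: [Internet Explorer] C:\Program Files (x86)\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [Internet Explorer983] C:\Program Files (x86)\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [Windows Mail331] C:\Program Files\Windows Mail\WinMail.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
EXE_RE = re.compile(r'"?(?P<exe>[^"]*?\.exe)', re.I)  # executable part of the command
SVC_RE = re.compile(r'^O23 - Service: (?P<desc>.+) - (?P<owner>.+?) - '
                    r'(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$')
# Default install folders of Internet Explorer (lower-cased for comparison).
IE_DIRS = {r"c:\program files\internet explorer",
           r"c:\program files (x86)\internet explorer"}


def parse(log):
    """Return (run_entries, services) parsed from the O4 and O23 lines."""
    runs, services = [], []
    for line in (raw.strip() for raw in log.splitlines()):
        m = RUN_RE.match(line)
        if m:
            exe = EXE_RE.match(m["cmd"])
            target = (exe["exe"] if exe else m["cmd"]).lower()
            runs.append((m["hive"], m["name"], target))
            continue
        m = SVC_RE.match(line)
        if m:
            services.append((m["owner"], m["path"].lower(), bool(m["missing"])))
    return runs, services


def triage(log):
    """Summarise the log features the moderator singled out."""
    runs, services = parse(log)
    by_target = defaultdict(list)
    for _hive, name, exe in runs:
        by_target[exe].append(name)
    missing = sorted(basename(path) for owner, path, gone in services
                     if gone and owner == "Unknown owner"
                     and "\\windows\\system32\\" in path)
    # Assumption: a scanner installed under "Program Files (x86)" is a 32-bit
    # process on 64-bit Windows and sees System32 redirected to SysWOW64.
    scanner_32_on_64 = any(raw.strip().lower().endswith("hijackthis.exe")
                           and "program files (x86)" in raw.lower()
                           for raw in log.splitlines())
    return {
        # One executable registered under several Run value names.
        "duplicate_run_targets": {exe: sorted(names)
                                  for exe, names in by_target.items()
                                  if len(names) > 1},
        # (value name, True if the file is in the Internet Explorer folder)
        "browser_autostart": sorted((name, dirname(exe) in IE_DIRS)
                                    for _hive, name, exe in runs
                                    if basename(exe) == "iexplore.exe"),
        "system32_missing": missing,
        "missing_likely_redirection": scanner_32_on_64 and bool(missing),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "=", value)
```

On the sample, both iexplore.exe entries resolve to the Internet Explorer folder rather than System32, and the WinMail.exe entries show the same doubled-value pattern.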
sacerdos
Newbie
Re: Persistent Trojans
« Reply #9 on: Jan 23rd, 2008, 12:38am »

Please see the new HJT scan above your last post!

siliconman01
Global Moderator
Re: Persistent Trojans
« Reply #10 on: Jan 23rd, 2008, 12:46am »

The only thing in your new HJT log that bothers me is the two startup entries below.
 
Quote:
O4 - HKCU\..\Run: [Internet Explorer] C:\Program Files (x86)\Internet Explorer\iexplore.exe  
O4 - HKCU\..\Run: [Internet Explorer983] C:\Program Files (x86)\Internet Explorer\iexplore.exe

 
I don't know why iexplore.exe is automatically started up on your system on reboot...much less why there are 2 entries for starting it up.  Does your home page automatically open when you reboot?

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
siliconman01
Global Moderator
Re: Persistent Trojans
« Reply #11 on: Jan 23rd, 2008, 12:55am »

Would you please check something on your system.
 
1.  First make all your files and folders visible as per the link below.  
 
http://www.misec.net/forum/board/FAQ/1139610900
 
2.  Then do a search for the file named vrmst32.exe.  Do you find a file by this name?

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
siliconman01
Global Moderator
Re: Persistent Trojans
« Reply #12 on: Jan 23rd, 2008, 1:08am »

In addition to my posts above,
 
Have you updated your KAV V7.0 to the new KAV 7.0.1.321a yet?  If not, you may wish to do so.  The Kaspersky forum is at  
 
http://forum.kaspersky.com/index.php?showforum=4

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
sacerdos
Newbie
Re: Persistent Trojans
« Reply #13 on: Jan 23rd, 2008, 1:10am »

Live Search HomeHotmailSpacesOneCare Sign in  
 
Only from CanadaAdvanced· OptionsWeb results 1-1 of 1
See also:Images, News, Maps, Sympatico / MSN, More ▼AcademicBeta
FeedsBeta
Spaces
Edit Macros
Find MacrosSponsored sitesRepair .exe:- Errorsmart.com  
 
 
vrmst32.exe results...
 
Fix your computer errors. Takes only 3 Mins.  
Results
iexplore.exe appears on bootup - Safer Networking Forums  
it was called vrmst32.exe and had another file called vrmst32 with no file extention, i put .txt on the end of the file and opened it up and found all this information from ...  
 
forums.spybot.info/showthread.php?t=11066 · Cached pageAre you satisfied with Live Search? Tell us about it.© 2008 Microsoft | Privacy | LegalAdvertise | For Webmasters | Help Central | Account | Feedback

siliconman01
Global Moderator
Re: Persistent Trojans
« Reply #14 on: Jan 23rd, 2008, 1:16am »

Did you see my post concerning KAV just above your post?
 
So are you saying that you need iexplore.exe to start up on system reboot because of "Live Search HomeHotmailSpacesOneCare Sign in".  
 
I'm a bit confused about your last post.  Sorry.  Huh
 
In my post above, I was asking you to search your system disks for vrmst32.exe....not the internet.
« Last Edit: Jan 23rd, 2008, 1:17am by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!