TechSpot

Help needed trojan problems

By michoz
Mar 15, 2008
  1. Hi everyone, this is my first time on this forum so please be gentle!! You guys were recommended to me by a friend (who thinks you're all great); you helped him sort out a problem and I was hoping you could help me too, please. I have the following Trojans that are causing me trouble and I have absolutely no idea how to get rid of them. I run AVG Free and advast Free on my system but it appears that all these Trojans keep appearing in my AVG. I have generic9.AYHW in my win32 system file, downloader zlob SNV, Download Zlob.Ll, Downloader. Zlob.GDC, Downloader.zlob.SOD, downloader.Zlob.CPH and Exploit.Dowloader; some of these keep appearing in my Program Files. I'm not brill around the computer but know the basics. Can anyone help me, as these Trojans are causing absolute mayhem and I don't know what to do? I know it's a lot to ask but any help would be gratefully appreciated. Thanks
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Hi michoz :wave:

    Download Smitfraud Fix
    http://siri.urz.free.fr/Fix/SmitfraudFix.exe

    Clean:

    Reboot your computer in Safe Mode
    (before the Windows icon appears, tap the F8 key continually)

    Double-click SmitfraudFix.exe

    Select 2 and hit Enter to delete infected files.

    You will be prompted: "Do you want to clean the registry?" Answer Y (yes)
    and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): "Replace infected file?" Answer Y (yes) and hit Enter to restore a clean file.

    A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Optional:

    To restore the Trusted and Restricted site zones, select 3 and hit Enter.
    You will be prompted: "Restore Trusted Zone?" Answer Y (yes) and hit Enter to delete the trusted zone.
    ----------------------------------------------------

    Additional Steps:

    (Start - Run)
    sc stop Messenger
    sc config Messenger start= disabled

    Restart
     
  3. kritius

    kritius TS Guru Posts: 2,087

    Post the results back along with a HijackThis log
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    " I run AVG free and advast Free on my system but it appears that all these trojan's keep appearing"

    Please advise this user that she is running two anti-virus programs, AVG free and Advast Free. This is most likely contributing to the fact of the repeated Trojan infections.
     
  5. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Please un-install Avast (you stated advast) fully, here is the HowTo
    You may want to re-install AVG, or uninstall that too, here's that Info

    Then install only one Anti-Virus, ie AVG Free, here's all AVG programs
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thank you kimsland. It always puzzles me why this isn't caught when looking at the logs.
     
  7. kritius

    kritius TS Guru Posts: 2,087

    It's fairly easy to spot when viewing logs, so for that reason it usually is spotted.
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    No, I've missed it :(
    This is because when viewing HJT logs, I look for viruses/Trojans and strange programs; I tend to skim past known OK programs.

    Thankfully one of you guys comes back (usually) and says "hey, the revision is out" or "where's your antivirus?" or something like that.
    I suppose the lesson here is to check all files, not just the suspicious ones.
     
  9. kritius

    kritius TS Guru Posts: 2,087

    The best way to go through a HijackThis log is to take each line at a time and eliminate them one by one. Check every single process: if it's good, get rid of the line; if it's bad, keep it in. What you have left are the ones that most likely need fixing. By doing this you can also spot antivirus, firewall etc.

    Everybody misses things though, and Kimsland usually gets it right on when he does it.
     
  10. michoz

    michoz TS Rookie Topic Starter

    trojan problem

    Hi Kritius, I'm having a problem downloading HijackThis. Could you please direct me to the right link/website address, as I think I may be in the wrong place? The one I keep coming up with is version 2.0, but when I click on download nothing happens. Thanks
     
  11. kritius

    kritius TS Guru Posts: 2,087

     
  12. michoz

    michoz TS Rookie Topic Starter

    Right, done that! I rebooted into safe mode; after the screen appears with Windows Advanced Options and I click launch to go to the desktop, it lists some of the win32 system files. I can't get past this to the desktop to launch HijackThis. Am I doing anything wrong? (Sorry, but I think I'm totally a computer dunce!)
     
  13. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

  14. kritius

    kritius TS Guru Posts: 2,087

  15. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Yes, and to get support with Windows you can go to MS or just use TechSpot's links!
     
  16. michoz

    michoz TS Rookie Topic Starter

    Thanks, attached the log
     
  17. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    kritius is better at checking HJT logs than me, so I would follow his advice fully.
    But I cannot see any Malware present, just invalid entries and cleaning up.

    Looks as though you have Avast AntiVirus and AVG AntiVirus installed together.
    Please un-install Avast AntiVirus fully from Add/Remove Programs.

    You have many missing file entries of files picked up through scanning, good the files have gone, but those missing file entries can be removed.

    You have many startups going on, including HP (your system), Dell (your printer) and others (webcam etc.)

    I would recommend downloading Startup and unticking everything on all tabs except AVG7_CC.
    This will stop all those printer popups and you will need to run your Webcam manually from Start -->All Programs; but your system will be better for it.

    Once all Startups have been deselected, you will then need to Restart your computer (to see the difference)

    If you decide to do this, then you will need to post another HJT log
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sure wish these users who throw out the hijack logs would also pay attention when we tell them about excess startups! For a while, I was listing them, defining them and telling the user what to remove, but most didn't reply back, so for the most part, I've stopped.

    But printers don't need to be on startup- m....., you have two printers running- HP and Dell- why is that? Can't you just call one up when you need it? Real Player and Java should NOT be set to automatically check for updates, neither should Google, which is what the Google Notifier is for. They can be a security risk. DVD launchers don't need to be on startup, and you also have a USB diagnostic tray tool running instead of calling it up when needed:

    Speedtouch USB Diagnostics: external Alcatel ADSL high-speed modem. A diagnostic tool and can be run from the Start menu when required.

    And this is puzzling: USB Disk Win98 Driver\Res.EXE

    Ah well, I wasn't asked but it makes me nuts when I see all this 'stuff' running!
     
  19. kritius

    kritius TS Guru Posts: 2,087

    These are just a few of the problems in that log:

    O2 - BHO: (no name) - {6430CCA7-032A-4EB0-BCFF-838998E73EF5} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O9 - Extra button: (no name) - {16930DCA-0910-4C00-86FF-0C73872D4ABA} - javascript:window.location.href="http://www.justmoresex.com" (file missing)
    O9 - Extra 'Tools' menuitem: adult - {16930DCA-0910-4C00-86FF-0C73872D4ABA} - javascript:window.location.href="http://www.justmoresex.com" (file missing)
    O9 - Extra button: (no name) - {A2199168-22AC-44A3-BA5F-8A83E693FEBF} - javascript:window.location.href="http://www.morecelebrities.com/default.asp?id=" (file missing)
    O9 - Extra 'Tools' menuitem: celebrities - {A2199168-22AC-44A3-BA5F-8A83E693FEBF} - javascript:window.location.href="http://www.morecelebrities.com/default.asp?id=" (file missing)
    O9 - Extra button: (no name) - {FF55FC7B-F2EB-4F50-9409-2F726DD0E112} - javascript:window.location.href="http://www.usearchufind.com" (file missing)
    O9 - Extra 'Tools' menuitem: search - {FF55FC7B-F2EB-4F50-9409-2F726DD0E112} - javascript:window.location.href="http://www.usearchufind.com" (file missing)
    O21 - SSODL: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)
    O22 - SharedTaskScheduler: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)
    O22 - SharedTaskScheduler: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)


    The first thing that you need to do is follow all the instructions HERE exactly as they are described and post back in this thread with the three requested logs:
    • ComboFix
    • HJT and
    • AVG Anti-Spyware
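The log triage kritius describes earlier in the thread (clear each line you can verify, keep what is left) applied to the HijackThis lines quoted above, as an added example that is not part of the original thread or of HijackThis itself. The sample log, the `KNOWN_GOOD` allowlist and the flagging rules are constructed assumptions for illustration.

```python
import re

# Constructed sample log: the HijackThis lines quoted in the post above plus one
# AVG startup line (constructed) so the allowlist step has something to clear.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {6430CCA7-032A-4EB0-BCFF-838998E73EF5} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {16930DCA-0910-4C00-86FF-0C73872D4ABA} - javascript:window.location.href="http://www.justmoresex.com" (file missing)
O21 - SSODL: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)
O22 - SharedTaskScheduler: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)
O22 - SharedTaskScheduler: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)
"""

# Hypothetical allowlist: startup names the reviewer has already verified as good.
KNOWN_GOOD = {"AVG7_CC"}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")           # "O<n> - <body>"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")      # {8-4-4-4-12} GUID in braces
RUN_NAME_RE = re.compile(r"\[(.+?)\]")              # [Name] in O4 Run entries


def triage(log_text):
    """Split HJT lines into suspect (with reasons), known_good and remaining."""
    suspect, known_good, remaining, seen = [], [], [], set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        name = RUN_NAME_RE.search(body)
        if name and name.group(1) in KNOWN_GOOD:
            known_good.append(raw)              # elimination step: verified, drop it
            continue
        reasons = []
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("orphaned: referenced file no longer exists")
        if section == "O9" and "javascript:" in body.lower():
            reasons.append("IE button/menu item runs a javascript: URL")
        if section in ("O21", "O22"):
            reasons.append("shell autostart hook (SSODL/SharedTaskScheduler)")
        clsid = CLSID_RE.search(body)
        key = (section, clsid.group(0).lower() if clsid else body)
        if key in seen:
            reasons.append("duplicate of an earlier line")
        seen.add(key)
        if reasons:
            suspect.append((raw, reasons))
        else:
            remaining.append(raw)               # neither cleared nor flagged: needs a look
    return suspect, known_good, remaining
```

Everything the function returns in `remaining` is what a human reviewer still has to look up by hand; the `suspect` list is the shortlist that would go into a fix.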
     
Topic Status:
Not open for further replies.
