TechSpot

Hijackthis log, possible Trojan? (phony "critical system alerts" keep popping up)

By ThorH
Sep 17, 2006
  1. Hi Techspot,

    Thanks for taking time to help fight malware!

    I’m helping my mother clean a pc which has been severely infected. I have formatted the hard disc and re-installed Win2000PE (and upgraded to SP3 + installed Firefox). I immediately installed a Sygate firewall, yet somehow a Trojan survived (I still get the phony "critical system alert" messages). I’ve followed the steps you recommend (scanned using Kaspersky, Ad-Aware, Trend Micro, rebooted in safe mode and scanned using S-S&D and Ewido). None of these programs seemed to find anything serious.

    I then rebooted again and scanned using Hijackthis. Using your guide, I went through the list, but I wasn’t able to find anything to fix apart from three 016s. The Trojan alerts keep appearing (or at least, I assume that the phony "critical system alert"s are caused by a Trojan; there's at least five different messages, recommending causes of action and webpages). I’ve posted the log as a txt-file. I've also posted the Ewido log. I hope someone can help.

    Thanks!

    Best regards,
    Thor
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks

    Click on the fix checked button.

    Close HJT and reboot your computer.

    Other than the above, your HJT log is clean.

    Delete all files in Ewido quarantine.

    If you`re still getting popups, go HERE and follow the instructions exactly.

    Post fresh HJT and Ewido logs.

    Regards Howard :wave: :wave:

    This thread is for the use of ThorH only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. ThorH

    ThorH TS Rookie Topic Starter

    Hello Howard,

    Thanks for replying! I've gone through the steps in your post, but the messages still appear. I'm now following the link you gave to your general post on Trojans and following the steps recommended there. Meanwhile, I'm posting fresh logs.

    Best regards Thor

    Hello again,

    I went through the extended list, but unfortunately I still receive the alerts when using my Firefox browser.

    I've pasted a fresh Hijackthis log. Ewido found nothing.

    Best regards,
    Thor

    P.S. I haven't filled in my specs yet, because it would risk confusing matters, since right now I'm not meddling with my own pc.

    /Thor
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have HJT fix these entries.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    Click the fix checked button.

    Other than the above your HJT log is clean.

    It appears you`re not running any antivirus or firewall software. This is a hugh security risk.

    Download and install the free AVG antivirus programme and either the free Zonealarm or Kerio firewall programmes. You can get them HERE, HERE and HERE.

    Install whichever firewall you chose, followed by AVG and reboot your system the required number of times. Run the AVG updates.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Run a full system scan with AVG and delete whatever it finds. This includes anything in the virus vault.

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.


    Regards Howard :)

    This thread is for the use of ThorH only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. ThorH

    ThorH TS Rookie Topic Starter

    I fixed the entries in HJT, then installed AVG, updated and ran the full scan in safe mode (with hidden and system files shown). I also have a Sygate Personal firewall and Ewido. AVG fould nothing, the R0-entries have not re-appeared, but somehow the alerts still keep popping up (in system-message-lookalike windows with the heading Messenger Service (in Danish)).

    Howcome none of the virus scanners can find this thing?

    Best regards - and thanks again,
    ThorH
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, do the following.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Messenger

    Close the services window.

    Hopefully the popup messages should now stop.

    Regards Howard :)
     
  7. ThorH

    ThorH TS Rookie Topic Starter

    Terminating and disabling Messenger finally worked, thanks! :)

    But then the Trojan must still be there, just blocked/disabled temporarily? Can this pose a security risk? (it doesn't matter that Messenger can't be used)

    Best regards,
    Thor
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The Popups you have been receiving are not caused by a trojan, but rather Microsoft partners. Infact with the Windows messenger service enabled, virtually anyone can pop an advertisement onto your computer. How good is that?

    The messenger service has nothing to do with MSN messenger etc.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of ThorH only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. ThorH

    ThorH TS Rookie Topic Starter

    Ok, thanks.

    So it's a Microsoft partner somehow bypassing the firewall and for some reason targeting this pc with malware?

    Regards Thor
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I`d say it`s more a case of the Windows OS allowing anyone to put adds on your computer. That`s why I said you should disable the Windows messenger service. This stops it dead in it`s tracks.

    Regards Howard :)
     
  11. ThorH

    ThorH TS Rookie Topic Starter

    Wow, that seems to be a wonderful service from Microsoft! :S I've disabled the service on my own pc as well.

    But thanks again, everything is running smooth now..

    Best regards Thor
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...