Intrusion attempt - Do I have a trojan?

Status
Not open for further replies.
Please can I have your help...

I recently downloaded some files from a friend's website to try and help them remove the problem which was causing Google to ban it. In order to do this I had to download them to my PC with FTP.
However, since then Kerio has been saying I have an intrusion attempt.

Basically all their html files were infected with a JavaScript which should not be there, occurring once in the header, and a script at the end after the closing html tag. I removed them all and their site is working fine. HOWEVER.... my PC is not.

When I downloaded the files AVG quarantined a number of them and I identified the viruses as Psyme (which it healed) and JS/Downloader.Agent (which it said it did not heal); however, when I run AVG it says no threats are identified.

Since that time my Kerio firewall keeps on "identifying and blocking an intrusion attempt of type Code injection" (details pasted below)

Can anyone kindly advise me...
1) Is this a trojan?
2) Is there any fix?
________________________
Intruder: \??C:\\WINDOWS\systme32\winlogon.exe

Technical details about the intrusion attempt:

Injector application: \??\C:\WINDOWS\system32\winlogon.exe
Description: winlogon
File version:
Product name:
Product version:
Created: N/A
Modified: N/A
Accessed: N/A

Target application: C:\WINDOWS\system32\svchost.exe
Description: Generic Host Process for Win32 Services
File version: 5.1.2600.5512 (xpsp.080413-2111)
Product name: Microsoft® Windows® Operating System
Product version: 5.1.2600.5512
Created: 2004/8/4, 10:00:00
Modified: 2008/4/14, 00:12:36
Accessed: 2008/10/16, 08:29:29

Address of injection: 0x026169B6
________________________

Can anyone kindly advise me on the best course of action?

Best regards
Richard
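The first post describes the site-side symptom: every HTML file carried an extra script block in the header and another after the closing html tag. The following scanner is an added example (not code from the thread or from any tool named in it) that finds script blocks in exactly those two places and counts how many files share an identical block, which is the tell-tale sign of a mass injection. The sample pages and the `injected.invalid` host are constructed for the demonstration.

```python
"""Find script blocks in <head> and after </html>, and spot blocks repeated across files.
Added example; the sample pages below are constructed, not taken from the thread."""
import re
from collections import Counter

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
HEAD_RE = re.compile(r"<head\b[^>]*>(.*?)</head>", re.IGNORECASE | re.DOTALL)
CLOSE_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)


def find_script_blocks(html):
    """Return [(location, script_text)] for every script inside <head>
    and every script that appears after the last closing </html> tag."""
    findings = []
    head = HEAD_RE.search(html)
    if head:
        for m in SCRIPT_RE.finditer(head.group(1)):
            findings.append(("head", m.group(0)))
    closes = list(CLOSE_HTML_RE.finditer(html))
    if closes:
        tail = html[closes[-1].end():]          # nothing legitimate belongs here
        for m in SCRIPT_RE.finditer(tail):
            findings.append(("after-html", m.group(0)))
    return findings


def strip_after_html(html):
    """Return the page truncated right after its last </html>."""
    closes = list(CLOSE_HTML_RE.finditer(html))
    if not closes:
        return html
    return html[:closes[-1].end()] + "\n"


def repeated_blocks(pages):
    """pages: {filename: html}. Count, per distinct flagged script block, how many
    files contain it. A block that shows up in every file is the mass-injection pattern."""
    counter = Counter()
    for html in pages.values():
        counter.update({text for _, text in find_script_blocks(html)})
    return counter


# Constructed sample site: two infected pages and one clean page.
INJECTED_HEAD = '<script src="http://injected.invalid/x.js"></script>'
INJECTED_TAIL = "<script>/* constructed placeholder for a trailing block */</script>"
SAMPLE_PAGES = {
    "index.html": (
        "<html><head><title>Home</title>" + INJECTED_HEAD + "</head>"
        "<body><p>hello</p></body></html>\n" + INJECTED_TAIL
    ),
    "about.html": (
        "<html><head><title>About</title>" + INJECTED_HEAD + "</head>"
        "<body><p>about</p></body></html>\n" + INJECTED_TAIL
    ),
    "clean.html": (
        "<html><head><title>Clean</title></head>"
        "<body><script>/* legitimate body script */</script></body></html>\n"
    ),
}

if __name__ == "__main__":
    for name, html in SAMPLE_PAGES.items():
        for where, text in find_script_blocks(html):
            print(f"{name}: {where}: {text[:60]}")
    for text, n in repeated_blocks(SAMPLE_PAGES).most_common():
        print(f"seen in {n} file(s): {text[:60]}")
```

Run it over a local FTP mirror of the site by replacing `SAMPLE_PAGES` with a dict built from `open(path).read()` for each `.html` file; review the flagged blocks before deleting anything, since a site may legitimately load a script in its head.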
 
Thanks

Hi Kimsland - thanks for pointing me in the right direction... I think it is solved... the intrusions seem to have stopped.

AVG found no threats.
Malwarebytes found 9 backdoors and removed them.
SuperAntiSpyware said it was clean.

I have attached the logs - are you able to tell if it is fixed?
 
Please run HJT, and tick and fix this one:
O4 - Global Startup: BlueSoleil.lnk = ?

You also have a Bonjour Service (Start->Run->services.msc) starting up. Please read about that here: http://www.raymond.cc/blog/archives/2008/02/10/how-to-uninstall-or-remove-bonjour-mdnsresponderexe/
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

Actually you have too many Startups overall.
Whilst it's easier to have programs autostart with Windows, this will also slow down a computer and use much of the computer's resources (CPU and RAM). The following, therefore, is at your discretion. (If it helps you a little, I'd remove them all! But you may want to carefully go through the list.)

Instead of using HJT for these ones, you could use Startup Control Panel (http://www.mlin.net/StartupCPL.shtml), with which you can reverse the changes if you later find that you do need one of these many startups.

The user startups that could be removed are:
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [\\TOASTER\EPSON Stylus D68 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P33 "\\TOASTER\EPSON Stylus D68 Series" /O6 "USB001" /M "Stylus D68"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\CounterPath\X-Lite\x-lite.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WOSB] "C:\Documents and Settings\Richard\Desktop\wosb.exe" /run /systray date="10/20/2008" time="01:55:59 AM" wait="9:0:0" /psbh /screenon /repair weekdays=2 /ast kv="1"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SuperAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

Also, your Java is now out of date and should be updated.
Please go here, and update it. http://java.com/en/download/installed.jsp?detect=jre&try=1
(Note: This process can be quite slow. It would be best to turn off any screen savers or any other task that may try to come on when Java is updating)

Other than that, clean :)
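The O4 lines above are HijackThis startup entries in two shapes: registry Run keys (`O4 - HKLM\..\Run: [name] command`) and Global Startup shortcuts (`O4 - Global Startup: name.lnk = target`). The parser below is an added example, not part of the thread or of HijackThis, that turns those lines into records and flags the ones worth a second look on a triage pass: a shortcut whose target could not be resolved (the `= ?` entry the reply says to fix), a bare filename resolved through PATH, and an executable that runs from outside the Program Files or Windows directories. The sample lines are copied from the log in this thread; the list of trusted directory prefixes is an assumption for this example.

```python
"""Parse HijackThis O4 startup lines and flag the ones that deserve review.
Added example; TRUSTED_PREFIXES is an assumption, the sample lines are from the thread."""
import re

O4_RUN_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(Run(?:Once)?): \[([^\]]+)\] (.*)$")
O4_GLOBAL_RE = re.compile(r"^O4 - Global Startup: (.+?) = (.*)$")
# A quoted path, or the first whitespace-free token ending in .exe
EXE_RE = re.compile(r'^"([^"]+)"|^(\S+\.exe)', re.IGNORECASE)
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


def parse_o4(line):
    """Return {'kind', 'name', 'command'} for an O4 line, or None if it is not one."""
    m = O4_RUN_RE.match(line)
    if m:
        hive, key, name, cmd = m.groups()
        return {"kind": f"{hive}\\{key}", "name": name, "command": cmd.strip()}
    m = O4_GLOBAL_RE.match(line)
    if m:
        name, cmd = m.groups()
        return {"kind": "Global Startup", "name": name, "command": cmd.strip()}
    return None


def exe_path(command):
    """Extract the executable from a startup command, dropping its arguments."""
    m = EXE_RE.match(command)
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage(lines):
    """Parse every O4 line and attach review flags to each entry."""
    results = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        path = exe_path(entry["command"])
        flags = []
        if entry["command"] == "?":
            flags.append("unresolved-target")      # shortcut points nowhere
        elif path is None:
            flags.append("no-exe-path")            # could not tell what runs
        elif "\\" not in path:
            flags.append("bare-filename")          # resolved via PATH at boot
        elif not path.lower().startswith(TRUSTED_PREFIXES):
            flags.append("outside-program-dirs")   # runs from a user-writable spot
        entry["exe"] = path
        entry["flags"] = flags
        results.append(entry)
    return results


SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WOSB] "C:\Documents and Settings\Richard\Desktop\wosb.exe" /run /systray
O4 - Global Startup: BlueSoleil.lnk = ?
'''.strip().splitlines()

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['kind']:16} {e['name']:20} {e['exe']!s:60} {','.join(e['flags']) or 'ok'}")
```

A flag is a prompt to look, not a verdict: GoogleUpdate.exe genuinely lives under the user profile, and the reply's point about these entries is simply that fewer autostarts means a faster machine.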
 
I have learned more about better PC maintenance in this single post than in the last 10 years.
You are definitely a guru! Thank you kimsland.
 
Thank you TS special forces - just been reading up how the forum works. :)
If you ever want any free SEO advice (my area) let me know; I'd be happy to help.
 
seo-> Search engine optimization

Is that right?

I'd like to know how Google indexes websites: by tag? by date? by relevance? by hits? I believe it's by "hits", because when you search, these high-hit topics are always at the top of the list.

Also, if I write letters like kimslandwashere, I don't get any Google hits, even though it's in this thread.
But other threads with "How to remove Trojans" can be Googled directly to that thread. But there's no difference :confused: (except the actual words). It's like someone is saying, "oh, I won't put that on Google searches!"

But I'm not sure if that's what you do.
Anyway, you can PM me if you like; this info is not relevant to "Do I have a trojan?", strangely.

Anyway, thanks for the update :grinthumb
No need to reply.
 
If you don't mind my looking over your shoulder, I'd like to point out that your security is out of date. You have AVG7, which is not supported any longer:
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

This should be updated to v8 ASAP.

Also, AdAware is outdated:
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
Current version is 2008, possibly 2009:
http://www.lavasoft.com/
 