TechSpot

Intrusion attempt - Do I have a trojan?

By thewebseye
Oct 16, 2008
  1. Please can I have your help...

    I recently downloaded some files from a friend's website to try and help them remove the problem which was causing Google to ban it. In order to do this I had to download them to my PC with FTP.
    However, since then Kerio has been saying I have an intrusion attempt.

    Basically, all their HTML files were infected with a JavaScript which should not be there, occurring once in the header and as a script after the closing html tag. I removed them all and their site is working fine. HOWEVER.... my PC is not.

    When I downloaded the files AVG quarantined a number of them and I identified the viruses as Psyme (which it healed) and JS/Downloader.Agent (which it said it did not heal); however, when I run AVG it says no threats are identified.

    Since that time my Kerio firewall keeps on "identifying and blocking an intrusion attempt of type Code injection" (details pasted below).

    Can anyone kindly advise me...
    1) Is this a trojan?
    2) Is there any fix?
    ________________________
    Intruder: \??C:\\WINDOWS\systme32\winlogon.exe

    Technical details about the intrusion attempt:

    Injector application: \??\C:\WINDOWS\system32\winlogon.exe
    Description: winlogon
    File version:
    Product name:
    Product version:
    Created: N/A
    Modified: N/A
    Accessed: N/A

    Target application: C:\WINDOWS\system32\svchost.exe
    Description: Generic Host Process for Win32 Services
    File version: 5.1.2600.5512 (xpsp.080413-2111)
    Product name: Microsoft® Windows® Operating System
    Product version: 5.1.2600.5512
    Created: 2004/8/4, 10:00:00
    Modified: 2008/4/14, 00:12:36
    Accessed: 2008/10/16, 08:29:29

    Address of injection: 0x026169B6
    ________________________

    Can anyone kindly advise me on the best course of action?

    Best regards
    Richard
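    The cleanup Richard describes (a script that does not belong inside the header of every HTML file, plus another one after the closing html tag) is the kind of thing that is worth checking by script rather than by eye across a whole site. The following is an added example, not code from the post or from any of the tools named in it: it treats any `<script>` after `</html>` as suspect, treats inline scripts in `<head>` (or scripts whose `src` is not under an assumed site-owned prefix such as `/js/`) as suspect, reports them, and can strip them. The sample page is constructed for the example.

```python
import re
from pathlib import Path

# Constructed sample page (hypothetical content, not from the post): one
# inline script that does not belong in <head>, the site's own script in
# <body>, and a second script appended after the closing </html> tag.
SAMPLE_HTML = """<html>
<head>
<title>Example</title>
<script>document.write('<iframe src="http://example.invalid/" width="0" height="0"></iframe>');</script>
</head>
<body><p>Hello</p>
<script src="/js/site.js"></script>
</body>
</html>
<script src="http://example.invalid/x.js"></script>
"""

# Group 1 of SCRIPT_RE is the opening tag's attribute list, so a src= inside
# the script body (like the iframe above) is not mistaken for the tag's own src.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
HEAD_RE = re.compile(r"<head\b[^>]*>(.*?)</head\s*>", re.IGNORECASE | re.DOTALL)
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def find_injected_scripts(html, allowed_src_prefixes=("/js/",)):
    """Return (location, snippet) pairs for scripts that look injected.

    allowed_src_prefixes is an assumption about where the site keeps its own
    scripts; adjust it to the real site before trusting a clean result.
    """
    findings = []
    # Anything after the closing </html> tag is never legitimate markup.
    close = HTML_CLOSE_RE.search(html)
    if close:
        for m in SCRIPT_RE.finditer(html[close.end():]):
            findings.append(("after </html>", m.group(0)))
    # Inline scripts in <head>, or head scripts loaded from elsewhere, are suspect.
    head = HEAD_RE.search(html)
    if head:
        for m in SCRIPT_RE.finditer(head.group(1)):
            src = SRC_RE.search(m.group(1))
            if src is None or not src.group(1).startswith(allowed_src_prefixes):
                findings.append(("in <head>", m.group(0)))
    return findings


def clean_html(html, allowed_src_prefixes=("/js/",)):
    """Remove every script find_injected_scripts() reported, leaving the rest intact."""
    for _, snippet in find_injected_scripts(html, allowed_src_prefixes):
        html = html.replace(snippet, "", 1)
    return html.rstrip() + "\n"


def scan_tree(root, allowed_src_prefixes=("/js/",)):
    """Map each .htm/.html file under root to its findings (empty list = clean)."""
    report = {}
    for path in Path(root).rglob("*.htm*"):
        text = path.read_text(encoding="utf-8", errors="replace")
        report[str(path)] = find_injected_scripts(text, allowed_src_prefixes)
    return report


if __name__ == "__main__":
    for where, snippet in find_injected_scripts(SAMPLE_HTML):
        print(f"{where}: {snippet[:70]}")
    print(clean_html(SAMPLE_HTML))
```

Run `scan_tree("/path/to/downloaded/site")` on the FTP copy to get a per-file list before editing anything, and keep the original files so the diff after `clean_html()` can be reviewed; a regex scanner like this is a triage aid, not a parser, so any file it reports should still be opened and checked.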
     
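    The Kerio block pasted above carries one detail a defender should notice before asking whether winlogon.exe itself is a trojan: the injector entry has no file version, product name or timestamps, while the target (svchost.exe) has all of them. The following is an added example, not part of the post or of Kerio: it parses the report as pasted, normalises the NT-style `\??\` path prefix, and flags an application that runs outside the expected `C:\WINDOWS\system32` directory or reports no version metadata or timestamps. The expected directory and the "no metadata is suspicious" rule are assumptions of the example; a genuine Windows binary does carry version information, but a missing value can also mean the firewall simply could not read it, so a flag here is a reason to compare the file against a known-good copy, not a verdict.

```python
# Constructed from the Kerio "Technical details" block quoted in the post.
KERIO_REPORT = r"""Injector application: \??\C:\WINDOWS\system32\winlogon.exe
Description: winlogon
File version:
Product name:
Product version:
Created: N/A
Modified: N/A
Accessed: N/A

Target application: C:\WINDOWS\system32\svchost.exe
Description: Generic Host Process for Win32 Services
File version: 5.1.2600.5512 (xpsp.080413-2111)
Product name: Microsoft® Windows® Operating System
Product version: 5.1.2600.5512
Created: 2004/8/4, 10:00:00
Modified: 2008/4/14, 00:12:36
Accessed: 2008/10/16, 08:29:29

Address of injection: 0x026169B6
"""

NT_PREFIX = "\\??\\"                      # the \??\ object-manager prefix Kerio printed
SYSTEM_DIR = r"c:\windows\system32"       # assumption: where both binaries should live
META_FIELDS = ("File version", "Product name", "Product version")
TIME_FIELDS = ("Created", "Modified", "Accessed")


def parse_report(text):
    """Split the report into one dict per application block plus the address."""
    blocks, current = {}, None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # first colon only; paths contain "C:"
        key, value = key.strip(), value.strip()
        if key.endswith(" application"):
            current = key.split()[0].lower()  # "injector" or "target"
            blocks[current] = {"path": value}
        elif key == "Address of injection":
            blocks["address"] = int(value, 16)
        elif current:
            blocks[current][key] = value
    return blocks


def normalize_path(p):
    """Drop the \\??\\ prefix and lower-case, so both entries compare alike."""
    if p.startswith(NT_PREFIX):
        p = p[len(NT_PREFIX):]
    return p.lower()


def check_application(role, info):
    """Flags for one application block; an empty list means nothing stood out."""
    findings = []
    path = normalize_path(info["path"])
    directory, _, name = path.rpartition("\\")
    if directory != SYSTEM_DIR:
        findings.append(f"{role} {name} runs from {directory}, not {SYSTEM_DIR}")
    if all(not info.get(f) for f in META_FIELDS):
        findings.append(f"{role} {name} reports no version/product metadata")
    if all(info.get(f, "N/A") == "N/A" for f in TIME_FIELDS):
        findings.append(f"{role} {name} has no file timestamps (N/A)")
    return findings


def triage(blocks):
    """Run the checks over injector and target and return all findings."""
    findings = []
    for role in ("injector", "target"):
        if role in blocks:
            findings.extend(check_application(role, blocks[role]))
    return findings


if __name__ == "__main__":
    parsed = parse_report(KERIO_REPORT)
    print(f"injection address: {parsed['address']:#010x}")
    for finding in triage(parsed):
        print("-", finding)
```

On the pasted report this yields two findings, both about the injector and none about the target. The directory check is what would catch a lookalike folder; the post's own "Intruder:" line spells the directory "systme32", and a report with that path would be flagged as running outside system32 whether it is a typo in the post or not. The next step in either case is to compare the winlogon.exe on disk with a known-good copy (the page gives no hash to compare against, so none is assumed here) and to let the scanners the thread recommends have a look.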
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  3. thewebseye

    thewebseye TS Rookie Topic Starter

    Thanks

    Hi Kimsland - thanks for pointing me in the right direction... I think it is solved... the intrusions seem to have stopped.

    AVG found no threats.
    Malwarebytes found 9 backdoors and removed them.
    SuperAntiSpyware said it was clean.

    I have attached the logs - are you able to tell if it is fixed?
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Please run HJT, and tick and fix this one:
    You also have a Bonjour Service (Start->Run->services.msc) starting up. Please read about that here: http://www.raymond.cc/blog/archives/2008/02/10/how-to-uninstall-or-remove-bonjour-mdnsresponderexe/
    Actually, you have too many startups overall.
    Whilst it's easier to have programs autostart with Windows, this will also slow down a computer and use much of the computer's resources (CPU and RAM). The following, therefore, is at your discretion. (If it helps you a little, I'd remove them all! But you may want to carefully go through the list.)

    Instead of using HJT for these ones, you could use Startup Control Panel (http://www.mlin.net/StartupCPL.shtml), with which you can reverse the changes if you later find that you do need one of these many startups.

    Of the user startups, those that could be removed are:
    Also, your Java is now out of date and should be updated.
    Please go here and update it: http://java.com/en/download/installed.jsp?detect=jre&try=1
    (Note: This process can be quite slow. It would be best to turn off any screen savers or any other task that may try to come on when Java is updating.)

    Other than that, clean :)
     
  5. thewebseye

    thewebseye TS Rookie Topic Starter

    I have learned more about better PC maintenance in this single post than in the last 10 years.
    You are definitely a guru! Thank you kimsland.
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Thank-you :)

    But not any more it would seem :cool:
     
  7. thewebseye

    thewebseye TS Rookie Topic Starter

    Thank you TS special forces - just been reading up how the forum works. :)
    If you ever want any free SEO advice (my area) let me know; I'd be happy to help.
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    seo-> Search engine optimization

    Is that right?

    I'd like to know how Google indexes websites: by tag? by date? by relevance? by hits? I believe it's by "hits" because when you search, these high-hit topics are always at the top of the list.

    Also, if I write letters like kimslandwashere
    I don't get any Google hits, even though it's in this thread.
    But other threads with "Howto remove Trojans" can be Googled directly to that thread. But there's no difference :confused: (except the actual words). Like someone is saying, oh, I won't put that on Google searches!

    But not sure if that's what you do.
    Anyway, you can PM me if you like; this info is not relevant to "Do I have a trojan?", strangely.

    Anyway, thanks for the update :grinthumb
    No need to reply.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you don't mind my looking over your shoulder, I'd like to point out that your security is out of date. You have AVG7 which is not supported any longer:
    This should be updated to v8 ASAP.

    Also, AdAware is outdated:
    Current version is 2008, possibly 2009:
    http://www.lavasoft.com/
     
  10. thewebseye

    thewebseye TS Rookie Topic Starter

    Thanks a lot Bobbye - I'll update my software.
    Hi Kimsland - answers on your visitors contact page :)
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome.
     
Topic Status:
Not open for further replies.
