
I've apparently got a Trojan Horse 2

Status
Not open for further replies.

fwfarr

Technical User
Nov 7, 2003
3
CA
Probably as a result of accessing an unsafe web site I seem to have a virus which I can't easily remove. I have AVG Free installed and it frequently shows a dialog indicating that I have a "threat". When I am browsing I often suddenly get another web page that was unexpected. My OS is Windows XP and I browse with Firefox. I have run Spybot and Ad-Aware, both of which found problems which I removed. Obviously, though, the problem has not been eliminated by them. I have run HijackThis and the log follows. Is it possible that this is the problem?

O2 - BHO: (no name) - {CC9DCB8F-9C31-4317-87DC-9819B70EA5A0} - C:\WINDOWS\system32\efcARihE.dll (file missing)

I'm reluctant to remove it until I'm sure.

I appreciate your help and look forward to your response.

fwfarr

Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:08 AM, on 1/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: &Research - {0B014B81-4E12-46F9-806F-55867AF8FD3C} - C:\WINDOWS\system32\winsystems.dll (file missing)
O2 - BHO: {022939b5-20b3-2b5b-ab94-218010660253} - {35206601-0812-49ba-b5b2-3b025b939220} - C:\WINDOWS\system32\xfygjb.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {CC9DCB8F-9C31-4317-87DC-9819B70EA5A0} - C:\WINDOWS\system32\efcARihE.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: ,avgrsstx.dll xfygjb.dll
O20 - Winlogon Notify: fccbBSiI - fccbBSiI.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6990 bytes
 
Yes: delete all of these.

O2 - BHO: &Research - {0B014B81-4E12-46F9-806F-55867AF8FD3C} - C:\WINDOWS\system32\winsystems.dll (file missing)
Unknown application.
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: {022939b5-20b3-2b5b-ab94-218010660253} - {35206601-0812-49ba-b5b2-3b025b939220} - C:\WINDOWS\system32\xfygjb.dll (file missing)
Unknown application.
Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: (no name) - {CC9DCB8F-9C31-4317-87DC-9819B70EA5A0} - C:\WINDOWS\system32\efcARihE.dll (file missing)
Unknown application.
Unnecessary (deactivated) entry that can be fixed.
O20 - Winlogon Notify: fccbBSiI - fccbBSiI.dll (file missing)
Unnecessary (deactivated) entry that can be fixed.

This isn't flagged with any useful information, but it looks odd to me:

O20 - AppInit_DLLs: ,avgrsstx.dll xfygjb.dll

Possibly a trojan masquerading as an AVG file; it's not in my own HJT scan, so I am very suspicious. But just in case it is part of AVG, don't have HJT remove it just yet.

Other than that one all the other entries are old stuff and not causing your problem but have HJT fix them anyway.

Get hold of copies of Malwarebytes, Superantispyware and DrWebCureit.
Install and update these.
Then start your computer in safe mode (Press F8 during boot and select Safemode)
and run each of these programs in turn. (this will take a while)

This should remove any trojans still on the machine. Then get hold of a copy of CCleaner and run this: remove unwanted files, and do a registry scan and let it clean that too.




Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
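Added example, not from the thread and not part of HijackThis: a small Python triage pass over the entries of interest in the log posted above. It picks out what the two replies above do by hand: "(file missing)" load points whose registry hook outlived the DLL, BHOs with no readable name, and the AppInit_DLLs value that Steve flags. HijackThis prints that value raw, and the registry value is a comma- or space-separated list (hence the leading comma), so the code splits it into individual names and compares each against an allow-list of DLLs known to belong to installed products (the allow-list is our assumption, not anything HijackThis ships). It also correlates basenames across sections: the same `xfygjb.dll` appearing both as a dead BHO and inside AppInit_DLLs is one infection with two load points, which is the sort of link a per-line "unknown application" verdict misses. The sample log is constructed from the lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the entries of interest copied from the HijackThis log
# posted above, plus three benign lines for contrast. Raw string so the
# Windows backslashes survive verbatim.
HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: &Research - {0B014B81-4E12-46F9-806F-55867AF8FD3C} - C:\WINDOWS\system32\winsystems.dll (file missing)
O2 - BHO: {022939b5-20b3-2b5b-ab94-218010660253} - {35206601-0812-49ba-b5b2-3b025b939220} - C:\WINDOWS\system32\xfygjb.dll (file missing)
O2 - BHO: (no name) - {CC9DCB8F-9C31-4317-87DC-9819B70EA5A0} - C:\WINDOWS\system32\efcARihE.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: ,avgrsstx.dll xfygjb.dll
O20 - Winlogon Notify: fccbBSiI - fccbBSiI.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Assumption: our own allow-list of DLL names that belong to a product seen
# elsewhere in the log (AVG). HijackThis has no such list; a responder
# confirms membership by checking the file's vendor/signature on the box.
KNOWN_DLLS = {"avgrsstx.dll"}

ENTRY_RE = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")
GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
FILE_RE = re.compile(r"\S+\.(?:dll|exe)\b", re.I)
MISSING = "(file missing)"


def parse_hjt(text):
    """Split HijackThis lines into section (O2/O20/...), kind (BHO, AppInit_DLLs,
    ...), the entry body, every DLL/EXE basename it references (lower-cased,
    comma separators stripped) and the '(file missing)' flag."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)].strip()
        kind, _, rest = body.partition(":")
        files = [t.rsplit("\\", 1)[-1].lower().strip(",") for t in FILE_RE.findall(rest)]
        entries.append({"section": section, "kind": kind.strip(), "rest": rest.strip(),
                        "files": files, "missing": missing, "raw": line.strip()})
    return entries


def looks_generated(name):
    """Weak signal for a machine-generated name: a 6+ letter stem with no vowel."""
    stem = name.rsplit(".", 1)[0]
    return len(stem) >= 6 and stem.isalpha() and not set("aeiou") & set(stem)


def triage(entries):
    """Return (reason, raw line) pairs a responder should look at first."""
    findings = []
    for e in entries:
        if e["missing"]:
            findings.append(("dead load point: registry still names a deleted file", e["raw"]))
        if e["kind"] == "BHO":
            name = e["rest"].split(" - ")[0]
            if name == "(no name)" or GUID_RE.match(name):
                findings.append(("BHO with no readable name", e["raw"]))
        if e["kind"] == "AppInit_DLLs":
            # Every name here is loaded into each process that maps user32.dll,
            # so an unknown entry is a system-wide injection point.
            for f in e["files"]:
                if f not in KNOWN_DLLS:
                    findings.append((f"AppInit_DLLs injects unknown {f}", e["raw"]))
        for f in e["files"]:
            if looks_generated(f):
                findings.append((f"machine-generated looking name: {f}", e["raw"]))
    return findings


def cross_section_files(entries):
    """Basenames referenced from more than one section. A name that is both a
    dead BHO and an AppInit_DLLs entry points at one infection, not two."""
    seen = defaultdict(set)
    for e in entries:
        for f in e["files"]:
            seen[f].add(f"{e['section']} {e['kind']}")
    return {f: sorted(s) for f, s in seen.items() if len(s) > 1}


if __name__ == "__main__":
    parsed = parse_hjt(HJT_LOG)
    for reason, raw in triage(parsed):
        print(f"[{reason}]\n    {raw}")
    print("same file in several sections:", cross_section_files(parsed))
```

Run it with a full log pasted into `HJT_LOG` and the output is a short worklist rather than 70 lines to eyeball. The no-vowel heuristic is deliberately weak (it catches `xfygjb` but not `efcARihE` or `fccbBSiI`); the reliable signals are the dead load points and the cross-section match, which is why the AppInit_DLLs entry gets reported even though HijackThis prints it without any verdict.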
 
^^^^^ Malwarebytes Anti-Malware should do the trick by itself. I would do a Quick Scan first and then have it remove everything. Then do a FULL Scan after rebooting (if required).

I rely on this all the time to cure what ails most PCs. If that can't remove it, followed by a virus scan (using whatever A/V is installed on the computer) then I would be very worried.

You might (once you know that Windows is stable after the first scan) disable system restore, THEN do the full scan. Then, once things are cleaned up, re-enable system restore. The bad stuff CAN hide in Sys Rest.
 
What do you mean - the bad stuff can hide in System Restore? I'm trying to figure this part out. Thanks.
 
goombawaho is correct, a favorite place for 'backup' copies of malware files to be installed is directly into your system restore folders, that way if you think 'OK all I have to do is a system restore' you are also restoring the virus/malware.





Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
System Restore allows you to roll your system back to an earlier date in case something has caused a problem (software install, windows update).

Here's how to turn it off and on. I would turn it OFF (as long as windows seems stable) and then do your final scans.

Then reboot if MBAM asks you to.

Then if things are working well, I'd turn System Restore back on. Some (not all) malware can keep a copy of itself in the system restore folder and try to come back on you.
 