Trojan Horse Downloader.VB.3. AF.


6 replies to this topic

#1 Rainbow (Member; Full Member, 12 posts)

Posted 30 June 2004 - 10:20 AM

I'm getting a pop up window that tells me I have Trojan Horse Downloader.VB.3. AF. and to run AVG for Windows. I have run AVG, Adware and Spybot and I still receive this message. The location is: C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP239\A0021935.DLL.

Can someone take a look at my Hijack This log and advise me? Thanks!

Logfile of HijackThis v1.97.7
Scan saved at 11:09:43 AM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\S3tray2.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://qus7.hpwis.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/p...13/invinstl.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {86F622BA-EF88-458C-9E74-E2574B6875A5} (MS Investor Portfolio) - http://fdl.msn.com/p...02/investor.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7846.3306018518
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/p...v9.5/ticker.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?319
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab

--------------------------------------------------------------------------------

#2 mnosteele (Dr Tweak; Full Member, 22 posts)

Posted 01 July 2004 - 07:51 AM

First turn off system restore then turn it back on. The Trojan Horse Downloader.VB.3. AF is stuck in a restore point and the only way to remove it is to turn off system restore which deletes all of your old restore points.

As for your log, remove the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://qus7.hpwis.com/
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

It appears you do a lot of financial work via the internet, so make sure you have a good firewall. Along with using AVG, also make sure you set up AVG as I have shown HERE. I would recommend Sygate for a firewall.

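The two things the reply above asks the poster to do by hand are (a) pick out the HijackThis entries worth removing and (b) recognise that the AVG hit sits inside a System Restore snapshot, where the scanner can report it but not clean it. The script below is an added example, written for this page; it is not code from the thread, from HijackThis or from AVG. It parses a constructed HijackThis-format log (modelled on the one posted, with a made-up O16 URL), flags orphaned "(no file)" entries and R0/R1/O16 targets whose host is not on an analyst-supplied allowlist (the allowlist itself is an assumption), and classifies a detection path as restore point, browser cache or live file.

```python
import re
from urllib.parse import urlparse

# Constructed sample input in HijackThis v1.97 log format, modelled on the
# log posted above. The O16 line uses a made-up placeholder URL.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://activex.example.com/control.cab
"""

# Analyst-supplied allowlist of hosts this machine is expected to use.
# This set is an assumption for the example, not a vendor-maintained list.
KNOWN_HOSTS = {"g.msn.com", "www.microsoft.com", "windowsupdate.microsoft.com"}

# Every HijackThis entry starts with a section tag such as R0, O3 or O16.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def _host_of(url):
    host = urlparse(url.strip()).hostname
    return host.lower() if host else None


def triage_hjt(text):
    """Return findings as dicts with 'section', 'reason' and 'entry'."""
    findings = []
    for section, body in parse_hjt(text):
        if body.endswith("(no file)"):
            # The registry still references a file that no longer exists.
            findings.append({"section": section, "reason": "no file", "entry": body})
            continue
        url = None
        if section in ("R0", "R1") and " = " in body:
            url = body.rsplit(" = ", 1)[1]   # start page / search page target
        elif section == "O16" and " - " in body:
            url = body.rsplit(" - ", 1)[1]   # ActiveX control download source
        if url and url.lower().startswith("http"):
            host = _host_of(url)
            if host not in KNOWN_HOSTS:
                findings.append({"section": section,
                                 "reason": f"unlisted host {host}",
                                 "entry": body})
    return findings


# Matches the System Restore snapshot layout seen in the first post:
# <drive>:\System Volume Information\_restore{GUID}\RP<n>\<file>
RESTORE_POINT = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{(?P<guid>[0-9A-Fa-f-]{36})\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)
IE_CACHE = re.compile(r"\\Temporary Internet Files\\", re.IGNORECASE)


def classify_detection(path):
    """Say where an AV hit lives, because that decides how it can be removed."""
    m = RESTORE_POINT.match(path)
    if m:
        # Copy inside a restore point: the scanner reports it but cannot clean
        # it there; purging the restore points is what removes it.
        return {"kind": "restore_point", "guid": m.group("guid").upper(),
                "rp": int(m.group("rp")), "live": False}
    if IE_CACHE.search(path):
        # Cached download in the browser cache, not an installed component.
        return {"kind": "ie_cache", "live": False}
    # Anywhere else it is a file on the live system: look for what loads it.
    return {"kind": "live", "live": True}


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f['section']:<4} {f['reason']:<40} {f['entry']}")
    print(classify_detection(
        r"C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP239\A0021935.DLL"))
```

Run against the constructed log it flags the orphaned O3 toolbar, the R0 start page on an unlisted host and the O16 download, and leaves the allowlisted g.msn.com search bar alone; the path from the first post classifies as a restore-point copy (RP239), which is why running AVG again does not clear it.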

#3 Rainbow (Member; Full Member, 12 posts)

Posted 01 July 2004 - 07:58 AM

Thank you so much! Once I've run Ad-aware, Spybot and AVG, is it always necessary to turn off the restore point, and how do I tell? I've had to do this before to get rid of them, but I do it hesitantly and never without being advised to. Also, thanks for the advice on the AVG setup.

#4 mnosteele (Dr Tweak; Full Member, 22 posts)

Posted 01 July 2004 - 12:20 PM

Glad to help. I always recommend turning off System Restore if you suspect you are infected with a virus.

My personal opinion on System Restore is that it is useless, the reason being that the time when you really need it is when you cannot boot into Windows, but you cannot access it unless you can get into Windows. If you can get into Windows, then the problem can be fixed; that's just my opinion.

#5 Rainbow (Member; Full Member, 12 posts)

Posted 06 July 2004 - 12:33 PM

Good point about System Restore being useless. My PC crashed and I just got it back up and running, hence the long delay in my response. Thanks for the advice; in the future I will turn System Restore off if a virus is detected.

#6 sirscott (Member; New Member, 3 posts)

Posted 17 July 2004 - 01:40 AM

I have the same trojan, and I get the same message. I even have AVG.

But I'm using Windows 2000 Pro. How do I stop the restore point on it?

#7 sirscott (Member; New Member, 3 posts)

Posted 17 July 2004 - 01:45 AM

I forgot to add: this is where it says it shows up in my AVG log.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\CONTENT.IE5\KLJHX75O\ROING1~1.OCX repaired
C:\WINNT\ROING18.OCX repaired



