I think I have a trojan

benjyb · Mar 17, 2009

I have windows XP pro 2002, sp 3. I have been using AVG8, Zone Alarm Pro, Spybot S&D, and spyware blaster for some time and up till now have had no problems with any of them. A few weeks ago I began receiving ZA alerts that connections to various ports were being blocked to and from various addresses. Also I began getting the Zone Alarm message "Blocked- Windows NT Logon application" A few of these appear every few minutes, also when the computer first starts talking to the router at system start up, when a new application is started, and when I shut down. Shutdown process was taking a longer time than normal, so I decided to try to shut down the router or unplug the ethernet cable prior to shutdown to see what would happen. When I do that, sometimes I get the a message to the effect that the system was unable to write to a harddisk (I wrote the exact message down but cant find it right now, sorry) and that data would be lost. I didn't know what data it was referring to because I always save and shutdown my applications before shutting down the computer. That made me wonder if data or keystrokes or something was being forwarded to a remote hacker or something.
I downloaded avast and tried to run it but it locked up the computer. It also disabled AVG so I used the Remove Programs app to remove it, but then I couldn't reinstall it. I tried to remove Avast the same way and in safe mode but I get the message "there was an error during product uninstallation" and I cant get rid of it. It won't run, when windows starts up it says "application fails to initialize properly oxc0000005" I tried to use Spybot to disable it in the start menu but it doesn't work. I tried to use system restore but each time I get an error message and a request to pick a different restore point, which doesn't work. Oh, now I can't seem to get the f8 key to get me back to safe mode.
I ran the 3 steps, (housecleaning proc., windows xp cleanup, etc) and I think I have followed the instructions properly. The log files from the 4 scans will be attached to this post and another right after. Thanks in advance. Benjy

benjyb · Mar 17, 2009

This is the final attachment that goes with the my previous post. Thanks!!!
benjy

chaslang · Mar 20, 2009

Welcome to Major Geeks!

Now we need to use ComboFix again.

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!

If it is not on your Desktop, the below will not work.

Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.

Open Notepad and copy/paste the text in the below quote box into it:

KILLALL::
Fcopy::
C:\WINDOWS\ServicePackFiles\i386\svchost.exe | C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ServicePackFiles\i386\svchost.exe | C:\WINDOWS\system32\dllcache\svchost.exe

Folder::
C:\89e48b17d1b391d3e88a
c:\documents and settings\All Users\Application Data\avg8

File::
c:\program files\6a61jg0a.0
c:\program files\version.ini
c:\program files\gwflash.exe
c:\program files\markfun.a64
c:\program files\markfun.w32
c:\program files\updateutility.exe
c:\program files\update.ini
c:\program files\gwf32.exe
c:\program files\BIOS_Run.exe
c:\program files\W95_HUA.vxd
c:\windows\system32\winsys2.exe

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"=-
"WinSys2"=-
"Verizon_McciTrayApp"=-
Click to expand...

Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe

At this point, you MUST EXIT ALL BROWSERS NOW before continuing!

You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.

Now use your mouse to drag CFscript.txt on top of ComboFix.exe

Follow the prompts.

When it finishes, a log will be produced named c:\combofix.txt

I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

MGtools did not run properly last time. Please refer to this link Using MGtools and apply the fix given for Error Message Type 1.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

C:\ComboFix.txt

C:\MGlogs.zip

Make sure you tell me how things are working now!

benjyb · Mar 20, 2009

Thank you!!!!
I have attached the two files mentioned.

I still get the message when windows boots up or if I try to open Avast "ashdsp.exe - app failed to initialize properly - oxc0000005

I cant remove avast with add or remove programs, I get the message "there was an error during product uninstallation"

I can't thank you enough for this.

Benjy

chaslang · Mar 23, 2009

First you must disable Spybot's Teatimer as requested in the READ & RUN ME. See this: How to disable Spybot's TeaTimer

benjyb said: ↑

I still get the message when windows boots up or if I try to open Avast "ashdsp.exe - app failed to initialize properly - oxc0000005

I cant remove avast with add or remove programs, I get the message "there was an error during product uninstallation"
Click to expand...

Try using the below to uninstall Avast:

Your Uninstaller! 2008

DO NOT attempt to reinstall any software yet. Just do the above and nothing more. You need to stop downloading and installing any software except what we ask. As we stated in the instructions in the READ & RUN ME, once you begin the cleaning process, you must only do what we ask. Uninstall RegGenie which you just installed and avoid registry cleaners in the future. The can more problems than they fix and you will make it impossible for us to help you if you keep doing things on your own.

Did you do the below as requested last time?

MGtools did not run properly last time. Please refer to this link Using MGtools and apply the fix given for Error Message Type 1.
Click to expand...

MGtools is still not running properly.

Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>

ShowNew <-- this will try to run all another scan from MGtools. Tell me what error messages, if any, you see.

Log in or Sign up

I think I have a trojan

benjyb Private E-2

Attached Files:

ComboFix.txt

SUPERAntiSpyware Scan Log - 03-17-2009 - 18-17-39.log

mbam-log-2009-03-17 (18-33-08).txt

benjyb Private E-2

Attached Files:

MGlogs.zip

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

benjyb Private E-2

Attached Files:

ComboFix.txt

MGlogs.zip

chaslang MajorGeeks Admin - Master Malware Expert Staff Member