
trojan, virus? what is it?

  • 29-06-2012 10:30am
    #1
    Registered Users, Registered Users 2 Posts: 802 ✭✭✭


    Hi, I'm no techie on the pc, but hope you can help... Am running windows 7 with AVG anti-virus...for past few days the AVG 'resident shield alert' keeps throwing up dire warnings about a windows system32services'exe...trojan horse dropper. generic..and goes on to say items resolved...then throws the warning up again 15 mins later...another warning, don't know if it's related, from AVG, occasionally pops up to advise that the system is using too much memory, or to that effect...could it be this bloody trojan doing something nasty in the background?
    Tried using AVG and malwarebytes to cure it to no effect...the computer won't let me do a system restore either!!
    Would really appreciate some help...ta
    __________________


Comments

  • Closed Accounts Posts: 10,808 ✭✭✭✭chin_grin


    Did you do a scan in safe mode?

    Malwarebytes usually sorts it out, although personally I'd get rid of AVG and install MSE instead.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    got a log from avg or mbam ?


  • Closed Accounts Posts: 4,037 ✭✭✭Nothingbetter2d


    i prefer avast over mse.... mse seems to miss so many.

    also spybot and mbam are good


  • Registered Users, Registered Users 2 Posts: 802 ✭✭✭oldsmokey


    Hi...I've seen logs posted by other troubled souls, no idea how to do it..if it helps, you might let me know how to get the log and I'll put it up.. just been trying to run MSE (it was switched off, dunno why), and the damn thing keeps throwing up a 'can't run' error....grrrrr


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    The log can be viewed by clicking the Logs tab in MBAM. Copy and paste that here.


  • Registered Users, Registered Users 2 Posts: 802 ✭✭✭oldsmokey


    Here we go...is it fixed now d'you think?...no nasties so far today...thanks all..
    Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.06.29.06

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Dan :: DANS-PC [administrator]

    Protection: Enabled

    29/06/2012 16:43:16
    mbam-log-2012-06-29 (16-43-16).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 390422
    Time elapsed: 1 hour(s), 29 minute(s), 58 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Windows\Installer\{732eec09-4e70-0f7a-a81a-289489e5979b}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

    (end)
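As an added example (not code from anyone in this thread), a small Python triage helper that parses an MBAM log in the format posted above, pulls out the per-section detection counts and each detected object, and flags rootkit-family hits, since a quarantine performed from inside the running OS is not proof the machine is clean. The sample log is constructed from the entry above; the regex field names and the `ROOTKIT_PREFIXES` list are assumptions.

```python
import re

# Constructed sample modelled on the log posted above (trimmed, not the full log).
SAMPLE_LOG = r"""Malwarebytes Anti-Malware (Trial) 1.61.0.1400
Database version: v2012.06.29.06
Windows 7 Service Pack 1 x64 NTFS
Scan type: Full scan
Objects scanned: 390422
Memory Processes Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Windows\Installer\{732eec09-4e70-0f7a-a81a-289489e5979b}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
(end)
"""

# "<Section> Detected: <n>" summary lines.
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<n>\d+)$")
# "<object> (<family>) -> <action>." detection lines; the family sits in the last parenthesised group.
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Families whose presence means kernel-level persistence: treat a live-OS quarantine as incomplete.
ROOTKIT_PREFIXES = ("Rootkit.",)


def parse_mbam_log(text):
    """Return (counts, items): detection counts per section and a dict per detected object."""
    counts, items = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_RE.match(line)
        if m:
            counts[m.group("section")] = int(m.group("n"))
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append({"object": m.group("obj"),
                          "family": m.group("family"),
                          "action": m.group("action")})
    return counts, items


def needs_offline_scan(items):
    """True when any detection belongs to a rootkit family (boot-disc scan or reinstall advised)."""
    return any(i["family"].startswith(ROOTKIT_PREFIXES) for i in items)


if __name__ == "__main__":
    counts, items = parse_mbam_log(SAMPLE_LOG)
    for i in items:
        print(f"{i['family']:<20} {i['object']}  [{i['action']}]")
    print("offline scan recommended:", needs_offline_scan(items))
```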


  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    oldsmokey wrote: »
    Here we go...is it fixed now d'you think?...no nasties so far today...thanks all..

    It removed a rootkit which is quite nasty. I would run another scan with mbam/Super anti spyware and see if anything else shows up

    Nick


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    na definitely not fixed, download and run combofix

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix


    post the log it gives you.


  • Registered Users, Registered Users 2 Posts: 802 ✭✭✭oldsmokey


    ajs, you're right, booted up this am, avg 'threat detected' popup... is the combo-fix program ok to run for a tech-numpty such as meself?..I don't want the pc to end up any worse...thanks..


  • Registered Users, Registered Users 2 Posts: 304 ✭✭practice


    Run the scan again and when it deletes the file,
    Turn off system restore, ignore the warning and then turn it back on again.


  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    oldsmokey wrote: »
    ajs, you're right, booted up this am, avg 'threat detected' popup... is the combo-fix program ok to run for a tech-numpty such as meself?..I don't want the pc to end up any worse...thanks..

    Run combofix and then post the log it makes up here (C:\combofix.txt), it will probably sort your issues out. Try running it in safe mode if possible (download it onto a cd/usb key then boot machine into safemode, copy the combofix.exe to the desktop and run it from there)

    Nick


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    combofix is perfectly safe to use, and should be easy enough to use for tech-numptys :)


    Don't waste your time running AVG, it's not going to be able to remove a rootkit. I wouldn't use your PC for online banking or credit card usage till you remove this by the way.


  • Registered Users, Registered Users 2 Posts: 813 ✭✭✭CaSCaDe711


    @ OP: Hope you got your machine sorted.

    Excuse the language, but malware writers, what a bunch of cunt5 :mad:


  • Registered Users, Registered Users 2 Posts: 802 ✭✭✭oldsmokey


    Cascade you're right..I've spent the most of a day bolli+ing with this thing..turns out malwarebytes didn't sort it..MSE can't be switched on, presumably on account of it..same with MS updates, can't turn it on...am doing a MS safety scanner scan on it now to try and sort the damn thing...a 0x80070424 error keeps coming up, and the recommended fixes don't...


  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    oldsmokey wrote: »
    Cascade you're right..I've spent the most of a day bolli+ing with this thing..turns out malwarebytes didn't sort it..MSE can't be switched on, presumably on account of it..same with MS updates, can't turn it on...am doing a MS safety scanner scan on it now to try and sort the damn thing...a 0x80070424 error keeps coming up, and the recommended fixes don't...

    You probably still have a rootkit that is interfering with any anti virus scanners. I've come across this plenty of times before, usually using a boot rescue disc like Kaspersky will get the machine in a good enough state so that mse, mbam, super as etc will work ok. Look at the Kaspersky live disc instructions here

    Nick


  • Registered Users, Registered Users 2 Posts: 802 ✭✭✭oldsmokey


    Hi...this thing is a mess!! finally downloaded a MS fix..took bones of an hour, when that damn thing finished, the PC would throw up a box with a warning that it's shutting down in 1 minute, did just that, so was really snookered as to what to do next - fault occurring in safe mode too!!, after an hour's messing started in safe mode and picked the factory restore option..the way it was described, thought some of my stuff would be saved, but it seems all gone...ffs...but the shutting down problem's solved!!..time for some anti-virus methinks..best free / pay-for option out there?


  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    oldsmokey wrote: »
    Hi...this thing is a mess!! finally downloaded a MS fix..took bones of an hour, when that damn thing finished, the PC would throw up a box with a warning that it's shutting down in 1 minute, did just that, so was really snookered as to what to do next - fault occurring in safe mode too!!, after an hour's messing started in safe mode and picked the factory restore option..the way it was described, thought some of my stuff would be saved, but it seems all gone...ffs...but the shutting down problem's solved!!..time for some anti-virus methinks..best free / pay-for option out there?
    Try the live disc I linked to above, Microsoft Security Essentials or Avast are grand anti virus software and are free.

    Nick


  • Closed Accounts Posts: 1,455 ✭✭✭RUCKING FETARD


    I'd just do a fresh install whenever I get a virus.

    15mins on my own machine to have it back the way it was before.

    Hours on someone else's machine, still quicker than scanners though.


  • Registered Users, Registered Users 2 Posts: 760 ✭✭✭mach1982


    RUCKING FETARD wrote: »
    I'd just do a fresh install whenever I get a virus.

    15mins on my own machine to have it back the way it was before.

    Hours on someone else's machine, still quicker than scanners though.

    That's a bit of a waste of time, also it can damage the hard drive.


  • Closed Accounts Posts: 7,480 ✭✭✭wexie


    mach1982 wrote: »
    That's a bit of a waste of time, also it can damage the hard drive.

    Reinstalling the OS can damage the harddrive? Please explain?
    I manage a very large amount of servers and every time they reboot the OS gets reinstalled using a PXE image.

    If this is damaging my drives I'd quite like to know about it.


  • Moderators, Computer Games Moderators Posts: 4,282 Mod ✭✭✭✭deconduo


    Yeah if you ever get a rootkit then I'd recommend just reinstalling if that is an option. They are a complete pain to get rid of.
    mach1982 wrote: »
    That's a bit of a waste of time, also it can damage the hard drive.

    Depending on your setup, reinstalling can be a hell of a lot quicker than trying to eradicate every last trace of a rootkit. Also it will not damage your hard drive, I have no idea where you got that idea from.


  • Registered Users, Registered Users 2 Posts: 1,065 ✭✭✭Snowbat


    yoyo wrote: »
    Microsoft Security Essentials or Avast are grand anti virus software and are free.

    As I've mentioned before, Microsoft Security Essentials has a poor detection rate, the worst of 20 tested by AV-Comparatives here:
    [attached image 211679.jpg: AV-Comparatives detection-rate chart]

    The free version of AVIRA is hard to beat.


  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    Snowbat wrote: »
    As I've mentioned before, Microsoft Security Essentials has a poor detection rate, the worst of 20 tested by AV-Comparatives here:
    [attached image 211679.jpg: AV-Comparatives detection-rate chart]

    The free version of AVIRA is hard to beat.

    The Avira daily pop up ad is annoying (ironic for an anti malware program to spam ads like so), as are the false positives, used to use it but it did my head in. MSE isn't so good on the heuristics, but I find it to be ok and recommend it to people for whom it works fine. No av will stop all viruses slipping through, but if you don't mind pop ups or annoyances then Avira is good, although I do recall Avira screwing up machines not so long ago removing critical system files, same with AVG

    Nick


  • Registered Users, Registered Users 2 Posts: 802 ✭✭✭oldsmokey


    back again!! all ok after the factory restore, but the pre-installed limited version of office is gone now...poked thru the set-up disc that came with the pc, but no joy, the windows office file is protected on it...can I reinstall - if I click on the windows icon in the 'programs', then I'm asked for a keycode or such..don't have that as it only comes with purchased office package...any way out?..I only want a very basic word package so would be happy with any half-decent free one out there..apache any good?
    Thanks ..


  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    oldsmokey wrote: »
    back again!! all ok after the factory restore, but the pre-installed limited version of office is gone now...poked thru the set-up disc that came with the pc, but no joy, the windows office file is protected on it...can I reinstall - if I click on the windows icon in the 'programs', then I'm asked for a keycode or such..don't have that as it only comes with purchased office package...any way out?..I only want a very basic word package so would be happy with any half-decent free one out there..apache any good?
    Thanks ..

    If you bought office with the machine you would need to locate the serial card to reinstall, if not or the card is lost give LibreOffice a go, it's free :)

    Nick


  • Closed Accounts Posts: 2,117 ✭✭✭Defiler Of The Coffin


    mach1982 wrote: »
    That's a bit of a waste of time, also it can damage the hard drive.

    Nonsense


  • Registered Users, Registered Users 2 Posts: 760 ✭✭✭mach1982




  • Registered Users, Registered Users 2 Posts: 802 ✭✭✭oldsmokey


    ta


  • Registered Users, Registered Users 2 Posts: 632 ✭✭✭Markgc


    Hello
    I have a Trojan horse Hider.RXX c:\windows\system3...

    AVG can't remove it as object inaccessible

    Is this a major threat and how do I remove it?

    Also AVG removed a root kit earlier after I turned on the computer.
    It deleted two files and one registry key...

    usbhc.sys
    1JFUWEIE.EXE

    and key =hkey_local_machine\szstem\currentcontrolset\services\usbhc


    (Was a IDP.Hacktool.6A318182 severity level '4 x red boxes')

    Any suggestions would be great thanks.


  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    Markgc wrote: »
    Hello
    I have a Trojan horse Hider.RXX c:\windows\system3...

    AVG can't remove it as object inaccessible

    Is this a major threat and how do I remove it?

    Also AVG removed a root kit earlier after I turned on the computer.
    It deleted two files and one registry key...

    usbhc.sys
    1JFUWEIE.EXE

    and key =hkey_local_machine\szstem\currentcontrolset\services\usbhc


    (Was a IDP.Hacktool.6A318182 severity level '4 x red boxes')

    Any suggestions would be great thanks.

    MBAM should help. If your files have disappeared/been hidden use unhide to reveal them

    Nick


  • Registered Users, Registered Users 2 Posts: 3,410 ✭✭✭old_aussie


    Fake adobe update

    Take the easy way out, Just format and reload OS

