Trojan


Picked up a nasty when opening a web site the other day and can't seem to
shake it. Am using updated CA anti-virus but it allowed the infection even
though it recognizes it but can't rid my system of it. I routinely clean out
history files and caches. I keep deleting files but it keeps recreating
them. It keeps re-establishing itself in the "start" menu in run/msconfig. I
have to "end process" of an unusual numbered process in task manager every
time I re-boot. The files that it keeps replicating are in "C/Windows" and
was "norton exe" but has now become "winform exe". Have tried Kaspersky,
Panda and CA on-line scanners but no luck. Below are the CA prompts I keep
getting. Any ideas?         Tom G.

2007/03/29 11:30:24.656 File infection: C:\Documents and
Settings\tomnvik.TOMNVIK-NBMH3UY\Local Settings\Temporary Internet
Files\Content.IE5\MPAXATKL\moyu0328[1].exe is Win32/Frethog!generic trojan.
Deleted
2007/03/29 11:30:24.734 File infection: C:\WINDOWS\System32\kdjs1.exe is
Win32/Frethog!generic trojan. Deleted
2007/03/29 11:30:24.734 File infection: C:\WINDOWS\System32\kdjs1.exe is
Win32/Frethog!generic trojan.
2007/03/29 11:30:24.750 File infection: C:\WINDOWS\System32\kdjs1.exe is
Win32/Frethog!generic trojan.
2007/03/29 11:30:24.765 File infection: C:\WINDOWS\System32\kdjs1.exe is
Win32/Frethog!generic trojan.
2007/03/29 11:30:25.578 File infection: C:\Documents and
Settings\tomnvik.TOMNVIK-NBMH3UY\Local Settings\Temporary Internet
Files\Content.IE5\OLCNQP8D\wow0328[1].exe is Win32/Frethog!generic trojan.
Deleted
2007/03/29 11:30:25.625 File infection: C:\WINDOWS\System32\kdjs2.exe is
Win32/Frethog!generic trojan. Deleted
2007/03/29 11:30:25.640 File infection: C:\WINDOWS\System32\kdjs2.exe is
Win32/Frethog!generic trojan.
2007/03/29 11:30:25.656 File infection: C:\WINDOWS\System32\kdjs2.exe is
Win32/Frethog!generic trojan.
2007/03/29 11:30:25.656 File infection: C:\WINDOWS\System32\kdjs2.exe is
Win32/Frethog!generic trojan.
2007/03/29 11:30:26.812 File infection: C:\WINDOWS\System32\winform.dll is
Win32/Frethog.IS trojan. Deleted
2007/03/29 11:30:26.828 File infection: C:\WINDOWS\System32\winform.dll is
Win32/Frethog.IS trojan.
2007/03/29 11:30:26.828 File infection: C:\WINDOWS\System32\winform.dll is
Win32/Frethog.IS trojan.
2007/03/29 11:31:23.343 File infection: C:\Documents and
Settings\tomnvik.TOMNVIK-NBMH3UY\Local
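
The CA log above already contains the diagnostic clue: each file is reported "Deleted" and then detected again within milliseconds, which means a running process is re-dropping it and deleting the file alone cannot succeed. The following is an added example (not part of the post, and not CA's tooling) that parses scanner lines in this format and flags paths that reappear after a reported deletion. The sample log is constructed from the lines quoted in the post with the Usenet line-wrapping undone; the truncated final line is omitted.

```python
import re
from collections import OrderedDict

# Constructed sample input: the CA scanner lines quoted in the post, unwrapped
# so that each event sits on one line. The post's cut-off last line is left out.
SAMPLE_LOG = r"""
2007/03/29 11:30:24.656 File infection: C:\Documents and Settings\tomnvik.TOMNVIK-NBMH3UY\Local Settings\Temporary Internet Files\Content.IE5\MPAXATKL\moyu0328[1].exe is Win32/Frethog!generic trojan. Deleted
2007/03/29 11:30:24.734 File infection: C:\WINDOWS\System32\kdjs1.exe is Win32/Frethog!generic trojan. Deleted
2007/03/29 11:30:24.734 File infection: C:\WINDOWS\System32\kdjs1.exe is Win32/Frethog!generic trojan.
2007/03/29 11:30:24.750 File infection: C:\WINDOWS\System32\kdjs1.exe is Win32/Frethog!generic trojan.
2007/03/29 11:30:24.765 File infection: C:\WINDOWS\System32\kdjs1.exe is Win32/Frethog!generic trojan.
2007/03/29 11:30:25.578 File infection: C:\Documents and Settings\tomnvik.TOMNVIK-NBMH3UY\Local Settings\Temporary Internet Files\Content.IE5\OLCNQP8D\wow0328[1].exe is Win32/Frethog!generic trojan. Deleted
2007/03/29 11:30:25.625 File infection: C:\WINDOWS\System32\kdjs2.exe is Win32/Frethog!generic trojan. Deleted
2007/03/29 11:30:25.640 File infection: C:\WINDOWS\System32\kdjs2.exe is Win32/Frethog!generic trojan.
2007/03/29 11:30:25.656 File infection: C:\WINDOWS\System32\kdjs2.exe is Win32/Frethog!generic trojan.
2007/03/29 11:30:25.656 File infection: C:\WINDOWS\System32\kdjs2.exe is Win32/Frethog!generic trojan.
2007/03/29 11:30:26.812 File infection: C:\WINDOWS\System32\winform.dll is Win32/Frethog.IS trojan. Deleted
2007/03/29 11:30:26.828 File infection: C:\WINDOWS\System32\winform.dll is Win32/Frethog.IS trojan.
2007/03/29 11:30:26.828 File infection: C:\WINDOWS\System32\winform.dll is Win32/Frethog.IS trojan.
"""

# One event per line: timestamp, path, detection name, optional trailing "Deleted".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"File infection: (?P<path>.+?) is (?P<name>\S+) trojan\.(?P<deleted> Deleted)?$"
)


def parse_log(text):
    """Turn scanner output into a list of event dicts; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank, wrapped or truncated line: do not guess at it
        events.append({
            "ts": m.group("ts"),
            "path": m.group("path"),
            "name": m.group("name"),
            "deleted": m.group("deleted") is not None,
        })
    return events


def summarize(events):
    """Per path: how often it was detected, how often the scanner deleted it,
    which signatures fired, and whether it was seen again after a deletion."""
    summary = OrderedDict()
    for ev in events:
        s = summary.setdefault(ev["path"], {
            "detections": 0, "deleted": 0, "names": set(), "reappeared": False,
        })
        if s["deleted"] > 0:
            s["reappeared"] = True  # detected again after "Deleted": something rewrote it
        s["detections"] += 1
        s["names"].add(ev["name"])
        if ev["deleted"]:
            s["deleted"] += 1
    return summary


def respawning_files(summary):
    """Paths that came back after the scanner reported deleting them."""
    return sorted(p for p, s in summary.items() if s["reappeared"])


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for path, s in report.items():
        flag = "RESPAWNS" if s["reappeared"] else "ok"
        print(f"{flag:8} det={s['detections']} del={s['deleted']} {path}")
```

Files in the "RESPAWNS" group are the ones to chase back to the process or startup entry that recreates them; the browser-cache droppers (the Content.IE5 paths) are deleted once and stay gone.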



Re: Trojan

Download this, run it, save a copy of the log file and post it here in this
group so I can analyze it.
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php


--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com , David
H. Lipman, Max M Wachtell III  aka What's in a Name?, Fitz,
Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell






Re: Trojan

On Thu, 29 Mar 2007 12:01:23 -0700, pcbutts1 wrote:


Download it and post the logs to where the instructions tell you to post
the logs, and that would not be to ANY Usenet group.

How come you're not providing hijackthis from your own website any more?

 
--  
Want to know what PCBUTTS1 is really about?
*** WARNING - this link contains foul/pornographic content of an  
abusive nature created by PCBUTTS1 and still hosted on his public  
website ***
http://www.pcbutts1.com/downloads/leythos.htm

Re: Trojan


| Picked up a nasty when opening a web site the other day and can't seem to
| shake it. Am using updated CA anti-virus but it allowed the infection even
| though it recognizes it but can't rid my system of it. I routinely clean out
| history files and caches. I keep deleting files but it keeps recreating
| them. It keeps re-establishing itself in the "start" menu in run/msconfig. I
| have to "end process" of an unusual numbered process in task manager every
| time I re-boot. The files that it keeps replicating are in "C/Windows" and
| was "norton exe" but has now become "winform exe". Have tried Kaspersky,
| Panda and CA on-line scanners but no luck. Below are the CA prompts I keep
| getting. Any ideas?         Tom G.
|
| 2007/03/29 11:30:24.656 File infection: C:\Documents and
| Settings\tomnvik.TOMNVIK-NBMH3UY\Local Settings\Temporary Internet
| Files\Content.IE5\MPAXATKL\moyu0328[1].exe is Win32/Frethog!generic trojan.
| Deleted
| 2007/03/29 11:30:24.734 File infection: C:\WINDOWS\System32\kdjs1.exe is
| Win32/Frethog!generic trojan. Deleted
| 2007/03/29 11:30:24.734 File infection: C:\WINDOWS\System32\kdjs1.exe is
| Win32/Frethog!generic trojan.
| 2007/03/29 11:30:24.750 File infection: C:\WINDOWS\System32\kdjs1.exe is
| Win32/Frethog!generic trojan.
| 2007/03/29 11:30:24.765 File infection: C:\WINDOWS\System32\kdjs1.exe is
| Win32/Frethog!generic trojan.
| 2007/03/29 11:30:25.578 File infection: C:\Documents and
| Settings\tomnvik.TOMNVIK-NBMH3UY\Local Settings\Temporary Internet
| Files\Content.IE5\OLCNQP8D\wow0328[1].exe is Win32/Frethog!generic trojan.
| Deleted
| 2007/03/29 11:30:25.625 File infection: C:\WINDOWS\System32\kdjs2.exe is
| Win32/Frethog!generic trojan. Deleted
| 2007/03/29 11:30:25.640 File infection: C:\WINDOWS\System32\kdjs2.exe is
| Win32/Frethog!generic trojan.
| 2007/03/29 11:30:25.656 File infection: C:\WINDOWS\System32\kdjs2.exe is
| Win32/Frethog!generic trojan.
| 2007/03/29 11:30:25.656 File infection: C:\WINDOWS\System32\kdjs2.exe is
| Win32/Frethog!generic trojan.
| 2007/03/29 11:30:26.812 File infection: C:\WINDOWS\System32\winform.dll is
| Win32/Frethog.IS trojan. Deleted
| 2007/03/29 11:30:26.828 File infection: C:\WINDOWS\System32\winform.dll is
| Win32/Frethog.IS trojan.
| 2007/03/29 11:30:26.828 File infection: C:\WINDOWS\System32\winform.dll is
| Win32/Frethog.IS trojan.
| 2007/03/29 11:31:23.343 File infection: C:\Documents and
| Settings\tomnvik.TOMNVIK-NBMH3UY\Local
|

It is strongly suggested to NOT use Trend Micro's version of HiJack This! (HJT)
until it is no longer a Beta product.

Download and execute the original HJT...
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a HJT log file and post it in one of the below locations...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.malwarebytes.org/forums/index.php?showforum=7
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security /
http://forums.security-central.us/forumdisplay.php?f=13

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Trojan

The thief speaks! your sock puppet Leythos has done a terrible job speaking
up for you. How's that website coming Dave? doesn't feel too good does it? I
would really love to take credit for that but I can't, I don't steal. How
come you don't have the balls to speak up in the NG like you do in all those
abuse complaints you file against me. Hey guess what, my site is still up.

--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com , David
H. Lipman, Max M Wachtell III  aka What's in a Name?, Fitz,
Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell






Re: Trojan

On Thu, 29 Mar 2007 14:18:50 -0700, pcbutts1 wrote:

I don't, now or ever, speak for anyone except myself


Hey, guess what, the content that the complaints were filed against is NOT
on your site any more - there are no working links to it and you don't
have the balls to put it back online because you know what your hosting
provider will do next.

--
Want to know what PCBUTTS1 is really about?
*** WARNING - this link contains foul/pornographic content of an
abusive nature created by PCBUTTS1 and still hosted on his public
website ***
http://www.pcbutts1.com/downloads/leythos.htm

Re: Trojan

 Turn off system restore until you get rid of the trojan. When you can scan
your system and all is clean, then turn it back on.










Re: Trojan


My system restore has been turned off for months before picking up this
infection. AV can't clean infection. Just tonight my homepage has turned
Chinese. Updates for AdAware have been disabled since infection.
Re-installation doesn't help. No response to my hijack this posting.
Considering re-format.



Re: Trojan




Go to the registry (regedit) and  search for the references to the  files
norton.exe and winform.exe. Delete those references to them. The references
in msconfig will be deleted automatically at the same time. That should stop
the trojan process.
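
The advice above is to find the startup references and delete them. As an added example (not the poster's code and not any vendor tool), the script below enumerates the Run/RunOnce keys that msconfig's Startup tab reads, reports any value whose command line mentions the file names named in this thread, and removes those values only on an explicit non-dry run. The registry read uses Python's standard `winreg` module and therefore only works on Windows; the sample entries are constructed so the matching logic can be exercised anywhere. Searching the whole registry, as regedit's Find does, is outside this example.

```python
import re

# The autorun locations msconfig's Startup tab reads (assumption: these four keys
# are the ones the poster means by "run/msconfig").
RUN_KEYS = (
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
)

# Constructed sample standing in for a live registry read. The "winform" value
# mirrors the file name reported in the thread; the others are ordinary-looking.
SAMPLE_ENTRIES = [
    ("HKLM", RUN_KEYS[0][1], "ExampleUpdater", r"C:\Program Files\Example\updater.exe"),
    ("HKLM", RUN_KEYS[0][1], "winform", r"C:\WINDOWS\winform.exe"),
    ("HKCU", RUN_KEYS[2][1], "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]


def read_run_entries():
    """Read every value under the Run/RunOnce keys (Windows only).
    Returns (hive, subkey, value_name, command) tuples."""
    import winreg  # imported here so the rest of the module runs off-Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive_name, subkey in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive_name], subkey)
        except OSError:
            continue  # key does not exist in this hive
        with key:
            index = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                entries.append((hive_name, subkey, name, str(data)))
                index += 1
    return entries


def find_references(entries, filenames):
    """Entries whose command line mentions any of the given file names."""
    pattern = re.compile("|".join(re.escape(f) for f in filenames), re.IGNORECASE)
    return [e for e in entries if pattern.search(e[3])]


def remove_entries(entries, dry_run=True):
    """Delete the given startup values. Dry run by default: only reports.
    End the running process first; the poster reports the value otherwise
    gets re-created on the next boot."""
    removed = []
    if dry_run:
        for hive_name, subkey, name, command in entries:
            print(f"would delete {hive_name}\\{subkey}\\{name} = {command}")
            removed.append(name)
        return removed
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for hive_name, subkey, name, _command in entries:
        with winreg.OpenKey(hives[hive_name], subkey, 0, winreg.KEY_SET_VALUE) as key:
            winreg.DeleteValue(key, name)
        removed.append(name)
    return removed


if __name__ == "__main__":
    import sys
    entries = read_run_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    hits = find_references(entries, ["norton.exe", "winform.exe"])
    for hive, subkey, name, command in hits:
        print(f"{hive}\\{subkey}\\{name} = {command}")
    remove_entries(hits)  # dry run; pass dry_run=False to really delete
```

Run it once as a dry run, confirm the listed values are the ones you expect, end the process, and only then re-run with `dry_run=False`; deleting the value while the process is still running leaves it free to write the entry back.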




Re: Trojan

posted on Fri, 30 Mar 2007 04:07:26 GMT, tom wrote:


Just save any dynamic data (email etc) and reload the last image you
dumped before the onset of problems, you do ghost your system regularly?


--

0x5BA09291F
convert to base 36 for the sig

Re: Trojan


Try booting into safe mode and scan again. This might prevent the
trojan from recreating itself, so it can be eliminated. I also recommend
that you try Trend Micro Sysclean, scanning in safe mode. Another
alternative would be Microworld MWAV, based on the Kaspersky engine. Both
are standalone virus cleaners and very effective against a wide range of
malware.

