Hi,
Avast always finds a win32:Horst-DZ Trojan in my Temp folder.
It is an exe file. Like ( 90exinjs.v.exe/[UPX] ).
After deleting it, a while later Avast finds again a trojan with a different name.
Like: ( ....v.exe / [UPX] )
I searched with spyware software. Nothing found.
I turned off System Restore.
Restarted the PC.
Searched with Avast.
And then nothing found.
But some time ago I got the Avast warning again.
And then I decided to write here.
My OS is Windows XP SP2 Home Edition.
I am using:
- Avast 4.7 Home Edition
- SUPERAntiSpyware
- Spyware Blaster
- a-squared Guard
I did everything:
- Turned off System Restore
- Used Clean-Up
- a-squared Anti-Malware search, find and delete
- Avast! Boot Time Scan
But I am still getting the win32:Horst-DZ [Trj] trojan warning from Avast!.
Last infected (found virus) file: Temp\68exinjs.v.exe\[UPX]
I quarantined it.
Then I looked in the temp folder and found the others.
First it begins with a .conf extension like:
injs.v.exe.conf or
ssd32.w.exe.conf and then it creates exe files in the same (temp) folder like:
68exinjs.v.exe etc.
I have smss.exe in the C:\Windows\System location.
I don't know what I can do.
I really need your help.
My HijackThis log is:
Logfile of HijackThis v1.99.1
Scan saved at 20:30:44, on 21.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\WINDOWS\system32\svchost.exe
E:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\WINDOWS\system32\ctfmon.exe
E:\PeerGuardian2\pg2.exe
E:\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\SpywareGuard\sgmain.exe
E:\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AILE üzerinde otomatik EPSON Stylus CX3600 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P49 "AILE üzerinde otomatik EPSON Stylus CX3600 Series" /O13 "\\AILE\Yazıcı" /M "Stylus CX3600"
O4 - HKLM\..\Run: [GOKI üzerinde otomatik EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P49 "GOKI üzerinde otomatik EPSON Stylus CX3600 Series" /O13 "\\GOKI\Yazıcı" /M "Stylus CX3600"
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [a-squared] "E:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = E:\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://D:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O16 - DPF: {0FC8B38E-9293-424C-9D0E-CE60775679CF} (SubClassEditCtrlContainer Class) - https://sube.garanti.com.tr/lib/JaguarEditControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D76DC7E-3561-430F-8851-B0927F2E57B8}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = 2,3,4,5,6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = 2,3,4,5,6
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
P.S.: Excuse my bad English also.
Hi vbs :)
I see you received some assistance over at the Avast forum and were recommended to post your log here. http://forum.avast.com/index.php?topic=25575.0
Welcome to Landzdown forum.
An expert will be reviewing your log as soon as one is available.
And by the way, your English is quite understandable.
Hi, vbs. Welcome to LandzDown Forum.
From my research, that appears to be a nasty worm on your computer. Let's see what we can do to get rid of it.
Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip) © Option^Explicit.
Unzip it to the desktop.
Double-click Killbox.exe to run it.
Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:
C:\WINDOWS\system\smss.exe
Put a mark next to "Delete on Reboot".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
Start HijackThis, close all open windows leaving only HijackThis running. Place a check against the following, if found, and press "Fix Checked":
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
Please download ATF Cleaner by Atribune from http://www.atribune.org/public-beta/ATF-Cleaner.exe. Save it to your Desktop.
Run ATF Cleaner
- Double-click ATF-Cleaner.exe to run the program.
- Click Select All found at the bottom of the list.
- Click the Empty Selected button.
- Click Exit on the Main menu to close the program.
- Shutdown/restart the computer.
Edit Note: It would also be a good idea to update Avast and run a full system scan after restarting your computer. Then post a fresh HijackThis log and let us know how your PC is doing now.
Hi Corrine,
When I did:
Please download the Killbox © Option^Explicit.
Unzip it to the desktop
Double-click Killbox.exe to run it.
Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:
C:\WINDOWS\system\smss.exe
Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
these instructions, an error occurred:
"PendingFileNameOperations Registry Data has been Removed by External Process!"
Before your help, when I was trying to fix this trojan problem, I deleted c:\windows\system\smss.exe manually. Maybe I got the "PendingFileNameOperations Registry Data has been Removed by External Process!" message because of this.
I cleaned the PC with ATF Cleaner.
I forgot to paste my HijackThis log file:
Logfile of HijackThis v1.99.1
Scan saved at 05:48:49, on 22.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
E:\Program Files\a-squared Anti-Malware\a2guard.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
E:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AILE üzerinde otomatik EPSON Stylus CX3600 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" /P49 "AILE üzerinde otomatik EPSON Stylus CX3600 Series" /O13 "\\AILE\Yazıcı" /M "Stylus CX3600"
O4 - HKLM\..\Run: [GOKI üzerinde otomatik EPSON Stylus CX3600 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" /P49 "GOKI üzerinde otomatik EPSON Stylus CX3600 Series" /O13 "\\GOKI\Yazıcı" /M "Stylus CX3600"
O4 - HKLM\..\Run: [a-squared] "E:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://D:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {0FC8B38E-9293-424C-9D0E-CE60775679CF} (SubClassEditCtrlContainer Class) - https://sube.garanti.com.tr/lib/JaguarEditControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D76DC7E-3561-430F-8851-B0927F2E57B8}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = 2,3,4,5,6
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = 2,3,4,5,6
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = 2,3,4,5,6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = 2,3,4,5,6
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Hi, vbs. I meant to ask you last night -- do you recognize the O17 entry for 192.168.0.1?
Hi Corrine,
It's my router's IP.
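The two things the helper checked by eye in this thread, a Run entry that launches smss.exe from C:\WINDOWS\system rather than System32, and an O17 NameServer entry that the user has to recognise as their own router, can be written down as a small triage script over HijackThis-format lines. The script below is an added example for this thread; it is not part of HijackThis and was not posted by anyone here. The sample lines are constructed from the logs above, the {EXAMPLE-GUID} interface key and the 203.0.113.x addresses are placeholders, and the list of core system binaries and the "RFC 1918 only" expectation for DNS servers are assumptions chosen for the example.

```python
import ipaddress
import ntpath
import re

# Core Windows processes that legitimately run only from %SystemRoot%\System32.
# Assumption for this example: any Run entry naming one of these elsewhere is suspect.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# Address ranges a home router or LAN DNS server is expected to use (RFC 1918).
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - ")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)

# Constructed sample in HijackThis v1.99.1 format, modelled on the logs in this thread.
# {EXAMPLE-GUID} and 203.0.113.x are placeholders, not values from the logs.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D76DC7E-3561-430F-8851-B0927F2E57B8}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{EXAMPLE-GUID}: NameServer = 203.0.113.5,203.0.113.6
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""


def review_o4(line):
    """Flag Run entries that launch a core system binary from outside System32."""
    m = O4_RE.match(line)
    if not m:
        return None
    exe = EXE_RE.match(m.group("cmd"))
    if not exe:  # no .exe in the command (e.g. dumprep), nothing to compare
        return None
    path = exe.group("path")
    if ntpath.basename(path).lower() not in CORE_SYSTEM_BINARIES:
        return None
    if ntpath.dirname(path).lower().endswith("\\windows\\system32"):
        return None
    return ("O4", "core system binary name outside System32", path)


def review_o17(line):
    """Flag DNS servers outside RFC 1918 space; the user should recognise every LAN server."""
    m = O17_RE.match(line)
    if not m:
        return []
    findings = []
    for token in re.split(r"[,\s]+", m.group("servers").strip()):
        if not token:
            continue
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            findings.append(("O17", "unparseable NameServer value", token))
            continue
        if not any(addr in net for net in LAN_RANGES):
            findings.append(("O17", "NameServer outside RFC 1918 LAN ranges", token))
    return findings


def review_o23(line):
    """Flag services whose binary HijackThis could not find on disk."""
    m = O23_RE.match(line)
    if m and "(file missing)" in line:
        return ("O23", "service binary reported missing", m.group("svc"))
    return None


def review_log(text):
    """Run every check over a HijackThis log and return (section, reason, detail) findings."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("O4 "):
            f = review_o4(line)
            if f:
                findings.append(f)
        elif line.startswith("O17 "):
            findings.extend(review_o17(line))
        elif line.startswith("O23 "):
            f = review_o23(line)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for section, reason, detail in review_log(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```

The script only narrows the log to lines worth a closer look; it cannot tell a freshly renamed malware file from a legitimate one, and a 192.168.x.x NameServer still needs the owner to confirm, as happened in the thread, that the address really is their router. The "(file missing)" check is deliberately loose, since the avast! entries in these logs show that a stray quote in a service path produces the same report.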