Got a trojan horse

textbook

Tried to get a copy of CDclone from mininova.org. When I tried to install it, my McAfee antivirus software found a trojan horse. Now my speakers are playing this stupid annoying music all the time. How do I get rid of it? I am currently doing a scan with both Ad-Aware and McAfee. Will they take it out? Is it OK to scan with both at the same time?

And generally, when scanning for viruses, is it OK to download files on itorrent and surf the net etc.?

One more thing: before I unpacked the zip file I scanned it, but no infections were found. Is McAfee a bad antivirus software?

I also keep getting this web page coming back even though I don't go into it.
 
It certainly sounds like you're infected, and an antivirus scan, no matter which program you're using, won't always pick up infections which don't qualify as viruses. Illegally downloading programs is a prime cause for infections, and I suggest you delete the downloaded file immediately.

Now, let's remove the infection.

Please post a HijackThis log:
To do so, download the HijackThis installer from http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe.

Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile.

When the Notepad window opens, choose Edit -> Select All to select the entire log, then copy and paste the log into a reply post.
Most of what it lists will be harmless or even essential; don't fix anything yet.
 
You may not get help here.
You downloaded something illegal.

Lol, never mind. Though let this be a lesson, to not illegally download.
 
There's one entry there that appears to be dangerous, I'd like to get a little more info about it.

Please go to http://virusscan.jotti.org, click on Browse, and upload the following file for analysis:

C:\WINDOWS\Shell32.exe.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If that scanner is busy, please use this one: http://www.virustotal.com/
 
A-Squared: Found nothing
AntiVir: Found HEUR/Malware
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found VB.ATO
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found Possibly a new variant of W32/VB-EMU:VB-Backdoor-HRS-based!Maximus
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control: Found nothing
Panda Antivirus: Found Trj/Butch.A
Rising Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing
 
That's correct.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entry:
  • O4 - HKLM\..\Run: [Shell32] C:\WINDOWS\Shell32.exe.exe

Please close all open windows except for HijackThis and choose Fix checked.

Please delete the following file:
C:\WINDOWS\Shell32.exe.exe

Please reboot and post a new HijackThis log.
 
That's correct. The trojan file had installed itself on your system, but it's now been removed. Your logfile appears to be clean, but there are a couple of deactivated entries that can be removed.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entries:
  • R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
  • R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
  • O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Optionally, you may also check the following entry:
  • O4 - Startup: PowerReg Scheduler.exe
    This is a registration reminder that is used by a number of different companies. It is not needed, and some people think that it reports back to the company about your computer, so I suggest fixing it.
Please close all open windows except for HijackThis and choose Fix checked.

Additionally, there are some very important updates that I would strongly recommend you install.

Your Java Runtime Environment is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update:
Updating Java:
  • Go to Start > Control Panel double-click on the Software icon > Add or Remove Programs.
  • Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
    It should have the Java icon next to it (javaicon.gif).

    Select it and click Remove.
  • Then Download and install the newest version from here:

Also, you are using an older version of Adobe Reader, which contains some security flaws. You can download the latest version by going to http://www.adobe.com/ and clicking on Get Adobe Reader.

Most importantly, you desperately need to update your Windows XP to Service Pack 2 since it is probably the most important security update they have ever created and running without it almost guarantees you will get infected again. You can obtain Service Pack 2 from http://update.microsoft.com/

Once you've updated to Service Pack 2, please also download all critical updates from http://update.microsoft.com/

Please post a report on how the upgrade to Service Pack 2 went, since any problems with the upgrade may indicate that there is still malware on your system.
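The two HijackThis fixes above rest on the same kind of judgement a responder makes by eye: an O4 autorun entry whose file has a double extension and borrows a system component's name (Shell32.exe.exe) is suspicious, and R3/O2 entries marked "(no file)" are orphans that can simply be cleared. The following Python script is an added example written for this thread, not code from HijackThis or from the helper; it parses constructed HijackThis-style log lines (the Shell32 and "(no file)" entries mirror the thread, the SoundMan and ctfmon lines are made up as benign filler) and flags entries by those rules. The list of system component names is a small constructed allowlist, not an exhaustive one.

```python
import re

# Constructed sample log. The Shell32.exe.exe, URLSearchHook and BHO lines
# mirror the thread; the other O4 lines are made-up benign entries.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [Shell32] C:\\WINDOWS\\Shell32.exe.exe
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
"""

# "O4 - HKLM\..\Run: [Name] target" style lines.
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
RUN_RE = re.compile(
    r"^(?P<location>HK\w+\\\.\.\\Run\w*|Startup|Global Startup): "
    r"(?:\[(?P<name>[^\]]*)\] )?(?P<target>.+)$"
)
# A filename ending in two executable extensions, e.g. foo.exe.exe
DOUBLE_EXT = re.compile(r"\.(exe|com|scr|bat|cmd|pif)\.(exe|com|scr|bat|cmd|pif)$", re.I)
# Constructed allowlist of well-known Windows component names that malware
# likes to impersonate; real triage would use a longer list.
SYSTEM_COMPONENT_NAMES = {"shell32", "kernel32", "user32", "ntdll", "svchost", "lsass", "csrss"}


def parse_entries(log_text):
    """Split HijackThis-style lines into (kind, name, target) records."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        name, target = None, rest
        if kind == "O4":
            rm = RUN_RE.match(rest)
            if rm:
                name, target = rm.group("name"), rm.group("target")
        entries.append({"kind": kind, "name": name, "target": target, "raw": line})
    return entries


def flag_entry(entry):
    """Return the list of reasons an entry deserves attention (empty if none)."""
    reasons = []
    target = entry["target"]
    if target.endswith("(no file)"):
        reasons.append("orphaned: points at a file that no longer exists")
    filename = target.replace("/", "\\").rsplit("\\", 1)[-1]
    if DOUBLE_EXT.search(filename):
        reasons.append(f"double extension: {filename}")
    stem = filename.split(".", 1)[0].lower()
    if entry["kind"] == "O4" and stem in SYSTEM_COMPONENT_NAMES:
        reasons.append(f"autorun named after system component {stem!r}")
    return reasons


def triage(log_text):
    """Map each raw log line to its list of reasons."""
    return {e["raw"]: flag_entry(e) for e in parse_entries(log_text)}


def flagged_lines(log_text):
    """Raw lines that got at least one reason, in log order."""
    return [raw for raw, reasons in triage(log_text).items() if reasons]


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_LOG).items():
        status = "; ".join(reasons) if reasons else "ok"
        print(f"{raw}\n    -> {status}")
```

Run on the sample, it reports the two "(no file)" orphans and the Shell32.exe.exe autorun (two reasons: the double extension and the impersonated component name), and leaves the benign lines alone. Such a script only narrows the list; as the helper says, most entries in a real log are harmless, so a flag is a prompt to look closer (for instance, by submitting the file to a multi-engine scanner as was done here), not a verdict.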
 
Thanks for your help. I think my XP might be a copy. It was on the machine when I bought it. If that is the case, I don't think I can update the Java, right?

I don't think I can get Service Pack 2.

Out of curiosity, if this is the case, where can you order a cheap second-hand version of XP and the service pack? Amazon? I can't buy it in English in my current location.
 
I have just deleted the log I copied and pasted. My friend said that it was dangerous to leave that on the net. Is that true? Passwords etc.?
 