My son's computer is coming up with a warning that his computer is infected. This is what I've found: trojan horse SHeur.BHNQ. I am currently running a SuperAntiSpyware scan on it and so far it has come up with Malware.Awola/Rel. Can someone please advise me on how to proceed to get rid of this trojan? I have attached a current HijackThis log. Thank You!!

Logfile of HijackThis v1.99.1
Scan saved at 10:00:40 AM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Nordeman\Application Data\nthno.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Nordeman\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Nordeman\Application Data\nthno.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
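As an added example (not code posted by anyone in this thread, and not part of HijackThis), the script below parses the O4 autorun entries of a HijackThis log and flags the ones a reviewer would look at first: an executable running from a user profile directory, or a registry value name that claims to be a Microsoft/Windows component while pointing outside the Windows or Program Files trees. The sample lines are the O4 entries copied from the log above; the two heuristics and the path lists are my own assumptions about what a legitimate XP autorun normally looks like, not a rule from HijackThis or from the thread.

```python
"""Flag suspicious autorun (O4) entries in a HijackThis log.

Added example for this thread. The heuristics are the author's own
(an assumption, not a HijackThis rule): an autorun whose executable
lives under a user profile, or whose value name claims to be a
Microsoft/Windows component while pointing outside the Windows or
Program Files trees, deserves a closer look.
"""
import re

# O4 lines copied from the HijackThis log posted at the top of the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Nordeman\Application Data\nthno.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# "O4 - Startup: <shortcut> = <command line>"
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# First .exe token of the command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)"?(?:\s|$)', re.IGNORECASE)

# Assumed lists: places a legitimate XP autorun rarely runs from,
# and the roots it usually does.
PROFILE_DIRS = ("\\documents and settings\\", "\\application data\\",
                "\\local settings\\", "\\temp\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_o4(log):
    """Return one dict per O4 line: hive, value name, command line, exe path."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        exe = EXE_RE.match(cmd)
        # Fall back to the whole command (quotes stripped) if no .exe is found.
        path = exe.group("path") if exe else cmd.strip('"')
        entries.append({
            "hive": m.groupdict().get("hive", "Startup folder"),
            "name": m.group("name"),
            "cmd": cmd,
            "path": path,
        })
    return entries


def analyze(log):
    """Return the parsed entries that trip at least one heuristic, with reasons."""
    findings = []
    for entry in parse_o4(log):
        path_l = entry["path"].lower()
        name_l = entry["name"].lower()
        reasons = []
        if any(d in path_l for d in PROFILE_DIRS):
            reasons.append("executable runs from a user profile directory")
        if name_l.startswith(("microsoft", "windows")) and not path_l.startswith(TRUSTED_ROOTS):
            reasons.append("value name claims Microsoft/Windows but path is outside Windows/Program Files")
        if reasons:
            findings.append(dict(entry, reasons=reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['hive']} [{f['name']}] -> {f['path']}")
        for r in f["reasons"]:
            print("   *", r)
```

Run against the thread's log, the only entry flagged is the HKCU Run value named "Microsoft Windows Adapter 5.1.3214" pointing at nthno.exe in Application Data, which is also the process the poster's scanner caught. The check is a triage aid for reading logs like this one, not a verdict: a flagged entry still has to be confirmed by a scanner or a known-file lookup before anything is removed.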
Check for updates to SuperAntiSpyware, do a scan, then post the SAS log. You can get the report like this:
* After a scan and possible reboot, double-click the SUPERAntiSpyware icon on your desktop.
* Click Preferences. Click the Statistics/Logs tab.
* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
* It will open in your default text editor (Notepad).
* Please highlight everything, then right-click and choose copy.
* Click close and close again to exit the program.
Now please paste the information in your next reply.
echoreply
I just had to remove that on my mom's computer today, and everything seems to be working well so far... I found if you boot in Safe Mode and then run these 4 programs it will get rid of EVERYTHING bad on your computer... (note: it is a long process, takes quite a few hours, but is worth the experience)
1: Smit Fraud Fix: http://www.afterdawn.com/software/desktop_software/desktop_security/smitfraudfix.cfm
2: AVG Free Edition: http://free.grisoft.com
3: Ad-Aware Free: http://www.lavasoft.com
4: Spybot S&D: http://www.safer-networking.org
All programs listed above are completely free and should remove all the crap infecting your computer... Hope it works, good luck...
Ps. The easiest way to run Smit Fraud Fix is to run the .exe file directly from your desktop...
Here is the SuperAntiSpyware log. The computer is still running really slow.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/02/2008 at 09:05 PM
Application Version : 3.9.1008
Core Rules Database Version : 3372
Trace Rules Database Version: 1367
Scan type : Complete Scan
Total Scan Time : 00:18:49
Memory items scanned : 348
Memory threats detected : 0
Registry items scanned : 5418
Registry threats detected : 0
File items scanned : 26612
File threats detected : 7
Adware.Tracking Cookie
C:\Documents and Settings\Nordeman\Cookies\nordeman@media.adrevolver[1].txt
C:\Documents and Settings\Nordeman\Cookies\nordeman@atwola[1].txt
C:\Documents and Settings\Nordeman\Cookies\nordeman@ad.yieldmanager[2].txt
C:\Documents and Settings\Nordeman\Cookies\nordeman@ice.112.2o7[1].txt
C:\Documents and Settings\Nordeman\Cookies\nordeman@mediaplex[1].txt
C:\Documents and Settings\Nordeman\Cookies\nordeman@html[1].txt
C:\Documents and Settings\Nordeman\Cookies\nordeman@advertising[2].txt
SuperAntiSpyware is a bad program to use, I HIGHLY recommend that you use the series of programs I suggested. Delete SAS from your hard drive and never use it again. Many have claimed that SAS has actually helped spyware to get on their computer...
Um... engage16... I wouldn't advise you to speak like that, as you base not your criticisms of SAS on facts, and the idea that SAS promotes spyware on your system is, frankly, well, dumb. SAS isn't only one of the most worth it and great programs on the market, which my own and others' experiences have confirmed without doubt, it also has great detection. However, I might be inclined to agree that SAS alone is not enough. Perhaps downloading a free scanner like Antivir or Spybot would help further, roe727. Remember to first disable System Restore, boot in safe mode, then scan with the scanners. Best Regards
Thanks cdavfrew. I disagreed with engage also. SAS is an excellent program. I didn't think about the System Restore though and will rerun those scans after disabling it. And I will enable it after the scans are complete.
All I meant to say is that there's no reason to have to pay for a program that you can do for free... I had to remove that trojan from one of my own machines so I stated how I had removed it. My insults on SAS were based on what I had read from other people and reviews that it has 'evil' intentions with certain sites on the internet. I personally have never used it, and I apologize if I insulted your opinions of the program...
You didn't insult me. It's fine. And I don't pay for SAS. Maybe they have one that you pay for, but they have a free program apparently as well. Be careful what you believe in the way of other people's opinions. SAS is a great program.
It's a case of personal opinions. I've always used Spybot and Ad-Aware, so that's what I'm going to say is 'the best and greatest', just like you use SAS and say that it's 'the best and greatest'... Back on topic, did you get the Trojan removed yet?
I use Spybot and Ad-Aware also. And YES, they are great, great programs!! And yes, I did get the trojan removed. Thanks... have a wonderful day!!
Running XP SP2, I already used AVG and Spybot and recently had an invasion by Trojan Horse SHeur, so I downloaded the Smit Fraud Fix you suggested to add to the mix, but when I ran it I got a message from either Spybot or AVG that this is fake adware removal software, so I clicked the button to put it in the vault. What gives here? I have also tried to install the "Security Update for Microsoft XML Core Services 4.0 Service Pack 2" about a dozen times, with it saying it completed successfully each time, but then the little yellow shield with the exclamation mark reappears in the tray and wants me to install it again. Is this a residual effect of the Trojan Horse? When the AVG window first popped up warning of the Trojan Horse attack several weeks ago, something (presumably the TH) had just turned off my MS firewall and removed the wallpaper from my desktop.
The warning about Smit Fraud Fix is a false positive... Just ignore the warning on it and run the program...