Thread: Trojan Horse Malware...best way to remove

  1. #1
    Join Date
    Apr 2007
    Posts
    8

    Trojan Horse Malware...best way to remove

    Hello,
    I was wondering if anyone knew the best way to remove Trojan Horse malware...I ran AVG and it picked up 3 Trojan Horse Generic and 5 Trojan Horse Downloaders. AVG can only detect, but not heal, this malware. I really appreciate your time and expertise.

    Sincerely,
    Summer

  2. #2
    Join Date
    Aug 2006
    Posts
    578

    Hi Summer,

    Please have a look at the link below and follow the steps to obtain a HijackThis Scanlog, a Kaspersky Online Scanlog and an AVG Anti-Spyware Scanlog and please submit them for us.

    -- Be sure to rename HijackThis.exe as outlined in the link.


    Hang in there for Judy to have a look at the logs.

    Best Luck
    PP

  3. #3
    Join Date
    Apr 2007
    Posts
    8
    Quote Originally Posted by PhilliePhan View Post
    Hi Summer,

    Please have a look at the link below and follow the steps to obtain a HijackThis Scanlog, a Kaspersky Online Scanlog and an AVG Anti-Spyware Scanlog and please submit them for us.

    -- Be sure to rename HijackThis.exe as outlined in the link.


    Hang in there for Judy to have a look at the logs.

    Best Luck
    PP
    Thanks so much, I've completed step one in the "Read Me Before Posting Help Link." I already have AVG 7.5, but I'm not sure if I unchecked 'Resident Shield,' 'automatic updates,' etc. Should I uninstall AVG and then reinstall it unchecking the specified items?

  4. #4
    Join Date
    Aug 2006
    Posts
    578

    Quote Originally Posted by summer8 View Post
    . Should I uninstall AVG and then reinstall it unchecking the specified items?
    No - If you already have AVG Anti-Spyware onboard, just internet update it to the latest malware definitions and run the scan. Do be sure to select Quarantine under "how to act" upon what it finds.

    PP

  5. #5
    Join Date
    Apr 2007
    Posts
    8
    Quote Originally Posted by PhilliePhan View Post
    No - If you already have AVG Anti-Spyware onboard, just internet update it to the latest malware definitions and run the scan. Do be sure to select Quarantine under "how to act" upon what it finds.

    PP
    Well, I'm not sure if what I have is AVG Anti-Spyware...It says AVG Anti-Virus Free Edition...And in my Programs it's just listed as AVG 7.5. I did the automatic update earlier today and scanned the computer...That's when I found the Trojan Horse malware. If I, in fact, do have the correct version of AVG, should I scan it again, select Quarantine, and copy what's found in the virus vault? Or is the scan from earlier today sufficient and can I go back and somehow quarantine its findings? OR, do I actually need a more specific Anti-Spyware version of AVG that I don't know about? Thanks so much...
    Last edited by summer8; 04-25-2007 at 10:38 PM.

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    No, Summer, that program you have and scanned with is the AVG Free Anti-virus program.
    Good program for sure. But we also need you to download the AVG Anti-spy program, also version 7.5.
    You will find that in the link that PP gave you. Follow his instructions there on the download, install and update. This should be run in safe mode and set to fix or quarantine anything found. It may very well remove your trojans but we won't know until you run it, have it clean and then save the log and post it back here.

  7. #7
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Follow PP's advice, Summer, and post your logs. We'll take a look!
    Judy

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    If you are using Internet Explorer, do this:
    Open Internet Explorer.

    Click Tools > Internet Options > Security > Custom Level

    Enable - Automatic Prompting for ActiveX Controls
    Enable - Binary and Script behaviours
    Enable - Download Signed ActiveX Controls
    Check 'Prompt' for - Download Unsigned ActiveX Controls
    Check 'Prompt' for - Initialise and script ActiveX controls not marked as safe
    Enable - Run ActiveX controls and plugins
    Enable - Script ActiveX controls marked safe for scripting.

    Scroll down.

    Enable - Use pop-up blocker.
    Enable - Active Scripting.

    Click OK.

    Restart.
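
The checklist in post #8 corresponds to per-zone URL action values in the registry. The PowerShell audit below is an added example, not part of the thread; it assumes the post refers to the Internet zone (`Zones\3`), and `Compare-ZoneSetting` is a name chosen here.

```powershell
# Added example, not from the thread. Assumption: the post means the Internet
# zone, whose per-user settings are stored under Zones\3.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL action DWORD values: 0 = Enable, 1 = Prompt, 3 = Disable
$stateName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Registry value name, label as written in the post, and the state it asks for
$expected = @(
    @{ Id = '2201'; Name = 'Automatic prompting for ActiveX controls'; Want = 0 }
    @{ Id = '2000'; Name = 'Binary and script behaviours'; Want = 0 }
    @{ Id = '1001'; Name = 'Download signed ActiveX controls'; Want = 0 }
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls'; Want = 1 }
    @{ Id = '1201'; Name = 'Initialise and script ActiveX controls not marked safe'; Want = 1 }
    @{ Id = '1200'; Name = 'Run ActiveX controls and plugins'; Want = 0 }
    @{ Id = '1405'; Name = 'Script ActiveX controls marked safe for scripting'; Want = 0 }
    @{ Id = '1809'; Name = 'Use pop-up blocker'; Want = 0 }
    @{ Id = '1400'; Name = 'Active scripting'; Want = 0 }
)

function Compare-ZoneSetting {
    param([hashtable] $Actual, [object[]] $Expected)
    foreach ($item in $Expected) {
        if ($Actual.ContainsKey($item.Id)) {
            $have = [int] $Actual[$item.Id]
            $found = if ($stateName.ContainsKey($have)) { $stateName[$have] } else { "Other ($have)" }
        } else {
            $have = $null          # value absent from the zone key
            $found = 'Not set'
        }
        [pscustomobject]@{
            Action  = $item.Id
            Setting = $item.Name
            Wanted  = $stateName[$item.Want]
            Found   = $found
            Match   = ($have -eq $item.Want)
        }
    }
}

if (Test-Path $zoneKey) {
    # Read the live per-user values for the zone
    $props = Get-ItemProperty -Path $zoneKey
    $actual = @{}
    foreach ($item in $expected) {
        $p = $props.PSObject.Properties[$item.Id]
        if ($p) { $actual[$item.Id] = $p.Value }
    }
} else {
    # Constructed sample for running off-Windows: unsigned ActiveX download is
    # set to Enable instead of Prompt, and active scripting is disabled.
    $actual = @{ '2201' = 0; '2000' = 0; '1001' = 0; '1004' = 0; '1201' = 1
                 '1200' = 0; '1405' = 0; '1809' = 0; '1400' = 3 }
}

Compare-ZoneSetting -Actual $actual -Expected $expected | Format-Table -AutoSize
```

The script only reads values and changes nothing. Settings enforced through policy are stored under a separate Policies key and are not read here.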

  9. #9
    Join Date
    Apr 2007
    Posts
    8
    HI EVERYONE...
    Ok, the Kaspersky report was too large to send as an attachment, so I just copied and pasted it directly into this reply. The AVG scan report is attached. I accidentally deleted Symantec Anti-Virus. Is that a problem, and if so, can I re-obtain it? Also, these are two notes I jotted down after scanning:

    *No malicious software detected when checking the whole system with Microsoft Windows Malicious Software Removal Tool.

    *Kaspersky Online Scanner (when scanning whole computer): “The scan is complete. No malware has been detected. The sections that have been scanned are CLEAN.”

    PLEASE JUST TELL ME WHAT YOU THINK. AM I ALMOST IN THE CLEAR? DO I NEED TO TURN OFF SYSTEM RESTORE OR ANYTHING ELSE? THANK YOU SO VERY MUCH!!!

    SUMMER

    Friday, May 04, 2007 1:25:13 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 4/05/2007
    Kaspersky Anti-Virus database records: 294403

    Scan Settings
    Scan using the following antivirus database standard
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    C:\
    D:\
    E:\

    Scan Statistics
    Total number of scanned objects 58481
    Number of viruses found 0
    Number of infected objects 0 / 0
    Number of suspicious objects 0
    Duration of the scan process 00:50:44

    Scan process completed.

  10. #10
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    How did you accidentally delete Norton? Did you actually delete the entire program folder or just the icon?
    We need to see a new HiJackThis log.
