PC Help Forum - Free Computer Help, Windows, Hardware, Software and more!
 
#1 - Bazbat (Bronze Member, Posts: 9) - 1 Week Ago
[Fixed] Trojan Horse

Hi
While scanning my PC (Windows XP Pro) with Ad-Aware, AVG threw up a threat detected warning. In my Temp folder it found "Trojan Horse Back Door.Generic8.ZPK".
The problem is AVG can't heal it, delete it or move it to the virus vault.
I googled the virus but found nothing at all with this exact name; there are plenty of Generic Trojans out there though!
What's the plan? Some C4? Or something a little less destructive?
Hope you guys can help!

#2 - Jelly Bean (Tech Support Team, Posts: 2,387, PC Experience: Experienced, Location: Swansea) - 1 Week Ago
Re: Trojan Horse

Hello and welcome to PC Help Forum.

Can you do the "Prework" and copy and paste the results back here on your thread?

It's the Prework link in pink below.

#3 - Bazbat (Bronze Member, Posts: 9) - 1 Week Ago
Re: Trojan Horse

Originally Posted by Jelly Bean:
    Hello and welcome to PC Help Forum.
    Can you do the "Prework" and copy and paste the results back here on your thread?
    It's the Prework link in pink below.

I'm trying to do this but having a few problems in Safe Mode. One thing is, although I can start AVG, I can't access the net to update (although I updated this morning, so maybe we can skip this?), nor can I find any "Settings tab" to implement the settings you suggest before scanning. I do have AVG Free, so does this mean I need the full version?

#4 - Bazbat (Bronze Member, Posts: 9) - 1 Week Ago
Pre work files

OK, here's the file from HijackThis. As mentioned, I couldn't generate a log from AVG Free, but it hasn't found anything new. Also, CCleaner has been run with no recurring files returning, except a log file for ZoneAlarm showing this:
ZoneAlarm Logging Client v7.0.462.000
Windows XP-5.1.2600-Service Pack 2-SP
type,date,time,source,destination,transport (Security)
type,date,time,virus name,file name,mode,e-mail id (Anti-Virus)
type,date,time,source,destination,action,service (IM Security)
type,date,time,source,destination,program,action (Malicious Code Protection)
type,date,time,action,product,file,event,subevent, class,data,data,... (OSFirewall)
type,date,time,name,type,mode (Anti-Spyware)
ACCESS,2008/05/07,16:50:12 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 53335).,N/A,N/A
ACCESS,2008/05/07,16:51:24 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 9334).,N/A,N/A
ACCESS,2008/05/07,16:53:18 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 41394).,N/A,N/A
ACCESS,2008/05/07,16:54:40 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 3031).,N/A,N/A
ACCESS,2008/05/07,16:56:06 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 61476).,N/A,N/A
ACCESS,2008/05/07,16:57:40 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 65447).,N/A,N/A
ACCESS,2008/05/07,16:59:32 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 62844).,N/A,N/A
ACCESS,2008/05/07,17:01:44 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 17959).,N/A,N/A
ACCESS,2008/05/07,17:04:02 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 13074).,N/A,N/A
ACCESS,2008/05/07,17:06:28 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 24901).,N/A,N/A
ACCESS,2008/05/07,17:09:04 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 23516).,N/A,N/A
ACCESS,2008/05/07,17:12:04 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 25344).,N/A,N/A
ACCESS,2008/05/07,17:15:22 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 11934).,N/A,N/A
ACCESS,2008/05/07,17:18:40 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 35235).,N/A,N/A
ACCESS,2008/05/07,17:22:22 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 58947).,N/A,N/A
ACCESS,2008/05/07,17:26:32 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 43521).,N/A,N/A
ACCESS,2008/05/07,17:31:06 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 14247).,N/A,N/A
ACCESS,2008/05/07,17:36:00 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 19337).,N/A,N/A
ACCESS,2008/05/07,17:40:54 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 4919).,N/A,N/A
ACCESS,2008/05/07,17:45:50 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 21556).,N/A,N/A
ACCESS,2008/05/07,17:50:50 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 29809).,N/A,N/A

HijackThis results: see attached log.

Attached Files
File Type: log hijackthis.log (7.4 KB, 1 views)
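The ZoneAlarm log Bazbat pasted is a CSV-like format where ACCESS records carry the whole event as one free-text field. As an added example that is not part of the thread, the following Python parses those records, pulls out the program, peer address and port, and flags a peer that keeps getting blocked within a short window. The sample log is a constructed, trimmed copy of the lines above; the 30-minute window and the threshold of 5 attempts are assumptions, not ZoneAlarm settings.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: header lines plus the first six ACCESS records from the thread.
SAMPLE_LOG = """ZoneAlarm Logging Client v7.0.462.000
Windows XP-5.1.2600-Service Pack 2-SP
type,date,time,source,destination,transport (Security)
type,date,time,action,product,file,event,subevent, class,data,data,... (OSFirewall)
ACCESS,2008/05/07,16:50:12 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 53335).,N/A,N/A
ACCESS,2008/05/07,16:51:24 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 9334).,N/A,N/A
ACCESS,2008/05/07,16:53:18 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 41394).,N/A,N/A
ACCESS,2008/05/07,16:54:40 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 3031).,N/A,N/A
ACCESS,2008/05/07,16:56:06 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 61476).,N/A,N/A
ACCESS,2008/05/07,16:57:40 +12:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (10.1.1.3:Port 65447).,N/A,N/A
"""

# Wording of the ACCESS message exactly as it appears in the thread's log.
ACCESS_RE = re.compile(
    r"^(?P<program>.+?) was blocked from accepting a connection from the Internet "
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3}):Port (?P<port>\d+)\)\.$"
)


def parse_zonealarm(text):
    """Return parsed ACCESS events; header lines and other record types are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split(",")
        if len(fields) < 4 or fields[0] != "ACCESS":
            continue
        rec_type, date, time_field, message = fields[:4]
        # time field looks like "16:50:12 +12:00 GMT"; strptime's %z wants "+1200"
        clock, offset, _zone = time_field.split()
        when = datetime.strptime(f"{date} {clock} {offset.replace(':', '')}",
                                 "%Y/%m/%d %H:%M:%S %z")
        m = ACCESS_RE.match(message)
        if not m:
            continue
        events.append({
            "type": rec_type,
            "when": when,
            "program": m.group("program"),
            "peer_ip": m.group("ip"),
            "peer_port": int(m.group("port")),
        })
    return events


def summarize_by_peer(events, window=timedelta(minutes=30), threshold=5):
    """Group blocked inbound attempts by peer and flag peers that keep coming back.

    A peer is 'persistent' when at least `threshold` attempts fall inside any
    sliding window of length `window` (both values are assumed, not ZoneAlarm's)."""
    by_peer = defaultdict(list)
    for ev in events:
        by_peer[ev["peer_ip"]].append(ev)
    report = {}
    for ip, evs in by_peer.items():
        evs.sort(key=lambda e: e["when"])
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["when"] - evs[start]["when"] > window:
                start += 1
            best = max(best, end - start + 1)
        report[ip] = {
            "count": len(evs),
            "distinct_ports": len({e["peer_port"] for e in evs}),
            "max_in_window": best,
            # RFC 1918 check: a private peer is on the LAN, whatever the log text says
            "is_private": ipaddress.ip_address(ip).is_private,
            "persistent": best >= threshold,
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize_by_peer(parse_zonealarm(SAMPLE_LOG)).items():
        print(ip, info)
```

The useful check here is `is_private`: 10.1.1.3 is an RFC 1918 address, so despite ZoneAlarm's "from the Internet" wording the blocked peer is a device on the local network (a router, another PC, or similar), and the right next step is to identify that device rather than treat the entries as evidence of an outside attacker. The changing peer port on every attempt is normal client behaviour and on its own says nothing about intent.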
#5 - Samuel4u (Bronze Member, Posts: 15, PC Experience: Some Experience) - 1 Week Ago
Re: Trojan Horse

Even I keep getting problems like this.

#6 - valis (Senior Security Analyst, Posts: 2,480, Location: texas, USA) - 1 Week Ago
Re: Trojan Horse

There are a few things in your log that need attention, most notably updating your Java. That will close a few holes right there; you can do so at java.com. In the meanwhile, let's run ComboFix and see what that spits out:

We need to download ComboFix.exe. This will give a better view of the files running, and also hidden, on your computer.
Please visit this webpage for download links and instructions for running ComboFix.

When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new 'HijackThis' log so that we can continue to do any further cleaning that your system may require.
Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.
NOTE: ComboFix prevents autorun of all CDs, floppies and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please let me know.


Thanks,

v

__________________

M.C.S.A.
M.C.P.
- MS Server 2k3, Network Architecture

"Ask Bill why the string in function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that."
- Gary Kildall
#7 - Bazbat (Bronze Member, Posts: 9) - 1 Week Ago
Re: Trojan Horse

Hi
Here is the ComboFix log and the new HijackThis Log.

Attached Files
File Type: txt ComboFix Log.txt (12.2 KB, 1 views)
File Type: log hijackthis.log (7.1 KB, 1 views)
#8 - valis (Senior Security Analyst, Posts: 2,480, Location: texas, USA) - 1 Week Ago
Re: Trojan Horse

You may want to print these out. Please close all other applications, start HJT again, click 'perform system scan only', place a tick next to the following and click 'fix checked':

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

You also need to replace your Sun Java with the newest version:

Go to Add/Remove Programs and uninstall this:

Java 2 Runtime Environment

Now go here and install the latest version of Java.

Reboot, and post a new HJT log please.

thanks,

v

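The two lines valis asks Bazbat to tick are O2 (Browser Helper Object) and O3 (IE toolbar) entries whose registered DLL is gone, which HijackThis shows as "(no file)". As an added example that is not part of the thread or of HijackThis itself, this Python parses O2/O3 lines, classifies each entry, and rebuilds the exact lines to tick in the tool. The sample log is constructed: it contains the two entries from the thread plus one made-up healthy entry with an all-zero CLSID and a hypothetical path, included only for contrast.

```python
import re

# Constructed sample: the two "(no file)" entries flagged in the thread plus one
# made-up healthy entry (all-zero CLSID, hypothetical path) so the classifier has
# something to leave alone.
SAMPLE_HJT = """Logfile of HijackThis (constructed excerpt)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\helper.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
"""

# O2 and O3 lines share the layout
#   "<section> - <kind>: <display name> - {CLSID} - <dll path or (no file)>"
HJT_ENTRY_RE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<target>.+)$"
)


def parse_hjt(text):
    """Parse O2/O3 lines into dicts; every other HijackThis section is ignored here."""
    entries = []
    for line in text.splitlines():
        m = HJT_ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry):
    """'orphan': the registry still points at a DLL that no longer exists, so the
                 entry does nothing and fixing it only removes the stale key.
       'review': nameless entry that still loads a real file; inspect that file first.
       'ok'    : named entry backed by a file on disk."""
    if entry["target"] == "(no file)":
        return "orphan"
    if entry["name"] == "(no name)":
        return "review"
    return "ok"


def fix_list(entries):
    """The orphaned entries, re-emitted in HijackThis's own line layout so they
    can be matched against the tool's scan list when ticking them."""
    return [
        f"{e['section']} - {e['kind']}: {e['name']} - {e['clsid']} - {e['target']}"
        for e in entries
        if classify(e) == "orphan"
    ]


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_HJT)
    for e in entries:
        print(classify(e).ljust(7), e["clsid"], e["target"])
    print("\nTick these and click 'fix checked':")
    for line in fix_list(entries):
        print(" ", line)
```

The distinction the classifier draws is the one a helper applies by hand: a "(no file)" entry is dead weight and safe to remove, whereas a nameless entry that still resolves to a DLL deserves a look at the file (publisher, location, scan result) before anything is ticked.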
#9 - Bazbat (Bronze Member, Posts: 9) - 6 Days Ago
Re: Trojan Horse

OK, done all that.
Here's the new HJT log after rebooting.

Attached Files
File Type: log hijackthis.log (7.3 KB, 2 views)
#10 - valis (Senior Security Analyst, Posts: 2,480, Location: texas, USA) - 3 Days Ago
Re: Trojan Horse

Sorry for the delay, Bazbat... log looks clean... how's the machine running?

v

#11 - Bazbat (Bronze Member, Posts: 9) - 2 Days Ago
Re: Trojan Horse

Everything runs OK, although I have noted some slowing down moving from one webpage to another, but apart from that minor thing she's running sweet. Thanks very much for your help; I know where to come for my PC issues now!
Regards
Barry
