AndyManchesta

Posts posted by AndyManchesta

  1. So, just so I've got this clear, is this ransomware stuff blocked by AV software (as much as any malware is)? And the info it steals is from autocomplete, cookies etc?

     

    Hi JD,

     

    Yes, the current ransomware variant is very well detected by AV companies now. There are quite a few malware bundles around that include this trojan, though it's the infostealer by itself and not the ransomware variant, and they are changing the files often to try to avoid being detected by AVs. They tend to spread using exploits on malicious websites, but this ransomware variant appears to have mainly spread by being spammed, which is explained more on the Prevx blog RRidgely linked to earlier.

     

    Here are the current detections for the ransomware variant from VT:

     

    File ntos.exe received on 07.21.2007 04:10:52 (CET)

     

    Antivirus Version Last Update Result

    AhnLab-V3 2007.7.21.0 2007.07.20 no virus found

    AntiVir 7.4.0.44 2007.07.20 TR/Spy.Gpcode.AI

    Authentium 4.93.8 2007.07.20 no virus found

    Avast 4.7.997.0 2007.07.20 Win32:GpCode-C

    AVG 7.5.0.476 2007.07.20 Pakes.BT

    BitDefender 7.2 2007.07.21 Backdoor.Kollah.C

    CAT-QuickHeal 9.00 2007.07.20 Trojan.GPcoder.h

    ClamAV devel-20070416 2007.07.21 Trojan.Kollah

    DrWeb 4.33 2007.07.20 Trojan.Encoder.11

    eSafe 7.0.15.0 2007.07.19 Virus.Win32.Gpcode.a

    eTrust-Vet 30.8.3797 2007.07.20 Win32/Kollah.AB

    Ewido 4.0 2007.07.20 no virus found

    FileAdvisor 1 2007.07.21 no virus found

    Fortinet 2.91.0.0 2007.07.20 W32/Gpcode.AI

    F-Prot 4.3.2.48 2007.07.20 W32/new-malware!Maximus

    F-Secure 6.70.13030.0 2007.07.20 Virus.Win32.Gpcode.ai

    Ikarus T3.1.1.8 2007.07.20 Trojan-Downloader.Win32.Delf.aww

    Kaspersky 4.0.2.24 2007.07.21 Virus.Win32.Gpcode.ai

    McAfee 5079 2007.07.20 GPcoder.h

    Microsoft 1.2704 2007.07.20 Backdoor:Win32/Kollah.D

    NOD32v2 2410 2007.07.20 Win32/Spy.Agent.PZ

    Norman 5.80.02 2007.07.20 no virus found

    Panda 9.0.0.4 2007.07.20 Trj/Sinowal.FY

    Sophos 4.19.0 2007.07.17 no virus found

    Sunbelt 2.2.907.0 2007.07.21 Backdoor.Win32.Kollah.D

    Symantec 10 2007.07.21 Trojan.Gpcoder.E

    TheHacker 6.1.7.149 2007.07.18 no virus found

    VBA32 3.12.2.1 2007.07.19 Trojan.Win32.Spy.Agent.PZ

    VirusBuster 4.3.26:9 2007.07.20 Trojan.GPCode.E

    Webwasher-Gateway 6.0.1 2007.07.21 Trojan.Spy.Gpcode.AI

    Additional information

    File size: 58368 bytes

    MD5: 20f7c21df0f5d724c5d28e62155fe22d

    SHA1: 09ceedb1edf556331d7cf5039cb83b469bf0dffb

     

    I did just run the Prevx Ransomware decoder a few minutes ago and it did an excellent job of decoding all the encrypted files and removing the infostealer.

     

    Regarding what it steals: this trojan doesn't steal info from the Protected Storage area, although that method is used by a lot of other password stealers like LdPinch. This one will steal the information from any forms online before it even gets encrypted if it's a secure site. The paper from SecureScience I linked to earlier explains it a lot better than I ever could, from chapter 8, 'Internal Structures For API Hooks'.

     

    Andy

  2. Yeah, there are some great tools on there. You may find that AVs detect some as risk tools, though that would only apply if they were added without consent by trojans, as it would allow them to get personal information or make changes to the system; the tools themselves are clean and can be very useful.

     

    Examples after scanning the files at VirusTotal:

     

    Protected Storage Pass Viewer

     

    File pspv.exe received on 07.20.2007 21:36:35 (CET)

     

    Antivirus Version Last Update Result

     

    Authentium 4.93.8 2007.07.19 W32/PWStealer.CAT

    BitDefender 7.2 2007.07.20 Trojan.Icqsmiley.E

    CAT-QuickHeal 9.00 2007.07.20 PSWTool.PassView.b (Not a Virus)

    eSafe 7.0.15.0 2007.07.19 Win32.IcqSmiley.e

    Ewido 4.0 2007.07.20 Not-A-Virus.PSWTool.Win32.PassView.b

    FileAdvisor 1 2007.07.20 Low threat detected

    Fortinet 2.91.0.0 2007.07.20 HackerTool/PassView

    F-Prot 4.3.2.48 2007.07.20 W32/PWStealer.CAT

    Ikarus T3.1.1.8 2007.07.20 not-a-virus:PSWTool.Win32.PassView.b

    Kaspersky 4.0.2.24 2007.07.20 not-a-virus:PSWTool.Win32.PassView.b

    McAfee 5079 2007.07.20 potentially unwanted program PWCrack-PassView

    Microsoft 1.2704 2007.07.20 HackTool:Win32/Mailpassview

    NOD32v2 2410 2007.07.20 Win32/PassView.163

    Panda 9.0.0.4 2007.07.20 Hacktool/Passview.T

    Sophos 4.19.0 2007.07.17 NirPassView

    Symantec 10 2007.07.20 Hacktool.PassReminder

    TheHacker 6.1.7.149 2007.07.18 Trojan/PassView.b

    VBA32 3.12.2.1 2007.07.19 Application.PSWTool.PassView

    VirusBuster 4.3.26:9 2007.07.20 Trojan.PWS.IcqSmiley.A

    Webwasher-Gateway 6.0.1 2007.07.20 Riskware.PSW.PassView.B

     

    Additional information

    File size: 52736 bytes

    MD5: 35861f4ea9a8ecb6c357bdb91b7df804

    SHA1: 836cb49c8d08d5e305ab8976f653b97f1edba245

    Bit9 info: http://fileadvisor.bit9.com/services/extin...357bdb91b7df804

     

    NirCmd

     

    File nircmd.exe received on 07.20.2007 21:36:24 (CET)

     

    Antivirus Version Last Update Result

     

    eSafe 7.0.15.0 2007.07.19 suspicious Trojan/Worm

    Panda 9.0.0.4 2007.07.20 Application/NirCmd.A

    Sophos 4.19.0 2007.07.17 NirCmd

    Webwasher-Gateway 6.0.1 2007.07.20 Win32.ModifiedUPX.gen!90 (suspicious)

     

    Additional information

    File size: 27136 bytes

    MD5: 2c2c06dedc3a3b089d6e8813b2d49b04

    SHA1: 0bab5e4027fb0a2aeea12246b0164bc46712d61f

    packers: UPX

  3. Hi Leluc

     

    You do have the LinkOptimizer trojan showing, which likely means you also have a variant of the Gromozon rootkit. This is its entry in the log:

     

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe

    Debugger REG_SZ "c:\windows\system32\fugmqrfe.bak"

     

    There is a newer variant of this trojan that also adds a debugger for iexplore.exe, but the one you have appears to be the older version, which has just added a debugger value for explorer.exe. This trojan is very difficult to remove manually as it changes permissions on its file and registry entry to deny anyone access and can restore its reg entry instantly if it's removed; if the file is removed and the reg entry remains then it's not possible to start explorer.exe (no desktop icons or taskbar). It also targets a lot of the tools we use, which is why you're not able to open HijackThis at the moment.

     

     

    Download LinkOptfix from Here and save it to your desktop.

     

    Copy and paste these instructions to Notepad and save it to your C:\ drive in case you need to access it without using the Start menu later.

     

    To run the fix, double click LinkOptfix.exe and it will create a new folder on your desktop named LinkOptfix. Open the newly created LinkOptfix folder and double click fix.bat; it will only take a few seconds to run. First it creates a backups folder, moves the trojan file into the backups folder, stops explorer.exe (you will lose the desktop icons and taskbar), resets the permissions, then removes the trojan reg entry and restarts explorer.exe. You should then be able to run HJT and post a log; if you can, then ignore the rest of this post and reply so we can check for remaining problems in a HJT log and have some files scanned, as there are a few suspicious files showing in that report you uploaded.

     

     

    If explorer.exe doesn't restart after running the tool then you will have to remove its reg entry, which will be possible as the file would have been moved so it cannot load again. If explorer doesn't restart you will not be able to access the Start menu, so press Control, Alt & Delete to open Task Manager, then click Applications and New Task; you can then click Browse to find the text file you saved with these instructions and click OK to open it. Then type Regedit into Task Manager > Applications > New Task and click OK to open the Registry Editor.

     

    Click the [+] next to HKEY_LOCAL_MACHINE

    Click the [+] next to SOFTWARE

    Click the [+] next to Microsoft

    Click the [+] next to Windows NT

    Click the [+] next to Current Version

    Click the [+] next to Image File Execution Options

     

    Scroll down the list and find explorer.exe, then right click it and choose Permissions. In the permissions for Everyone area place a check next to Full Control, then click Apply and OK. Right click the explorer.exe key and choose Delete, then go back to Task Manager > Applications > New Task, type explorer.exe and click OK and it will restart.

     

    You should not need the manual instructions as the fix tool should remove it fine, but it's best to provide an alternative method just in case it's needed.

     

    Let me know if you have any problems or questions.

     

    Cheers

     

    Andy

  4. Hi Dennis,

     

    I think there's always going to be a small risk involved with shopping or banking online, but I doubt the majority of people will ever have a problem unless they do get infected with these types of trojans. Sometimes the information may not be stolen from your own system, and a legit site you have done business with at one stage may get compromised, but thankfully that isn't common and generally banks would always refund the account if it was used without the owner's consent.

     

    For account and login details it really depends on how you enter the site. IE's AutoComplete feature, if used, saves login details to a Protected Storage area in the registry, and it is quite common for information-stealing trojans to read the data from there. In IE7 that has changed a bit, but you can get more info and tools to view the Protected Storage data on Nirsoft's site:

     

    http://www.nirsoft.net/utils/pspv.html

     

    http://www.nirsoft.net/articles/ie7_passwords.html

  5. The main problem with this trojan is the information it steals. It shows in HJT as:

     

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

     

    It's been around for a long time, but this 'ransomware' variant has only been showing up since the start of July. The trojan is very nasty as it will record login usernames and passwords for every site used, even if it's secure, and upload them to a drop site, and the sites tend to hold many GBs' worth of stolen information ranging from MySpace and email logins to PayPal, eBay and banking login information.

     

    SecureScience wrote an excellent paper on the trojan at the end of last year:

     

    http://www.securescience.net/securescience...ecasestudy.html

     

    As the paper explains, it injects its code into winlogon, then svchost, then into all other running processes with the exception of csrss.exe due to access and stability issues, but the code injection guarantees it's always running on the system and monitoring what is being submitted into online forms.

     

    Hopefully the Prevx tool helps with decoding the files. I've not tried it yet but I will later today if I have the time, but anyone who is infected with this should know that their login information for every site visited since they became infected, and anything else submitted into online forms, has been stolen, so they will need to contact financial institutions for advice plus change all passwords as soon as possible after removing the trojan, or from a different PC that is known to be clean.

  6. Hi Leluc, Welcome to the forum

     

    This does sound like it may be trojan related. Can you download the attached zip file (LinkOptCheck), extract the folder, then double click RunThis.bat? It will then export some registry keys and check a couple of folders for non-default exe files, then write the information to a text file named Report.txt, which will save inside the LinkOptCheck folder and also open with Notepad once it's finished. Please post the full contents of that report back on here and we can then take it from there.

     

    Let us know if you have any problems running the file.

     

    Cheers

     

    Andy

    LinkOptCheck.zip
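    The two persistence hooks discussed in the posts above (the Image File Execution Options "Debugger" value on explorer.exe left by LinkOptimizer, and the extra executable appended to the Winlogon Userinit value shown in the HJT F2 line for ntos.exe) can both be pulled out of a `reg export` of the relevant keys. The script below is an added example, not the LinkOptCheck tool from the post or anything from the post author; the registry export text it parses is constructed inline to mirror the entries quoted above, and the expected-value rules (exactly one userinit.exe entry, Shell = Explorer.exe, no IFEO Debugger on end-user systems) are my assumptions about a default Windows XP install.

```python
import re

# Keys referenced in the posts above. Both are under HKLM\SOFTWARE\Microsoft\Windows NT.
IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {name: value}}.
    Only quoted REG_SZ values are handled; hex:/dword: values are ignored."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg exports escape quotes as \" and backslashes as \\; undo that.
            value = m.group("value").replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group("name")] = value
    return keys


def check_userinit(value):
    """Return every comma-separated Userinit entry other than the stock userinit.exe.
    Works on the registry value and on the value shown in a HijackThis F2 line."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]


def find_hooks(reg_text):
    """Flag IFEO debugger hooks and non-default Winlogon Userinit/Shell values."""
    keys = parse_reg_export(reg_text)
    findings = []
    ifeo_prefix = IFEO_KEY.lower() + "\\"
    for key, values in keys.items():
        # Any Debugger under IFEO\<exe> redirects launches of <exe> to that path.
        if key.lower().startswith(ifeo_prefix) and "Debugger" in values:
            findings.append({
                "type": "ifeo_debugger",
                "target": key.rsplit("\\", 1)[1],
                "debugger": values["Debugger"],
            })
    winlogon = {k.lower(): v for k, v in keys.items()}.get(WINLOGON_KEY.lower(), {})
    extra = check_userinit(winlogon.get("Userinit", ""))
    if extra:
        findings.append({"type": "userinit_extra", "entries": extra})
    shell = winlogon.get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append({"type": "shell_replaced", "shell": shell})
    return findings


# Constructed sample export (assumption: an infected XP box with both hooks present).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="c:\\windows\\system32\\fugmqrfe.bak"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"
"""

if __name__ == "__main__":
    for finding in find_hooks(SAMPLE_EXPORT):
        print(finding)
```

    On a live system the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and the same for the Winlogon key; a Debugger value on explorer.exe or iexplore.exe, or any second Userinit entry, is what the manual removal steps above are clearing.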

  7. Check your Screen Saver and Monitor power options

     

    Right click the desktop > click Properties > click Screen Saver (check the screen saver settings and whether it's set to password protect when it resumes) > click Power at the bottom > then check the settings for the power scheme (Turn Off Monitor / Turn Off Hard Disks / System Standby / System Hibernates). Click Apply and OK if you make any changes.

  8. My maths isn't that good :lol:

     

    It's very kind of Microsoft to give me the award though. A lot of my spare time on the PC these days is spent on research (testing trojans and submitting them to AVs) and developing a tool called SDFix, but I didn't expect to have enough public postings to be considered for the award as my forum posts are a bit few and far between these days, so it was a great surprise to be accepted and I'm proud to now show the MVP icon in my signature :)

  9. Hi CeeCee

     

    Yes, Microsoft contacted me a couple of months ago saying I had been nominated to receive the award and asking if I would be interested, which I obviously said yes to as I have a lot of respect for the MVP program and its members. I then received another email at the start of this month saying Congrats on becoming an MVP in Windows Security :blink:

  10. It's really not possible to say what installed it, but it may have been a program or game you installed at some stage then removed, and it may have left the oreans32 service behind.

     

    It's possible a spyware remover added it to their database so it was removed on your system, but the file and service is harmless as it's a genuine program. Like a lot of things, though, it's starting to be abused by trojan writers as it also helps them to avoid being detected by antivirus companies, so some vendor may have added it by mistake.

     

    Here's an example of a backdoor IRCbot (rBot) I got yesterday that's packed with Themida:

     

    Complete scanning result of "lol.exe", received in VirusTotal at 05.10.2007, 21:56:38 (CET).

     

    Antivirus Version Update Result

    AhnLab-V3 2007.5.10.0 05.10.2007 no virus found

    AntiVir 7.4.0.15 05.10.2007 TR/Agent.1376901

    Authentium 4.93.8 05.10.2007 no virus found

    Avast 4.7.997.0 05.10.2007 no virus found

    AVG 7.5.0.467 05.10.2007 no virus found

    BitDefender 7.2 05.10.2007 DeepScan:Generic.Malware.G!SKI!!FLMPWX!!BVPkprng.8F04B991

    CAT-QuickHeal 9.00 05.10.2007 no virus found

    ClamAV devel-20070416 05.10.2007 no virus found

    DrWeb 4.33 05.10.2007 no virus found

    eSafe 7.0.15.0 05.10.2007 no virus found

    eTrust-Vet 30.7.3624 05.10.2007 no virus found

    Ewido 4.0 05.10.2007 no virus found

    FileAdvisor 1 05.10.2007 No threat detected

    Fortinet 2.85.0.0 05.10.2007 no virus found

    F-Prot 4.3.2.48 05.10.2007 no virus found

    F-Secure 6.70.13030.0 05.10.2007 no virus found

    Ikarus T3.1.1.7 05.10.2007 Backdoor.VB.EV

    Kaspersky 4.0.2.24 05.10.2007 no virus found

    McAfee 5028 05.10.2007 no virus found

    Microsoft 1.2503 05.10.2007 no virus found

    NOD32v2 2256 05.10.2007 no virus found

    Norman 5.80.02 05.10.2007 no virus found

    Panda 9.0.0.4 05.10.2007 no virus found

    Prevx1 V2 05.10.2007 no virus found

    Sophos 4.17.0 05.08.2007 no virus found

    Sunbelt 2.2.907.0 05.05.2007 VIPRE.Suspicious

    Symantec 10 05.10.2007 no virus found

    TheHacker 6.1.6.112 05.10.2007 no virus found

    VBA32 3.12.0 05.10.2007 no virus found

    VirusBuster 4.3.7:9 05.10.2007 no virus found

    Webwasher-Gateway 6.0.1 05.10.2007 Trojan.Agent.1376901

     

    Additional information

    File size: 1376901 bytes

    MD5: 3bf608ac273c8df9d2dd66bd0040240f

    SHA1: 6fd719fd44de5d2a55be7bdd0bebe508423f1ebe

    Bit9 info: http://fileadvisor.bit9.com/services/extin...2dd66bd0040240f

    Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

     

    If you don't have the file, though, just delete its service to remove it from your system, as it's likely just a leftover entry from a program you have used in the past if the file doesn't exist.

     

    Andy
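    The three VirusTotal listings pasted in the posts above (ntos.exe, pspv.exe/nircmd.exe and the Themida-packed lol.exe) share one text layout, and the point being made about pspv.exe is that several vendors flag it with riskware labels (not-a-virus, PSWTool, HackTool, potentially unwanted) rather than a malware family name. The parser below is an added example, not a tool from VirusTotal or from the post author; it reads that 2007-era text layout, separates clean / riskware-labelled / family-named results, and reports which vendors gave a family name. The sample report is a constructed excerpt in that layout, and the list of riskware marker substrings is my assumption drawn from the labels visible above, not a published taxonomy.

```python
import re
from collections import Counter

# Row layout of the VirusTotal text reports pasted above:
#   <vendor> <engine version> <signature date> <result text>
# Vendor and version are single tokens in that layout, the date is dotted
# (2007.07.20 or 05.10.2007) and everything after it is the free-text result.
ROW_RE = re.compile(
    r"^(?P<vendor>\S+)\s+(?P<version>\S+)\s+"
    r"(?P<updated>\d{1,4}\.\d{1,2}\.\d{1,4})\s+(?P<result>.+)$"
)

CLEAN_RESULTS = {"no virus found", "no threat detected"}

# Substrings vendors use for legitimate-but-abusable tools rather than malware
# families. Assumption: compiled from the labels in the reports above.
RISKWARE_MARKERS = (
    "not-a-virus", "not a virus", "pswtool", "hacktool", "hackertool",
    "potentially unwanted", "riskware", "application.", "application/",
    "low threat detected",
)


def parse_vt_text(text):
    """Return [(vendor, result), ...], skipping headers, hashes and the
    'Additional information' block, none of which match ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group("vendor"), m.group("result").strip()))
    return rows


def classify(result):
    """'clean', 'riskware' (tool/PUA label) or 'named' (a family-style name)."""
    low = result.lower()
    if low in CLEAN_RESULTS:
        return "clean"
    if any(marker in low for marker in RISKWARE_MARKERS):
        return "riskware"
    return "named"


def summarize(text):
    """Detection breakdown for one pasted report. For a known-clean tool such as
    pspv.exe, anything in 'named_by' is the vendor calling it a trojan outright."""
    rows = parse_vt_text(text)
    counts = Counter(classify(result) for _, result in rows)
    return {
        "engines": len(rows),
        "clean": counts["clean"],
        "riskware": counts["riskware"],
        "named": counts["named"],
        "named_by": sorted(v for v, r in rows if classify(r) == "named"),
    }


# Constructed sample: an excerpt in the same layout as the pspv.exe report above.
SAMPLE_REPORT = """\
File pspv.exe received on 07.20.2007 21:36:35 (CET)

Antivirus Version Last Update Result

AhnLab-V3 2007.7.21.0 2007.07.20 no virus found
Authentium 4.93.8 2007.07.19 W32/PWStealer.CAT
CAT-QuickHeal 9.00 2007.07.20 PSWTool.PassView.b (Not a Virus)
FileAdvisor 1 2007.07.20 Low threat detected
Kaspersky 4.0.2.24 2007.07.20 not-a-virus:PSWTool.Win32.PassView.b
McAfee 5079 2007.07.20 potentially unwanted program PWCrack-PassView
Microsoft 1.2704 2007.07.20 HackTool:Win32/Mailpassview
Sophos 4.19.0 2007.07.17 NirPassView
Symantec 10 2007.07.20 Hacktool.PassReminder
VBA32 3.12.2.1 2007.07.19 Application.PSWTool.PassView

Additional information
File size: 52736 bytes
MD5: 35861f4ea9a8ecb6c357bdb91b7df804
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

    Run over the lol.exe listing above, the same function shows the other side of the coin: a Themida-packed bot where almost every row is clean and the few hits are generic or heuristic names, which is why the post stresses that a clean VT result for a packed file means little.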

  11. oreans32 is part of Themida protection:

     

    http://www.oreans.com/themida.php

     

    It's used in quite a lot of programs, such as games, to prevent piracy. It is also being used by some trojans like backdoor IRCBots, as it can make it a lot harder for the files to be analysed by preventing people from reverse engineering or disassembling the files and also by preventing them being run in a virtual environment.

     

    If you do not still have the oreans32.sys file on your system then it's fine to remove its service, but make sure the file doesn't exist first, as the program that added it will not start if the service is missing.

     

    Go to Start > Run > Search

    Click All Files and Folders

    Then scroll down to More Advanced Options and place a check next to Search system folders, Search hidden files and folders and Search subfolders.

    Then scroll back up to the 'All or part of the file name:' area, enter this to be searched for, then click Search:

     

    oreans32.sys

     

    If it's found then leave the service in place, but if it's not then go to Start > Run and type:

     

    sc delete oreans32

     

    Press OK and you will just notice the cmd screen open then close, and the service will be removed on the next reboot.

     

    Andy

  12. I remember this program when it was being promoted early last year:

     

    http://forums.spywareinfo.com/index.php?showtopic=77280

     

    I tested it at the time and it wasn't great. It was fine to reverse the changes made by adware-type programs that already had Add/Remove screen entries and uninstallers, but it had a lot of problems with more nasty infections like rootkits and trojans that hook to system files; it kept showing it had fully removed files, then crashing at random points when it was reversing the changes, and the same files were there again when it reopened. It also appeared to interfere with other programs, as I had problems at times opening security programs and tools I had installed, but they opened fine after Spyberus crashed, which it did about 4 or 5 times in the space of 1 hour on an infected machine, so I gave up and haven't tried it since.

     

    Hopefully it's improved a lot since then :unsure:

  13. Thanks Ian

     

    It's hard to say where this trojan is coming from. The Gromozon infections in the past have only attacked users with Italian IPs, but this variant is different, as we have seen it infecting users with UK IP addresses. There's another member on here who posted today with the same trojan, so it's difficult to say at the moment what type of site is adding it. I'm glad we were able to get it removed from your system, but let us know if you have problems again anytime.

     

    Happy Surfing :)

     

    Andy

  14. Hi Ian,

     

    Sorry for the delay in replying; I wasn't able to get on the PC for most of yesterday so I've just been catching up with my emails. Unfortunately Avenger wasn't able to create a backup of the file. I'm not sure why, but the backup.zip is empty except for a text file showing that it removed the file. It's nice to see it was removed though :)

     

    The logs look fine. Kaspersky is finding an infected System Restore point, but that's to be expected after getting the trojans and we can clear them out now the system is clean. I'll also post a few basic steps to help avoid further infections.

     

    Click Start Menu > All Programs > Accessories > System Tools > System Restore

     

    Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

     

    Next go to Start Menu > Run > type

     

    cleanmgr

     

    Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created. Then press OK to clear the temp files found in the initial scan and close Disk Cleanup.

     

    Consider installing SpywareBlaster if it's not already installed. SpywareBlaster doesn't scan and clean spyware, but can help prevent it from being installed by blocking the popular spyware ActiveX controls, which prevents the installation of any of them via webpages. It also adds hundreds of malicious sites to the Restricted zone so they cannot cause damage to your system if you visit them by mistake at any time, such as by typing a URL slightly wrong and ending up at a malicious site rather than the intended site. A tutorial on using SpywareBlaster can be found here.

    • Avoid illegal sites such as warez, cracks, serials etc... because that's where most malware is present.
    • Don't click on links inside Popups, Messenger programs or spam email messages.
    • Download free software only from sites you know and trust.

    Please make sure to run your antivirus software regularly and to keep it up to date, and also make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

     

    Please also read Tony Klein's excellent article: How I got Infected in the First Place

     

    Let me know if there are any remaining problems.

     

    Cheers

     

    Andy

  15. Hi Ian, Thanks for the logs,

     

    It's nice to see seagate-helper hasn't got any additional registry entries except for the Userinit hook that we fixed earlier. I didn't think the .exe would be found after reading your earlier post, but thought we may as well include it while we were deleting the .old file. Can you please upload the Avenger backups for me so I can have a closer look at the seagate file?

     

    Please visit SpyKiller's forum here:

     

    http://www.thespykiller.co.uk/index.php?board=1.0

     

    Read the instructions for uploading files, which is the first topic on the forum, then start a new topic named 'File For AndyManchesta'. Please then post a link to this thread and upload the C:\avenger\backup.zip folder.

     

    The logs are looking good, but with you having had a rootkit infection it's best to run a couple of final scans to make sure there are no remaining issues, then we can clear up the System Restore points once we know the machine is clean.

     

    Download Blacklight beta HERE and save it to your desktop.

    Run the program, accept the statement > click Next, then Scan.

    When it's finished scanning, exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' and will save to the same location as the blbeta.exe file.

     

    Finally run Kaspersky WebScanner

    • Please go HERE and click Kaspersky Online Scanner
    • Read and Accept the Agreement
    • You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • If you see a Windows dialog asking if you want to install this software, click the Install button.
    • The program will launch and then begin downloading the latest definition files,
    • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
    • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
    • Under "Please select a target to scan:", click My Computer to start the scan.
    • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.

     

    Please then post back the Kaspersky log and the Blacklight log, and let me know if there are any problems.

     

    Regards

     

    Andy

  16. Cheers Ian,

     

    No problem regarding the help. This is quite a new infection, so getting any information on it or samples of additional files is really helpful so we can get them sent to antivirus companies and also find easier ways of dealing with it each time it shows up.

     

    1. Please download The Avenger by Swandog46 to your Desktop

    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy all of the text contained in the code box below (making Files to delete: the top line) to your Clipboard by highlighting it and pressing (Ctrl+C):

     

    Files to delete:
    c:\windows\seagate-helper.exe
    c:\windows\seagate-helper.old

     

    3. Now, start The Avenger program by clicking on its icon on your desktop.

    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    • It will Restart your computer.
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please copy/paste the content of c:\avenger.txt into your reply

     

     

    Next download RegSearch by Bobbi Flekman from Here

     

    Download and extract the contents of the zip file.

    Double-click the icon for RegSearch.exe to launch the program.

     

    Enter seagate-helper (in the first open box) to search for and click "OK".

     

    After it's finished, Notepad will open and show any found instances of seagate-helper in the registry; the results are also saved in the same location as RegSearch.exe. Please post that back on here.

     

    There are a couple of optional fixes showing in HijackThis, but it's fine if you want to leave them.

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = ht*p://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

    The above entry is from Yahoo, but you can see from the address that the system is being redirected through red.clientapps before going to the Yahoo site. red.clientapps is Red Sheriff and a form of spyware. Although it's probably nothing nasty, it can be fixed to return it to Microsoft's default SearchURL. Here's some info on Red Sheriff.

     

    O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

    dumprep.exe is Microsoft's fault logging software. Once errors happen on the system this program will write the details to a text file and request the information be sent to Microsoft. It should remove itself from the Run key, but I've noticed it's present in both logs, so the entry can be fixed if it remains after another reboot.

     

     

    You should really avoid having more than one antivirus program installed, as they use a lot of system resources and having two providing protection can cause a lot of problems on the system, such as false virus alerts, crashes and slowdowns, and can even make the system more likely to get a trojan infection if they are conflicting with each other. If Panda and AVG are both providing real-time monitoring then you should consider uninstalling or disabling the real-time protection on one and only using it as an 'on-demand' scanner which you start and stop manually, so there is only one antivirus program starting with Windows and providing protection, to prevent any problems.

     

    Can you check your Add/Remove screen (Start Menu > Control Panel > Add or Remove Programs) for any older versions of Java (J2SE Runtime Environment)? It's common for them to leave older versions behind when it updates, which can take up a lot of space, and some of them are vulnerable to certain infections. Ignore 1.6.0_01 but remove any other versions that may be present.

     

    Please then post back the Avenger log and the RegSearch log and we can see if this remaining trojan was removed.

     

    Cheers

     

    Andy
