Removal of trojan horse SHeur.BHNQ
roe727
Newbie
7. May 2008 @ 10:01
My son's computer is coming up with a warning that his computer is infected. This is what I've found: trojan horse SHeur.BHNQ
I am currently running a SuperAntiSpyware scan on it and so far it has come up with Malware.Awola/Rel. Can someone please advise me on how to proceed to get rid of this trojan? I have attached a current hijackthis log. Thank You!!

Logfile of HijackThis v1.99.1
Scan saved at 10:00:40 AM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Nordeman\Application Data\nthno.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Nordeman\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Nordeman\Application Data\nthno.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

Rosemary
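
A triage pass over the HijackThis log in the post above, as an added example that is not part of the original thread: it lists O4 Run autostart entries whose executable sits in a user-writable profile folder and notes whether that file also appears under "Running processes". The folder list and the function names are assumptions of this example, and a match is a prompt for review, not a verdict.

```python
import re

# Excerpt of the HijackThis log from the post above (copied, not constructed).
LOG = r"""
Running processes:
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\Nordeman\Application Data\nthno.exe
C:\Program Files\SpywareGuard\sgmain.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Nordeman\Application Data\nthno.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

# Registry autorun line: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
# Executable path at the start of a command line, quoted or unquoted.
EXE = re.compile(r'^"?([A-Za-z]:\\.+?\.exe)"?(?:\s|$)', re.I)
# User-writable Windows XP profile folders (assumed heuristic list for this example).
USER_WRITABLE = re.compile(
    r"\\documents and settings\\[^\\]+\\(application data|local settings)\\", re.I)

def running_processes(log):
    """Lower-cased paths listed under 'Running processes:' up to the first blank line."""
    _, found, rest = log.partition("Running processes:")
    if not found:
        return set()
    section = re.split(r"\r?\n\s*\r?\n", rest.strip(), maxsplit=1)[0]
    return {p.strip().lower() for p in section.splitlines()}

def triage_autoruns(log):
    """Return O4 Run entries whose executable lives in a user-writable profile folder."""
    procs = running_processes(log)
    findings = []
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        exe = EXE.match(m.group(4)) if m else None
        if exe and USER_WRITABLE.search(exe.group(1)):
            findings.append({"hive": m.group(1), "name": m.group(3),
                             "path": exe.group(1),
                             "running": exe.group(1).lower() in procs})
    return findings

if __name__ == "__main__":
    for finding in triage_autoruns(LOG):
        print(finding)
```
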
Member
8. May 2008 @ 18:34
Check for updates to SUPERAntiSpyware, do a scan, then post the SAS log.
You can get the report like this:

* After a scan and possible reboot, double-click the SUPERAntiSpyware icon on your desktop.
* Click Preferences. Click the Statistics/Logs tab.
* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
* It will open in your default text editor (Notepad).
* Please highlight everything, then right-click and choose copy.
* Click close and close again to exit the program.

Now please paste the information in your next reply.

echoreply

sergey213
Suspended permanently
16. May 2008 @ 08:52
edited by ddp

This message has been edited since posting. Last time this message was edited on 16. May 2008 @ 22:30

ddp
Moderator
16. May 2008 @ 22:38
sergey213, lightning struck!!!! posts edited
Member
18. May 2008 @ 00:09
I just had to remove that on my mom's computer today, and everything seems to be working well so far... I found if you boot in Safe Mode and then run these 4 programs it will get rid of EVERYTHING bad on your computer... (note: it is a long process, it takes quite a few hours, but is worth the experience)

1: Smit Fraud Fix: http://www.afterdawn.com/software/deskto...mitfraudfix.cfm

2: AVG Free Edition: http://free.grisoft.com

3: Ad-Aware Free: http://www.lavasoft.com

4: Spybot S&D: http://www.safer-networking.org


All programs listed above are completely free and should remove all the crap infecting your computer... Hope it works, good luck...

P.S. The easiest way to run Smit Fraud Fix is to run the .exe file directly from your desktop...

Laptop- AMD Athlon X2 64 @1.9ghz, 4gb ddr2 @667mhz, 120 gb hdd, nVidia GeForce 8200m, 8x DVD-DL Burner, 15.4" widescreen, Windows 7 Ultimate
V9 PS2 with clear blue fliptop& swapmagic 3.6
iPhone 3G 8GB OS 3.0 Jailbroken w/ MMS and Tethering Enabled
30gb Black Video iPod
roe727
Newbie
18. May 2008 @ 15:12
Here is the SuperAntiSpyware log:
The computer is still running really slow.



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/02/2008 at 09:05 PM

Application Version : 3.9.1008

Core Rules Database Version : 3372
Trace Rules Database Version: 1367

Scan type : Complete Scan
Total Scan Time : 00:18:49

Memory items scanned : 348
Memory threats detected : 0
Registry items scanned : 5418
Registry threats detected : 0
File items scanned : 26612
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Nordeman\Cookies\nordeman@media.adrevolver[1].txt
C:\Documents and Settings\Nordeman\Cookies\nordeman@atwola[1].txt
C:\Documents and Settings\Nordeman\Cookies\nordeman@ad.yieldmanager[2].txt
C:\Documents and Settings\Nordeman\Cookies\nordeman@ice.112.2o7[1].txt
C:\Documents and Settings\Nordeman\Cookies\nordeman@mediaplex[1].txt
C:\Documents and Settings\Nordeman\Cookies\nordeman@html[1].txt
C:\Documents and Settings\Nordeman\Cookies\nordeman@advertising[2].txt


Rosemary
Member
19. May 2008 @ 11:46
SuperAntiSpyware is a bad program to use, I HIGHLY recommend that you use the series of programs I suggested. Delete SAS from your hard drive and never use it again. Many have claimed that SAS has actually helped Spyware to get on their computer...

Senior Member
20. May 2008 @ 07:59
Um... engage16... I wouldn't advise you to speak like that, as you do not base your criticisms of SAS on facts, and the idea that SAS promotes spyware on your system is, frankly, well, dumb. SAS isn't only one of the most worth it and great programs on the market, which my own and others' experiences have confirmed without doubt, it also has great detection.

However, I might be inclined to agree that SAS alone is not enough. Perhaps downloading a free scanner like Antivir or Spybot would help further, roe727. Remember to first disable System Restore, boot in safe mode, then scan with the scanners.

Best Regards :D
roe727
Newbie
20. May 2008 @ 09:01
Thanks cdavfrew. I disagreed with engage also. SAS is an excellent program. I didn't think about the system restore though and will rerun those scans after disabling it. And I will enable it after the scans are complete.

Rosemary
Member
20. May 2008 @ 12:23
All I meant to say is that there's no reason to have to pay for a program that you can do for free... I had to remove that trojan from one of my own machines so I stated how I had removed it.

My insults on SAS were based on what I had read from other people and reviews that it has 'evil' intentions with certain sites on the internet. I personally have never used it, and I apologize if I insulted your opinions of the program...

roe727
Newbie
20. May 2008 @ 13:29
You didn't insult me. It's fine. And I don't pay for SAS. Maybe they have one that you pay for, but they have a free program apparently as well. Be careful what you believe in the way of other people's opinions. SAS is a great program.

Rosemary
Member
20. May 2008 @ 13:36
It's a case of personal opinions, I've always used Spybot and Ad-Aware so that's what I'm going to say is 'the best and greatest' just like you use SAS and say that it's 'the best and greatest'...

Back on topic, did you get the Trojan removed yet?

roe727
Newbie
20. May 2008 @ 13:38
I use Spybot and Adaware also. And YES they are great great programs!! And yes I did get the trojan removed. Thanks..have a wonderful day!! :)


Rosemary
ATS
Suspended permanently
27. May 2008 @ 04:02
check out this website, it is helpful http://i'manidiot.com edited by ddp

This message has been edited since posting. Last time this message was edited on 27. May 2008 @ 22:04

pwarner42
Newbie
24. August 2008 @ 11:42
Running XP SP2, I already used AVG and Spybot and recently had an invasion by Trojan Horse sheur, so I downloaded the Smit Fraud Fix you suggested to add to the mix, but when I ran it I got a message from either Spybot or AVG that this is a fake adware removal software so I clicked the button to put it in the vault. What gives here?

I have also tried to install the "Security Update for Microsoft XML Core Services 4.0 Service Pack 2" about a dozen times with it saying it completed successfully each time, but then the little yellow shield with the exclamation mark reappears in the tray and wants me to install it again. Is this a residual effect of the Trojan Horse? When the AVG window first popped up warning of the Trojan Horse attack several weeks ago, something (presumably the TH) had just turned off my MS firewall and removed the wallpaper from my desktop.

Originally posted by engage16:
I just had to remove that on my mom's computer today, and everything seems to be working well so far... I found if you boot in Safe Mode and then run these 4 programs it will get rid of EVERYTHING bad on your computer... (note: it is a long process, it takes quite a few hours, but is worth the experience)

1: Smit Fraud Fix: http://www.afterdawn.com/software/deskto...mitfraudfix.cfm

2: AVG Free Edition: http://free.grisoft.com

3: Ad-Aware Free: http://www.lavasoft.com

4: Spybot S&D: http://www.safer-networking.org


All programs listed above are completely free and should remove all the crap infecting your computer... Hope it works, good luck...

P.S. The easiest way to run Smit Fraud Fix is to run the .exe file directly from your desktop...


Phil in Northwest Arkansas
Member
25. August 2008 @ 19:56
The warning about Smit Fraud Fix is a false positive... Just ignore the warning on it and run the program...
