Trojan detected, can't be removed. HELP!

Status
Not open for further replies.
Spybot detects it, but cannot remove it.
Then it asks permission to run on start-up. I allow it, and it still can't remove it.

Here is what Spybot S&D says:

Win32.Banload.aghb: [SBI $4C93D42E] File extension (Registry key, nothing done)
HKEY_CLASSES_ROOT\.gbp


Thanks for your help,
Joe
 
Boot into Safe mode.

Here are the instructions how to boot into safe mode in Windows XP


  • If the computer is running, shut down Windows and then turn off the power.
  • Wait 30 seconds and then turn the computer on.
  • Start tapping the F8 key (if this doesn't work, try the F5 key). The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a keyboard error message. To resolve this, restart the computer and try again.
  • Ensure that the Safe mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • You can see Safe mode in every corner of your screen
  • When you are finished with all troubleshooting close all programs and restart the computer as you normally would.


When you are in Safe Mode, run Spybot and let it fix the entry, then reboot to normal mode.



RegQuery by Noviciate

Please download RegQuery by Noviciate to your desktop

  • Copy the following registry keypath by highlighting the text and pressing CTRL and C at the same time
    • HKEY_CLASSES_ROOT\.gbp
  • Double click RegQuery.exe to run the program
  • Paste the text you have copied, using CTRL and V, into the textbox
  • Click the Query button
  • A Notepad file will open. Please paste the contents in your next reply
  • You may now close the RegQuery program





Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

  • RegQuery results
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
 
Greetings Bio-hazard!
Thanks for your continued assistance.

I ran Spybot S&D in Safemode, and it still wasn't able to remove the win32.banload.aghb Trojan. It gave me a message that said "some problems couldn't be fixed. The reason could be that the associated files are still in use (in memory)." Spybot asked if it could boot up when I restart my computer. I already did this once before, and Spybot failed to remove the trojan, so I clicked on the NO button.


At any rate, here is the info you requested:

RegQuery results

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.gbp]
@="Gigajam.GigajamXtractor3.8s.gbp"

[HKEY_CLASSES_ROOT\.gbp\Gigajam.GigajamXtractor3.8s.gbp]

[HKEY_CLASSES_ROOT\.gbp\Gigajam.GigajamXtractor3.8s.gbp\ShellNew]

END OF REGQUERY RESULTS

################################################

HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:02:39 PM, on 08/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\HP Authorized Custom\Start Menu\Programs\Startup\SUN.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1757981266-113007714-1708537768-500\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet (User 'Administrator')
O4 - HKUS\S-1-5-21-1757981266-113007714-1708537768-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-1757981266-113007714-1708537768-501\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet (User 'Guest')
O4 - Startup: SUN.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129432081479
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 6071 bytes

END OF HIJACKTHIS LOG

#############################################

Consumer Reports magazine recommended that I use Avira antivirus (freeware).
You can download a copy @ www.free-av.com
I installed it yesterday. So far, it's working out better than the freeware versions of Bitdefender or AVG.

Thanks to the virus scan & removal done by Avira, my computer seems to boot up faster. However, Avira wasn't able to detect win32.banload.aghb at all.

On occasion, the computer still activates the hard drive when I'm not using it or when I'm in the middle of typing (which happened as I was writing this message.)

Thanks again,
Joe
 
I ran Spybot S&D in Safemode, and it still wasn't able to remove the win32.banload.aghb Trojan. It gave me a message that said "some problems couldn't be fixed. The reason could be that the associated files are still in use (in memory)." Spybot asked if it could boot up when I restart my computer. I already did this once before, and Spybot failed to remove the trojan, so I clicked on the NO button.


Looking at the registry entries, they belong to a program called GigajamXtractor 3.8, which is in your uninstall list. Did you install it? So this is a false positive.

You could post your entries to this forum False Positives

Start a new thread and include the original Spybot report and the RegQuery report. Also add a link to this thread.

Consumer Reports magazine recommended that I use Avira antivirus (freeware).
You can download a copy @ www.free-av.com
I installed it yesterday. So far, it's working out better than the freeware versions of Bitdefender or AVG.

Thanks to the virus scan & removal done by Avira, my computer seems to boot up faster. However, Avira wasn't able to detect win32.banload.aghb at all.

Avira is an excellent antivirus program. Do you have the log from the Avira scan? I would like to see it. Avira is not detecting it because it is not in their database or, in this case, because it is a false positive from Spybot. We need to wait for the response to see if this is the case.
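The RegQuery post above and the diagnosis here are one manual check: export HKEY_CLASSES_ROOT\.gbp, read the ProgID it points to, and compare that name with the installed-programs list. The PowerShell below is an added example written for this page; it is not code from the thread, from Spybot or from RegQuery. It performs the same resolution on a live machine and adds the checks a helper would ask for next: the open handler the ProgID registers, whether that executable exists and carries a valid Authenticode signature, and whether a product whose display name matches the vendor prefix appears in the Add/Remove Programs (Uninstall) keys. The function and parameter names are my own; it assumes PowerShell 2.0 or later (installable on Windows XP) and needs only read access to the registry. On the machine in this thread the .gbp key carries only a ShellNew subkey and no shell\open\command, so OpenCommand stays empty and the uninstall match is what settles the question.

```powershell
# Added example: resolve a file-extension key the way Explorer does and gather
# the facts needed to judge a "File extension" detection as malware or false positive.
# Assumes PowerShell 2.0+; names (Get-RegistryDefault, Resolve-ExtensionHandler,
# -UninstallHint) are this example's own.

function Get-RegistryDefault {
    # PowerShell exposes a key's unnamed (default) value under the name '(default)'.
    param([string]$Path)
    (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'(default)'
}

function Resolve-ExtensionHandler {
    param(
        [Parameter(Mandatory=$true)][ValidatePattern('^\.[^\\]+$')][string]$Extension,
        # Vendor name to look for in the uninstall list; defaults to the ProgID's first segment
        # (e.g. 'Gigajam' from 'Gigajam.GigajamXtractor3.8s.gbp').
        [string]$UninstallHint
    )
    $hkcr   = 'Registry::HKEY_CLASSES_ROOT'
    $progId = Get-RegistryDefault "$hkcr\$Extension"
    $result = @{
        Extension      = $Extension
        ProgId         = $progId
        OpenCommand    = $null
        HandlerPath    = $null
        HandlerExists  = $false
        Signature      = $null
        UninstallMatch = @()
    }

    if ($progId) {
        $cmd = Get-RegistryDefault "$hkcr\$progId\shell\open\command"
        if ($cmd) {
            $result.OpenCommand = $cmd
            # Handler commands look like  "C:\dir\app.exe" "%1"  or  C:\dir\app.exe %1
            $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
            if ($expanded -match '^"([^"]+)"' -or $expanded -match '^(\S+)') {
                $exe = $Matches[1]
                $result.HandlerPath   = $exe
                $result.HandlerExists = Test-Path -LiteralPath $exe
                if ($result.HandlerExists) {
                    # Valid / NotSigned / HashMismatch etc.; a missing or unsigned handler
                    # for an unknown ProgID is what would justify treating this as hostile.
                    $result.Signature = (Get-AuthenticodeSignature -FilePath $exe).Status
                }
            }
        }
    }

    # Cross-check against Add/Remove Programs, per-machine and per-user.
    $hint = $UninstallHint
    if (-not $hint -and $progId) { $hint = ($progId -split '\.')[0] }
    if ($hint) {
        $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                         'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
        $result.UninstallMatch = @(
            Get-ChildItem -Path $uninstallKeys -ErrorAction SilentlyContinue |
                ForEach-Object { (Get-ItemProperty -Path $_.PSPath).DisplayName } |
                Where-Object { $_ -and ($_ -like "*$hint*") }
        )
    }
    New-Object PSObject -Property $result
}

# The key Spybot flagged in this thread.
Resolve-ExtensionHandler -Extension '.gbp' | Format-List
```

Read the output top to bottom: a ProgID that names a product found in UninstallMatch, with a handler that exists and is signed (or no handler at all, as here), is an installed application's file association and not a place malware persists; an extension whose ProgID points at a handler that is missing, unsigned or sitting in a temp or profile directory, with no matching product installed, is what deserves the full HijackThis treatment.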
 
SUCCESS!

You were right. GigajamXtractor 3.8 was the reason behind win32.banload.aghb, so Spybot was reporting a FALSE POSITIVE. I don't know what GigajamXtractor does, or when it was installed, or why, but I had it removed.

I did another scan with the spybot S&D.
I'm happy to report that ...MY MACHINE IS CLEAN!!
I also noticed that S&D ran faster than it did prior to GigajamX's removal.

Thanks so much for your help.

Start a new thread and include the original Spybot report and the RegQuery report

I'd be glad to do it as a token of my appreciation, and to "pay it forward".
Are you referring to the both reports that I posted here in this thread?
If not, is there a way I can get the original Spybot report from the S&D program?

Do you have the log from Avira scan? I would like to see it.

Here you go!

AVIRA SCAN #1



Avira AntiVir Personal
Report file date: 2009-08-05 13:03

Scanning for 1594475 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : HPPAV

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 2009-07-29 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 2009-07-21 21:36:16
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2009-02-27 18:58:26
LUKE.DLL : 9.0.3.2 209665 Bytes 2009-02-20 19:35:50
LUKERES.DLL : 9.0.2.0 12033 Bytes 2009-02-27 18:58:54
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 2008-10-27 20:30:38
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 2009-06-24 17:21:44
ANTIVIR2.VDF : 7.1.5.60 2235904 Bytes 2009-08-03 19:50:28
ANTIVIR3.VDF : 7.1.5.75 109568 Bytes 2009-08-05 19:50:32
Engineversion : 8.2.0.240
AEVDF.DLL : 8.1.1.1 106868 Bytes 2009-07-28 21:31:52
AESCRIPT.DLL : 8.1.2.22 450938 Bytes 2009-08-05 19:51:36
AESCN.DLL : 8.1.2.4 127348 Bytes 2009-07-23 17:59:40
AERDL.DLL : 8.1.2.4 430452 Bytes 2009-07-23 17:59:40
AEPACK.DLL : 8.1.3.18 401783 Bytes 2009-07-28 21:31:52
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 2009-07-23 17:59:40
AEHEUR.DLL : 8.1.0.147 1884536 Bytes 2009-08-05 19:51:28
AEHELP.DLL : 8.1.5.3 233846 Bytes 2009-07-23 17:59:40
AEGEN.DLL : 8.1.1.54 356723 Bytes 2009-08-05 19:50:40
AEEMU.DLL : 8.1.0.9 393588 Bytes 2008-10-09 22:32:40
AECORE.DLL : 8.1.7.6 184694 Bytes 2009-07-23 17:59:40
AEBB.DLL : 8.1.0.3 53618 Bytes 2008-10-09 22:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 2008-12-12 16:48:00
AVPREF.DLL : 9.0.0.1 43777 Bytes 2008-12-05 18:32:16
AVREP.DLL : 8.0.0.3 155905 Bytes 2009-01-20 22:34:30
AVREG.DLL : 9.0.0.0 36609 Bytes 2008-12-05 18:32:10
AVARKT.DLL : 9.0.0.3 292609 Bytes 2009-03-24 23:05:42
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 2009-01-30 18:37:10
SQLITE3.DLL : 3.6.1.0 326401 Bytes 2009-01-28 23:03:50
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2009-02-02 16:21:34
NETNT.DLL : 9.0.0.0 11521 Bytes 2008-12-05 18:32:12
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 2009-05-15 23:40:00
RCTEXT.DLL : 9.0.37.0 86785 Bytes 2009-04-17 18:19:50

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: 2009-08-05 13:03

Starting search for hidden objects.
'44760' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'SUN.EXE' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'zlclient.exe' - '0' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'VSMON.EXE' - '0' Module(s) have been scanned
Scan process 'TUProgSt.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'JQS.EXE' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
27 processes with 27 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '55' files ).


Starting the file scan:

Begin scan in 'C:\' <PAVILION>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\HP\bin\KillIt.exe
[DETECTION] Contains recognition pattern of the APPL/KillApp.A application
C:\HP\bin\ProcessLogger.exe
[DETECTION] Contains recognition pattern of the SPR/Hacktool.ProcLog.A program
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
Begin scan in 'D:\' <JOE'S WD>
D:\Emulators\Old Neoragex\NeoRAGEx.exe
[DETECTION] Is the TR/Xema.DO Trojan

Beginning disinfection:
C:\HP\bin\KillIt.exe
[DETECTION] Contains recognition pattern of the APPL/KillApp.A application
[NOTE] The file was moved to '4ae60103.qua'!
C:\HP\bin\ProcessLogger.exe
[DETECTION] Contains recognition pattern of the SPR/Hacktool.ProcLog.A program
[NOTE] The file was moved to '4ae9010d.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4ae30108.qua'!
D:\Emulators\Old Neoragex\NeoRAGEx.exe
[DETECTION] Is the TR/Xema.DO Trojan
[NOTE] The file was moved to '4ae90100.qua'!


End of the scan: 2009-08-05 14:58
Used time: 1:40:04 Hour(s)

The scan has been done completely.

7208 Scanned directories
232713 Files were scanned
3 Viruses and/or unwanted programs were found
1 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
4 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
232707 Files not concerned
1977 Archives were scanned
2 Warnings
6 Notes
44760 Objects were scanned with rootkit scan
0 Hidden objects were found




END OF AVIRA SCAN #1

###################################

AVIRA SCAN #2



Avira AntiVir Personal
Report file date: 2009-08-06 23:19

Scanning for 1616128 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : HPPAV

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 2009-07-29 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 2009-07-21 21:36:16
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2009-02-27 18:58:26
LUKE.DLL : 9.0.3.2 209665 Bytes 2009-02-20 19:35:50
LUKERES.DLL : 9.0.2.0 12033 Bytes 2009-02-27 18:58:54
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 2008-10-27 20:30:38
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 2009-06-24 17:21:44
ANTIVIR2.VDF : 7.1.5.60 2235904 Bytes 2009-08-03 19:50:28
ANTIVIR3.VDF : 7.1.5.81 395776 Bytes 2009-08-06 19:22:48
Engineversion : 8.2.0.246
AEVDF.DLL : 8.1.1.1 106868 Bytes 2009-07-28 21:31:52
AESCRIPT.DLL : 8.1.2.23 455033 Bytes 2009-08-07 06:13:42
AESCN.DLL : 8.1.2.4 127348 Bytes 2009-07-23 17:59:40
AERDL.DLL : 8.1.2.4 430452 Bytes 2009-07-23 17:59:40
AEPACK.DLL : 8.1.3.18 401783 Bytes 2009-07-28 21:31:52
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 2009-07-23 17:59:40
AEHEUR.DLL : 8.1.0.153 1917303 Bytes 2009-08-07 06:13:40
AEHELP.DLL : 8.1.5.3 233846 Bytes 2009-07-23 17:59:40
AEGEN.DLL : 8.1.1.55 356723 Bytes 2009-08-07 06:13:32
AEEMU.DLL : 8.1.0.9 393588 Bytes 2008-10-09 22:32:40
AECORE.DLL : 8.1.7.6 184694 Bytes 2009-07-23 17:59:40
AEBB.DLL : 8.1.0.3 53618 Bytes 2008-10-09 22:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 2008-12-12 16:48:00
AVPREF.DLL : 9.0.0.1 43777 Bytes 2008-12-05 18:32:16
AVREP.DLL : 8.0.0.3 155905 Bytes 2009-01-20 22:34:30
AVREG.DLL : 9.0.0.0 36609 Bytes 2008-12-05 18:32:10
AVARKT.DLL : 9.0.0.3 292609 Bytes 2009-03-24 23:05:42
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 2009-01-30 18:37:10
SQLITE3.DLL : 3.6.1.0 326401 Bytes 2009-01-28 23:03:50
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2009-02-02 16:21:34
NETNT.DLL : 9.0.0.0 11521 Bytes 2008-12-05 18:32:12
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 2009-05-15 23:40:00
RCTEXT.DLL : 9.0.37.0 86785 Bytes 2009-04-17 18:19:50

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: 2009-08-06 23:19

Starting search for hidden objects.
'45886' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'WMIPRVSE.EXE' - '1' Module(s) have been scanned
Scan process 'SUN.EXE' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'ZLCLIENT.EXE' - '0' Module(s) have been scanned
Scan process 'JUSCHED.EXE' - '1' Module(s) have been scanned
Scan process 'VSMON.EXE' - '0' Module(s) have been scanned
Scan process 'TUProgSt.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'JQS.EXE' - '1' Module(s) have been scanned
Scan process 'AVGUARD.EXE' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'SCHED.EXE' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
28 processes with 28 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '55' files ).


Starting the file scan:

Begin scan in 'C:\' <PAVILION>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\System Volume Information\_restore{A0240AAA-585B-44EE-AF62-5369D310BDE5}\RP370\A0126810.exe
[DETECTION] Contains recognition pattern of the APPL/KillApp.A application
C:\System Volume Information\_restore{A0240AAA-585B-44EE-AF62-5369D310BDE5}\RP370\A0126811.exe
[DETECTION] Contains recognition pattern of the SPR/Hacktool.ProcLog.A program
Begin scan in 'D:\' <JOE'S WD>

Beginning disinfection:
C:\System Volume Information\_restore{A0240AAA-585B-44EE-AF62-5369D310BDE5}\RP370\A0126810.exe
[DETECTION] Contains recognition pattern of the APPL/KillApp.A application
[NOTE] The file was moved to '4aacdbad.qua'!
C:\System Volume Information\_restore{A0240AAA-585B-44EE-AF62-5369D310BDE5}\RP370\A0126811.exe
[DETECTION] Contains recognition pattern of the SPR/Hacktool.ProcLog.A program
[NOTE] The file was moved to '4bd2b576.qua'!


End of the scan: 2009-08-07 00:45
Used time: 1:17:51 Hour(s)

The scan has been done completely.

6576 Scanned directories
216750 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
2 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
216746 Files not concerned
1472 Archives were scanned
2 Warnings
4 Notes
45886 Objects were scanned with rootkit scan
0 Hidden objects were found

END OF AVIRA SCAN #2

####################################

I'm so relieved that this trojan virus drama is over, especially when it turned out to be a mere false alarm. Thanks again for making this all possible!

All the best,
Joe
 
Hello!

When you start that thread in false positive forum you can copy and paste this code box on to your post. I have collected information there that they should need:


Code:
[URL="http://forums.spybot.info/showthread.php?p=327016#post327016"]Link[/URL]


[URL="http://www.gigajam.com/"]Gigajam.com[/URL]

[URL="http://download.cnet.com/Gigajam-Xtractor-Analyser/3000-2133_4-10810813.html"]Gigajam Xtractor/Analyser 3.8.2.1[/URL]


Here is what Spybot S&D says:

Win32.Banload.aghb: [SBI $4C93D42E] File extension (Registry key, nothing done)
HKEY_CLASSES_ROOT\.gbp



Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.gbp]
@="Gigajam.GigajamXtractor3.8s.gbp"

[HKEY_CLASSES_ROOT\.gbp\Gigajam.GigajamXtractor3.8s.gbp]

[HKEY_CLASSES_ROOT\.gbp\Gigajam.GigajamXtractor3.8s.gbp\ShellNew]

Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:

  • DDS - (You can just delete the exe file from your desktop)
  • ATF cleaner - (You can just delete the exe file from your desktop)
  • RegQuery - (You can just delete the exe file from your desktop)
  • Rootrepeal - (You can just delete the exe file from your desktop)



Delete ComboFix and Clean Up
Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)

Please advise if this step is missed for any reason as it performs some important actions.

OTC

Download OTC by Old Timer and save it to your Desktop.


  • Double-click OTC.exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? Prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes; if not, delete it yourself


Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.


  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    NOTE: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector or F-Secure Health Check. I suggest that you run one of them at least once a month.



Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.


  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • SpywareBlaster
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.
  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.
  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead: Firefox or Opera or Google Chrome


Here is a great article by miekiemoes How to prevent Malware.

Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Bio-Hazard
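The SpywareBlaster item above says the tool "sets killbits in the registry". That mechanism is documented by Microsoft: Internet Explorer will not instantiate an ActiveX control whose CLSID has a key under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility with bit 0x400 set in the DWORD value Compatibility Flags. The PowerShell below is an added example for this page, not SpywareBlaster's code and not part of the original post. It lets you audit the downloaded controls that HijackThis lists on O16 lines (the CLSIDs in the loop are the four from Joe's log) and set a kill bit by hand for a CLSID you have decided to block. Function names are my own; the all-zero CLSID in the last call is a placeholder used only to show the call, and -WhatIf keeps it from writing anything. Assumes PowerShell 2.0 or later; setting a bit needs an elevated (administrator) session.

```powershell
# Added example: inspect and set ActiveX kill bits by hand.
# Internet Explorer refuses a control when bit 0x400 is set in 'Compatibility Flags'
# under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# On 64-bit Windows the 32-bit IE also consults the Wow6432Node copy of this path;
# the machine in this thread is 32-bit XP, so only the path below applies.
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400

function Get-ActiveXControlInfo {
    # Registered name, serving DLL and kill-bit state for one CLSID.
    param([Parameter(Mandatory=$true)][ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')][string]$Clsid)
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $flags = (Get-ItemProperty -Path (Join-Path $KillBitRoot $Clsid) -ErrorAction SilentlyContinue).'Compatibility Flags'
    New-Object PSObject -Property @{
        Clsid      = $Clsid
        Name       = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
        Server     = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        KillBitSet = ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
        RawFlags   = $flags
    }
}

function Set-KillBit {
    # Sets (never clears) the kill bit and preserves any other compatibility flags already present.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')][string]$Clsid)
    $key     = Join-Path $KillBitRoot $Clsid
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    $new = $current -bor $KillBitFlag
    if ($PSCmdlet.ShouldProcess($Clsid, ('Compatibility Flags -> 0x{0:X8}' -f $new))) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

# Audit the O16 (Downloaded Program Files) controls from the HijackThis log in this thread.
# Note that the MUWebControl entry is Microsoft Update itself: killing it breaks patching.
$o16Clsids = '{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}',   # YInstStarter Class
             '{31E68DE2-5548-4B23-88F0-C51E6A0F695E}',   # Microsoft PID Sniffer
             '{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}',   # MUWebControl Class
             '{7F8C8173-AD80-4807-AA75-5672F22B4582}'    # ICSScanner Class
$o16Clsids | ForEach-Object { Get-ActiveXControlInfo -Clsid $_ } |
    Format-Table Clsid, Name, KillBitSet, Server -AutoSize

# Block a control. The CLSID here is a placeholder, not a real control; -WhatIf only
# previews the registry write. Drop -WhatIf (in an elevated session) to apply it.
Set-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}' -WhatIf
```

Because the flag lives under HKLM, the block applies to every user on the machine and survives the control being re-downloaded; that is why tools such as SpywareBlaster can protect without running in the background. The same key is also where a mistaken block must be undone, so keep -WhatIf on until the CLSID has been identified.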
 
Bio-Hazard,

Thanks so much for your help.

You've given me a lot to absorb in your last reply, so I'll respond within a day or two. Then I'll follow up by posting a message in the false positive forum.

In the meantime, I'm looking for a place that can help me with installing windows updates. Some updates are giving me a hard time. I try to install them, and windows reports that it "failed." Each and every time I shut the computer down, it tries to install the same five updates.

Would you know where I can go to get help with windows updates?

Thanks again, and stay tuned for an update!
Joe
 


They specialize in handling problems like this so you are certain to get expert assistance and a speedy resolution is very likely. I hope you can resolve your other problem with the links that I provided.
 
Greetings Bio-Hazard!

I'm back.

As per your instructions, I deleted ComboFix and Clean Up with the "Start > Run > type combofix /u > OK" command.
Then I ran OTC, and I guess that's that. I still have Malwarebytes' Anti-Malware and HijackThis program on my computer.

I'll look into those recommended programs, and I agree with your recommendation for Firefox. I've been using that browser for years.

Finally, I posted a message in the "false positives" forum. Please click HERE to read it. If I did anything incorrectly, just let me know and I'll make the necessary changes.

Thanks so much for your ongoing help in this matter. It's greatly appreciated!

All the best,
Joe
 
Thank you for doing that. I will also keep my eye on it.


Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 