PPRuNe Forums - View Single Post - Yet another (irremovable) trojan
Old 26th Sep 2005, 08:49
Groundgripper
Yet another (irremovable) trojan

I recently had a series of problems with my PC that I thought might be related to a replacement PSU as the problems started at about the same time as it was fitted. I took it to a local shop which diagnosed a BIOS fault, completely wiped all sectors of my hard drive to remove Windows ME and installed XP Professional (without SP2) and AVG anti-virus.

Despite the AV running, while re-installing my broadband software I seem to have acquired a virus on my machine that AVG cannot shift. Each time I run the AV program it assures me that it has found and deleted the virus, after which the virus alert comes straight back. The file cannot be deleted, healed or transported to the virus vault, the alert returning as soon as I hit the Delete File, Heal or Send to Virus Vault buttons. During the full scan, AVG also found two other viruses, also Trojans that arrived at the same time, which it did (apparently) delete.

AVG identifies the virus as Trojan horse Generic GM
in C : \WINDOWS\System32\rdriv.sys

This is the HJT Logfile

Logfile of HijackThis v1.98.2
Scan saved at 08:46:22, on 26/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C : \WINDOWS\System32\smss.exe
C : \WINDOWS\system32\winlogon.exe
C : \WINDOWS\system32\services.exe
C : \WINDOWS\system32\lsass.exe
C : \WINDOWS\system32\svchost.exe
C : \WINDOWS\System32\svchost.exe
C : \WINDOWS\Explorer.EXE
C : \WINDOWS\system32\spoolsv.exe
C : \PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C : \PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C : \WINDOWS\system32\ZoneLabs\vsmon.exe
C : \PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C : \PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C : \WINDOWS\SOUNDMAN.EXE
C : \WINDOWS\System32\gsicon.exe
C : \WINDOWS\System32\dslagent.exe
C : \PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
C : \WINDOWS\System32\VSStatmn8.exe
C : \Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C : \Program Files\Messenger\msmsgs.exe
C : \Program Files\BT Broadband Help\bin\mpbtn.exe
C : \Documents and Settings\User\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C : \Documents and Settings\User\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C : \WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C : \PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C : \PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Motive SmartBridge] C : \PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [Mcafee Antivirus Monitoring System8] VSStatmn8.exe
O4 - HKLM\..\Run: [Zone Labs Client] C : \Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [Mcafee Antivirus Monitoring System8] VSStatmn8.exe
O4 - HKCU\..\Run: [MSMSGS] "C : \Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mcafee Antivirus Monitoring System8] VSStatmn8.exe
O4 - Global Startup: BT Broadband Help.lnk = C : \Program Files\BT Broadband Help\bin\matcli.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C : \WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C : \WINDOWS\web\related.htm

Note C : \ is deliberately spaced because without the spaces it is read as a smiley and I get shouted at for using too many!

Any help would be much appreciated.

GG
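As an added illustration (not the poster's own code, and not a tool the thread mentions), here is a small Python triage script that reads the O4 autorun lines from a HijackThis log like the one above and flags the pattern that makes the "Mcafee Antivirus Monitoring System8" entries stand out: the same bare VSStatmn8.exe name, with no install path, registered under HKLM Run, HKLM RunServices and HKCU Run on a machine whose antivirus is AVG. The sample lines are copied from the log, and the vendor word list is a constructed heuristic; a flag means "look at this entry", not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample input: O4 lines taken from the HijackThis log in the post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Mcafee Antivirus Monitoring System8] VSStatmn8.exe
O4 - HKLM\..\RunServices: [Mcafee Antivirus Monitoring System8] VSStatmn8.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mcafee Antivirus Monitoring System8] VSStatmn8.exe
"""

# HijackThis O4 format: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')

# Constructed heuristic list: value names that borrow a security vendor's name.
VENDOR_WORDS = ("mcafee", "norton", "symantec", "antivirus")

def exe_basename(cmd):
    """Return (lower-cased file name launched by a Run value, whether it had a directory path)."""
    cmd = cmd.strip()
    prog = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return prog.rsplit('\\', 1)[-1].lower(), '\\' in prog

def triage_o4(log):
    """Map each autorun executable name to the set of suspicious traits observed for it."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            e = m.groupdict()
            e["exe"], e["has_path"] = exe_basename(e["cmd"])
            entries.append(e)
    locations = defaultdict(set)          # distinct autorun keys per executable
    for e in entries:
        locations[e["exe"]].add((e["hive"], e["key"]))
    findings = {}
    for e in entries:
        flags = set()
        if not e["has_path"]:
            flags.add("no_path")            # bare name, found via the search path
        if len(locations[e["exe"]]) > 1:
            flags.add("multi_location")     # same binary registered in several keys
        if not e["has_path"] and any(w in e["name"].lower() for w in VENDOR_WORDS):
            flags.add("vendor_name_no_path")  # claims to be an AV product, no install path
        findings.setdefault(e["exe"], set()).update(flags)
    return findings

if __name__ == "__main__":
    for exe, flags in sorted(triage_o4(SAMPLE_LOG).items()):
        print(f"{exe:16} {sorted(flags) or 'ok'}")
```

Note that SOUNDMAN.EXE also gets no_path on its own, so a single flag is only a prompt to check the file's location and publisher; the combination of all three on one name is what merits a closer look.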