
Infected with trojan-025(trj)

Discussion in 'Virus & Other Malware Removal' started by bobster, Jan 5, 2005.

Thread Status:
Not open for further replies.
  1. bobster

    bobster Thread Starter

    Joined:
    Mar 1, 2003
    Messages:
    59
    When I boot my daughter's laptop avast pops up with notice that the system is infected with the trojan-025(trj) virus. This is really annoying as I do not know what it is. I have attached a hijack log if that helps.
    Thanks,
    Bobster
     

  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    O4 - HKLM\..\Run: [J8u6] C:\documents and settings\sarah\local settings\temp\J8u6.exe


    It looks like an old Peper trojan leftover Registry entry, but it could be anything!

    Go here and use the Browse feature to have that file analyzed; it takes only a few seconds:

    http://virusscan.jotti.dhs.org/

    http://www.kaspersky.com/remoteviruschk.html

    This may get rid of it, but usually real malware will evade deletion this way:


     
  3. bobster (Thread Starter)
    You were right. It appears to be real malware. Where do I go from here?
    Bobster
     
  4. Byteman
    Hi, did you go to either site, and what, if anything, did it give you back about that file? The same name as your own program did?
     
  5. bobster (Thread Starter)
    This is the message:
    "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"
     
  6. Byteman
    Hi, when you try to upload it, do you get the yellow Information bar at the top of the screen? The XP SP2 Firewall installs that; you may have to click it to allow the upload.

    You have to browse to the file location on your hard drive:

    C:\documents and settings\sarah\local settings\temp\J8u6.exe << be careful: just navigate to the location of the file, but don't double-click it to run it!
     
  7. bobster (Thread Starter)
    Hi,
    When I browse for the file I could only find a J8u6.dll. That scan was clean. What's your guess as to where I can find the J8u6.exe?
    bobster
     
  8. Byteman
    Hi, the file may be marked hidden; did you change the settings in Windows Explorer to show hidden files etc. that are in the quote box in my other reply?

    Use the Start > Search feature and it may show up... Or we may only be seeing a leftover Registry entry. I think you would be getting error messages about the missing file at startup, though.

    Here is a page with pics to help you use that.

    http://www.cyberwalker.net/columns/aug03/find-file.html


    You can try to find the entry in the Registry, but if you have never worked in the Windows Registry Editor, I would advise not to without learning something about it first!

    It would be easiest to delete it this way:

    Start > Run > type cmd (and hit Enter)

    At the command prompt, type each of these lines and hit Enter after each one:

    cd \documents and settings

    cd sarah

    cd local settings

    cd temp

    del /a J8u6.exe

    (The "cd local settings" step is needed to reach the temp folder in the path above, and the /a switch lets del remove the file even if it is marked hidden; without it you get "Could Not Find".)
     
  9. bobster (Thread Starter)
    Hi again,
    I tried the delete tip but it still cannot find the file.
    I tried a search of all file (hidden and otherwise) looking for the J8u6.exe but couldn't find it.
    Next?
    Bobster
     
  10. Byteman
    Hi, I think you can simply fix the line in HijackThis if it appears in your next scan:

    O4 - HKLM\..\Run: [J8u6] C:\documents and settings\sarah\local settings\temp\J8u6.exe

    IF the line changes filenames, then there is still something active.

    Reboot afterward, and in Windows Explorer navigate to the
    C:\documents and settings\sarah\local settings\temp
    folder. Click once on temp in the left pane so the contents show on the right (it may be nearly empty after the deletion above); then, at the top of the window, Edit > Select All and hit the Delete key.

    Check a new HJT log there; if there are no more temp items like that, you are good to go. Your last step would be to turn off System Restore; see this:

    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

    You will be turning it off temporarily, restarting, and then turning Restore back on and creating a new Restore Point:

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.
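The checks Byteman walks through in the last two posts (does the O4 target actually exist, is it hidden, does the name change between scans, and is it sitting in a temp folder) are easy to script. The following is an added example written for this page, not code from the thread, from HijackThis or from any scanner: it parses O4 lines from a constructed sample log (the two entries quoted in this thread plus one made-up benign entry), applies heuristics chosen for this example (temp-folder location, short random-looking filename, target missing or carrying the hidden/system attribute), and hashes a file locally so the digest can be looked up at a scanner instead of relying on an upload that came back as 0 bytes. The sample lines, the heuristics and all function names are assumptions, not from the page.

```python
import hashlib
import ntpath
import os
import re
import stat

# Constructed sample log: the two O4 entries quoted in this thread plus one
# made-up benign entry so the heuristics have something to pass.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [J8u6] C:\documents and settings\sarah\local settings\temp\J8u6.exe
O4 - HKLM\..\Run: [IRCOMX] C:\WINDOWS\system32\IRCOMX.exe
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temp\\", "\\tmp\\",
                "\\temporary internet files\\")
# SHA-256 of zero bytes: if a scanner shows this digest, it received nothing.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def parse_o4(line):
    """Split one HijackThis O4 line into hive, value name and command."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def exe_path(cmd):
    """Extract the executable path from a Run value (quoted, or unquoted with args)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def file_status(path):
    """'missing', 'hidden' (hidden or system attribute set) or 'present'.
    The attribute bits only exist on Windows; elsewhere a Windows path is simply missing."""
    if not os.path.exists(path):
        return "missing"
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    mask = (getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
            | getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4))
    return "hidden" if attrs & mask else "present"


def assess(entry, lookup=file_status):
    """Apply the heuristics (assumptions for this example) to one parsed O4 entry."""
    path = exe_path(entry["cmd"])
    low = path.lower()
    stem = ntpath.splitext(ntpath.basename(low))[0]  # ntpath handles backslashes on any OS
    reasons, strong = [], False
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append("Run entry starts an executable from a temp folder")
        strong = True
    if re.fullmatch(r"[a-z0-9]{3,8}", stem) and re.search(r"\d", stem) and re.search(r"[a-z]", stem):
        reasons.append("short random-looking filename (%s)" % stem)
        strong = True
    status = lookup(path)
    if status == "missing":
        reasons.append("target not on disk: orphaned entry, or hidden from this account; "
                       "if the name changes on the next scan, something is still active")
    elif status == "hidden":
        reasons.append("target has the hidden/system attribute: use dir /a and del /a")
    verdict = "suspicious" if strong else ("review" if reasons else "ok")
    return {"name": entry["name"], "path": path, "status": status,
            "reasons": reasons, "verdict": verdict}


def scan_log(text, lookup=file_status):
    """Assess every O4 line in a HijackThis log; other line types are ignored."""
    return [assess(e, lookup) for e in map(parse_o4, text.splitlines()) if e]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Hash locally and look the digest up at the scanner instead of uploading.
    A result equal to EMPTY_SHA256 means zero bytes were read, the same symptom
    as the '0 bytes' upload error in this thread."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    for r in scan_log(SAMPLE_HJT_LOG):
        print(r["verdict"].upper(), r["name"], r["path"], r["status"])
        for reason in r["reasons"]:
            print("   -", reason)
```

Run it against a saved hijackthis.txt by passing the file contents to scan_log; on a machine other than the infected one every Windows path reports "missing", which is why the lookup is injectable. A "suspicious" verdict is a reason to get the file hashed or uploaded, not proof of malware, and an entry that keeps coming back under a new name after being fixed is the stronger signal.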
     
  11. bobster (Thread Starter)
    Hi,
    I did what you told me to do. Good news is that the virus appears not to boot with the system. I have attached a new hijack log. After boot up the harddrive seems to take forever to settle down. Maybe the log will show what processes are causing this.
    Thanks,
    Bob
     

  12. Byteman
    Hi,
    The disk activity is a sign of more infection:

    Boot to Safe Mode. To do so, tap the F8 key several times quickly as you first see text on screen when you start up or restart; when you get the menu, select Safe Mode with the arrow keys and hit Enter once. Give it plenty of time to get to Safe Mode.

    Fix these items with HijackThis: put checks next to each and click "Fix checked":


    O4 - HKLM\..\Run: [IRCOMX] C:\WINDOWS\system32\IRCOMX.exe

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)



    Hit Start> then Run> and type in cmd and hit Enter.

    In the command line, type

    del C:\WINDOWS\system32\IRCOMX.exe

    and, hit Enter. That should get rid of that.

    Restart, and in normal mode run scans with Ad-Aware SE and SpyBot, letting them remove what they find.

    Hmm, checking back, I don't know if you have Ad-Aware SE; you should download it and do this:

    Run an online scan:

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    The idea with online scans is to set "Scan all my computer" or similar settings in any preference boxes..."All/entire hard drives" is another common one, use those.

    Panda will allow you to save a Report when it finishes, it does take a while but a very good scanner!

    Post a new log when you are done.
     
  13. bobster (Thread Starter)
    Hi,
    Done with the safe boot and the HijackThis removal, but I couldn't get the file recognized in the Run > cmd function. I am now running Ad-Aware SE. Reboot was still slow. I ran HijackThis and didn't find the items I had removed. I'll send a log after I am done. Ad-Aware has found 15 new critical objects! I quarantined all. Ran SpyBot. Found DSO Exploit and fixed it. SpyBot got hung up for some reason. I rebooted and ran it again. It found the same exploit and I fixed it. Rebooted; still a lot of hard drive activity. New log attached.
    thanks,
    bobster
     

  14. Byteman
    Hi, something happened when you saved that last log; could you just post the entire log as a reply, and not attach it...

    Run a new scan with HJT and save the log as hijackthis.txt. When it opens in Notepad, go to the thread and open a Reply as you normally would; then, at the top of the log, use Edit > Select All, then Edit > Copy, click once in the reply space, and at the top of your browser window click Edit > Paste. The reply should be pasted; then submit it.
     
  15. bobster (Thread Starter)
    Hi,
    Here is the log.
    Thanks,
    Bobster
     
Short URL to this thread: https://techguy.org/315673