Solved

Hey all, trojan problem.


Hey. I am running ZoneAlarm Extreme Security Suite version 8.0.298.035, and it recently updated its definitions and picked up this LIST of trojans.

I had scanned my computer the night before without anything being detected, and now all of this.
I have also scanned with Malwarebytes Anti-Malware and it detected nothing.

I quarantined all of these 'trojans' and my computer would not shut down afterwards, and on boot it loaded to a 'Windows 2000' style login box rather than my normal XP welcome screen....

My question is: are these real viruses, or did ZoneAlarm just delete some critical files? ^_^

(Operating system: Win XP SP3, all updates done. K-Lite Codec Pack, latest update... Windows Media Player 10 (thought it might be relevant since the 'trojans' are there.))


Trojan 1 - win32.worm.socks.BY
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0005

Trojan 2 - win32.worm.socks.BW
RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost

Trojan 3 - win32.download.fraud.load.gkh
File: C:\Program Files\K-Lite Codec Pack\Filters\vp7dec.ax
File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\vp7dec.ax
File: C:\Program Files\K-Lite Codec Pack\Filters\CoreVorbis.ax
File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\CoreVorbis.ax
File: C:\Program Files\K-Lite Codec Pack\Filters\DCBassSource.ax
File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\DCBassSource.ax
Directory: C:\Program Files\K-Lite Codec Pack\Filters

Trojan 4 - win32.a-ymoj.mail15.su
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0003\DigitalAudio
RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\VideoSettings
RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General\ActiveLatchSet
RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Trojan 5 - win32.1sass
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0006
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0007
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0005
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0006
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0007
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BITS
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS\Enum
Directory: C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5
Directory: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader
RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum



With the latest update, ZoneAlarm detects logonui.exe as win32.worm.socks.bw

This is the false positive that ZoneAlarm was reporting as a trojan!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost

Well, that 'old' version is the only protection on my PC bar Malwarebytes/Windows Defender, so I'll just deal with false positives as they come.

But.

I recently dual booted XP and Win 7. It was XP and Vista; I formatted Vista and whacked 7 on in its place.
Now this worked perfectly with the help of EasyBCD and iReboot.

Only problem is, ever since, Win XP has slowed to a crawl on booting and doesn't function properly after extended time (being on for 24 hrs+).

Any ideas?

I ran Disk Defrag, Disk Cleanup, registry cleans, etc. etc. etc. and only got a small amount of speed back.

Don't blame ZA; if you didn't upgrade because you have a pirated copy, stick to it.. just remember that from time to time you'll have a 'bug' like this..

To fix the problem the original poster had, do the following..


Run regedit and go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


If you don't see an entry 'UIHost', enter a new string value: right-click once while the mouse pointer is in the right pane of the registry editor, select 'New', then select 'String Value'. Rename the 'New Value #1' entry to 'UIHost', highlight UIHost, right-click on it once, then select 'Modify'. In the 'Value data' box type the following: 'logonui.exe'.

Reboot.
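As an added example (not code from the thread or from ZoneAlarm), the PowerShell script below checks the same Winlogon key the post walks through and recreates UIHost only when it is absent, after exporting the key as a backup. The logonui.exe location, the backup file name and the assumption that PowerShell is installed on the XP box are mine.

```powershell
# Added example, not from the thread: check the Winlogon UIHost value that the
# false positive removed and restore the XP default only if it is missing.
# Assumes an elevated PowerShell session on Windows XP/2003 (PowerShell 2.0
# installed separately) or a later Windows that still uses this key.
$winlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonReg  = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$defaultHost  = 'logonui.exe'   # the value the thread's fix enters

# 1. The binary itself: if quarantine also removed logonui.exe, recreating the
#    registry value alone will not bring the Welcome screen back.
$exe = Join-Path $env:SystemRoot 'system32\logonui.exe'
if (-not (Test-Path $exe)) {
    Write-Warning "$exe is missing; restore it from the scanner's quarantine (or from SP3 media) first."
}

# 2. The registry value.
$props = Get-ItemProperty -Path $winlogonPath
$entry = $props.PSObject.Properties['UIHost']
if ($entry -ne $null) {
    Write-Host "UIHost present: '$($entry.Value)'"
    if ($entry.Value -ne $defaultHost) {
        # A value other than the default is worth a look before it is trusted.
        Write-Warning "UIHost does not hold '$defaultHost'; verify the referenced file before changing anything."
    }
} else {
    # Export the key first so the change can be reversed (reg.exe ships with XP).
    $backup = Join-Path $env:TEMP 'winlogon-before-fix.reg'
    if (Test-Path $backup) { Remove-Item $backup }
    & reg export $winlogonReg $backup | Out-Null
    New-ItemProperty -Path $winlogonPath -Name 'UIHost' -PropertyType String -Value $defaultHost | Out-Null
    Write-Host "UIHost was missing; set to '$defaultHost'. Backup: $backup. Reboot to confirm the Welcome screen."
}
```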

PetterrPan said:
Don't blame ZA; if you didn't upgrade because you have a pirated copy, stick to it.. just remember that from time to time you'll have a 'bug' like this..

To fix the problem the original poster had, do the following..


Run regedit and go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


If you don't see an entry 'UIHost', enter a new string value: right-click once while the mouse pointer is in the right pane of the registry editor, select 'New', then select 'String Value'. Rename the 'New Value #1' entry to 'UIHost', highlight UIHost, right-click on it once, then select 'Modify'. In the 'Value data' box type the following: 'logonui.exe'.

Reboot.


Hey, thanks. That fixed the logon issue.
Although I am still getting all of those 'false positives', does anyone know if any of them are real? Just still a little concerned..... as my computer is still having issues where some programs are freezing and it takes an eternity to shut down because they aren't responding.
Anonymous
Security Expert

PetterrPan said:
Don't blame ZA; if you didn't upgrade because you have a pirated copy, stick to it.. just remember that from time to time you'll have a 'bug' like this..

To fix the problem the original poster had, do the following..


Run regedit and go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


If you don't see an entry 'UIHost', enter a new string value: right-click once while the mouse pointer is in the right pane of the registry editor, select 'New', then select 'String Value'. Rename the 'New Value #1' entry to 'UIHost', highlight UIHost, right-click on it once, then select 'Modify'. In the 'Value data' box type the following: 'logonui.exe'.

Reboot.


Having had this problem as well, I have done as you suggest and the log-on now works as before. Whoever you are, I owe you a pint :D

Now all I have to do is sort out the slow boot sequence and I'm set!!

I encountered the same issues after "updating" ZoneAlarm's Anti-Spyware. This is what I did to restore the correct log-in screens.

1. Start Windows in Safe Mode.
2. Do a system restore.
3. That's all.

Safe Mode is necessary because a system restore will not work when this "false positive" pops up and the files are "quarantined" by ZoneAlarm.

Disclaimer: This is not my idea. I read about this several months ago somewhere in cyberspace.