Trojan issue...

JimJ
5,000+ posts

Tangled Up in Blue
No, not *that* kind of issue...

I picked up a trojan from somewhere, and it's been annoying to get rid of it. Doing a scan with AVG lists it as "Downloader Generic2.TGT" and there's a "d.exe" that's on my C: drive. Another program is in my temporary internet files. Deleting both these doesn't work, they just reappear on startup.

I can't do a system restore to an earlier point, because it apparently deleted my previous restore points.

Any other tips from people who have had this happen to them? Reformatting is an option, but I'm really not looking forward to doing that again...especially when I can still get into Windows.

 
1) reboot in safe mode with networking

2) Set view system files and folders and all hidden files and extensions

3) delete c:\temp (whole folder)

all files in the following folders:

c:\windows\prefetch

c:\windows\temp

c:\documents and settings\(all user accounts - go through them all)\local settings\temp

c:\documents and settings\(all user accounts - go through them all)\local settings\temporary internet files\content.ie5\ (all folders - delete them all)

c:\recycler

4) turn off system restore

5) download, update, and run the programs:

Ad-Aware SE

Spybot Search & Destroy

Ewido (http://www.ewido.com)

6) run this: http://www.trendmicro.com/spyware-scan/free_spyware_scan.asp

7) download, run, and save a log file with this program. Also post the log file here so I can review it:

http://download.hijackthis.eu/hijackthis_199.zip

8) once we go over the log file, head here: http://housecall65.trendmicro.com

Tell it to use Java and do a complete scan. When done, scroll to the bottom of the page and click "fix problems" or "remove" or whatever it says.

You should be right as rain, or close to it.

This is the "generic" process I follow at work when dealing with viruses. If this doesn't fix it, then I go in depth. Usually after this point, I can pinpoint the problem and just flat out target it.

 
For now, until you find a permanent removal solution, you can mess the virus up by booting into safe mode, opening up that d.exe in any text editor, filling it with nonsense or "%@!# YOU!", and then setting it to read-only so that the file is basically useless. You might get an error when your computer starts up, but the virus will basically be screwed. It's a great way of dealing with files that you can't delete.

 
I used to make an .exe file with Visual Basic that all it did was open up, and after 30 seconds it would close itself. I would rename the .exe file to whatever file I was having a problem with and replace it. That way the file still exists, but nothing happens. I did that on all the files that were causing the problem till I narrowed the problem.

 
Tried doing what Hundreth said...couldn't open the file even in safe mode...and the problem got worse :( Now I have a whole bunch of .exe's running around.

I'm running another scan...I have Avast already loaded, maybe it'll do something that AVG didn't so far...

 
Logfile of HijackThis v1.99.1

Scan saved at 11:23:30 PM, on 10/16/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\System32\twinmpes.exe

c:\windows\system32\oldsregl.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\SmltIEppbmdvemlhbg\command.exe

C:\WINDOWS\system\dllhost.exe

C:\Program Files\Network Monitor\netmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Grisoft\AVG Free\avgwb.dat

C:\Program Files\Opera\Opera.exe

C:\Documents and Settings\Jim Jingozian\Desktop\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\jfwid.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\NT\nrcs.exe,taemnbx.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [ms032855790155] C:\WINDOWS\ms032855790155.exe

O4 - HKLM\..\Run: [ikte8f5f] RUNDLL32.EXE w00af0a8.dll,n 005e8f5a0000000300af0a8

O4 - HKLM\..\Run: [{EB-B2-2E-EE-ZN}] c:\windows\system32\oldsregl.exe GEN001

O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\twinmpes.exe GEN001

O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe

O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\twinmpes.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: kdsfj.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll

O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O20 - AppInit_DLLs: dxclib303562752.dll

O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\shrio800.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmltIEppbmdvemlhbg\command.exe

O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINDOWS\system\dllhost.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

O23 - Service: Windows Vista/NT Runtime Compatibility Service (ntrcs) - Unknown owner - C:\WINDOWS\NT\nrcs.exe (file missing)

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\dwmputz.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
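As an added example (not code from the thread, from HijackThis, or from any of the tools named above): a Python script that parses the F2/O4/O20/O23 lines of a log like the one posted and flags the entries a reviewer would look at first. The sample lines are copied from the log above, with the AVG and Adobe entries kept in as benign controls; the flagging rules are my own heuristics and will need tuning on a real log (a service with "Unknown owner" that lives in System32 is deliberately not flagged, for instance).

```python
"""Triage helper for a HijackThis-style log (added example, not HijackThis code).

It parses the F2, O4, O20 and O23 sections and flags the persistence
mechanisms the thread's log shows being abused: extra executables hung off
Shell= / UserInit=, AppInit_DLLs and Winlogon Notify hooks, Run-key and
Startup-folder entries pointing straight into the Windows directory, and
services with no vendor name or a missing binary. The rules are heuristics
chosen for this example; they are a first-pass review aid, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines lifted from the log posted above, plus the AVG and
# Adobe entries left in as benign controls.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\jfwid.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\NT\nrcs.exe,taemnbx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ms032855790155] C:\WINDOWS\ms032855790155.exe
O4 - HKLM\..\Run: [ikte8f5f] RUNDLL32.EXE w00af0a8.dll,n 005e8f5a0000000300af0a8
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\twinmpes.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: kdsfj.exe
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\shrio800.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmltIEppbmdvemlhbg\command.exe
O23 - Service: Windows Vista/NT Runtime Compatibility Service (ntrcs) - Unknown owner - C:\WINDOWS\NT\nrcs.exe (file missing)
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


SECTION_RE = re.compile(r"^(F2|O4|O20|O23) - (.*)$")
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$")
# The only values Shell= and UserInit= should carry on a stock XP box.
EXPECTED = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}


def _basename(path: str) -> str:
    return path.strip().strip('"').lower().rsplit("\\", 1)[-1]


def _check_f2(body: str, line: str) -> Optional[Finding]:
    # body looks like 'REG:system.ini: Shell=Explorer.exe, C:\...\jfwid.exe'
    key, _, values = body.split(": ", 1)[-1].partition("=")
    expected = EXPECTED.get(key.strip().lower())
    if expected is None:
        return None
    extras = [v.strip() for v in values.split(",") if v.strip() and _basename(v) not in expected]
    if extras:
        return Finding("F2", f"{key} carries extra executables: {', '.join(extras)}", line)
    return None


def _check_o4(body: str, line: str) -> Optional[Finding]:
    if body.lower().startswith(("startup:", "global startup:")):
        item = body.split(": ", 1)[1]
        target = (item.split(" = ", 1)[1] if " = " in item else item).strip().lower()
        if target == "?":  # shortcut target not resolved by the scanner; nothing to check
            return None
        if "\\" not in target:
            return Finding("O4", "startup item with no path component", line)
        if target.startswith("c:\\windows\\"):
            return Finding("O4", "startup shortcut pointing into the Windows directory", line)
        return None
    # Run-key entry: '<hive>\..\Run: [name] <command> <args>'
    command = body.split("] ", 1)[1] if "] " in body else body
    tokens = command.lower().split()
    if not tokens:
        return None
    if tokens[0].startswith("rundll32") and len(tokens) > 1 and "\\" not in tokens[1]:
        return Finding("O4", "rundll32 loading a DLL given only by bare name", line)
    if WINDOWS_ROOT_EXE.match(tokens[0]):
        return Finding("O4", "executable sitting directly in the Windows root", line)
    return None


def _check_o20(body: str, line: str) -> Optional[Finding]:
    key, _, value = body.partition(": ")
    key_l = key.lower()
    if key_l == "appinit_dlls" and value.strip():
        return Finding("O20", "AppInit_DLLs is set (loaded into every process that uses user32)", line)
    if key_l == "winlogon notify":
        name, _, dll = value.partition(" - ")
        stem = _basename(dll).rsplit(".", 1)[0]
        # Heuristic: legitimate packages load a DLL named after themselves or wlnotify.dll.
        if stem not in (name.strip().lower(), "wlnotify"):
            return Finding("O20", f"Winlogon Notify '{name.strip()}' loads unrelated DLL {_basename(dll)}", line)
    return None


def _check_o23(body: str, line: str) -> Optional[Finding]:
    parts = body.split(": ", 1)[-1].split(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = (p.strip() for p in parts)
    if "(file missing)" in path:
        return Finding("O23", f"service '{name}' points at a missing binary", line)
    path_l = path.strip('"').lower()
    if owner.lower() == "unknown owner" and path_l.startswith("c:\\windows\\") \
            and not path_l.startswith("c:\\windows\\system32\\"):
        return Finding("O23", f"service '{name}' has no vendor name and runs from the Windows directory", line)
    return None


CHECKS = {"F2": _check_f2, "O4": _check_o4, "O20": _check_o20, "O23": _check_o23}


def triage_line(line: str) -> Optional[Finding]:
    m = SECTION_RE.match(line.strip())
    return CHECKS[m.group(1)](m.group(2), line.strip()) if m else None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports ten entries and stays quiet on the AVG and Adobe lines. The Shell= and UserInit= values matter most: they run at every logon before the desktop appears, so deleting the file on disk without clearing the registry value tends not to stick.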
