generic2 trojan. Help!


GuzziHero

Right...I think I'm onto this, but I'm not sure.

I was on MSN and got a message from a friend...something about a greetings card. Like a fool I clicked it. You guessed it...trojan.

This one was called generic2.mdn (I think that's the suffix anyway) and opened up 3 files on my desktop - setup, Tele and another one I can't remember. Thankfully, AVG caught it.

Thinking quickly, I changed my MSN name to DO NOT OPEN ATTACHMENTS FROM ME so only 1 person caught it off me.

Googled for help, found fab advice from here. Here's what I did and I *think* I've stopped it. Would like some verification, please.

Rebooted. Safe mode. System Restore off. Show all hidden and system files. Task Manager, looked for swchost.exe. Wasn't present. regsvr32 /u C:\windows\system32\pptp16.dll...this just gave me a command error.

HijackThis, looked for O4 HKLM...swchost.exe and O10 Winlogon...pptp16.dll. Neither present. Closed HijackThis.

Checked for C:\windows\system32\pptp16.dll and c:\windows\swchost.exe. Neither found.

AVG found 6 or 7 trojan files. Deleted them.

Back onto desktop. Right click - properties on the setup file. It took me into my Documents and Settings for my login. Found all 3 files. Deleted them. Rebooted.

Deleted MSN. Reloaded MSN. Now AVG checking.

---
The virus hasn't attacked me again, yet. I THINK it's done and dusted. Can anyone give me any advice on what I can do to be sure?

Thanks in advance, and thanks to all users and moderators for this fab forum :)
 
Hello GuzziHero and welcome to TechSpot.

Read the Viruses, Spyware, Malware preliminary removal instructions and follow the instructions exactly.

Then post HijackThis and AVG Antispyware logs as ATTACHMENTS into this thread.

Cheers

This thread is for the use of GuzziHero only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in the Security and the Web forum.
 
Thank you, Sir. I appreciate your time :)

Okay, I did that. My results:

After my successful AVG Anti-Virus above, I scanned before rebooting and it was clear. Adaware showed objects, all data miners. Spybot S&D found no objects.

SmitFraud did a little work, but nothing found. VirtumundoBeGone: Nothing found! The other 2 tools gave me a white screen saying "Advert removed by <someone>"

Reboot into safe mode.

AdAware: MRU List (11), Tracking Cookie (1). S&D: Hotsearch Bar (2), MicrosoftWindowsSecurityCentre:AntiVirus (1). SmitFraud (1). Starware (1)

AVG AV Threats: 0

I cleaned the AVG virus vault out, emptied the quarantine logs on AdAware. Ran Windows Defender: 0 threats found.

HJT log attached.

:)
 
Hello and welcome to Techspot.

Your system is infected with at least one worm and other nasties.

Before deciding whether your computer needs cleaning or reformatting, I need to ask you some questions.

Do you use your computer for any of the following: online banking, business purposes, storing sensitive or very personal information?

If the answer to any of those questions is yes, then you should immediately disconnect your computer from the net and do a complete format and reinstall.

This is because your computer is infected with backdoor trojans. These will have sent your info to a third party who may use that info for their own purposes. If you use online banking, then you should contact your bank and arrange to have your password changed immediately. You should also change any other passwords you use as these may have also been compromised.

Even if we cleaned the infections, it wouldn't help to recover the info that may have been gleaned from your system.

If you only use your computer for music/games etc, then cleaning it of infections is possibly a better option than a reformat.

Please let me know what you want to do in your next post.

See these two links before you decide what you want to do.

http://www.dslreports.com/faq/10063
http://www.dslreports.com/faq/10451


Regards Howard :wave: :wave:

 
Thanks for getting back to us.

I think you've made the correct decision. If only I could get my hands on the malware writing scumbags.

Good luck.

Regards Howard :)

 
Right...contacted my bank and forced a PIN reset (I was afraid that changing it online would pass the info back to the Trojan).

Should I do a wipe and reformat, or a quick reformat by just inserting my Windows XP disc?
Am I safe to copy data from my D drive to an external or will I copy the virus as well?
 
Nm...backed up data (only from D: drive) onto external. All the trojan data found was on C: and came from MSN which is on C: If it still propagates...not much I can do.

I won't be using online banking again, that's fer sure!
 
Reinstalled everything on C:

Here's my current HJT :)

---
Got another Generic2. AVG caught, deleted it.

Kept getting Generic3. Fire c:\windows\program files. Named ipwins.dll. Had an uninstall program so I used it. Hasn't popped up again. Running AVG again. Will edit this post when I have a result.

---
Still getting 6x Backdoor Agent DGC. Files: anrtt.exe dacn.exe dnumr.exe ducr.exe hwlqv.exe ixwrfhf.exe
Plus Generic2.muz

Sheesh.

---
Another edit.
Escaped those ones. Now have generic2.MUZ in c:\recycler...
 
Please copy and paste these instructions into notepad and save the file to your desktop.

First of all, turn off system restore (XP/ME only) (see how here)
Now, restart your computer in safe mode (see how here)

Run HijackThis with no other programs open except notepad. Have it fix the following entries (if there) by placing a check in the box:
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3013A~1\Bar888.dll
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000144 (file missing)


Now search for the following files and delete each instance of them:
m?config.exe
Bar888.dll
algs.exe
ipwins.exe
spoolsvc.exe
svchosts.exe


Now reboot your computer into normal mode.
There were some files that I wasn't sure about, so run HijackThis after you're all done and post a fresh log file.
Cheers
 
You are running Windows XP, right? If so, continue. If not, do not follow these instructions, but instead make a new post saying what version you're running. If you're running certain other versions of Windows, command.exe is the command line program. If you're running Windows XP, however, I'm reasonably sure command.exe is malicious.

Have HijackThis fix these entries:
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3013A~2\Bar888.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXMgV2hpdGU\command.exe


Go into Task Manager and end the process for command.exe.

Go into C:\Windows\Q2hyaXMgV2hpdGU and delete command.exe.

Go into Add/Remove Programs in Control Panel and uninstall anything having to do with Bar888.

Run HJT again and post a new log. That command.exe thing seems new, but I think the Bar888 entry is just cuz now it can't find the bar888.dll which you deleted before.

Cheers
 
Okay, got rid of the HJT entries. Log attached. Yep, I'm on WinXP.

Couldn't end process command.exe. Access denied. There is a 'command' entry in Add/Remove programs, should I delete that?

C:\Windows\Q2hyaXMgV2hpdGU doesn't exist.

Bar888 removed.

Edit:
Looks like Command.exe re-planted its line in HJT (O23).

---
Thank you again for your continued assistance. You and Mr Hopkinso are my Christmas Angels ;)
 
I'm not sure about all your HJT entries. There is stuff about update.exe, command.exe, and netmon.exe, all of which I'm not sure about. Maybe Howard can help you out on that, since he has about 50 times more posts than I have :)
You're welcome for the assistance. And Merry Christmas to you too ;)
 
I figured that a legitimate command.exe wouldn't appear as an entry in add/remove programs so I went to delete it. It popped up a new browser window letting me know that it is a pop-up feeder. It has its own installation tool...I'm not trusting that thing! Currently running Ad-aware to see what it's up to.

Found some info on Command.exe: http://www.liutilities.com/products/wintaskspro/processlibrary/command/

"Description:
command.exe is a process which belongs to the DOS command line tool used in Windows 95, 98 and ME. This program is a non-essential process, but should not be terminated unless suspected to be causing problems.

command.exe is also a process belonging to the Adtomi advertising program by Adtomi.com. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This process is a security risk and should be removed from your system.

Note: command.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system."

I also have a program in there called Outerinfo. I'm investigating this feller, too.

Yup, that's online advertising. How did they get onto a fresh reinstalled PC?
 
Well, malicious software can be installed on any system with the security settings too low, using ActiveX controls. What are your security settings on your browser (or I don't know how Firefox's are, but XP's are like low, medium, and high)?
Cheers
 
I'm on medium high right now, and I use IE7.

AdAware just came up with and deleted a downloader 32 trojan, plus a tracking cookie. Ran it again, tracking cookie and some MRU lists (whatever those are!). AdAware says they are a negligible threat.
 
Tracking cookies are fairly common, and while they should be deleted, they are not an extremely urgent threat. I don't think you need to worry about an MRU list; I get objects in them too when I scan with Ad-Aware. But anyway, I think your system is, for the most part, clean.
Cheers
 
I hope so, too :)

I wish you and your family a safe and happy Christmas :) Same goes to all the TechSpot staff and assistants.

Thanks again for helping me out, especially on Christmas Eve. I really appreciate it :)
 
I've just looked at your last HJT log. Your system is still heavily infected.

These entries are very nasty.

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXMgV2hpdGU\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

Disconnect from the net and do a full (not quick) reformat. DO NOT reconnect to the net until you have installed your firewall software. Install Windows, followed by your firewall software, then the drivers you need etc.

Until your system is 100% clean, you shouldn't enter any sensitive data.

Regards Howard :(

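The pattern behind these verdicts on the O4 and O23 entries, as an added example that is not the thread's or HijackThis's own code: a small Python triage that flags one-letter look-alikes of Windows binary names (algs.exe, spoolsvc.exe, svchosts.exe), services with an unknown owner, and directory names that are really base64 (Q2hyaXMgV2hpdGU decodes to 'Chris White'). LEGIT_NAMES is a hand-picked set and SAMPLE is constructed from lines quoted in this thread.

```python
import base64
import re

LEGIT_NAMES = {"svchost.exe", "spoolsv.exe", "alg.exe", "lsass.exe"}  # targets of algs/spoolsvc/svchosts look-alikes
SAMPLE = [  # constructed: two entries quoted in this thread plus one benign entry for contrast
    r"O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe",
    r"O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXMgV2hpdGU\command.exe",
    r"O4 - HKLM\..\Run: [Notepad] C:\WINDOWS\System32\notepad.exe",
]

def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 catches one-letter look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def decode_if_base64(component):
    """Decoded text when a path component is base64 for plain words, else None."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{12,}", component):
        return None
    try:  # pad to a multiple of 4 so unpadded names such as Q2hyaXMgV2hpdGU still decode
        text = base64.b64decode(component + "=" * (-len(component) % 4)).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and all(c.isalpha() or c == " " for c in text) else None

def triage(line):
    """Reasons an entry deserves a closer look; an empty list means nothing was flagged."""
    if line.startswith("O4 "):             # O4 - HKLM\..\Run: [label] path
        tail = line.split("] ", 1)[1]
    elif line.startswith("O23 "):          # O23 - Service: name - owner - path [args] [(file missing)]
        tail = " - ".join(line.split(" - ")[3:])
    else:
        return []
    if not (m := re.match(r'"?(.*?\.exe)', tail, re.IGNORECASE)):  # path up to the first .exe
        return []
    path, reasons = m.group(1), []
    name = path.rsplit("\\", 1)[-1].lower()
    if name not in LEGIT_NAMES:
        reasons += [f"{name} looks like {l}" for l in LEGIT_NAMES if edit_distance(name, l) == 1]
    for comp in path.split("\\")[1:-1]:
        if decoded := decode_if_base64(comp):
            reasons.append(f"directory {comp} is base64 for '{decoded}'")
    if line.startswith("O23 ") and "Unknown owner" in line:
        reasons.append("service with unknown owner")
    return reasons
```

Running `triage` over SAMPLE flags the first two entries and leaves the notepad.exe entry alone; the heuristics are a prompt for a closer look, not a verdict on their own.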
 
Rightio.

Formatted, started from Windows CD, formatted as NTFS.

All thats on my add/remove programs right now is HijackThis and ZoneAlarm. HJT log attached.

*sigh* Windows Update a-gogo time :p
 
Your HJT log is clean as a whistle mate.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Fandabedozee!

You're a star, my friend. Thank you so much!

Now I have to guide a friend who got it from me through a re-install as well *sigh* I feel such a schmuck.
 