TechSpot

generic2 trojan.  Help!

By GuzziHero
Dec 23, 2006
  1. Right... I think I'm onto this, but I'm not sure.

    I was on MSN and got a message from a friend... something about a greetings card. Like a fool, I clicked it. You guessed it... trojan.

    This one was called generic2.mdn (I think that's the suffix anyway) and opened up 3 files on my desktop - setup, Tele and another one I can't remember. Thankfully, AVG caught it.

    Thinking quickly, I changed my MSN name to DO NOT OPEN ATTACHMENTS FROM ME so only 1 person caught it off me.

    Googled for help, found fab advice from here. Here's what I did and I *think* I've stopped it. Would like some verification, please.

    Rebooted. Safe mode. System Restore off. Show all hidden and system files. Task Manager, looked for swchost.exe. Wasn't present. regsvr32 /u C:\windows\system32\pptp16.dll... this just gave me a command error.

    HijackThis, looked for O4 HKLM... swchost.exe and O10 Winlogon... pptp16.dll. Neither present. Closed HijackThis.

    Checked for C:\windows\system32\pptp16.dll and c:\windows\swchost.exe. Neither found.

    AVG found 6 or 7 trojan files. Deleted them.

    Back onto desktop. Right click - properties on the setup file. It took me into my Documents and Settings for my login. Found all 3 files. Deleted them. Rebooted.

    Deleted MSN. Reloaded MSN. Now AVG checking.

    ---
    The virus hasn't attacked me again, yet. I THINK it's done and dusted. Can anyone give me any advice on what I can do to be sure?

    Thanks in advance, and thanks to all users and moderators for this fab forum :)
     
  2. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Hello GuzziHero and welcome to TechSpot.

    Read the Viruses, Spyware, Malware preliminary removal instructions and follow the instructions exactly.

    Then post HijackThis and AVG Antispyware logs as ATTACHMENTS into this thread.

    Cheers

    This thread is for the use of GuzziHero only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in the Security and the Web forum.
     
  3. GuzziHero

    GuzziHero TS Rookie Topic Starter

    Thank you, Sir. I appreciate your time :)

    Okay, I did that. My results:

    After my successful AVG Anti-Virus above, I scanned before rebooting and it was clear. Adaware showed objects, all data miners. Spybot S&D found no objects.

    SmitFraud did a little work, but nothing found. VirtumundoBeGone: Nothing found! The other 2 tools gave me a white screen saying "Advert removed by <someone>"

    Reboot into safe mode.

    AdAware: MRU List (11), Tracking Cookie (1). S&D: Hotsearch Bar (2), MicrosoftWindowsSecurityCentre:AntiVirus (1). SmitFraud (1). Starware (1)

    AVG AV Threats: 0

    I cleaned the AVG virus vault out, emptied the quarantine logs on AdAware. Ran Windows Defender: 0 threats found.

    HJT log attached.

    :)
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is infected with at least one worm and other nasties.

    Before deciding whether your computer needs cleaning or reformatting, I need to ask you some questions.

    Do you use your computer for any of the following: online banking, business purposes, or storing sensitive or very personal information?

    If the answer to any of those questions is yes, then you should immediately disconnect your computer from the net and do a complete format and reinstall.

    This is because your computer is infected with backdoor trojans. These will have sent your info to a third party who may use that info for their own purposes. If you use online banking, then you should contact your bank and arrange to have your password changed immediately. You should also change any other passwords you use, as these may have also been compromised.

    Even if we cleaned the infections, it wouldn't help to recover the info that may have been gleaned from your system.

    If you only use your computer for music/games etc, then cleaning it of infections is possibly a better option than a reformat.

    Please let me know what you want to do in your next post.

    See these two links before you decide what you want to do.

    http://www.dslreports.com/faq/10063
    http://www.dslreports.com/faq/10451


    Regards Howard :wave: :wave:

     
  5. GuzziHero

    GuzziHero TS Rookie Topic Starter

    I do have an online banking account.

    Reformat time.

    Thanks for your help, I'll report back when I'm done :)
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Thanks for getting back to us.

    I think you've made the correct decision. If only I could get my hands on the malware writing scumbags.

    Good luck.

    Regards Howard :)

     
  7. GuzziHero

    GuzziHero TS Rookie Topic Starter

    Right... contacted my bank and forced a PIN reset (I was afraid that changing it online would pass the info back to the Trojan).

    Should I do a wipe and reformat, or a quick reformat by just inserting my Windows XP disc?
    Am I safe to copy data from my D drive to an external or will I copy the virus as well?
     
  8. GuzziHero

    GuzziHero TS Rookie Topic Starter

    Nm... backed up data (only from D: drive) onto external. All the trojan data found was on C: and came from MSN, which is on C:. If it still propagates... not much I can do.

    I won't be using online banking again, that's fer sure!
     
  9. GuzziHero

    GuzziHero TS Rookie Topic Starter

    Reinstalled everything on C:

    Here's my current HJT :)

    ---
    Got another Generic2. AVG caught, deleted it.

    Kept getting Generic3. Fire c:\windows\program files. Named ipwins.dll. Had an uninstall program so I used it. Hasn't popped up again. Running AVG again. Will edit this post when I have a result.

    ---
    Still getting 6x Backdoor Agent DGC. Files: anrtt.exe dacn.exe dnumr.exe ducr.exe hwlqv.exe ixwrfhf.exe
    Plus Generic2.muz

    Sheesh.

    ---
    Another edit.
    Escaped those ones. Now have generic2.MUZ in c:\recycler...
     
  10. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Please copy and paste these instructions into notepad and save the file to your desktop.

    First of all, turn off system restore (XP/ME only) (see how here)
    Now, restart your computer in safe mode (see how here)

    Run HijackThis with no other programs open except notepad. Have it fix the following entries (if there) by placing a check in the box:
    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3013A~1\Bar888.dll
    O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
    O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000144 (file missing)


    Now search for the following files and delete each instance of them:
    m?config.exe
    Bar888.dll
    algs.exe
    ipwins.exe
    spoolsvc.exe
    svchosts.exe


    Now reboot your computer into normal mode.
    There were some files that I wasn't sure about, so run HijackThis after you're all done and post a fresh log file.
    Cheers
     
  11. GuzziHero

    GuzziHero TS Rookie Topic Starter

    Okay :) HJT file attached.

    Given the files I just deleted, I'm a little concerned at O2 - BHO: Bar888
     
  12. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    You are running Windows XP, right? If so, continue. If not, do not follow these instructions, but instead make a new post saying what version you're running. If you're running certain other versions of Windows, command.exe is the command line program. If you're running Windows XP, however, I'm reasonably sure command.exe is malicious.

    Have HijackThis fix these entries:
    O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3013A~2\Bar888.dll (file missing)
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXMgV2hpdGU\command.exe


    Go into Task Manager and end the process for command.exe.

    Go into C:\Windows\Q2hyaXMgV2hpdGU and delete command.exe.

    Go into Add/Remove Programs in Control Panel and uninstall anything having to do with Bar888.

    Run HJT again and post a new log. That command.exe thing seems new, but I think the Bar888 entry is just cuz now it can't find the bar888.dll which you deleted before.

    Cheers
     
  13. GuzziHero

    GuzziHero TS Rookie Topic Starter

    Okay, got rid of the HJT entries. Log attached. Yep, I'm on WinXP.

    Couldn't end process command.exe. Access denied. There is a 'command' entry in Add/Remove programs, should I delete that?

    C:\Windows\Q2hyaXMgV2hpdGU doesn't exist.

    Bar888 removed.

    Edit:
    Looks like Command.exe re-planted its line in HJT (O23).

    ---
    Thank you again for your continued assistance. You and Mr Hopkinso are my Christmas Angels ;)
     
  14. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    I'm not sure about all your HJT entries. There is stuff about update.exe, command.exe, and netmon.exe, all of which I'm not sure about. Maybe Howard can help you out on that, since he has about 50 times more posts than I have :)
    You're welcome for the assistance. And Merry Christmas to you too ;)
     
  15. GuzziHero

    GuzziHero TS Rookie Topic Starter

    I figured that a legitimate command.exe wouldn't appear as an entry in add/remove programs so I went to delete it. It popped up a new browser window letting me know that it is a pop-up feeder. It has its own installation tool... I'm not trusting that thing! Currently running Ad-aware to see what it's up to.

    Found some info on Command.exe: http://www.liutilities.com/products/wintaskspro/processlibrary/command/

    "Description:
    command.exe is a process which belongs to the DOS command line tool used in Windows 95, 98 and ME. This program is a non-essential process, but should not be terminated unless suspected to be causing problems.

    command.exe is also a process belonging to the Adtomi advertising program by Adtomi.com. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This process is a security risk and should be removed from your system.

    Note: command.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system."

    I also have a program in there called Outerinfo. I'm investigating this feller, too.

    Yup, that's online advertising. How did they get onto a freshly reinstalled PC?
     
  16. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Well, malicious software can be installed on any system with the security settings too low, using ActiveX controls. What are your security settings on your browser (I don't know how Firefox's are, but XP's are like low, medium, and high)?
    Cheers
     
  17. GuzziHero

    GuzziHero TS Rookie Topic Starter

    I'm on medium high right now, and I use IE7.

    AdAware just came up with and deleted a downloader 32 trojan, plus a tracking cookie. Ran it again, tracking cookie and some MRU lists (whatever those are!). AdAware says they are a negligible threat.
     
  18. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Tracking cookies are fairly common, and while they should be deleted, they are not an extremely urgent threat. I don't think you need to worry about an MRU list; I get objects in them too when I scan with Ad-Aware. But anyway, I think your system is, for the most part, clean.
    Cheers
     
  19. GuzziHero

    GuzziHero TS Rookie Topic Starter

    I hope so, too :)

    I wish you and your family a safe and happy Christmas :) Same goes to all the TechSpot staff and assistants.

    Thanks again for helping me out, especially on Christmas Eve. I really appreciate it :)
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I've just looked at your last HJT log. Your system is still heavily infected.

    These entries are very nasty.

    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXMgV2hpdGU\command.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

    Disconnect from the net and do a full (not quick) reformat. DO NOT reconnect to the net until you have installed your firewall software. Install Windows, followed by your firewall software, then the drivers you need etc.

    Until your system is 100% clean, you shouldn't enter any sensitive data.

    Regards Howard :(

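An added triage helper, written for this page and not code from the thread, from HijackThis or from AVG: it turns the checks the helpers applied by eye to the O4/O23 entries quoted in posts 10, 12 and 20 into code (a one-character lookalike of a genuine Windows service binary, a service with no identifiable owner, a folder name that is really base64). The reference list of genuine binaries, the one-edit threshold and the base64 heuristic are my assumptions; the sample lines are the thread's own log entries.

```python
import base64
import re
from pathlib import PureWindowsPath

# Real Windows binaries that the lookalike names in this thread imitate (assumed list).
LEGIT_SYSTEM_BINARIES = ("alg.exe", "lsass.exe", "spoolsv.exe", "svchost.exe")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll))', re.IGNORECASE)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches svchosts.exe vs svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_base64_text(folder: str) -> bool:
    """Heuristic: the folder name is valid base64 that decodes to plain ASCII words."""
    if len(folder) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+", folder):
        return False
    try:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        text = base64.b64decode(folder + "=" * (-len(folder) % 4), validate=True).decode("ascii")
    except ValueError:
        return False
    return len(text) >= 6 and re.fullmatch(r"[A-Za-z0-9 ]+", text) is not None

def triage_hjt_line(line: str) -> list[str]:
    """Reasons an O4/O23 line deserves review. A heuristic, not a verdict: IpWins passes."""
    m = PATH_RE.search(line)
    if not m:
        return []
    path = PureWindowsPath(m.group(1))
    name = path.name.lower()
    reasons = [f"{name} is one character away from {legit}"
               for legit in LEGIT_SYSTEM_BINARIES if 0 < edit_distance(name, legit) <= 1]
    if line.startswith("O23") and "Unknown owner" in line:
        reasons.append("service registered with no identifiable owner")
    reasons += [f"folder {f!r} is base64 for plain text" for f in path.parts[1:-1] if looks_base64_text(f)]
    return reasons

# Entries quoted from the thread's own HijackThis output (posts 10, 12 and 20).
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe",
    r"O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe",
    r'O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000144 (file missing)',
    r"O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXMgV2hpdGU\command.exe",
    r"O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe",
]
```

Running `triage_hjt_line` over `SAMPLE_LINES` flags every entry Howard and kitty500cat called out except IpWins, which is the point of the docstring caveat: a clean pass from heuristics like these is not proof of a clean machine.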
     
  21. GuzziHero

    GuzziHero TS Rookie Topic Starter

    Rightio.

    Formatted, started from Windows CD, formatted as NTFS.

    All that's on my add/remove programs right now is HijackThis and ZoneAlarm. HJT log attached.

    *sigh* Windows Update a-gogo time :p
     
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean as a whistle mate.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  23. GuzziHero

    GuzziHero TS Rookie Topic Starter

    Fandabedozee!

    You're a star, my friend. Thank you so much!

    Now I have to guide a friend who got it from me through a re-install as well *sigh* I feel such a schmuck.
     
Topic Status:
Not open for further replies.
