I hate this Trojan Downloader

Status
Not open for further replies.

kinjo1977

Posts: 7   +0
Alright guys, I'm new here but I could tell right away from reading through a few articles that you guys would be able to help me.
Apparently this isn't a new problem, and you're probably sick of explaining it.
But to save you some trouble, I have read most of the posts regarding this downloader.generic.TUC that was detected by AVG. So no need to link me to a bunch of Stickys.

Also, I have HJT of which I am attaching a log for you to look at.

Basically, look through it and tell me which files to fix or just flat out destroy because this thing is making me ill.

Thanks,
Kinjo
 
Looking at your log, I doubt if you have even READ those stickies, let alone FOLLOWED the advice given there.
Go and do so now, and then (AFTER you've done your homework!) post a fresh log.
 
RealBlackStuff said:
Looking at your log, I doubt if you have even READ those stickies, let alone FOLLOWED the advice given there.
Go and do so now, and then (AFTER you've done your homework!) post a fresh log.

I realize that there are a lot of (file missing) or (no name) files in there. But it all comes down to this. I am not the most computer literate person. If I F my comp over by "fixing/deleting" too much or the wrong thing with HJT, I may not be able to fix what I've done. And yes, I remember the part where it said save HJT to Program Files, but I had already downloaded it to my desktop before I read anything from this site. And to top it off, my Windows Explorer freezes the instant I click a file, so I can't move it to Program Files. Well, at least that's the way I did know how to move a file; there could be another way, but like I said, not that good with computers.
 
Hello and welcome to Techspot.

The first thing you should do is have HJT restore everything you have fixed. Run HJT and click on the config button. Click on the backups button and tick every box. Click on the restore button and close HJT.

Now, go HERE and follow the instructions exactly.

Post a fresh HJT log, after doing the above.

Regards Howard :wave: :wave:
 
Alternative app to counter the problem of a certain file that crashes explorer on a certain folder/file that you want to delete/move is ExploreXP www.explorerxp.com. handy stuff.. :)
 
howard_hopkinso said:
Hello and welcome to Techspot.

The first thing you should do is have HJT restore everything you have fixed. Run HJT and click on the config button. Click on the backups button and tick every box. Click on the restore button and close HJT.

Now, go HERE and follow the instructions exactly.

Post a fresh HJT log, after doing the above.

Regards Howard :wave: :wave:
Thanks for the Welcome man. Glad I found this site.
But straight to business because I only have a short amount of time before my computer kicks me off the internet. I have comcast, yet can't keep a connection unless my AOL instant messenger is running. And even then my browsers pick which sites I can and cannot see.

Anyways, I have not deleted/fixed anything with HJT yet. Also I have tried many times to do what your post suggested and run Trend Micro HouseCall. However, every single time I have scanned with it, mid-way through the scan my browser just exits. It never gets to finish. And that is with either IE or Firefox. I have no idea what to do now. Conventional virus and spyware scans have made no improvement to my situation.

Just some history of the programs I have used. Webroot Spybot, Lavasoft AdAware (free version), and AVG Free version. Recently downloaded HJT but have yet to try to fix anything.
 
kinjo1977 said:
I have not deleted/fixed anything with HJT yet. Also I have tried many times to do what your post suggested and run Trend Micro HouseCall. However, every single time I have scanned with it, mid-way through the scan my browser just exits. It never gets to finish. And that is with either IE or Firefox.

Skip the Trend Housecall scan and follow the rest of the instructions.

Regards Howard :)
 
Update

Ok so I followed the directions to the best of my ability.
PC seems fine but I am posting an HJTlog for you guys to look at and see if anything is suspicious.

Thanks for all you've done for me so far.

kinjo
 
Your version of HJT is out of date. You're using version v1.98.2, and version v1.99.1 is the latest.

You need to get the newest version, then follow the instructions again in this link HERE.

Then post a fresh HJT log after you're finished.

Regards Howard :)
 
howard_hopkinso said:
Your version of HJT is out of date. You're using version v1.98.2, and version v1.99.1 is the latest.

You need to get the newest version, then follow the instructions again in this link HERE.

Then post a fresh HJT log after you're finished.

Regards Howard :)

Done deal.
It pulled up a couple more than the last version, however I had some trouble.
I followed the directions given to the best of my ability, but I had four O23 (file missing) entries that just couldn't be fixed. I would fix them and they would come right back. I also had two O9 (no name) entries that I questioned whether I should fix or not, but it didn't say in the directions, so I hesitated to do it.

But anyways, Here's a new log for ya.
 
Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html


Go to Add/Remove Programmes in your Control Panel. Uninstall anything to do with the following (if there).

DIRECWAY
support.com
AdwareAlert
ISTsvc

Close Control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it.

Locate the following services (if there) and double click on them. If they are running, select stop. Set the startup type to disabled.

DIRECWAY Webcast (DPC_SRV_WEBCAST)

Lookout Citadel Server (LkCitadelServer)

Lookout Classified Ads (LkClassAds)

Lookout Time Synchronization (LkTimeSync)

Click apply/ok.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end the process for the following (if there).

server.vbs
cmsspu.exe
tractrs.exe
AdwareAlert.Exe
teltes40.exe
pDPCDIAPI (7).exe
dpcproxy.exe
lkcitdl.exe
lkads.exe
lktsrv.exe

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.techspot.com/vb/topic47462.html

O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs

O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]*ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cmsspu.exe

O4 - HKLM\..\Run: [¢‰¸u0–4C

}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cmsspu.exe

O4 - HKLM\..\Run: [p34P3qW] tractrs.exe

O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot

O4 - HKCU\..\Run: [Y0vFRka6S] teltes40.exe

O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\pDPCDIAPI (7).exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{B6ECBF43-57B7-4615-B4CB-80AE2DE8461A}: NameServer = 198.77.116.8 Only fix this if it doesn't belong to your ISP.

O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Unknown owner - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe (file missing)

O23 - Service: Lookout Citadel Server (LkCitadelServer) - Unknown owner - C:\WINDOWS\System32\lkcitdl.exe (file missing)

O23 - Service: Lookout Classified Ads (LkClassAds) - Unknown owner - C:\WINDOWS\System32\lkads.exe (file missing)

O23 - Service: Lookout Time Synchronization (LkTimeSync) - Unknown owner - C:\WINDOWS\System32\lktsrv.exe (file missing)

Click on the fix checked button.

Locate and delete the following bold files (if there).

C:\WINDOWS\System32\lktsrv.exe
C:\WINDOWS\System32\lkads.exe
C:\WINDOWS\System32\lkcitdl.exe
C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
C:\Program Files\DIRECWAY\BIN\pDPCDIAPI (7).exe
teltes40.exe
C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
tractrs.exe
C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cmsspu.exe
c:\program files\support.com\client\lserver\server.vbs

Reboot into normal mode and turn system restore back on.

Regards Howard :)
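As an added example (not code from the thread or from HijackThis itself), here is a small Python triage pass over the kinds of log entries Howard lists above: it parses O4, O17 and O23 lines and flags the structural oddities that made these entries stand out, namely a service whose binary is gone, a Run value with no path or a garbled name, a logon entry that runs a script, and a DNS override to confirm against the ISP. The sample lines are constructed from the entries quoted in the thread plus one benign control entry (ctfmon.exe); the regexes are this example's own, not HJT's.

```python
import re

# Constructed sample lines modelled on the HJT entries quoted in the thread (not a captured log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]*ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cmsspu.exe
O4 - HKLM\..\Run: [p34P3qW] tractrs.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\pDPCDIAPI (7).exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6ECBF43-57B7-4615-B4CB-80AE2DE8461A}: NameServer = 198.77.116.8
O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Unknown owner - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe (file missing)
"""

# Line shapes for the sections this thread deals with (Run keys / startup folder, DNS, services).
PATTERNS = {
    "O4": re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<name>.*?)\] |(?P<link>.+?) = )(?P<command>.*)$"),
    "O17": re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<ip>[\d.,]+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<service>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"),
}

def parse_hjt(text):
    """Dicts (regex group names as keys) for recognised HJT lines; other sections are skipped."""
    entries = []
    for line in text.strip().splitlines():
        section = line.split(" - ", 1)[0]
        m = section in PATTERNS and PATTERNS[section].match(line)
        if m:
            entries.append({"section": section, "line": line, **m.groupdict()})
    return entries

def triage(entry):
    """Reasons an entry deserves a closer look; an empty list means nothing structurally odd."""
    reasons, s = [], entry["section"]
    if s == "O23" and entry["missing"]:
        reasons.append("orphaned service: still registered but its binary is gone")
    elif s == "O4":
        cmd, name = entry["command"].lower(), entry["name"] or entry["link"] or ""
        if "\\" not in cmd:
            reasons.append("no directory in the startup command: loaded via search path")
        if ".vbs" in cmd:
            reasons.append("logon entry runs a script rather than an executable")
        if not name.isascii():
            reasons.append("non-ASCII value name in the Run key")
    elif s == "O17":
        reasons.append(f"NameServer overridden to {entry['ip']}: confirm it is your ISP's")
    return reasons

if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        print(e["section"], triage(e) or "nothing odd", "<-", e["line"][:60])
```

Structural checks are only a first pass: AdwareAlert passes every one of them here and is still unwanted, which is why the thread relies on recognising known names as well.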
 
Thanks So Much!!

Just wanted say Thanks Howard!
You have successfully aided me in ridding myself from the tons of crap on my comp. In short, YOU DA MAN!

Would you still like to see another HJT log to make sure?
 
Something still lingers

Ok Howard,
I booted into Safe Mode, Turned off System restore (again), then ran HJT (again), to just get another log.
Well, I glanced through it, and it would seem those O23 (file missing) entries are still showing up even after doing all that you told me. Think I missed something?

Here's the Log.
 
I'm sorry, I missed one.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html


Open your task manager and click on the processes tab. End the process for the following (if there).

dpcproxy.exe

Close task manager.

Click start/run and type services.msc into the run box and press the return key.

When the window opens, maximise it. Locate the following service.

DIRECWAY Webcast (DPC_SRV_WEBCAST)

Double click on it; if it's running, select stop. Set the startup type to disabled. Click apply/ok.

Run HJT and have it fix these entries.

O17 - HKLM\System\CCS\Services\Tcpip\..\{B6ECBF43-57B7-4615-B4CB-80AE2DE8461A}: NameServer = 198.77.116.8 Only fix this if it doesn't belong to your ISP.

O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Unknown owner - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete this bold directory.

C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe

Reboot into normal mode and turn system restore back on.

Regards Howard :)
 