Trojan horse BackDoor.Generic11.TDY

By captaincranky
Jun 4, 2009
  1. This evening AVG8.5 detected this object; Trojan horse BackDoor.Generic11.TDY in this file; D:\i386\APPS\App23942\win2000\igfxcfg.exe @ 4:28 PM

    Later AVG detected this object; Trojan horse BackDoor.Generic11.TDY here; C:\WINDOWS\system32\igfxcfg.exe @6:28 PM

    Both objects were sent to the Virus Vault. I suppose one question I have is, "is this just the installer package which didn't fully execute"?

    Additionally, the computer was scanned with the M$ Malicious Software Removal Tool (May). Nothing was found.

    SUPERantispyware; found 73 tracking cookies from the usual suspects, which were removed.

    And also "Ad Aware" free which found only tracking cookies, again from IE, and which also were removed.

    My computer is asymptomatic, no problems, and full speed ahead.

    Now, I know what you're thinking, this is an Emachines so how could one tell if it was OK in the first place, but it is.

    So, my only question is, is this likely the end of this infection issue, or are there more surprises in store?
  2. kritius

    kritius TS Guru Posts: 2,084

    Perhaps there are more, want to post a log to see?
  3. ajmlp

    ajmlp TS Rookie

    I just had this same trojan pop up on a computer too. The file referenced as infected was: C:\System Volume Information\_restore{5C95B1C6-28A7-479B-9941-74B87D0A1FB1}\RP995\A003271.exe. The problem I'm having is that AVG is not able to clean it up. It says it cannot clean it up because some files cannot be fixed. Any thoughts about getting this resolved?
  4. bcotti

    bcotti TS Rookie

    We had the same detection on a few machines yesterday. igfxcfg.exe appears to be an Intel utility and it wouldn't surprise me if it is a false detection from AVG. It wouldn't be the first time AVG has thrown up flags about a legit program being a trojan.

    I'm not worrying about it too much right now.
  5. bcotti

    bcotti TS Rookie

    Well, since it is a restore point you could disable system restore and reboot then reenable it and that will delete all restore points on your machine. There are obvious ramifications of that though.

    But your issue may be different than the OP's issue. Are you sure it said A003271.exe? Or was it A0003271.exe (extra "0")?
  6. ajmlp

    ajmlp TS Rookie

    Thanks for the reply bcotti. I just rebooted the machine and things seem to be working now. Didn't disable system restore or anything. Guessing it's time to drop AVG and get something else.
  7. bcotti

    bcotti TS Rookie

    I don't know that it is necessary to drop AVG. Avast is another free AV that works well. I was quite disappointed with AVG 8 as it seemed to cause a performance hit on machines but 8.5 does seem better.
  8. captaincranky

    captaincranky TechSpot Addict Topic Starter Posts: 11,456   +1,759

    OK, I'm sort of quoting everybody above....!

    As to whether this is an Intel utility, it doesn't seem likely. I've made no driver updates or installs. igfxtray.exe is an Intel graphics driver tray icon (I think). This turkey (Emachine T-5026) has Intel 915 integrated graphics.

    AVG (v 8.5) also found entries in the system registry correlating to the same infection. Total of 4 detections.

    The AVG scanner doesn't seem to be detecting them until the other scanners pass over the files. I could be wrong about this, but I don't think any of the detections were made "cold", so to speak.

    AVG was able to transfer all files to the Virus Vault! (4 in total 2 files, 2 registry)

    ajmlp; I really think you need to disable system restore temporarily to rid yourself fully of those registry entries.

    All of you keep in mind that my machine is showing no symptoms! So any popups or whatnot you have may be associated with other problems.

    Kritius: I'm working on the logs for you. Thanks very much for offering to check them out!
  9. raybay

    raybay TS Evangelist Posts: 7,241   +9

    CaptainCranky, you are not really calling your beloved eMachines T-5026 a Turkey, are you? You have probably hurt its feelings, and it is sadly trying to show its displeasure.
  10. captaincranky

    captaincranky TechSpot Addict Topic Starter Posts: 11,456   +1,759

    I call my long time friend, and venerable computing machine a "turkey", for in doing so I deprive others of the pleasure of so doing! :p

    I think she, (or he as the case may be), would understand that my motives are pure, and I am protecting her from further abuse at the hands of those who simply don't grasp the beauty of our relationship. :rolleyes:
  11. bcotti

    bcotti TS Rookie

    igfxcfg.exe is the legitimate name of an Intel utility. Google is your friend. So am I - it isn't a big deal. False alarm.

    I can't post links yet but search Google with the terms igfxcfg.exe & avg. Go to the sixth link down and then follow that thread to the bottom. Some solid info there - plus a few links (that I can't post here because I don't have 5 posts yet) to online AV engines to scan your PC if you are really worried.
  12. captaincranky

    captaincranky TechSpot Addict Topic Starter Posts: 11,456   +1,759

    OK, I think we have sort of a semantic miscommunication here.

    Yes, you are correct that "igfxcfg.exe" is a legitimate process. The tray process, igfxtray.exe, is the icon that summons this driver's console, more than likely.

    But, what happened is this; AVG found this object "Trojan horse BackDoor.Generic11.TDY" in the file, "igfxcfg.exe".

    "Trojan horse BackDoor.Generic11.TDY" is also appearing in a Windows system file, and 2 registry entries.
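    A defender's way to settle the "legitimate name vs. infected file" disagreement above is to examine the file rather than its name: check its Authenticode signature and record its hash for lookup. This is an added PowerShell example, not code from the thread; it assumes a modern PowerShell (Get-FileHash needs 4.0 or later) and uses the two paths the thread reports, which may already be empty because AVG moved the files to its Virus Vault.

```powershell
# Added example: triage files whose name matches a legitimate vendor utility.
# A genuine igfxcfg.exe should carry a valid vendor Authenticode signature;
# an unsigned, modified or unverifiable copy in System32 deserves suspicion.
# Both paths are the ones quoted in the thread; they are not known-bad IoCs.
$paths = @(
    'C:\WINDOWS\system32\igfxcfg.exe',
    'D:\i386\APPS\App23942\win2000\igfxcfg.exe'
)

function Get-FileTriage {
    param([string]$Path)

    # The file may already be quarantined, so report absence instead of failing.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # SignatureStatus values include Valid, NotSigned, HashMismatch, NotTrusted.
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    $verdict = switch ($sig.Status) {
        'Valid'        { 'signed: compare SHA256 against a known-good copy or vendor package' }
        'HashMismatch' { 'signature present but file content changed: treat as hostile' }
        default        { 'unsigned or unverifiable: treat as suspect, submit hash to AV vendor' }
    }

    [pscustomobject]@{
        Path      = $Path
        Present   = $true
        SizeBytes = $item.Length
        Modified  = $item.LastWriteTime
        SHA256    = $hash
        SigStatus = $sig.Status
        Signer    = $signer
        Verdict   = $verdict
    }
}

$paths | ForEach-Object { Get-FileTriage -Path $_ } | Format-List
```

A matching SHA256 between the System32 copy and the one in the original driver package (the D:\i386 install source) would support the false-positive theory; a differing hash or a HashMismatch status would support AVG.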
  13. raybay

    raybay TS Evangelist Posts: 7,241   +9

    You must be serving it oceans of lotion. You must have the record for long life, but we better not find out that it is really a Packard Bell in that case.
  14. captaincranky

    captaincranky TechSpot Addict Topic Starter Posts: 11,456   +1,759

    Don't make me upload pictures of the motherboard caps!
  15. captaincranky

    captaincranky TechSpot Addict Topic Starter Posts: 11,456   +1,759

    8 Step Logs........

    Here are the 3 logs after several scans to get rid of tracking cookies.

    I ran CCleaner.

    I disabled system restore on all drives.

    Please find also attached a jpeg screen cap of the original AVG alert, this is from the current status of the "virus vault".

    Are we good to go?
  16. captaincranky

    captaincranky TechSpot Addict Topic Starter Posts: 11,456   +1,759

    8 Step Logs........

    Will somebody please take a quick look at my logs? I don't think this is going to turn into a project. AVG isolated the trojan, mbam & SUPERantispyware show nothing, but I can't read the HJT, at least not all of it. Thanks

  17. kritius

    kritius TS Guru Posts: 2,084

    HJT is clean,

    One orphan to remove,

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    I'd like to see if there actually is anything there or if AVG was having one of its funny moments,

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply

    If you are having trouble with the scan, please see this animated guide.

    >>>Animated Guide<<<