got a trojan that wont go away its a Trojan horse PSW.Generic5.VXD, ive tried every virus scan and every spyware cleaner ive got etc and hasn't done anything. Heres my hijackthis log Logfile of HijackThis v1.99.1 Scan saved at 9:31:04 AM, on 11/12/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Unlocker\UnlockerAssistant.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\WINDOWS\system32\WF2K.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\regsv32.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\MSN Messenger\usnsvc.exe C:\Program Files\ClamWin\bin\ClamTray.exe C:\Program Files\ClamWin\bin\ClamWin.exe C:\Program Files\Alwil Software\Avast4\ashSimpl.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Program Files\ClamWin\bin\clamscan.exe C:\Program Files\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ptec/defaults/sb/*http://www.yahoo.com/search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ptec/defaults/sp/*http://www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigpond.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bigpond.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {80D80793-2AD9-46CE-8D80-A6423B2504C1} - C:\WINDOWS\system32\dpnadd.dll O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe C:\WINDOWS\system32\wf2kcpl.dll,DllLoadDefaultSettings O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\system32\WF2K.EXE Initial O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [regsv32.exe] C:\WINDOWS\system32\regsv32.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll O16 - DPF: {8E82893F-7ED1-4811-A247-580DCC0E2629} (SFLauncherTDE Class) - http://www.sf.in.th/activex/StarterSFTDE.cab O16 - DPF: {D0FD5E32-CABD-4A6E-BD0F-94ACE89CCE03} (HGPluginJP23 Class) - http://down.hangame.co.jp/jp/dist/hgstart/HGPluginJP23.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{237F1364-A734-4A99-B776-B50542F94DDE}: Domain = nsw.bigpond.net.au O17 - HKLM\System\CS1\Services\Tcpip\..\{237F1364-A734-4A99-B776-B50542F94DDE}: Domain = nsw.bigpond.net.au O17 - HKLM\System\CS2\Services\Tcpip\..\{237F1364-A734-4A99-B776-B50542F94DDE}: Domain = nsw.bigpond.net.au O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
Sorry all i can suggest is a reformat & reinstall. Pick 1 antivirus scanner not what appears to be 3..lol.. there is no need for more than 1 so delete the other two It's ok to have a realtime sypware scanner & a static type spyware scanner like lavasoft adaware 2007. For firewalls you need only 1 (it's ok to have a hardware version & a software version running at the same time,hardware firewalls are usually incorporated into external modem/routers) When updating windows use windows update in the programs list as well, as autoupdate won't install the extra's you need,you'll see what i mean when you click on the "custom" button after web page has loaded EDIT: If someone else can help with your prob so as to avoid a reformat go to the sun java site & check for an update to the java software as it should be v1.6.0.20 (version 6.0 update 2) your's appears to be 1.6.0.03,if you have older version of java still installed & showing in the add/remove it's ok to delete them & recover some space
hi, a generic trojan horse shouldnt be any problem for ad aware and avg antispyware-- what app is finding it? what does it do with it? agree-- you only need one resident antivirus you have several.(clamwin,avast,avg?) i would keep one and remove the others via add/remove programs panel. more software does not equal more protection especially with antivirus. echoreply
avg is finding it then it heals it and restarts computer then after it gets wiped it come up again and again
try running avg in SAFE MODE. to reach safe mode you would tap the f8 key during a computer restart. chose the first option from the list: safe mode. might want to copy/paste the rest of this into notepad and save it so you can find it and read it in safe mode. ---------------------------- once in safe mode run AVG. after the scan to save the report do this: Next select the "Reports" icon at the top. * Select the "Save report as" button in the lower left hand of the screen and save it to a text file somewhere on your computer. Empty your Temp folders. Go to Start > Run and type:cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove: Temporary Files Temporary Internet Files Recycle Bin ----------------- reboot normally. post the saved AVG report you saved in next reply echoreply
ok. now that you have a clean start here are two excellent articles on securing windows starting from the ground up, like it should be done: http://www.firewallleaktester.com/documents.htm regards
There's no need to reinstall windows, just turn off the system restore...if you will do that then AVG can heal the file. The system restore makes a backup of the file every time you try to heal it and when you reboot it retores the original infected file resulting in an endless loop of trying to fix the problem.
system restore dosnt restore any files at bootup. forget system restore until your computer is clean, then you delete all the older (possibly infected) restore points and make a new one on a clean system. echoreply
That sounds good but if you've ever tried to get rid of this trojan you will see that it will disappear after you turn the system restore off and then heal the file with AVG. Windows always checks the system files on bootup and it does attempt to restore the file automatically from the system volume information folder if it appears corrupt. But if the backup file on the system volume is infected also, it tries to fix the infected file with another infected copy and so it starts the infection loop all over which explains the poor guys problem trying to get rid of it. Sorry, but even AVG refers to the same problem at their site here, FAQ#654 http://free.grisoft.com/doc/faq/us/frt/0?num=619
