Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan Horse generic.GM [RESOLVED]


  • This topic is locked This topic is locked

#1
jamiestevens

jamiestevens

    New Member

  • Member
  • Pip
  • 6 posts
I am very new to this, so please exuse me for any mistakes I may make. I am running AVG Free Anti-Virus software and it has come across a Trojan Horse called "generic.GM". I have run CWShredder, Spy-Bot S&D and Ad-Aware. It is removed in safemode but returns when I reboot. Nothing seems to get rid of it. I have searched the net for an answer but nobody seems to know what to do. Please help. I am running Windows 2000 Professional. Here is my HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 6:17:54 PM, on 8/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP4 (5.51.3020.2100)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spool\drivers\w32x86\hpzstatn.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ZipToA.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\PSP Video9\pspvideo9.exe
C:\WINNT\system32\hpha1mon.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\HPHipm07.exe
C:\Documents and Settings\jamie\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [PSPVideo9] C:\Program Files\PSP Video9\pspvideo9.exe -t
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [HPHA1MON] C:\WINNT\system32\hpha1mon.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Printer Status Server (hpzstatn) - Hewlett-Packard Company - C:\WINNT\system32\spool\drivers\w32x86\hpzstatn.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Microsoft New Game 2 (svehost32) - Unknown owner - C:\WINNT\svehost32.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Thanx in advance for any help.

jamie
  • 0

Advertisements


#2
bricat

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
Welcome to the Geeks To Go forum.:tazz:

I don't see anything in your HJT log.

Please download the trial version of Ewido Security Suite from
here. Install it and
update the program with the latest definitions. Setup the program
following the instructions here and then close it without running a scan.

Reboot into Safe Mode

Then please run Ewido security suite, and perform a full system scan.
Remove anything found,

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

* Click Save report
* Save the report to your desktop.


then reboot normally, and post scan log from Ewido.
  • 0

#3
jamiestevens

jamiestevens

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thanks for responding Bricat. Unfortunately I am at work right now and I will not be able to work on my computer until I get home tonight (5:15 pm EST). I will do what you asked as soon as I get home.

again thanx,

jamie
  • 0

#4
jamiestevens

jamiestevens

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
It seems to be gone. Here is the log:




---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:14:10 PM, 8/18/2005
+ Report-Checksum: 7AF71B7D

+ Scan result:

HKLM\SOFTWARE\AKSoft -> Spyware.AkSoft : Cleaned with backup
HKLM\SOFTWARE\AKSoft\X-Tractor -> Spyware.AkSoft : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bargain Buddy -> Spyware.BargainBuddy : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@cz4.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@cz7.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@cz9.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
:mozilla.13:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.14:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.22:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.27:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.28:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.36:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.44:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.45:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.46:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.47:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.48:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.49:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.51:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.52:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.66:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.67:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.68:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.69:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.74:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.76:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.89:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.90:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.97:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.104:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.105:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.106:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.107:C:\Documents and Settings\lori\Application Data\Mozilla\Firefox\Profiles\re67tw7j.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\lori\Cookies\lori@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program Files\AdStatus Service\AdStatServ.exe -> Spyware.AdTools : Cleaned with backup
C:\Program Files\Win_whcr\webhancer_winrar.exe/WhAgent.exe -> Spyware.WebHancer : Cleaned with backup
C:\WINNT\autoload.exe -> Not-A-Virus.Tool.Autoloader : Cleaned with backup
C:\WINNT\svehost32.exe -> Backdoor.SdBot.acf : Cleaned with backup
C:\WINNT\system32\.exe -> Backdoor.IRCBot.es : Cleaned with backup
C:\WINNT\system32\mousebm.exe -> Backdoor.IRCBot.es : Cleaned with backup
C:\WINNT\system32\rdriv.sy$ -> Trojan.Rootkit.k : Cleaned with backup
C:\WINNT\system32\rdriv.sys -> Trojan.Rootkit.k : Cleaned with backup


::Report End




thanx
  • 0

#5
bricat

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
That should be clean now :tazz:


DISABLE SYSTEM RESTORE run your anti virus, when you get the all clear
restart your system restore.(same page).then create a new restore point :-

click START\ALL PROGRAMS\ACCESSORIES\SYSTEM TOOLS\SYSTEM RESTORE. click on "create new restore point"
click on NEXT and follow the prompts.


this is to ensure that if you have to do a system restore in the future that you don't get all the nasties reinstalled again.

Then

Go to TOOLS\INTERNET OPTIONS. and delete all TEMP INTERNET FILES

Download CCLEANER


then run the scan under the windows tab.



then DEFRAG your C:\ drive.

to help speed up your system.

then let us know how the computer is running.
  • 0

#6
jamiestevens

jamiestevens

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
That did it! Thanks again for all of the help. I will never forget you.

jamie :tazz:
  • 0

#7
bricat

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
you're welcome. :tazz:
  • 0

#8
bricat

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP