Cannot remove Trojan horse downloader generic kpw



#1
stang (Member, 43 posts)
Please help!!! I have AVG Free on my Dell Inspiron 8000 laptop and it keeps finding this (Trojan horse downloader generic kpw) in my DirectX file listed as svchost. It will then delete the file but it keeps coming back every time I restart my cpu or surf the web. I tried to find this Trojan on the web but can't. I also tried just about every virus scan and spyware scan out there but it keeps coming back even in safe mode. Has anybody heard of this Trojan? If so can you help me or send some instructions on how to remove it. Thank you. P.S. I'm at work 2:25pm central time US and can't run HijackThis until I get home.

Logfile of HijackThis v1.99.1
Scan saved at 12:49:05 PM, on 12/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\AdSubtract\adsub.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jay\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stang.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stang.us/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - Global Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1131075660631
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
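
One way to triage a HijackThis log like the one above for the indicator this thread turns on (a file named svchost.exe living under System32\Directx rather than under System32 itself), as an added example that is not part of the original post and not HijackThis's own code. The sample log is constructed from a few lines of the posted one; the core-process list and the C:\WINDOWS\system32 location are assumptions for a standard XP install, and the severity labels are this example's own.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code)."""
import ntpath
import re
from dataclasses import dataclass

# Windows core process names that legitimately run only from %SystemRoot%\System32.
# Both the set and the System32 location are assumptions for this example.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32_DIR = r"c:\windows\system32"

# A drive-letter path ending in .exe or .dll; spaces allowed ("Program Files").
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)\b", re.IGNORECASE)
# HijackThis section entries look like "O4 - ...", "O23 - Service: ...", "R0 - ...".
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")

# Constructed sample, modelled on a few lines of the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Directx\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def is_core_name_outside_system32(path: str) -> bool:
    """True when a file carrying a core-process name sits anywhere but System32.

    This is the indicator in the thread: a second svchost.exe under
    System32\Directx, a folder where Windows never places that binary.
    """
    directory, name = ntpath.split(path.strip())
    if name.lower() not in CORE_PROCESSES:
        return False
    return directory.lower().rstrip("\\") != SYSTEM32_DIR


def triage_hijackthis(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return the entries worth a second look."""
    findings: list[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line closes the "Running processes:" block
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if is_core_name_outside_system32(line):
                findings.append(Finding("high", "core process name running outside System32", line))
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        section, body = entry.groups()
        if "(file missing)" in body:
            findings.append(Finding("low", "entry points at a file that no longer exists (orphaned)", line))
            continue
        path_match = PATH_RE.search(body)
        if path_match and is_core_name_outside_system32(path_match.group(0)):
            findings.append(Finding("high", f"{section} entry launches a core-named binary outside System32", line))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(Finding("medium", "service binary carries no publisher string; verify its origin", line))
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}: {f.line}")
```

Run against the sample, the only high finding is the Directx\svchost.exe process; the AVG entries pass because a normal program path with a non-core name is not what the rule looks for. Extend CORE_PROCESSES or the directory set for other Windows versions before using this on real logs.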

#2
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Hi stang,

Can you give us the full path and name of the file that AVG detects?

If I remember correctly "generic" detection means the file looks like it might be a virus because of some code found inside.

This usually means it is a completely new and unknown virus or a false alarm.

We will need a sample to know which one it is.

If you find the file, uploading it here: http://virusscan.jotti.org/
might be a good start to identify it.

Let us know the results.

Regards,

#3
stang (Topic Starter, Member, 43 posts)
C:\WINDOWS\system32\Directx\svchost

jotti info. The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

The svchost file cannot be found on any of my other cpu's at home or work. It does cause my computer to slow down or lock up but when I delete it everything is OK. I'm also getting a message (delayed write failed) with some long path name.......thanks stang

#4
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Can you try and upload the file at TheSpykiller forums?
Maybe that will work.
To do so follow the instructions here:
http://www.thespykil...x.php?topic=5.0

Regards,

#5
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
The file at the SpyKiller is 0 bytes again. :tazz:

Can you check the properties of the actual file?

I'll PM you my email address so you can send it as an attachment if necessary.

Regards,

#6
stang (Topic Starter, Member, 43 posts)
I can view the properties and it's set up like a program, which it is, but there are a lot of options. I was also able to save it to my zip drive in safe mode but can't do much with it there. I was also going to try a resource editor to view its contents and maybe edit it some way. I'll try to send it to the link you sent me from my zip drive..............Thank you for your persistence stang

#7
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
I replied to your mail because it had no attachment. :tazz:

But you stated you were able to make a copy.
If that is true can you delete the original?
Should it turn out to be something you needed after all, we will have the copy as a backup.

Regards,

#8
stang (Topic Starter, Member, 43 posts)
Hello, Metallica
I have not heard from you in a while and was just checking back. I still have this problem and really want to rectify it; if you have any alternative resources please inform me.......... thank you, stang

#9
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Have you tried my suggestion?

Can you delete the original file?

Regards,

#10
stang (Topic Starter, Member, 43 posts)
Yes, as I stated above, AVG will delete it and I can also delete it, but it keeps returning..............stang

#11
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Good. Then after removing the file in Explorer, go to the folder properties by right-clicking C:\WINDOWS\system32\Directx; on the General tab check "Read Only" and click OK.

Let me know if that is enough to stop it from coming back.

Regards,

#12
stang (Topic Starter, Member, 43 posts)
Hello, Metallica
I did what you had asked and after restarting AVG detected it again and I deleted it. I went back to check the properties and they were set back like they were before. Apparently the virus set the properties back. I also e-mailed you the file zipped in WinRAR; it said it was sent OK...............stang

Edited by stang, 02 January 2006 - 01:55 PM.


#13
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Haven't received anything yet. I'll check back later.

In the meantime, try this for me.
Click Start > Run > cmd > OK

The command prompt will open.
Then use these commands, each line followed by ENTER

cd\
copy /Y C:\Windows\system32\notepad.exe C:\WINDOWS\system32\Directx\svchost.exe


You should get a message that 1 file was copied successfully.

Note: there should now be a C:\WINDOWS\system32\Directx\svchost.exe with the icon of Notepad in your C:\WINDOWS\system32\Directx folder.

Let me know if and when it is replaced by the (suspected) virus.

Regards,
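
The placeholder trick in the post above (put a known-good file at the path the dropper keeps writing to, then watch whether it gets replaced) generalizes to a small integrity check: record the placeholder's hash once, re-check it after each reboot or browsing session, and read the modification time to see when the rewrite happened. This is an added example, not the moderator's instructions or any tool's code; the temporary directory, the placeholder bytes and the simulated rewrite are constructed for the demonstration, and the thread's copy of notepad.exe is stood in for by an inert text file because only the hash matters.

```python
"""Placeholder-file integrity check (added example; not from the thread or any tool)."""
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Inert placeholder content. The thread uses a copy of notepad.exe; any known-good
# bytes work because the check compares hashes, not behaviour.
PLACEHOLDER_BYTES = b"placeholder planted by the administrator - not executable\n"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_placeholder(path: Path) -> str:
    """Create the placeholder, mark it read-only, and return its SHA-256 as the baseline."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(PLACEHOLDER_BYTES)
    os.chmod(path, stat.S_IREAD)  # read-only attribute on Windows, mode 0400 on POSIX
    return sha256_of(path)


def check_placeholder(path: Path, baseline_digest: str) -> dict:
    """Report whether the placeholder is intact, replaced, or gone.

    "replaced" means something re-created the file since the baseline was taken;
    the mtime narrows down which event (reboot, browsing session, scheduled task)
    triggered it, which is what the thread is trying to establish.
    """
    if not path.exists():
        return {"status": "missing"}
    st = path.stat()
    digest = sha256_of(path)
    status = "intact" if digest == baseline_digest else "replaced"
    return {"status": status, "size": st.st_size, "mtime": st.st_mtime, "sha256": digest}


def demo() -> list[str]:
    """Run the whole scenario in a temp dir; the dropper's rewrite is simulated (constructed)."""
    root = Path(tempfile.mkdtemp())
    try:
        target = root / "Directx" / "svchost.exe"  # same layout as the path in the thread
        baseline = plant_placeholder(target)
        statuses = [check_placeholder(target, baseline)["status"]]
        # Simulate what the thread observes: the dropper clears the read-only
        # attribute and writes its own file back over the placeholder.
        os.chmod(target, stat.S_IREAD | stat.S_IWRITE)
        target.write_bytes(b"CONSTRUCTED stand-in for the re-dropped file\n")
        statuses.append(check_placeholder(target, baseline)["status"])
        target.unlink()
        statuses.append(check_placeholder(target, baseline)["status"])
        return statuses
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On the real machine you would call plant_placeholder once on the actual path, keep the returned digest somewhere the dropper cannot touch (a USB stick, a note), and run check_placeholder after each restart; a "replaced" status with a fresh mtime tells you the persistence mechanism fired during that interval, and the replaced file itself is the sample to submit, which is what the moderator was asking for.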

#14
stang (Topic Starter, Member, 43 posts)
Hello, Metallica, I just sent you the file; it went through OK 2:20PM central time.

#15
stang (Topic Starter, Member, 43 posts)
OK I did what you asked and it did create a svchost Notepad file with nothing in it. The date modified is 8/4/2004 1:56am. Also after I restarted my cpu two untitled Notepad windows came up with nothing in them.............stang





