[stang]

Please help!!! I have avg free on my dell inspiron 8000 laptop and it keeps finding this (Trojan horse downloader generic kpw) in my directx file listed as svchost it will then delete the file but it keeps coming back every time I restart my cpu or surf the web. I tried to find this Trojan on the web but can't. I also tried just about every virus scan and spy ware scan out there but it keeps coming back even in safe mode. Has anybody heard of this Trojan? If so can you help me or send some instructions on how to remove it. Thank you P.S. I'm at work 2:25pm central time US and can't run hijackthis untill I get home

Logfile of HijackThis v1.99.1
Scan saved at 12:49:05 PM, on 12/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\AdSubtract\adsub.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jay\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stang.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stang.us/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - Global Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1131075660631
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe

[Advertisements]

Hi stang,

Can you give us the full path and name of the file that AVG detects?

If I remember correctly " generic" detection means the file looks like it might be a virus because of some code found inside.

This usually means it is a completely new and unknown virus or a false alarm.

We will need a sample to know which one it is.

If you find the file uploading it here: http://virusscan.jotti.org/
might be a good start to identify it.

Let us know the results.

Regards,

[Metallica]

Hi stang,

Can you give us the full path and name of the file that AVG detects?

If I remember correctly " generic" detection means the file looks like it might be a virus because of some code found inside.

This usually means it is a completely new and unknown virus or a false alarm.

We will need a sample to know which one it is.

If you find the file uploading it here: http://virusscan.jotti.org/
might be a good start to identify it.

Let us know the results.

Regards,

[stang]

C:\WINDOWS\system32\Directx\svchost

jotti info. The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

The svchost file cannot be found on none of my other cpu's at home or work. It does cause my computer to slow down or lock up but when i delete it everything is OK. I'm also getting a message (delayed write failed) with some long path name.......thanks stang

[Metallica]

Can you try and upload the file at TheSpykiller forums?
Maybe that will work.
To do so follow the instructions here:
http://www.thespykil...x.php?topic=5.0

Regards,

[Metallica]

The file at the SpyKiller is 0 bytes again.

Can you check the properties of the actual file?

I'll PM you my email address so you can send it as an attachment if necessary.

Regards,

[stang]

I can view the properties and its setup like a program which it is, but there are allot of options. I was also able to save it to my zip drive in safe mode but can't do much with it there. I was also going to try a resources editor to view its contents and maybe edit it some way. I'll try to send it to the link you sent me from my zip drive..............Thank you for your persistence stang

[Metallica]

I replied to your mail because it had no attachment.

But you stated you were able to make a copy.
If that is true can you delete the original?
Should it turn out to be something you needed after all, we will have the copy as a backup.

Regards,

[stang]

Hello, Metalica
I have not heard from you in a while and was just checking back. I still have this problem and really want to rectify it, if you have any alternative resources please inform me.......... thank you, stang

[Metallica]

Have you tried my suggestion?

Can you delete the original file?

Regards,

[stang]

Yes, as I stated above AVG will delete it and I can also delete it but it keeps returning..............stang

[Metallica]

Good. Then after removing the file in explorer, go to the folder properties by rightclicking C:\WINDOWS\system32\Directx on the General tab check the "Read Only" and click OK.

Let me know if that is ebnough to stop it from coming back.

Regards,

[stang]

Hello, Metalica
I did what you had asked and after restarting AVG detected it again and I deleted it. I went back to check the properties and they were set back like they were before. Apparently the virus set the properties back. I also e-mailed you the file ziped in winrar, it said it was sent Ok...............stang

Edited by stang, 02 January 2006 - 01:55 PM.

[Metallica]

Haven't received anything yet. I'll check back later.

In the meantime, try this for me.
Click Start > Run > cmd > OK

The command prompt will open.
Then use these commands, each line followed by ENTER

cd\
copy /Y C:\Windows\system32\notepad.exe C:\WINDOWS\system32\Directx\svchost.exe


You should get a message that 1 file was copied succesfully.

Note: there should now be a C:\WINDOWS\system32\Directx\svchost.exe with the icon of Notepad in your C:\WINDOWS\system32\Directx folder.

Let me know if and when it is replaced by the (suspected) virus.

Regards,

[stang]

Hello, Metalica I just sent you the file it went through OK 2:20PM central time.

[stang]

OK I did what you asked and it did create a svchost note pad file with nothing in it. The date modified is 8/4/2004 1:56am also after I restarted my cpu two untitled note pad windows came up with nothing in them.............stang