Version: 2008
Advanced Search
advertisement
advertisement
Click Here

Forum display:

Spyware, viruses, & security : Trojan!

by jmgb - 2/25/06 3:58 PM
advertisement
Post 1 of 7

Trojan!

by jmgb - 2/25/06 3:58 PM

I have a trojan in my computer that's preventing firewalls from running. My antivirus (AVG) constantly sends advice of "Trojan Horse Generic.QGQ" on system32\pptp16.dll, but neither healing or deleting the file is available, cause access is denied. I understand trojans should normally be removed easily using antispyware programs, but I have already tried with Spybot, Windows Defender, Ad-aware and a sort of others and nothing seems to work. Also, I'm not sure if it has to do with this trojan, but my Itunes stopped working and a sort of other programs.

Here´s my hijackthis report. PLEASE HELP!

Logfile of HijackThis v1.99.1
Scan saved at 5:46:25 PM, on 2/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Offline Course Player\OlpSynch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Iconoid\iconoid.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\MiniMind\MiniMind.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jose Manuel\My Documents\Downloads\Setups\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ccm.itesm.mx:8080
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\dapbho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browster BrwIEConnector - {908A31E8-2A6E-4736-8E8A-AAF00C4AE38F} - C:\Program Files\Browster\Browster.dll
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [OLPSYNCH] C:\Program Files\Offline Course Player\OlpSynch.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Iconoid] "C:\Program Files\Iconoid\iconoid.exe" -wait 0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MiniMinder.lnk = C:\Program Files\MiniMind\MiniMind.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Browster Prefetch On/Off - res://C:\Program Files\Browster\Browster.dll/CustomPrefetchMenu.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - https://www.windowsonecare.com/install/cli/0.8.0794.44/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136740297859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136740289500
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (AutoFix Launcher Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: pptp16 - C:\WINDOWS\SYSTEM32\pptp16.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

THANK YOU!!

Reply
Permalink
Report offensive post
Post 2 of 7

Trojan

by tomron - 2/25/06 4:03 PM In reply to: Trojan! by jmgb

FYI - PLEASE do NOT post any HJT logs in this forum !

http://reviews.cnet.com/5208-6132-0.html?forumID=32&threadID=107213&messageID=1223125

Install Ewido,update,and run
http://www.ewido.net/en/

Tom

Reply
Permalink
Report offensive post
Post 3 of 7

java.exe........

by Marianna Schmudlach Moderator - 3/5/06 4:39 PM In reply to: Trojan by tomron

in the line.......C:\Program Files\Alias\Maya7.0\docs =

Added by a variant of the W32/SDBOT WORM!

http://castlecops.com/startuplist-8322.html

.......

ibm00001.exe"... in the line O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders = trojan

........

pptp16.dll in the line O20 - Winlogon Notify: pptp16 - C:\WINDOWS\SYSTEM32 =

Haxdoor variant

Reply
Permalink
Report offensive post
Post 4 of 7

Same problem!!!!!!!!

by master111 - 3/5/06 2:47 PM In reply to: Trojan! by jmgb

I have an exact same problem just like yours. I read through the advices of installing and running the ewidobut still doesn't seem to get the trojan work. What can i do next? Did yours work?


"My antivirus (AVG) constantly sends advice of "Trojan Horse Generic.QGQ" on system32\pptp16.dll, but neither healing or deleting the file is available, cause access is denied."


Tbone

Reply
Permalink
Report offensive post
Post 5 of 7

Try scanning with

by roddy32 Moderator - 3/5/06 3:25 PM In reply to: Same problem!!!!!!!! by master111

both ewido and AVG in safe mode. Directions are here.
http://www.pchell.com/support/safemode.shtml

If that does not work, trying deleting the file manually while in safe mode.

Reply
Permalink
Report offensive post
Post 6 of 7

Haxdoor

by Bugbatter - 3/5/06 3:47 PM In reply to: Same problem!!!!!!!! by master111

That file indicates a Haxdoor infection.

You could try the trial version of SpySweeper.
http://www.webroot.com/shoppingcart/tryme.php?bjpc=64011&vcode=DT14&WRSID=f7ac6027d5a39c97794291a8547bee72

If that does not work, post a HijackThis log on one of the forums that handles them. There is a specific fix, but it would be best to have someone take a look at your log first.

Reply
Permalink
Report offensive post
Post 7 of 7

How I solved it.

by jmgb - 3/5/06 6:01 PM In reply to: Same problem!!!!!!!! by master111

Hi. Sorry for taking so long to respond on this forum but I was busy fixing the damage on my computer.

First of all, thanks for your help. I used your reccomendations which worked for other problems but not for specifically those viruses.

Here's the way to resolve definitely this problem:

1.- Download what I uploaded at http://www.barra.cc/avenger.zip

2.- Unzip

3.- Open the Avenger program and ask it to run the script I put under script.txt

4.- After reboot, the virus will be gone!

If you need anything else, just ask.

And again, thanks 4 your help.

Reply
Permalink
Report offensive post
rss

More Discussions

Forum legend:
Locked Locked thread
Moderator Moderator
CNET staff CNET staff
Samsung staff Samsung staff
Norton Authorized Support team Norton Authorized Support team
AVG staff AVG staff
Windows Outreach team Windows Outreach team
Dell staff Dell staff
Intel staff Intel staff
Powered by Jive Software
Forums
Site map
FAQs
Usage policies
Real time activity
Meet the moderators
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET