| Trojan Downloader and AVG trouble Wheeee Im back lol My Norton was out of date so I saw AVG on another post and decided to give it a shot. Welllll... found a couple things Norton didnt, but there are 4 Trojan Downloaders that are on my computer and AVG is no help in deleting them! I have Downloader.Stubby.C on my computer twice and Downloader.Agent.AS is on twice also. The status on these is "infected, embedded object" is there a way to go into it manually and get rid of these buggers or are they gonna sit in my computer till i get a up to date ($$) antivirus? Also, the item that is infected is a HUGE address and i couldnt find it on my computer... :?: could someone help me out? Many thanks :D |
| ||
| Re: Trojan Downloader and AVG trouble are you sure AVG did not put them in the Virus Vault ? might look and see? rescan ur pc with AVG might try adware personal http://www.lavasoft.de/ |
| ||
| Re: Trojan Downloader and AVG trouble errrrrrr nope... i checked... i have Downloader.Dyfica.3.E and Downloader.Small.12.BJ in there but the others arent... I also have AdAware SE Personal :cry: I dont think I can put them in the virus vault can I? I try looking up the details on the downloaders but there isnt any on avg. Havent gotten used to this new anti virus yet :) |
| ||
| Re: Trojan Downloader and AVG trouble There are a few options for you. Pull your HDD and put it in another computer and then scan it with at least two or more virus scanners. The other option is to boot from a live CD and then run two or more scanners. I suggest two or more scanners; for example, I had a 60Gb HDD I knew was infected with a multitude of viruses: Norton Antivirus found and removed 300+, AVG found and removed 20 and then PC Cillin found and removed an additional 8. If you are trying to extract the virus from the file it has become part of, the only way I can think of is to open the file and export the data, do a scan or three, and import. Useful links Bart PE Good Luck |
| ||
| Re: Trojan Downloader and AVG trouble dlh is gonna save me again!!! :) here ya go... thank you!!! Logfile of HijackThis v1.99.0 Scan saved at 1:11:05 AM, on 12/21/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe C:\Program Files\Logitech\Video\LogiTray.exe C:\Program Files\Common Files\soft602\pdfSaver.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\System32\LVComS.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Ana\Desktop\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/belleplaine O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: Yahoo! 
Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [602PC SUITE PDF Saver] "C:\Program Files\Common Files\soft602\pdfSaver.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll O9 - Extra 'Tools' menuitem: Yahoo! 
Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/pro...tor/WebSWK.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe |
| ||
| Re: Trojan Downloader and AVG trouble Remember to close all browser windows before scanning with HJT :) Have HJT fix this entry: O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab That's the only thing I see. When AVG and/or Norton find the problems you mentioned, does it tell you where they are located? It's possible they could have been included in a Restore Point, in which case they wouldn't show up in your HJT log, but you would still want to remove them so you don't 'Restore' them at some point. |
| ||
| Re: Trojan Downloader and AVG trouble :rolleyes: i always forget that... ummm yeah it tells me where it is (only have avg now) but it is a HUGE location file and I can never find it... if u want the location let me know... i am not sure how to even begin fixing this type of stuff... darn us rookies :cheesy: |
| ||
| Re: Trojan Downloader and AVG trouble oh also should i delete O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab ? it looks like pretty much the same thing as what you told me to delete |
| ||
| Re: Trojan Downloader and AVG trouble Quote:
The location would be helpful, but if it starts like this: C:\System Volume Information\_restore folder Then check this thread: http://www.daniweb.com/techtalkforums/thread13362.html If it doesn't, then try to give us the location. |
| ||
| Re: Trojan Downloader and AVG trouble okie here ya are... 2 Stubbys : 1.) C:\Documents and Settings\Ana\Application Data\Business Logic\UWC\Backup\J38305.2372531366.WCU:\C:\Documents and Settings\Ana\Local Settings\Temp\conscorr.cab:\conscorr.exe 2.) C:\Documents and Settings\Ana\Application Data\Business Logic\UWC\Backup\J38305.2372531366.WCU:\C:\Documents and Settings\Ana\Local Settings\Temp\conscorr.exe 2 Agents: 1.) C:\Documents and Settings\Ana\Application Data\Business Logic\UWC\Backup\J38305.2372531366.WCU:\C:\Documents and Settings\Ana\Local Settings\Temp\THI6CF9.tmp\localNrd.cab:\polall1l.exe 2.) C:\Documents and Settings\Ana\Application Data\Business Logic\UWC\Backup\J38305.2372531366.WCU:\C:\Documents and Settings\Ana\Local Settings\Temp\THI6CF9.tmp\polall1l.exe I tried to get into where it is located but I can only get to J38305.2372531366.WCU and then it is a unknown program file and I cant get in any farther.... there are a lot of these types of files in the backup folder though... i am not sure what they are. Hope this helps :) |
| ||
| Re: Trojan Downloader and AVG trouble This is just a guess, so you may want to wait for someone else to verify this before you delete anything. It looks like all your problems are within the same file (J38305.2372531366.WCU). The ".wcu" extension was just used as an extension name that isn't common to hide the file from most anti-virus programs. Normally AV programs aren't set to scan all files, only executable ones. If it were me, I think I would delete the entire Business Logic folder, unless you know what it's for. Other than that, I would at least delete the J38305.2372531366.WCU part. I'll see if I can get someone else to have a look at this for you. |
| ||
| Re: Trojan Downloader and AVG trouble More likely to be this one; C:\Documents and Settings\Ana\Local Settings\Temp<----clear the contents I don't know why the path is written out that way though (C:\Documents and Settings\Ana\Application Data\Business Logic\UWC\Backup\J38305.2372531366.WCU:\C:\Documents and Settings\Ana\Local Settings\Temp) |
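
Added example (not part of any post in this thread): a small Python parser for scanner report paths like the four posted above. It assumes that `:\` after a file name marks an object embedded inside that file, while `:\` after a lone drive letter is an ordinary drive root; the function names are hypothetical. Under that assumption, all four detections resolve to the single on-disk file J38305.2372531366.WCU, and the inner `C:\...\Temp\...` parts are names stored inside it rather than live files.

```python
import ntpath
from collections import defaultdict

SEP = ":\\"  # assumed delimiter between a container file and an embedded object


def split_embedded_path(report_path):
    """Split a scanner path into [file on disk, embedded member, nested member, ...]."""
    parts, start, pos = [], 0, 0
    while True:
        i = report_path.find(SEP, pos)
        if i == -1:
            break
        # "X:\" is a drive root when X is one letter at the start of the string
        # or directly after a backslash (i.e. right after a container delimiter).
        # Limitation: a one-letter file name before ":\" would be misread as a drive.
        is_drive = (
            i >= 1
            and report_path[i - 1].isalpha()
            and (i == 1 or report_path[i - 2] == "\\")
        )
        if not is_drive:
            parts.append(report_path[start:i])
            start = i + len(SEP)
        pos = i + len(SEP)
    parts.append(report_path[start:])
    return parts


def group_by_container(detections):
    """Map each on-disk container to the embedded objects reported inside it."""
    grouped = defaultdict(list)
    for name, report_path in detections:
        chain = split_embedded_path(report_path)
        grouped[chain[0]].append({
            "detection": name,
            "member": ntpath.basename(chain[-1]),
            "depth": len(chain) - 1,  # 0 means a plain file, not an embedded object
        })
    return dict(grouped)


# Paths and detection names copied from the posts in this thread.
BACKUP = (r"C:\Documents and Settings\Ana\Application Data"
          r"\Business Logic\UWC\Backup\J38305.2372531366.WCU")
TEMP = r"C:\Documents and Settings\Ana\Local Settings\Temp"
DETECTIONS = [
    ("Downloader.Stubby.C", BACKUP + SEP + TEMP + r"\conscorr.cab" + SEP + "conscorr.exe"),
    ("Downloader.Stubby.C", BACKUP + SEP + TEMP + r"\conscorr.exe"),
    ("Downloader.Agent.AS",
     BACKUP + SEP + TEMP + r"\THI6CF9.tmp\localNrd.cab" + SEP + "polall1l.exe"),
    ("Downloader.Agent.AS", BACKUP + SEP + TEMP + r"\THI6CF9.tmp\polall1l.exe"),
]

if __name__ == "__main__":
    for container, hits in group_by_container(DETECTIONS).items():
        print("On-disk file to quarantine or remove:")
        print("  " + container)
        for hit in hits:
            print("    {detection}: {member} (nesting depth {depth})".format(**hit))
```
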
| ||
| Re: Trojan Downloader and AVG trouble Well, I deleted everything from that Temp folder and did another scan but they are still there... what do you think Crunchie? should I delete the junk out of that Business Logic folder too or not? like I said all the farther I can go is to that J38305.2372531366.WCU file ... and it is an unknown file. I agree with u dlh, thats the bugger that has all 4 downloaders in it and AVG calls them Infected, Embedded Objects. Also, after I deleted that Temp folder I restarted my computer and an error message came up ... it was only up for a couple seconds and all i could catch was a file name with .tmp at the end.... :?: let me know what u guys think :) |
| ||
| Re: Trojan Downloader and AVG trouble Quote:
1. Turn off System Restore. As previously posted, instructions are here: http://www.daniweb.com/techtalkforums/thread13362.html 2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) - Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files". - For every user account listed under C:\Documents and Settings, delete the entire contents of these folders: 1. Local Settings\Temp 2. Cookies 3. History 4. Local Settings\Temporary Internet Files\Content.IE5 Your system might have a mirror of the above folders in the following location; if so, delete the contents of those folders as well: C:\WINDOWS\system32\config\systemprofile\ - Delete the entire content of your C:\Windows\Temp folder. Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK. - Empty your Recycle Bin. - Reboot normally. 3. Try the free online virus scan from Panda; I read at least one report from a user who said Panda was able to clean the exact infection you have: http://www.pandasoftware.com/actives..._principal.htm |
| ||
| Re: Trojan Downloader and AVG trouble Hi all, i have the same problem. I also keep getting http://*.offeroptimizer.com windows continually popping up. HJT log file follows: Logfile of HijackThis v1.99.0 Scan saved at 5:37:25 PM, on 12/22/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\windows\system\hpsysdrv.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Palm\HOTSYNC.EXE C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Administrator\Desktop\hijackthis199.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank R1 - 
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R3 - Default URLSearchHook is missing O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file) O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [J0r3RXGEW] esslib.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: 
Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: http://www.msn.com O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.isqft.com/Applets/ScriptX/ScriptX.cab O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edge...oadManager.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control Object) - http://www.snowbird.com/plugins/Svideo.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {7B461720-5910-45A3-B617-3B53A972F209} (Pixami-PhotoWorks Upload UI 
Control) - http://services.photoworks.com/Pixam...FWUploader.cab O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab O16 - DPF: {91876926-89DC-11D7-B590-00500467786D} (DnldCtrl Control) - http://dfwstore.cnsx.com/download/DnldCtrl.cab O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microso.../TLIEFlash.CAB O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib2.dancik.com/ib/download/actimage20816.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...09/mcfscan.cab O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe |
| ||
| Re: Trojan Downloader and AVG trouble Hi xtfree, First of all- welcome to TechTalk! We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need. Please start your own thread in this forum and post your HijackThis log there. For a full description of our posting guidelines and general rules of conduct, please see this page: http://www.daniweb.com/techtalkforum..._faq#faq_rules Thanks for understanding. |
| ||
| Re: Trojan Downloader and AVG trouble Ravengal, do you know what 'Business Logic' is? Is it something you installed? |
| ||
| Re: Trojan Downloader and AVG trouble ahhhhhhh nope dlh, never installed it... a folder in Application Data is all i know... i did what DMR suggested and i ran the virus scan ... NOW i have Downloader.GK on my computer and it only disinfected one of the Agents... so I am back where i started with 4 :mad: arg... any suggestions anyone? |
| ||
| Re: Trojan Downloader and AVG trouble oh no wait... the one that couldnt be disinfected is one of the agents... but when I do an AVG scan i have 3 downloaders... ??? wth ... |
| ||
| Re: Trojan Downloader and AVG trouble Well, if you didn't install it, and you don't use it, I would think you should just get rid of it. See if it's in the Add/Remove Programs first; if not, then just delete the folder. You might need to boot into Safe Mode to do that. (Again, you may want to wait for confirmation on this) |
| ||
| Re: Trojan Downloader and AVG trouble hehe yea... i think i will wait for confirmation on that ... I forgot to add btw... when I was deleting stuff in safe mode, there were 4 folders in my Temp. Internet Files\Content.IE5 that wouldnt delete... they looked like junk from an ebay site, but i wasnt going to sit there and delete EVERYTHING else from the folders lol... what do ya think I should do with these? |
| ||
| Re: Trojan Downloader and AVG trouble I'm almost positive that the entire "Business Logic" folder should get the axe. The only places I've seen references to such a folder have been in threads on other support forums where people are dealing with an infection almost identical to yours. "Business logic" is a programming term; I've found nothing to indicate that is the name/brand of a piece of legit software that any normal user would have on their system, and I've never seen such a folder on any system I've ever worked on. As far as the undeletable folders in the Content.IE5 folder, I'm afraid that the way to go is to start deleting the individual files until you can pinpoint the exact files which are refusing to be deleted. That way we'll at least be able to know the names of the offending files, and that might give us a clue as to how to delete them. By selecting blocks/groups of files for deletion, you should be able to narrow it down fairly quickly. |
| ||
| Re: Trojan Downloader and AVG trouble DMR... NOOOOOOOOO lol alright Ill let ya know what happens |
| ||
| Re: Trojan Downloader and AVG trouble :eek: that was a lot of files :eek: I also deleted the UWC folder (the only folder in Business Logic) and ran an AVG and Panda scan :D no more Downloaders. Thanks a lot you guys for saving my butt... again hehe... should I worry about those files that wouldnt delete? Here they are if I should do somethin with em: 1. 1980-strawberry_W0QQsokeyworddirectZ1QQfromZR8[1] 2. 1980-strawberry_W0QQfromZR8QQsosortorderZ1QQsosort propertyZ3[1] 3. Thumbs.DBF (I'm guessing this is an important one though) 4.strawberry_Home-Garden_W0QQcatrefZC12QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR10QQsacategoryZ11700QQsorecordstoskipZ100QQsosortorderZ1QQsosor[1] 5.strawberry_Home-Garden_W0QQcatrefZC12QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR10QQsacategoryZ11700QQsomorecategoriesZ1QQsosortorderZ1QQsosort[2]. <Noticing a pattern?> 6.strawberry_Home-Garden_W0QQcatrefZC12QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR10QQsacategoryZ11700QQsomorecategoriesZ1QQsosortorderZ1QQsosort[1]. |
| ||
| Re: Trojan Downloader and AVG trouble Thumbs.dbf files are legit (and automatically generated) Windows files; don't worry about any of those that you run across. As for the other files I'm not sure; let me get back to you on those. |
| ||
| Re: Trojan Downloader and AVG trouble I couldn't find anything on the Strawberry stuff -- almost looks like some kind of catalog entries. I don't understand why they won't delete in Safe Mode :confused: |
| ||
| Re: Trojan Downloader and AVG trouble thats what i thought too dlh ... but it wont delete in safe or normal mode |
| ||
| Re: Trojan Downloader and AVG trouble What is the exact error you get when you try to delete one of those "strawberry" files? Sometimes these nasty little puppies set their permissions such that even the Administrator account is denied access to them; if that's the case you might have to twiddle with the permission settings under the Security tab of each file's Properties window. Another possibility is the files are still somehow in use even in Safe Mode. |
| ||
| Re: Trojan Downloader and AVG trouble DMR, is "twiddle" a professional term? :p just kiddin. the error i get is "cannot delete file: cannot read from source file or disk." let me know what you think i should do. Thank you for helping me :D |
| ||
| Re: Trojan Downloader and AVG trouble Of course twiddle is a professtional term; it's what you use to fix the thingy. I've never had a need to use this program (MoveOnBoot), but I've seen crunchie recommend it and it usually seems to work: http://www.softwarepatch.com/software/moveonboot.html **Merry Christmas!** |
| ||
| Re: Trojan Downloader and AVG trouble :eek: the files arent there in normal mode now. can i use this "thingy" in safe mode? cuz if not... im gonna throw the computer in the snow lol Merry Christmas you guys :) |
| ||
| Re: Trojan Downloader and AVG trouble Like I said, I've never used it, but I'm sure it will work in Safe Mode. Before you download it though, go into Safe Mode and see if they're still there -- I have a feeling they won't be. How did I get a 't' in professional? :confused: |
| ||
| Re: Trojan Downloader and AVG trouble Well, you computer geniuses can twiddle your computers and frob your knobs all you want... I DONT WANNA KNOW ABOUT IT lol ok my strawberry files are BACK in normal mode and that program wont let me delete them... it only goes to my temporary internet file folder and wont get into the content.ie5... i tried adding it to the address but when i try to delete... the content.ie5 is not part of the folder... which in summ. its gonna make me delete my temp. internet folder :eek: idk if thats wise or not hehe. also, can i delete the crap in that temp. internet folder too? theres a lot... |
| ||
| Re: Trojan Downloader and AVG trouble does antivirus software ever accidentally lock your own access to certain files? |
| ||
| Re: Trojan Downloader and AVG trouble Well, hehe that would make sense... idk they dont seem to be doing harm since nasties arent comin up on my computer... i just dont like stubborn programs as much as you do... and DMR dont try to dazzle me with ur computer jargon... i am still trying to recover from that frob sentence i witnessed lol :p |
| ||
| Re: Trojan Downloader and AVG trouble Quote:
I agree about the "stubborn programs" bit; if it were my machine, I'd be digging around in it until I found out exactly what those files are, malicious or not. Unfortunately, since I'm not sitting in front of your computer I can't offer you any more help along those lines. Oh, and as for this: Quote:
|