Trojan Downloader and AVG trouble

are you sure AVG did not put them in the Virus Vault ? might look and see? rescan ur pc
with AVG
might try adware personal http://www.lavasoft.de/

errrrrrr nope... i checked... i have Downloader.Dyfica.3.E and Downloader.Small.12.BJ in there but the others arent... I also have AdAware SE Personal :cry: I dont think I can put them in the virus vault can I? I try looking up the details on the downloaders but there isnt any on avg. Havent gotten used to this new anti virus yet :)

They’re a few options for you. Pull your HDD and put it in anther computer and then scan it with at least two or more virus scanners. The other option is to boot from a live CD and then run two or more scanners. I suggest two or more scanners, well for example had a 60Gb HDD I knew was infected with a multitude of virus, Norton Antivirus found and removed 300+, AVG found and removed 20 and then PC Cillin found and removed an additional 8. If you are trying to extract the virus from the file it has become part of open the only way I can think of is to open the file and export the data, do a scan or three, and import.

Useful links
Bart PE

Good Luck

Wheeee Im back lol My Norton was out of date so I saw AVG on another post and decided to give it a shot. Welllll... found a couple things Norton didnt, but there are 4 Trojan Downloaders that are on my computer and AVG is no help in deleting them! I have Downloader.Stubby.C on my computer twice and Downloader.Agent.AS is on twice also. The status on these is "infected, embedded object" is there a way to go into it manually and get rid of these buggers or are they gonna sit in my computer till i get a up to date ($$) antivirus? Also, the item that is infected is a HUGE address and i couldnt find it on my computer... :?: could someone help me out? Many thanks :D

Can you get the latest version of hijackthis (1.99) and post another log so we can see where these pests are residing?

dlh is gonna save me again!!! :) here ya go... thank you!!!

Logfile of HijackThis v1.99.0
Scan saved at 1:11:05 AM, on 12/21/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\soft602\pdfSaver.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ana\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/belleplaine
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [602PC SUITE PDF Saver] "C:\Program Files\Common Files\soft602\pdfSaver.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4us.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Remember to close all browser windows before scanning with HJT :)

Have HJT fix this entry:
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab

That's the only thing I see. When AVG and/or Norton find the problems you mentioned, does it tell you where they are located? It's possible they could have been included in a Restore Point, in which case they wouldn't show up in your HJT log, but you would still want to remove them so you don't 'Restore' them at some point.

:rolleyes: i always forget that... ummm yeah it tells me where it is (only have avg now) but it is a HUGE location file and I can never find it... if u want the location let me know... i am not sure how to even begin fixing this type of stuff... darn us rookies :cheesy:

oh also should i delete O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab ?
it looks like pretty much the same thing as what you told me to delete

:rolleyes: i always forget that... ummm yeah it tells me where it is (only have avg now) but it is a HUGE location file and I can never find it... if u want the location let me know... i am not sure how to even begin fixing this type of stuff... darn us rookies :cheesy:

We're all rookies of some sort :)

The location would be helpful, but if it starts like this:
C:\System Volume Information\_restore folder
Then check this thread:
http://www.daniweb.com/techtalkforums/thread13362.html

If it doesn't, then try to give us the location.

oh also should i delete O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab ?
it looks like pretty much the same thing as what you told me to delete

Good catch! :) My bad :( You are correct, go ahead and have HJT fix that as well.

okie here ya are...
2 Stubbys :
1.) C:\Documents and Settings\Ana\Application Data\Business Logic\UWC\Backup\J38305.2372531366.WCU:\C:\Documents and Settings\Ana\Local Settings\Temp\conscorr.cab:\conscorr.exe
2.) C:\Documents and Settings\Ana\Application Data\Business Logic\UWC\Backup\J38305.2372531366.WCU:\C:\Documents and Settings\Ana\Local Settings\Temp\conscorr.exe

2 Agents:
1.) C:\Documents and Settings\Ana\Application Data\Business Logic\UWC\Backup\J38305.2372531366.WCU:\C:\Documents and Settings\Ana\Local Settings\Temp\THI6CF9.tmp\localNrd.cab:\polall1l.exe
2.) C:\Documents and Settings\Ana\Application Data\Business Logic\UWC\Backup\J38305.2372531366.WCU:\C:\Documents and Settings\Ana\Local Settings\Temp\THI6CF9.tmp\polall1l.exe

I tried to get into where it is located but I can only get to J38305.2372531366.WCU and then it is a unknown program file and I cant get in any farther.... there are a lot of these types of files in the backup folder though... i am not sure what they are.
Hope this helps :)

This is just a guess, so you may want to wait for someone else to verify this before you delete anything.

It looks like all your problems are within the same file (J38305.2372531366.WCU). The ".wcu" extention was just used as an extention name that isn't common to hide the file from most anti-virus programs. Normally AV programs aren't set to scan all files, only executable ones.

If it were me, I think I would delete the entire Business Logic folder, unless you know what it's for. Other than that, I would at least delete the J38305.2372531366.WCU part.

I'll see if I can get someone else to have a look at this for you.

More likely to be this one;
C:\Documents and Settings\Ana\Local Settings\Temp<----clear the contents

I don't know why the path is written out that way though (C:\Documents and Settings\Ana\Application Data\Business Logic\UWC\Backup\J38305.2372531366.WCU:\C:\Documents and Settings\Ana\Local Settings\Temp)

Well, I deleted everything from that Temp folder and did another scan but they are still there... what do you think Crunchie? should I delete the junk out of that Business Logic folder too or not? like I said all the farther I can go is to that J38305.2372531366.WCU file ... and it is an unknown file. I agree with u dlh, thats the bugger that has all 4 downloaders in it and AVG calls them Infected, Embedded Objects. Also, after I deleted that Temp folder I restarted my computer and an error message came up ... it was only up for a couple seconds and all i could catch was a file name with .tmp at the end.... :?: let me know what u guys think :)

Well, I deleted everything from that Temp folder...

There may be duplicate copies elsewhere. Also, did you do the deletion while booted into safe mode? If not:

1. Turn off System Restore. As previously posted, instructions are here:
http://www.daniweb.com/techtalkforums/thread13362.html

2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

Your system might have a mirror of the above folders in the following location; if so, delete the contents of those folders as well:

C:\WINDOWS\system32\config\systemprofile\

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.

3. Try the free online virus scan from Panda; I read at least one report from a user who said Panda was able to clean the exact infection you have:

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Hi all, i have the same problem. I also keep getting http://*.offeroptimizer.com windows continually popping up. HJT log file follows:

Logfile of HijackThis v1.99.0
Scan saved at 5:37:25 PM, on 12/22/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis199.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [J0r3RXGEW] esslib.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.msn.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.isqft.com/Applets/ScriptX/ScriptX.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control Object) - http://www.snowbird.com/plugins/Svideo.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B461720-5910-45A3-B617-3B53A972F209} (Pixami-PhotoWorks Upload UI Control) - http://services.photoworks.com/Pixami/PixamiSFWUploader.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {91876926-89DC-11D7-B590-00500467786D} (DnldCtrl Control) - http://dfwstore.cnsx.com/download/DnldCtrl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib2.dancik.com/ib/download/actimage20816.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4309/mcfscan.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Hi xtfree,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread In this forum and post your HijackThis log there.

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules

Thanks for understanding.

Ravengal, do you know what 'Business Logic' is? Is it something you installed?

ahhhhhhh nope dlh, never installed it... a folder in Application Data is all i know... i did what DMR suggested and i ran the virus scan ... NOW i have Downloader.GK on my computer and it only disinfected one of the Agents... so I am back where i started with 4 :mad: arg... any suggestions anyone?

oh no wait... the one that couldnt be disinfected is one of the agents... but when I do an AVG scan i have 3 downloaders... ??? wth ...

Well, if you didn't install it, and you don't use it, I would think you should just get rid of it. See if it's in the Add/Remove Programs first; if not, then just delete the folder. You might need to boot into Safe Mode to do that. (Again, you may want to wait for confirmation on this)

hehe yea... i think i will wait for confirmation on that ... I forgot to add btw... when I was deleting stuff in safe mode, there were 4 folders in my Temp. Internet Files\Content.IE5 that wouldnt delete... they looked like junk from an ebay site, but i wasnt going to sit there and delete EVERYTHING else from the folders lol... what do ya think I should do with these?

I'm almost positive that the entire "Business Logic" folder should get the axe. The only places I've seen references to such a folder have been in threads on other support forums where people are dealing with an infection almost identical to yours. "Business logic" is a programming term; I've found nothing to indicate that is the name/brand of a piece of legit software that any normal user would have on their system, and I've never seen such a folder on any system I've ever worked on.

As far as the undeletable folders in the Content.IE5 folder, I'm afraid that the way to go is to start deleting the individual files until you can pinpoint the exact files which are refusing to be deleted. That way we'll at least be able to know the names of the offending files, and that might give us a clue as to how to delete them. By selecting blocks/groups of files for deletion, you should be able to narrow it down fairly quickly.

DMR... NOOOOOOOOO lol alright Ill let ya know what happens

:eek: that was a lot of files :eek: I also deleted the UWC folder (the only folder in Business Logic) and ran an AVG and Panda scan :D no more Downloaders. Thanks a lot you guys for saving my butt... again hehe... should I worry about those files that wouldnt delete? Here they are if I should do somethin with em:

1. 1980-strawberry_W0QQsokeyworddirectZ1QQfromZR8[1]
2. 1980-strawberry_W0QQfromZR8QQsosortorderZ1QQsosort propertyZ3[1]
3. Thumbs.DBF (I'm guessing this is an important one though)
4.strawberry_Home-Garden_W0QQcatrefZC12QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR10QQsacategoryZ11700QQsorecordstoskipZ100QQsosortorderZ1QQsosor[1]
5.strawberry_Home-Garden_W0QQcatrefZC12QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR10QQsacategoryZ11700QQsomorecategoriesZ1QQsosortorderZ1QQsosort[2].
<Noticing a pattern?>
6.strawberry_Home-Garden_W0QQcatrefZC12QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR10QQsacategoryZ11700QQsomorecategoriesZ1QQsosortorderZ1QQsosort[1].

Thumbs.dbf files are legit (and automatically generated) Windows files; don't worry about any of those that you run across.

As for the other files I'm not sure; let me get back to you on those.

I couldn't find anything on the Strawberry stuff -- almost looks like some kind of catalog entries. I don't understand why they won't delete in Safe Mode :confused:

thats what i thought too dlh ... but it wont delete in safe or normal mode

What is the exact error you get when you try to delete one of those "strawberry" files? Sometimes these nasty little puppies set their permissions such that even the Administrator account is denied access to them; if that's the case you might have to twiddle with the permission settings under the Security tab of each files Properties window. Another possibility is the files are still somehow in use even in Safe Mode.