
Post #1 · Discussion Starter · Registered · 9 Posts
I have Windows ME on a Sony Vaio. My AVG Anti-Virus has been popping up the last few days with 'Threat Detected' messages regarding the same trojans:

C:\WINDOWS\SYSTEM\WWWW.exe
and
C:\WINDOWS\SYSTEM\JBHOOK.dll
(both are described as "Trojan horse PSW.Generic2.TLV")

I run the anti-virus, and those two along with about 70 others supposedly go into the virus vault and are healed, but if I run it again, the same files will appear as a threat, and I continue to get the pop-up messages. I have also now begun to receive small pop-ups that say "runtime error 216", after which the computer usually freezes up.

An excerpt from the event history from the last run of AVG Anti-Virus is:

<history>

<rec time="2007/01/14 15:29:42" user="default" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINDOWS\SYSTEM\JBHOOK.DLL</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">PSW.Generic2.TLV</attr>
</rec>
<rec time="2007/01/14 15:30:24" user="default" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\WINDOWS\SYSTEM\JBHOOK.DLL</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/14 15:30:57" user="default" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">avi:912-904;iavi:635-623;</attr>
</rec>
<rec time="2007/01/14 15:31:02" user="default" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/01/14 15:31:04" user="default" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\WINDOWS\SYSTEM\SVCH0ST.EXE</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic2.QVD</attr>
</rec>
<rec time="2007/01/14 15:31:39" user="default" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\MA795VDJ\WWWW[1].EXE</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">PSW.Generic2.ACBM</attr>
</rec>
<rec time="2007/01/14 15:31:41" user="default" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINDOWS\SYSTEM\WWWW.EXE</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">PSW.Generic2.ACBM</attr>
</rec>
<rec time="2007/01/14 15:31:43" user="default" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\_RESTORE\TEMP\A0034345.CPY</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">PSW.Generic2.TLV</attr>
</rec>
<rec time="2007/01/14 15:31:44" user="default" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\_RESTORE\TEMP\A0034366.CPY</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">PSW.Generic2.TLV</attr>
</rec>
<rec time="2007/01/14 15:31:45" user="default" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\_RESTORE\TEMP\A0034368.CPY</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic2.QVD</attr>
</rec>
<rec time="2007/01/14 15:31:48" user="default" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\_RESTORE\TEMP\A0035368.CPY</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">PSW.Generic2.TLV</attr>
</rec>
<rec time="2007/01/14 15:31:48" user="default" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\_RESTORE\TEMP\A0035372.CPY</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic2.QVD</attr>
</rec>
<rec time="2007/01/14 15:31:51" user="default" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\_RESTORE\TEMP\A0035423.CPY</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">PSW.Generic2.TLV</attr>
</rec>
 

Reply · Retired Moderator · 72,209 Posts
Hi, Welcome to TSG!!

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Click here to download HJTsetup.exe
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 

Post #3 · Discussion Starter · Registered · 9 Posts
Here's what it gave me:

Logfile of HijackThis v1.99.1
Scan saved at 10:16:45 AM, on 1/15/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\LINKSYS WIRELESS-G USB WIRELESS NETWORK MONITOR\WUSB54GV4.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SUPPORT.COM\CLIENT\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\FILSECLAB\XFILTER\XFILTER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\FILSECLAB\FILMSG.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\JB.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\Client\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [ZTgServerSwitch] C:\Program Files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [system43.exe] C:\WINDOWS\SYSTEM\system43.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [xfilter] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
O4 - Startup: Filseclab Messenger.lnk = C:\Program Files\Common Files\Filseclab\FilMsg.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/203fb4402c87303f1316/netzip/RdxIE601.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
 

Reply · Retired Moderator · 72,209 Posts
Run HJT again and put a check in the following:

O4 - HKLM\..\Run: [system43.exe] C:\WINDOWS\SYSTEM\system43.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/203fb440...p/RdxIE601.cab

Close all applications and browser windows before you click "fix checked".

Restart in Safe Mode.
  • To boot up in Safe mode, continuously tap the F8 key while starting your computer.
  • You should see a black screen displaying the Windows Advanced Menu Options.
  • Using your keyboard's arrow keys, select Safe mode, then hit Enter.

Delete this file:
C:\WINDOWS\SYSTEM\system43.exe

Restart in normal mode and post your hijackthis log again and your anti-virus scan results.
 

Post #5 · Discussion Starter · Registered · 9 Posts
Logfile of HijackThis v1.99.1
Scan saved at 11:38:40 AM, on 1/15/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\LINKSYS WIRELESS-G USB WIRELESS NETWORK MONITOR\WUSB54GV4.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SUPPORT.COM\CLIENT\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\FILSECLAB\XFILTER\XFILTER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\FILSECLAB\FILMSG.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\Client\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [ZTgServerSwitch] C:\Program Files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [xfilter] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
O4 - Startup: Filseclab Messenger.lnk = C:\Program Files\Common Files\Filseclab\FilMsg.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

I ran AVG, and it still finds about 80 threats, so the event history log it creates (is that what you need?) is too large to post in its entirety. First part is:

<history>

<rec time="2007/01/14 15:29:42" user="default" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINDOWS\SYSTEM\JBHOOK.DLL</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">PSW.Generic2.TLV</attr>
</rec>
<rec time="2007/01/14 15:30:24" user="default" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\WINDOWS\SYSTEM\JBHOOK.DLL</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/01/14 15:30:57" user="default" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">avi:912-904;iavi:635-623;</attr>
</rec>
<rec time="2007/01/14 15:31:02" user="default" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/01/14 15:31:04" user="default" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\WINDOWS\SYSTEM\SVCH0ST.EXE</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic2.QVD</attr>
</rec>
<rec time="2007/01/14 15:31:39" user="default" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\MA795VDJ\WWWW[1].EXE</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">PSW.Generic2.ACBM</attr>
</rec>
<rec time="2007/01/14 15:31:41" user="default" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINDOWS\SYSTEM\WWWW.EXE</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">PSW.Generic2.ACBM</attr>
</rec>
<rec time="2007/01/14 15:31:43" user="default" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\_RESTORE\TEMP\A0034345.CPY</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">PSW.Generic2.TLV</attr>
</rec>
<rec time="2007/01/14 15:31:44" user="default" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\_RESTORE\TEMP\A0034366.CPY</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">PSW.Generic2.TLV</attr>
</rec>
<rec time="2007/01/14 15:31:45" user="default" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\_RESTORE\TEMP\A0034368.CPY</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic2.QVD</attr>
</rec>
<rec time="2007/01/14 15:31:48" user="default" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\_RESTORE\TEMP\A0035368.CPY</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">PSW.Generic2.TLV</attr>
</rec>
<rec time="2007/01/14 15:31:48" user="default" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\_RESTORE\TEMP\A0035372.CPY</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic2.QVD</attr>
</rec>
<rec time="2007/01/14 15:31:51" user="default" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\_RESTORE\TEMP\A0035423.CPY</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">PSW.Generic2.TLV</attr>
</rec>
<rec time="2007/01/14 15:31:52" user="default" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\_RESTORE\TEMP\A0035427.CPY</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">PSW.Generic2.ACBM</attr>
</rec>
<rec time="2007/01/14 15:31:55" user="default" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\_RESTORE\TEMP\A0035480.CPY</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">PSW.Generic2.TLV</attr>
</rec>
 
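Comparing the two HijackThis logs above by eye is error-prone. The Python below is an added example, not part of the thread or of the HijackThis tool: it parses two logs in the format posted, then reports which numbered entries and running processes disappeared or appeared between the scans, which is how a helper verifies that a "fix checked" actually took. The two embedded logs are constructed excerpts trimmed to the lines that differ.

```python
import re

# Constructed excerpts in HijackThis 1.99.1 log layout, reduced to the
# header, a short "Running processes" block and a few numbered entries.
HJT_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:16:45 AM, on 1/15/2007

Running processes:
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\JB.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [system43.exe] C:\WINDOWS\SYSTEM\system43.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/203fb4402c87303f1316/netzip/RdxIE601.cab
"""

HJT_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:38:40 AM, on 1/15/2007

Running processes:
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

# Numbered entries look like "R1 - ..." or "O4 - ..."; everything else is
# either header text or a line of the "Running processes:" block.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - ")


def parse_hjt(text):
    """Split an HJT log into its process list and its numbered entries."""
    processes, entries = set(), set()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:                 # blank line ends the process block
            in_procs = False
            continue
        if ENTRY_RE.match(line):
            entries.add(line)
        elif in_procs:
            processes.add(line.upper())   # paths are case-insensitive
    return processes, entries


def diff_hjt(before, after):
    """Report what vanished and what appeared between two scans."""
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    return {
        "entries_removed": sorted(e0 - e1),
        "entries_added": sorted(e1 - e0),
        "processes_gone": sorted(p0 - p1),
        "processes_new": sorted(p1 - p0),
    }


if __name__ == "__main__":
    for key, lines in diff_hjt(HJT_BEFORE, HJT_AFTER).items():
        print(key, *lines, sep="\n  ")
```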

Reply · Retired Moderator · 72,209 Posts
It seems most of that is in system restore so disable and then enable it again to flush it out.
http://support.microsoft.com/kb/264887

Close all browser windows and delete this folder:
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\MA795VDJ

Delete this file:
C:\WINDOWS\SYSTEM\JBHOOK.DLL

You may need to go to safe mode to delete it.
To restart in Safe Mode:
  • To boot up in Safe mode, continuously tap the F8 key while starting your computer.
  • You should see a black screen displaying the Windows Advanced Menu Options.
  • Using your keyboard's arrow keys, select Safe mode, then hit Enter.

After you have done all of that run a new virus scan and post the results.
 
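The moderator's reading of the AVG event history, that most of the hits sit under C:\_RESTORE and only a few are live system files, can be automated. The Python below is an added example and not the thread's or AVG's code: it parses the `<rec>` records of the format posted above one at a time (so a truncated excerpt with an unclosed `<history>` still parses), buckets each detection by where it lives, and lists live-system detections that no `@HL_ActCleaned` action followed. The embedded excerpt is constructed from the records posted in this thread, compacted onto fewer lines.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed excerpt in the shape of the AVG event history posted above;
# each <rec> is compacted onto three lines, which XML does not mind.
SAMPLE_HISTORY = r"""<history>
<rec time="2007/01/14 15:29:42" user="default" source="Virus"><value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINDOWS\SYSTEM\JBHOOK.DLL</attr><attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">PSW.Generic2.TLV</attr></rec>
<rec time="2007/01/14 15:30:24" user="default" source="Virus"><value>@HL_ActionTaken</value>
<attr name="filename">C:\WINDOWS\SYSTEM\JBHOOK.DLL</attr><attr name="action">@HL_ActCleaned</attr></rec>
<rec time="2007/01/14 15:31:04" user="default" source="Virus"><value>@HL_ReportFind</value>
<attr name="where">C:\WINDOWS\SYSTEM\SVCH0ST.EXE</attr><attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic2.QVD</attr></rec>
<rec time="2007/01/14 15:31:39" user="default" source="Virus"><value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\MA795VDJ\WWWW[1].EXE</attr><attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">PSW.Generic2.ACBM</attr></rec>
<rec time="2007/01/14 15:31:41" user="default" source="Virus"><value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINDOWS\SYSTEM\WWWW.EXE</attr><attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">PSW.Generic2.ACBM</attr></rec>
<rec time="2007/01/14 15:31:43" user="default" source="Virus"><value>@HL_ReportFind</value>
<attr name="where">C:\_RESTORE\TEMP\A0034345.CPY</attr><attr name="type">@EID_Id_trj</attr>
<attr name="what">PSW.Generic2.TLV</attr></rec>
"""

FIND_EVENTS = {"@HL_ReportFind", "@HL_ReportFindRS"}


def classify(path):
    """Bucket a detection by where the file lives on disk."""
    p = path.upper()
    if p.startswith(r"C:\_RESTORE"):
        return "system-restore"   # flushed by disabling/re-enabling System Restore
    if "\\TEMPORARY INTERNET FILES\\" in p:
        return "browser-cache"    # removed by deleting the cache folder
    return "live"                 # a file the running system actually uses


def parse_history(text):
    """Parse <rec> records individually, so a truncated log still parses."""
    findings, cleaned = [], set()
    for m in re.finditer(r"<rec\b.*?</rec>", text, re.S):
        rec = ET.fromstring(m.group(0))
        value = rec.findtext("value")
        attrs = {a.get("name"): (a.text or "") for a in rec.findall("attr")}
        if value in FIND_EVENTS:
            # ReportFindRS uses filename/virusname, ReportFind uses where/what
            path = attrs.get("filename") or attrs.get("where", "")
            findings.append({"path": path, "bucket": classify(path),
                             "name": attrs.get("virusname") or attrs.get("what", "")})
        elif value == "@HL_ActionTaken" and attrs.get("action") == "@HL_ActCleaned":
            cleaned.add(attrs.get("filename", "").upper())
    return findings, cleaned


def triage(text):
    """Count detections per bucket and list live files AVG never cleaned."""
    findings, cleaned = parse_history(text)
    counts = Counter(f["bucket"] for f in findings)
    unresolved = sorted(f["path"] for f in findings
                        if f["bucket"] == "live" and f["path"].upper() not in cleaned)
    return {"counts": dict(counts), "unresolved_live": unresolved}


if __name__ == "__main__":
    print(triage(SAMPLE_HISTORY))
```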

Post #7 · Discussion Starter · Registered · 9 Posts
I disabled/enabled system restore and deleted the folder successfully; JBHOOK.DLL was already gone (unless I'm not looking in the right place).

Running AVG again, it looks like most have been taken care of. The only ones that show up now under Virus results are:

C:\_RESTORE\ARCHIVE\FS28.CAB:\A0004072.CPY
C:\_RESTORE\ARCHIVE\FS28.CAB:\A0004073.CPY
C:\_RESTORE\ARCHIVE\FS28.CAB:\A0004080.CPY
C:\_RESTORE\ARCHIVE\FS28.CAB:\A0004081.CPY
C:\_RESTORE\ARCHIVE\FS28.CAB:\A0004082.CPY
C:\_RESTORE\ARCHIVE\FS28.CAB:\A0004132.CPY
C:\_RESTORE\ARCHIVE\FS28.CAB:\A0004134.CPY
C:\_RESTORE\ARCHIVE\FS28.CAB:\A0004136.CPY
(all with status of "infected, embedded object")
and
C:\_RESTORE\ARCHIVE\FS28.CAB , with status of "infected, archive"