
Trojan Virus

Discussion in 'Virus & Other Malware Removal' started by redsox13, Sep 20, 2004.

Thread Status:
Not open for further replies.
  1. redsox13

    redsox13 Thread Starter

    Joined:
    Sep 14, 2003
    Messages:
    93
    I used Avast Antivirus to run a scan on my CPU upon reboot and it found the following virus. File C/Documents and Settings/Dan/Local Settings/Temp/Thi38 BB.tmp/Twaintec.dll
    It says that it was infected by: win32: Trojan-gen.

    It asked me to delete it so I said yes, but then it told me that it is in my Windows files so I was afraid to delete it and screw everything up. Is it safe to delete since it is in my temp files?
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Generally anything in Temp folders is safe to delete...but may not be deletable, as you see. The file in question is more adware than trojan, though the difference is becoming harder to see these days. The item that it "belongs" to is also active in Windows and cannot simply be deleted... so we use utilities that can remove it easily for you.

    You can use something like AdAware and Spybot to detect and remove these types of "adware". It would also be advisable for you to post a HijackThis log for review...
    Basically, you create a new folder somewhere such as My Documents or the desktop, name it HJT, download Hijackthis.exe to that folder (not a temporary location) and run HijackThis....hit the SCAN button, and when it is done, the Save Log button will become active...you then save the logfile as hijackthis.txt, which will open with Notepad...and copy/paste the entire log into a reply here in this thread. Someone will advise you on what to do. Do the log posting before you use AdAware etc...there are still a few things that must be uninstalled via Add/Remove Programs before using anything else.
    Get HJT here:

    http://tools.radiosplace.com/HijackThis.exe
     
  3. redsox13

    redsox13 Thread Starter

    Joined:
    Sep 14, 2003
    Messages:
    93
    Logfile of HijackThis v1.98.2
    Scan saved at 12:39:20 PM, on 21/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\System32\lexpps.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\SECRETMAKER\secretmaker.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Dan\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.unb.ca/webmail
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.unb.ca/webmail
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...W/win/019-0123.20031218.zes4d/iTunesSetup.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0757122492f1e2fbbd20/netzip/RdxIE601.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9274454F-0A46-4824-AFF0-3EDDBA2DB446}: NameServer = 198.164.30.2 198.164.4.2
     
  4. redsox13

    redsox13 Thread Starter

    Joined:
    Sep 14, 2003
    Messages:
    93
    Could somebody take a look at this?
     
  5. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, It appears that twaintec.dll could indeed be a trojan!
    It all depends> the same filename is present in some bundled spyware, or it could be BiSpy. Info here on BOTH the adware type and the trojan and how to find and remove them. (Nothing shows in your log about it.)

    http://www.pchell.com/support/twaintec.shtml

    1. The things in your log I question are BearShare> which it is always recommended that you not use, from what I have learned. Doesn't matter what version of it or how you have modified it> it's P2P file sharing and we always advise you to remove it. If, as I think, you are in Canada, it may be legal for you to use. It will possibly bring you things you do not want, though!

    2. You seem to be using both AVG and Avast!> if both are active, that is not good; use one as active and turn the other off from starting up with Windows. That's the preferred way to use two antivirus programs.

    3. Did you set this up?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    It could be interfering with your use of Internet Explorer.
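The checks in the reply above (two resident antivirus products, a P2P client in the Run keys, an O6 Internet Explorer policy, and an entry pointing at a missing file) can be applied mechanically to the HijackThis log format. The following parser and triage routine is an added example, not code from this thread or from HijackThis; the sample lines are copied from the log posted earlier in the thread, and the vendor path fragments and P2P names are assumptions chosen to match that log.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread (trimmed).
SAMPLE_LOG = r"""Running processes:
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
"""

# HijackThis entries start with a section code (R0-R3, F0-F3, O1-O23) followed by " - ".
ENTRY_RE = re.compile(r"^([RF][0-3]|O\d{1,2}) - (.*)$")

# Assumed path fragments that identify the two antivirus products seen in the log.
AV_VENDORS = {"avast": "Avast", "grisoft": "AVG"}
P2P_NAMES = ("bearshare",)   # file-sharing client the reply recommends removing

def parse_hjt(text):
    """Split a log into (running process paths, [(section, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # blank line ends the process list
        elif (m := ENTRY_RE.match(line)):
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries

def triage(processes, entries):
    """Flag the conditions discussed in this thread as (code, detail) pairs."""
    findings = []
    running_av = {name for p in processes for frag, name in AV_VENDORS.items() if frag in p.lower()}
    if len(running_av) > 1:           # two resident scanners running at once
        findings.append(("two-av", sorted(running_av)))
    for section, body in entries:
        low = body.lower()
        if section == "O4" and any(n in low for n in P2P_NAMES):
            findings.append(("p2p-autostart", body))
        elif section == "O6":         # IE policy restriction present
            findings.append(("ie-policy", body))
        elif section == "O9" and "(file missing)" in low:
            findings.append(("dangling-entry", body))
    return findings
```

Running `triage(*parse_hjt(SAMPLE_LOG))` on the sample yields the four findings in the order they appear in the log; extend `AV_VENDORS` and `P2P_NAMES` to cover other products before using it on a different machine's log.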
     
  6. redsox13

    redsox13 Thread Starter

    Joined:
    Sep 14, 2003
    Messages:
    93
    Somebody installed BearShare on my CPU but I removed it. Is it still there?

    As for point 3, I have no clue how to set things up like that, so I doubt that I did it.
     
  7. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, OK, uninstall BearShare from either Add/Remove Programs or its own built-in uninstaller from Start>All Programs>BearShare> uninstaller....whichever it uses.
    If you already did, that's good; I am just making sure it was removed correctly. It's also not uncommon for a file or folder to remain after an uninstall, and really common for things to be left by ad-based bundled programs like BS....there was only one entry in your last log. It said "paused" next to it...which makes me wonder.
    If you have anything turned off using MSConfig, we can see that in your HJT log and will ask you to turn them back on... Start>Run>type in the run line msconfig and hit Enter or OK....look in the Startup tab, see if any items are not checked, and put checks back in those...but be sure you record what you are checking, as you may want to return to having them not start up....we do need to see everything for now, though.
    Someone else may have reinstalled it but have it set not to start up, and you may not be aware of that.

    The one item in your log may perhaps be just a leftover, so if you do not see BS installed anymore, we can fix that item when you post a new HJT log.

    SpyBot Search and Destroy has some features that could have set up the locked or restricted "Control Panel present" for IE; let's check it:

    Start up SpyBot, online right now is OK> at the top next to File, hit the Mode tab, and switch to Advanced. Then hit the Tools item at the bottom, then hit "IE Tweaks" and see if there are checkmarks in the two boxes...if so, remove them.

    Re-run HijackThis and post a new log.

    You did turn off one antivirus program from starting up when Windows does, correct? You can have problems using two active background a/v programs at the same time.
     

Short URL to this thread: https://techguy.org/276083