My AVG Found a Trojan But Cannot Be Healed

Hello All,

1) I have completed everything in the Read & Run Me First....

2) My AVG has found a Trojan called: Trojan horse BackDoor.Generic2.CGZ
Its "status" is Infected, Embedded object also Infected, Archive
"Selected object is inside the archive and cannot be healed...

3) I've included all my text files from scans except one. Panda ActiveScan could not be attached as I had met my 3 attachment limit on this post.

4) Major concern last week. We leave our computer on and hooked up to the internet 24/7. We turned on the monitor one day and found five items open or changed.
i) Internet Explorer was open and the address was: http: //badars.phpnet.us/ SpooIs.exe
ii) Our control panel was open and Windows Firewall was hi-lighted.
iii) A black DOS window was open and one line of text caught my eye. C:\WINDOWS>SpooIs.exe -install Access is denied. (I have screen shots of this)
iv) Our AVG had been removed
v) Our Skype name had been changed to something rude.

The computer seems to be running fine right now and we disconnect from the internet whenever we are not on.

4) Our computer is shared our children and they have a habit of downloading things when told not to. After our problem is fixed my wife and I would appreciated if any assistance could be given on how to set up accounts so they cannot download from the internet. Most likely solving most(one) of my headaches.

Thank you in advance.
Global

 

Hello Chaslang.

The Panda Active Scan has been attached to this message.

We did not install VNC, however the owner of the PC Service who built our computer installed it on our computer so that he could gain access whenever we called him with a problem. He would ask us for our IP address and then we could see him doing his work. I dont feel he would have been the one who hacked our computer.
When clicking on options in VNC, the 'Authentication' tab is selected. VNC Password Authentication is selected. When I select 'Configure', the window 'VNC Server Password' comes up asking for Password and Confirm Password. I'm assuming I should fill in this Password window? When the PC Service needs access to our computer, will VNC tell me when to enter my password?

I removed BitTorrent and Kazza through my Add or Remove Programs a little while back. I checked again tonight and it does not appear to be there.

-I ran MSconfig and selected 'Normal Startup' and then exited. It asked if I would like to reboot. I selected reboot later.

-I went in and made sure hidden files were enabled.

-I ran HijackThis and clicked on Open the Misc Tools Section. I then selected Open process manager. I selected the processes you advised me of and was given the following message for each:

The Selected process could not be killed. It may have already closed, or it may be protected by windows.
This process might be a service, which you can stop from the Services applet in Admin Tools.
(To load this window, click Start, Run and enter 'services.msc')

-At this point I felt it didn't make any sense to continue on with the instructions you layed out for me until I informed you of what happened.

Thanks,
Global

 

Hello Chaslang,

I went through all the steps that you outlined for me. HijackThis still gave me the same message, "The Selected process could not be killed. It may have already closed, or it may be protected by windows.
This process might be a service, which you can stop from the Services applet in Admin Tools.
(To load this window, click Start, Run and enter 'services.msc')"

I continued as you stated and fixed,
O4 - Startup: winboot.lnk = C:\WINDOWS\system32\dllcache\sp2\winboot.bat

I then went into safe mode and using Windows Explorer deleted, C:\WINDOWS\system32\dllcache\sp2\winboot.bat
C:\WINDOWS\ssh.exe
C:\WINDOWS\system32\win.exe

Since I'm running XP, I deleted all the files in Prefetch and ran Ccleaner.

I then reset my Web Settings in Explorer, using Major Geeks in the address.

I then rebooted my computer into normal mode. A message came up when I rebooted. It is a System Configuration Utility window.

"You have used the System Configuration Utility to make changes to the way Windows starts.

The System Configuration Utility is currently in Diagnostic or Selective Startup mode, causing this message to be displayed and the utility to run everytime Windows starts.

Choose the Normal Startup mode of the General Tab to start windows normally and undo the changes you made using the System Configuration Utility.

Dont show this message or launch the System Configuration Utility when windows starts.
OK"

I have not touched this window or selected OK, because frankly I have no idea what I should do. I will wait to hear from you before I do anything and if possible could you point out the steps I will need to take for this.

Things I have noticed are that my computer is running very very slow. Whenever I select an application, ie: open FireFox or AVG to update it can take anywhere from 10 to 45 seconds to open.

One additional question, should I keep Counter Spy on my computer or should I remove it now?

I will attach a new HijackThis log.

Thanks again,
Global

 

Hello again Chaslang,

In addition to my other post, I have encountered one other problem.

When I went to check my email in Microsoft Outlook a "Outlook Send/Receive Progress" window was up. It was showing an error message.

! Task 'my email address - Sending and Receiving' reported error (0x8004210A) : 'The operation timed out waiting for a response from the receiving (POP) server. If you continue to receive this message, contact your server administrator or Internet service provider (ISP).'

Would this have happened while we were doing our fixes? Any suggestions?

Thanks
Global

 

Hello Chaslang,

My apologies on missing step 2.

I have now selected normal startup and rebooted my computer. I have also uninstalled Counter Spy. Things seem to be running a bit faster.

Did you have a chance to look at my HijackThis log? Am I Malware free? My AVG still indicates that I have the same virus in my computer, (Trojan horse BackDoor.Generic2.CGZ) any suggestions?

I really do appreciate all the help Major Geeks and its techs do to help people out. Thank you very much.

Global

Please enjoy your holidays.

 

Hello Chaslang,

I do hope you enjoyed your holidays. I'm sure you need them from time to time to recharge your batteries after answering all of our questions.

I will attach another log when I arrive home tonght.

The Trojan horse BackDoor.Generic2.CGZ is no longer in AVG since I flushed the system restore points as you suggested.

I have gone through the post on "How to protect yourself from Malware". I have a question regarding step 3) Firewall. I have a router on my computer, can I run one of the Firewall programs as suggested in section 3 along with my router? Of the five listed, which one would you suggest?

Thanks again Chaslang and I will post that hijackthis log tonight.

Global2004

 

Hello Chaslang,

Here is my updated Hijackthis log.

Thanks for your help.
Global

 

I went through the steps you outlined in the previous post.

After rebooting my computer, I ran Windows Explorer and looked for c:\winnt\system32\taskgmr.exe. It does not appear to be there as you suggested it might not.

I have attached a new Hijackthis log to this post.

*One additional question- I've read some of your suggestions to other people in other forums regarding some programs that run at startup and that some really dont need to start a startup. There are a few that start up when I boot my system that I would like to stop.

1) Can you give me the steps on how to stop these programs at startup? ie) VNC
2) Can these programs still be started only when I require them?

Thanks again Chaslang. My wife and I really do appreciate the service you and Major Geeks provide.

Cheers,
Global

 

Hello Chaslang,

The only time I utilize VNC is when we contact our PC Service about a problem and then they hook in. Me or my wife never use it to get on the computer from off site. VNC also concened us as I mentioned earlier in the posts about seeing a hacker playing around on our computer. I just thought if it doesn't startup at reboot we'd be much safer.

A couple of other programs I thought we could remove at startup are things like Skype, DVD43 and Daemon. Daemon was put on our system by the PC Service and I really dont understand it and have never used it.

By the way, did that last HijackThis log check out?

Again I just wanted to stress to you how much my wife and I appreciate all of your time and help you have given us. It seems to have been much more useful than the assistance we get from our PC Service.

Cheers,
Global