Please help- Win32:Trojan-gen. {VC}

Discussion in 'adware, spyware & hijack cleaning' started by jennyjav14, May 23, 2004.

Thread Status:
Not open for further replies.
  1. jennyjav14, Registered Member (Joined: May 23, 2004; Posts: 4)

    Please help me. I have run Ad-aware, Spy Bot and Avast and it keeps saying that I have this Win32:Trojan-gen. {VC} and it cannot be removed or cleaned. This also comes up- C:\Documents and Settings\Administrator\Local Settings\Temp\Belt.cab\Belt.exe. My computer is rather slow now and I get so many popups even though I have a block and also I keep getting redirected to this Incredifind search engine. I ran this program on hijackthis:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:11:34 AM, on 5/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\atiptaxx.exe
    C:\Program Files\Compaq\EAB\EabServr.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Compaq Wireless LAN\Client Manager\CmCOM.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
    C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://inline.cpqcorp.net/searchpane.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inline.compaq.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Jordan Buser
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoconfig.cpqcorp.net
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://inline.compaq.com/
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [PostInst] seps\postinst.exe
    O4 - HKLM\..\Run: [PostImg] C:\Drivers\postimg.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tb_setup.exe /dcheck
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Compaq Client Manager.lnk = C:\Program Files\Compaq Wireless LAN\Client Manager\CmCOM.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://inline.compaq.com
    O15 - Trusted Zone: http://ie.config.asia.compaq.com
    O15 - Trusted Zone: http://ie.config.eur.compaq.com
    O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
    O15 - Trusted Zone: http://ie.config.jp.compaq.com
    O15 - Trusted Zone: http://ie.config.ecom.dec.com
    O15 - Trusted Zone: http://ie.config.tandem.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://download.websearch.com/Dnl/T_99/QDow.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38011.6635069444
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
     
  2. dave38, Spyware Expert (Joined: Feb 26, 2004; Posts: 377)

    Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.


    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

    O4 - HKLM\..\Run: [PostInst] seps\postinst.exe
    O4 - HKLM\..\Run: [PostImg] C:\Drivers\postimg.exe
    O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tb_setup.exe /dcheck
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O15 - Trusted Zone: http://ie.config.asia.compaq.com
    O15 - Trusted Zone: http://ie.config.eur.compaq.com
    O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
    O15 - Trusted Zone: http://ie.config.jp.compaq.com
    O15 - Trusted Zone: http://ie.config.ecom.dec.com
    O15 - Trusted Zone: http://ie.config.tandem.com

    Reboot, and delete

    file
    seps\postinst.exe
    C:\Drivers\postimg.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tb_setup.exe

    folder
    C:\Program Files\Common files\updater

    These may be hidden files. See HERE for how to show hidden files.

    The O6 entries are an optional fix. If you set these restrictions yourself, using Spybot's immunize feature, and wish to retain them, leave the boxes unchecked.

    The O15 entries are also optional. Personally I allow nothing in the "trusted zone", as any site listed there has unrestricted access to your computer, without your knowledge! If you trust these sites that much, then leave the entries unfixed.

    Then post a new log, and say if the problems persist.
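
An added example, not part of the original thread and not HijackThis's or the poster's own logic: a short Python triage helper run over lines copied from the log above. The three review hints it applies (an autorun launched from a Temp directory, hosts-file overrides, and one CLSID registered under more than one hook) are assumptions chosen for illustration; they mark entries to look at, not verdicts.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # "O4 - ..." section code + body
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")  # hive, key, name, command

def parse(log):
    """Return (code, body) pairs for every HijackThis entry line."""
    lines = (line.strip() for line in log.splitlines())
    return [m.groups() for m in map(ENTRY.match, lines) if m]

def review_hints(entries):
    """Assumed triage hints: entries worth a closer look, not verdicts."""
    hints, by_clsid = [], defaultdict(set)
    for code, body in entries:
        for clsid in CLSID.findall(body):
            by_clsid[clsid.upper()].add(code)
        run = RUN.match(body) if code == "O4" else None
        if run and "\\temp\\" in run.group(4).lower():
            hints.append((code, run.group(3), "autorun starts from a Temp directory"))
        if code == "O1":
            hints.append((code, body, "hosts file overrides DNS for these names"))
    # One component registered under several hook types (here R3 and O2).
    for clsid, codes in sorted(by_clsid.items()):
        if len(codes) > 1:
            hints.append(("+".join(sorted(codes)), clsid, "same CLSID hooked in several places"))
    return hints

if __name__ == "__main__":
    for code, item, reason in review_hints(parse(SAMPLE_LOG)):
        print(f"{code:6} {reason}: {item}")
```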
     
  3. jennyjav14, Registered Member (Joined: May 23, 2004; Posts: 4)

    Thank you very much for the quick response. I'm going to delete these and I will get back if it doesn't work. Thanks so much!
     
  4. jennyjav14, Registered Member (Joined: May 23, 2004; Posts: 4)

    Sorry, another question. I ran Avast earlier and it said that I am infected with Belt.exe. I think it is in quarantine. Was this problem going to be fixed in your directions? I think my main problems were Incredifind and Belt.exe which is impossible to delete! Thanks.
    -Jennifer
     
  5. jennyjav14, Registered Member (Joined: May 23, 2004; Posts: 4)

    Haha you can ignore my last post. I ran the virus scan that had caught Belt.exe and it came out clean. Thanks so much again.
     