Generic5.BZD trojan horse...
sixstring_67@rogers.com
      07-22-2007
I got this about a week ago and have tried many ways of getting rid of
it but every time AVG catches it again. Has anyone gotten this and
what they were able to do? Thanks.

 
Pennywise@DerryMaine.Gov
      07-22-2007
(E-Mail Removed) wrote:

>I got this about a week ago and have tried many ways of getting rid of
>it but every time AVG catches it again. Has anyone gotten this and
>what they were able to do? Thanks.


Apparently you need to delete ActiveScanv.dll (google: Generic5.BZD)

First unhide your files
http://www.bleepingcomputer.com/tuto...l62.html#winxp

Then use Autoruns to disable the file from loading
http://www.microsoft.com/technet/sys.../AutoRuns.mspx

Use Killbox to delete ActiveScanv.dll on startup
http://www.bleepingcomputer.com/files/killbox.php

Just one way...


--
Microsoft Sees Stronger XP Sales in FY08
http://www.pcworld.com/article/id,13...1/article.html
 
sixstring_67@rogers.com
      07-22-2007
On Jul 22, 1:15 pm, (E-Mail Removed) wrote:
> (E-Mail Removed) wrote:
> >I got this about a week ago and have tried many ways of getting rid of
> >it but every time AVG catches it again. Has anyone gotten this and
> >what they were able to do? Thanks.

>
> Apparently you need to delete ActiveScanv.dll (google: Generic5.BZD)
>
> First unhide your files
> http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp
>
> Then use Autoruns to disable the file from loading
> www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx
>
> Use Killbox to delete ActiveScanv.dll on startup
> http://www.bleepingcomputer.com/files/killbox.php
>
> Just one way...
>
> --
> Microsoft Sees Stronger XP Sales in FY08
> www.pcworld.com/article/id,134908-page,1/article.html


Thanks. I'll try that. I'll get back to you with results.

 
sixstring_67@rogers.com
      07-22-2007
On Jul 22, 1:15 pm, (E-Mail Removed) wrote:
> (E-Mail Removed) wrote:
> >I got this about a week ago and have tried many ways of getting rid of
> >it but every time AVG catches it again. Has anyone gotten this and
> >what they were able to do? Thanks.

>
> Apparently you need to delete ActiveScanv.dll (google: Generic5.BZD)
>
> First unhide your files
> http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp
>
> Then use Autoruns to disable the file from loading
> www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx
>
> Use Killbox to delete ActiveScanv.dll on startup
> http://www.bleepingcomputer.com/files/killbox.php
>
> Just one way...
>
> --
> Microsoft Sees Stronger XP Sales in FY08
> www.pcworld.com/article/id,134908-page,1/article.html


It didn't work. I don't even have the ActiveScanv.dll file on my
system. Thanks for the suggestion though.

 
Pennywise@DerryMaine.Gov
      07-22-2007
(E-Mail Removed) wrote:

>> Apparently you need to delete ActiveScanv.dll (google: Generic5.BZD)


>It didn't work. I don't even have the ActiveScanv.dll file on my
>system. Thanks for the suggestion though.


ActiveScanv.dll was mentioned in the description, but virus programs
call the same malware by different names.

Download, run and paste a hijackthis log into this site
http://hijackthis.de/en (the download is at the top right)

Google the problems.

Download and run Process Explorer
http://www.sysinternals.com/Utilitie...sExplorer.html

Double click on the process(es); reading its image and command line
will tell you where to find them. Stop the process and delete the
file/directory.

Run Regedit and search for the file name(s), deleting them as you find
them.

Right clicking on the Process and selecting Google will describe the
process.


--
Microsoft Sees Stronger XP Sales in FY08
http://www.pcworld.com/article/id,13...1/article.html
 
sixstring_67@rogers.com
      07-22-2007
On Jul 22, 2:14 pm, (E-Mail Removed) wrote:
> (E-Mail Removed) wrote:
> >> Apparently you need to delete ActiveScanv.dll (google: Generic5.BZD)

> >It didn't work. I don't even have the ActiveScanv.dll file on my
> >system. Thanks for the suggestion though.

>
> ActiveScanv.dll was mentioned in the description, but virus programs
> call the same malware by different names.
>
> Download, run and paste a hijackthis log into this site
> http://hijackthis.de/en (the download is at the top right)
>
> Google the problems.
>
> Download and run Process Explorer
> http://www.sysinternals.com/Utilities/ProcessExplorer.html
>
> Double click on the process(es); reading its image and command line
> will tell you where to find them. Stop the process and delete the
> file/directory.
>
> Run Regedit and search for the file name(s), deleting them as you find
> them.
>
> Right clicking on the Process and selecting Google will describe the
> process.
>
> --
> Microsoft Sees Stronger XP Sales in FY08
> www.pcworld.com/article/id,134908-page,1/article.html


Here's my log...

Logfile of HijackThis v1.99.1
Scan saved at 4:02:03 PM, on 7/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jimmy\My Documents\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FC26434-24A1-46A1-8D69-F68A50F17D3B}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FC26434-24A1-46A1-8D69-F68A50F17D3B}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{1FC26434-24A1-46A1-8D69-F68A50F17D3B}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Fast User Switching Compatibility FastUserSwitchingCompatibilityBITS (FastUserSwitchingCompatibilityBITS) - Unknown owner - C:\WINDOWS\System32\usmtf.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

I'll continue to keep you informed. Thanks.


 
Plato
      07-22-2007
(E-Mail Removed) wrote:
>
> I got this about a week ago and have tried many ways of getting rid of
> it but every time AVG catches it again. Has anyone gotten this and
> what they were able to do? Thanks.


Try installing some additional anti-virus programs and try running them
in safe mode.

--
http://www.bootdisk.com/


 
Pennywise@DerryMaine.Gov
      07-22-2007
(E-Mail Removed) wrote:

>> Download, run and paste a hijackthis log into this site http://hijackthis.de/en (the download is at the top right)


>Here's my log...


By site I meant the web page above, but looking at the log at that
web site:


Remove:

Elite\TJEnder.exe :NO
http://spywarefiles.prevx.com/RREEJI...ENDER.EXE.html

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =
208.67.220.220,208.67.222.222
All of these with red X

\System32\usmtf.exe (remove or rename for sure)
Usually I'd say send it to this site to see what it is
http://www.virustotal.com/flash/index_en.html but it's down.


You're running DirectCD.exe and Roxio; surprised you
don't have CD problems.
--
Blues Brothers Bridge Jump in Google Earth
http://www.gearthblog.com/blog/archi...ers_bridg.html
 
 
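The two Pennywise posts above describe the same workflow by hand: read the log or the process list, work out which image each entry loads, and only then decide what to stop or delete. As an added example (my own code, not HijackThis, Sysinternals or anything posted in this thread), the Python script below does the reading part over a HijackThis-style log and reports what a reviewer should look at first, without touching the machine. The line formats it parses are taken from the log posted in this thread; the checks are assumptions of my own: an O23 service with no vendor string, an O17 hard-coded NameServer (208.67.220.220 and 208.67.222.222 are OpenDNS resolvers, so such an entry means the DHCP-assigned resolver was overridden, not that the address is hostile), and an O4 autorun that names a bare executable or an unquoted path with spaces. The sample log is constructed from lines in the posted log plus two clean entries for contrast.

```python
"""Triage a HijackThis-style log (added example, not HijackThis itself).

Parses O4 / O17 / O23 lines and reports entries a reviewer should check
first. It never modifies anything; it only points at what to verify.
"""
import re
from dataclasses import dataclass

# Resolver addresses I recognise (assumption: 208.67.x.x is OpenDNS). Every
# O17 entry is reported anyway, because a hard-coded NameServer overrides
# whatever DHCP handed out.
KNOWN_PUBLIC_RESOLVERS = {
    "208.67.222.222": "OpenDNS",
    "208.67.220.220": "OpenDNS",
}

# Constructed sample: lines copied from the log posted in this thread, plus a
# quoted O4 entry and a vendor-signed service that should produce no finding.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Fast User Switching Compatibility FastUserSwitchingCompatibilityBITS (FastUserSwitchingCompatibilityBITS) - Unknown owner - C:\WINDOWS\System32\usmtf.exe
"""

# Line shapes as they appear in the v1.99.1 log above (my regexes, not the tool's).
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")
O23_RE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - (?P<vendor>.+?) - (?P<image>.+)$"
)
IMAGE_RE = re.compile(r"^(?P<image>.+?\.(?:exe|dll|com|scr|bat|cmd|ocx))(?:\s|$)", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # which HijackThis section the entry came from
    subject: str   # autorun label, resolver address, or service name
    reason: str    # why a human should look at it


def parse_log(text):
    """Return (section, body) pairs for every Rx/Fx/Oxx line in the log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def image_from_command(cmd):
    """Extract the executable from an autorun command line.

    Returns (image, quoted). A quoted path is unambiguous; an unquoted one is
    cut at the first recognised extension, which is also roughly how Windows
    has to guess when the path contains spaces.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    m = IMAGE_RE.match(cmd)
    return (m.group("image") if m else cmd.split()[0]), False


def triage(entries):
    """Apply the review heuristics and return a list of Finding objects."""
    findings = []
    seen_dns = set()
    for section, body in entries:
        if section == "O4":
            m = O4_RE.match(body)
            if not m:
                continue  # Global Startup and other forms are not handled here
            image, quoted = image_from_command(m.group("cmd"))
            if "\\" not in image:
                findings.append(Finding("O4", m.group("label"),
                    f"bare image name {image!r}: found via PATH search, confirm where it really lives"))
            elif not quoted and " " in image:
                findings.append(Finding("O4", m.group("label"),
                    f"unquoted path with spaces {image!r}: ambiguous to CreateProcess"))
        elif section == "O17":
            m = O17_RE.search(body)
            if not m:
                continue
            for server in m.group("servers").split(","):
                if server in seen_dns:
                    continue  # the same resolver shows up once per control set
                seen_dns.add(server)
                who = KNOWN_PUBLIC_RESOLVERS.get(server, "unrecognised")
                findings.append(Finding("O17", server,
                    f"hard-coded NameServer ({who}); confirm the owner chose it"))
        elif section == "O23":
            m = O23_RE.match(body)
            if m and m.group("vendor").strip().lower() == "unknown owner":
                findings.append(Finding("O23", m.group("name") or m.group("display"),
                    f"service with no vendor string, image {m.group('image')}"))
    return findings


def triage_text(text):
    """Convenience wrapper: log text in, findings out."""
    return triage(parse_log(text))


if __name__ == "__main__":
    for f in triage_text(SAMPLE_LOG):
        print(f"[{f.section}] {f.subject}: {f.reason}")
```

Run it as-is to see the findings for the sample; pass a saved log's contents to `triage_text()` for a real one. Each finding is a pointer to something to verify with the tools the thread already names (Process Explorer's image path and publisher, a VirusTotal lookup) rather than an instruction to delete, which is the difference between usmtf.exe, an unsigned service in System32 that the thread flags, and nwiz.exe, a bare name that still has to be located before it can be judged.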
Beauregard T. Shagnasty
      07-22-2007
Plato wrote:

> (E-Mail Removed) wrote:
>> I got this about a week ago and have tried many ways of getting rid
>> of it but every time AVG catches it again. Has anyone gotten this
>> and what they were able to do? Thanks.

>
> Try installing some additional anti-virus programs and try running
> them in safe mode.


Even better, try some dedicated anti-malware programs:

# SUPERAntiSpyware for home use: http://superantispyware.com/
# A-Squared anti-trojan program:
http://www.emsisoft.com/en/software/free/
# Spybot Search & Destroy: http://www.safer-networking.org/

Be sure to 'update database' before running a scan.

--
-bts
-Motorcycles defy gravity; cars just suck
 
sixstring_67@rogers.com
      07-23-2007
Thanks to everyone for their suggestions. I will try them all and
report back soon with any new findings.


 