Generic5.BZD trojan horse...

Discussion in 'Computer Support' started by sixstring_67@rogers.com, Jul 22, 2007.

  1. Guest

    I got this about a week ago and have tried many ways of getting rid
    of it but every time AVG catches it again. Has anyone gotten this and
    what were they able to do? Thanks.
     
    , Jul 22, 2007
    #1

  2. Guest

    wrote:

    >I got this about a week ago and have tried many ways of getting rid
    >of it but every time AVG catches it again. Has anyone gotten this and
    >what were they able to do? Thanks.


    Apparently you need to delete ActiveScanv.dll (google: Generic5.BZD)

    First unhide your files
    http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp

    Then use Autoruns to disable the file from loading
    www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx

    Use Killbox to delete ActiveScanv.dll on startup
    http://www.bleepingcomputer.com/files/killbox.php

    Just one way...


    --
    Microsoft Sees Stronger XP Sales in FY08
    www.pcworld.com/article/id,134908-page,1/article.html
     
    , Jul 22, 2007
    #2

  3. Guest

    On Jul 22, 1:15 pm, wrote:
    > wrote:
    > >I got this about a week ago and have tried many ways of getting rid
    > >of it but every time AVG catches it again. Has anyone gotten this and
    > >what were they able to do? Thanks.
    >
    > Apparently you need to delete ActiveScanv.dll (google: Generic5.BZD)
    >
    > First unhide your files
    > http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp
    >
    > Then use Autoruns to disable the file from loading
    > www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx
    >
    > Use Killbox to delete ActiveScanv.dll on startup
    > http://www.bleepingcomputer.com/files/killbox.php
    >
    > Just one way...
    >
    > --
    > Microsoft Sees Stronger XP Sales in FY08
    > www.pcworld.com/article/id,134908-page,1/article.html


    Thanks. I'll try that. I'll get back to you with results.
     
    , Jul 22, 2007
    #3
  4. Guest

    On Jul 22, 1:15 pm, wrote:
    > wrote:
    > >I got this about a week ago and have tried many ways of getting rid
    > >of it but every time AVG catches it again. Has anyone gotten this and
    > >what were they able to do? Thanks.
    >
    > Apparently you need to delete ActiveScanv.dll (google: Generic5.BZD)
    >
    > First unhide your files
    > http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp
    >
    > Then use Autoruns to disable the file from loading
    > www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx
    >
    > Use Killbox to delete ActiveScanv.dll on startup
    > http://www.bleepingcomputer.com/files/killbox.php
    >
    > Just one way...
    >
    > --
    > Microsoft Sees Stronger XP Sales in FY08
    > www.pcworld.com/article/id,134908-page,1/article.html


    It didn't work. I don't even have the ActiveScanv.dll file on my
    system. Thanks for the suggestion though.
     
    , Jul 22, 2007
    #4
  5. Guest

    wrote:

    >> Apparently you need to delete ActiveScanv.dll (google: Generic5.BZD)


    >It didn't work. I don't even have the ActiveScanv.dll file on my
    >system. Thanks for the suggestion though.


    ActiveScanv.dll was mentioned in the description, but virus programs
    call the same malware by different names.

    Download, run and paste a HijackThis log into this site
    http://hijackthis.de/en (the download is at the top right)

    Google the problems.

    Download and run Process Explorer
    http://www.sysinternals.com/Utilities/ProcessExplorer.html

    Double click on the process(es); reading its image and command line
    will tell you where to find them. Stop the process and delete the
    file/directory.

    Run Regedit and search for the file name(s), deleting them as you find
    them.

    Right clicking on the Process and selecting Google will describe the
    process.


    --
    Microsoft Sees Stronger XP Sales in FY08
    www.pcworld.com/article/id,134908-page,1/article.html
     
    , Jul 22, 2007
    #5
  6. Guest

    On Jul 22, 2:14 pm, wrote:
    > wrote:
    > >> Apparently you need to delete ActiveScanv.dll (google: Generic5.BZD)
    >
    > >It didn't work. I don't even have the ActiveScanv.dll file on my
    > >system. Thanks for the suggestion though.
    >
    > ActiveScanv.dll was mentioned in the description, but virus programs
    > call the same malware by different names.
    >
    > Download, run and paste a HijackThis log into this site
    > http://hijackthis.de/en (the download is at the top right)
    >
    > Google the problems.
    >
    > Download and run Process Explorer
    > http://www.sysinternals.com/Utilities/ProcessExplorer.html
    >
    > Double click on the process(es); reading its image and command line
    > will tell you where to find them. Stop the process and delete the
    > file/directory.
    >
    > Run Regedit and search for the file name(s), deleting them as you find
    > them.
    >
    > Right clicking on the Process and selecting Google will describe the
    > process.
    >
    > --
    > Microsoft Sees Stronger XP Sales in FY08
    > www.pcworld.com/article/id,134908-page,1/article.html


    Here's my log...

    Logfile of HijackThis v1.99.1
    Scan saved at 4:02:03 PM, on 7/22/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\TrojanHunter 4.7\THGuard.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jimmy\My Documents\hijackthis_199\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1FC26434-24A1-46A1-8D69-F68A50F17D3B}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1FC26434-24A1-46A1-8D69-F68A50F17D3B}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\..\{1FC26434-24A1-46A1-8D69-F68A50F17D3B}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: Fast User Switching Compatibility FastUserSwitchingCompatibilityBITS (FastUserSwitchingCompatibilityBITS) - Unknown owner - C:\WINDOWS\System32\usmtf.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    I'll continue to keep you informed. Thanks.
     
    , Jul 22, 2007
    #6
  7. Plato Guest

    wrote:
    >
    > I got this about a week ago and have tried many ways of getting rid
    > of it but every time AVG catches it again. Has anyone gotten this and
    > what were they able to do? Thanks.


    Try installing some additional anti-virus programs and try running them
    in safe mode.

    --
    http://www.bootdisk.com/
     
    Plato, Jul 22, 2007
    #7
  8. Guest

    wrote:

    >> Download, run and paste a hijackthis log into this site http://hijackthis.de/en (the download is at the top right)


    >Here's my log...


    By site I meant the web page above, but looking at the log at that
    web site:


    Remove:

    Elite\TJEnder.exe :NO
    http://spywarefiles.prevx.com/RREEJI338607/TJENDER.EXE.html

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    All of these with red X

    \System32\usmtf.exe (remove or rename for sure)
    Usually I'd say send it to this site to see what it is
    http://www.virustotal.com/flash/index_en.html but it's down.


    You're running DirectCD.exe and Roxio; surprised you
    don't have CD problems.
    --
    Blues Brothers Bridge Jump in Google Earth
    www.gearthblog.com/blog/archives/2007/07/blues_brothers_bridg.html
     
    , Jul 22, 2007
    #8
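The reply above works through the posted log by hand, picking out the O23 service with no vendor and the O17 NameServer entries. As an added example (not code from this thread), a small Python triage parser for exactly those two HijackThis item types: it flags services whose owner field is "Unknown owner" and reports NameServer values outside an allowlist the analyst supplies. The sample lines are constructed from the log posted above.

```python
import re

# Added example, not code from this thread: a small triage parser for the
# two HijackThis item types the replies single out, O23 services and O17
# NameServer settings. Sample lines are constructed from the log above.
SAMPLE_LOG = r"""
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Fast User Switching Compatibility FastUserSwitchingCompatibilityBITS (FastUserSwitchingCompatibilityBITS) - Unknown owner - C:\WINDOWS\System32\usmtf.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
"""

# Layouts: "O23 - Service: <name> - <owner> - <path>" and "O17 - <key>: NameServer = <ip>[,<ip>...]"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def triage(log_text, expected_dns=frozenset()):
    """Return de-duplicated (item, reason, detail) findings for one log.

    O23 services with owner 'Unknown owner' are flagged: an unattributed
    service running from System32 (this thread's usmtf.exe) is what a
    reviewer checks first.  O17 NameServer values outside expected_dns
    are only reported for review; the log cannot show whether they are
    benign (this thread's addresses belong to OpenDNS, which a machine
    set up to use OpenDNS would list in expected_dns).
    """
    findings, seen = [], set()

    def add(item, reason, detail):
        if (item, detail) not in seen:  # the same O17 value recurs per control set
            seen.add((item, detail))
            findings.append((item, reason, detail))

    for line in log_text.splitlines():
        line = line.strip()
        if m := O23_RE.match(line):
            if m["owner"].strip().lower() == "unknown owner":
                add("O23", "service with unknown owner", m["path"].strip())
        elif m := O17_RE.match(line):
            for server in m["servers"].split(","):
                server = server.strip()
                if server and server not in expected_dns:
                    add("O17", "NameServer not in expected set", server)
    return findings


if __name__ == "__main__":
    for item, reason, detail in triage(SAMPLE_LOG):
        print(f"{item}: {reason}: {detail}")
```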
  9. Beauregard T. Shagnasty Guest

    Plato wrote:

    > wrote:
    >> I got this about a week ago and have tried many ways of getting rid
    >> of it but every time AVG catches it again. Has anyone gotten this
    >> and what were they able to do? Thanks.

    >
    > Try installing some additional anti-virus programs and try running
    > them in safe mode.


    Even better, try some dedicated anti-malware programs:

    # SUPERAntiSpyware for home use: http://superantispyware.com/
    # A-Squared anti-trojan program:
    http://www.emsisoft.com/en/software/free/
    # Spybot Search & Destroy: http://www.safer-networking.org/

    Be sure to 'update database' before running scan.

    --
    -bts
    -Motorcycles defy gravity; cars just suck
     
    Beauregard T. Shagnasty, Jul 22, 2007
    #9
  10. Guest

    Thanks to everyone for their suggestions. I will try them all and
    report back soon with any new findings.
     
    , Jul 23, 2007
    #10
  11. Guest

    AVG is not reporting the Generic5 trojan anymore. I'm keeping my
    fingers crossed. Here's what I did.

    1. Ran AVG and it caught the Generic5 trojan 3 times over.
    2. AVG was able to heal the files and send them to the vault.
    3. Disabled system restore at this point.
    4. Re-booted computer.
    5. Turned back on System Restore
    6. Ran AVG and it didn't catch any Generic 5 trojans
    7. Re-booted again
    8. Ran AVG and it didn't catch any Generic 5 trojans
    9. Re-booted again
    10. Ran AVG and it didn't catch any Generic 5 trojans

    Thanks again to all for the suggestions.
     
    , Jul 25, 2007
    #11
  12. Leythos Guest

    In article <>,
    says...
    > AVG is not reporting the Generic5 trojan anymore. I'm keeping my
    > fingers crossed. Here's what I did.


    Try cross posting instead of multi-posting, your post has already been
    responded to in another group you posted to.

    --
    Leythos - (remove 999 to email me)

    Learn more about PCBUTTS1 and his antics and ethics and his perversion
    with Porn and Filth. Just take a look at some of the FILTH he's created
    and put on his website: http://www.futurehardware.in/595578-2.htm all
    exposed to children (the link I've included does not directly display his
    filth). You can find the same information by googling for 'PCBUTTS1' and
    'exposed to kids'.
     
    Leythos, Jul 25, 2007
    #12
