# Very weird Trojan virus problem - Trojanhorse.Downloader.Agent2.XWR



## Huzefa (Jun 19, 2010)

This is a weird problem I have currently been encountering...

This trojan/virus is called Trojanhorse.Downloader.Agent2.XWR as per the AVG Free resident shield report below...

*img692.imageshack.us/img692/1671/capturergfe.jpg

*img541.imageshack.us/img541/6431/capturecj.jpg

and it keeps on creating .tmp folders in my windows temp folder continuously...
*img820.imageshack.us/img820/5315/tempfolder.jpg

and sometimes the PC crashes with a BSOD, page fault in non-paging area.

I even checked the RAM modules for any errors; there are none.
I have scanned with Malwarebytes, Trend Micro's HouseCall, and AVG Free (scanned the whole HD),
and they all can't find one thing!!!

Guys, pls help, does anyone know what could be done???


----------



## rhitwick (Jun 19, 2010)

If possible, scan ur system in Safe Mode.

And try other scanners too, such as Avira, Kaspersky, NOD32.


----------



## cute.bandar (Jun 19, 2010)

Try using startup control monitor to prevent the virus from starting at Windows startup.


----------



## swatkat (Jun 19, 2010)

Download and install the free version of Malwarebytes Anti-Malware, from here:
Malwarebytes' Anti-Malware: Malwarebytes

Download and install CCleaner, from here:
Download CCleaner 2.32.1165 - FileHippo.com

Boot into Safe Mode and then run a full system scan using Malwarebytes. Remove any threat that Malwarebytes may find. Run CCleaner and click "Run Cleaner" to remove all the temp/unnecessary files. Finally, run a scan using AVG and remove any threat that it may find.

Reboot PC to normal mode and check if you still get any warnings from AVG.


----------



## Huzefa (Jun 22, 2010)

thnkx for the help
Though even after all this, Ad-Aware, Malwarebytes Anti-Malware, Trend Micro's HouseCall, Trojan Remover (Download Trojan Remover), in Safe Mode with no networking...
All of these have not detected any virus or trojan...
YET when the AVG Free resident shield is active it still detects this very same virus in the svchost.exe file, as per the above image captures...
And when I keep the resident shield part of AVG Free active, I get BSODs with the error 'page fault in non-paging area'.
Funnily, the AVG scanner detects no malware / virus / trojan.

In spite of all this, there are hundreds of these .tmp folders created in the windows\temp folder, image capture below... and these are the very folders that are giving the AVG Free resident shield alerts...
*img94.imageshack.us/img94/1968/capturetemp.jpg

And just now I got this alert from Ad-Aware's Ad-Watch Live
*img80.imageshack.us/img80/520/adwatchcapture.jpg

it's just too mysterious, just what is going on??? ???


----------



## swatkat (Jun 22, 2010)

Hi,
Download HijackThis from here:
TrendSecure | Download TrendMicro HijackThis

Run HijackThis.exe and click "Do a system scan and save a logfile". Once HijackThis completes scanning, it will create a file named hijackthis.log. Copy the contents of that logfile and paste it here.

Note: Do not fix anything in HijackThis.


----------



## rajurajus (Jun 22, 2010)

Hi,

I am getting the same issue. And previously Chrome was my default browser. I am now unable to open Chrome. It crashes and doesn't show anything.
OS: Windows 7

Additional information is that my Task Manager shows a total of 14 processes for svchost.exe alone.


```
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:49 AM, on 22-Jun-10
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Users\Raju\AppData\Local\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\ZTE Wireless Terminal\bin\App.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Raju\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = *go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = *go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = *go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = *go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = *go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Microsoft Web Test Recorder 10.0 Helper - {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - C:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Google Update] "C:\Users\Raju\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix: 
O17 - HKLM\System\CCS\Services\Tcpip\..\{7905F6F5-8BD4-46A4-97F9-5B4441A3EA67}: NameServer = 218.248.240.181 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC65DA70-133E-4506-A36D-1BA3AD9F4FAE}: NameServer = 8.8.8.8
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: UDisk Monitor - Unknown owner - C:\Program Files\ZTE Wireless Terminal\bin\MonServiceUDisk.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.36\bin\mysqld.exe

--
End of file - 4949 bytes
```


----------



## Gauravs90 (Jun 22, 2010)

I must say, download trial versions of good AVs just to remove that trojan.
Good AVs are Norton, NOD, Kaspersky, Avast, Avira.
Only use these AVs to remove any malware.
AVG and all the other AVs u have used, except Malwarebytes, are 3rd grade AVs. They are no good on an already infected system.


----------



## Huzefa (Jun 22, 2010)

@swatkat 
here's my hijackthis logfile...


```
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:23 PM, on 6/22/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Quick Heal\Quick Heal Total Security\EMLPROUI.EXE
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *192.168.1.1/StaRouter.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Total Security Toolbar - {5C6227F4-39E2-4468-B69E-29AEB12A7F88} - C:\PROGRA~1\QUICKH~1\QUICKH~1\antiphis.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Anti Popup - {EFCA9D4B-F2E8-487d-8505-E4D0E459ABFE} - C:\PROGRA~1\QUICKH~1\QUICKH~1\apop.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Total Security Toolbar - {5C6227F4-39E2-4468-B69E-29AEB12A7F88} - C:\PROGRA~1\QUICKH~1\QUICKH~1\antiphis.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Email Protection] C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE
O4 - HKLM\..\Run: [Update Scheduler] C:\PROGRA~1\QUICKH~1\QUICKH~1\UPSCHD.EXE /CHECK
O4 - HKLM\..\Run: [On-Line Protection] C:\PROGRA~1\QUICKH~1\QUICKH~1\cateye.exe
O4 - HKLM\..\Run: [Messenger] C:\PROGRA~1\QUICKH~1\QUICKH~1\SCANMSG.EXE
O4 - HKLM\..\Run: [ResumeQuickupDownload] C:\PROGRA~1\QUICKH~1\QUICKH~1\acappaa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: En&queue current page with BID - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidqueue.htm
O8 - Extra context menu item: Enqueue link tar&get with BID - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
O8 - Extra context menu item: Open &link target with BID - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlink.htm
O8 - Extra context menu item: Open current page with BI&D - file://C:\Program Files\Bulk Image Downloader\iemenu\iebid.htm
O8 - Extra context menu item: Open current page with BID Link Explorer - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlinkexplorer.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - *platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll C:\PROGRA~1\Google\GOBCA7~1\GO36F4~1.DLL
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: FsUsbExService - Teruten - C:\Windows\system32\FsUsbExService.Exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Online Protection System - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\QUICKH~1\QUICKH~1\opssvc.exe
O23 - Service: Quick Heal Total Security Mail Protection - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE
O23 - Service: Quick Update Service - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\QUICKH~1\QUICKH~1\quhlpsvc.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Quick Heal Total Security Startup Handler (Startup Handler) - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\QUICKH~1\QUICKH~1\strtsvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 10489 bytes
```
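As an added example (not from this thread, not part of HijackThis itself), a small Python triage helper for the HijackThis v2.0.2 log format posted above: it parses the numbered entries and pulls out the ones a reviewer usually checks first (O4 Run entries that launch a bare file name, O17 NameServer addresses, O20 AppInit_DLLs, and O23 services with "Unknown owner"). The embedded sample log is constructed from a few shortened lines modelled on the logs in this thread; every hit is a prompt to verify, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 log format: shortened lines modelled
# on the logs posted in this thread, not a real machine's full log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC65DA70-133E-4506-A36D-1BA3AD9F4FAE}: NameServer = 8.8.8.8
O20 - AppInit_DLLs: avgrsstx.dll C:\PROGRA~1\Google\GOBCA7~1\GO36F4~1.DLL
O23 - Service: UDisk Monitor - Unknown owner - C:\Program Files\ZTE Wireless Terminal\bin\MonServiceUDisk.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
End of file - 10489 bytes
"""

# Every entry line starts with a section tag (R0, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Entry:
    section: str   # e.g. "O4"
    body: str      # text after "O4 - "
    line_no: int   # 1-based line in the log, for cross-reference


def parse_hjt_log(text):
    """Return the numbered entries; header and 'Running processes' lines are skipped."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group("sec"), m.group("body").strip(), n))
    return entries


def review_points(entries):
    """Heuristic triage: (section, note) pairs to verify first; a hit means check, not malware."""
    out = []
    for e in entries:
        if e.section == "O4":
            m = O4_RE.match(e.body)
            # A bare file name is resolved by PATH search, so confirm which file actually runs.
            if m and "\\" not in m.group("cmd") and not m.group("cmd").startswith("%"):
                out.append((e.section, f"Run entry [{m.group('name')}] starts "
                            f"{m.group('cmd')} by bare name; locate that file"))
        elif e.section == "O17" and "NameServer = " in e.body:
            servers = e.body.split("NameServer = ", 1)[1].split()
            out.append((e.section, "DNS servers " + ", ".join(servers)
                        + "; confirm they are your ISP/router resolvers"))
        elif e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            # AppInit DLLs are loaded into most user-mode processes; each needs a known publisher.
            for dll in e.body[len("AppInit_DLLs:"):].split():
                out.append((e.section, f"AppInit DLL {dll}; identify its publisher"))
        elif e.section == "O23":
            m = O23_RE.match(e.body)
            if m and m.group("owner") == "Unknown owner":
                out.append((e.section, f"Service '{m.group('name')}' has no owner "
                            f"info: {m.group('path')}"))
    return out


if __name__ == "__main__":
    for sec, note in review_points(parse_hjt_log(SAMPLE_LOG)):
        print(sec, note)
```

To use it on a real log, replace SAMPLE_LOG with the file contents (open the .log with encoding="utf-8", errors="replace") and compare each flagged item against a known-good machine or the vendor's own file list.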


----------



## swatkat (Jun 22, 2010)

@Huzefa,
It seems like a Vundo infection. We need to use a few specialized tools to remove it. Download and run ComboFix from here:
A guide and tutorial on using ComboFix
(Please go through the information given at the above website, before running ComboFix)

Once the ComboFix completes scanning, it produces a log file. Post back the contents of that log file.


----------



## coderunknown (Jun 22, 2010)

buddy, also do a full update & scan with a-squared Free. Chances are any hidden virus will be revealed. If not, go as swatkat suggested: do a scan with ComboFix. But do remember, if a-squared removes the infection, don't use ComboFix. It is a very strong piece of software & may result in further damage to your Windows installation if not handled carefully.


----------



## Huzefa (Jun 22, 2010)

Is there some other utility than ComboFix? I am kind of reluctant to use this tool... the last time I used it, I had to format my old PC n reinstall everything... something had gone wrong then, and it was caused by ComboFix...
Vundo... but I don't get any pop-ups, nor are my system resources affected...


----------



## swatkat (Jun 22, 2010)

Hmmm... Can you try VundoFix?
VundoFix by Atribune


----------



## Opiecool2008 (Jun 23, 2010)

I experienced this problem myself.
Then I got the solution for me.
I replaced my AVG with Kaspersky: uninstalled AVG, installed Kaspersky Internet Security 2010 (even if it's only a trial).
Then I did a full scan. It detected a LOT of Trojan guys on my hard disk.
And not only that, Kaspersky did me a big favour by removing all of the Trojans.

Actually I got the other thing too. There was some kind of virus that started to appear in my memory. It was TDSS or something which CAN'T be removed by Kaspersky. I did some googling and found out that I'm not the only one.
Then I got this hint to download TDSSKiller. You can find it everywhere.

Hope this would help


----------



## rajurajus (Jun 23, 2010)

@ Huzefa
Throw off AVG. Install the Kaspersky trial. Then follow the steps in the link given below. That helped me to remove the Trojan and now I am able to see my Chrome browser back.

How to remove malware belonging to the family Rootkit.Win32.TDSS

@swatkat
Thanks for your suggestions.

@ Gauravs90
Thanks for letting me know the actual status of AVG - The Poor crap.

@Opiecool2008
You are 100% right. And I tried the same before seeing your post.


----------



## abhijangda (Jun 23, 2010)

hey frnd, there's one more solution. Install any Linux on ur partition and install Avast on that Linux. Do a full scan from there; it should detect and remove those viruses/trojans. Or just take ur HDD to ur frnd's house. Do a complete scan of your HDD using his HDD (it will be good if he is using Linux). It may detect the virus. Other antivirus may not be detecting the virus because they are active in memory. Also, after scanning through a good AV, scan ur computer through Spybot S&D antispyware. Also u should update ur scanner before scanning. I hope this will do the job. Good luck.


----------



## Huzefa (Jun 28, 2010)

thnkx for ur replies guys...
the system now doesn't seem to have any viruses present...
Though I don't know what I did and how it got removed.
Malwarebytes Anti-Malware found a dll in the windows\system32 folder called 'yycvhzt.dll' and removed it after informing me to restart the PC; I had to do it twice to make sure it's gone...
Next I used Ad-Aware to scan; it too found some malware n removed it...

Now AVG doesn't give the resident shield warning, but I still have the Windows tmp folder creation problem...
every 2 minutes one tmp folder gets created in the windows\temp folder
by the end of the day I have nearly a thousand such folders... Don't understand why this is happening, it can't be a normal function of Windows...

*img820.imageshack.us/img820/5315/tempfolder.jpg

By now there are no trojans/viruses in this system; I have scanned it lots of times and found nothing now...
What to do about the folders, that's the main Q now...
Thnkx again everyone...


----------



## Huzefa (Jul 3, 2010)

Huzefa said:

> thnkx for ur replies guys...
> the system now doesn't seem to have any viruses present...
> Though I don't know what I did and how it got removed.
> Malwarebytes Anti-Malware found a dll in the windows\system32 folder called 'yycvhzt.dll' and removed it after informing me to restart the PC; I had to do it twice to make sure it's gone...
> ...

any ideas guys ???


----------

