JS
Guest
Posts: n/a

Virus Removal Info
Provided by: Malke - MS MVP: http://www.elephantboycomputers.com/...moving_Malware

--
JS
http://www.pagestart.com

"Navyguy" <(E-Mail Removed)> wrote in message
news:83cd4afd-cdc9-4975-b5c3-(E-Mail Removed)...
> I have a Dell Dimension 8200 with XP SP3, with DSL connection. I have
> Windows Firewall, AVG, Spyware Blaster and Hive Cleanup. Recently it
> became infected with a Trojan Horse virus:
>
> Trojan horse Downloader.Generic8.TVN
>
> It was under Local Settings\Temp Internet Files
> Content.IE5\PWT3Az83\getfile-081220-aps(1).gif
>
> I was able to delete it successfully but as I understand, it still
> resides in my computer on another program. In addition to this, with
> the aid of remote assistance I was told that my MFT was corrupted. My
> question is this, is there some way of tracking down the host program
> with the virus and deleting it? Also is there a way that I can tell
> for myself if my MFT is actually corrupted? If not, what are your
> recommendations?
>
> Thanks,
>
> Robert

Patrick Keenan
Guest
Posts: n/a

"Navyguy" <(E-Mail Removed)> wrote in message
news:83cd4afd-cdc9-4975-b5c3-(E-Mail Removed)...
> I have a Dell Dimension 8200 with XP SP3, with DSL connection. I have
> Windows Firewall, AVG, Spyware Blaster and Hive Cleanup. Recently it
> became infected with a Trojan Horse virus:
>
> Trojan horse Downloader.Generic8.TVN
>
> It was under Local Settings\Temp Internet Files
> Content.IE5\PWT3Az83\getfile-081220-aps(1).gif
>
> I was able to delete it successfully but as I understand, it still
> resides in my computer on another program. In addition to this, with
> the aid of remote assistance

Remote assistance from whom?

> I was told that my MFT was corrupted.

And this is credible because....? What symptoms lead you to believe this?

> My
> question is this, is there some way of tracking down the host program
> with the virus and deleting it?

Possibly, but it's not necessarily helpful. You visited a site that
infected your system, it got in via the TIF folders. There may be another
launcher with a generated filename somewhere on your system, or not.

> Also is there a way that I can tell for myself if my MFT is actually
> corrupted?

Generally, your system will have significant problems booting.

> If not, what are your
> recommendations?

Yes, back up your data before playing with the MFT.

> Thanks,
>
> Robert

First, back up your data.

Then, download and run ccleaner to clear the temporary internet file
folders, and the temp folders. Empty the recycle bin, run a virus scan, if
necessary with the drive attached to another system.

HTH
-pk
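
Added example (not part of the thread or any poster's tool): one way to look for the "launcher with a generated filename" mentioned above is to flag files in the browser cache and temp folders whose leading bytes do not match their extension. The sample folder and file names are constructed, and the idea that a flagged .gif is really an executable is an assumption, not something the thread states.

```python
"""Flag cached/temp files whose content does not match their extension."""
import os
import struct

# Leading-byte signatures for image types a browser cache normally holds.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Extensions under which a Windows executable is at least honestly named.
EXEC_EXT = {".exe", ".dll", ".scr", ".sys", ".ocx", ".cpl", ".com"}


def is_pe(head):
    """True if the bytes start a Windows PE file: an 'MZ' stub whose
    e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def verdict(name, head):
    """Return a finding string for one file, or None if nothing stands out."""
    if not head:
        return None  # empty cache entries are common and harmless
    ext = os.path.splitext(name)[1].lower()
    if is_pe(head):
        if ext in EXEC_EXT:
            return "executable in cache"
        return "executable under non-executable name"
    if ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
        return "not a valid " + ext + " image"
    return None


def scan_tree(root):
    """Walk root and return sorted (relative path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                # Locked or protected files cannot be judged either way.
                findings.append((rel, "unreadable"))
                continue
            result = verdict(name, head)
            if result:
                findings.append((rel, result))
    return sorted(findings)


def make_sample_cache(root):
    """Write a small constructed tree: headers only, no real malware."""
    pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
    samples = {
        os.path.join("Content.IE5", "AB12CD34", "logo.gif"): b"GIF89a" + b"\x00" * 20,
        os.path.join("Content.IE5", "AB12CD34", "banner(1).gif"): pe,
        os.path.join("Content.IE5", "EF56GH78", "photo.jpg"): b"<html><script>",
        os.path.join("Temp", "a3f9.tmp"): pe,
        os.path.join("Temp", "setup.exe"): pe,
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    import sys
    import tempfile

    if len(sys.argv) > 1:
        # Scan a real folder, e.g. a copy of the profile's Local Settings.
        for rel, why in scan_tree(sys.argv[1]):
            print(why + ": " + rel)
    else:
        with tempfile.TemporaryDirectory() as tmp:
            make_sample_cache(tmp)
            for rel, why in scan_tree(tmp):
                print(why + ": " + rel)
```

A hit only says where to point a scanner next; run it against a copy of the folder or with the drive attached to another system, since files in use on the live system may be unreadable.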

Mick Murphy
Guest
Posts: n/a

Install and scan with the 2 Programs below.
All info if a prob installing because of that Trojan:

http://www.spybot.info/en/index.html
Spybot Search & Destroy 1.6 is a very good, FREE Anti-Spyware Program.
Download, install, update, and immunize your System with it. Then SCAN with it.
Update it, and scan your System once a fortnight.

http://www.malwarebytes.org/mbam.php
Malwarebytes is as the name says, a Malware Remover!
For the Free version scroll down their page to either download from Download.com, or Major Geeks.com
Download, install, and update.

Important re: Safe Mode
If you happen to find a problem that you can’t uninstall / delete, reboot the computer, and go into Safe Mode.
To get into Safe mode, tap F8 right at Power On / Startup, and use UP arrow key to get to Safe Mode from list of options, then hit ENTER.
RESCAN your computer with your Anti-Virus, Malwarebytes and Spybot S & D while in Safe Mode.

If unable to install above Programs in Normal Mode:
Sometimes Trojans, Viruses, Malware, etc stop you installing and/or updating Programs to remove them.
If that happens, reboot into Safe Mode with Networking (from F8 list of Startup Options), and install, update and scan from there.

--
Mad Mike

"Navyguy" wrote:
> I have a Dell Dimension 8200 with XP SP3, with DSL connection. I have
> Windows Firewall, AVG, Spyware Blaster and Hive Cleanup. Recently it
> became infected with a Trojan Horse virus:
>
> Trojan horse Downloader.Generic8.TVN
>
> It was under Local Settings\Temp Internet Files
> Content.IE5\PWT3Az83\getfile-081220-aps(1).gif
>
> I was able to delete it successfully but as I understand, it still
> resides in my computer on another program. In addition to this, with
> the aid of remote assistance I was told that my MFT was corrupted. My
> question is this, is there some way of tracking down the host program
> with the virus and deleting it? Also is there a way that I can tell
> for myself if my MFT is actually corrupted? If not, what are your
> recommendations?
>
> Thanks,
>
> Robert

PA Bear [MS MVP]
Guest
Posts: n/a

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/ma...e/default.mspx

2. Run this online scan (in safe mode w/networking, if need be):
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested logs in an appropriate forum.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/...moving_Malware

**Seek expert assistance in http://spywarehammer.com/simplemachi...php?board=10.0, http://forums.spybot.info/forumdisplay.php?f=22, http://aumha.net/viewforum.php?f=30, or other appropriate forums.**

If the procedures look too complex - and there is no shame in admitting this isn't your cup of tea - take the machine to a local, reputable and independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

Navyguy wrote:
> I have a Dell Dimension 8200 with XP SP3, with DSL connection. I have
> Windows Firewall, AVG, Spyware Blaster and Hive Cleanup. Recently it
> became infected with a Trojan Horse virus:
>
> Trojan horse Downloader.Generic8.TVN
>
> It was under Local Settings\Temp Internet Files
> Content.IE5\PWT3Az83\getfile-081220-aps(1).gif
>
> I was able to delete it successfully but as I understand, it still
> resides in my computer on another program. In addition to this, with
> the aid of remote assistance I was told that my MFT was corrupted. My
> question is this, is there some way of tracking down the host program
> with the virus and deleting it? Also is there a way that I can tell
> for myself if my MFT is actually corrupted? If not, what are your
> recommendations?
>
> Thanks,
>
> Robert

Navyguy
Guest
Posts: n/a

It does seem like a mouthful but I think I can handle it in the steps
as you outlined, and everyone has offered similar but separate advice
which I do appreciate, but let me ask this if I may, would
reinstalling the OS correct this or perhaps using the Recovery disk
install with repair option? I want to thank everyone for being so
helpful with their suggestions, I appreciate it.

Thanks

Robert

On Feb 14, 10:46 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
> 1. See if you can download/run the MSRT manually:
> http://www.microsoft.com/security/ma...e/default.mspx
>
> 2. Run this online scan (in safe mode w/networking, if need be):
> http://onecare.live.com/site/en-us/center/howsafe.htm
>
> 3. Run a /thorough/ check for hijackware, including posting the requested
> logs in an appropriate forum.
>
> Checking for/Help with Hijackware
> http://aumha.net/viewtopic.php?f=30&t=4075
> http://mvps.org/winhelp2002/unwanted.htm
> http://inetexplorer.mvps.org/data/prevention.htm
> http://inetexplorer.mvps.org/tshoot....moving_Malware
>
> **Seek expert assistance in http://spywarehammer.com/simplemachinesforum/index.php?board=10.0, http://forums.spybot.info/forumdispl...forum.php?f=30, or other appropriate forums.**
>
> If the procedures look too complex - and there is no shame in admitting this
> isn't your cup of tea - take the machine to a local, reputable and
> independent (i.e., not BigBoxStoreUSA) computer repair shop.
> --
> ~Robear Dyer (PA Bear)
> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> AumHa VSOP & Admin http://aumha.net
> DTS-L http://dts-l.net/
>
> Navyguy wrote:
> > I have a Dell Dimension 8200 with XP SP3, with DSL connection. I have
> > Windows Firewall, AVG, Spyware Blaster and Hive Cleanup. Recently it
> > became infected with a Trojan Horse virus:
> >
> > Trojan horse Downloader.Generic8.TVN
> >
> > It was under Local Settings\Temp Internet Files
> > Content.IE5\PWT3Az83\getfile-081220-aps(1).gif
> >
> > I was able to delete it successfully but as I understand, it still
> > resides in my computer on another program. In addition to this, with
> > the aid of remote assistance I was told that my MFT was corrupted. My
> > question is this, is there some way of tracking down the host program
> > with the virus and deleting it? Also is there a way that I can tell
> > for myself if my MFT is actually corrupted? If not, what are your
> > recommendations?
> >
> > Thanks,
> >
> > Robert

Mick Murphy
Guest
Posts: n/a

If you did a clean install, deleting existing XP partition, formatting,
reinstalling XP, YES, the infection will be gone.

If you do a repair installation, NO; as your docs, etc, are not touched/deleted (supposedly!), and it can be hiding anywhere.

Also, if you have Recovery, as you say, disks, that is not the same as Microsoft XP CD.
You normally don't get a repair install option in Recovery Disks from the computer Manufacturer.

--
Mad Mike

"Navyguy" wrote:
> It does seem like a mouthful but I think I can handle it in the steps
> as you outlined, and everyone has offered similar but separate advice
> which I do appreciate, but let me ask this if I may, would
> reinstalling the OS correct this or perhaps using the Recovery disk
> install with repair option? I want to thank everyone for being so
> helpful with their suggestions, I appreciate it.
>
> Thanks
>
> Robert
>
> On Feb 14, 10:46 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
> > 1. See if you can download/run the MSRT manually:
> > http://www.microsoft.com/security/ma...e/default.mspx
> >
> > 2. Run this online scan (in safe mode w/networking, if need be):
> > http://onecare.live.com/site/en-us/center/howsafe.htm
> >
> > 3. Run a /thorough/ check for hijackware, including posting the requested
> > logs in an appropriate forum.
> >
> > Checking for/Help with Hijackware
> > http://aumha.net/viewtopic.php?f=30&t=4075
> > http://mvps.org/winhelp2002/unwanted.htm
> > http://inetexplorer.mvps.org/data/prevention.htm
> > http://inetexplorer.mvps.org/tshoot....moving_Malware
> >
> > **Seek expert assistance in http://spywarehammer.com/simplemachinesforum/index.php?board=10.0, http://forums.spybot.info/forumdispl...forum.php?f=30, or other appropriate forums.**
> >
> > If the procedures look too complex - and there is no shame in admitting this
> > isn't your cup of tea - take the machine to a local, reputable and
> > independent (i.e., not BigBoxStoreUSA) computer repair shop.
> > --
> > ~Robear Dyer (PA Bear)
> > MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> > AumHa VSOP & Admin http://aumha.net
> > DTS-L http://dts-l.net/
> >
> > Navyguy wrote:
> > > I have a Dell Dimension 8200 with XP SP3, with DSL connection. I have
> > > Windows Firewall, AVG, Spyware Blaster and Hive Cleanup. Recently it
> > > became infected with a Trojan Horse virus:
> > >
> > > Trojan horse Downloader.Generic8.TVN
> > >
> > > It was under Local Settings\Temp Internet Files
> > > Content.IE5\PWT3Az83\getfile-081220-aps(1).gif
> > >
> > > I was able to delete it successfully but as I understand, it still
> > > resides in my computer on another program. In addition to this, with
> > > the aid of remote assistance I was told that my MFT was corrupted. My
> > > question is this, is there some way of tracking down the host program
> > > with the virus and deleting it? Also is there a way that I can tell
> > > for myself if my MFT is actually corrupted? If not, what are your
> > > recommendations?
> > >
> > > Thanks,
> > >
> > > Robert

Kayman
Guest
Posts: n/a

On Sat, 14 Feb 2009 23:31:43 -0800 (PST), Navyguy wrote:

> It does seem like a mouthful but I think I can handle it in the steps
> as you outlined, and everyone has offered similar but separate advice
> which I do appreciate, but let me ask this if I may, would
> reinstalling the OS correct this or perhaps using the Recovery disk
> install with repair option? I want to thank everyone for being so
> helpful with their suggestions, I appreciate it.

*Preferred practice* is to 'flatten' and rebuild a computer that has been exposed to malware.
http://www.microsoft.com/technet/com...mt/sm0504.mspx

It is definitely advantageous to create an 'image' of the operating system and create a data/file backup of the affected PC. The image can then be restored to the impacted PC and the user's data/file is subsequently restored to the operating system.
An experienced and properly prepared user can do that in substantially less time than scanning with complex and sophisticated AV applications.

How Do I Install Windows XP
Preparation is the key for successful installation.

1. How to Slipstream Windows XP Service Pack 3 to Create an Integrated XP Setup Disk with SP 3
http://www.howtohaven.com/system/sli...e-pack-3.shtml
--or (maybe more user friendly)--
Create a Slip Stream version of Windows XP
http://www.webtree.ca/windowsxp/slipstream.htm
--and--
WinUpdatesList v1.23
http://www.nirsoft.net/utils/wul.html
--also--
Change the Boot Order in BIOS (good illustration)
http://pcsupport.about.com/od/fixthe...rderchange.htm

2. Clean Install Windows XP
http://www.elephantboycomputers.com/...alling_Windows - What you will need on-hand
--and--
http://www.michaelstevenstech.com/cleanxpinstall.html
--or even better because it's illustrated and more reader friendly--
How Do I Install WindowsXP
http://xphelpandsupport.mvps.org/how...windows_xp.htm

Alas, since many users are less prepared and/or lacking the experience; Scanning with an AV apps. is the only option, unless the user consults a computer technician.

1. Clear the (IE) temporary Internet files and the history cache.
Click 'Start' and then click 'Run'... then type (or copy/paste) "inetcpl.cpl" (w/out quotation marks) into the box, then click the 'OK' button.
In Internet Properties panel 'General' tab, under 'Browsing history', click 'Delete...' button, in 'Delete Browsing History' panel, click the 'Delete all...' button then place a checkmark into the box beside 'Also delete files and settings stored by add-ons', Click 'Yes' and exit the Internet Properties panel by clicking the 'OK' button.

2. Clean HDD
Click 'Start' and then click 'Run...' then type (or copy/paste) "cleanmgr" (w/out quotation marks) into the box, then click the 'OK' button. Select your drive (presumably WinXP (C:)) and click OK.

3. Download/execute:
Malwarebytes© Corporation - Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
--and--
SuperAntispyware - Free
http://www.superantispyware.com/down...NTISPYWAREFREE
*--and/optional--*
Kaspersky® Virus Removal Tool
http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
http://www.kaspersky.com/support/vir...vptool?level=2
--and/optional--
Dr.Web CureIt!® Utility - FREE
http://www.freedrweb.com/cureit/
--and/optional--
a-squared (a²) Free or a-squared (a²) Command Line Scanner
http://www.emsisoft.com/en/software/download/
--and/optional--
BitDefender10 Free Edition (*NOT FOR VISTA*)
http://www.bitdefender.com/site/Down...nVersion/1/42/
--and/optional--
Sophos Anti-Virus (SAV32CLI), is a 32 bit free command line scanner used in an emergency as a disinfection utility for Windows NT, Windows 2000, Windows XP and Windows 2003.
To use the Sophos command line software follow the steps below:
a) Download SAV32CLI
http://downloads.sophos.com/tools/sav32sfx.exe
--and-- extract the contents by double clicking the file.
b) Add the latest IDE (virus definition) files to the folder. These can be downloaded here
http://www.sophos.com/downloads/ide/
c) Read Scanning Options with SAV32CLI.
http://www.sophos.com/support/knowle...cle/13252.html
See removing malicious files with SAV32CLI for basic information on virus, spyware, Trojan and worm removal with SAV32CLI.
http://www.sophos.com/support/knowle...cle/13251.html

NOTE:
The above mentioned applications are not capable for real-time protection of your computer; They are on-demand scanners.
Kaspersky® Virus Removal Tool, Dr.Web CureIt!® have no update feature (so they don't turn into full blown scanners). As soon as your computer is cleaned you are supposed to remove these tools from your operating system and revert back to your (updated) resident (real-time) AV application.
Re: Kaspersky® Virus Removal Tool; To uninstall/move this program 'enable self-defense' must be unchecked!
To scan your computer with the most up-to-date Kaspersky® AVPTool and Dr.Web CureIT!® virus databases next time you should download new Kaspersky® AVPTool and Dr.Web CureIt!® packages.

BitDefender10 Free Edition, a-squared Free or a-squared Command Line Scanner, Sophos Anti-Virus (SAV32CLI) and the free version of Malwarebytes© and SuperAntispyware have an update feature; You may wish to keep a couple of them installed in addition to your resident AV/A-S applications and scan frequently.

Both free versions of MBAM and SAS are on-demand scanners and offer no 'real-time' protection. Keep them installed and use them as 'second-opinion' scanner which is purposely (by design) recommended by their respective authors.

After the software is updated, it is suggested scanning the system in Safe Mode (this does not apply to MBAM).
"Malwarebytes actually performs better in Normal Mode" says Dustin Cook, Malwarebytes Researcher of MBAM.

How do you boot to Safe Mode? By pressing/tabbing F8 (or F5 on some keyboards) during re-boot.
A description of the Safe Mode Boot options in Windows XP
http://support.microsoft.com/default.aspx?scid=315222
Start your computer in safe mode (Vista)
http://windowshelp.microsoft.com/Win...904a11033.mspx
http://www.bleepingcomputer.com/tuto...utorial61.html
Alternatively:
Click Start==>Run... then type (or copy/paste) "msconfig" (without quotation marks), click OK. Then click onto BOOT.INI tab and 'check' /SAFEBOOT then OK and click Restart.
To go back to Normal Mode, you must access the System Configuration utility again and click the General tab then click/check the radio button 'Normal Startup'- load all device drivers and services'.

4. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en...ols/hijackthis
Please, do not post HJT logs to this newsgroup.
Fora where you can get expert advice for HiJack This! (HJT) logs.
http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/i...hp?showforum=7
http://www.5starsupport.com/ipboard/...p?showforum=18
http://www.theeldergeek.com/forum/in...6&showforum=29
NOTE: Registration is required in any of the above mentioned fora before posting a HJT log and read the 'stickies' (instructions/guidelines) for the respective HJT forum.

5. Routinely practice Safe-Hex.
http://www.claymania.com/safe-hex.html

Additional references:

How to optimize or reset Internet Explorer 7
http://support.microsoft.com/kb/936213
Applies to: Windows Internet Explorer 7 in Windows Vista

How to use Reset Internet Explorer Settings (RIES)
http://support.microsoft.com/kb/923737
Read: "What you must know"
Applies to: Windows Internet Explorer 7 for Windows XP and Windows Internet Explorer 7 in Windows Vista

GMER - is an application that detects and removes rootkits.
http://www.gmer.net/index.php
For additional assistance in relation GMER scan results consult either
http://antirootkit.com/forums/index....81ffe4361c3a17
--or--
http://www.thespykiller.co.uk/index.php?board=3.0

CCleaner - Free
Cleans temporary internet files, cookies, history, recent urls, application MRUs, etc. ...(*Tune out the registry scanning/fixing option!*)
http://www.ccleaner.com/download/bui...wnloading-slim
If Windows Defender is utilized go to Applications, under Utilities uncheck "Windows Defender" (so it won't delete the history of WD).
If you wish, click 'Options' button the 'Settings' [check] 'Run CCleaner when the computer starts'.
--or--
Setup CCleaner to Automatically Run Each Night in Vista or XP
http://www.howtogeek.com/howto/windo...n-vista-or-xp/

Good luck

PA Bear [MS MVP]
Guest
Posts: n/a

> ...would
> reinstalling the OS correct this or perhaps using the Recovery disk
> install with repair option?

A format & reinstall would take care of it, yes, but a Repair Install would not.

Some notes:

=> Reinstalling will leave you with the equivalent of a "new computer" so you'll need to take care of everything here again:

5 steps to help protect your new computer before you go online
http://www.microsoft.com/protect/com...nced/xppc.mspx

=> If a Norton or McAfee free-trial came with the machine when you bought it, the free-trial will be reinstalled, too, but it will NOT be valid! Before installing a replacement anti-virus app (see below), you'll need to uninstall the free-trial via Add/Remove Programs AND THEN run the appropriate removal tool:

Norton Removal Tool
http://service1.symantec.com/SUPPORT...05033108162039

McAfee Consumer Products Removal Tool three-step fix
[Do Steps #1 & #2 only]
http://service.mcafee.com/FAQDocument.aspx?id=TS100507

=> You've had AVG Free installed yet you ended up with an infection. I would not recommend relying on it after you reinstall Windows. I can recommend NOD32 or Kaspersky (not the suites); If cost is a factor, I'd recommend Avira AntiVir (free).

Good luck!

Protect Your PC!
http://www.microsoft.com/athome/secu...r/default.mspx

Steps To Help Prevent Spyware
http://www.microsoft.com/protect/com...e/prevent.mspx

Steps to Help Prevent Computer Worms
http://www.microsoft.com/protect/com...s/prevent.mspx
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

Navyguy wrote:
> It does seem like a mouthful but I think I can handle it in the steps
> as you outlined, and everyone has offered similar but separate advice
> which I do appreciate, but let me ask this if I may, would
> reinstalling the OS correct this or perhaps using the Recovery disk
> install with repair option? I want to thank everyone for being so
> helpful with their suggestions, I appreciate it.
>
>> 1. See if you can download/run the MSRT manually:
>> http://www.microsoft.com/security/ma...e/default.mspx
>>
>> 2. Run this online scan (in safe mode w/networking, if need be):
>> http://onecare.live.com/site/en-us/center/howsafe.htm
>>
>> 3. Run a /thorough/ check for hijackware, including posting the requested
>> logs in an appropriate forum.
>>
>> Checking for/Help with Hijackware
>> http://aumha.net/viewtopic.php?f=30&t=4075
>> http://mvps.org/winhelp2002/unwanted.htm
>> http://inetexplorer.mvps.org/data/prevention.htm
>> http://inetexplorer.mvps.org/tshoot....moving_Malware
>>
>> **Seek expert assistance in http://spywarehammer.com/simplemachinesforum/index.php?board=10.0, http://forums.spybot.info/forumdispl...forum.php?f=30,
>> or other appropriate forums.**
>>
>> If the procedures look too complex - and there is no shame in admitting
>> this isn't your cup of tea - take the machine to a local, reputable and
>> independent (i.e., not BigBoxStoreUSA) computer repair shop.
>> --
>> Navyguy wrote:
>>> I have a Dell Dimension 8200 with XP SP3, with DSL connection. I have
>>> Windows Firewall, AVG, Spyware Blaster and Hive Cleanup. Recently it
>>> became infected with a Trojan Horse virus:
>>>
>>> Trojan horse Downloader.Generic8.TVN
>>>
>>> It was under Local Settings\Temp Internet Files
>>> Content.IE5\PWT3Az83\getfile-081220-aps(1).gif
>>>
>>> I was able to delete it successfully but as I understand, it still
>>> resides in my computer on another program. In addition to this, with
>>> the aid of remote assistance I was told that my MFT was corrupted. My
>>> question is this, is there some way of tracking down the host program
>>> with the virus and deleting it? Also is there a way that I can tell
>>> for myself if my MFT is actually corrupted? If not, what are your
>>> recommendations?
>>>
>>> Thanks,
>>>
>>> Robert

Navyguy
Guest
Posts: n/a

On Feb 15, 8:22 am, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
> > ...would
> > reinstalling the OS correct this or perhaps using the Recovery disk
> > install with repair option?
>
> A format & reinstall would take care of it, yes, but a Repair Install would
> not.
>
> Some notes:
>
> => Reinstalling will leave you with the equivalent of a "new computer" so
> you'll need to take care of everything here again:
>
> 5 steps to help protect your new computer before you go online
> http://www.microsoft.com/protect/computer/advanced/xppc.mspx
>
> => If a Norton or McAfee free-trial came with the machine when you bought
> it, the free-trial will be reinstalled, too, but it will NOT be valid!
> Before installing a replacement anti-virus app (see below), you'll need to
> uninstall the free-trial via Add/Remove Programs AND THEN run the
> appropriate removal tool:
>
> Norton Removal Tool
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/200503310816...
>
> McAfee Consumer Products Removal Tool three-step fix
> [Do Steps #1 & #2 only]
> http://service.mcafee.com/FAQDocument.aspx?id=TS100507
>
> => You've had AVG Free installed yet you ended up with an infection. I
> would not recommend relying on it after you reinstall Windows. I can
> recommend NOD32 or Kaspersky (not the suites); If cost is a factor, I'd
> recommend Avira AntiVir (free).
>
> Good luck!
>
> Protect Your PC!
> http://www.microsoft.com/athome/secu.../default..mspx
>
> Steps To Help Prevent Spyware
> http://www.microsoft.com/protect/computer/spyware/prevent.mspx
>
> Steps to Help Prevent Computer Worms
> http://www.microsoft.com/protect/computer/viruses/worms/prevent.mspx
> --
> ~Robear Dyer (PA Bear)
> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> AumHa VSOP & Admin http://aumha.net
> DTS-L http://dts-l.net/
>
> Navyguy wrote:
> > It does seem like a mouthful but I think I can handle it in the steps
> > as you outlined, and everyone has offered similar but separate advice
> > which I do appreciate, but let me ask this if I may, would
> > reinstalling the OS correct this or perhaps using the Recovery disk
> > install with repair option? I want to thank everyone for being so
> > helpful with their suggestions, I appreciate it.
> >
> >> 1. See if you can download/run the MSRT manually:
> >> http://www.microsoft.com/security/ma...e/default.mspx
> >>
> >> 2. Run this online scan (in safe mode w/networking, if need be):
> >> http://onecare.live.com/site/en-us/center/howsafe.htm
> >>
> >> 3. Run a /thorough/ check for hijackware, including posting the requested
> >> logs in an appropriate forum.
> >>
> >> Checking for/Help with Hijackware
> >> http://aumha.net/viewtopic.php?f=30&t=4075
> >> http://mvps.org/winhelp2002...
> >> http://inetexplorer.mvps.org/tshoot.....org/sramesh2k....
> >>
> >> **Seek expert assistance in http://spywarehammer.com/simplemachinesforum/index.php?board=10.0, htt...,
> >> or other appropriate forums.**
> >>
> >> If the procedures look too complex - and there is no shame in admitting
> >> this isn't your cup of tea - take the machine to a local, reputable and
> >> independent (i.e., not BigBoxStoreUSA) computer repair shop.
> >> --
> >> Navyguy wrote:
> >>> I have a Dell Dimension 8200 with XP SP3, with DSL connection. I have
> >>> Windows Firewall, AVG, Spyware Blaster and Hive Cleanup. Recently it
> >>> became infected with a Trojan Horse virus:
> >>>
> >>> Trojan horse Downloader.Generic8.TVN
> >>>
> >>> It was under Local Settings\Temp Internet Files
> >>> Content.IE5\PWT3Az83\getfile-081220-aps(1).gif
> >>>
> >>> I was able to delete it successfully but as I understand, it still
> >>> resides in my computer on another program. In addition to this, with
> >>> the aid of remote assistance I was told that my MFT was corrupted. My
> >>> question is this, is there some way of tracking down the host program
> >>> with the virus and deleting it? Also is there a way that I can tell
> >>> for myself if my MFT is actually corrupted? If not, what are your
> >>> recommendations?
> >>>
> >>> Thanks,
> >>>
> >>> Robert

Whew, so much information! I hardly know where to begin! Well let me try to encapsulate in brief; This all started when my MSN Msgr stopped logging in automatically about a month ago. I had posted the problem on other groups in hopes of resolving the problem but the only suggestions were that I uninstall and reinstall which is what I did. I was then infected with the Trojan virus and deleted it, and at this point I accepted help via remote assistance and it was then that it was discovered that my MFT was corrupted he said. He made many changes to my system and at one point I couldn't access the user accounts or system restore. After further changes it required a system restart but it did not come back up. I had to use another computer which I have at my disposal to help bring my computer back up. With the Recovery disk inserted and with the bios changed previously to select the cd/dvd drive but before I could select install or repair the computer came back on its own, why or how I don't know.

However the boot sequence has changed so that this is what happens now:
Startup>Dell Splash>Windows Splash>Defragging>Logon Message> then I get (2) boxes, the first is highlighted and says: Unable to log you on because of an account restriction, behind that is a logon box grayed out with username-Administrator and underneath password. Once I click the OK in the first highlighted box however it says Windows starting up, To begin, check on your username> I do this and it takes me Windows>Desktop.
MsnMsgr still does not sign in automatically however once clicked everything works as before.

I downloaded and ran a MSRT full system scan and it found nothing.
I have uninstalled AVG and installed Avira in its place (I understand there's a risk of uninstalling and reinstalling too much and I may have done so with AVG). I've updated it and run a full system scan which found (8) Detections and (3) warnings, however after the scan I could only see the following (5) in the quarantine which it apparently put there automatically:

TR/Crypt.XPACK.Gen
C:\System Volume Information\_restore{3141675-6CBE-4639 etc and ends with .exe
C:\Program Files\My Document Programs\setup.exe
Contains recognition pat.
C:\Documents and Settings\my name\Local Settings\Application Data\Microsoft\Wind...\500055A6-0000009B.eml
C:\Documents and Settings\my name\Local Settings\Application Data\Microsoft\Wind...\0A2633B2-0000008C.eml
C:\Documents and Settings\my name\Local Settings\Application Data\Microsoft\Wind...\064831119-0000008B.eml

This is an extract of the Notepad after scanning

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 17:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 16:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 21:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 16:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 20:48:21
ANTIVIR2.VDF : 7.1.2.13 2048 Bytes 2/11/2009 20:48:22
ANTIVIR3.VDF : 7.1.2.27 79360 Bytes 2/15/2009 20:48:23
Engineversion : 8.2.0.79
AEVDF.DLL : 8.1.1.0 106868 Bytes 2/15/2009 20:48:37
AESCRIPT.DLL : 8.1.1.47 348539 Bytes 2/15/2009 20:48:35
AESCN.DLL : 8.1.1.7 127347 Bytes 2/15/2009 20:48:34
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 22:58:38
AEPACK.DLL : 8.1.3.8 397684 Bytes 2/15/2009 20:48:33
AEOFFICE.DLL : 8.1.0.33 196987 Bytes 2/15/2009 20:48:32
AEHEUR.DLL : 8.1.0.90 1573237 Bytes 2/15/2009 20:48:31
AEHELP.DLL : 8.1.2.0 119159 Bytes 2/15/2009 20:48:27
AEGEN.DLL : 8.1.1.16 332148 Bytes 2/15/2009 20:48:26
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 19:05:56
AECORE.DLL : 8.1.6.5 176501 Bytes 2/15/2009 20:48:24
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 19:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 17:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 18:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 21:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 20:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 17:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 21:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 02:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 21:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 21:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 22:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 22:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, February 15, 2009 14:50

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wltuser.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'wlcomm.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'eBayTBDaemon.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'uphclean.exe' - '1' Module(s) have been scanned
Scan process 'SeaPort.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'mdm.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'ioloServiceManager.exe' - '1' Module(s) have been scanned
Scan process 'InCDsrv.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
31 processes with 31 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '62' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\JSetup.exe
[0] Archive type: CAB SFX (self extracting)
--> \disk1\data1.cab
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\pagefile.sys
[WARNING] The file could not be opened!

End of the scan: Sunday, February 15, 2009 15:51
Used time: 1:01:08 Hour(s)

The scan has been done completely.
8439 Scanning directories 284164 Files were scanned 0 viruses and/or unwanted programs were found 0 Files were classified as suspicious: 0 files were deleted 0 files were repaired 0 files were moved to quarantine 0 files were renamed 2 Files cannot be scanned 284162 Files not concerned 5354 Archives were scanned 3 Warnings 0 Notes Should I now proceed to One Care full scan via Safe Mode or do something else? Thanks, Robert |




