help...me...

Every day when I log on to the net I'm attacked by the virus Trojano 302 (trj).
Well, Avast detects it and I always put it in the chest and delete it, but it always reappears when I'm on the net. It has been happening for the last few days… Even now, while I'm writing this message, Avast is working and detecting that virus in various files.
And when I'm not on the net I scan my system and Avast finds nothing.
I'm very confused and I don't know what to do.
I would like it if someone could tell me how I can remove it without … that unpopular format C:
Best wishes to you all… :smiley:

Welcome to the forums,

Some more detail about the O.S., path to the file etc. would be helpful.

As a first course, have you tried AdAware S.E. and Spybot on your system, as this might be caused by installing some software such as WeatherBug?

Do a search to see if any of these files are on your system:

C:\WINDOWS\system32\addwj32.exe
C:\WINDOWS\system32\iexw32.exe
C:\WINDOWS\system32\mfcde32.exe
C:\WINDOWS\winbl32.exe
C:\WINDOWS\System32\bbbfr.exe

Click on the link in my signature, follow the steps on that page to clean and protect your system properly.

It's very aggressive… it opens portals to porno sites and my comp opens an unknown number of Expl.
I have Windows XP… help…

Have you already done as I suggested?

I have picked up Shredder … it found nothing but I'm still attacked… I removed some possible hijack with Ad-Aware, but it always appears when I'm on the net.
Here are some files from the chest:
C\windows\appde32.exe
c\doc. and sett\in secure class loader
c\windows\netul.exe
c\windows\ntjh32.exe
c\windows\system32\sdkgq32.exe

and they are different all the time

How to disable system restore?
You mean to read those black letters… ???
Where can I find a firewall???

Get and use at least the applications I mention in the first table on that page.

You can find links to everything you need (applications) on that page, as well as links to information like “how to disable system restore”

  • Read the entire page.
  • Follow the directions given there.

Take your time. Better slow and spend some time on it now, than later feeling sorry. :wink:

I had an identical problem a couple months ago. It was caused by a dirty mcc.exe process and was not picked up by any AV or anti spyware at the time. Check in task manager to see if you have this process running, but don’t kill or delete it yet because it can be legit. Don’t want to advertise for them but if you give me a hint of the sites it’s opening I can confirm if it’s the same problem I had.

GF, if it is as you suspect, HijackThis will pick it up and be able to deal with it.

Well, thanks Eddie… but after an all-day battle with that virus I think I'm losing my patience to do format C:
I did everything you say on your site… and… nothing helps because I have a problem with that “process”.

First I shut down System Restore monitoring. That was good.

Then I went to safe mode and tried with Avast to find the virus… and I found it. :slight_smile:
Now… I couldn't delete it because the file was in use by another process… Then I remembered that you said to turn off the process in Task Manager… Now that is the problem… which one???
I tried to switch off all processes… and normally I shut down the comp.

Now I have a new window while I write this… wait a second… listen

C:\windows\system32apiip.exe file name

executable file viruses

avast! will try to repair the file according to the Virus Recovery Database. Files with no database record cannot be repaired.

Repair               Cancel

What should I do??? ;D I will do repair… and life goes on

Cannot be repaired… :smiley:
Now I have that window with the alarm… cannot delete, cannot move to chest, cannot repair
I'm lost

Hi,
please post the HIJACKTHIS-Logfile here, and we’ll try and help you…
:wink:
If you can’t find the link: http://hjt.klaffke.de/en
:wink:

Yup, post the HJT log here. Don’t worry, we will get you through this.

Remember, the easy way (format, clean install of everything) isn’t the best way. If you learn how to handle a thing like this, you will have learned and may benefit from it later :smiley:

Perhaps getting the programmes Eddy suggests downloaded first and printing out the page of suggestions, then physically removing your internet connection, by unplugging the cable so your machine is not connected during the clean up process might help?

Exactly the same problem with Trojano 302… is there someone who knows how to get rid of this?

Hello ppl… I'm very sorry but I've been fighting this for two days…
First of all I picked up everything that Eddy says … but I'm still not sure what process I should terminate in safe mode.

Second, I'm constantly attacked by various viruses; now a new one is Trojan (gen) and some JS and today a new one. Well, I have a problem with Ad-Aware.
Every time I do a scan I delete some possible brows. hijack, and when I delete it, it appears again every time I start up my comp.
Here is that new virus I told you about: Win32:Opas-a-fSG (Wrm).
What is that?

What should I post here that you said? I could just write you the names of the hijack browser… it's some http: easy-biz.com. That's in Ad-Aware.

Just tell me what process I have to turn off. I enter safe mode, I disable monitoring, I do everything but don't know what that harmful process is.

Please do as many people have asked, run hijackthis, save the log file and attach it to a post here as a text file (.txt). If you have trouble doing this, then cut and paste the log file text into the post.

People want to help, but you need to help them to help you and the information contained in the hijackthis log file will do that.

I am getting ready to troubleshoot a machine with Trojano 302 too. I will follow the steps that Eddy has outlined above. Is there any cure for this virus which can be run from within Avast?

here it goes…

Logfile of HijackThis v1.98.2
Scan saved at 16:20:55, on 9/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\FarStone\VirtualDrive\VDTask.exe
C:\WINDOWS\vcdplayx.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ipiz.exe
C:\WINDOWS\System32\windows\services.exe
C:\WINDOWS\System32\twink64.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\runwin32.exe
C:\WINDOWS\wininet32.exe
C:\WINDOWS\System32\ir.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Marija i Zeljko\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\runwin32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yymxr.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yymxr.dll/sp.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49FE9E16-856A-3121-F94B-0D522A4EABA7} - C:\WINDOWS\ippe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [VirtualDrive] “C:\Program Files\FarStone\VirtualDrive\VDTask.exe” /AutoRestore
O4 - HKLM..\Run: [vcdplayx] “C:\WINDOWS\vcdplayx.exe”
O4 - HKLM..\Run: [CARPService] carpserv.exe
O4 - HKLM..\Run: [CloneCDTray] C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [ipiz.exe] C:\WINDOWS\ipiz.exe
O4 - HKLM..\Run: [Windows] C:\WINDOWS\System32\windows\services.exe
O4 - HKLM..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM..\RunOnce: [addtj.exe] C:\WINDOWS\addtj.exe
O4 - HKLM..\RunOnce: [ipru.exe] C:\WINDOWS\ipru.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [windllsys32.exe] C:\WINDOWS\System32\windllsys32.exe
O4 - HKCU..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip..{39E1B5B0-3B85-4A70-A67D-D0F6CB180AB6}: NameServer = 212.62.32.1 212.62.32.5

I couldn't have done better… sorry for the space…
I think that you won't mind me…
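
Added example, not part of the original thread and not HijackThis's own code: a small Python triage pass over a HijackThis-style log like the one posted above. It surfaces three kinds of review leads visible in that log: a core Windows process name running or auto-starting from outside its normal folder, a loopback IE proxy setting, and Trusted Zone additions. The function names, lead labels and the `C:\WINDOWS` install path are assumptions of this sketch.

```python
import ntpath
import re

# Constructed sample: a few lines taken from the log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\windows\services.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKLM..\Run: [Windows] C:\WINDOWS\System32\windows\services.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O15 - Trusted Zone: *.windupdates.com
"""

# Assumption: Windows is installed in C:\WINDOWS, as in the posted log.
SYSTEM_DIRS = dict.fromkeys(
    ["smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
     "spoolsv.exe"], r"c:\windows\system32")
SYSTEM_DIRS["explorer.exe"] = r"c:\windows"
ENTRY = re.compile(r"^([RO]\d+) - (.*)$")                # "O4 - <entry text>"
AUTORUN_EXE = re.compile(r'\]\s*["“]?(.+?\.exe)', re.I)  # path after "[name]"

def parse(log):
    """Return (running process paths, {section code: [entry text, ...]})."""
    procs, entries, in_procs = [], {}, False
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.setdefault(m.group(1), []).append(m.group(2))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def triage(log):
    """Return (kind, value) leads for a human reviewer; these are not verdicts."""
    procs, entries = parse(log)
    autoruns = [m.group(1) for e in entries.get("O4", []) if (m := AUTORUN_EXE.search(e))]
    leads = []
    for path in dict.fromkeys(procs + autoruns):   # de-duplicate, keep order
        folder, name = ntpath.split(path.lower())
        # Bare names such as "SOUNDMAN.EXE" carry no folder and are skipped.
        if folder and SYSTEM_DIRS.get(name, folder) != folder:
            leads.append(("system-name-wrong-dir", path))
    for e in entries.get("R0", []) + entries.get("R1", []):
        key, _, value = e.partition(" = ")
        if key.endswith("ProxyServer") and value.startswith(("127.", "localhost")):
            leads.append(("loopback-proxy", value))
    return leads + [("trusted-zone", e.split(": ", 1)[-1]) for e in entries.get("O15", [])]
```

Calling `triage()` on the full text of a saved log returns the list of leads; a loopback proxy or a Trusted Zone entry can also be legitimate, so each lead still needs a person to confirm it.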