Trojan.PSW.Generic.TFT maybe reoccuring

I have AVG Free, Ewido, Spybot, ad-aware, and all the others listed on this site yet for some reason when I scan my computer with all of these. Sometimes they each find different things the others didn't well I've noticed here lately that when I scan AVG finds a trojan or ewido finds a trojan, and I think it's the same one it's called, Trojan Horse.PSW.Generic.TFT and it's located Common Files/Shared/Web Folders/ibm00002.dll, now how could I keep getting the same one if I keep removing it to the vault?

update it found 6 now, I'm gonna be sick, Trojan Horse.PSW.Generic.TFT, Trojan Horse PSW.Generc.TXA, Trojan Horse.Generic.TFR, Trojan Horse PSW.Generic.TFS Trojan Horse Downloader.VB.DU, and Trojan Horse PSW.Generic.TFU, how could I get all of these?

update it found 6 now, I'm gonna be sick, Trojan Horse.PSW.Generic.TFT, Trojan Horse PSW.Generc.TXA, Trojan Horse.Generic.TFR, Trojan Horse PSW.Generic.TFS Trojan Horse Downloader.VB.DU, and Trojan Horse PSW.Generic.TFU, how could I get all of these? and should I be concerned of losing my important information, credit card numbers, things like that?

Consider each of the tools mentioned as separate specialty tools just like a brain surgeon and heart surgeon have a common medical knowledge base but not the state-of-the-art expertise nor supporting infrastructure to expertly deal with broader issues outside their immediate functional area of specialization. One tool may be like a fork whereas you might require the use of a spoon to more completely address a given issue. An AV tool may have some limited (partial) capabilities with SOME Trojans but is generally going to be inadequate on many such issues (complete detection and removal) compared to a more specialized Trojan tool like EWIDO.


Name: [Shell]
Status: X
File: ibm0000*.exe (* = digit)

Added by the Troj/Torpig-C http://www.sophos.com/virusinfo/anal...ojtorpigc.html and Troj/Torpig-J http://www.sophos.com/virusinfo/anal...ojtorpigj.html TROJANS! - Filenames spotted include ibm00001.exe ibm00002.exe ibm00005.exe and so on.
http://castlecops.com/startuplist-11220.html
---------------------------------------------------------------

I'm afraid I have unpleasant news for you. You have a very dangerous infection on this machine. With a serious infection like this, I would recommend that you seriously consider a reformat and reinstall.

If you do not want to do this, do not ever use the computer for anything confidential. In that case, we will need your latest HijackThis log for assessment and damage control.


The infection installs itself primarily in machines that have not had all the Win XP updates installed. It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to anything else present...

My best recommendation is to Disconnect from internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer but we cannot be sure that the files involved didn't do anything to your system to reduce overall system security. Even after removal of the infection, you could be vulnerable to another attack or takeover as soon as you connect to the net again.

You are strongly advised to do the following immediately:
1. Disconnect infected computer from the Internet and from any networked computers until the computer can be cleaned.

2. If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts and/or change all your account numbers.

3. From a clean computer, change *ALL* your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Also take any other steps appropriate for an attempted identity theft.

__________________
Vincent P

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis LOG __V2.0.2 _|

__
ASAP: promoting a high standard and quality of security support no matter where you seek help.

Wow, that's fantastic, but AVG Seems to have removed it I've ran all the scans, ad-aware, avg, and all the ones I've mentioned before, and it's not showing up, now my question is could it have gotten into my secondary harddrive? if so how can I make a Winxp disk with all the updates until now so I don't have to install everything again.

Here's my hijack this log, PS I only went to my bank account once, and I don't think that it was on my machine prior to this, but I could be wrong, I guess that's why you always update, could you tell me what updates to install not to waste my harddrive space.

Logfile of HijackThis v1.99.1
Scan saved at 1:47:10 AM, on 4/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Documents and Settings\Crown Ambassador\My Documents\Downloads\Programs\utorrent.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Windows Media Player\wmplayer.exe
F:\Program Files\AIM\aim.exe
F:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://video.msn.com/v/us/v.htm?f=01...bfb2239d&p=&t=
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - F:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - F:\WINDOWS\system32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - F:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: Download All Links with IDM - F:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - F:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: f:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\idmmbc.dll
O20 - Winlogon Notify: dvd4free - dvd4free.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - F:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

Please contact me asap as to what to do and what to look for... Un-freakin' believable.

There is no complete way to ensure that such a trojan's related (deeply entrenched) components have ALL been COMPLETELY eradicated. And, such an item was most likely found on your primary drive:

Common Files/Shared/Web Folders/ibm00002.dll



Any ongoing sensitive activity such as banking on such a compromised PC makes ignoring such a possibility inadvisable.




Steps that may help MINIMIZE any 'big brother' issues can include:



To help avoid serious infection again, please look carefully at this post for some excellent preventative measures. Prevention must be made the first line of defense to improve upon.



ONLY ONCE you are as clean as possible from any needed cleanup steps - As a final cleanup step (after serious infection), it may be advisable to Reset and Re-enable your System Restore to remove any bad files that MAY have been backed up by Windows . The files in System Restore are protected to prevent any programs changing them. And, this is the only complete way to clean these files: (You will lose all previous restore points which could likely be infected, anyway.)

PLEASE NOTE: you will need to log into your computer with an account that has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.


(Windows XP) To Turn OFF System Restore.

1. Click the Start button.
2. Right-click My Computer, and then click Properties.
3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
4. Click Apply.

REBOOT.

To Turn ON System Restore.

1. Follow the steps in the previous section, but in step 3, uncheck Turn off System Restore or Turn off System Restore on all drives. Then click OK.
2. Create new System Restore points.

(Windows ME) See the following link for instructions:
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam




To reduce the re-infection potential for malware and protect your PC against spyware, here are a few helpful suggestions:

1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft . This will patch many of the security holes through which attackers can gain access to your computer . You CANNOT complete this update using an alternate browser – you must use Internet Explorer.
   http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us
   http://www.microsoft.com/windows/ie/default.asp
   
   • http://www.securityfocus.com/news/11273
     If you surf to questionable (blockable) parts of the Web, you could encounter sites that compromise your PC without any user interaction. In experiments [reported Aug 2005], Microsoft identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system. Also, be aware that the WinXP Service Pack 2 was an update that focused almost exclusively on security. Also reported was that a fully patched Windows XP SP2 system cannot be compromised by any such discovered rogue Web sites.
   
   
2. Run your antivirus software regularly, and to keep its definitions up-to-date. If you are thinking about switching (using a real-time AV tool only one at a time), there are some good free Antivirus programs that are decent, including AVG and Avast!.
   AVG: http://free.grisoft.com/doc/1
   Avast: http://www.avast.com/eng/avast_4_home.html
   
   
3. In addition to using Ad-aware, consider using another free malware scanning/removal program :
   Adaware SE: http://www.download.com/Ad-Aware-SE-Person...ubj=dl&tag=top5
   Spybot S&D: http://www.download.com/Spybot-Search-Dest...tml?tag=lst-0-1
   MS Antispyware beta: http://www.microsoft.com/athome/security/s...re/default.mspx
   
   
4. Consider using a free firewall if you are not already using one (use only one firewall at a time – normally you will need to disable the MS firewall). Some good free ones (for incoming and added outgoing traffic protection) are:
   Kerio Personal Firewall: http://www.sunbelt-software.com/Kerio.cfm
   *** After 30 days, Kerio shuts down selected features, but will continue to run in 'free' mode.
   Zone Alarm: http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?lid=ho_za
   
   It is not a bad idea to also consider using a Router/Hardware firewall device where you have a High-Speed Internet access connection. A software firewall may occasionally need to be disabled or it gets/remains disabled by someone or something. Such an added layer of security consistency has a lot of merit to it.
   
   
5. Consider using an alternate free browser for general web surfing but you must use IE for windows updates.
   Mozilla Firefox: http://www.mozilla.org/products/firefox/
   
   
6. Consider increasing your browser security by using these programs:
   SpywareGuard will help protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
   SpywareBlaster will increase browser protection by blocking access to thousands of known malware sites by adding them to IE's restricted sites zone. It essentially blocks known- bad ActiveX program items from being installed or running on your computer. Download it here: http://www.javacoolsoftware.com/spywareblaster.html
   • If you use SpywareBlaster, you can also use a customblocklist to add even more entries into IE restricted sites zone. Go to this site for the current list and how to use instructions: http://customblockinglist.cjb.net/
     
   • IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
     http://www.spywarewarrior.com/uiuc/resource.htm
   
   
7. A HOSTS file can block Internet access to thousands of known-bad sites by not allowing you any easy browser access to such sites knowingly or unknowingly. Use HJT to determine if a current HOSTS file exists and any contents therein:
   • Run the HiJackThis tool and select ‘Open the Misc Tools section’.
   • Next select ‘Open host file manager’ button.
   • Use the ‘Open in Notepad’ button in XP/W2K or use WORDPAD if necessary [type wordpad.exe in the RUN box (Start>Run)] and load the FILE PATH identified in HJT.
   • Go to http://www.mvps.org/winhelp2002/hosts.txt . # Read the initial instructions #. Copy and paste (append or replace) the RELEVANT host address entry contents of that file into Notepad or Wordpad and save the updated file contents.
     
     EXCERPT:
     Quote:

     #start of lines added by WinHelp2002 # [Misc A - Z] 127.0.0.1 phpadsnew.abac.com 127.0.0.1 a.abnad.net 127.0.0.1 e.abnad.net 127.0.0.1 www.accoona.com #[Adware-Accoona][Adware.Atoolb][Panda.Accoona] . . . #end of lines added by WinHelp2002

*Remember just like your primary anti-virus software, it is important to:

• Keep all of these programs up-to-date, and
• Use them on a regular basis.

__________________
Vincent P

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis LOG __V2.0.2 _|

__
ASAP: promoting a high standard and quality of security support no matter where you seek help.

so if I were to update now would it stop the information from being sent or is it too late, just so that I can still use the net until I reformat?

is there a chance that my files have been compromised like documents and things like that?

And if I save them to my other hard drive could they infect it so I'd have to reformat it.

The reason I asked about the XP disk is because I've got XP sp1 disk, and then I have install xp xp2 so that XP will read my 200 gb hd so when I reinstall everything it will be recognized and have all the lastet security patches so as not to run into this problem again?

Even though I've removed the dll file isn't that the core of the program, is it possible that it will start at startup but not be able to collect anything since it doesn't have a core?