Author Topic: This is getting ridiculous....  (Read 12229 times)


jazzymina

  • Guest
This is getting ridiculous....
« on: May 03, 2005, 03:29:37 PM »
Hello,

I can't believe that I am back writing ANOTHER post about the same (bleeping) virus that has been bothering me for months :o. Just when I think everything is going okay, the damn thing pops up again.

Avast says that some file in my temp folder contains a sample of the before-mentioned virus.
Apparently it is a Win32.Trojan-gen {other} virus and I already have four samples of it in my virus chest, all of them with different extensions starting with the letter V.

So the name of the current virus is Win32:Trojan-gen {Other} V7BGEHA03260. The strange thing is that it always pops up AFTER I ran a scan a few days earlier; then the scan doesn't mention anything, then a few days later: bam, virus.


Also, lately I have been starting to get weird pop-ups of C:\WINDOWS\explorer.exe and other weird Win32 files that are asking my permission to enter my network.

I am posting another HijackThis log, so please have a look. I don't know what to do anymore; either this is a serious virus that Avast can't remove, or it's a bug or something. I scanned the files in the virus chest and posted the log below.

Move files to temporary folder: C:\DOCUME~1\YASEMI~1\LOCALS~1\Temp\asw10E.tmp
FileID: 0000000015  Original file name: C:\DOCUME~1\YASEMI~1\LOCALS~1\Temp\VB2G3Qa02420\VB2G3Qa02420  New folder: C:\DOCUME~1\YASEMI~1\LOCALS~1\Temp\asw10E.tmp\15
FileID: 0000000014  Original file name: C:\DOCUME~1\YASEMI~1\LOCALS~1\Temp\V3B0FHa03604\V3B0FHa03604  New folder: C:\DOCUME~1\YASEMI~1\LOCALS~1\Temp\asw10E.tmp\14
FileID: 0000000017  Original file name: C:\DOCUME~1\YASEMI~1\LOCALS~1\Temp\V7BGFHa03260  New folder: C:\DOCUME~1\YASEMI~1\LOCALS~1\Temp\asw10E.tmp\17
FileID: 0000000016  Original file name: C:\DOCUME~1\YASEMI~1\LOCALS~1\Temp\V7CCFHa02608  New folder: C:\DOCUME~1\YASEMI~1\LOCALS~1\Temp\asw10E.tmp\16

C:\DOCUME~1\YASEMI~1\LOCALS~1\Temp\asw10E.tmp\14  Win32:Trojan-gen. {Other}
C:\DOCUME~1\YASEMI~1\LOCALS~1\Temp\asw10E.tmp\17  Win32:Trojan-gen. {Other}
------------------------------------------------------------------------------------------
Action was completed successfully!

Logfile of HijackThis v1.99.1
Scan saved at 15:07:55, on 3-5-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Java\J2RE14~1.2\bin\java.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [LDM] \Program\
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe




« Last Edit: May 03, 2005, 04:00:10 PM by jazzymina »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89064
  • No support PMs thanks
Re: This is getting ridiculous....
« Reply #1 on: May 03, 2005, 05:28:43 PM »
This is not the same virus coming back each time; it is just that it is being caught by a generic signature, which is what the "gen" in Win32:Trojan-gen {Other} is about, and the V? ?? ?? ?? ? may simply be a variant identification (but I can't confirm that).

avast is obviously dealing with it because it is being detected and you can move it to the chest.

Without more information on the weird pop-ups, I couldn't hazard a guess as to their cause; you are however correct to stop network access to anything you didn't initiate. I would also suggest that you give Firefox a try, it is less susceptible to adware/spyware/malware than IE.

A quick look at your HJT log and it looks clear. For an on-line scan of your HijackThis log file try here http://hijackthis.de/index.php
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the "file missing" entry for avast). If you need any help with any of the analysis let us know.
« Last Edit: May 04, 2005, 01:31:32 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
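A small triage script for the kind of HijackThis log posted above, added here as an illustration and not part of the thread or of HijackThis itself: it parses O4 autorun and O23 service lines, flags entries with no absolute path or no executable name (such as the `[LDM] \Program\` line), and separates the HJT 1.99.1 quoting quirk DavidR mentions from a genuinely missing file. The sample lines are copied from the log in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: O4 (autorun) and O23 (service) lines copied from the
# HijackThis 1.99.1 log posted in the thread; the full log has more sections.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [LDM] \Program\
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?) - (?P<cmd>.*)$")
IMAGE_RE = re.compile(r"^(?P<image>.*?\.exe)(?P<rest>.*)$", re.IGNORECASE)

QUIRK, MISSING = "HJT 1.99.1 quoting quirk, not a real missing file", "referenced file is missing"
NO_PATH, NO_EXE = "no absolute path: resolved through the search path at logon", "does not name an executable"


@dataclass
class Finding:
    section: str  # "O4" or "O23"
    name: str     # Run value name or service display name
    image: str    # image path as written in the log
    reason: str


def split_command(cmd: str) -> tuple:
    """Separate the image path from its arguments for the quoting styles HJT emits."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = IMAGE_RE.match(cmd)
    if m:
        return m.group("image"), m.group("rest").strip()
    return cmd, ""  # no .exe anywhere: treat the whole value as the image


def triage_entry(section: str, name: str, cmd: str) -> list:
    image, rest = split_command(cmd)
    out = []
    if "(file missing)" in rest:
        # A stray closing quote glued to the path is the 1.99.1 bug seen on avast service lines.
        out.append(Finding(section, name, image, QUIRK if rest.startswith('"') else MISSING))
    if not re.match(r"^[A-Za-z]:\\", image):
        out.append(Finding(section, name, image, NO_PATH))
    if not image.lower().endswith((".exe", ".com", ".dll", ".scr")):
        out.append(Finding(section, name, image, NO_EXE))
    return out


def triage_log(text: str) -> list:
    """Return one Finding per suspicious property of each O4/O23 line."""
    findings = []
    for line in text.splitlines():
        for section, rx in (("O4", O4_RE), ("O23", O23_RE)):
            m = rx.match(line)
            if m:
                findings += triage_entry(section, m.group("name"), m.group("cmd"))
    return findings
```

Running `triage_log(SAMPLE_LOG)` reports only the LDM, Logitech Utility and avast! Mail Scanner lines; the fully qualified, quoted entries produce no findings.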

whocares

  • Guest
Re: This is getting ridiculous....
« Reply #2 on: May 03, 2005, 09:14:41 PM »
Hi,

seems to me like your system, and especially your browser, is not configured securely enough:

please work through the link "VirusRemoval" below and follow the advice on securing your browser & system better,
e.g. use ZoneModel, disable ActiveX & scripting except for known secure sites, or better, use a different browser other than the notoriously unsafe IE

 ;)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: This is getting ridiculous....
« Reply #3 on: May 03, 2005, 09:22:15 PM »
Also, have you tried to delete the temporary Internet files?
To do this go to Internet Explorer > Tools > Internet Options > Delete Files > tick "Delete all offline content" (just to be sure) > click OK.
It might take some time to delete them.
The best things in life are free.

jazzymina

  • Guest
Re: This is getting ridiculous....
« Reply #4 on: May 04, 2005, 12:25:17 AM »
Okay, as for the first part about the Avast 4.ini file, sorry, I don't understand what you mean with that, David. Could you please explain that to me????

And as for Avast 'dealing' with this virus, well, I think Avast should start handling the virus ALREADY. I am getting a bit desperate right about now, because I ran several scans with Avast and with online scanners and still.... >:(

As for deleting temporary Internet files, I have CrapCleaner and I run it regularly. And I also have Mozilla/Firefox as a secondary browser, which from now on I will be using more often than IE. In addition to Spybot and Ad-Aware I have almost every free anti-spyware possible on my computer (SpywareGuard, SpywareBlaster, Microsoft AntiSpyware). Most of those programmes protect me against ActiveX scripting. Next to that I use Sygate, which protects me from hijackings and such, 3 other freeware anti-virus programmes which I run sometimes, and HijackThis. I don't know what more I can do to protect my computer.

But what should I do now? Because Avast detects the virus and moves it to the virus chest, but the virus stays present on my computer. I can't locate the file for manual removal, because AVAST says it is in my temporary folder, but it doesn't appear there. And my HijackThis log seems to be clean, so I still don't know which file is infected and where the file is located.

Please help.. How do I finally get rid of this Win32:Trojan-gen {Other} virus?
« Last Edit: May 04, 2005, 12:44:41 AM by jazzymina »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: This is getting ridiculous....
« Reply #5 on: May 04, 2005, 12:40:34 AM »
Jazzymina, if you find a virus keeps coming back after you delete it, it has most probably infected the System Restore folder. The best way to solve this is to disable System Restore, reboot your machine and then enable it again. After that, run a full avast! scan. System Restore cannot be disabled on Windows 9x.

Enable/Disable System restore on Windows ME:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q264887

Enable/Disable System restore on Windows XP:
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89064
  • No support PMs thanks
Re: This is getting ridiculous....
« Reply #6 on: May 04, 2005, 02:12:59 PM »
Quote
Okay, as for the first part about the Avast 4.ini file, sorry, I don't understand what you mean with that, David. Could you please explain that to me????
I can't recollect how that got there; as it doesn't relate to your problem, I have edited it out of the original post.

Quote
And as for Avast 'dealing' with this virus, well, I think Avast should start handling the virus ALREADY. I am getting a bit desperate right about now, because I ran several scans with Avast and with online scanners and still.... >:(
avast keeps deleting it, that is its job; however, there are many ways it can get back in, mostly through weak security, such as IE's BHOs (browser helper objects) or ActiveX, and the fact that IE is an integral part of Windows. So when a piece of adware/spyware/malware gets past IE it has, to an extent, also compromised your OS.

Quote
As for deleting temporary Internet files, I have CrapCleaner and I run it regularly. And I also have Mozilla/Firefox as a secondary browser, which from now on I will be using more often than IE. In addition to Spybot and Ad-Aware I have almost every free anti-spyware possible on my computer (SpywareGuard, SpywareBlaster, Microsoft AntiSpyware). Most of those programmes protect me against ActiveX scripting. Next to that I use Sygate, which protects me from hijackings and such, 3 other freeware anti-virus programmes which I run sometimes, and HijackThis. I don't know what more I can do to protect my computer.
I would suggest that you use Firefox as your primary browser and IE only when you have to, e.g. Windows Update (you can even use an IE-based browser such as Avant or Maxthon to do that). A major factor in the ability of a virus infection to do major damage is that it has the same permissions you have when you browse, e.g. are you logged on as a user with admin rights?

I suggest you read this - DropMyRights - Browsing the Web and Reading E-mail Safely as an Administrator. I only browse with admin rights as and when I visit windows update otherwise you can't update.

Quote
But what should I do now? Because Avast detects the virus and moves it to the virus chest, but the virus stays present on my computer. I can't locate the file for manual removal, because AVAST says it is in my temporary folder, but it doesn't appear there. And my hijack this log seems to clean, so I still don't know which file is infected and where the file is located.

Please help.. How do I finally get rid of this Win32:Trojan-gen {Other} virus?
As I keep saying, this is likely not to be the exact same virus; it is just that it is being detected by a generic check and classed as w32:Trojan-gen, which is a very common detection, you only have to check these forums and see. It is unlikely that they are all the exact same virus.

From this it is obvious that it is the Standard Shield that is detecting this infection and not the Web Shield, as with the Web Shield you would get the warning and abort the connection, and the virus wouldn't get on your HDD. Are you using the Web Shield and is it working?

Check out some of these to test.
http://www.eicar.org/anti_virus_test_file.htm
Web Shield Test
http://www.eicar.org/download/eicar.com

JPEG Exploit
http://www.nod32.de/download/jpegcompoc.jpg
http://www.nod32.de/download/jpegcompoc.zip
« Last Edit: May 04, 2005, 02:15:00 PM by DavidR »

jazzymina

  • Guest
Re: This is getting ridiculous....
« Reply #7 on: May 04, 2005, 07:10:32 PM »
Hi David,

Thanks for the info, I don't log on as a administrator (I think) but I'll check it out later.

For what it is worth I think my version of Avast is malfunctioning. I clicked on both links that you provided me, about NOD32 (www.nod32.de) and eicar. Avast prompted immediately and said both of them were infected. I aborted the connection at the NOD32 page, and moved the other virus (at the eicar page) to the virus chest.

Since I don't think you would subject my computer to viruses, there must be something wrong with my virus scanner. I am thinking about permanently switching to another virus scanner, or reinstalling a new version of AVAST.
« Last Edit: May 04, 2005, 07:18:31 PM by jazzymina »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89064
  • No support PMs thanks
Re: This is getting ridiculous....
« Reply #8 on: May 04, 2005, 07:39:22 PM »
You might not log on as an administrator, but your account may well have admin rights, rather than being a restricted account.

I don't understand your problem; that is the correct action. Ignoring the first link, which just gives background information (to make you aware of what the test is about and that it is harmless), it gives a number of different eicar tests that you can run.

If you clicked any of the links on that page you would have received either a Web Shield or Standard Shield warning.

The ones in the top row of the selections would give a Web Shield warning and the ability to abort the connection so it doesn't get to your HDD.

The ones in the bottom row will not be scanned by the Web Shield because they use the SSL protocol (Secure Sockets Layer, e.g. encrypted transmission), avast can't scan encrypted data during download, but when it arrives on the HDD (in your temporary internet cache) avast's Standard Shield can detect it and it needs to be moved to the Chest (or deleted, etc.).

It would appear that the Web Shield and Standard Shield are acting as they should. The Eicar tests are simply to test that your AV reacts correctly when it encounters a virus, the eicar test in this case.

What do you think is wrong with your virus scanner?
I can't see anything in your post to show a problem, other than you may have clicked one of the tests that can't be monitored by web shield (i.e. encrypted).

neal62

  • Guest
Re: This is getting ridiculous....
« Reply #9 on: May 04, 2005, 09:25:39 PM »
In regards to this statement you made:

"Next to that I use Sygate which protects me from hijackings and such, 3 other freeware anti-virus programmes which I run sometimes, and Hijack this. I don't know what more I can do to protect my computer."

Do you have these 3 other freeware anti-virus programs on the HD of your PC? Or are these web-based freeware anti-virus programs? If they are on your PC, Avast does not function to its fullest extent with another anti-virus program on the same machine. Also, as mentioned, your System Restore, if turned on, could be part of the problem.
« Last Edit: May 04, 2005, 09:30:52 PM by neal63 »

snowhead

  • Guest
Re: This is getting ridiculous....
« Reply #10 on: May 06, 2005, 12:47:39 PM »
Hi Jazzymina ,
I've been trying to get rid of a similar, or the same, trojan for about a month. I am new to avast but all the malware removers I have tried do not stop the thing coming back on restart. I scan on restart with avast in the docs and settings where it lives, but it is still there; it also appears in a system restore file, so I have tried in the past to disable the system restore but that still didn't remove it. Have you got emsisoft.com's free scan and remove software called A2? This gives you a full address and maybe a fuller name for the trojan. For me it works well... the name it comes up with is "rootkit.h" and in my case it is in docs and settings\bill\msdirectx.sys.
I have read through this forum but, being a bit of an old duffer, am not sure what to do next. I always use Firefox and am not too worried about getting new infections with avast security in place, but I do seem to be getting a lot of freezeups, which may be nothing to do with the trojan, but I would still like to dump it for good. Any help would be appreciated.

Offline xistenz

  • Poster
  • *
  • Posts: 632
Re: This is getting ridiculous....
« Reply #11 on: May 06, 2005, 01:12:32 PM »
Rootkit.h eh? Go to http://www.f-secure.com/blacklight/try.shtml and download the BlackLight rootkit scanner beta. Then scan your system using it.

snowhead

  • Guest
Re: This is getting ridiculous....
« Reply #12 on: May 07, 2005, 10:31:14 AM »
Tried the F-Secure download, found 1 hidden item: copq.exe.
After the first scan and clean nothing was found, but coming back some time later, further scans show the same item every time. I will now search to find out something about copq.
Thanks, Bill.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: This is getting ridiculous....
« Reply #13 on: May 07, 2005, 01:50:20 PM »
Hi Snowhead,

It might have been better to start a new thread here, but anyway:

The Ewido free version doesn't have a memory scan, and a-squared does, but it isn't the best. The two best anti-Trojan scanners with working free versions to try if you are having problems with a Trojan are TDS-3 and TrojanHunter.

http://tds.diamondcs.com.au/
http://www.trojanhunter.com/

Trojans can reappear if your operating system and browser are not bang up to date, and if you are not protected by a firewall.

There are a few references to copq.exe on the web as a malware file. If you have renamed it using BlackLight and it is coming back, then some other component of the malware (a running process for example) is re-creating it. Try a boot time scan with avast! after checking for the latest updates, and also run the anti-Trojan programs above.
« Last Edit: May 07, 2005, 02:06:39 PM by FreewheelinFrank »
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

snowhead

  • Guest
Re: This is getting ridiculous....
« Reply #14 on: May 08, 2005, 10:10:21 AM »
Hi FreewheelinFrank,
Sorry to have jumped in with my input; thanks for the suggestions, will give these a go.