Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Dan_o on October 12, 2003, 10:00:16 PM

Title: Good way to get rid of Win32:Trojan-gen
Post by: Dan_o on October 12, 2003, 10:00:16 PM
Avast found the Trojan and the repair sometimes doesn't work so should I just delete the file or find another program or way to get rid of it?
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: techie101returns on October 13, 2003, 02:48:12 AM
Dan,

What do you mean the "repair" DOESNT WORK?
Did Avast give you the choice to move the infected file to the Chest?

I am somewhat perplexed in that my reference files do not list a win32:trojan-gen virus.
Normally, gen virii are polymorphic (basically means that the virus tries to hide detection by varying code strings) but none of the variants of which I am aware of are listed as win32:trojan.

Does Avast provide any other information?

techie
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: Lisandro on October 13, 2003, 04:57:55 AM
Dan,

What do you mean the "repair" DOESNT WORK?
Did Avast give you the choice to move the infected file to the Chest?

I am somewhat perplexed in that my reference files do not list a win32:trojan-gen virus.
Normally, gen virii are polymorphic (basically means that the virus tries to hide detection by varying code strings) but none of the variants of which I am aware of are listed as win32:trojan.

Does Avast provide any other information?

techie

Hey Dan, could you answer techie?  ;)
Btw, which OS, firewall, etc. are you using...
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: techie101returns on October 13, 2003, 05:40:30 PM
dan,

I still have been unable to obtain an relevant information on the suspect viruswin32:trojan-gen

Try this for now:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

It is Panda free online scanner.  Run it and see what it tells you.  It may provide some additional facts we need to identify the actual virus (if it does indeed exist.  It may be a false positive, but we need to know if you ARE running AVAST or any anti-virus program)

 ::)
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: techie101returns on October 13, 2003, 05:47:11 PM
Btw, which OS, firewall, etc. are you using...
Technical brings up a good point.  OS, Firewall etc are needed in order for recommendations to be made to prevent any future virus infection.
Technical thinks ahead.  hahaha ;)

techie101 :)
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: Dan_o on October 13, 2003, 06:01:15 PM
Ah So I should just move the infected file to the chest huh? When I click on repair sometimes I get a message saying the infected file couldn't be repaired. I'll try that and the panda thing.

Thanks for the reply guys
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: Lisandro on October 13, 2003, 08:46:52 PM
When I click on repair sometimes I get a message saying the infected file couldn't be repaired.

Could you post what files (and its virus) could not be repaired?  ;)
What about your system informations (OS, firewall, etc.)  8)
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: techie101returns on October 13, 2003, 09:02:30 PM
dan,

Your not cooperating here!  Technical and I both asked you for information relevant to your problem so we can help you.

If you just wish to venture off into computer land by yourself, then we can't assist.

and it's not a Panda-thing.  Its' an online virus scanner from Panda Software.

In answer to you question about the Chest.  Yes, if you move the file to the chest, it cannot harm your system until we figure things out.  It can be restored (put back) from the chest if we determine that it is indeed a file you need.

You may not be able to Repair the file if it is protected by the System Restore feature or if the virus has attached itself to a file that is passworded.

I cannot say for sure because you won't answer our questions.

I can't read minds, only anti-virus software.   ;D

techie101


Technical,
You tried buddy.
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: Lisandro on October 13, 2003, 09:09:26 PM
dan,
Your not cooperating here!  Technical and I both asked you for information relevant to your problem so we can help you.
If you just wish to venture off into computer land by yourself, then we can't assist.
I cannot say for sure because you won't answer our questions.
I can't read minds, only anti-virus software.   ;D
techie101
Technical, You tried buddy.

Thanks techie for you posts... They earn you a karma  ;D
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: Freeman on October 22, 2003, 08:19:05 AM
avast! v4.1.280 (database up to date)
Windows ME
ZoneAlarm v3.7.211

Greetings,

I received the same 'virus' warning (Win32:Trojan-gen. {UPX!}) after downloading some .rar files from a site. I contacted the site owner and it appears that it isn't the files that are affected; rather avast! has trouble with UPX. This was his response:

Quote
No, it's not a virus nor a trojan but an executable file packer called UPX(http://upx.sf.net/), which is used by WinRAR for compressing the decompression program included in the sets so people don't need to install WinRAR to do just that. I guess UPX has been included by your anti-virus program since it potentially could also include a trojan or virus executable.

Cheers!
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: igor on October 22, 2003, 09:22:42 AM
(Pure) UPX has definitelly not been included into avast database to be reported as a virus just because there may be a virus inside... (we'd have to report about everything then :)).

So, if you receive the warning and you're sure the file is not infected - then it's probably a false alarm and it should be fixed. Could you please post some more information about the file - such as a link to download? Or if not possible, could you send the mentioned file to virus(at)avast.com? If it's too big, you would try to delete (most of) the content of the archive with WinRAR, just to keep the SFX engine present (or strip only the first part of the file). If you modify the archive, however, make sure that avast still gives the warning.
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: raman on October 22, 2003, 10:12:58 AM
@freeman It could be a false alarm, because Aast has still some problems wuth Winrar-SFX files which are packed with upx.

@dan_o: You will be able to moe the file if you start your computer in safe mode. You can test the troj-gen here (http://www.kaspersky.com/remoteviruschk.html), so you do not need to install the activeX crap from Panda, which only forces Avast to give you an other Viruswarning on some Pandafiles, which will be installed.
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: techie101returns on October 22, 2003, 04:02:54 PM
dan,

You can normally move an infected file to the Chest instead of trying to delete or repair it.  This keeps it in a safe place until you determine if it is indeed harmful.
Avast will not allow you to "tamper" with files that are in the System Restore, or those that are passworded.   Igor provided a tip that you should remember when this occurs.

Please look at the setting of your Standard Shield module in the On Access Protection. Right click on the A ball in the try, select On Access Protection, then Standard Shield from the side table.   If it is set on HIGH lower it to Normal and try again.  The higher the sensitivity, the more false positives that may result.  This applies to both On Access and normal Scan functions in Avast.

Avast will tell you when it detects a file that is  "potentially"harmful.  It is now up to you to determine what to do with it!

From what you have presented, it more than likely is a false positive.  We now need to get rid of the warning from your system using the methods provided here.

Good luck
Techie
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: igor on October 22, 2003, 04:24:08 PM
Well, setting the level of Standard Shield protection affects the number of files being scanned (so it could influence the potential false alarms reported in non-executable files) - but it doesn't change the method "how" the files are scanned, such as scanning inside archives, virus targeting, etc. (at least I think so :)).
The .exe files will always be scanned, no matter if you set the sensitivity to High or Normal - they're too important to be skipped. If the problem appears in a WinRAR-SFX, then it really is an .exe file - so changing this setting probably wouldn't help.

The best thing to do would be to submit the problematic file so that we could fix the false alarm. Since WinRAR is quite popular, we would definitelly like to do it.
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: techie101returns on October 22, 2003, 09:29:06 PM
Well, setting the level of Standard Shield ........ (so it could influence the potential false alarms reported in non-executable files) - but it doesn't change the method "how" the files are scanned.

* Igor, No...changing the sensitivity will not change where Avast scans but will change HOW it performs the scan.  I  believe that the types of files and code strings that Avast looks for are modified.  (at least I think so. haha)

Avast will ALWAYS scan boot sectors, executables both 16 and 32 bit as well as MS DOS based programs, but not so apparent is that IT WILL NOT scan Config.sys, MS DOS.sys, Pagefile.sys, Win386.swp, System or User.da, nor the Windows\temp\*.tmp file by default. (*You can modify these or add to them by changing the settings of the Standard Shield in the OAP module.

Quote
The best thing to do would be to submit the problematic file so that we could fix the false alarm. Since WinRAR is quite popular, we would definitelly like to do it.

In order to assist the Avast Team, please send the file/s in order to prevent a reoccurrence.

Thanks,
Techie  :D
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: Hornus Continuum on October 23, 2003, 05:49:43 AM
From the help file:

Quick Scan. Only the possibly dangerous files are scanned, according to their extension.  It means that the files with extensions EXE, SCR, COM, DOC, etc. are scanned.  Within the file, avast! looks only for those viruses that infect the corresponding type of file.  It means that macroviruses are not searched for in EXE files etc.

Standard Scan. Only the possibly dangerous files are scanned, according to their content.  The file extension is ignored.  Again, only the viruses corresponding the the particular file type are searched for.

Thorough Scan. All files are tested, against all viruses.

Regards,
Hornus
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: Freeman on October 23, 2003, 07:16:05 AM
Igor,

Well, I deleted the contents of the .rar file so I was just left with the 'solid SFX RAR archive', and I still received the virus warning. The site from which I downloaded the file from is here (http://www.snesmusic.org/spcsets/) (or here (http://www.snesmusic.org/spcsets/actr.exe) for a direct download).

Hope that helps.

Cheers!
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: igor on October 23, 2003, 09:23:39 AM
Thanks for the links. I'll pass the file to be checked.
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: seancoles on October 24, 2003, 06:23:30 AM
I have the same notification of Win32:Trojen-gen it was found at c:\winnt\winlogon.exe
c:\winnt\explorer.exe  
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: seancoles on October 24, 2003, 06:25:59 AM
also at

C:\WINNT\system32\rep.EXE
C:\WINNT\system32\rmtcfg\files\secure.exe

any suggestions?
Title: Re:Good way to get rid of Win32:Trojan-gen
Post by: igor on October 24, 2003, 09:25:07 AM
Well, you can also send the files to virus(at)avast.com to be checked.
However, in your case - the winlogon.exe file really looks suspicious to me... (in my opinion, the winlogon.exe file should be inside the system32 directory, not in the windows root).