Avast WEBforum

Other => Viruses and worms => Topic started by: arnoldo on February 10, 2004, 06:29:52 PM

Title: Win32:Trojan-gen. {UPX!}
Post by: arnoldo on February 10, 2004, 06:29:52 PM
Hi everybody.

I've a problem. I tried to repair an infected file, but the machine answered with ACCESS DENIED TO THE FILE-CANNOT PROCESS IT.

C:\_restore\temp\A0019058.CPY

How can I remove it from the HD?

Thanks.
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: whocares on February 10, 2004, 08:52:23 PM
Hi,

disable System Restore, reboot, and it will be gone.
See
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Re-enable System Restore afterwards, if you need it ;)
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: stormmmy453 on February 21, 2004, 10:33:52 PM
avast is saying I have a virus win95:matyas.... What do I do?
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: whocares on February 25, 2004, 11:49:33 PM
Post the exact path of the "infected" file here,
and feed the board search with "matyas".
Probably just a "false positive" in Panda files ;)
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: Red1970 on February 26, 2004, 03:28:18 PM
I had the same infected files. I followed the instructions to disable the system restore (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?Open&src=&docid=2001111912274039&nsf=tsgeninfo.nsf&view=pfdocs&dtype=&prod=&ver=&osv=&osv_lvl=)
and deleted my C:\_RESTORE\TEMP files by hand through Safe Mode. Once I did this, avast gave me a clean bill of health! My high speed internet runs so much smoother now, too. The instructions from above relate to Windows ME, but I'm sure they have instructions for other programs. Hope this helps!
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: cosmolady on March 01, 2004, 05:15:02 PM
I have this same virus problem... I have tried Safe Mode and I disabled restore, but it keeps saying it is there. What is the next step? I don't know too much about PCs, so you have to go step by step, please.
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: whocares on March 01, 2004, 05:31:35 PM
Hi cosmolady,

1. step: read above and answer the questions
2. step: enter the trojan name into the board search above
3. step:

Hi,

what WIN do you have?
Where exactly was the infected file found (full pathname and filename)?

test the file with online scanners, e.g. from Trend & KAV (see below), to get a more specific name
(you need to temporarily disable AV resident shields/monitors to be able to scan the file online)

- remove the virus/malware and its system modifications according to the virus infos from Avast, VGREP, TrendMicro, Kaspersky;
you might also try searching for the virus name or filename with Google

general removal procedure:
- disable System Restore on Win ME/XP
- kill the respective backdoor/trojan process with Task Manager
- search for the file/process names in the registry; remove the malware's startup entries in the registry
- disinfect or (if disinfection is not possible) delete the file; this may be possible only after a reboot

- secure your system (change passwords, secure shares, install patches/updates for WIN, IE etc.)
- scan your whole system with updated avast and maybe a 2nd scanner, e.g. TrendMicro, to check whether your PC is clean ;)
- re-enable System Restore on Win ME/XP

if it's of the trojan-gen kind: Spybot, Ad-aware and CWShredder might also help
if you still can't remove it, you could post a logfile of HijackThis here

see www.lurkhere.com -> nicefiles and www.lavasoft.de

Further details and links via the board search above ;)
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: viksra on March 06, 2004, 08:09:25 PM
Apparently, Avast told me that I have "Win32:Trojan-gen. {UPX}" too... and I attempted to delete it using avast, but it cannot be deleted, as an error occurred while attempting to do so. The file name is: c:\_RESTORE\ARCHIVE\FS219.CAB\W0138974.CPY.

Here is the log from Hijack This:

Logfile of HijackThis v1.97.7
Scan saved at 2:04:39 PM, on 3/6/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\APPLICATION DATA\SEUR.EXE
C:\PROGRAM FILES\SONY\VAIO ACTION SETUP\VASERV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSIMPL.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/v5/home/0,1793,218,00.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Csrss.exe
F1 - win.ini: load=C:\WINDOWS\Csrss.exe
F1 - win.ini: run=C:\WINDOWS\Csrss.exe
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - D:\PROGRAM FILES\FLASHCAPTURE\FCBHO.DLL
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\tcposmod.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MSNIA] C:\PROGRA~1\MSN\MSNIA\MSNIASVC.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\Run: [Lssr] C:\WINDOWS\Application Data\seur.exe
O4 - Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O8 - Extra context menu item: Save F&lash with FlashCapture - res://D:\PROGRAM FILES\FLASHCAPTURE\FCIEXT.DLL/FCIEXT.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashCapture (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37877.9345023148
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - http://survey.prod.there.com/qualsurvey/ThereInstallHelper.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://activex.microsoft.com/controls/vb6/ComDlg32.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn-int.com/components/ocx/exterior/Outside.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn-int.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {D6526FE0-E651-11CF-99CB-00C04FD64497} (Microsoft MSChat Control Object) - http://www.gatewayintruders.com/gcchome/webchat/MSChatOCX.Cab
O16 - DPF: {AD0E37CE-0A0E-4183-83E9-902CC84A4185} (RootInstaller Class) - http://adreport.msn.com/ExternalObjects/rootinst.dll
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: {EB6D7E70-AAA9-40D9-BA05-F214089F2275} (Vitalize Class) - http://www.clickteam.com/vitalize3/vitalize.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {663F5307-C815-42B4-BBA9-6FF01266E2FB} (CSClient Class) - http://cuteandsingle.com/downloads/csc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {066EEF18-445D-4E0C-B0BF-EA31ACF45592} (eXperience9_webchat49.X9CHAT) - http://www.x9chat.com/X9CHAT49.cab
O16 - DPF: {93D5A014-A030-4436-97BF-81D00CC6C397} (FTC Chat Master 1.0) - http://funteenchat.com/FTCChat10.cab
O16 - DPF: {D8E1C1B6-5D13-4F13-967F-40F30CDA4D4E} (X9CHATNET24.webchatx9) - http://www.x9chat.net/X9CHAT24.cab
O16 - DPF: ChatSpace Java Client 3.1.0.212 - http://81.129.115.213/Java/cms31212.cab
O16 - DPF: {D77A4E5C-017B-4084-8704-8C84041CF11E} (IRCWEBCHATv10.IRCWEBCHAT) - http://www.ircwebchat.net/ircdemo2.cab
O16 - DPF: {DC9CA6A0-B8DB-4457-8E02-559A3D453624} (WebWand.WandMain) - http://www.wizardsroom.com/WebWand.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C} - http://www.2020search.com/toolbar/2020Search.cab
O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194} - http://bins.roings.com/crack.cab


Please tell me what to do. I noticed that I seem to be getting popup dialogs from Internet Explorer asking me to either click "OK" or "Cancel", even though I have not opened IE. I have run SpyBot, Norton, Avast, and HijackThis. I assume that Win32:Trojan-gen. {UPX!} is causing the problem. Also, a dialog box appears when I start Windows telling me that it cannot locate "Csrss.exe", which I believe was a trojan. I tried to remove the registry keys for this, but I cannot find the last one which is making this window pop up. Any suggestions?

-viksra
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: raman on March 06, 2004, 11:26:24 PM
You should disable your System Restore (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm), fix these things, restart and enable System Restore again:

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Csrss.exe
F1 - win.ini: load=C:\WINDOWS\Csrss.exe
F1 - win.ini: run=C:\WINDOWS\Csrss.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\tcposmod.exe
O4 - HKCU\..\Run: [Lssr] C:\WINDOWS\Application Data\seur.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {D6526FE0-E651-11CF-99CB-00C04FD64497} (Microsoft MSChat Control Object) - http://www.gatewayintruders.com/gcchome/webchat/MSChatOCX.Cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {663F5307-C815-42B4-BBA9-6FF01266E2FB} (CSClient Class) - http://cuteandsingle.com/downloads/csc.cab
O16 - DPF: {066EEF18-445D-4E0C-B0BF-EA31ACF45592} (eXperience9_webchat49.X9CHAT) - http://www.x9chat.com/X9CHAT49.cab
O16 - DPF: {93D5A014-A030-4436-97BF-81D00CC6C397} (FTC Chat Master 1.0) - http://funteenchat.com/FTCChat10.cab
O16 - DPF: {D8E1C1B6-5D13-4F13-967F-40F30CDA4D4E} (X9CHATNET24.webchatx9) - http://www.x9chat.net/X9CHAT24.cab
O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C} - http://www.2020search.com/toolbar/2020Search.cab
O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194} - http://bins.roings.com/crack.cab
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: viksra on March 07, 2004, 10:51:27 PM
OK. I tried what you told me to, and I removed all that junk. However, avast says that the trojan is still there. This time, when I continued the search, it also found this:

Win32:Trojan-gen. {UPX!}
c:\WINDOWS\TEMP\trz6314.TMP
0403-2, 03/05/2004


So now I have the 2 trojans on my PC. Please help me get them off. I tried deleting them in Safe Mode, but that didn't work. And I don't use System Restore.
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: whocares on March 08, 2004, 10:05:38 AM
Hi,
please read the above postings again, there is some more advice, e.g. scanning the PC/the file(s) with online scanners from Trend, RAV & KAV; also scan/update/fix with Ad-aware, Spybot and CWShredder

AFTER that, post a new HijackThis log here, if the trojan still exists outside of System Restore

P.S.: When you disable System RESTORE PROPERLY!! on Win ME, imho there shouldn't be ANY restore points/files left in the restore folder...
check if it's really disabled (did you reboot after disabling it)?
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: viksra on March 08, 2004, 09:00:57 PM
I already read the above messages. I did all of that. I've done it multiple times. I think I found what is causing these IE dialogs to popup... easywarez.com. I got a file from http://www.hackology.com/programs/mbhttpbf/ginfo.shtml to test out on my web server, and ever since I installed that, I have been getting all these popups. It also didn't install an uninstall to the program, and it doesn't show up under the "Add/Remove Programs" window. How can I get rid of that thing? This is really annoying now. I've had a "popup" pop up advertising for porn, free games, and one that even had a huge hand pointing at me done in ASCII. I don't want any of that junk. Any suggestions on how to remove it?

-viksra
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: whocares on March 09, 2004, 08:30:02 AM
onlinescanners from Trend, RAV & KAV; also scan/update/fix with ad-ware, spybot and cwshredder

AFTER that, post a new hijackthis-log here,

you did it all ? how about telling us some details about the results then ?  ;)

describe the popups; are those normal browser popups, or grey (blue) popups of the Windows Messenger service? You can disable the latter via config -> services

what about the hijackthis-log ? ;)
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: viksra on March 09, 2004, 09:23:22 PM
I have attached a picture of the dialog window that pops up. This comes up even when I have not gone to any websites. There are 3 other dialogs that I have seen, one for adult websites, another for "failed to download", and a third with a big hand pointing at me like in the famous poster of Uncle Sam.
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: viksra on March 09, 2004, 09:26:36 PM
Uh.... what do you know. Here are the other two. One more still hasn't popped up yet.
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: viksra on March 09, 2004, 09:27:21 PM
After clicking OK, the "Add to Favorites" window pops up.
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: whocares on March 09, 2004, 10:21:46 PM
Hi,
(either you have to block popups for easywarez.com)

or disable the messenger/message service ("Nachrichtendienst") via control panel -> computer administration -> services

Detailed instructions probably available via the board search or Google.

I can only supply a German link with "graphical" instructions:
http://www.trojaner-info.de/nachrichtendienst/index.html
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: viksra on March 10, 2004, 04:08:17 AM
No, and no. I told you the program that is causing it. I don't have the Messenger service installed on my computer (Windows Messenger). I also am not getting popups from easywarez.com. As I said, I installed this exe: http://ns13.eb1.biz/~clickont/mbhttpbf.exe and now I am getting the popups. I believe it set up a server on my PC to target me with those ads. Please help.
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: whocares on March 10, 2004, 12:09:02 PM
Kaspersky says: mbhttpbf.exe infected by "Backdoor.DSSdoor.b" Virus.
please send the file to:
virus (at) asw (dot) cz

Info and removal instructions:
VGREP (http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=Backdoor.DSSdoor.b&product=4)

to clean up, it'd also help, if you'd post a NEW hijackthis logfile
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: viksra on March 10, 2004, 10:13:03 PM
I don't see the instructions to remove the trojan on the link that you have provided me.

Logfile of HijackThis v1.97.7
Scan saved at 4:10:35 PM, on 3/10/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SONY\VAIO ACTION SETUP\VASERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
D:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/v5/home/0,1793,218,00.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - D:\PROGRAM FILES\FLASHCAPTURE\FCBHO.DLL
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\tcposmod.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MSNIA] C:\PROGRA~1\MSN\MSNIA\MSNIASVC.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O8 - Extra context menu item: Save F&lash with FlashCapture - res://D:\PROGRAM FILES\FLASHCAPTURE\FCIEXT.DLL/FCIEXT.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashCapture (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37877.9345023148
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://activex.microsoft.com/controls/vb6/ComDlg32.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn-int.com/components/ocx/exterior/Outside.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn-int.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {AD0E37CE-0A0E-4183-83E9-902CC84A4185} (RootInstaller Class) - http://adreport.msn.com/ExternalObjects/rootinst.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: ChatSpace Java Client 3.1.0.212 - http://81.129.115.213/Java/cms31212.cab
O16 - DPF: {D77A4E5C-017B-4084-8704-8C84041CF11E} (IRCWEBCHATv10.IRCWEBCHAT) - http://www.ircwebchat.net/ircdemo2.cab
O16 - DPF: {DC9CA6A0-B8DB-4457-8E02-559A3D453624} (WebWand.WandMain) - http://www.wizardsroom.com/WebWand.CAB
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED} - http://www.popmonster.com/control/src/iefeatures.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C} - http://www.2020search.com/toolbar/2020Search.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingstone.com/cab/98ME/bridge.cab
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: whocares on March 10, 2004, 10:58:11 PM
Hi,
seems like you didn't fix all the HJT entries Raman told you to:

start the PC in Safe Mode (F8 boot), then fix the mentioned items, ESPECIALLY:
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\tcposmod.exe
check with Task Manager if you can find & kill the related process

Also fix/delete all your O16 - DPF entries, as it's a bit too cluttered there

then rerun HijackThis and check the log again (still in Safe Mode)

VGREP: you have to try all links, then you would have got e.g. here:
http://www.sophos.com/virusinfo/analyses/trojdssdoorb.html

also run online scanners from
www.trendmicro.com
www.ravantivirus.com
www.bitdefender.com
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: whocares on March 10, 2004, 11:05:04 PM
P.S.: please first send in the file:
C:\WINDOWS\tcposmod.exe

to virus (at) asw (dot) cz
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: viksra on March 11, 2004, 01:33:08 AM
OK. I am a newbie. I have no idea what you are talking about when you say "HJT", because I don't see anything that says "HJT" in the log. Also, when you say FIX, do you mean "ticking" them in HijackThis? I just checked Task Manager by pressing Ctrl + Alt + Del to see if TCPOSMod.exe was running, and I don't see it. Can you copy & paste the exact things that I am supposed to delete for me? It would be greatly appreciated.
http://www.sophos.com/virusinfo/analyses/trojdssdoorb.html is down and says "The page cannot be displayed", along with many of the other links on that website. I know it's not a bandwidth issue, as I am on a cable modem. I'll run those online scanners. I'll also e-mail that file to them.
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: whocares on March 11, 2004, 08:06:05 AM
You should disable your System Restore (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm), fix these things [.. meaning check the boxes at the start of the relevant lines and click "Fix checked" ..]:

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [DSS] C:\WINDOWS\tcposmod.exe

O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C} - http://www.2020search.com/toolbar/2020Search.cab

Also check and fix everything that starts with O16 - DPF: {...
and hasn't got Microsoft.com / Msn.com or macromedia.com in the URL name
(especially if you don't know what it is/does;
don't worry, if you should really need any of this, it will be downloaded/installed again next time you visit the respective site) ;)

P.S.: "HJT" should mean "HijackThis"

P.P.S. you have a message with the Sophos info
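A small triage script for the HijackThis log format used throughout this thread, applying the rules the helpers give: extra programs launched from system.ini Shell= and win.ini load=/run=, the O4 autoruns they name, and O16 - DPF entries whose download host is not microsoft.com, msn.com or macromedia.com. It is an added example, not code from the thread or from HijackThis; the watched file names come from the thread, and the lookalike-host line in the sample log is constructed.

```python
"""Triage helper for HijackThis v1.97-style logs, written around the
advice given in this thread: fix F0/F1 lines that launch extra programs
from system.ini/win.ini, fix O4 autoruns for the files the helpers named,
and fix every O16 - DPF entry whose download host is not microsoft.com,
msn.com or macromedia.com."""
import re
from urllib.parse import urlsplit

# Domains whocares treats as acceptable for O16 - DPF (ActiveX) downloads.
TRUSTED_DPF_DOMAINS = ("microsoft.com", "msn.com", "macromedia.com")

# Assumption: only the file names the thread's helpers told the poster to
# fix; a real triage would consult a fuller reputation source.
WATCHED_AUTORUNS = {"tcposmod.exe", "seur.exe", "csrss.exe"}

F0_RE = re.compile(r"^F0 - system\.ini: Shell=(?P<val>.*)$")
F1_RE = re.compile(r"^F1 - win\.ini: (?P<key>load|run)=(?P<val>.*)$")
O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<ctrl>.+?) - (?P<url>\S+)$")


def host_is_trusted(url, trusted=TRUSTED_DPF_DOMAINS):
    """True if the URL's host is one of the trusted domains or a subdomain
    of one.  This is a suffix match on the host, not a substring test on
    the whole URL, so 'microsoft.com' appearing in a path or inside a
    lookalike host name does not pass."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def launched_basename(cmd):
    """Lower-cased file name of the first .exe on an O4 command line.
    Handles quoted paths and unquoted paths containing spaces, such as
    C:\\WINDOWS\\Application Data\\seur.exe."""
    m = re.search(r'([^\\"]+\.exe)', cmd, re.IGNORECASE)
    return m.group(1).lower() if m else cmd.strip().lower()


def shell_extras(value):
    """Programs launched from system.ini Shell= besides Explorer.exe.
    A clean Win9x/ME system has Shell=Explorer.exe and nothing else."""
    return [p for p in value.split() if p.lower() != "explorer.exe"]


def triage_hijackthis(log_text):
    """Return (section, reason, line) tuples for every log line that the
    thread's advice says to fix."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := F0_RE.match(line)):
            extras = shell_extras(m.group("val"))
            if extras:
                findings.append(("F0", "extra program in Shell=: " + " ".join(extras), line))
        elif (m := F1_RE.match(line)):
            target = m.group("val").strip()
            if target:
                findings.append(("F1", f"win.ini {m.group('key')}= launches {target}", line))
        elif (m := O4_RE.match(line)):
            exe = launched_basename(m.group("cmd"))
            if exe in WATCHED_AUTORUNS:
                findings.append(("O4", f"autorun [{m.group('name')}] launches watched file {exe}", line))
        elif (m := O16_RE.match(line)):
            url = m.group("url")
            if not host_is_trusted(url):
                findings.append(("O16", f"ActiveX download from untrusted host {urlsplit(url).hostname}", line))
    return findings


# Constructed sample in HijackThis v1.97 format.  Most lines are taken
# from the logs posted in this thread; the last O16 line is a made-up
# lookalike host (example.invalid) to show why a substring check is wrong.
SAMPLE_LOG = r"""
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Csrss.exe
F1 - win.ini: load=C:\WINDOWS\Csrss.exe
F1 - win.ini: run=
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\tcposmod.exe
O4 - HKCU\..\Run: [Lssr] C:\WINDOWS\Application Data\seur.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37877.9345023148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C} - http://www.2020search.com/toolbar/2020Search.cab
O16 - DPF: ChatSpace Java Client 3.1.0.212 - http://81.129.115.213/Java/cms31212.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Lookalike) - http://microsoft.com.example.invalid/x.cab
"""

if __name__ == "__main__":
    for section, reason, line in triage_hijackthis(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Entries the script leaves alone (SysTray.Exe, the windowsupdate and macromedia downloads, the empty run=) are exactly the ones the helpers did not ask the poster to fix; everything it flags should still be checked by a person before "Fix checked" is clicked.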
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: cloistenbach on March 11, 2004, 10:22:38 PM
I am using Win 98se. I have just run avast! It says I have 4 Trojans......

Virus Name:- Win32:Trojan-gen {other}
File Name:- C:\Windows\System\cd_clint.dll
VPS Version:- 0403-7, 03/11/2004

Virus Name:- Win32:Trojan-gen {UPX!}
File Name:- C:\Windows\System\soundmx.exe
VPS Version:- 0403-7, 03/11/2004

Virus Name:- Win32:Trojan-gen {UPX!}
File Name:- C:\Windows\Temp\trz9380.TMP
VPS Version:- 0403-7, 03/11/2004

Virus Name:- Win32:Trojan-gen {UPX!}
File Name:- C:\Windows\fntldr.exe
VPS Version:- 0403-7, 03/11/2004

I would be grateful if anybody could tell me how to get rid of these things.
Thanks! :)
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: whocares on March 11, 2004, 11:16:36 PM
Hi cloistenbach,

please also read the above postings ...

you either start the PC in Safe Mode (F8 boot) and then let avast delete the files .. and hope for the best that they don't return, or

you scan the files with the Trend online scan & KAV (see below; deactivate the avast shield for this) & remove the trojans according to the instructions from Trend and VGREP

and also scan with Spybot & Ad-aware

Links and further details via board search ;)
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: viksra on March 12, 2004, 08:37:12 PM
This:

Logfile of HijackThis v1.97.7
Scan saved at 2:30:27 PM, on 3/12/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TCPOSMOD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\SONY\VAIO ACTION SETUP\VASERV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
D:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/v5/home/0,1793,218,00.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - D:\PROGRAM FILES\FLASHCAPTURE\FCBHO.DLL
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\tcposmod.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MSNIA] C:\PROGRA~1\MSN\MSNIA\MSNIASVC.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O8 - Extra context menu item: Save F&lash with FlashCapture - res://D:\PROGRAM FILES\FLASHCAPTURE\FCIEXT.DLL/FCIEXT.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashCapture (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37877.9345023148
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://activex.microsoft.com/controls/vb6/ComDlg32.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn-int.com/components/ocx/exterior/Outside.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn-int.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {AD0E37CE-0A0E-4183-83E9-902CC84A4185} (RootInstaller Class) - http://adreport.msn.com/ExternalObjects/rootinst.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: ChatSpace Java Client 3.1.0.212 - http://81.129.115.213/Java/cms31212.cab
O16 - DPF: {D77A4E5C-017B-4084-8704-8C84041CF11E} (IRCWEBCHATv10.IRCWEBCHAT) - http://www.ircwebchat.net/ircdemo2.cab
O16 - DPF: {DC9CA6A0-B8DB-4457-8E02-559A3D453624} (WebWand.WandMain) - http://www.wizardsroom.com/WebWand.CAB
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED} - http://www.popmonster.com/control/src/iefeatures.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C} - http://www.2020search.com/toolbar/2020Search.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingstone.com/cab/98ME/bridge.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006_download.cab

Just got fixed to look like this.....
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: viksra on March 12, 2004, 08:37:36 PM
Logfile of HijackThis v1.97.7
Scan saved at 2:34:25 PM, on 3/12/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TCPOSMOD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\SONY\VAIO ACTION SETUP\VASERV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
D:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/v5/home/0,1793,218,00.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - D:\PROGRAM FILES\FLASHCAPTURE\FCBHO.DLL
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\tcposmod.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MSNIA] C:\PROGRA~1\MSN\MSNIA\MSNIASVC.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O8 - Extra context menu item: Save F&lash with FlashCapture - res://D:\PROGRAM FILES\FLASHCAPTURE\FCIEXT.DLL/FCIEXT.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashCapture (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople


Better?
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: viksra on March 12, 2004, 09:54:15 PM
Yet another virus. Norton AntiVirus 2004 did not detect this for some reason; however, "Avast!" did.

Virus Name: Win95: Matyas
File Name: c:\WINDOWS\Desktop\titanin.exe\PAV.SIG
VPS Version: 0402-2, 02/25/2004

Upon avast! finding the virus, it froze the entire computer.

-viksra
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: Lisandro on March 12, 2004, 09:56:56 PM
False positives again! Win32:Trojan-gen. {UPX!}  >:(  >:(  >:(

I hate this, this is becoming very odd and disgusting...
I cannot use my own files of AutoIt...
I have already scanned them with AVG, Norton, TrendMicro (on-line).
Now the 0403-8 starts this all over again...

This is becoming annoying, I want to know how I can use my 'last', not updated 0403-7 VPS file... How can I 'uninstall' a VPS update... I think I'll have to use the manual update  :P
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: viksra on March 12, 2004, 10:10:06 PM
whocares, everything that you said was just as it is. Now how do I reverse the changes made, since I wasn't told where netstat.exe originated from? Was it from the C:\Windows\System directory? The C:\windows\System32 directory? Also, there is a NETSTAT.exe in the C:\windows\ folder already, along with the readme-net.doc, which is hidden. Do I delete the NETSTAT.exe and then rename readme-net.doc to NETSTAT.exe and move it somewhere? I also just deleted the "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DSS" key.

-viksra
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: whocares on March 13, 2004, 03:21:26 PM
did you delete this tcposmod thingy from disk, too?

scan the netstat.exe and other files in question with KAV (see below) and delete them if infected

you could replace netstat with Win's SFC function:
search and navigate to sfc.exe and open a DOS window in the folder there:
enter:
sfc /?
to get an idea of the function and options (replaces changed system files with correct copies)

what does the sophos info say about the netstat-problem?

Title: Re:Win32:Trojan-gen. {UPX!}
Post by: viksra on May 26, 2004, 11:22:54 PM
Hey, this is my friend's computer's HijackThis log... his computer is really messed up with a lot of junk on it. As soon as you open Internet Explorer, even if the homepage is set to google.com or any website with no popups, there are about 11 popups that pop up. Please tell me what he needs to get rid of so I can let him know:

Logfile of HijackThis v1.97.7
Scan saved at 10:52:15 PM, on 5/24/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\S3apphk.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\program files\altnet\points manager\points manager.exe
C:\PROGRA~1\RULEKN~1\bitsmathhope.exe
C:\Documents and Settings\jmmy.jms@verison.net\Application Data\eber.exe
C:\Program Files\America Online 7.0e\aoltray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\AIM95\aim.exe
C:\Documents and Settings\jmmy.jms@verison.net\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://awebfind.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://awebfind.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omega-search.com/panel_search.html
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {037B1E83-11FC-FCC6-CDB3-E3DAD5F25A15} - C:\PROGRA~1\HOLESU~1\Grey up.dll (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-AA8E-8E1CA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrs0108.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Platform 16 sign - {E275267E-44FA-06A3-CD54-1AE88C25C0EB} - C:\PROGRA~1\HOLESU~1\Grey up.dll (file missing)
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe" -l
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [Loudidle] C:\PROGRA~1\RULEKN~1\bitsmathhope.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0e\aoltray.exe
O4 - Global Startup: winlogon.exe
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: Control Pad (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O13 - DefaultPrefix: http://www.msn.com@showresult.com/search.php?
O13 - WWW Prefix: http://www.msn.com@showresult.com/search.php?
O16 - DPF: {0D676488-AEB4-455D-9A8F-4E241092A0F0} - http://www.cursorzone.com/cursors/Butterfly_ani_setup_td035.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

thanks!
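The log above is the kind a helper triages by eye: the start page and search settings point at a host the owner never chose, the hosts file sends MSN's search domain to an outside address, a "winlogon.exe" sits in the All Users Startup folder (the real one is started by the system, never from a Startup folder or Run key), an executable runs out of a user's Application Data directory, and the O13 prefix uses the `http://www.msn.com@showresult.com/` trick, where everything before the `@` is user-info and the browser actually connects to showresult.com. As an added example (editor's code, not part of the thread and not HijackThis itself), here are those checks written down as a small Python triage script. The sample lines are copied from the XP log above; the rules, the two severity levels, the `triage` function name and its helpers are my own assumptions, and the rules only encode the patterns visible in this log rather than a full malware catalogue.

```python
"""Triage rules for HijackThis-style log lines. Added example, not code from the
thread or from HijackThis; sample lines are copied from the XP log above, the rules,
severities and names below are the editor's own assumptions."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Finding:
    line: str       # the log line that triggered the finding
    severity: str   # "high" (remove/quarantine) or "review" (verify by hand)
    reason: str

# Core Windows binaries started by the kernel/smss, never by a Run key or a Startup folder.
SYSTEM_NAMES = {"winlogon.exe", "explorer.exe", "svchost.exe", "lsass.exe",
                "csrss.exe", "services.exe", "smss.exe"}
# Path fragments under which legitimate autostart software does not live.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\",
                 "\\application data\\", "\\local settings\\")
KNOWN_TOOLS = {"hijackthis.exe"}            # the analyst's own tool, unpacked into Temp
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<name>\S+)$")

# Constructed sample: a few process-list and entry lines copied from the log above.
SAMPLE_LOG = r"""
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\jmmy.jms@verison.net\Application Data\eber.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Documents and Settings\jmmy.jms@verison.net\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://awebfind.biz/
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O2 - BHO: (no name) - {037B1E83-11FC-FCC6-CDB3-E3DAD5F25A15} - C:\PROGRA~1\HOLESU~1\Grey up.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: winlogon.exe
O13 - WWW Prefix: http://www.msn.com@showresult.com/search.php?
"""

def _basename(cmd):
    """Executable file name of a command string, ignoring quotes and arguments."""
    cmd = cmd.strip().strip('"')
    m = re.match(r"^(.*?\.exe)", cmd, re.I)
    return (m.group(1) if m else cmd).rsplit("\\", 1)[-1].lower()

def _path_findings(cmd, line, context, autostart):
    low, name, out = cmd.strip().strip('"').lower(), _basename(cmd), []
    if any(frag in low for frag in USER_WRITABLE):
        out.append(Finding(line, "high", f"{context}: runs from a user-writable profile/temp directory"))
    if name in SYSTEM_NAMES and (autostart or not low.startswith("c:\\windows\\")):
        out.append(Finding(line, "high", f"{context}: system binary name {name} where the real one never runs"))
    return out

def _setting_findings(body, line, expected):
    value = body.partition(" = ")[2].strip()       # 'HKLM\...,Start Page = http://...'
    host = (urlsplit(value).hostname or "").lower() if "://" in value else ""
    if host and host not in expected:
        return [Finding(line, "review", f"browser setting points at unexpected host {host}")]
    return []

def _hosts_findings(body, line):
    m = HOSTS_RE.match(body)
    if m and m.group("ip") not in LOOPBACK:
        return [Finding(line, "high", f"hosts file sends {m.group('name')} to {m.group('ip')}")]
    return []

def _component_findings(body, line, context):
    out = []
    if "(file missing)" in body:
        out.append(Finding(line, "review", f"{context}: registered DLL is missing, stale entry worth removing"))
    elif "(no name)" in body:
        out.append(Finding(line, "review", f"{context}: unnamed component, verify the DLL's publisher"))
    return out + _path_findings(body.rsplit(" - ", 1)[-1], line, context, autostart=False)

def _autostart_findings(body, line):
    key, _, rest = body.partition(": ")            # 'HKLM\..\Run: [Name] cmd' or 'Startup: x.lnk = path'
    cmd = re.sub(r"^\[[^\]]*\]\s*", "", rest)
    cmd = cmd.split(" = ", 1)[1] if " = " in cmd else cmd
    return _path_findings(cmd, line, f"autostart ({key})", autostart=True)

def _prefix_findings(body, line):
    parts = urlsplit(body.partition(": ")[2].strip())
    if "@" in parts.netloc:                        # http://trusted.name@real.host/ trick
        return [Finding(line, "high", f"URL prefix hides the real destination {parts.hostname} behind a fake user-info part")]
    return [Finding(line, "review", f"non-default URL prefix routes typed addresses through {parts.hostname}")]

def triage(log_text, expected_hosts=frozenset()):
    """Return Findings for one log: process-list lines plus R/O entries."""
    expected = frozenset(h.lower() for h in expected_hosts)
    handlers = {"R0": lambda b, l: _setting_findings(b, l, expected), "O1": _hosts_findings,
                "O2": lambda b, l: _component_findings(b, l, "BHO"), "O4": _autostart_findings,
                "O3": lambda b, l: _component_findings(b, l, "toolbar"), "O13": _prefix_findings}
    handlers["R1"] = handlers["R0"]
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if PATH_RE.match(line):                     # "Running processes:" section
            if _basename(line) not in KNOWN_TOOLS:
                findings += _path_findings(line, line, "running process", autostart=False)
        elif (m := ENTRY_RE.match(line)) and m["sec"] in handlers:
            findings += handlers[m["sec"]](m["body"], line)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run against the sample it reports eight findings, six of them "high": the Application Data executable, the stray winlogon.exe (twice, once as a process and once as a Startup item), the hosts redirection and the `@`-prefix hijack; the awebfind.biz start page and the missing BHO DLL come back as "review". Pass the owner's real home page hosts as `expected_hosts` to silence the R0/R1 rule for them. The script deliberately does not judge entries like the `bitsmathhope.exe` Run key by name alone; for those the scan-and-verify advice earlier in the thread (KAV, Trend, Spybot) still applies, which is why the output is a work list rather than a verdict.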
Title: Re:Win32:Trojan-gen. {UPX!}
Post by: whocares on May 27, 2004, 01:11:29 PM
Hi viksra,

please edit/delete your last posting, and make a new topic with this HijackThis log; it gets too cluttered and mixed up here..

and please also first try the other advice, like online scanners trend, rav, kav & Spybot, ad-aware, cwshredder on your friend's problem PC ;)