Author Topic: win32:trojan-gen  (Read 16867 times)


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31072
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: win32:trojan-gen
« Reply #15 on: February 02, 2005, 05:11:51 PM »
stumpie and Ka Honu,

Click on the link in my signature and follow the instructions in the malware removal section.

stumpie

  • Guest
Re: win32:trojan-gen
« Reply #16 on: February 03, 2005, 06:19:59 AM »
Ok, I got rid of it. Computer is working fine. I'm going to copy and paste what I did from another web site. I did what it said to do TWO TIMES just to make sure. What a PAIN this has been... But it's gone!!!! Here ya go. Good luck...

FINALLY got it gone!
Here is what I had to do that actually worked in XP.
Open the task manager (CTL ALT DEL), go to "processes". Highlight and end process for any process shown as "websiteviewer", a number such as "127021.exe", "dialer.wsv" and the main culprit "prvdi.exe". You may not have all of them.
Then search the computer for any files that have those names, and delete them. Then empty your recycle bin. Next search the registry (click "find", then "on this page") for all the files and delete any found. (Pushing the F3 key continues the search after one is found.)
Search computer files (including the system files) and the registry files twice to make sure you got it all, recheck the task manager to make sure they haven't shown up again (if so, start over!), then shut off your computer by disconnecting the power. Do not shut off normally or it could come back. Plug it back in and you should be set to go.



KAZZER

  • Guest
Re: win32:trojan-gen
« Reply #17 on: February 03, 2005, 04:48:58 PM »
I had win32:trojan-gen{other} in my volume files and could NOT get rid of it despite deleting and chesting my files on avast. I came on one of your forums earlier and got a link to McAfee system restore info. I followed the advice to turn off sys restore, reboot the computer, then turn on sys restore, and hey presto, no more trojan. It's gone. Hope this is some help to anyone with this trojan.

ejlog

  • Guest
Re: win32:trojan-gen
« Reply #18 on: February 05, 2005, 04:09:54 AM »
Hello, I am back. I thought the C:\windows\system32\dload.exe win32:trojan-gen was gone from my computer but it's back. Here is my HijackThis log. Any ideas what I can do?

Logfile of HijackThis v1.98.2
Scan saved at 10:08:03 PM, on 2/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\D-Link AirPlus\AIRPLUS.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Stamps.com Internet Postage\ipostage.exe
C:\Documents and Settings\Eric Logan\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: HomePageCtrl Class - {1B9CB0F8-118B-49C1-956D-B703E976F8E3} - C:\Program Files\STHomePage\STHomePage2.dll
O2 - BHO: STLinksCtrl Class - {B54BFA47-D897-49CA-9657-05EC9F80A32B} - C:\Program Files\STLinks\STLinks2.dll
O2 - BHO: STIEbarBHO Class - {D797AD6C-6447-4DB4-91D0-090344408E72} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
O3 - Toolbar: 0CAT Yellow Pages - {679695BC-A811-4A9D-8CDF-BA8C795F261A} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\prvdi1.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\prvdi1.exe
O4 - Global Startup: D-Link AirPlus Utility.lnk = ?
O9 - Extra button: My button - {47FE5D70-9AA2-40F1-9C6B-12A255F085EA} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
O9 - Extra 'Tools' menuitem: My menu - {47FE5D70-9AA2-40F1-9C6B-12A255F085EA} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/3_0_0_804/sdcregie.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.com/download/us/cab/stamps/stamps.cab?r=0.409881591796875&file=stamps.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E64CE83-A0DE-4AFA-B072-A53A3C7E862C}: NameServer = 192.168.0.1,4.2.2.2
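
An added example, not part of the original posts: a small triage script that pulls the registry autostart (O4) lines out of a HijackThis log and keeps those whose target matches a file name reported in this thread. The function names and the name filter are assumptions made for this illustration; the sample lines are copied from the log above.

```python
import re
from pathlib import PureWindowsPath

# O4 autostart lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\prvdi1.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\prvdi1.exe
O4 - Global Startup: D-Link AirPlus Utility.lnk = ?
"""

# Matches registry autostart lines: hive, key, value name, command.
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")

# File names posters in this thread reported (assumption: used here only as a
# triage filter for this thread, not as a general indicator list).
THREAD_NAMES = re.compile(
    r"^(prvdi\d*\.exe|dload\.exe|\d+\.exe|dialer\.wsv|websiteviewer(\.\w+)?)$",
    re.I)

def parse_autoruns(log_text):
    """Return (hive, key, value_name, command) for each registry O4 line."""
    rows = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows

def target_name(command):
    """Best-effort file name of the launched program, ignoring arguments."""
    m = re.match(r'"([^"]+)"|(.+?\.\w{2,4})(?=\s|$)', command)
    path = (m.group(1) or m.group(2)) if m else command
    return PureWindowsPath(path).name

def flag_entries(rows):
    """Keep autostart rows whose target matches a name from the thread."""
    return [r for r in rows if THREAD_NAMES.match(target_name(r[3]))]

if __name__ == "__main__":
    for hive, key, name, cmd in flag_entries(parse_autoruns(SAMPLE_LOG)):
        print(f"{hive}\\...\\{key}  [{name}]  ->  {cmd}")
```

On the sample it reports the same "Windows Service" value under both HKLM and HKCU, so both Run values have to be checked when cleaning up.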


Offline Eddy

Re: win32:trojan-gen
« Reply #19 on: February 05, 2005, 04:22:43 AM »
See reply 15 in this thread for what to do.

ejlog

  • Guest
Re: win32:trojan-gen
« Reply #20 on: February 06, 2005, 12:47:16 AM »
I have followed all the steps. My system restore is disabled to scanning the system in safe mode and removing any spyware, adware, and viruses. Then I rebooted normally and within 20 minutes or so I get the dload.exe and some new ones now. One is called 127057.exe.

So when I run these adware and virus scans, they are detected and removed, but within time they are back. What else can I do?

ejlog

  • Guest
Re: win32:trojan-gen
« Reply #21 on: February 06, 2005, 11:31:28 PM »
bueller?  bueller?

davidtrent

  • Guest
Re: win32:trojan-gen
« Reply #22 on: March 06, 2005, 11:40:17 PM »
A newbie to this forum but not to avast, and I tell you I feel let down on one PC only... Out of 4 PCs, the one with Home XP is the one that has this exploit, and all the gurus with all the grand HijackThis advice... I really thought that's what anti-virus was for... stopping this nagging worm, not telling you after the fact it's already in system restore. We have all the PCs updated and have installed spybot s&d and adaware se pro and a2 and a2 hyjack free and start-up guard and and and and too many to list, with avast updated. We have done enough to remove all of the files, and for days it's gone, and without anyone even navigating from the home page for days, BAM, it's back. So I'll just click to chest it and wait patiently for avast or microsoft ( ha ha ) to get it in gear and sew up this hole... ( hint you guys at avast )

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89670
  • No support PMs thanks
Re: win32:trojan-gen
« Reply #23 on: March 07, 2005, 12:33:53 AM »
Quote
So i'll just click to chest it and wait patiently for avast or microsoft ( ha ha ) to get it in gear  and sew up this hole....( hint you guys at avast )

Hint - without information it is extremely difficult to resolve your problem.

- Is your OS up to date?
- What avast! version and VPS file (virus database) number, e.g. 0436-4 (see about avast!)
- What was the virus name, what was the filename, where was it found
  example (C:\windows\system32\infected-filename.xxx)?
- What actions have you taken to try and resolve the problem?

avast is catching it, if it is being reported as win32:trojan-gen - what avast can't do is stop your system being attacked - and it would appear it is detecting it when it comes back, avast can't/doesn't stop it coming back.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security