Author Topic: win32:trojan-gen  (Read 14467 times)

onejiz8

  • Guest
Re: win32:trojan-gen
« Reply #15 on: August 16, 2008, 04:05:39 AM »
jtaylor83, I need to download the program to a disk first because I can't access the internet from safe mode; I tried. But I haven't had any problems with the computer, like noise and stuff. Just doing this is so time consuming, man. I fell asleep during a scan and woke up to it being done.

wyrmrider

  • Guest
Re: win32:trojan-gen
« Reply #16 on: August 16, 2008, 05:17:00 AM »
I think we meant for you to complete ONE of the AV scans
and all we found was a tracking cookie
good job
get some sleep
on Tech's list
either Super Antispyware or #5 check for rootkits

On the avast off question I'm with DavidR.

I did not know that TrendMicro wanted Avast removed - thanks.

Which program are you trying to download?

onejiz8

  • Guest
Re: win32:trojan-gen
« Reply #17 on: August 16, 2008, 10:15:39 AM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:08 AM, on 8/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\StartAutorun.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMProcess.exe
C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://roadrunner.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [KMCONFIG] C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\StartAutorun.exe KMConfig.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1218835128594&h=70874d75b11a3fdba7d4c1320a8cdd45/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 7057 bytes
« Last Edit: August 16, 2008, 10:20:45 AM by onejiz8 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89362
  • No support PMs thanks
Re: win32:trojan-gen
« Reply #18 on: August 16, 2008, 04:10:26 PM »
Tracking cookies aren't a security issue but a minor privacy one; periodically cleaning out your cookies is more than enough.

What entries are you talking about?
The avast logger (if you mean the avast log viewer) is a list of historical data of the activity, scans, detections, etc. that have been made, and any data in there is just that, text data; it isn't the file or a new detection.

If they are reporting your system is clean and an avast scan doesn't detect anything then your system is clean.

Or are you saying avast is still detecting something?
If so, what is the file name, location and malware name of the detection (e.g. the same as the original post, etc.)?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

onejiz8

  • Guest
Re: win32:trojan-gen
« Reply #19 on: August 17, 2008, 08:00:10 AM »

DavidR, here's my info:

8/12/2008   7:39:10 PM   1218595150   Jesse   1584   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Jesse\Local Settings\Temporary Internet Files\Content.IE5\TKOT536F\load[1].exe" file. 
8/12/2008   7:42:33 PM   1218595353   Jesse   1584   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\~.exe" file. 
8/12/2008   7:42:52 PM   1218595372   Jesse   1584   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\~.exe" file. 
 

These entries are in my avast log viewer, in the warning section. When I was on the web, an avast pop-up said malware found, and this is where avast stuck them. I just figured, since it said sign of trojan-gen, I might have had a virus, so I've been doing all this scanning, but every time it says the computer is fine, except one time it said it found malware or cookie found, and I installed that spyware program and it just said the threats were cookies, quarantine them, so I did. The computer has been working fine, and no problems that day on the web with that trojan-gen thing, so I guess I've been sweating over nothing. That's everything.

Offline DavidR

Re: win32:trojan-gen
« Reply #20 on: August 17, 2008, 03:51:35 PM »
These entries don't present any security issue; they are just the contents of a text file to store historical information, so it can be displayed by the avast log viewer. They date back to 8/12/2008 and as such are not current detections.

When you are browsing and the web shield detects malware it only gives one option, 'Abort Connection' (see image; was this what you saw?). This stops the infected file from being saved to your browser cache and subsequently displayed or run by your browser.

So it looks like you have no current issues; having run SAS seems to also confirm this.
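
As an added example (not part of the thread and not avast's own tooling), this Python parses the three log-viewer lines from Reply #19 and makes the point above checkable: each line is a dated record, and only a path that still exists on disk needs a rescan. The column layout and the names `parse` and `triage` are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# The three log-viewer lines quoted in Reply #19, copied from the thread.
LOG = r'''
8/12/2008   7:39:10 PM   1218595150   Jesse   1584   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Jesse\Local Settings\Temporary Internet Files\Content.IE5\TKOT536F\load[1].exe" file.
8/12/2008   7:42:33 PM   1218595353   Jesse   1584   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\~.exe" file.
8/12/2008   7:42:52 PM   1218595372   Jesse   1584   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\~.exe" file.
'''

# Assumed layout: date, time, Unix timestamp, user, a numeric field, message.
LINE = re.compile(
    r'^\S+\s+\S+ [AP]M\s+(?P<epoch>\d+)\s+(?P<user>\S+)\s+\d+\s+'
    r'Sign of "(?P<name>[^"]+)" has been found in "(?P<path>[^"]+)" file\.')

def parse(log):
    """Yield (utc_time, detection_name, path) for each warning line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            when = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)
            yield when, m["name"], m["path"]

def triage(log, now, exists):
    """Group records by path; a record is history unless the file still exists."""
    report = {}
    for when, name, path in parse(log):
        key = path.lower()               # Windows paths are case-insensitive
        entry = report.setdefault(key, {"name": name, "hits": 0, "last": when})
        entry["hits"] += 1
        entry["last"] = max(entry["last"], when)
    for path, entry in report.items():
        entry["age_days"] = (now - entry["last"]).days
        entry["status"] = "rescan file" if exists(path) else "history only"
    return report

if __name__ == "__main__":
    import os
    now = datetime.now(timezone.utc)
    for path, e in triage(LOG, now, os.path.exists).items():
        print(f'{e["status"]:12} {e["hits"]}x  {e["age_days"]}d old  {path}')
```

Run on the affected machine, the `exists` check uses the real file system; a path reported as "rescan file" is the only kind of entry that calls for a targeted scan.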

onejiz8

  • Guest
Re: win32:trojan-gen
« Reply #21 on: August 19, 2008, 11:39:01 PM »
Yeah, from what I can remember it was that. It would only give one option and wouldn't do anything else but say disconnect your computer from network to prevent further infection, and I was starting to panic because it said infection. So this means I can delete them if they're just historical info. Thanks for all your help, DAVIDR. What's running a SAS?

Also, Tech from the avast forum told me to scan the computer through RunScanner before I got this info from you, and I found some of what they call red area items that are not safe, and at the end of the red files highlighted it says files not found. On the same page it says before I try to use the fix items button, consult an expert. Are you familiar with this?

Offline DavidR

Re: win32:trojan-gen
« Reply #22 on: August 19, 2008, 11:58:03 PM »
The alert isn't actually telling you to disconnect your computer; each page you visit makes a connection of sorts to download the files, images, etc. on that page, and the Abort connection it is talking about is that page, and the web shield takes care of that. You can close that page and carry on browsing.

Those old detections you posted will be in the Infected Files section of the chest where they can do no harm, assuming you sent them to the chest.

If so, there is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

SuperAntiSpyware, a.k.a. SAS, is an anti-spyware scanner and you have it installed; it means run an SAS scan.

onejiz8

  • Guest
Re: win32:trojan-gen
« Reply #23 on: August 20, 2008, 04:07:17 AM »
DAVIDR,
Well, that day I disconnected from the ethernet wire. I didn't get a chance to move any of them to the virus chest. The only files in my chest are kernel32.dll, 2 times, date 4\16 and 8\4, and winsock.dll, date 8\23, 1 time, wsock32.dll, date 8\4, 1 time. They show up in the system files section and the all chest files section; all say no virus. Thing is, the dates on these don't match up with the others on 8\12. Oh yeah, I installed SAS and scanned the comp after I deleted all cookies, temp and history, then scanned, and the computer says all good. But since this all happened it's been at least two weeks. Just the only thing that throws me off is the dates.

Offline DavidR

Re: win32:trojan-gen
« Reply #24 on: August 20, 2008, 03:31:59 PM »
You won't get an option to send them to the chest as they aren't on your system, they were intercepted by the web shield.

Please don't use the All chest files (I really wish they would remove this view) as it just confuses the hell out of people; it isn't a section of the chest, just a collation of the three sections of the chest displayed as one view.

The chest as I said is in three parts:
1. Infected Files, self explanatory and really the only part you are interested in.

2. User Files, this allows the user to add suspect files (not detected by avast) to the chest where they can do no harm and from here they can be sent for analysis by Alwil.

3. System Files, these are back-up copies of important system files (all the ones you mentioned, leave them alone) that avast can use in the event of the original being infected. The dates are related to when avast made the back-up copy, you may have more than one version of those files as when they are updated (windows update, etc.) avast will take another copy.

onejiz8

  • Guest
Re: win32:trojan-gen
« Reply #25 on: August 20, 2008, 08:45:07 PM »
Thanks DavidR, and to everyone else, wyrmrider, Tech, and jtaylor83, for your advice and help along the way.

Offline DavidR

Re: win32:trojan-gen
« Reply #26 on: August 20, 2008, 10:40:04 PM »
You're welcome.