Author Topic: Win32:Trojan-gen. {UPX!}  (Read 10137 times)


The Mighty Yam

  • Guest
Win32:Trojan-gen. {UPX!}
« on: February 22, 2005, 08:05:22 PM »
Hi all,

I need some help.

My system seems to be infected with a virus Win32:Trojan-gen. {UPX!} (my Avast On-Access scanner picks it up).

The problem is that when it is detected (e.g. file name C:\DOCUME~1\MARKAD~1\LOCALS~1\Temp\winF.tmp) and I delete it, the same virus is detected again and again just in a different .tmp file.

I have tried running a boot scan and also the latest version of Ad-Aware SE. I take all the suggested action and the system appears to be clean. But every time I open Internet Explorer, the virus is detected again.

WHAT DO I DO!!!?

Thanks in advance for your help!

(p.s. I am running Windows XP and IE version 6.)

(p.p.s. I am afraid I am not very technically minded and so I'll need straightforward instructions)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89362
  • No support PMs thanks
Re: Win32:Trojan-gen. {UPX!}
« Reply #1 on: February 22, 2005, 08:36:47 PM »
A good place to start is - Advice & Tools for virus/trojan/malware Removal & Prevention get back to us if you need more help.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

The Mighty Yam

  • Guest
Re: Win32:Trojan-gen. {UPX!}
« Reply #2 on: February 23, 2005, 07:26:36 PM »
Thanks... but I am not getting too far...

I have tried avast CLEANER but that does not find anything while my On-Access scanner still does.

I have tried to clear all TEMP folders (via drive CleanUp AND manually), empty the Temporary Internet Files folder(s) (via IE -> Extras -> Internet options -> Delete files, including OFFLINE files!!) and empty the Java cache (Control Panel -> Java Plug-in -> Cache).

I have also tried disabling system restore, INCLUDING a REBOOT!!

Have just logged onto the internet and have Win32:Trojan-gen. {UPX!} at the location C:\DOCUME~1\MARKAD~1\LOCALS~1\Temp\win2.tmp. If I delete it, move/rename it or move it to the chest, a new .tmp file at the same location comes up as being infected.

I am slightly concerned!!!



Offline DavidR
Re: Win32:Trojan-gen. {UPX!}
« Reply #3 on: February 23, 2005, 09:07:13 PM »
Is your OS and Browser fully up to date with all relevant security updates?

1. The avast virus cleaner is a specialist tool that deals with a very limited number of true viruses. That is why the main scan can detect more malware.
2. Clear your browser cache and Temp folders.
3. Schedule a boot-time scan from within avast.



Part of the instructions on the link I gave were for Eddy's website; I think you should visit that with a view to running HijackThis. On Eddy's Website click the "HiJackThis Section" and also the "Malware removal instructions and applications" section, follow the directions there and get back to us if you need more help....

PhilD

  • Guest
Re: Win32:Trojan-gen. {UPX!}
« Reply #4 on: February 24, 2005, 12:36:07 AM »
The originator wrote
====================================================
Hi all,

I need some help.

My system seems to be infected with a virus Win32:Trojan-gen. {UPX!} (my Avast On-Access scanner picks it up).

The problem is that when it is detected (e.g. file name C:\DOCUME~1\MARKAD~1\LOCALS~1\Temp\winF.tmp) and I delete it, the same virus is detected again and again just in a different .tmp file.

I have tried running a boot scan and also the latest version of Ad-Aware SE. I take all the suggested action and the system appears to be clean. But every time I open Internet Explorer, the virus is detected again.

WHAT DO I DO!!!?

Thanks in advance for your help!

(p.s. I am running Windows XP and IE version 6.)

(p.p.s. I am afraid I am not very technically minded and so I'll need straightforward instructions)


========================================================

I think/hope that I have just got this off my system. I did it by deleting, in DOS, a file named XEJHE.EXE in the root directory of the main system drive C:. NOTE: I am running W98SE, I don't know how you would do the equivalent under XP.

I discovered it via a combination of three utilities:

- avast!, which was reporting the problem as described above (Win32:Trojan-gen. {UPX!})

- Sysinternals Process Explorer, which showed XEJHE starting up and stopping, and I knew not what it was

- Metaproduct's StartUp Organiser, which reported a peculiar new entry in the registry, 3MyFqGXrc, with the path to the XEJHE.EXE. This was placed in Registry/AllUsers/Run; I removed this entry and then IMMEDIATELY exited to DOS and deleted the aforementioned file.

Hope this helps. Oh, I suspect the filename XEJHE.EXE might be randomly generated, i.e. it might be GT9JK.EXE on your system, same with the registry tag, but it was the latter with its reference to XEJHE.EXE that confirmed my suspicions.

I am running a full thorough scan at the moment and all those dodgy files in the temp directories are being picked up, but by killing the XEJHE.EXE file I think I eliminated the program that was spawning the "virus" infections into the temporary directories.

Hope this helps

rgds PhilD

The Mighty Yam

  • Guest
Re: Win32:Trojan-gen. {UPX!}
« Reply #5 on: March 03, 2005, 11:49:15 PM »
Dear All,

HELP! I have disabled system restore, rebooted and run a boot time Avast scan. It was clear. I then ran another scan post boot up. It was clear. I ran Ad-Aware. It was clear. I ran CWShredder 2.13. THAT was clear. I ran Bazooka. That was clear. I ran Avast Virus Cleaner. Nothing there either. So then I emptied my temp files, internet history etc. and set a system restore point.

As soon as I connect to the internet, C:\DOCUME~1\MARKAD~1\LOCALS~1\Temp\win1B.tmp is infected with Win32:Trojan-gen. {UPX!}. Whatever action I take (i.e. move it to the chest etc) another infected .tmp file takes its place at the same location.

I am not sure if it is related but when I run task manager, I have about six versions of SVCHOST.EXE running. Is that right????

I have posted my Hijack This log in the vain hope that someone can help fix this.

Logfile of HijackThis v1.99.1
Scan saved at 22:39:13, on 03/03/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SYSTEM32\msupdate.cmd
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\Msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Mark Adkins\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.wannadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinTimer] "C:\WINDOWS\SYSTEM32\msupdate.cmd"
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11A18F66-B196-48E0-A33A-6E4035C278AF}: NameServer = 195.92.195.94 195.92.195.95
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31078
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Win32:Trojan-gen. {UPX!}
« Reply #6 on: March 04, 2005, 12:05:20 AM »
This is the result that my HJT log analyzer gives:

--------------------------------------------------------------------------------
CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:
--------------------------------------------------------------------------------
You are using the latest version of HijackThis.
Old version of Internet Explorer detected, please update.
INMEDIATLY visit http://windowsupdate.microsoft.com and install ALL security patches/updates.
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.

--------------------------------------------------------------------------------
THESE ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
--------------------------------------------------------------------------------
\windows\system32\msupdate.cmd
o4 - hklm\..\run: [wintimer] "c:\windows\system32\msupdate.cmd"
o16 - dpf: {4f1e5b1a-2a80-42ca-8532-2d05cb959537} (msn photo upload tool) - http://by102fd.bay102.hotmail.msn.com/resources/msnpupld.cab
o23 - service: avast! mail scanner - unknown owner - c:\program files\alwil software\avast4\ashmaisv.exe" /service (file missing)
o23 - service: avast! web scanner - unknown owner - c:\program files\alwil software\avast4\ashwebsv.exe" /service (file missing)

--------------------------------------------------------------------------------
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:
--------------------------------------------------------------------------------
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office\osa9.exe
 
YOUR SYSTEM IS VERY MUCH OUTDATED, IT IS REALLY TIME YOU GET ALL THE SECURITY UPDATE/PATCHES
This is not only for your OS and browser, but also for MS-Office.
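The two findings that matter in this thread are the ones PhilD found by hand (a Run-key entry with a meaningless name pointing at an executable in the drive root, which kept re-spawning the .tmp detections) and the ones Eddy's analyzer printed above (a .cmd script in the HKLM Run key, an ActiveX download entry, services with garbled "file missing" paths, and a machine with no service pack). The script below is an added example, not Eddy's analyzer and not part of HijackThis: it parses HJT log lines with the same heuristics so a defender can run them over any saved log. The sample log is abridged from the one posted earlier in this thread; the `[3MyFqGXrc] C:\XEJHE.EXE` line is constructed to show how PhilD's Windows 98 Run-key entry would look in an HJT log, since he posted no log of his own.

```python
import re
from pathlib import PureWindowsPath

# Abridged lines from the HijackThis log posted in this thread. The
# [3MyFqGXrc] C:\XEJHE.EXE line is CONSTRUCTED from PhilD's description;
# it is not from the original log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinTimer] "C:\WINDOWS\SYSTEM32\msupdate.cmd"
O4 - HKLM\..\Run: [3MyFqGXrc] C:\XEJHE.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# O4 autorun lines: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O23 service lines: "O23 - Service: <name> - <owner> - <command line>"
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# First token ending in an executable extension (handles unquoted paths with spaces).
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|cmd|bat|scr|pif|vbs|js))(?:\s|$)", re.IGNORECASE)
SCRIPT_EXTS = {".cmd", ".bat", ".vbs", ".js", ".pif", ".scr"}


def target_of(cmd: str) -> str:
    """Return the program path from an autorun command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def check_autorun(cmd: str) -> list:
    """Heuristics for a Run-key target: script type, drive root, Temp directory."""
    path = PureWindowsPath(target_of(cmd))
    reasons = []
    if path.suffix.lower() in SCRIPT_EXTS:
        reasons.append(f"autorun target is a script ({path.suffix.lower()})")
    # A bare filename (no drive) has an empty anchor; only judge full paths.
    if path.anchor and path.parent == PureWindowsPath(path.anchor):
        reasons.append("executable sits in the drive root")
    if any(part.lower() in ("temp", "tmp") for part in path.parts):
        reasons.append("executable runs from a Temp directory")
    return reasons


def check_service(cmd: str) -> list:
    """Flag services whose binary path is missing or mangled."""
    reasons = []
    if "(file missing)" in cmd:
        reasons.append("service binary not found as listed, verify the path")
    if cmd.count('"') % 2:
        reasons.append("unbalanced quotes in service path")
    return reasons


def analyze(log: str) -> list:
    """Return (severity, message) findings for an HJT log text."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        # HJT prints the service pack in the Platform line ("Windows XP SP2 ...").
        if line.startswith("Platform:") and " SP" not in line:
            findings.append(("warn", "no service pack reported in: " + line))
            continue
        m = O4_RE.match(line)
        if m:
            for r in check_autorun(m["cmd"]):
                findings.append(("fix", f"O4 [{m['name']}] {m['cmd']}: {r}"))
            continue
        if line.startswith("O16 - DPF:"):
            findings.append(("review", line + ": ActiveX download entry, remove unless recognised"))
            continue
        m = O23_RE.match(line)
        if m:
            for r in check_service(m["cmd"]):
                findings.append(("fix", f"O23 {m['svc']}: {r}"))
    return findings


if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

The root-directory and Temp-directory checks are the automated form of PhilD's observation: a legitimate installer almost never registers a Run value that points at `C:\something.exe` or at a file under `Local Settings\Temp`. The "(file missing)" rule reproduces Eddy's analyzer output, but the avast entries show why it is only a prompt to verify the path rather than a verdict: the log line is a service registered with a quoted command line that HJT rendered with a stray quote, not a missing binary.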

The Mighty Yam

  • Guest
Re: Win32:Trojan-gen. {UPX!}
« Reply #7 on: March 04, 2005, 12:07:21 AM »
Thanks. I will do that but if you think my Windows and Office are outdated... you should check out my hardware! HAHAHA!