Author Topic: WIN32:TROJAN-GEN. {UPX!} || HELP ME!  (Read 40675 times)


exorcist

  • Guest
WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« on: December 14, 2003, 04:05:44 AM »
I have the WIN32:TROJAN-GEN. {UPX!} virus and I tried to delete it and it says I can't. I tried to repair it and it says I can't. How do I get it off?

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #1 on: December 14, 2003, 09:12:59 AM »
Give us the exact name and folder where avast finds it. Normally it is enough to start Windows in safe mode, delete the file there and clean the references to the file out of the registry.
MfG Ralf

exorcist

  • Guest
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #2 on: December 14, 2003, 05:40:15 PM »
OK, yesterday it said it found it in my rundll.exe, then it found it in winrun~1.exe, and this morning it found it in trz20.tmp. Help!

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #3 on: December 14, 2003, 06:01:17 PM »
There is no file named rundll.exe among the Windows system files, so maybe a HijackThis log or an online scanner may be useful here:

Posting a HijackThis log: http://www.tomcoyote.org/hjt/
Download, then unzip the file and double-click on the "HijackThis" icon.
When it has finished loading, click on the "Scan" button.
Next click on the "Save Log" button. Save the log somewhere you will remember and open the log file with Notepad. Then copy the contents and paste them in a reply to be checked.

A good online scanner: http://www.rav.ro/scan/indexie.php
MfG Ralf

exorcist

  • Guest
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #4 on: December 14, 2003, 07:38:51 PM »
Logfile of HijackThis v1.97.7
Scan saved at 12:37:52 PM, on 12/14/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINNT\wt\updater\wcmdmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ResChanger XP\ResChangerXP.exe
C:\Program Files\Common Files\slmss\slmss.exe
C:\WINNT\mwsvm.exe
C:\WINNT\dnjjnepj.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\System32\qbefdvis.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE
C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE
C:\program files\steam\steam.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\hix\mirc.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Acceleration Software\Anti-Virus\defscangui.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\0JO7Y1QX\hijackthis[1]\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=F838C34A-295C-4D15-862F-2F0E76A7E3EA&version_id=18
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.sqwire.com/homepage.php?aid=975
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINNT\ieasst.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Shell32] WinRundll.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ResChangerXP] C:\Program Files\ResChanger XP\ResChangerXP.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINNT\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINNT\mwsvm.exe
O4 - HKLM\..\Run: [ldvkpjby] C:\WINNT\dnjjnepj.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [qbefdvis] C:\WINNT\System32\qbefdvis.exe
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKCU\..\Run: [Shell32] WinRundll.exe
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} (AxOOdlz Class) - http://www.stop-sign.com/pub/download/stop-sign_scn.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37412.8417824074
O16 - DPF: {A4509D9F-B2A1-4AB4-A410-7520F1C79C4E} (ClientYahoo Control) - http://kr.chat.yahoo.com/ECCHAT/ClientYahoo.cab
O16 - DPF: {BD9B72E4-DC9C-4922-80E9-2D3315E3AADC} (UAClientControl Control) - http://www.ultimatearena.com/UAClientControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab


Also, this morning I woke up and it says the virus was now detected in my trz20.tmp file.

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #5 on: December 14, 2003, 08:25:48 PM »
Puh! Your log contains a lot of spyware and adware. Okay, we will see what happens after fixing all of these with HijackThis:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=F838C34A-295C-4D15-862F-2F0E76A7E3EA&version_id=18
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.sqwire.com/homepage.php?aid=975
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINNT\ieasst.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Shell32] WinRundll.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINNT\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINNT\mwsvm.exe
O4 - HKLM\..\Run: [ldvkpjby] C:\WINNT\dnjjnepj.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [qbefdvis] C:\WINNT\System32\qbefdvis.exe
O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKCU\..\Run: [Shell32] WinRundll.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} (AxOOdlz Class) - http://www.stop-sign.com/pub/download/stop-sign_scn.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37412.8417824074
O16 - DPF: {A4509D9F-B2A1-4AB4-A410-7520F1C79C4E} (ClientYahoo Control) - http://kr.chat.yahoo.com/ECCHAT/ClientYahoo.cab
O16 - DPF: {BD9B72E4-DC9C-4922-80E9-2D3315E3AADC} (UAClientControl Control) - http://www.ultimatearena.com/UAClientControl.ocx
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

Make a restart after fixing it.

I see that you made a "housecall" and a "Pandascan". Please use the mentioned RAV online scan too; it is more reliable than the other two (IMO). Please post a fresh new log after this.

MfG Ralf
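The advice in this thread rests on two manual checks: a Run entry whose file merely resembles a system binary (rundll.exe, WinRundll.exe instead of rundll32.exe) and Run entries with generated-looking names (mwsvm.exe, dnjjnepj.exe, qbefdvis.exe), one of them registered twice under different value names. The script below is an added example, not part of the thread or of HijackThis, that parses the O4 lines of a HijackThis log and flags entries on exactly those three signals. The sample log is constructed from O4 lines posted above; the list of system binary stems and the vowel-ratio heuristic are this example's own assumptions and will produce false positives on real logs, so the output is a triage list, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: O4 (and one O2) lines copied from the HijackThis log in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINNT\\System32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [Shell32] WinRundll.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [Mwsvm] C:\\WINNT\\mwsvm.exe
O4 - HKLM\\..\\Run: [absr] C:\\WINNT\\mwsvm.exe
O4 - HKLM\\..\\Run: [ldvkpjby] C:\\WINNT\\dnjjnepj.exe
O4 - HKLM\\..\\Run: [qbefdvis] C:\\WINNT\\System32\\qbefdvis.exe
O4 - HKLM\\..\\Run: [avast!] C:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe
O4 - HKCU\\..\\Run: [Shell32] WinRundll.exe
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\\WINNT\\ieasst.dll
"""

# Matches "O4 - HKLM\..\Run: [value name] command line" as HijackThis prints it.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Assumed list of real Windows system binary stems (file name without extension).
# A Run entry whose file only resembles one of these is treated as a lookalike.
SYSTEM_STEMS = {"rundll32", "svchost", "explorer", "userinit", "winlogon",
                "lsass", "smss", "services", "spoolsv", "csrss"}
VOWELS = set("aeiou")


def parse_run_entries(log_text):
    """Return (hive, value name, executable stem) for every O4 Run line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").strip()
        # The program is the first token; it is quoted when the path contains spaces.
        if cmd.startswith('"'):
            exe = cmd[1:cmd.find('"', 1)]
        else:
            exe = cmd.split()[0]
        stem = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        stem = stem.rsplit(".", 1)[0]
        entries.append((m.group("hive"), m.group("name"), stem))
    return entries


def looks_random(word):
    """Heuristic: letters only, 5+ chars, at most a quarter vowels (generated-looking name)."""
    w = word.lower()
    if len(w) < 5 or not w.isalpha():
        return False
    return sum(c in VOWELS for c in w) / len(w) <= 0.25


def is_lookalike(stem):
    """True when stem contains a system binary's name (digits stripped) but is not that binary."""
    if stem in SYSTEM_STEMS:
        return False
    return any(real.rstrip("0123456789") in stem for real in SYSTEM_STEMS)


def find_suspicious(log_text):
    """Map each flagged Run value name to the reasons it was flagged."""
    entries = parse_run_entries(log_text)
    names_per_file = defaultdict(set)
    for _hive, name, stem in entries:
        names_per_file[stem].add(name)
    findings = {}
    for _hive, name, stem in entries:
        reasons = []
        if is_lookalike(stem):
            reasons.append("file name imitates a Windows system binary")
        if looks_random(name) and looks_random(stem):
            reasons.append("generated-looking value name and file name")
        if len(names_per_file[stem]) > 1:
            reasons.append("same file registered under %d value names" % len(names_per_file[stem]))
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_LOG).items():
        print("[%s]: %s" % (name, "; ".join(reasons)))
```

Run against the sample, it flags Shell32 (lookalike), Mwsvm and absr (one file, two value names; Mwsvm also generated-looking), ldvkpjby and qbefdvis (generated-looking), and leaves the NVIDIA, QuickTime and avast! entries alone. The entries it flags are the ones raman singled out for fixing; anything it flags on a real log should still be checked by hand before it is removed.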

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5087
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #6 on: December 14, 2003, 08:32:01 PM »
Quote
I see that you made a "housecall" and a "Pandascan". Please use the mentioned RAV online scan too; it is more reliable than the other two (IMO). Please post a fresh new log after this.


RAV is quitting the antivirus business and Trend has scored better in the Virus Bulletin test than RAV!!!!! >:(
« Last Edit: December 14, 2003, 10:52:25 PM by MacLover2000 »
"People who are really serious about software should make their own hardware." - Alan Kay

exorcist

  • Guest
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #7 on: December 14, 2003, 08:51:06 PM »
On those things, do I delete them or what? What exactly do you mean by "fix"?

exorcist

  • Guest
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #8 on: December 14, 2003, 08:53:57 PM »
I might also add that the way I got the Trojan was that I was trying to download Lord of the Rings 3 off IRC, and I'm 99.9% sure that's where I got it from!

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #9 on: December 14, 2003, 09:01:10 PM »
HijackThis offers the option to fix the things it finds by marking the objects and pressing "Fix". "Fix checked" is located next to the Scan button.
MfG Ralf

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #10 on: December 14, 2003, 09:05:47 PM »
RAV is quitting the antivirus business and Trend has scored better in the Virus Bulletin test than RAV!!!!! >:(

Trend is not bad, but you will see that RAV is better at finding this malware. Trend is weak at finding Trojans and packed (UPX/ASPack and so on) malware.

.....and yes, I wanted to provoke you a bit! ;)
MfG Ralf

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11652
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #11 on: December 14, 2003, 09:07:03 PM »
Quote
I might also add that the way I got the Trojan was that I was trying to download Lord of the Rings 3 off IRC, and I'm 99.9% sure that's where I got it from!


So instead of 'Return of the King' it was rather 'Return of the Trojan', right? :o
If at first you don't succeed, then skydiving's not for you.

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5087
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #12 on: December 14, 2003, 10:55:03 PM »
Quote
.....and yes, I wanted to provoke you a bit!
Grrrrrrr....
Oh well. I'll get over it. 8)
"People who are really serious about software should make their own hardware." - Alan Kay

exorcist

  • Guest
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #13 on: December 15, 2003, 05:30:40 AM »
After I have deleted those things, what do I do next?

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #14 on: December 15, 2003, 05:43:52 AM »
Make a restart and post a new log.
MfG Ralf