Author Topic: Win32 Trojan-gen(other)  (Read 52301 times)

0 Members and 1 Guest are viewing this topic.

deadforyou

  • Guest
Win32 Trojan-gen(other)
« on: February 24, 2005, 04:19:04 AM »
Hello heres my info to start off with-

Winxppro sp2
amd duron 800mhz 256mb ram
dsl
windows firewall
avast! 4.6 with latest definitions
found win32trojan-gen(other) in following files-
windows\trz1.tmp
windows\winsms.dll

i move them to chest and they still reappear tried deleting them still reappear and tried using the cleaner and that found no virus body anywhere what should i do

lee16

  • Guest
Re: Win32 Trojan-gen(other)
« Reply #1 on: February 24, 2005, 11:49:44 AM »
Hi deadforyou,

Please see here: http://members.home.nl/edeijl/ache/cleaning.htm

Run though all the steps/suggestions there, then post a FULL Hijackthis log here so we can comfirm your system is clean.

*Note*, all of these steps/suggestions should be run in normal mode (not Safe Mode).

--lee

Tappy

  • Guest
Re: Win32 Trojan-gen(other)
« Reply #2 on: February 24, 2005, 08:52:28 PM »
Hi
I have similar problem as deadforyou. I have WIN XP pro on Pen. 2.8. I am getting WIN32:trojan-gen.{UPX!} on my system. I run avast and delete the file, then run both Spybot-search and destroy and Ad-aware to delete anything else. When I log on (high speed) to the internet (even before opening Explorer) I get the notification from avast that a virus(WIN32:trojan-gen.{UPX!}) has been detected. If I try to delete or move to chest, another same one is detected. This will go on as long as I keep deleting or moving them. If I log of the internet, I can run the previous mention programs and clean my system(??) until I log on the internet again. Please Help.....

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Win32 Trojan-gen(other)
« Reply #3 on: February 24, 2005, 08:58:31 PM »
Then follow the advice given by Lee.

And detected where and in what file, help us to help you.

- What was the filename, where was it found
  example (C:\windows\system32\infected-filename.xxx)?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Tappy

  • Guest
Re: Win32 Trojan-gen(other)
« Reply #4 on: February 25, 2005, 05:36:04 PM »
Here is my HijackThis Log. I hope someone could help me.

Logfile of HijackThis v1.99.1
Scan saved at 12:59:23 PM, on 2/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SYSTEM32\msupdate.cmd
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\Wzqkpick.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Paltalk\pnetaware.exe
C:\Temp\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinTimer] "C:\WINDOWS\SYSTEM32\msupdate.cmd"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/06c4a02ae9af4801bd17/netzip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Win32 Trojan-gen(other)
« Reply #5 on: February 25, 2005, 05:38:12 PM »
For an on-line scan of your Hijackthis log file try here http://hijackthis.de/index.php
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Tappy

  • Guest
Re: Win32 Trojan-gen(other)
« Reply #6 on: February 25, 2005, 05:42:25 PM »
Thanks. Sorry for the persistence but this trojan is driving me nuts.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Win32 Trojan-gen(other)
« Reply #7 on: February 25, 2005, 05:47:19 PM »
You can also use Eddy's HJT analyser tool (always good to get a second opinion), available at the link that Lee gave above your first post.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

lee16

  • Guest
Re: Win32 Trojan-gen(other)
« Reply #8 on: February 25, 2005, 06:13:19 PM »
Tappy,

If you provid the file name and location as David asked last time ill be ahppy to give you some step by step instructions.  ;)

--lee

Tappy

  • Guest
Re: Win32 Trojan-gen(other)
« Reply #9 on: February 25, 2005, 06:48:19 PM »
OK Here is where avast is indicating "file name": C:\Documents and Settings\David\Local Settings\Temp\win6.tmp

I assume the file is win6.tmp. Actually that temp folder is full of tmp files and other things.

Just a note, I ran my log file from HighJackThis on the the online scan and fixed the files in highjackthis as indicated by the results of the analysis and there still is no difference. As soon as I logged on to the internet the WIN32:trojan-gen.{UPX!} was detected by Avast. I would greatlt appreciate any help. If you need further info just let me know.

lee16

  • Guest
Re: Win32 Trojan-gen(other)
« Reply #10 on: February 25, 2005, 07:16:33 PM »

Open hijackthis and do the following (unless you feel one one/some should stay).
--------------------------------------------------------------------------------
THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
--------------------------------------------------------------------------------
r1 - hkcu\software\microsoft\windows\currentversion\internet settings
proxyoverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [WinTimer] "C:\WINDOWS\SYSTEM32\msupdate.cmd"
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
o16 - dpf: {00b71cfb-6864-4346-a978-c0a14556272c} (checkers class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
o16 - dpf: {0ec4c9e3-ec6a-11cf-8e3b-444553540000} (wavetab control) - http://www.riffinteractive.com/setup/rifflick.cab
o16 - dpf: {56336bcb-3d8a-11d6-a00b-0050da18de71} (rdxie class) - http://software-dl.real.com/06c4a02ae9af4801bd17/netzip/rdxie601.cab
o16 - dpf: {8e0d4de5-3180-4024-a327-4dfad1796a8d} (messengerstatsclient class) - http://messenger.zone.msn.com/binary/messengerstatsclient.cab28578.cab


--------------------------------------------------------------------------------
HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :
--------------------------------------------------------------------------------
Nothing found.

--------------------------------------------------------------------------------
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :
--------------------------------------------------------------------------------
o4 - hklm\..\run: [updreg] c:\windows\updreg.exe
o4 - hklm\..\run: [openwares liveupdate] c:\program files\liveupdate\liveupdate.exe
o4 - hklm\..\run: [winampagent] c:\program files\winamp\winampa.exe
o4 - hklm\..\run: [tkbellexe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
o4 - hkcu\..\run: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
o4 - startup: palnetaware.lnk = c:\program files\paltalk\pnetaware.exe
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office\osa9.exe
o4 - global startup: winzip quick pick.lnk = c:\program files\winzip\wzqkpick.exe
o4 - global startup: kodak software updater.lnk = c:\program files\kodak\kodak software updater\7288971\program\backweb-7288971.exe


Then Open taskmanager and kill the proccess "pnetaware.exe"

Then delete the folder C:\Program Files\Paltalk
Then delete this file C:\WINDOWS\SYSTEM32\msupdate.cmd
Delete all temp files, you can do this with a program if you want. (http://www.ccleaner.com/ccdownload2.php)

Then reboot your system and run any scanners, then see if the problem persists.
Either way redo and repost your hijackthis log so we can confirm your system is not infected anymore.

--lee
« Last Edit: February 25, 2005, 07:19:31 PM by lee16 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Win32 Trojan-gen(other)
« Reply #11 on: February 25, 2005, 07:32:25 PM »
Clear your temp files and browser cache (temp internet files)


Did you also delete the file as well as the fix in hijackthis?

When it was detected again where was it detected and what was the filename it was in?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Tappy

  • Guest
Re: Win32 Trojan-gen(other)
« Reply #12 on: February 25, 2005, 09:05:57 PM »
Hi
It's been an half hour logged on the internet and that trojan has not been detected by avast. For those who have helped me (Lee & David) thank you so much. Anyway here is the last log I got from highjackthis:

Logfile of HijackThis v1.99.1
Scan saved at 3:54:21 PM, on 2/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MICROS~1\OFFICE\OUTLOOK.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Win32 Trojan-gen(other)
« Reply #13 on: February 25, 2005, 09:22:29 PM »
- Your system is not up to date
- Your IE is not up to date
- I don't see a firewall. Are you using a router with hardware firewall? If not, get a firewall.

In short:
Your system is more vulnarable to attacks/infections than it should be.
I strongly suggest you visit the MS update site and install ALL securty patches/updates for Windows as well as for Office.

lee16

  • Guest
Re: Win32 Trojan-gen(other)
« Reply #14 on: February 25, 2005, 10:19:46 PM »
Hi again Tappy,

Just released i missed something in your hijackthis log, its this:

O4 - Startup: PowerReg Scheduler.exe

Apart from that your log is clean.

Also what Eddy said is try, even though your SP1 is upto date, SP2 is even more secure and can help prevent malware from getting on your system again.
You will have to update to SP2 soon anyway, as Microsoft has decided that are forcing people to update to SP2 very soon  :-\

Have a nice weekend now  ;)

--lee