Author Topic: Good way to get rid of Win32:Trojan-gen  (Read 14381 times)

Dan_o

  • Guest
Good way to get rid of Win32:Trojan-gen
« on: October 12, 2003, 10:00:16 PM »
Avast found the Trojan and the repair sometimes doesn't work so should I just delete the file or find another program or way to get rid of it?

techie101

  • Guest
Re:Good way to get rid of Win32:Trojan-gen
« Reply #1 on: October 13, 2003, 02:48:12 AM »
Dan,

What do you mean the "repair" DOESN'T WORK?
Did Avast give you the choice to move the infected file to the Chest?

I am somewhat perplexed in that my reference files do not list a win32:trojan-gen virus.
Normally, gen viruses are polymorphic (basically means that the virus tries to hide from detection by varying code strings), but none of the variants of which I am aware are listed as win32:trojan.

Does Avast provide any other information?

techie
« Last Edit: October 13, 2003, 03:46:00 AM by techie101 »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re:Good way to get rid of Win32:Trojan-gen
« Reply #2 on: October 13, 2003, 04:57:55 AM »
Quote
Dan,

What do you mean the "repair" DOESN'T WORK?
Did Avast give you the choice to move the infected file to the Chest?

I am somewhat perplexed in that my reference files do not list a win32:trojan-gen virus.
Normally, gen viruses are polymorphic (basically means that the virus tries to hide from detection by varying code strings), but none of the variants of which I am aware are listed as win32:trojan.

Does Avast provide any other information?

techie

Hey Dan, could you answer techie?  ;)
Btw, which OS, firewall, etc. are you using...
The best things in life are free.

techie101

  • Guest
Re:Good way to get rid of Win32:Trojan-gen
« Reply #3 on: October 13, 2003, 05:40:30 PM »
dan,

I still have been unable to obtain any relevant information on the suspect virus win32:trojan-gen.

Try this for now:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

It is Panda's free online scanner.  Run it and see what it tells you.  It may provide some additional facts we need to identify the actual virus (if it does indeed exist; it may be a false positive, but we need to know if you ARE running AVAST or any anti-virus program).

 ::)
« Last Edit: October 13, 2003, 05:44:42 PM by techie101 »

techie101

  • Guest
Re:Good way to get rid of Win32:Trojan-gen
« Reply #4 on: October 13, 2003, 05:47:11 PM »
Quote
Btw, which OS, firewall, etc. are you using...

Technical brings up a good point.  OS, firewall, etc. are needed in order for recommendations to be made to prevent any future virus infection.
Technical thinks ahead.  hahaha ;)

techie101 :)

Dan_o

  • Guest
Re:Good way to get rid of Win32:Trojan-gen
« Reply #5 on: October 13, 2003, 06:01:15 PM »
Ah, so I should just move the infected file to the Chest, huh? When I click on repair sometimes I get a message saying the infected file couldn't be repaired. I'll try that and the Panda thing.

Thanks for the reply guys

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re:Good way to get rid of Win32:Trojan-gen
« Reply #6 on: October 13, 2003, 08:46:52 PM »
Quote
When I click on repair sometimes I get a message saying the infected file couldn't be repaired.

Could you post what files (and their virus) could not be repaired?  ;)
What about your system information (OS, firewall, etc.)?  8)
The best things in life are free.

techie101

  • Guest
Re:Good way to get rid of Win32:Trojan-gen
« Reply #7 on: October 13, 2003, 09:02:30 PM »
dan,

You're not cooperating here!  Technical and I both asked you for information relevant to your problem so we can help you.

If you just wish to venture off into computer land by yourself, then we can't assist.

And it's not a Panda-thing.  It's an online virus scanner from Panda Software.

In answer to your question about the Chest: yes, if you move the file to the Chest, it cannot harm your system until we figure things out.  It can be restored (put back) from the Chest if we determine that it is indeed a file you need.

You may not be able to Repair the file if it is protected by the System Restore feature or if the virus has attached itself to a file that is passworded.

I cannot say for sure because you won't answer our questions.

I can't read minds, only anti-virus software.   ;D

techie101


Technical,
You tried buddy.
« Last Edit: October 13, 2003, 09:08:03 PM by techie101 »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re:Good way to get rid of Win32:Trojan-gen
« Reply #8 on: October 13, 2003, 09:09:26 PM »
Quote
dan,
You're not cooperating here!  Technical and I both asked you for information relevant to your problem so we can help you.
If you just wish to venture off into computer land by yourself, then we can't assist.
I cannot say for sure because you won't answer our questions.
I can't read minds, only anti-virus software.   ;D
techie101
Technical, you tried buddy.

Thanks techie for your posts... They earn you a karma  ;D
The best things in life are free.

Freeman

  • Guest
Re:Good way to get rid of Win32:Trojan-gen
« Reply #9 on: October 22, 2003, 08:19:05 AM »
avast! v4.1.280 (database up to date)
Windows ME
ZoneAlarm v3.7.211

Greetings,

I received the same 'virus' warning (Win32:Trojan-gen. {UPX!}) after downloading some .rar files from a site. I contacted the site owner and it appears that it isn't the files that are affected; rather avast! has trouble with UPX. This was his response:

Quote
No, it's not a virus nor a trojan but an executable file packer called UPX (http://upx.sf.net/), which is used by WinRAR for compressing the decompression program included in the sets so people don't need to install WinRAR to do just that. I guess UPX has been included by your anti-virus program since it potentially could also include a trojan or virus executable.

Cheers!

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:Good way to get rid of Win32:Trojan-gen
« Reply #10 on: October 22, 2003, 09:22:42 AM »
(Pure) UPX has definitely not been included into avast database to be reported as a virus just because there may be a virus inside... (we'd have to report about everything then :)).

So, if you receive the warning and you're sure the file is not infected - then it's probably a false alarm and it should be fixed. Could you please post some more information about the file - such as a link to download? Or if not possible, could you send the mentioned file to virus(at)avast.com? If it's too big, you could try to delete (most of) the content of the archive with WinRAR, just to keep the SFX engine present (or strip only the first part of the file). If you modify the archive, however, make sure that avast still gives the warning.
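The two posts above describe the same file layout from different angles: the site owner says the WinRAR SFX stub is a UPX-packed executable, and igor asks for a trimmed copy that keeps only that stub (the "first part of the file") while the archive content is removed. The following is an added triage script, not avast's or WinRAR's code, that shows what an analyst can check before deciding a "{UPX!}" detection is a packer-related false alarm: it parses a PE header, looks for the UPX packer's section names, and locates the overlay (the bytes appended after the last section, where an SFX keeps its archive). It assumes the stock UPX section names UPX0/UPX1/UPX2 (a renamed build is not detected) and the RAR archive marker bytes `Rar!\x1a\x07`; the sample image it parses is constructed inline and is not a real program.

```python
"""Triage helper for a '{UPX!}'-style detection on a self-extracting archive.

Added example, not avast's or WinRAR's code. Assumptions: UPX0/UPX1/UPX2 section
names mark a stock UPX build, and a RAR payload begins with b'Rar!\\x1a\\x07'.
"""
import struct
import sys
from dataclasses import dataclass
from typing import List, Sequence

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX!"}
RAR_MARKER = b"Rar!\x1a\x07"


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_offset: int


@dataclass
class PeSummary:
    sections: List[Section]
    upx_packed: bool
    overlay_offset: int  # file offset where data after the last section begins
    overlay_size: int


def parse_pe(data: bytes) -> PeSummary:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections, size_opt = struct.unpack_from("<H12xH", data, coff + 2)
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):  # each IMAGE_SECTION_HEADER is 40 bytes
        name_raw, vsize, vaddr, rsize, roff = struct.unpack_from(
            "<8sIIII", data, table + i * 40)
        name = name_raw.rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, vsize, vaddr, rsize, roff))
    end_of_sections = max((s.raw_offset + s.raw_size for s in sections),
                          default=table + num_sections * 40)
    overlay_offset = min(end_of_sections, len(data))
    return PeSummary(
        sections=sections,
        upx_packed=any(s.name in UPX_SECTION_NAMES for s in sections),
        overlay_offset=overlay_offset,
        overlay_size=len(data) - overlay_offset,
    )


def overlay_looks_like_rar(data: bytes, summary: PeSummary) -> bool:
    """True when the overlay begins with the RAR archive marker."""
    start = summary.overlay_offset
    return data[start:start + len(RAR_MARKER)] == RAR_MARKER


def describe(summary: PeSummary) -> List[str]:
    """Human-readable findings for the analyst."""
    out = ["sections: " + ", ".join(s.name for s in summary.sections)]
    out.append("UPX section names present" if summary.upx_packed
               else "no UPX section names")
    out.append(f"overlay: {summary.overlay_size} bytes at offset "
               f"0x{summary.overlay_offset:x}")
    return out


def build_sample_pe(section_names: Sequence[bytes], overlay: bytes = b"") -> bytes:
    """Constructed sample: a minimal PE32 image (headers plus dummy section
    bodies) with the given section names and an optional overlay. It is not a
    real program and cannot execute; it only exercises the parser."""
    dos = bytearray(b"MZ" + bytes(0x3E))
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header at 0x40
    n = len(section_names)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0xE0, 0x0102)
    table, bodies, raw_off = b"", b"", 0x200
    for i, name in enumerate(section_names):
        table += struct.pack("<8sIIII", name, 0x1000, 0x1000 * (i + 1),
                             0x200, raw_off) + bytes(16)
        bodies += b"\xCC" * 0x200  # placeholder section contents
        raw_off += 0x200
    header = bytes(dos) + b"PE\0\0" + coff + bytes(0xE0) + table
    header += bytes(0x200 - len(header))  # pad headers up to first raw offset
    return header + bodies + overlay


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_sample_pe([b"UPX0", b"UPX1"],
                                RAR_MARKER + b"\x00(constructed archive payload)")
    report = parse_pe(image)
    print("\n".join(describe(report)))
    print("overlay starts with RAR marker:", overlay_looks_like_rar(image, report))
```

Run it against a real SFX (`python triage.py setup.exe`) and the overlay offset is exactly where the stub ends, which is the boundary igor's trimming advice refers to. A UPX-packed stub followed by a RAR-marked overlay is consistent with an ordinary WinRAR SFX; that by itself proves nothing about the contents, so the right next step is still the one igor gives, submitting the file so the detection can be corrected.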

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Good way to get rid of Win32:Trojan-gen
« Reply #11 on: October 22, 2003, 10:12:58 AM »
@freeman It could be a false alarm, because Avast still has some problems with WinRAR-SFX files which are packed with UPX.

@dan_o: You will be able to move the file if you start your computer in safe mode. You can test the troj-gen here, so you do not need to install the ActiveX crap from Panda, which only forces Avast to give you another virus warning on some Panda files which will be installed.
Kind regards, Ralf

techie101

  • Guest
Re:Good way to get rid of Win32:Trojan-gen
« Reply #12 on: October 22, 2003, 04:02:54 PM »
dan,

You can normally move an infected file to the Chest instead of trying to delete or repair it.  This keeps it in a safe place until you determine if it is indeed harmful.
Avast will not allow you to "tamper" with files that are in the System Restore, or those that are passworded.   Igor provided a tip that you should remember when this occurs.

Please look at the setting of your Standard Shield module in the On Access Protection. Right-click on the A ball in the tray, select On Access Protection, then Standard Shield from the side table.   If it is set on HIGH, lower it to Normal and try again.  The higher the sensitivity, the more false positives that may result.  This applies to both On Access and normal Scan functions in Avast.

Avast will tell you when it detects a file that is "potentially" harmful.  It is now up to you to determine what to do with it!

From what you have presented, it more than likely is a false positive.  We now need to get rid of the warning from your system using the methods provided here.

Good luck
Techie

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:Good way to get rid of Win32:Trojan-gen
« Reply #13 on: October 22, 2003, 04:24:08 PM »
Well, setting the level of Standard Shield protection affects the number of files being scanned (so it could influence the potential false alarms reported in non-executable files) - but it doesn't change the method "how" the files are scanned, such as scanning inside archives, virus targeting, etc. (at least I think so :)).
The .exe files will always be scanned, no matter if you set the sensitivity to High or Normal - they're too important to be skipped. If the problem appears in a WinRAR-SFX, then it really is an .exe file - so changing this setting probably wouldn't help.

The best thing to do would be to submit the problematic file so that we could fix the false alarm. Since WinRAR is quite popular, we would definitely like to do it.

techie101

  • Guest
Re:Good way to get rid of Win32:Trojan-gen
« Reply #14 on: October 22, 2003, 09:29:06 PM »
Quote
Well, setting the level of Standard Shield ........ (so it could influence the potential false alarms reported in non-executable files) - but it doesn't change the method "how" the files are scanned.

* Igor, no... changing the sensitivity will not change where Avast scans but will change HOW it performs the scan.  I believe that the types of files and code strings that Avast looks for are modified.  (At least I think so. haha)

Avast will ALWAYS scan boot sectors, executables both 16 and 32 bit as well as MS-DOS based programs, but not so apparent is that IT WILL NOT scan Config.sys, MS DOS.sys, Pagefile.sys, Win386.swp, System or User.da, nor the Windows\temp\*.tmp file by default. (*You can modify these or add to them by changing the settings of the Standard Shield in the OAP module.)

Quote
The best thing to do would be to submit the problematic file so that we could fix the false alarm. Since WinRAR is quite popular, we would definitely like to do it.

In order to assist the Avast Team, please send the file/s in order to prevent a reoccurrence.

Thanks,
Techie  :D