Topic: PLEASE HELP!!! removal of Win32:Trojan-gen. {Other}


mai

PLEASE HELP!!! removal of Win32:Trojan-gen. {Other}
« on: October 18, 2005, 08:24:22 PM »
hello..

Please help me regarding removal of the Win32:Trojan-gen. {Other} virus.... I have avast version 4.6 ... and the OS is XP.

MrBabis

Re: PLEASE HELP!!! removal of Win32:Trojan-gen. {Other}
« Reply #1 on: October 18, 2005, 08:35:15 PM »
1) Schedule a boot scan in avast (look in the drop-down menu of the avast GUI).
2) Use an online scanner to scan your computer.
3) Use an antispyware tool to scan your computer.

Offline DavidR

Re: PLEASE HELP!!! removal of Win32:Trojan-gen. {Other}
« Reply #2 on: October 18, 2005, 09:05:14 PM »
mai - please keep to this topic and abandon the duplicate one you started 14 minutes later
Edit: URL link removed due to other topic being removed.

From the other thread by xmas:
Quote
Can you give us some more info?
For example, the address of the infected file; how many files were infected?
VPS version, program version?

You can try to do a boot-time scan.
« Last Edit: October 18, 2005, 09:17:23 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline XMAS

Re: PLEASE HELP!!! removal of Win32:Trojan-gen. {Other}
« Reply #3 on: October 18, 2005, 09:09:22 PM »
mai - please abandon this thread and keep to the one you started 14 minutes before http://forum.avast.com/index.php?topic=16966.0.

Duplicate posting for the same thing just causes duplication of effort and confusion for those who volunteer their help, thanks.

Hey David, I guess the other topic has disappeared ???
The link doesn't work.

And, yes, mai, please make only one topic if you have questions!!! Don't start same topics please!
« Last Edit: October 18, 2005, 09:11:20 PM by .:X:M:A:S:. »
You've Got To Get Close To The Flame To See What It's Made Of...

Offline DavidR

Re: PLEASE HELP!!! removal of Win32:Trojan-gen. {Other}
« Reply #4 on: October 18, 2005, 09:14:20 PM »
I guess one of the moderators saw the duplication and removed it, at least we are now only concerned with the one topic.
« Last Edit: October 18, 2005, 09:17:47 PM by DavidR »

mai

Re: PLEASE HELP!!! removal of Win32:Trojan-gen. {Other}
« Reply #5 on: October 19, 2005, 07:25:57 AM »
hello...

I did not intentionally duplicate the post.... my system shut down automatically, and so I was not sure whether the problem was posted or not....

The avast on-access scanner displays the message about the presence of the trojan in concern, and the recommended action is Move to chest.... I follow accordingly, but the message keeps on coming at short intervals of time... it says the infection is there in the msdirectx.sys file..... what to do??

Offline FreewheelinFrank

Re: PLEASE HELP!!! removal of Win32:Trojan-gen. {Other}
« Reply #6 on: October 19, 2005, 10:19:10 AM »
Hi Mai,

Find the fix for msdirectx.sys here:

http://forum.avast.com/index.php?topic=14618.msg142666#msg142666
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

mai

Re: PLEASE HELP!!! removal of Win32:Trojan-gen. {Other}
« Reply #7 on: October 19, 2005, 07:22:34 PM »
hi...

I have run the HijackThis software... the log file is as follows... can anybody go through this and tell me what to do??

Logfile of HijackThis v1.99.1
Scan saved at 10:48:04 PM, on 10/19/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\logonui.exe
D:\WINDOWS\System32\xpjava.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Winamp3\winampa.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Google\Google Talk\googletalk.exe
D:\Program Files\Webshots\WebshotsTray.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\System32\wbem\wmiapsrv.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Hiloa\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSGuard] D:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [googletalk] "D:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://D:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://D:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://D:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://D:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{11BCFD7A-9363-4168-B5B7-8EB03C5FAC97}: NameServer = 61.0.128.65 61.0.0.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{11BCFD7A-9363-4168-B5B7-8EB03C5FAC97}: NameServer = 61.0.128.65 61.0.0.5
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe


Offline DavidR

Re: PLEASE HELP!!! removal of Win32:Trojan-gen. {Other}
« Reply #8 on: October 19, 2005, 07:53:10 PM »
Your OS is well out of date, and many vulnerabilities have since been patched by Microsoft. SP2 also includes a number of security enhancements, so I would advise you to visit Windows Update urgently; otherwise, as fast as you plug a hole another will appear.

Once you have updated to XP SP2 you will also be able to update IE6 to SP2, further improving security.

You don't appear to be using a software firewall. I suggest you install one of the freeware ones; Zone Alarm is fine, as it has a relatively friendly interface.

There are a number of unknown and nasty entries. See this on-line analysis of your log http://hijackthis.de/logfiles/9a4de72a6d979bf4643c6c8009e96612.html and check out the unknown entries using Google, etc.

This is the most serious:
O4 - HKLM\..\Run: [PSGuard] D:\Program Files\PSGuard\PSGuard.exe    Nasty
Variant of the SmitFraud alias FAKEALE-C TROJAN! Hit rate: 99 % (result)

A Google search for PSGUARD Removal returns many hits; this is just one of them - http://www.bleepingcomputer.com/forums/How_to_remove_the_Smitfraud_or_Wpexe_bswexe_WindowsFY-t17258.html

« Last Edit: October 19, 2005, 07:54:59 PM by DavidR »

Offline FreewheelinFrank

Re: PLEASE HELP!!! removal of Win32:Trojan-gen. {Other}
« Reply #9 on: October 19, 2005, 11:00:38 PM »
Mai,

You need to follow the advice in the link in my previous posting. The only extra help I can give you is that the file you need to enter into Killbox is D:\WINDOWS\System32\xpjava.exe

You must follow noahdfear's advice:

Use Killbox as instructed on the above file.

Fix this entry with HijackThis!:

F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe

And make the registry changes as instructed.

Don't forget to remove PSGuard as per David's posting. Have you got any mysterious blue screen messages? If not, try removing PSGuard from add/remove programs in Control Panel (If it's there) and then run Ewido. If you have the blue screen message, you will need to run the smitRem.exe program.

Ewido:

http://www.ewido.net/en/

The instructions at BleepingComputer are more comprehensive: follow them for best results!
« Last Edit: October 19, 2005, 11:33:30 PM by FreewheelinFrank »
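The two replies above triage mai's HijackThis log by hand: the PSGuard run entry (a SmitFraud variant), the extra xpjava.exe hooked into the Winlogon UserInit value (the F2 line), the unknown xpjava.exe process in System32, and the "(file missing)" service entries. The script below is an added example that does the same checks automatically over log lines in HijackThis 1.99.1 format; it is not part of HijackThis, avast, or any post in this thread. The sample log is a constructed excerpt of the posted log plus benign entries, the XP System32 process baseline is a partial, hand-written allowlist, and the set of executables flagged by name is only the pair the replies call out, not a general signature database.

```python
"""Triage a HijackThis-style log for the indicators raised in this thread.

Added example for readers of the thread; not part of HijackThis, avast,
or the forum posts. SAMPLE_LOG is a constructed excerpt of the posted
log, XP_SYSTEM32_BASELINE is a partial hand-written allowlist, and
NAMED_IN_THREAD holds only the two executables the replies single out.
"""
import re
from urllib.parse import urlparse

# Constructed excerpt in HijackThis 1.99.1 format (paths as posted above).
SAMPLE_LOG = r"""
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\System32\xpjava.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe

F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O4 - HKLM\..\Run: [PSGuard] D:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://D:\Program Files\AutoCAD 2002\AcDcToday.ocx
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe
"""

# Partial baseline of processes expected under %SystemRoot%\System32 on XP
# (hand-written for this example; real triage needs a fuller list).
XP_SYSTEM32_BASELINE = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "logonui.exe", "spoolsv.exe", "wmiapsrv.exe",
}

# Executables the replies above single out (PSGuard = SmitFraud variant,
# xpjava.exe = the file to remove with Killbox). Not a general signature list.
NAMED_IN_THREAD = {"psguard.exe", "xpjava.exe"}

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")


def parse_log(text):
    """Yield (section, body) pairs; the 'Running processes' block yields ('PROC', path)."""
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            yield "PROC", line
            continue
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def basename(path):
    """Lower-cased file name of a possibly quoted Windows path."""
    return path.strip().strip('"').rpartition("\\")[2].lower()


def triage(text):
    """Return a list of (indicator, detail) findings for a HijackThis log."""
    findings = []
    for section, body in parse_log(text):
        if section == "PROC":
            folder = body.rpartition("\\")[0].lower()
            if folder.endswith("\\windows\\system32") and basename(body) not in XP_SYSTEM32_BASELINE:
                findings.append(("unknown-system32-process", basename(body)))
        elif section == "F2" and "userinit=" in body.lower():
            # Winlogon's Userinit value should hold only userinit.exe (a trailing
            # comma is normal); every other component is launched at every logon.
            value = body.split("=", 1)[1]
            for part in value.split(","):
                if part.strip() and basename(part) != "userinit.exe":
                    findings.append(("userinit-extra", part.strip()))
        elif section == "O4":
            m = RUN_RE.match(body)
            if m and basename(m.group(2)) in NAMED_IN_THREAD:
                findings.append(("run-entry-named-in-thread", m.group(1)))
        elif section == "O16":
            # DPF entries are ActiveX controls IE was told to download; a remote
            # http(s) source deserves a look, a file:// source is a local install.
            url = urlparse(body.rsplit(" - ", 1)[-1].strip())
            if url.scheme in ("http", "https"):
                findings.append(("remote-activex-download", url.hostname))
        elif section == "O23" and body.endswith("(file missing)"):
            name = body.split(" - ", 1)[0].replace("Service: ", "", 1)
            findings.append(("service-file-missing", name))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator:28} {detail}")
```

Run it as-is to see the five findings from the sample; to triage a real log, read the file and pass its text to `triage`. The UserInit check is the one worth keeping in any toolbox: the value is a comma-separated list, so anything appended after userinit.exe runs at every logon with the user's rights, which is exactly why reply #9 says to fix the F2 line and delete the file rather than only quarantining it.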