Author Topic: Win32:Trojan-gen. {UPX!}  (Read 34341 times)


arnoldo

  • Guest
Win32:Trojan-gen. {UPX!}
« on: February 10, 2004, 06:29:52 PM »
Hi everybody.

I've a problem. I tried to repair an infected file, but the machine answered with ACCESS DENIED TO THE FILE-CANNOT PROCESS IT.

C:\_restore\temp\A0019058.CPY

How can I remove it from the hd?

Thanks.
« Last Edit: February 10, 2004, 06:35:21 PM by arnoldo »

whocares

  • Guest
Re:Win32:Trojan-gen. {UPX!}
« Reply #1 on: February 10, 2004, 08:52:23 PM »
Hi,


disable System-Restore, reboot, and it will be gone
see
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
reenable Restore afterwards, if you need it ;)

stormmmy453

  • Guest
Re:Win32:Trojan-gen. {UPX!}
« Reply #2 on: February 21, 2004, 10:33:52 PM »
avast is saying I have a virus win95:matyas.... what do I do?

whocares

  • Guest
Re:Win32:Trojan-gen. {UPX!}
« Reply #3 on: February 25, 2004, 11:49:33 PM »
post the exact path of the "infected" file here..
and feed the board-search with matyas
probably just "false positive" in panda-files ;)

Red1970

  • Guest
Re:Win32:Trojan-gen. {UPX!}
« Reply #4 on: February 26, 2004, 03:28:18 PM »
I had the same infected files. I followed the instructions to disable the system restore (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?Open&src=&docid=2001111912274039&nsf=tsgeninfo.nsf&view=pfdocs&dtype=&prod=&ver=&osv=&osv_lvl=)
and deleted my C:\_RESTORE\TEMP files by hand through Safe Mode. Once I did this, avast gave me a clean bill of health! My high speed internet runs so much smoother now, too. The instructions from above relate to Windows ME, but I'm sure they have instructions for other programs. Hope this helps!

cosmolady

  • Guest
Re:Win32:Trojan-gen. {UPX!}
« Reply #5 on: March 01, 2004, 05:15:02 PM »
I have this same virus problem... I have tried safe mode and I disabled restore but it keeps saying it is there. What is the next step? I don't know too much about PCs so you have to go step by step please.

whocares

  • Guest
Re:Win32:Trojan-gen. {UPX!}
« Reply #6 on: March 01, 2004, 05:31:35 PM »
Hi cosmolady,

1. step: read above and answer the questions
2. step: enter the trojan name into the board search above
3. step:

Hi,

what WIN do you have ?
Where exactly was the infected File found  (full pathname and filename) ?

test the file with OnlineScanners e.g. from Trend & KAV (see below) to get a more specific name
(you need to temporarily disable AV-Resident Shields/Monitors to be able to scan the file online)


- remove the Virus/Malware and its system modifications according to VirusInfos from Avast, VGREP, TrendMicro, Kaspersky;
you might also try searching for the virus name or filename with google

general removal procedure:
- disable system restore on Win ME/XP
- kill respective Backdoor/Trojan process with task manager
- search for the file/process names in the registry; remove the malware's startup entries in the registry
- disinfect or (if disinfection is not possible) delete the file; this may be possible only after a reboot

- Secure your system (change passwords, secure shares, install patches/updates for WIN, IE etc..)
- scan your whole system with updated avast and maybe a 2nd scanner, e.g. TrendMicro, to check whether your PC is clean ;)
- reenable system restore on Win ME/XP


if it's of the trojan-gen kind: spybot, ad-aware and cwshredder might also help
if you still can't remove it, you could post a logfile of Hijackthis here

see www.lurkhere.com ->nicefiles and www.lavasoft.de

Further Details and Links via the board search above ;)
« Last Edit: March 01, 2004, 05:36:22 PM by whocares »

viksra

  • Guest
Re:Win32:Trojan-gen. {UPX!}
« Reply #7 on: March 06, 2004, 08:09:25 PM »
Apparently, Avast told me that I have "Win32:Trojan-gen. {UPX}" too... and I attempted to delete it using avast, but it cannot be deleted, as an error occurred while attempting to do so. The file name is: c:\_RESTORE\ARCHIVE\FS219.CAB\W0138974.CPY.

Here is the log from Hijack This:

Logfile of HijackThis v1.97.7
Scan saved at 2:04:39 PM, on 3/6/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\APPLICATION DATA\SEUR.EXE
C:\PROGRAM FILES\SONY\VAIO ACTION SETUP\VASERV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSIMPL.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/v5/home/0,1793,218,00.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Csrss.exe
F1 - win.ini: load=C:\WINDOWS\Csrss.exe
F1 - win.ini: run=C:\WINDOWS\Csrss.exe
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - D:\PROGRAM FILES\FLASHCAPTURE\FCBHO.DLL
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\tcposmod.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MSNIA] C:\PROGRA~1\MSN\MSNIA\MSNIASVC.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\Run: [Lssr] C:\WINDOWS\Application Data\seur.exe
O4 - Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O8 - Extra context menu item: Save F&lash with FlashCapture - res://D:\PROGRAM FILES\FLASHCAPTURE\FCIEXT.DLL/FCIEXT.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashCapture (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37877.9345023148
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - http://survey.prod.there.com/qualsurvey/ThereInstallHelper.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://activex.microsoft.com/controls/vb6/ComDlg32.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn-int.com/components/ocx/exterior/Outside.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn-int.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {D6526FE0-E651-11CF-99CB-00C04FD64497} (Microsoft MSChat Control Object) - http://www.gatewayintruders.com/gcchome/webchat/MSChatOCX.Cab
O16 - DPF: {AD0E37CE-0A0E-4183-83E9-902CC84A4185} (RootInstaller Class) - http://adreport.msn.com/ExternalObjects/rootinst.dll
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: {EB6D7E70-AAA9-40D9-BA05-F214089F2275} (Vitalize Class) - http://www.clickteam.com/vitalize3/vitalize.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {663F5307-C815-42B4-BBA9-6FF01266E2FB} (CSClient Class) - http://cuteandsingle.com/downloads/csc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {066EEF18-445D-4E0C-B0BF-EA31ACF45592} (eXperience9_webchat49.X9CHAT) - http://www.x9chat.com/X9CHAT49.cab
O16 - DPF: {93D5A014-A030-4436-97BF-81D00CC6C397} (FTC Chat Master 1.0) - http://funteenchat.com/FTCChat10.cab
O16 - DPF: {D8E1C1B6-5D13-4F13-967F-40F30CDA4D4E} (X9CHATNET24.webchatx9) - http://www.x9chat.net/X9CHAT24.cab
O16 - DPF: ChatSpace Java Client 3.1.0.212 - http://81.129.115.213/Java/cms31212.cab
O16 - DPF: {D77A4E5C-017B-4084-8704-8C84041CF11E} (IRCWEBCHATv10.IRCWEBCHAT) - http://www.ircwebchat.net/ircdemo2.cab
O16 - DPF: {DC9CA6A0-B8DB-4457-8E02-559A3D453624} (WebWand.WandMain) - http://www.wizardsroom.com/WebWand.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C} - http://www.2020search.com/toolbar/2020Search.cab
O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194} - http://bins.roings.com/crack.cab


Please tell me what to do. I noticed that I seem to be getting popup dialogs from Internet Explorer asking me to either click "OK" or "Cancel", even though I have not opened IE. I have run SpyBot, Norton, Avast, and HijackThis. I assume that Win32:Trojan-gen. {UPX!} is causing the problem. Also, a dialog box appears when I start Windows telling me that it cannot locate "Csrss.exe", which I believe was a trojan. I tried to remove the registry keys to this, but I cannot find the last one which is making this window pop up. Any suggestions?

-viksra
« Last Edit: March 06, 2004, 08:11:58 PM by viksra »

raman

  • Avast Evangelist
  • Advanced Poster
  • Posts: 1062
Re:Win32:Trojan-gen. {UPX!}
« Reply #8 on: March 06, 2004, 11:26:24 PM »
You should disable your System Restore, fix these things, restart and enable System Restore again:

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Csrss.exe
F1 - win.ini: load=C:\WINDOWS\Csrss.exe
F1 - win.ini: run=C:\WINDOWS\Csrss.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\tcposmod.exe
O4 - HKCU\..\Run: [Lssr] C:\WINDOWS\Application Data\seur.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {D6526FE0-E651-11CF-99CB-00C04FD64497} (Microsoft MSChat Control Object) - http://www.gatewayintruders.com/gcchome/webchat/MSChatOCX.Cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {663F5307-C815-42B4-BBA9-6FF01266E2FB} (CSClient Class) - http://cuteandsingle.com/downloads/csc.cab
O16 - DPF: {066EEF18-445D-4E0C-B0BF-EA31ACF45592} (eXperience9_webchat49.X9CHAT) - http://www.x9chat.com/X9CHAT49.cab
O16 - DPF: {93D5A014-A030-4436-97BF-81D00CC6C397} (FTC Chat Master 1.0) - http://funteenchat.com/FTCChat10.cab
O16 - DPF: {D8E1C1B6-5D13-4F13-967F-40F30CDA4D4E} (X9CHATNET24.webchatx9) - http://www.x9chat.net/X9CHAT24.cab
O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C} - http://www.2020search.com/toolbar/2020Search.cab
O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194} - http://bins.roings.com/crack.cab
MfG Ralf
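The general removal procedure in Reply #6 (find the malware's startup entries, then the file) and Ralf's selection of lines to fix from the HijackThis log above are, in effect, a triage of that log. The following is an added example written for this thread; it is not code from the original posts, from avast or from HijackThis. It parses a handful of lines taken from the log posted above (the F0/F1 shell and win.ini hooks, O4 autorun entries and O16 ActiveX downloads) and flags the entries a defender would look at first. The trusted-host allowlist and the "unusual directory" heuristics are assumptions chosen for the demonstration, not rules from the thread or from any vendor.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis v1.97.7 log posted earlier in this thread.
SAMPLE_LOG = """\
F0 - system.ini: Shell=Explorer.exe C:\\WINDOWS\\Csrss.exe
F1 - win.ini: load=C:\\WINDOWS\\Csrss.exe
O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun
O4 - HKCU\\..\\Run: [Lssr] C:\\WINDOWS\\Application Data\\seur.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: ChatSpace Java Client 3.1.0.212 - http://81.129.115.213/Java/cms31212.cab
O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194} - http://bins.roings.com/crack.cab
"""

# Assumption for this demo: vendors whose ActiveX (O16) downloads we treat as expected.
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "macromedia.com", "yahoo.com")

# Assumption for this demo: directories a legitimate autorun entry rarely points into.
SUSPICIOUS_DIRS = ("application data", "\\temp\\")

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+)\s+-\s+(?P<body>.*)$")


def parse_line(line):
    """Split 'O4 - HKLM\\..\\Run: ...' into section tag and body; None if not a HJT line."""
    m = LINE_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def check_shell_hijack(sec, body):
    """F0/F1: Shell= should be exactly Explorer.exe and win.ini load=/run= should be empty."""
    if sec == "F0":
        m = re.search(r"Shell=(.*)$", body, re.IGNORECASE)
        if m:
            parts = m.group(1).split()
            if len(parts) > 1:
                return "system.ini Shell= loads extra program(s): " + " ".join(parts[1:])
            if parts and parts[0].lower() != "explorer.exe":
                return "system.ini Shell= replaced by " + parts[0]
    elif sec == "F1":
        m = re.search(r"\b(load|run)=(.+)$", body, re.IGNORECASE)
        if m and m.group(2).strip():
            return "win.ini %s= launches %s" % (m.group(1), m.group(2).strip())
    return None


def check_autorun(body):
    """O4: flag autorun targets living in directories installers normally do not use."""
    lower = body.lower()
    for d in SUSPICIOUS_DIRS:
        if d in lower:
            return "autorun target under unusual directory %r" % d.strip("\\")
    return None


def check_dpf(body):
    """O16: flag ActiveX packages fetched from bare IPs or hosts outside the allowlist."""
    m = re.search(r"(https?://\S+)$", body)
    if not m:
        return None
    host = urlparse(m.group(1)).hostname or ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "ActiveX download from bare IP address " + host
    if not any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS):
        return "ActiveX download from unlisted host " + host
    return None


def triage(log_text):
    """Return [(section, reason, original line)] for every entry worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        sec, body = parsed
        if sec in ("F0", "F1"):
            reason = check_shell_hijack(sec, body)
        elif sec == "O4":
            reason = check_autorun(body)
        elif sec == "O16":
            reason = check_dpf(body)
        else:
            reason = None
        if reason:
            findings.append((sec, reason, raw))
    return findings


if __name__ == "__main__":
    for sec, reason, raw in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (sec, reason, raw))
```

On the sample the triage flags the two Csrss.exe hooks, the autorun entry under Application Data and the two ActiveX packages from a bare IP and an unlisted host, while the ScanRegistry entry and the Macromedia download pass. The allowlist approach deliberately errs toward flagging: an unlisted host is a prompt to check the entry, not a verdict that it is malicious.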

viksra

  • Guest
Re:Win32:Trojan-gen. {UPX!}
« Reply #9 on: March 07, 2004, 10:51:27 PM »
OK. I tried what you told me to, and I removed all that junk. However, avast says that the trojan is still there. This time, when I continued the search, it also found this:

Win32:Trojan-gen. {UPX!}
c:\WINDOWS\TEMP\trz6314.TMP
0403-2, 03/05/2004


So now I have the 2 trojans on my pc. Please help me get them off. I tried deleting them in safe mode, but that didn't work. And I don't use system restore.

whocares

  • Guest
Re:Win32:Trojan-gen. {UPX!}
« Reply #10 on: March 08, 2004, 10:05:38 AM »
Hi,
please read the above postings again, there is some more advice, e.g. scanning the PC/the file(s) with onlinescanners from Trend, RAV & KAV; also scan/update/fix with ad-aware, spybot and cwshredder

AFTER that, post a new hijackthis-log here, if the trojan exists still outside of system restore

P.S.: When you disable System RESTORE PROPERLY!! on Win ME, imho there shouldn't be ANY restore points/files left in the restore-folder...
check if it's really disabled (did you reboot after disabling it)?

viksra

  • Guest
Re:Win32:Trojan-gen. {UPX!}
« Reply #11 on: March 08, 2004, 09:00:57 PM »
I already read the above messages. I did all of that. I've done it multiple times. I think I found what is causing these IE dialogs to popup... easywarez.com. I got a file from http://www.hackology.com/programs/mbhttpbf/ginfo.shtml to test out on my web server, and ever since I installed that, I have been getting all these popups. It also didn't install an uninstall to the program, and it doesn't show up under the "Add/Remove Programs" window. How can I get rid of that thing? This is really annoying now. I've had a "popup" pop up advertising for porn, free games, and one that even had a huge hand pointing at me done in ASCII. I don't want any of that junk. Any suggestions on how to remove it?

-viksra

whocares

  • Guest
Re:Win32:Trojan-gen. {UPX!}
« Reply #12 on: March 09, 2004, 08:30:02 AM »
onlinescanners from Trend, RAV & KAV; also scan/update/fix with ad-ware, spybot and cwshredder

AFTER that, post a new hijackthis-log here,

you did it all ? how about telling us some details about the results then ?  ;)

describe the popups; are those normal browser popups, or grey (blue) popups of the Windows Messenger service? you can disable the latter via config -> services

what about the hijackthis-log ? ;)

viksra

  • Guest
Re:Win32:Trojan-gen. {UPX!}
« Reply #13 on: March 09, 2004, 09:23:22 PM »
I have attached a picture of the dialog window that pops up. This comes up even when I have not gone to any websites. There are 3 other dialogs that I have seen, one for adult websites, another for "failed to download", and a third with a big hand pointing at me like in the famous poster of Uncle Sam.

viksra

  • Guest
Re:Win32:Trojan-gen. {UPX!}
« Reply #14 on: March 09, 2004, 09:26:36 PM »
Uh.... what do you know. Here are the other two. One more still hasn't popped up yet.