Author Topic: Win32: Trojan-Gen Is Ruining My Life -- Help Me Please!  (Read 15978 times)


xfilesfangirl

  • Guest
Hello everyone!  I'm new to the forums and I just love Avast!  Anyway, I have a problem.  For the past few days I keep getting a notification that my computer is infected with the Win32:Trojan-gen virus.  I keep moving it to the chest but it still pops up so I delete it and yet again, it returns.  I've also disabled System Restore and run Spybot and Adware.  I have a firewall too.  Anyway, why can't I get rid of this thing and why does it keep popping up?  Any help would be appreciated!

mauserme

  • Guest
Re: Win32: Trojan-Gen Is Ruining My Life -- Help Me Please!
« Reply #1 on: May 05, 2007, 05:38:27 AM »
Welcome to the forum xfilesfangirl.

Try running an avast! boot scan followed by a complete scan with the free version of AVG Antispyware

http://free.grisoft.com/doc/20/lng/us/tpl/v5

Make sure to quarantine rather than delete, and post again with the results.

xfilesfangirl

  • Guest
Re: Win32: Trojan-Gen Is Ruining My Life -- Help Me Please!
« Reply #2 on: May 05, 2007, 05:44:10 AM »
Thank you for replying!  I'm going to do that right now as we speak!  Is this something I should be freaking out about?  I do a lot of online shopping and stuff and I have this image in my head of this little virus logging all of my credit card info and stuff.  I'm paranoid.  *lol*

xfilesfangirl

  • Guest
Re: Win32: Trojan-Gen Is Ruining My Life -- Help Me Please!
« Reply #3 on: May 05, 2007, 06:19:47 AM »
Okay, both the bootscan and the spyware scan came up with 0 infected files.  Does this mean that I'm safe now?  How do I know this virus isn't somewhere hiding and lurking in the background?  :(

mauserme

  • Guest
Re: Win32: Trojan-Gen Is Ruining My Life -- Help Me Please!
« Reply #4 on: May 05, 2007, 06:38:12 AM »
Well, don't freak out about it but you're right to be concerned about the possibilities.

How do I know this virus isn't somewhere hiding and lurking in the background?  :(


Why don't you post a HijackThis log and I'll take a look:

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
The log may be long - feel free to use 2 or more posts if you need to.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89110
  • No support PMs thanks
Re: Win32: Trojan-Gen Is Ruining My Life -- Help Me Please!
« Reply #5 on: May 05, 2007, 03:10:01 PM »
Hello everyone!  I'm new to the forums and I just love Avast!  Anyway, I have a problem.  For the past few days I keep getting a notification that my computer is infected with the Win32:Trojan-gen virus.  I keep moving it to the chest but it still pops up so I delete it and yet again, it returns.

What is the infected file name, and where was it found, e.g. C:\windows\system32\infected-file-name.xxx?
Check the avast! Log Viewer (right click the avast icon), Warning section; this contains information on all avast detections.

Hopefully the AVG anti-spyware suggested by mauserme will detect the file that is regenerating this malware.

What is your firewall?
If, as I suspect, there is a program downloading this malware, then a firewall should be able to block unauthorised outbound Internet connections (XP's firewall doesn't provide outbound protection).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

xfilesfangirl

  • Guest
Re: Win32: Trojan-Gen Is Ruining My Life -- Help Me Please!
« Reply #6 on: May 05, 2007, 07:00:59 PM »
Hello everyone!  I'm new to the forums and I just love Avast!  Anyway, I have a problem.  For the past few days I keep getting a notification that my computer is infected with the Win32:Trojan-gen virus.  I keep moving it to the chest but it still pops up so I delete it and yet again, it returns.

What is the infected file name, and where was it found, e.g. C:\windows\system32\infected-file-name.xxx?
Check the avast! Log Viewer (right click the avast icon), Warning section; this contains information on all avast detections.

Hopefully the AVG anti-spyware suggested by mauserme will detect the file that is regenerating this malware.

What is your firewall?
If, as I suspect, there is a program downloading this malware, then a firewall should be able to block unauthorised outbound Internet connections (XP's firewall doesn't provide outbound protection).

The log viewer says that it has been found in C:\System Volume Information\restore or _restore.

AVG doesn't seem to detect anything although I'm going to scan it again when I get offline.  My firewall is called Jetico. 

xfilesfangirl

  • Guest
Re: Win32: Trojan-Gen Is Ruining My Life -- Help Me Please!
« Reply #7 on: May 05, 2007, 07:04:06 PM »
Well, don't freak out about it but you're right to be concerned about the possibilities.

How do I know this virus isn't somewhere hiding and lurking in the background?  :(


Why don't you post a HijackThis log and I'll take a look:

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
The log may be long - feel free to use 2 or more posts if you need to.
Okay, thank you! Here you go (I hope I did this right):

Logfile of HijackThis v1.99.1
Scan saved at 12:03:08 PM, on 5/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\wmconnectc\wwm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Alwil Software\Avast4\ashLogV.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%3Fui%3Dhtml%26zy%3Dl&ltmpl=yj_wsad&ltmplcache=2&hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {80f36fd4-ba9e-43c0-98b9-caecfdc4c28e} - C:\WINDOWS\system32\ckc079.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51B59571-1340-4939-AB62-69745E50A6F7}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ckc079 - ckc079.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32: Trojan-Gen Is Ruining My Life -- Help Me Please!
« Reply #8 on: May 05, 2007, 07:18:56 PM »
Hi xfilesfangirl,

Run HijackThis! again, put a tick next to these entries then click 'fix':

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {80f36fd4-ba9e-43c0-98b9-caecfdc4c28e} - C:\WINDOWS\system32\ckc079.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O20 - Winlogon Notify: ckc079 - ckc079.dll (file missing)

I believe they are all related to malware which has been deleted, so it should be easy to remove them; please check with HijackThis! that they have gone.

To remove malware in System Restore, create a clean restore point, then delete all older, infected points:

http://www.bleepingcomputer.com/tutorials/tutorial56.html#manual
http://www.bleepingcomputer.com/tutorials/tutorial56.html#delete

You really need to update to XP SP2 to be secure, but at the very least, use an alternative browser like Firefox or Opera, much more secure than IE on SP1!
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

mauserme

  • Guest
Re: Win32: Trojan-Gen Is Ruining My Life -- Help Me Please!
« Reply #9 on: May 05, 2007, 07:55:43 PM »
Do you still have McAfee installed?  You will need to get rid of either it or avast! as you don't want 2 antivirus programs at the same time.

You should also update Acrobat Reader to 8.  Here's a link

http://www.adobe.com/products/acrobat/readstep2.html

And for sure get SP2 as FwFrank mentioned.

Are you still getting any trojan warnings (after deleting the old restore points)?


EDIT:  This one was Windows Live Messenger

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

and this was Site Adviser

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)


So these were probably the culprits

O2 - BHO: (no name) - {80f36fd4-ba9e-43c0-98b9-caecfdc4c28e} - C:\WINDOWS\system32\ckc079.dll (file missing)

O20 - Winlogon Notify: ckc079 - ckc079.dll (file missing)
« Last Edit: May 05, 2007, 08:17:26 PM by mauserme »
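The four entries FreewheelinFrank singled out in Reply #8, and the two mauserme calls "probably the culprits" in Reply #9, share one property in the log: HijackThis records their target as "(no file)" or "(file missing)". As an added example, not code from this thread or from the HijackThis project, the Python script below parses a log in this format, flags such orphaned entries, and suppresses the ones whose binary nevertheless appears in the log's own "Running processes" list (the two avast! O23 service lines, whose quoted paths HijackThis 1.99.1 reports as missing even though ashMaiSv.exe and ashWebSv.exe are running). The sample log is a constructed excerpt of the one posted above; the function names are the example's own.

```python
import re

# Constructed excerpt of the HijackThis 1.99.1 log posted in this thread,
# trimmed to the lines this example needs.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:03:08 PM, on 5/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {80f36fd4-ba9e-43c0-98b9-caecfdc4c28e} - C:\WINDOWS\system32\ckc079.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O20 - Winlogon Notify: ckc079 - ckc079.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

# A numbered HijackThis entry starts with a section code such as "O2 - " or "R1 - ".
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+")
# Last file-looking token on the line (basename only: backslashes, spaces and
# quotes end a token), so a quoted service path is still picked up.
BINARY_RE = re.compile(r'([^\\\s"]+\.(?:dll|exe|ocx))', re.IGNORECASE)
# Markers HijackThis uses when the referenced object cannot be found on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_log(text):
    """Split a log into (running process paths, [(section, line), ...])."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:                      # blank line ends the process list
            in_processes = False
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), line))
    return processes, entries


def referenced_binary(entry_line):
    """Lowercase basename of the file an entry points at, or None for '(no file)'."""
    matches = BINARY_RE.findall(entry_line)
    return matches[-1].lower() if matches else None


def triage(text):
    """Return entries HijackThis reports as orphaned, minus those whose binary
    is visibly running (a parsing quirk, not a genuinely missing file)."""
    processes, entries = parse_log(text)
    running = {p.rsplit("\\", 1)[-1].lower() for p in processes}
    flagged = []
    for _section, line in entries:
        if not any(marker in line for marker in ORPHAN_MARKERS):
            continue
        if referenced_binary(line) in running:
            continue                      # loaded after all; leave it alone
        flagged.append(line)
    return flagged


def group_by_binary(flagged):
    """Group flagged lines by the file they reference, so that one missing DLL
    registered in several places (here: BHO plus Winlogon Notify) shows up together."""
    groups = {}
    for line in flagged:
        groups.setdefault(referenced_binary(line), []).append(line)
    return groups


if __name__ == "__main__":
    for binary, lines in group_by_binary(triage(SAMPLE_LOG)).items():
        print(f"== {binary or 'no file path recorded'}")
        for line in lines:
            print("   ", line)
```

Running the script on the sample prints the same four lines Frank listed, with the two ckc079.dll entries grouped together. The running-process cross-check only removes false positives; it says nothing about an entry whose DLL is present and loading, which needs a different check (publisher, known-good hash) that a log alone cannot give.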

xfilesfangirl

  • Guest
Re: Win32: Trojan-Gen Is Ruining My Life -- Help Me Please!
« Reply #10 on: May 06, 2007, 03:59:41 AM »
Hi xfilesfangirl,

Run HijackThis! again, put a tick next to these entries then click 'fix':

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {80f36fd4-ba9e-43c0-98b9-caecfdc4c28e} - C:\WINDOWS\system32\ckc079.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O20 - Winlogon Notify: ckc079 - ckc079.dll (file missing)

I believe they are all related to malware which has been deleted, so it should be easy to remove them; please check with HijackThis! that they have gone.

To remove malware in System Restore, create a clean restore point, then delete all older, infected points:

http://www.bleepingcomputer.com/tutorials/tutorial56.html#manual
http://www.bleepingcomputer.com/tutorials/tutorial56.html#delete

You really need to update to XP SP2 to be secure, but at the very least, use an alternative browser like Firefox or Opera, much more secure than IE on SP1!

Thanks!  You rock!  I deleted those files and ran another scan of Avast and it said I am clean.  I hope this did the trick! 

xfilesfangirl

  • Guest
Re: Win32: Trojan-Gen Is Ruining My Life -- Help Me Please!
« Reply #11 on: May 06, 2007, 04:03:02 AM »
Do you still have McAfee installed?  You will need to get rid of either it or avast! as you don't want 2 antivirus programs at the same time.

You should also update Acrobat Reader to 8.  Here's a link

http://www.adobe.com/products/acrobat/readstep2.html

And for sure get SP2 as FwFrank mentioned.

Are you still getting any trojan warnings (after deleting the old restore points)?


EDIT:  This one was Windows Live Messenger

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

and this was Site Adviser

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)


So these were probably the culprits

O2 - BHO: (no name) - {80f36fd4-ba9e-43c0-98b9-caecfdc4c28e} - C:\WINDOWS\system32\ckc079.dll (file missing)

O20 - Winlogon Notify: ckc079 - ckc079.dll (file missing)
Oh, don't worry, I don't have McAfee.  I tried to install it but it slowed down my laptop too much (maybe because I'm still on dial-up).  I only have Avast now.  I'll update Adobe as you advise.  I'm sorry for sounding stupid, but what is SP2?  Yeah, I'm a computer idiot.  I deleted the files Frank suggested and scanned my computer and so far so good.  Let's hope the virus is gone from my life.  I do wonder how I got it since I only visit about four websites regularly and they are 'reputable' sites, ya know.

xfilesfangirl

  • Guest
Re: Win32: Trojan-Gen Is Ruining My Life -- Help Me Please!
« Reply #12 on: May 06, 2007, 04:05:46 AM »
I haven't deleted any old system restore points yet and I was thinking I might leave system restore turned off.  Is this a bad idea? 

xfilesfangirl

  • Guest
Re: Win32: Trojan-Gen Is Ruining My Life -- Help Me Please!
« Reply #13 on: May 06, 2007, 04:27:03 AM »
Okay, I just read that turning off System Restore deletes all old restore points.  I think I'll just leave it turned off if that's not a bad idea.

mauserme

  • Guest
Re: Win32: Trojan-Gen Is Ruining My Life -- Help Me Please!
« Reply #14 on: May 06, 2007, 05:14:54 AM »
Service Pack 2 (SP2) is the most current version of Windows XP.  It is much more secure than Service Pack 1.  Here's a link:

http://www.microsoft.com/windowsxp/sp2/default.mspx

System Restore is sort of a personal choice.  Since yours is off you don't need to worry about clearing any old restore points.  My preference has changed to leave it turned on now since I've had a couple times I wished for it after installing drivers that conflicted.  And it would be wise to set a restore point before installing SP2, I think.

Since McAfee is not installed you can fix these lines in HijackThis too:

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe