Author Topic: Help - Virus Win32:Trojan-gen (Read 9840 times)

rtrgrl78 · « **on:** May 09, 2009, 10:10:53 PM »

Have just downloaded Avast 4.8 Home Edition and its flagged up the follwowing virus Win32:Trojan-gen{Other} :'(

Here's the details from the Chest:

Infected Files

Original file name: A0087942.exe
Original location C:\System Volume Information\_restore{3A5B5489-CC30-45FF-92AA-8E4674662524}\RP249
Virus Description: Win32:Trojan-gen{Other}

Also in my System Files

Name:         Location:
Kernel32.dll      C:\WINDOWS\system32
Winsock.dll      C:\WINDOWS\system32
Wsock32.dll      C:\WINDOWS\system32

Am using Operating System: Windows XP Media Center Edition Version 2002 Service Pack 2, any help would be great thanks

Mr.Agent · « **Reply #1 on:** May 09, 2009, 10:25:47 PM »

Kernel32.dll C:\WINDOWS\system32
Winsock.dll C:\WINDOWS\system32
Wsock32.dll C:\WINDOWS\system32

If im not wrong its for windows backup or something. Let them alone and never delete them. Some times you will see they will be two or three because they have been updated so let them in the chest they will be in security. They are there for a good reason its because they are needed for windows and avast! chest protect them so that why its in saved important files.

For the A0087942.exe i searched on google and did no find anything of it so maybe a guy will help you with it

Mr.Agent

polonus · « **Reply #2 on:** May 09, 2009, 10:30:37 PM »

hi rtrgrl78,

Nothing wrong here, these are just back-up files from avast in case the real ones get infected, in such a case you can restore them, give us a fresh hijackthis logfile added to your next posting for analysis, you can get the latest version of this tool here: http://www.filehippo.com/download_hijackthis/download/58170ee6e58bba306c943f5b6d745c99/

polonus

Mr.Agent · « **Reply #3 on:** May 09, 2009, 10:32:36 PM »

You come too late mister polonus

but well like you said yes if they are infected you can restore them.

Mr.Agent

polonus · « **Reply #4 on:** May 09, 2009, 10:33:40 PM »

Well MrAgent,

That may be true, so I leave the hjt analysis to you this time,

pol

Mr.Agent · « **Reply #5 on:** May 09, 2009, 10:35:28 PM »

Im not that good with hjt analysis sorry mister

polonus · « **Reply #6 on:** May 09, 2009, 10:47:31 PM »

Hi MrAgent,

In that case I will give it a try, and you can look over my shoulder,

polonus

DavidR · « **Reply #7 on:** May 09, 2009, 11:45:46 PM »

Quote from: Mr.Agent on May 09, 2009, 10:32:36 PM

You come too late mister polonus but well like you said yes if they are infected you can restore them.

The user can't restore these files, only avast can use them.

Windows would have a fit if you tried to replace the running files, infected or not. So I will answer your next question now, I don't know how avast would do that

rtrgrl78 · « **Reply #8 on:** June 20, 2009, 09:49:03 PM »

Quote from: polonus on May 09, 2009, 10:30:37 PM

hi rtrgrl78,

Nothing wrong here, these are just back-up files from avast in case the real ones get infected, in such a case you can restore them, give us a fresh hijackthis logfile added to your next posting for analysis, you can get the latest version of this tool here: http://www.filehippo.com/download_hijackthis/download/58170ee6e58bba306c943f5b6d745c99/

polonus

Hi,

So nothing to worry about, I don't have any virus lurking? I was really paranoind there might have been a Trojan Virus in my system - I really like Avast, but it can scare with the reporting it kind of gets you think you may have got a Virus when you don't but apart from that can't fault it. I'll download the 'Hijack This' application and keep you informed. thanks.

aremang82 · « **Reply #9 on:** June 25, 2009, 04:31:57 AM »

hi
i'm really need help for my problem
i use windows xp
when Win32:Trojan-gen {other} attack my *doc file,
everything with microsoft word (*doc) became size 638 k.bit
when i use avast, it recommendly to move to chest. it succesfull but the original *doc file become missing/hidden
but the file always right there just i cannot find.
can some one help my problem?

Pleaseeeee
p/s sorry, my english language are poor.
thank.

DavidR · « **Reply #10 on:** June 25, 2009, 03:14:21 PM »

Please start a New Topic of your own as this seems unrelated to the original subject and will just confuse the topic and we will try to help.
- Go to this link, http://forum.avast.com/index.php, scroll down to the Viruses and Worms forum and click it, click the New Topic button at the top of the list and post there.

Lisandro · « **Reply #11 on:** June 25, 2009, 05:37:18 PM »

Quote from: aremang82 on June 25, 2009, 04:31:57 AM

hi
i'm really need help for my problem
i use windows xp
when Win32:Trojan-gen {other} attack my *doc file,
everything with microsoft word (*doc) became size 638 k.bit
when i use avast, it recommendly to move to chest. it succesfull but the original *doc file become missing/hidden
but the file always right there just i cannot find.
can some one help my problem? Pleaseeeee
p/s sorry, my english language are poor.
thank.

Please, do not post 4 times the same

Just make harder the effort of help.
Follow http://forum.avast.com/index.php?topic=3353.0

Nico-Sid · « **Reply #12 on:** July 03, 2009, 03:39:55 AM »

Hi,
I also have a problem with the win32 trojan gen virus.
I don't know how to remove it.
this is my hijack log, maybe anyone can help me
thx

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:53, on 3/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashEnhcd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_BE&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trooner.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Krait] C:\Program Files\Razer\Krait\razerhid.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Zoeken - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Woord vertalen in het Nederlands - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Gelijkwaardige pagina's - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Verbindingshelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Verbindingshelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Planner voor Automatische LiveUpdate - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9372 bytes

YoKenny · « **Reply #13 on:** July 03, 2009, 11:25:35 AM »

Nico-Sid , please start a NEW TOPIC of your own as this seems unrelated to the original subject and will just confuse the topic and we will try to help.
- Go to this link http://forum.avast.com/index.php?board=4.0 click the NEW TOPIC button at the right of the list and post there.

Your system is way down level and needs Windows Service Pack 3 that has been available for over a year and the Sun Java that is installed has many security exposures..

rtrgrl78 · « **Reply #14 on:** July 07, 2009, 11:09:03 PM »

Hi,

In response to polonus - here is my logfile from Hjackthis, unfortunately have had to attach via a .txt file as I exceeded the word limit when I tried posting before. Is there a way round that? as I've seen large postings on here.

Also after a recent scan, last night I got a few bleeps and warnings from Avast and in the chest were these files:

Name: A0087942.exe
Original Folder: C:\System Volume Information\_restore{3A5B5489-CC30-45FF-92AA-8E4674662524}\RP249
virus Description: Win32:Trojan-gen{other}

Name: A0088034.exe
Original Folder C:\System Volume Information\_restore{3A5B5489-CC30-45FF-92AA-8E4674662524}\RP249
virus Description: Win32:Ups[Cryp]

Name: A0088322.exe
Original Folder: C:\System Volume Information\_restore{3A5B5489-CC30-45FF-92AA-8E4674662524}\RP251
virus Description: Win32:Ups[Cryp]

Name: MS9767612.exe
Original Folder: C
virus Description: Win32:Ups[Cryp]

Name: MS9767612.exe
Original Folder: C:\DOCUME~1\User\LOCALS~1\Temp\Rar$EX05.453
virus Description: Win32:Ups[Cryp]

Name: MS9767612.exe
Original Folder: C:\Documents and Settings\User\Local Settings\Temp\Rar$EX00.15
virus Description: Win32:Ups[Cryp]

Any help to clear my system would be much appreciated, thanks.