Topic: Win32:Trojan-gen. {UPX!

Bison

  • Guest
Win32:Trojan-gen. {UPX!
« on: August 13, 2004, 12:25:24 AM »
This keeps recurring on my computer.

Virus name:Win32:Trojan-gen. {UPX!
File name:   C:\System Volume Information\_restore{7F9A7409-39C2-4150-9417-8AB04420FDDA}\RP43\A0006126.exe

I've tried Move/Rename, Delete, Repair, Move to chest and also run Avast on boot up, all without seeming to be able to remove this virus. I keep getting the pop-up warning window several times a day.

Please advise me.

Thanks,
Jerry

Eddy
Re:Win32:Trojan-gen. {UPX!
« Reply #1 on: August 13, 2004, 12:32:18 AM »
Disable System Restore, reboot, and the problem is gone. You could also have got this information if you had done a little search on this forum.
« Last Edit: August 13, 2004, 12:33:10 AM by Eddy »

Bison

  • Guest
Re:Win32:Trojan-gen. {UPX!
« Reply #2 on: August 13, 2004, 12:48:37 AM »
Thanks for the info. I apologize for not searching beforehand. How do I disable "System Restore"?

Also, here is my log file from HijackThis.
Can I safely do a repair on all these items?

Logfile of HijackThis v1.97.7
Scan saved at 5:42:11 PM, on 8/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\oodag.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jerry\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jerry\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jerry\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jerry\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jerry\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Jerry\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Jerry\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R3 - URLSearchHook: (no name) - _{30192F8D-0958-44E6-B54D-331FD39AC959} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.rr.com/rdrun/"); (C:\Documents and Settings\Jerry\Application Data\Mozilla\Profiles\default\uizraja6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jerry\Application Data\Mozilla\Profiles\default\uizraja6.slt\prefs.js)
O2 - BHO: (no name) - {1ED43F37-57AD-4FC3-BC77-90BAEAC3DD39} - (no file)
O2 - BHO: (no name) - {470F119F-0179-76FF-2A75-53A84A2C1EB1} - C:\PROGRA~1\MPEGDE~1\CoalUp.dll
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-010002000012} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\SZIEBHO.dll
O2 - BHO: (no name) - {FE06EC6F-C599-4ACB-A0A4-EED4DBF31027} - C:\WINDOWS\System32\pjmehlg.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O3 - Toolbar: fordphonesecond - {A20BB432-DA77-E5FC-B165-F08981042ADA} - C:\PROGRA~1\MPEGDE~1\CoalUp.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - WWW. Prefix: http://%65%68%74%74%70%2E%63%63/?
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1844dfc7645ce1e0e115/netzip/RdxIE601.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://dwa:dwazoo@4.42.194.23/activex/AxisCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38188.2737384259
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - file://C:\Program Files\InterCAP\ActiveCGM\ActiveX\Acgm.cab
I appreciate your quick response to my initial question.

Jerry
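As an added triage helper (not part of the thread, and not HijackThis's own code), this scans entries in the log format above for the things a reviewer checks before deciding what to fix: percent-encoded hostnames of the kind HijackThis marks "(obfuscated)", extra entries appended to the UserInit value, bare-IP ActiveX download sites, browser search settings pointing into a Temp folder, and entries whose file is missing. The sample entries are constructed from lines in the log above, and the severity labels are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample in HijackThis log format (hosts and paths taken from the log above).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Jerry\LOCALS~1\Temp\sp.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FE06EC6F-C599-4ACB-A0A4-EED4DBF31027} - C:\WINDOWS\System32\pjmehlg.dll (file missing)
O13 - WWW. Prefix: http://%65%68%74%74%70%2E%63%63/?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1844dfc7645ce1e0e115/netzip/RdxIE601.cab
"""

URL_RE = re.compile(r"(https?|file)://([^/\s?]+)")   # scheme and host of the first URL on a line
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def triage_line(line):
    """Return (severity, reason) findings for one HijackThis entry; [] means nothing stood out."""
    findings = []
    kind = line.split(" - ", 1)[0]                       # R0, R1, F2, O2, O13, O16 ...
    if "(no file)" in line or "(file missing)" in line:
        findings.append(("low", "stale entry, target file absent"))
    if kind == "F2" and "UserInit=" in line:
        # Windows normally runs only userinit.exe here; anything else was appended by something.
        value = line.split("UserInit=", 1)[1]
        for part in value.split(","):
            if part.strip() and not part.strip().lower().endswith("userinit.exe"):
                findings.append(("high", f"extra UserInit entry: {part.strip()}"))
    m = URL_RE.search(line)
    if m:
        scheme, host = m.group(1), m.group(2)
        if "%" in host:                                  # what HijackThis labels "(obfuscated)"
            findings.append(("high", f"percent-encoded host decodes to {unquote(host)}"))
        elif IPV4_RE.match(host):
            findings.append(("medium", f"bare IP host {host}"))
        if scheme == "file" and kind in ("R0", "R1") and "\\temp\\" in line.lower():
            findings.append(("high", "browser setting points to a file in a Temp folder"))
    return findings

def triage_log(text):
    """Map each log line that produced findings to its list of findings."""
    hits = ((ln, triage_line(ln)) for ln in text.strip().splitlines())
    return {ln: found for ln, found in hits if found}

if __name__ == "__main__":
    for ln, found in triage_log(SAMPLE_LOG).items():
        print(ln[:60], found)
```

Entries that produce no findings (the SpybotSD helper BHO in the sample) are the "good items" whocares warns against fixing blindly.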

whocares

  • Guest
Re:Win32:Trojan-gen. {UPX!
« Reply #3 on: August 13, 2004, 01:57:50 AM »

Quote
Can I safely do a repair on all these items?


[JokeMode]
If you do, your Win will be A LOT safer, because not much will continue running !!!   ;D ;D
[/JokeMode]

DON'T FIX everything, because Hijackthis lists both GOOD and BAD items.. !!!

--> Please read the links on "VirusRemoval" in Eddy's or my Signature

 ;)

softwareguy

  • Guest
Re:Win32:Trojan-gen. {UPX!
« Reply #4 on: August 13, 2004, 06:00:28 AM »
To disable System Restore,
1. Press START+PAUSE/BREAK on your keyboard (or Control Panel -> System) (or right click My Computer -> Properties).
2. Click the System Restore tab.
3. Check the Disable System Restore on all drives checkbox.
4. Click OK.

System Restore will then be disabled... :)

Eddy
Re:Win32:Trojan-gen. {UPX!
« Reply #5 on: August 13, 2004, 09:24:34 AM »
No, it will not be disabled that way. You need to reboot after doing so before the changes take effect ;)

HijackThis Log file analyzer

Online log file analyzer

Use them both.
« Last Edit: August 13, 2004, 09:26:55 AM by Eddy »

bob3160
Re:Win32:Trojan-gen. {UPX!
« Reply #6 on: August 13, 2004, 05:58:45 PM »
Bison
After you have gotten rid of the old restore points, don't forget to restart System Restore.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

softwareguy

  • Guest
Re:Win32:Trojan-gen. {UPX!
« Reply #7 on: August 13, 2004, 06:06:01 PM »
Quote
No, it will not be disabled that way. You need to reboot after doing so before the changes take effect ;)

HijackThis Log file analyzer

Online log file analyzer

Use them both.
;D

System Restore is on my "disable-on-clean-install" list because it doesn't really revert your drive to the way it was. If you want something that really does, try GoBack. :) System Restore always fails on me... >:(

whocares

  • Guest
Re:Win32:Trojan-gen. {UPX!
« Reply #8 on: August 13, 2004, 06:12:57 PM »
Quote
If you want something that really does,

try an IMAGE-Program (Ghost, TrueImage, DriveImage ...) ;)

Eddy
Re:Win32:Trojan-gen. {UPX!
« Reply #9 on: August 13, 2004, 06:18:57 PM »
GoBack slows things down a lot on many systems. Here is an alternative:

1] Do a clean install of the OS
2] Install firewall/av software
3] Install all drivers for your devices
4] Install all security patches/updates
5] Make the changes to settings as you wish
6] Install the applications you normally use and configure them
7] Create an image with Ghost

With the image you can have your system back up and running in 10-20 minutes if anything really bad happens.

As for backing up data: create a backup and from then on an incremental backup on a regular basis. Always keep the last backup and the one you made just before it.

bob3160
Re:Win32:Trojan-gen. {UPX!
« Reply #10 on: August 13, 2004, 06:30:14 PM »
Softwareguy,
Quote
System Restore is on my "disable-on-clean-install" list because it doesn't really revert your drive to the way it was. If you want something that really does, try GoBack. System Restore always fails on me...
System Restore is still better than nothing for those who don't have anything else or can't afford anything else.
Unless you have a commercial imaging program, System Restore should not be turned off. IMHO :)