Help - Virus Win32:Trojan-gen

Have just downloaded Avast 4.8 Home Edition and it's flagged up the following virus, Win32:Trojan-gen{Other} :cry:

Here’s the details from the Chest:

Infected Files

Original file name: A0087942.exe
Original location: C:\System Volume Information\_restore{3A5B5489-CC30-45FF-92AA-8E4674662524}\RP249
Virus Description: Win32:Trojan-gen{Other}

Also in my System Files

Name: Location:
Kernel32.dll C:\WINDOWS\system32
Winsock.dll C:\WINDOWS\system32
Wsock32.dll C:\WINDOWS\system32

I am using Operating System: Windows XP Media Center Edition Version 2002 Service Pack 2. Any help would be great, thanks.

Kernel32.dll C:\WINDOWS\system32
Winsock.dll C:\WINDOWS\system32
Wsock32.dll C:\WINDOWS\system32

If I'm not wrong, it's for Windows backup or something. Leave them alone and never delete them. Sometimes you will see two or three of them because they have been updated, so leave them in the chest; they will be secure there. They are there for a good reason: they are needed for Windows, and the avast! chest protects them, so that's why they're in "saved important files".

For A0087942.exe I searched on Google and did not find anything about it, so maybe someone else will help you with it :slight_smile:

Mr.Agent

hi rtrgrl78,

Nothing wrong here; these are just back-up files from avast in case the real ones get infected, in which case you can restore them. Give us a fresh HijackThis logfile in your next posting for analysis; you can get the latest version of this tool here: http://www.filehippo.com/download_hijackthis/download/58170ee6e58bba306c943f5b6d745c99/

polonus

You come too late, mister polonus :slight_smile: but well, like you said, yes, if they are infected you can restore them.

Mr.Agent

Well MrAgent,

That may be true, so I leave the hjt analysis to you this time,

pol

I'm not that good with HJT analysis, sorry mister :slight_smile:

Hi MrAgent,

In that case I will give it a try, and you can look over my shoulder, :wink:

polonus

The user can’t restore these files, only avast can use them.

Windows would have a fit if you tried to replace the running files, infected or not. So I will answer your next question now: I don't know how avast would do that ;D

Hi,

So nothing to worry about, I don't have any virus lurking? I was really paranoid there might have been a Trojan virus in my system. I really like Avast, but it can scare you with the reporting; it kind of gets you thinking you may have got a virus when you don't. Apart from that I can't fault it. I'll download the 'HijackThis' application and keep you informed. Thanks.

Hi,
I really need help with my problem.
I use Windows XP.
When Win32:Trojan-gen {Other} attacked my *.doc files,
every Microsoft Word (*.doc) file became 638 KB in size.
When I use avast, it recommends moving them to the chest. That succeeds, but the original *.doc file goes missing/hidden,
but the file is always right there, I just cannot find it.
Can someone help with my problem??? Pleaseeeee
P.S. Sorry, my English is poor.
Thanks.

Please start a New Topic of your own as this seems unrelated to the original subject and will just confuse the topic and we will try to help.

  • Go to this link, http://forum.avast.com/index.php, scroll down to the Viruses and Worms forum and click it, click the New Topic button at the top of the list and post there.

Please, do not post the same thing 4 times :stuck_out_tongue:
It just makes the effort of helping harder.
Follow http://forum.avast.com/index.php?topic=3353.0

Hi,
I also have a problem with the Win32:Trojan-gen virus.
I don't know how to remove it.
This is my HijackThis log; maybe someone can help me.
Thx

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:53, on 3/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashEnhcd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_BE&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trooner.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Krait] C:\Program Files\Razer\Krait\razerhid.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Zoeken - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Woord vertalen in het Nederlands - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Gelijkwaardige pagina's - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Verbindingshelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Verbindingshelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Planner voor Automatische LiveUpdate - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


End of file - 9372 bytes
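
A first-pass triage of a HijackThis log like the one above is mostly pattern matching, and it is easy to automate. The script below is an added example, not part of this thread, of HijackThis or of avast. It reads HijackThis v2 lines and flags the things a helper would ask about first: an IE start/search page that is not the Microsoft or HP default, O2 BHOs marked "(no file)" and O23 services marked "(file missing)" (orphaned registrations), the outdated Sun Java 1.5 plug-in, autostarts from user-writable Temp/profile folders, and O4 Run entries that use a bare file name (resolved through the search path at logon). The sample log is constructed: seven entries are copied from the posted log, and the last `[updater]` line is a hypothetical entry added only to exercise the Temp-path check. The list of known-good hosts is an assumption taken from the defaults visible in the posted log.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 format. The first seven entries are copied
# from the log posted above; the last one is a hypothetical entry added only to
# exercise the user-writable-path check (no such entry appears in the real log).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trooner.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: Planner voor Automatische LiveUpdate - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O4 - HKCU\..\Run: [updater] "C:\Documents and Settings\User\Local Settings\Temp\updater.exe"
"""

# Assumption: hosts the posted log shows as legitimate IE defaults (Microsoft
# fwlink and the HP OEM redirector). Anything else as Start/Search Page gets flagged.
KNOWN_GOOD_IE_HOSTS = ("go.microsoft.com", "ie.redirect.hp.com")

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
OLD_JAVA = re.compile(r"\\jre1\.[0-5]\.", re.I)  # Sun JRE 1.5 or older
USER_WRITABLE = re.compile(
    r"\\(Temp|Local Settings|Documents and Settings|DOCUME~1)\\", re.I)
ABSOLUTE_PATH = re.compile(r'^"?[A-Za-z]:\\')


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _ie_host(body: str):
    """Return the host of the URL after '=' in an R0/R1 entry, or None."""
    m = re.search(r"=\s*https?://([^/\s]+)", body, re.I)
    return m.group(1).lower() if m else None


def triage(log_text: str) -> list:
    """Flag HijackThis entries that a helper would ask about first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")

        # R0/R1: a start or search page away from the Microsoft/OEM defaults is
        # the classic browser-hijack symptom.
        if sec in ("R0", "R1") and ("Start Page" in body or "Search Page" in body):
            host = _ie_host(body)
            if host and not host.endswith(KNOWN_GOOD_IE_HOSTS):
                findings.append(Finding(sec, f"IE start/search page set to {host}", line))

        # "(no file)" / "(file missing)": the registration survived, the binary did
        # not. Harmless on their own, but they belong on the clean-up list.
        if sec == "O2" and body.endswith("(no file)"):
            findings.append(Finding(sec, "orphan BHO: CLSID registered but DLL missing", line))
        if sec == "O23" and body.endswith("(file missing)"):
            findings.append(Finding(sec, "orphan service: registered but binary missing", line))

        if sec in ("O2", "O4", "O9", "O23"):
            if OLD_JAVA.search(body):
                findings.append(Finding(sec, "outdated Sun Java 1.5 plug-in loaded into IE", line))
            if USER_WRITABLE.search(body):
                findings.append(Finding(sec, "autostart from a user-writable Temp/profile path", line))

        # O4 Run values with a bare file name are resolved through the search path
        # at logon, so a same-named file earlier on that path is what actually runs.
        if sec == "O4" and "] " in body:
            target = body.split("] ", 1)[1].strip()
            if not ABSOLUTE_PATH.match(target):
                findings.append(Finding(sec, "Run entry uses a bare file name, resolved via search path", line))
    return findings


def summarize(findings) -> dict:
    """Count findings per HijackThis section, e.g. {'O2': 2, 'O4': 2}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run against the constructed sample it reports six items: the trooner.com start page, the two orphaned registrations, the Java 1.5 BHO, the bare `RTHDCPL.EXE` Run value and the hypothetical Temp autostart. Everything else in the posted log (HP, Intel, NVIDIA, Apple, avast services under Program Files) passes these checks, which matches the "small tidy-up" verdict given later in the thread.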

Nico-Sid , please start a NEW TOPIC of your own as this seems unrelated to the original subject and will just confuse the topic and we will try to help.

Your system is way down-level and needs Windows Service Pack 3, which has been available for over a year, and the Sun Java that is installed has many security exposures...

Hi,

In response to polonus: here is my logfile from HijackThis. Unfortunately I have had to attach it as a .txt file, as I exceeded the word limit when I tried posting before. Is there a way around that, as I've seen large postings on here?

Also after a recent scan, last night I got a few bleeps and warnings from Avast and in the chest were these files:

Name: A0087942.exe
Original Folder: C:\System Volume Information\_restore{3A5B5489-CC30-45FF-92AA-8E4674662524}\RP249
Virus Description: Win32:Trojan-gen{other}

Name: A0088034.exe
Original Folder: C:\System Volume Information\_restore{3A5B5489-CC30-45FF-92AA-8E4674662524}\RP249
Virus Description: Win32:Ups[Cryp]

Name: A0088322.exe
Original Folder: C:\System Volume Information\_restore{3A5B5489-CC30-45FF-92AA-8E4674662524}\RP251
Virus Description: Win32:Ups[Cryp]

Name: MS9767612.exe
Original Folder: C
Virus Description: Win32:Ups[Cryp]

Name: MS9767612.exe
Original Folder: C:\DOCUME~1\User\LOCALS~1\Temp\Rar$EX05.453
Virus Description: Win32:Ups[Cryp]

Name: MS9767612.exe
Original Folder: C:\Documents and Settings\User\Local Settings\Temp\Rar$EX00.15
Virus Description: Win32:Ups[Cryp]

Any help to clear my system would be much appreciated, thanks.
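
The "Original Folder" column in a chest listing like the one above tells you more than the detection name does. The script below is an added example, not from this thread or from avast, that parses a pasted chest listing and sorts each entry by where the copy came from: an XP System Restore snapshot (`System Volume Information\_restore{GUID}\RPnnn`, a copy that only comes back if that restore point is rolled back to), WinRAR's `Rar$EX*` extraction folder under Temp (the file was unpacked from an archive the user opened, so the archive is what still needs finding), or just a drive letter. The input is constructed from the six entries in the post, pasted with the same inconsistent "Original Folder"/"Original Folder:" labels and the truncated "C" kept as posted; the category names and the guidance in the docstring are the example's own.

```python
import re

# Constructed input: the six chest entries from the post above, as the forum
# shows them. Label spelling is inconsistent ("Original Folder:" vs
# "Original Folder" vs "Original location"); the parser tolerates all three.
# The truncated "Original Folder: C" is kept exactly as posted.
CHEST_REPORT = r"""
Name: A0087942.exe
Original Folder: C:\System Volume Information\_restore{3A5B5489-CC30-45FF-92AA-8E4674662524}\RP249
virus Description: Win32:Trojan-gen{other}

Name: A0088034.exe
Original Folder C:\System Volume Information\_restore{3A5B5489-CC30-45FF-92AA-8E4674662524}\RP249
virus Description: Win32:Ups[Cryp]

Name: A0088322.exe
Original Folder: C:\System Volume Information\_restore{3A5B5489-CC30-45FF-92AA-8E4674662524}\RP251
virus Description: Win32:Ups[Cryp]

Name: MS9767612.exe
Original Folder: C
virus Description: Win32:Ups[Cryp]

Name: MS9767612.exe
Original Folder: C:\DOCUME~1\User\LOCALS~1\Temp\Rar$EX05.453
virus Description: Win32:Ups[Cryp]

Name: MS9767612.exe
Original Folder: C:\Documents and Settings\User\Local Settings\Temp\Rar$EX00.15
virus Description: Win32:Ups[Cryp]
"""

FIELD = re.compile(r"^(Name|Original (?:Folder|location)|Virus Description):?\s*(.*)$", re.I)
RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\(RP\d+)", re.I)
RAR_TEMP = re.compile(r"\\Temp\\Rar\$EX", re.I)
DRIVE_ONLY = re.compile(r"^[A-Za-z]:?\\?$")


def parse_chest_report(text: str) -> list:
    """Split a pasted chest listing into dicts with name / folder / detection."""
    entries, cur = [], {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            if cur:                       # blank or unknown line closes an entry
                entries.append(cur)
                cur = {}
            continue
        label = m.group(1).lower()
        if label == "name":
            if cur:                       # a new Name without a blank line before it
                entries.append(cur)
                cur = {}
            key = "name"
        elif label == "virus description":
            key = "detection"
        else:
            key = "folder"
        cur[key] = m.group(2).strip()
    if cur:
        entries.append(cur)
    return entries


def classify_location(folder: str) -> tuple:
    r"""Map the chest's 'Original Folder' to where the copy came from.

    restore_point : XP System Restore snapshot (_restore{GUID}\RPnnn). The file was
                    live when the point was taken and only returns if that point is
                    rolled back to; turning System Restore off and on again purges
                    all points once the live system is clean.
    archive_temp  : WinRAR's Rar$EX* extraction folder under Temp: the file was
                    unpacked from an archive the user opened, so the archive is the
                    thing still to find and delete.
    drive_root    : a bare drive letter (or a path truncated to one in the post).
    """
    m = RESTORE_POINT.search(folder)
    if m:
        return "restore_point", m.group(1).upper()
    if RAR_TEMP.search(folder):
        return "archive_temp", None
    if DRIVE_ONLY.match(folder):
        return "drive_root", None
    return "other", None


def report(entries) -> dict:
    """Aggregate: counts per location type, restore points touched, detections seen."""
    out = {"by_location": {}, "restore_points": set(), "by_detection": {}}
    for e in entries:
        cat, rp = classify_location(e.get("folder", ""))
        out["by_location"][cat] = out["by_location"].get(cat, 0) + 1
        if rp:
            out["restore_points"].add(rp)
        det = e.get("detection", "?")
        out["by_detection"][det] = out["by_detection"].get(det, 0) + 1
    return out


if __name__ == "__main__":
    for k, v in report(parse_chest_report(CHEST_REPORT)).items():
        print(f"{k}: {v}")
```

On the posted listing this gives three copies in restore points RP249 and RP251, two in WinRAR temp folders and one at a bare drive letter, with one Win32:Trojan-gen{other} and five Win32:Ups[Cryp] detections. The practical reading is that the same MS9767612.exe was extracted from an archive at least twice, so the archive it came from is worth locating before the chest copies are sent off for analysis.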

Hi rtrgrl78

Just to get these files in the chest sorted to start with.

The files are okay now they are in the chest. They can no longer contaminate your system, although you may still have infected files in your system that are as yet undetected. They can be dealt with later.

As far as the files in the chest go, it may help to send copies off to avast for analysis. This is relatively easy to do: go to the chest and follow the directions.

Right-click a file----->choose email to Alwil software------follow directions

  • classify file as undetected malware – add link to this topic from the forum

The file will be uploaded to avast on the next auto update, or you can update manually if you want.
Do this for each of the files.

Or instead send samples as email to virus@avast.com

  • classify file as undetected malware – add link to this topic in the forum
  • zip the files and password-protect the zip, giving the password in the email body

I see you have also attached a HjT log. I will have a look, but this is not my area of expertise.
Some forum members do have a lot of experience with HjT, so they can help out later if need be.

Edit - Probably just some small tidy-up work by the look of the HjT log. But wait for someone more familiar with HjT. They will usually give you a step by step.

A disk cleanup and defrag would not hurt at this stage. If you have not done so already.

Windows XP Service Pack 3 has been available for a year and contains several critical security updates plus performance improvements. You need to start Internet Explorer, then go to Tools, then Windows Update, and download all of the available updates.

Also you should enable Automatic Updates or at least be notified that Updates are available.

Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don’t automatically download or install them.

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

Anything less than this will mean your computer's performance and well-being are compromised.

Thanks for the response. Not all the files will load up for email, and do I add the link to this site in the additional information bit? Will it matter that all the files won't go straight on to email? And finally, what is the 'next auto/manual update'? Is this something Avast would email me about?

Or instead send samples as email to virus@avast.com - classify file as undetected malware – add link to this topic in the forum - zip the message and password protect – secure password in the email body

How do you send ‘samples’ in an email from the chest?

I see you have also attached a HjT log. I will have a look but this is not my area of expertise. Some forum members do have a lot of experience with HjT so they can help out later it need be.

Edit - Probably just some small tidy up work by look of the HjT log. But wait for someone more familiar with HjT. They will usual give you a step by step.

A disk cleanup and defrag would not hurt at this stage. If you have not done so already.

Thanks, will do.

They aren’t actually emailed from the chest but uploaded (though it does say email to Alwil Software).

The file has to be in the chest already or you have to first add it to the chest.

You can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.