Infected with Win32:Trojan-gen

Hi guys, I opened an .exe file which is about 300mb in size thinking that a virus couldn’t possibly be so large only to have Avast pop a warning of the above virus.

I moved it to the chest, and googled how to remove it. I proceeded to safe mode, ran Malwarebytes Anti-Malware, SUPERAntiSpyware and Spybot, but all of them found nothing. I then proceeded to delete the file in the chest.

I’m currently running a scan again to double-confirm that I’m virus-free.

So my question here is, am I safe if I delete the files I moved to chest?

The exe might not be the infected file; if it is an installation (archive) file, it could contain one.

Other scanners won’t find anything if you have it in the chest, as a) it is a protected area and b) the files in there are encrypted.

What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section; this contains information on all avast detections.

Deleting a file so soon after putting it in the chest kind of defeats the point of putting it in the chest, you might as well have deleted it to start with.

However, deletion isn’t really a good first option (you have none left): ‘first do no harm’; don’t delete, send the virus to the chest and investigate.

Once a file is in the chest you are safe; it can’t do anything from there. Once deleted, it is history.

Thanks for the quick reply.

The file that I opened was a .exe file, but it was 1 part of a 3part .RAR file.

Here is what the Avast Log Viewer had:

Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Users\Personal\AppData\Local\Temp\IXP000.TMP\start.exe” file.

EDIT: I have also deleted the 3 RAR files that I downloaded from a torrent.

So the start.exe was 300MB?
If so I would say there is a possibility that it was a bad detection.

The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so it is trying to catch multiple variants of the same type of malware, and that is a fine balance between detecting a new variant and detecting something valid as infected.

That said, downloading torrents from unknown/untrusted sources is of a higher risk.

Unfortunately there is little that can be done to try and analyse the file (it is over the 10MB upload limit) at VirusTotal (multi-engine on-line virus scanner), a very useful resource.
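One thing a practitioner can still do when a file is over the upload limit is hash it and look the hash up instead of uploading it; a file that many people have downloaded has usually been submitted by someone already. The script below is an added example for this page (Python; not from the thread, from avast or from VirusTotal). It streams the file in 1MB chunks so a 300MB download never has to fit in memory, reports whether the size is over the 10MB figure given above (assumed to be a per-file limit), and looks at the first bytes so that a ".exe" that is really a RAR part shows up as such. The lookup URL form is an assumption about the current VirusTotal web UI, and the sample bytes in the test are constructed.

```python
"""Hash a large download so it can be checked by hash instead of uploaded."""
import hashlib
import os
import sys

UPLOAD_LIMIT = 10 * 1024 * 1024   # the 10MB figure from the thread (assumed to be per file)
RAR_MAGIC = b"Rar!\x1a\x07"      # common prefix of the RAR 4 (..\x00) and RAR 5 (..\x01\x00) signatures
PE_MAGIC = b"MZ"                 # DOS/PE header at offset 0 of a Windows executable


def _digest_chunks(chunks):
    """Feed an iterable of byte chunks through md5/sha1/sha256 and return hex digests."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data):
    """Digests of an in-memory blob (used for small inputs and for testing)."""
    return _digest_chunks([data])


def hash_file(path, chunk_size=1024 * 1024):
    """Stream the file in chunks so a 300MB download is hashed without loading it whole."""
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(chunk_size), b""))


def over_upload_limit(size, limit=UPLOAD_LIMIT):
    return size > limit


def classify_header(header):
    """Classify the first bytes: 'rar' for a RAR volume, 'pe' for a Windows executable.

    Note that a self-extracting (SFX) archive starts with MZ and carries the RAR
    signature further in, so 'pe' does not rule out an archive.
    """
    if header.startswith(RAR_MAGIC):
        return "rar"
    if header.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def describe(path):
    """Everything you would want before deciding whether a file can be checked by hash."""
    with open(path, "rb") as fh:
        header = fh.read(8)
    size = os.path.getsize(path)
    info = hash_file(path)
    info.update(size=size, over_upload_limit=over_upload_limit(size), kind=classify_header(header))
    # Hypothetical lookup URL form (VirusTotal's current web UI; not taken from the page).
    info["lookup_url"] = "https://www.virustotal.com/gui/file/" + info["sha256"]
    return info


if __name__ == "__main__":
    for p in sys.argv[1:]:
        for key, value in describe(p).items():
            print(f"{p}: {key} = {value}")
```

Run it as `python hashcheck.py part1.exe part2.rar part3.rar` and paste the SHA-256 values into the lookup page; hashing each part separately matters because a multi-part archive is never scanned as one blob, and a hash of the first part says nothing about the others.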

The 3 part .RAR files add up to 300MB; the one I opened is around 100MB.

However, the file I opened wasn’t named start.exe, but it was an .exe file with a .RAR icon, around 100MB in size. The directory where I opened the file wasn’t what the avast! Log Viewer registered.

I have deleted the 3 .RAR files too, so I am unable to provide any data on it either. Should I run HijackThis or something that can detect Win32 to make sure my computer is clean?

IXP000.tmp was a file needed for some MS information;
evidently the name has also been used for a virus.
Hard to tell now.

Run Malwarebytes Anti-Malware, update, check any baddies, THEN CLICK “REMOVE SELECTED”.
Post a log (if the log says “no action taken” do it again :slight_smile:

You could also try SUPERAntiSpyware: quarantine, do not delete/remove.
Do not include cookies in your report; just cut them out.

Do you have any other apps installed, like Spybot?
Also,
try a boot time avast scan:
right click the ball and “Update Programs” (just to make sure),
then open avast and schedule a boot time scan, reboot,
post log.

Things from a torrent have a higher chance of being affected.

After the above scans post an HJT log and I’ll take a look at it.

At least if you want that file you could download it again; it’s not like the system is trashed.

When you post,
say what OS, firewall, browser, CPU, memory etc.

avast would scan within the RAR or exe as you try to extract it, so no, it won’t be showing the file you opened but the infected file it found within it.

The same is true of the directory: when you open an archive file like a RAR it will be unpacked in a temporary location, and it is this extraction in the temp location that triggers avast to scan the newly created files, which is when it detects the infected/suspect start.exe file.

Personally I don’t believe HJT would show anything relating to this, as it never got to set anything up; it would appear that as you unpacked the RAR avast jumped on the start.exe, so it wouldn’t have been able to run.

I agree with DavidR about this hit;
however, if you have been using torrents
and want to do the scans suggested,
I’ll look at your HJT log and see if anything else has snuck aboard.

Hi guys, I did the scans once I saw what wyrmrider said; here are the results:

MBAM Log:

Malwarebytes’ Anti-Malware 1.28
Database version: 1189
Windows 6.0.6000

23/9/2008 3:23:55 AM
mbam-log-2008-09-23 (03-23-55).txt

Scan type: Full Scan (C:|D:|)
Objects scanned: 120483
Time elapsed: 1 hour(s), 21 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Avast:

09/23/2008 03:32
Scan of all local drives

File C:\Users\Personal\Desktop\Music_-FromNowOn___???-FromNowOn??+??????«???».rar.td????«???»\chmnrzt01.mp3 Error 42126 {RAR archive is corrupted.}
Number of searched folders: 17717
Number of tested files: 300001
Number of infected files: 0

Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:07 AM, on 23/9/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\LVCOMSX.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.mediacorp.com.sg/board/index.php?s=46e61b2ed98a143efaa82f5b6c5cab5f
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\Windows\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-SG/a-UNO1/GAME_UNO1.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe


End of file - 8078 bytes
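Reading an HJT log by eye is mostly a matter of scanning for a handful of patterns, and that first pass is easy to script. The following is an added example for this page (Python; not from the thread and not part of HijackThis): it parses the `Oxx - ...` entries and flags four things a reviewer checks first: a BHO whose file HJT reports as missing, an autorun entry launching from a Temp directory, an ActiveX (O16 DPF) control downloaded from a host outside a small allow-list, and a service with no publisher recorded. The allow-list, the severity labels, and the one O4 line tagged "hypothetical" in the sample are the editor's assumptions; the other sample lines are copied from the log above. Anything it flags is a prompt to verify, not a verdict, since HJT itself can misreport a present file as missing, as the discussion of the Windows Live Messenger BHO shows.

```python
"""First-pass triage of a HijackThis log with a few simple heuristics."""
import re
from urllib.parse import urlparse

# Constructed sample: entries copied from the log in this thread, plus one
# hypothetical O4 line (so marked) that is NOT in the log, to exercise the temp-path rule.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [hypothetical] C:\Users\Personal\AppData\Local\Temp\updater.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")      # "O2 - BHO: ..." -> ("O2", "BHO: ...")
TEMP_PATH_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
# Hosts from which an ActiveX (DPF) download is expected on this machine: editor's assumption.
EXPECTED_DPF_HOSTS = {"messenger.zone.msn.com", "update.microsoft.com", "www.update.microsoft.com"}


def parse_entries(text):
    """Return (section, body, raw_line) for every HJT entry line; skip headers and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), line))
    return entries


def triage(text):
    """Return (severity, reason, line) tuples for entries that deserve a second look."""
    findings = []
    for section, body, line in parse_entries(text):
        if section == "O2" and body.endswith("(no file)"):
            # HJT has misreported present files as missing before: verify, do not just fix.
            findings.append(("review", "BHO target reported missing; verify before fixing", line))
        elif section == "O4" and TEMP_PATH_RE.search(body):
            # Legitimate autoruns live under Program Files or Windows, not in Temp.
            findings.append(("suspicious", "autorun entry launching from a Temp directory", line))
        elif section == "O16":
            # The download URL is the last " - " separated field of a DPF entry.
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if host not in EXPECTED_DPF_HOSTS:
                findings.append(("review", f"ActiveX control downloaded from {host}", line))
        elif section == "O23" and " - Unknown owner - " in body:
            findings.append(("review", "service with no publisher recorded", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Run against the full log above, this flags the Windows Live Messenger BHO, the GoPets ActiveX control and the Dell support service, which is exactly the set a human reviewer would pause on, and none of them is malware; the value of the script is in keeping that second look short and repeatable, not in deciding anything by itself.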

Yeah, you’re right, because there was an error popup from WINRAR that prevented the .RAR file from being extracted. I deleted the 3 .RAR files immediately after.

What do you suggest I do now?

Maybe you could run a full on-line scan, but I think you’re clean and this is a false positive. But who knows…

Full computer on-line scanning:
Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
F-Secure
BitDefender (free removal of the malware)

Thanks for all the help, you guys are awesome. :slight_smile:

You’re welcome… the faster you get clean, the greater our happiness will be :wink:

I honestly believe avast stopped whatever it was in its tracks so it didn’t get a chance to do anything, assuming that the detection was a good one.

Having already run SAS, MBAM and Spybot S&D and come up empty, personally I would say you have done enough. I also don’t see anything obvious in your HJT log.

I agree with DavidR.
What to do now?
Firewall?
Real time anti-spyware protection?
Remind me what OS, browser, CPU, RAM.

On Wednesday update Spybot, immunize and turn on SDHelper and TeaTimer if you have not selected another real time anti-malware protector.

Hosts file
SpywareBlaster


Just for information, this one …

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

… belongs to Windows Live Messenger.


Good work.

Your HJT log does not show an active third party firewall.
You can make the Vista firewall work but it is a lot of work.
I’m not a Vista user but I see reports that COMODO works well (do not install the Clam AV);
best to look at the on-line manual so you can tell what the install options mean.
The Defense+ is OK.

Windows Defender works well for real time anti-spyware.

You can close all your browser windows, including this one, and FIX this with HJT:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
This is inactive so no big deal.
That’s it from HJT land.

There are a lot of things running at start up that do not need to be, taking resources.
You could use PC Decrapifier to sort through pre-installed garbage.

Go to Secunia, run the Secunia Software Inspector and get all your programs updated.

Post back and let us know how you are doing.

I recommend the installation of SpywareBlaster by JavaCool
and a hosts file.
Post back if you want/need recommendations.
This is a volunteer forum so you will get all the answers :slight_smile:

you can close all your browser windows including this one and FIX this with HJT O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) this is inactive so no big deal

I would still say leave this alone, as if the user is using Windows Live Messenger (and hasn’t uninstalled it) it isn’t inactive, regardless of what HJT says (this has happened in the past, where it even reported some avast files as missing), so potentially this could be a big deal.