Avast warned that I am infected with Win32:Trojan-gen {UPX}. Please help me heal this because I am having a hard time deleting this one… Thanks

Here’s the log of my Avast

11/28/2007 1:32:10 PM SYSTEM 1352 Sign of “Win32:Trojan-gen {UPX}” has been found in “C:\Documents and Settings\Owner\My Documents\New Folder.exe” file.
11/28/2007 1:32:16 PM SYSTEM 1352 Sign of “Win32:Trojan-gen {UPX}” has been found in “C:\Documents and Settings\Owner\My Documents\My Pictures\My Pictures.exe” file.
11/29/2007 12:07:52 PM SYSTEM 1348 Sign of “Win32:Trojan-gen {UPX}” has been found in “C:\Documents and Settings\Owner\My Documents\New Folder.exe” file.
11/29/2007 12:08:01 PM SYSTEM 1348 Sign of “Win32:Trojan-gen {UPX}” has been found in “C:\Documents and Settings\Owner\My Documents\SCVHOST.exe” file.
11/29/2007 12:08:05 PM SYSTEM 1348 Sign of “Win32:Trojan-gen {UPX}” has been found in “C:\Documents and Settings\Owner\My Documents\My Pictures\My Pictures.exe” file.
11/29/2007 12:08:15 PM SYSTEM 1348 Sign of “Win32:Trojan-gen {UPX}” has been found in “C:\Documents and Settings\Owner\My Documents\My Music\My Music.exe” file.
11/29/2007 12:08:31 PM SYSTEM 1348 Sign of “Win32:Trojan-gen {UPX}” has been found in “C:\Documents and Settings\Owner\My Documents\My Received Files\My Received Files.exe” file.
11/29/2007 12:14:04 PM SYSTEM 1348 Sign of “Win32:Trojan-gen {UPX}” has been found in “C:\Documents and Settings\Owner\My Documents\New Folder.exe” file.
11/29/2007 12:14:08 PM SYSTEM 1348 Sign of “Win32:Trojan-gen {UPX}” has been found in “C:\Documents and Settings\Owner\My Documents\My Pictures\My Pictures.exe” file.
11/29/2007 12:14:15 PM SYSTEM 1348 Sign of “Win32:Trojan-gen {UPX}” has been found in “C:\Documents and Settings\Owner\My Documents\My Music\My Music.exe” file.
11/29/2007 12:35:59 PM SYSTEM 1348 Sign of “Win32:Trojan-gen {UPX}” has been found in “C:\Documents and Settings\Owner\My Documents\New Folder.exe” file.
11/29/2007 12:49:39 PM SYSTEM 1348 Sign of “Win32:Trojan-gen {UPX}” has been found in “C:\Documents and Settings\Owner\My Documents\My Pictures\My Pictures.exe” file.
11/29/2007 12:49:43 PM SYSTEM 1348 Sign of “Win32:Trojan-gen {UPX}” has been found in “C:\Documents and Settings\Owner\My Documents\My Music\My Music.exe” file.
11/29/2007 1:48:55 PM SYSTEM 1348 Sign of “Win32:Trojan-gen {UPX}” has been found in “C:\Documents and Settings\Owner\My Documents\New Folder.exe” file.
11/29/2007 1:53:39 PM SYSTEM 1348 Sign of “Win32:Trojan-gen {UPX}” has been found in “C:\Documents and Settings\Owner\My Documents\My Music\My Music.exe” file.
11/29/2007 1:53:59 PM SYSTEM 1348 Sign of “Win32:Trojan-gen {UPX}” has been found in “C:\Documents and Settings\Owner\My Documents\My Received Files\My Received Files.exe” file.
11/29/2007 1:54:13 PM SYSTEM 1348 Sign of “Win32:Trojan-gen {UPX}” has been found in “C:\Documents and Settings\Owner\My Documents\My Pictures\My Pictures.exe” file.
11/29/2007 5:08:54 PM SYSTEM 1360 Sign of “Win32:Trojan-gen {UPX}” has been found in “C:\Documents and Settings\Owner\My Documents\SCVHOST.exe” file.

And also with HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 5:36:49 PM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Security Administrator\newadmin.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Owner\My Documents\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [00saskda] “C:\Program Files\Security Administrator\newadmin.exe” saskda
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKLM..\Run: [PC Link] C:\PROGRA~1\NETLINK\Api.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKCU..\Run: [Yahoo! Pager] “C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” -quiet
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191470567078
O17 - HKLM\System\CCS\Services\Tcpip..{0CE0384B-4D23-4E8D-93E0-463797D0E946}: NameServer = 192.168.10.1
O17 - HKLM\System\CCS\Services\Tcpip..{4C09F6C9-6520-479A-A74B-9C6B1B1D4486}: NameServer = 192.168.10.1
O17 - HKLM\System\CS1\Services\Tcpip..{0CE0384B-4D23-4E8D-93E0-463797D0E946}: NameServer = 192.168.10.1
O17 - HKLM\System\CS2\Services\Tcpip..{0CE0384B-4D23-4E8D-93E0-463797D0E946}: NameServer = 192.168.10.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

I deleted the file in safe mode manually but after a while it warns again.

Thanks for your cooperation!

The unresolved BHOs are suspicious… have you tried a Google search for their CLSIDs?
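A small triage script, added here and not written by anyone in the thread, that reads Avast log lines in the format quoted above and HijackThis O2 lines: it counts how often each path is re-detected (the "comes back" pattern the poster describes), flags executables named after their parent folder, and lists BHOs with no backing file. The sample input is constructed from a few of the thread's own log lines; the regex also accepts the curly quotes the forum renders.

```python
import re
from collections import OrderedDict

# Constructed sample: Avast lines in the format quoted above (straight quotes;
# the regex also accepts the curly quotes the forum shows) and three O2 lines.
SAMPLE_AVAST = r"""
11/28/2007 1:32:10 PM SYSTEM 1352 Sign of "Win32:Trojan-gen {UPX}" has been found in "C:\Documents and Settings\Owner\My Documents\New Folder.exe" file.
11/29/2007 12:08:01 PM SYSTEM 1348 Sign of "Win32:Trojan-gen {UPX}" has been found in "C:\Documents and Settings\Owner\My Documents\SCVHOST.exe" file.
11/29/2007 12:08:05 PM SYSTEM 1348 Sign of "Win32:Trojan-gen {UPX}" has been found in "C:\Documents and Settings\Owner\My Documents\My Pictures\My Pictures.exe" file.
11/29/2007 12:14:04 PM SYSTEM 1348 Sign of "Win32:Trojan-gen {UPX}" has been found in "C:\Documents and Settings\Owner\My Documents\New Folder.exe" file.
"""
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
"""
AVAST_RE = re.compile(
    r'^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) \S+ \d+ Sign of ["“](?P<sig>[^"”]+)["”]'
    r' has been found in ["“](?P<path>[^"”]+)["”] file\.$')
HJT_BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$')

def parse_avast(text):
    """One dict (ts, sig, path) per Avast detection line; other lines are skipped."""
    return [m.groupdict() for m in map(AVAST_RE.match, text.splitlines()) if m]

def summarize_paths(records):
    """Per path: hit count, first/last timestamp, and whether the file is named
    after its parent folder (the My Pictures.exe-inside-My Pictures pattern above)."""
    summary = OrderedDict()
    for r in records:
        parts = r["path"].split("\\")
        parent = parts[-2] if len(parts) > 1 else ""
        entry = summary.setdefault(r["path"], {
            "count": 0, "first": r["ts"], "last": r["ts"],
            "folder_mimic": parts[-1].lower() == parent.lower() + ".exe"})
        entry["count"] += 1
        entry["last"] = r["ts"]
    return summary

def orphan_bhos(hjt_text):
    """CLSIDs of O2 BHO entries whose DLL HijackThis reports as '(no file)'."""
    return [m.group("clsid") for m in map(HJT_BHO_RE.match, hjt_text.splitlines())
            if m and m.group("file").strip() == "(no file)"]

if __name__ == "__main__":
    for path, info in summarize_paths(parse_avast(SAMPLE_AVAST)).items():
        flag = "  <- named after its parent folder" if info["folder_mimic"] else ""
        print(f'{info["count"]}x {path} ({info["first"]} .. {info["last"]}){flag}')
    print("BHOs with no backing file:", orphan_bhos(SAMPLE_HJT))
```

Paste the full Avast log and the whole HijackThis output into the two sample strings to run it over the real thread data.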

Having two active AV scanners will not help- it will only cause conflicts and instability.

Have you tried a boot time scan with avast!? Right click the scanner screen, select ‘schedule a boot time scan’ and reboot when requested.

Try a scan with AVG in Safe Mode.

(There’s no guarantee that either AV will work properly with another present.)

Try a few online scans in Safe Mode with Networking.

F-Secure

BitDefender

Panda

Trend Micro Housecall

I already tried the safe mode scan of Avast. It detects the virus and deletes it, but after a while the virus comes back.

Two AVs: which is better to retain, AVG or Avast?

Thanks guys!

Do you have all the critical security updates (from Windows Update) installed? Maybe some hole is there to let the virus reinfect your computer again…

Good day,

Only an update of IE. Mine is still an IE 6.0.

Try a few rootkit scans for hidden malware.

Panda Antirootkit

Blacklight

AVG Anti-Rootkit

Have you tried the online scans?

OK guys. I'll try to scan online… I'll post the result as soon as I am done.

Hi :)

So none of your 3 antiSPYWARE/antiTROJAN programs (Windows Defender, AVG AntiSpyware, or SUPERAntiSpyware) detected this?

Is there a reason you do NOT have a software firewall installed, since the Win XP SP2 one does NOT offer "Outbound" protection!?

Windows Defender did not detect anything; however, AVG and SUPER detect only tracking cookies… I already scanned my computer with AVG in safe mode but no virus was detected.

I do not have a firewall, just the built-in Windows firewall.

The rootkit scan also detected nothing. I am already fed up with this virus.