Plagued by win32:trojano-2772

Avast finds files that have been compromised by win32:trojano-2772 [trj] and deletes them. But something out there replaces them upon reboot. It keeps putting a file called “taskmgr.exe” my wife’s startup folder that runs and does nothing obvious except open a window.

What is trojano-2772?

:slight_smile: I think that trojan has been mentioned several times on this forum; however, the 1st thing I would suggest you use to combat this trojan is to install “Ewido” available from www.ewido.net/en . This program “specializes” in detecting and removing trojans, worms, dialers, etc. I use Avast & Ewido as a 2-front assault on trojans.

I searched the site, there were no references to trojano-2772… ???

I’ll check out Ewido in the morning.

Hi and welcome Tony,
Why didn't you check out Google today ;D
Seems you have a worm http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPOSSUM.A&VSect=T

Is that taskmge.exe or taskmgr.exe?

http://securityresponse.symantec.com/avcenter/venc/data/trojan.startpage.g.html

I am pretty sure it created a bogus taskmgr.exe in the wife’s startup folder.

I’ll check of course, but it doesn’t sound like the Opossum worm. Further, I’d expect Avast, Ewido, or Spybot to notice Opossum since it is nearly a year old.

Wife just wants me to reformat and reinstall. Blah. I hate giving up.

Another symptom is that it seems to re-appear after a reboot. Yet even in safe mode nothing is found except the typical trojano-2772-infected file.

I have to wonder if something external isn’t re-attacking her machine periodically. We’re behind a router on a non-routable network. She’s very good about not opening attachments etc. Perhaps it is time to check my son’s computer for virus activity that might be re-infecting hers.

My machine is, of course, squeaky-clean.

Well, avast is noticing something, as it is throwing up the trojano-2772 warning. Is it on the file you said (what is/was its location), and can you confirm the filename spelling is taskmgr.exe? That one is a browser startpage hijacker, whereas the other you first mentioned, taskmge.exe, is a much more serious worm.

Which one it is makes dealing with it much different.

  • What was the filename, and where was it found?
    Example: C:\windows\system32\infected-filename.xxx

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information, HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis, let us know.
OR HiJackThis Log file - On-line Analysis 2
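To show the kind of check the request for "full path to and including the file name" makes possible, here is an added Python example, not part of this thread or of HijackThis: it flags startup entries whose filename matches a Windows system binary but sits outside the system directory (the bogus taskmgr.exe case), and bare executables placed directly in a Startup folder, which normally holds only shortcuts. The system-binary list, the system directories and the sample entries are constructed for the example.

```python
import ntpath

# Windows binaries that legitimately live only in the system directory.
# Short constructed list for this example; a real check would use a fuller one.
SYSTEM_BINARIES = {"taskmgr.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# Directories where those names are expected. Assumes a default XP install
# (%SystemRoot% = C:\WINDOWS); adjust for the machine being examined.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}


def classify(full_path):
    """Return a list of findings for one startup entry (empty if nothing stands out)."""
    directory, name = ntpath.split(full_path)
    name_l = name.lower()
    dir_l = ntpath.normpath(directory).lower()
    findings = []
    # A well-known system binary name in a user-writable location is a masquerade.
    if name_l in SYSTEM_BINARIES and dir_l not in SYSTEM_DIRS:
        findings.append(f"system binary name outside system dir: {full_path}")
    # Startup folders normally contain .lnk shortcuts, not raw executables.
    if dir_l.endswith("\\startup") and name_l.endswith(".exe"):
        findings.append(f"raw executable in a Startup folder: {full_path}")
    return findings


def review_startup_entries(entries):
    """entries: full paths collected from Startup folders and Run keys."""
    results = []
    for path in entries:
        results.extend(classify(path))
    return results


# Constructed sample entries modelled on the thread: a harmless Run entry,
# the bogus taskmgr.exe in a user's Startup folder, and the real one.
SAMPLE_ENTRIES = [
    r"C:\Program Files\Example\tray.exe",
    r"C:\Documents and Settings\wife\Start Menu\Programs\Startup\taskmgr.exe",
    r"C:\WINDOWS\system32\taskmgr.exe",
]

if __name__ == "__main__":
    for finding in review_startup_entries(SAMPLE_ENTRIES):
        print(finding)
```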

Ok, my apologies, I don’t type well. I misspelled the name of the file in my original posting - it is taskmgr.exe, NOT taskmge.exe.

The file that avast keeps finding is either taskmgr.exe in the startup folder or a random looking file in an IE temp folder that changes from day to day. I am at work so I don’t know the exact name. Also, Avast didn’t say that the files were the problem, it said they ‘contained an instance of win32:trojano-2772[trj]’ or some such.

We’ve deleted them a million times, they keep re-appearing.

Then you have to stop what is bringing them back, which is why I gave the links to HiJackThis, as it is good at indicating what is running on your system, not just what is infected, etc.

Where the files are or keep getting placed is important in knowing how to deal with them.

If the random files are in the internet temp folder are they also detected by avast as trojano-2772?
If so which provider is detecting them?
Because if the Web Shield provider was running and avast can detect these files, then I would have expected that to detect it and stop it getting on the HDD in the internet temp folder.

What is your OS?

I’ll run hijackThis tonight.

We’re running XP, latest patches. Wife uses the latest rev of Firefox, not IE, generally. Avast flags all the files as being infected by 2772. I don’t know right now which provider is detecting them. The Web Shield and Email providers are running.

Tonight I will make more careful notes, and run HijackThis. Unless my wife goes berserk and makes me reformat it. :o

That’s why I queried it, because web shield should detect this if it is coming from the internet and effectively block it. However, now that you have said you are using Firefox, which uses extensionless cache files, what you describe as random naming is simply what Firefox does in its cache. See first image.

This is one of the reasons why we ask for the full path to and including the file name, it saves time as I personally was confused when you said the Internet Temp files, I assumed incorrectly you were using IE.

If this is simply browser hijacking, which is strange if you are using Firefox (I would stay away from IE except for Windows Update) as it is less susceptible to this kind of malware, then formatting is overkill by a long way.

Tip: to ensure that Firefox’s browser cache files get scanned, check that the web shield provider scans all files. See image two.

This is not just a browser redirect.

While running a different anti-virus package in safe mode, I found something humorously called “trojandownloader.agent.wd” which I removed. I guess they figured that you deserve whatever you get if you don’t notice it. I read up some on the web and it seems to display the behavior I am seeing.

The problem still came back, so I will be reformatting the HD tonight.

Thanks for the help, but it is easier to start over.