PLEASE HELP!!! Removal of Win32:Trojan-gen. {Other}

hello…

Please help me regarding removal of the Win32:Trojan-gen. {Other} virus. I have avast version 4.6 and my OS is XP.

  1. Schedule a boot scan in avast (look in the drop-down menu of the avast GUI)
  2. Use some online scanner to scan your computer
  3. Use antispyware to scan your computer

mai - please keep to this topic and abandon the duplicate one you started 14 minutes later
Edit: URL link removed due to other topic being removed.

From the other thread by xmas:

Can you give us some more info? For example the address of the infected file, how many files were infected? VPS version, program version?

You can try to do a boot-time scan.

Hey David, I guess the other topic has disappeared???
The link doesn’t work.

And, yes, mai, please make only one topic if you have questions!!! Don’t start the same topic twice, please!

I guess one of the moderators saw the duplication and removed it, at least we are now only concerned with the one topic.

hello…

I did not intentionally duplicate the post. My system shut down automatically and so I was not sure whether the problem was posted or not.

The avast on-access scanner displays a message about the presence of the trojan in question, and the recommended action is Move to chest. I follow accordingly, but the message keeps on coming at short intervals. It says the infection is in the msdirectx.sys file. What to do??

Hi Mai,

Find the fix for msdirectx.sys here:

http://forum.avast.com/index.php?topic=14618.msg142666#msg142666

Hi,

I have run the HijackThis software. The log file is as follows. Can anybody go through this and tell me what to do??

Logfile of HijackThis v1.99.1
Scan saved at 10:48:04 PM, on 10/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\logonui.exe
D:\WINDOWS\System32\xpjava.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Winamp3\winampa.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Google\Google Talk\googletalk.exe
D:\Program Files\Webshots\WebshotsTray.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\System32\wbem\wmiapsrv.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Hiloa\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [WinampAgent] “D:\Program Files\Winamp3\winampa.exe”
O4 - HKLM..\Run: [QuickTime Task] “D:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [PSGuard] D:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [MSMSGS] “D:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU..\Run: [googletalk] “D:\Program Files\Google\Google Talk\googletalk.exe” /autostart
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://D:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://D:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://D:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://D:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip..{11BCFD7A-9363-4168-B5B7-8EB03C5FAC97}: NameServer = 61.0.128.65 61.0.0.5
O17 - HKLM\System\CS1\Services\Tcpip..{11BCFD7A-9363-4168-B5B7-8EB03C5FAC97}: NameServer = 61.0.128.65 61.0.0.5
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe

Your OS is well out of date and many vulnerabilities have been patched by Microsoft since; SP2 also includes a number of security enhancements, so I would advise you to visit Windows Update urgently, otherwise as fast as you plug one hole another will appear.

Once you have updated to XP SP2 you will also be able to update IE6 to SP2, further improving security.

You don’t appear to be using a software firewall; I suggest you install one of the freeware ones. Zone Alarm is fine as it has a relatively friendly interface.

There are a number of unknown and nasty entries; see this on-line analysis of your log http://hijackthis.de/logfiles/9a4de72a6d979bf4643c6c8009e96612.html and check out the unknown entries using Google, etc.

This is the most serious:
O4 - HKLM..\Run: [PSGuard] D:\Program Files\PSGuard\PSGuard.exe Nasty
Variant of the SmitFraud alias FAKEALE-C TROJAN! Hit rate: 99 % (result)

A Google search for PSGuard Removal returns many hits; this is just one of them - http://www.bleepingcomputer.com/forums/How_to_remove_the_Smitfraud_or_Wpexe_bswexe_WindowsFY-t17258.html

Mai,

You need to follow the advice in the link in my previous posting. The only extra help I can give you is that the file you need to enter into Killbox is D:\WINDOWS\System32\xpjava.exe

You must follow noahdfear’s advice:

Use Killbox as instructed on the above file.

Fix this entry with HijackThis!:

F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe

And make the registry changes as instructed.

Don’t forget to remove PSGuard as per David’s posting. Have you got any mysterious blue screen messages? If not, try removing PSGuard from add/remove programs in Control Panel (If it’s there) and then run Ewido. If you have the blue screen message, you will need to run the smitRem.exe program.

Ewido:

http://www.ewido.net/en/

The instructions at BleepingComputer are more comprehensive: follow them for best results!
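As an added example (not code from this thread, from HijackThis or from avast), a small Python checker that applies the two findings above to HijackThis-style log lines: it flags any program other than userinit.exe in the F2 UserInit value, flags any O4 autorun whose executable is on an assumed watchlist (here the two names identified in this thread, PSGuard.exe and xpjava.exe), and lists O16 ActiveX controls fetched from a remote URL for review. The sample log lines are constructed from the entries posted above.

```python
import re

# Constructed sample: HijackThis-style lines copied from the entries posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O4 - HKLM..\Run: [PSGuard] D:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://D:\Program Files\AutoCAD 2002\AcDcToday.ocx
"""

# Assumed watchlist: the executables this thread identified as part of the SmitFraud/PSGuard infection.
WATCHLIST = {"psguard.exe", "xpjava.exe"}

def basename(path):
    """Last path component, lower-cased; handles Windows paths on any host OS."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()

def check_userinit(value):
    """Winlogon's UserInit must contain only userinit.exe; anything else runs at every logon."""
    parts = [p for p in value.split(",") if p.strip()]
    return [basename(p) for p in parts if basename(p) != "userinit.exe"]

def analyze(log_text):
    """Return (severity, message) findings for the lines of a HijackThis log."""
    findings = []
    for line in log_text.strip().splitlines():
        m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)", line)
        if m:
            for extra in check_userinit(m.group(1)):
                findings.append(("HIGH", f"extra UserInit program: {extra}"))
            continue
        m = re.match(r'O4 - .*\[(.*?)\]\s+"?(.*?\.exe)', line, re.I)
        if m and basename(m.group(2)) in WATCHLIST:
            findings.append(("HIGH", f"autorun {m.group(1)} launches {basename(m.group(2))}"))
            continue
        m = re.match(r"O16 - DPF: \{[^}]+\} \((.*?)\) - (\S+)", line)
        if m and m.group(2).lower().startswith(("http://", "https://")):
            findings.append(("REVIEW", f"ActiveX '{m.group(1)}' downloaded from {m.group(2)}"))
    return findings

if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```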