Start up virus problem.

Wonder if anyone can help. I am getting avast id-ing a virus at startup. In WINNT32 I get winmon.sys evidence of Trojan gen 32. I have tried deleting, moving to chest and repairing, but every time I start up it comes back.

Doesn’t seem to be harming anything but is a nuisance and may be causing more trouble than I am yet aware. Any thoughts how to dispose of it once and for all? Thanks for any help!

  • What OS are you using? Is it up to date?
  • What avast! version and VPS file (virus database) number, e.g. 0436-4 (see about avast!)
  • What was the filename, where was it found
    example (C:\windows\system32\infected-filename.xxx)?
  • What actions have you taken to try and resolve the problem?

Depending on the location windows may well be protecting it.

If you have XP or NT based OS schedule a boot-time scan from within avast!

Also see - Advice & Tools for virus/trojan/malware Removal & Prevention

I’m using Windows 2000 Pro. My avast updated as usual today; I think it was 04.63 originally. It is in winnt32winmon.sys as above. I’ve tried removing/repairing/deleting and this trojan gen 32 keeps recurring. Hope that helps.
Do you mean Windows protecting it is good as protecting the system - or harbouring the virus as in bad?

What EXACT vps version do you have?

Do you mean Windows protecting it is good as protecting the system - or harbouring the virus as in bad?
I'm not sure how it works in W2K Pro, as I have never used it, but in XP, files in use are protected from deletion or being moved if they are in any of the system folders. So it can be a curse when it protects malware and a saviour when it protects system files. The problem is Windows doesn't know; it only assumes that because it is in a system folder it should protect it.

So there is malware that installs itself in the system folders, because it deceives users into thinking it is a system file (so they don’t want to delete it) and Windows inadvertently tries to protect it because it is in a system folder.

Malware can only do this if you happen to be browsing/collecting email on a user account with admin rights, so restricting your browsing rights could stop stuff getting into the system folders - Security Tips & Tricks - DropMyRights

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.
OR HiJackThis Log file - On-line Analysis 2

Thanks again for your time. It was found in start-up again this morning. My original avast is 4.6-691 and it is recognizing the virus but apparently not getting shot of it. Thanks for your time guys if you can suggest anything else to squash it as I have tried David’s suggestions, but this is a stubborn one! I also did a boot scan, deleted the virus but it came straight back again next time!

What potential dangers does it create? Just to reiterate it’s a trojan gen 32 (other) virus.

Still struggling with this, anyone any more thoughts?

Well something has to be generating it or you are being reinfected.

What was found when you ran HJT and checked it against the on-line analysis site?

Is there anything in the msconfig startup tab that should be disabled or looks suspicious?
Is there anything in the Task Manager Processes that looks suspicious?

What is HJT - sorry, excuse my thickness!!

How much and what sort of threat is this?

I wouldn’t really know what is suspicious!!

Avast keeps picking it up but doesn’t seem to be able to get shot of it - I don’t think it is a case of being reinfected - I started up, avast spotted it, I deleted it, closed down straight away and started up - and there it was again.

Download: http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Tutorial: http://www.tomcoyote.org/hjt/#introduction
Online analysis of your Hijackthis log: http://hijackthis.de/index.php
Ignore any references to 023 entries for avast, this is a bug in the HJT 1.99.1, this has been mentioned many times in previous threads.

  1. HJT is what I have been banging on about: HiJackThis, and the links I gave you to download it and the tutorials about it.
  2. HJT isn’t a threat, rather an investigation/solution to your problems.
  3. You could paste a list of the processes in the Task Manager and we can look at them; the on-line analysis of the HJT logs may well indicate them also.
  4. avast is getting shot of it, if it didn’t you would get some sort of error/warning message if it didn’t complete the action you chose. So it is coming back either through reinfection or something on your system bringing it back. Which makes running the hijackthis program more valid.

So it is time to do as I suggested download HJT and visit the tutorial sites, print them off for use off-line and take the first step.
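
Added example, not part of the original thread or any poster's code: a Python check that reads a saved HijackThis log, lists the running-process and autostart entries that mention the recurring file, and sets aside the avast service entries the replies say to ignore (the `O23` lines of the log). The sample log, its paths and the function name `triage_hjt_log` are constructed for illustration.

```python
import re

# Constructed sample log for illustration; entries and paths are not from the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winmon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [winmon] C:\WINNT\system32\winmon.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: winmon - Unknown owner - C:\WINNT\system32\winmon.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Log sections that list things started at boot or logon.
AUTOSTART = {"F0", "F1", "F2", "F3", "O4", "O20", "O21", "O22", "O23"}


def triage_hjt_log(log_text, name):
    """Return (running, autostart, ignored) lines relevant to `name`."""
    name = name.lower()
    running, autostart, ignored = [], [], []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = ENTRY.match(line)
        if m is None:
            # Non-entry lines include the running-process list (bare paths).
            if name in line.lower():
                running.append(line)
            continue
        code, body = m.groups()
        mentions = name in body.lower()
        if code == "O23" and "avast" in body.lower() and not mentions:
            ignored.append(line)  # per the thread: skip avast O23 entries
        elif code in AUTOSTART and mentions:
            autostart.append((code, body))
    return running, autostart, ignored


if __name__ == "__main__":
    running, autostart, ignored = triage_hjt_log(SAMPLE_LOG, "winmon")
    for path in running:
        print("running  :", path)
    for code, body in autostart:
        print("autostart:", code, body)
    print("ignored avast O23 entries:", len(ignored))
```

A name match only finds entries that reference the file directly; anything that recreates it under a different name still needs the full log review the replies recommend.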