Trojan-gen Help?

Viruses and worms
1

Hello All!

I have avast on my comp that operates WinXP Home edition and I’m running the
Avast 4.5 Home edition. I’ve installed all updates from Microsoft as well as updates from Avast.

Avast has been giving me a virus warning for Win32:Trojan-gen (other). So I scheduled a scan on boot-up and it located it in c:\windows\lmp_klib.dll
I tried the option of repair and repair all and got a Repair error 42060 I opted to move it and the comp booted up as per usual and then I got another warning same as mentioned in the beginning. I tried moving it to the virus chest, which I believe it did, but it still get the same warning upon reboot.

I downloaded and ran the Avast removal program and had it scan but strangely it did not find it.

Any suggestions as to where to proceed from here? How do I get rid of it for good?
Would this program be a solution?
Trojan Remover: http://www.simplysup.com/tremover/details.html

Your help would be much appreciated.
Thanks in advance!

Namira

2

Click on the link in my signature and follow the instructions in the malware removal section.

42060 AVAST_REPAIR_NOTREPAIRED File was not repaired
Only true virus infected files can be repaired, the others just need to be deleted.

3

Thanks Eddy, I will give it a whirl. Seems fairly straightforward.

x’s fingers

Namira

4

No luck, turned system restore OFF. Booted in Safe Mode.
Ran the 4 programs… this is the hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 8:56:12 PM, on 2/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\Yoshiko\Desktop\hijackthis.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.sympatico.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 “EPSON Stylus CX5200” /O6 “USB001” /M “Stylus CX5200”
O4 - HKLM..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [TaskMgr] C:\WINDOWS\schmocht.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I don’t if im doing this right but any other advice would be
appreciately greatly!

Namira

5

The log looks clean.
I only don’t know what schmocht.exe is?
Can you tell me?

6

Hmmm dunno what schmocht is neither…
I still get the virus/trojan warning sigh

This is my avast log exerpted:

2/15/2005 7:26:03 PM SYSTEM 1084 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\System Volume Information_restore{03E9A8FF-AF11-4EDA-B0FA-08BD5255C101}\RP102\A0028601.dll” file.
2/15/2005 7:26:04 PM SYSTEM 1084 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\System Volume Information_restore{03E9A8FF-AF11-4EDA-B0FA-08BD5255C101}\RP102\A0028614.dll” file.
2/15/2005 7:31:22 PM SYSTEM 508 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.
2/15/2005 7:32:52 PM SYSTEM 1776 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.
2/15/2005 7:49:03 PM SYSTEM 488 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.
2/15/2005 8:00:05 PM SYSTEM 1620 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.
2/15/2005 8:03:48 PM SYSTEM 1616 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.
2/15/2005 8:07:05 PM Yoshiko 2652 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\Program Files\Alwil Software\Avast4\DATA\moved\lmp_klib.dll” file.
2/15/2005 8:10:37 PM SYSTEM 1692 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.
2/15/2005 8:32:37 PM SYSTEM 1692 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\System Volume Information_restore{03E9A8FF-AF11-4EDA-B0FA-08BD5255C101}\RP127\A0035086.dll” file.
2/16/2005 11:34:18 AM SYSTEM 1780 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.
2/16/2005 12:01:35 PM SYSTEM 1780 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\System Volume Information_restore{03E9A8FF-AF11-4EDA-B0FA-08BD5255C101}\RP127\A0035086.dll” file.
2/17/2005 1:22:47 PM SYSTEM 1784 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.
2/18/2005 10:14:40 AM SYSTEM 1900 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.
2/18/2005 4:41:47 PM SYSTEM 1988 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.
2/18/2005 8:14:47 PM SYSTEM 1872 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.
2/19/2005 11:11:56 AM SYSTEM 1780 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.
2/19/2005 6:36:19 PM SYSTEM 1784 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.
2/19/2005 6:47:52 PM SYSTEM 1648 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.
2/19/2005 7:33:44 PM SYSTEM 1776 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.
2/19/2005 7:36:48 PM Yoshiko 3480 Sign of “Win32:Trojan-gen. {Other}” has been found in “c:\windows\lmp_klib.dll” file.
2/19/2005 7:41:16 PM SYSTEM 1864 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.
2/19/2005 8:15:33 PM SYSTEM 360 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.
2/19/2005 8:16:18 PM SYSTEM 360 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\LMP_KLIB.DLL” file.
2/19/2005 8:56:04 PM SYSTEM 408 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.
2/19/2005 9:32:35 PM SYSTEM 1784 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.
2/19/2005 9:38:47 PM SYSTEM 1788 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\lmp_klib.dll” file.

Ack! any thoughts?

Namira

7

From what i can find out, it is a password stealing trojan, it looks for passwords for the following programs:

mICQ
The Bat!
miranda
Trillian
Total Commander
Windows Commander

OK, your problem is, you booted into safe mode, so boot into normal mode, make sure avast is fully up to date, then run a scan (with ‘scan inside archives’ enabled) and delete/move what avast finds,then go to windows update and get all patches (if any), then run these other scanners you said you had, then redo and repost the hijackthis log.

Aftert this change your passwords for the programs mentioned above (if you use any of them)

–lee