win32 trojan-gen - help!!!

Hi to all

I have a big problem. A friend's PC is infected. Avast detected it as Win32.Trojan-Gen.

An Avast alarm appears every time I try to connect to the internet.
I tried to check regedit, msconfig and the active processes, but none of these applications work! Maybe the trojan is blocking all applications in the system32 directory.

Also, I can't install a firewall because the trojan blocks the firewall process at start!!!

How can I solve it? :cry:

Please help us to help you. In order to help fully we need more information…

  • What OS are they using? Is it up to date?
  • What avast! version and VPS file (virus database) number, e.g. 0436-4 (see about avast!)
  • What was the filename, where was it found
    example (C:\windows\system32\infected-filename.xxx)?
  • What actions have you/they taken to try and resolve the problem?
    e.g. what action did they take when avast popped up the warning.

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis, let us know.
OR HiJackThis Log file - On-line Analysis 2

Hi ilceres,

Also read the information on this thread, but do nothing until you can come up with the answers to DavidR's questions, then follow his advice.
Interesting to read this:
http://www.dslreports.com/forum/remark,9339010~mode=flat
Good luck cleaning that computer. Actually, were the infected files ISNSYS.DLL & system32.winservn.exe??

greets,

polonus

ok, thank you all

OS is WinXP SP1, VPS version is the latest available, 540-5, on Avast 4.6 Pro

The strange thing is that if I run a full system scan Avast does not detect anything, but if I try to connect to the internet the message appears. I can't remember the infected file (stupid…); next time I'll note it down.

I already tried a scan with Ad-Aware Personal in safe mode; I also cleaned the Run folder in the registry (in safe mode regedit works)…

What was the filename, where was it found
example (C:\windows\system32\infected-filename.xxx)?
What provider detected it?
I suspect Web Shield, because you can't find anything on your scan. What options were displayed, e.g. 'Abort connection', or Repair, Delete, Move, Move to Chest?

To clean a system of malware (and protect it against malware), follow the instructions in the malware removal section on this website: http://mrspock.dsmirc.co.uk

Thank you all, I prefer a full reinstall of my system. There were 12 system files infected!

Thank you again :wink:

The better option in your case would be not only updating the antivirus but also the operating system…
Why not SP2?