Win32: Trojan-Gen Is Ruining My Life -- Help Me Please!

Hello everyone! I’m new to the forums and I just love Avast! Anyway, I have a problem. For the past few days I keep getting a notification that my computer is infected with the Win32:Trojan-gen virus. I keep moving it to the chest but it still pops up, so I delete it and yet again it returns. I’ve also disabled System Restore and run Spybot and Adware. I have a firewall too. Anyway, why can’t I get rid of this thing and why does it keep popping up? Any help would be appreciated!

Welcome to the forum xfilesfangirl.

Try running an avast! boot scan, followed by a complete scan with the free version of AVG Anti-Spyware:

http://free.grisoft.com/doc/20/lng/us/tpl/v5

Make sure to quarantine rather than delete, and post again with the results.

Thank you for replying! I’m going to do that right now as we speak! Is this something I should be freaking out about? I do a lot of online shopping and stuff, and I have this image in my head of this little virus logging all of my credit card info and stuff. I’m paranoid. lol

Okay, both the bootscan and the spyware scan came up with 0 infected files. Does this mean that I’m safe now? How do I know this virus isn’t somewhere hiding and lurking in the background? :frowning:

Well, don’t freak out about it but you’re right to be concerned about the possibilities.

Why don’t you post a HijackThis log and I’ll take a look:

Click here to download HJTsetup.exe

1. Save HJTsetup.exe to your desktop.
2. Double-click on the HJTsetup.exe icon on your desktop.
3. By default it will install to C:\Program Files\Hijack This.
4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
5. Put a check by Create a desktop icon, then click Next again.
6. Continue to follow the rest of the prompts from there.
7. At the final dialogue box click Finish and it will launch Hijack This.
8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
9. Click on “Edit > Select All”, then click on “Edit > Copy” to copy the entire contents of the log.
10. Come back here to this thread and paste the log in your next reply.
11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

The log may be long - feel free to use 2 or more posts if you need to.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.

Hopefully the AVG anti-spyware suggested by mauserme will detect the file that is regenerating this malware.

What is your firewall?
As I suspect there may be a program downloading this malware, a firewall should be able to block unauthorised outbound Internet connections (XP’s firewall doesn’t provide outbound protection).

The log viewer says that it has been found in C:\System Volume Information\restore or _restore.

AVG doesn’t seem to detect anything although I’m going to scan it again when I get offline. My firewall is called Jetico.

Okay, thank you! Here you go (I hope I did this right):

Logfile of HijackThis v1.99.1
Scan saved at 12:03:08 PM, on 5/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\wmconnectc\wwm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Alwil Software\Avast4\ashLogV.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%3Fui%3Dhtml%26zy%3Dl&ltmpl=yj_wsad&ltmplcache=2&hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {80f36fd4-ba9e-43c0-98b9-caecfdc4c28e} - C:\WINDOWS\system32\ckc079.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51B59571-1340-4939-AB62-69745E50A6F7}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ckc079 - ckc079.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Hi xfilesfangirl,

Run HijackThis! again, put a tick next to these entries, then click ‘Fix’:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {80f36fd4-ba9e-43c0-98b9-caecfdc4c28e} - C:\WINDOWS\system32\ckc079.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O20 - Winlogon Notify: ckc079 - ckc079.dll (file missing)

I believe they are all related to malware which has been deleted, so it should be easy to remove them. Please check with HijackThis! that they have gone.

To remove malware in System Restore, create a clean restore point, then delete all older, infected points:

http://www.bleepingcomputer.com/tutorials/tutorial56.html#manual
http://www.bleepingcomputer.com/tutorials/tutorial56.html#delete

You really need to update to XP SP2 to be secure, but at the very least use an alternative browser like Firefox or Opera; they are much more secure than IE on SP1!

Do you still have McAfee installed? You will need to get rid of either it or avast! as you don’t want 2 antivirus programs at the same time.

You should also update Acrobat Reader to version 8. Here’s a link:

http://www.adobe.com/products/acrobat/readstep2.html

And for sure get SP2 as FwFrank mentioned.

Are you still getting any trojan warnings (after deleting the old restore points)?

EDIT: This one was Windows Live Messenger

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

and this was Site Adviser

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

So these were probably the culprits

O2 - BHO: (no name) - {80f36fd4-ba9e-43c0-98b9-caecfdc4c28e} - C:\WINDOWS\system32\ckc079.dll (file missing)

O20 - Winlogon Notify: ckc079 - ckc079.dll (file missing)
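As an added example that is not code from this thread or from HijackThis itself, the script below parses HijackThis-format log lines for the sections discussed in the two posts above (O2 BHOs, O3 toolbars, O20 Winlogon Notify packages, O23 services), flags registrations whose target file is gone, and groups entries by the file they load, which is how the BHO and the Winlogon Notify entry for ckc079.dll show up as the same leftover. The sample lines are an excerpt copied from the log posted earlier in the thread; the registry key locations in the script are my own mapping of where Windows reads each section from, not something the page states, and the script only reads text, it does not touch the registry.

```python
"""Parse HijackThis v1.99 log lines and flag registrations whose target file
is gone, the pattern of leftover malware persistence points (BHO, toolbar,
Winlogon Notify) that the poster was told to fix."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {80f36fd4-ba9e-43c0-98b9-caecfdc4c28e} - C:\WINDOWS\system32\ckc079.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: ckc079 - ckc079.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
# Only the sections this example inspects; other lines (R0, O4, O16, ...) are skipped.
PATTERNS = {
    "O2": re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$"),
    "O3": re.compile(rf"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$"),
}

# Registry locations each section is read from (my mapping, not stated on the page).
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
TOOLBAR_KEY = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar"
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"


@dataclass
class Entry:
    section: str
    name: str
    path: str
    clsid: Optional[str] = None

    @property
    def orphaned(self) -> bool:
        # HijackThis marks a registration whose target is gone with one of these.
        return self.path == "(no file)" or self.path.endswith("(file missing)")

    @property
    def filename(self) -> Optional[str]:
        """Bare, lower-cased file name the entry loads, or None if it names no file."""
        if self.path == "(no file)":
            return None
        target = re.sub(r"\s*\(file missing\)$", "", self.path)
        target = target.split('"')[0]  # drop an O23 '" /service' argument tail
        return target.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def parse_hjt_log(text: str) -> List[Entry]:
    """Return one Entry per recognised O2/O3/O20/O23 line, in log order."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        pattern = PATTERNS.get(line.split(" ", 1)[0])
        if pattern is None:
            continue
        match = pattern.match(line)
        if match is None:
            continue
        g = match.groupdict()
        entries.append(Entry(g["name"] and line.split(" ", 1)[0], g["name"], g["path"], g.get("clsid")))
    return entries


def registry_key(e: Entry) -> str:
    """Where the entry is registered; this is what a HijackThis 'fix' removes."""
    if e.section == "O2":
        return BHO_KEY + "\\" + e.clsid
    if e.section == "O3":
        return TOOLBAR_KEY + " (value " + e.clsid + ")"
    if e.section == "O20":
        return NOTIFY_KEY + "\\" + e.name
    # O23 shows 'Display Name (ShortName)'; the service key uses the short name.
    short = re.search(r"\(([^()]+)\)$", e.name)
    return SERVICES_KEY + "\\" + (short.group(1) if short else e.name)


def loaders_by_file(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each referenced file to the sections that load it. One DLL hooked
    from several places (here a BHO plus a Winlogon Notify package) is the
    persistence pattern whose leftovers should be removed together."""
    out: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.filename:
            out[e.filename].append(e.section)
    return dict(out)


if __name__ == "__main__":
    found = parse_hjt_log(SAMPLE_LOG)
    for e in found:
        if e.orphaned:
            print(f"{e.section:<4} orphaned: {e.name} -> {registry_key(e)}")
    for fname, sections in loaders_by_file(found).items():
        if len(sections) > 1:
            print(f"{fname} is loaded from {', '.join(sections)}")
```

Run it against a full log file with `parse_hjt_log(open("hijackthis.log").read())`; an orphaned entry is safe to fix because the file it points at is already gone, while an entry whose file still exists (for example ashDisp.exe or igfxsrvc.dll) needs to be identified before touching it, which is why the thread checks each item individually.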

Thanks! You rock! I deleted those files and ran another scan of Avast and it said I am clean. I hope this did the trick!

Oh don’t worry I don’t have McAfee. I tried to install it but it slowed down my laptop too much (maybe because I’m still on dial-up). I only have Avast now. I’ll update Adobe as you advise. I’m sorry for sounding stupid but what is SP2? Yeah, I’m a computer idiot. I deleted the files Frank suggested and scanned my computer and so far so good. Let’s hope the virus is gone from my life. I do wonder how I got it since I only visit about four websites regularly and they are ‘reputable’ sites ya know.

I haven’t deleted any old system restore points yet and I was thinking I might leave system restore turned off. Is this a bad idea?

Okay, I just read that turning off System Restore deletes all old restore points. I think I’ll just leave it turned off if that’s not a bad idea.

Service Pack 2 (SP2) is the most current version of Windows XP. It is much more secure than Service Pack 1. Here’s a link:

http://www.microsoft.com/windowsxp/sp2/default.mspx

System Restore is sort of a personal choice. Since yours is off you don’t need to worry about clearing any old restore points. My preference has changed to leave it turned on now since I’ve had a couple times I wished for it after installing drivers that conflicted. And it would be wise to set a restore point before installing SP2, I think.

Since McAfee is not installed you can fix these lines in HijackThis too

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

Thank you! I will fix those too. I’ll also download the updated XP package. I noticed this on my Hijack this scan:

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Is this a bad file too?

No, its OK:

http://www.liutilities.com/products/wintaskspro/processlibrary/wltrysvc/

Description: wltrysvc.exe is a process belonging to the Broadcom Corporation Wireless Network Tray Applet, which interacts with your broadband hardware. This program is a non-essential process, but should not be terminated unless suspected to be causing problems.

After you install SP2 check for Windows critical updates. There will probably be many to download and you may have to check several times to get them all. Keep checking until there are none left.

Thank you again! You rock! I’m sure I’ll be downloading stuff all night now. lol

The trojan alerts have stopped, right? SP2 won’t install on an infected computer.

Unless you have something to replace the system restore function, an effective back-up and restore strategy, then NO you shouldn’t leave system restore disabled.

I have SR disabled, but I do a weekly image of my hard drive using an imaging program that makes an exact copy of your partition/drive and saves a copy to a second hard drive (or partition, a bad idea IMHO) or to a DVD. I also make daily or more frequent back-up of my data files or things that I don’t want to lose, emails, address book, favourites/bookmarks, registration keys/information, etc.

So if the worst comes to the worst, I restore the last weekly image and the last daily back-up, and any loss is minimal.