WIN32:TROJAN-gen{other}

Can someone help me get rid of this thing? Thanks!

Here is my hijack-this post:

Logfile of HijackThis v1.99.1
Scan saved at 7:47:25 PM, on 6/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\Gary\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Also, avast shows: C:\windows\temp\trz.1tmp, C:\windows\temp\trz.2trz, and C:\windows\temp\trz.3tmp
Any suggestions to get rid of these?

Thanks for any help.

Hi Mustang Man,

The analysis of your log is available here for 3 days:

http://www.hijackthis.de/logfiles/7770ed7dbf5b9ccc07764d1bdf911614.html

No active firewall was found on your system, or the firewall you use is unknown to us. If you don't use a firewall you should download and install one, or activate Windows XP's own one.

This entry can be fixed (it's not an active nasty; it has been deactivated):

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

Please ignore references to avast! and missing files; it is a bug in the analysis only.

To remove the files you mention, you must delete temporary files:

C:\windows\temp\trz.1tmp, C:\windows\temp\trz.2trz, and C:\windows\temp\trz.3tmp

There is an excellent utility to do this called CCleaner:

http://www.ccleaner.com/

Please run this program, ensuring that you have checked both Internet Explorer and Windows temporary files.
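An added example, not code from the original thread, from HijackThis or from avast!: a small Python classifier for HijackThis 1.99.x log lines that flags what the reply above calls out (the orphaned `(no file)` BHO, and the avast! services reported `(file missing)` only because HijackThis left a dangling quote in the service image path), plus two checks a reviewer makes on any such log: processes running from a Temp folder, and Run entries that name a bare executable with no directory (those are resolved by the loader's search order at logon, which is how a planted file in an earlier search location gets run instead). `SAMPLE_LOG` is a constructed excerpt modelled on the log posted above; the regexes, the `Finding` type and the reason strings are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed excerpt modelled on the HijackThis 1.99.1 log posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\Gary\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
# Tolerates both the real 'HKLM\..\Run:' form and the forum-mangled 'HKLM..\Run:' form.
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)[\\.]+(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<image>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|com|scr|bat|cmd))"?', re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\|\\temporary internet files\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # HJT entry type, or PROC for the running-process list
    body: str    # the log line as written
    reason: str  # why a reviewer should look at it


def executable_of(cmd: str) -> str:
    """First executable path of a command line (quoted or not); falls back to the first word."""
    m = EXE_RE.match(cmd.strip())
    return m["exe"] if m else cmd.strip().split()[0]


def service_image(image: str) -> Tuple[str, bool, bool]:
    """Split an O23 image field into (exe path, reported_missing, dangling_quote).

    HijackThis 1.99.1 prints some quoted ImagePath values with only the closing
    quote left in and then reports '(file missing)', because it looks for a file
    whose name ends in '"'. An odd number of quotes is the tell-tale sign.
    """
    missing = image.endswith("(file missing)")
    if missing:
        image = image[: -len("(file missing)")].rstrip()
    dangling = image.count('"') % 2 == 1
    return executable_of(image.replace('"', "")), missing, dangling


def analyze(log: str) -> List[Finding]:
    """Walk a pasted HJT log and return the entries worth a second look, in log order."""
    findings: List[Finding] = []
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the running-process list
            continue
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        if in_procs:
            if TEMP_RE.search(line):
                findings.append(Finding("PROC", line, "process image lives in a Temp folder"))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m["kind"], m["body"]
        if kind == "O2" and body.endswith("(no file)"):
            findings.append(Finding(kind, body, "orphaned BHO: CLSID registered but no DLL on disk; safe to fix"))
        elif kind == "O4":
            o4 = O4_RE.match(body)
            if o4:
                exe = executable_of(o4["cmd"])
                if "\\" not in exe and ":" not in exe:
                    findings.append(Finding(kind, body,
                        f"autorun '{o4['name']}' names bare image '{exe}': resolved by search order at logon"))
        elif kind == "O23":
            o23 = O23_RE.match(body)
            if o23:
                exe, missing, dangling = service_image(o23["image"])
                if missing and dangling:
                    findings.append(Finding(kind, body,
                        f"'(file missing)' next to a dangling quote: likely a HijackThis parsing artifact, confirm {exe} on disk"))
                elif missing:
                    findings.append(Finding(kind, body, f"service image {exe} not found on disk"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:4} {f.reason}\n     {f.body}")
```

On the sample this reports four lines: HijackThis itself running from the user's Temp folder (benign here, since that is where the poster unzipped it, but the check is the same one that catches a dropper), the dead BHO, the `Tpwrtray` entry that names `TPWRTRAY.EXE` without a directory, and the avast! Mail Scanner service whose `(file missing)` status is explained by the stray quote rather than by a missing file.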

Well, I tried CCleaner but I still get the same warnings when I run AVAST. Can I get rid of this, or is AVAST wrong?

Please advise. Thanks

Hi Mustang Man,

You could try a scan with a specialist anti-Trojan program:

http://www.ewido.net/en/

And putting a firewall in place is urgent if you don’t have one.

Go to Start > Control Panel > Security Centre and check that Windows' firewall is turned on at least.

Hi Mustang Man,

Try this tool. It is very useful for this occasion: go to
http://www.majorgeeks.com/download4126.html, download it, and you can remove this trash from your computer.

Greets,

polonus

Well, I tried this web site: http://www.ewido.net/en/ and it detects the trojan, and says that it removes it, but when I re-try avast it says that it's still there. Then I re-run ewido again and it confirms it's still there. Any other suggestions? Thanks

Hi Mustang Man,

Have you done a boot time scan with avast! (Blue screen at reboot)?

If not, try that first. (Pull down menu from avast! console.)

If that doesn’t work, try these two powerful anti-Trojan programs- they both have a free trial:

TDS-3 (Download the definitions file and move to the program folder.)

http://tds.diamondcs.com.au/

and TrojanHunter

http://www.trojanhunter.com/

Sorry to interrupt but I wasn’t really sure how to start a new thread.
Anyone ever heard of Win32:TipSea-E [Trj] before? I googled it, but here is the only place I could find anything about it at all, and what's here ain't much.
All of this started a while ago when I fell asleep while online (don't you hate the next day you've got that keyboard imprint across your face and everyone wants to type something on it?). I woke up, and next thing you know someone else had become the admin of my computer. Couldn't go to DOS or anything. Couldn't load Norton or McAfee from a CD, couldn't even get an online scan to work; nothing there but a blank page.
"Whoever" was pretty shrewd, I must admit. Finally found a program called "Supervisor.Exe" on here. Deleted it, but the battle still rages on just a bit. Slowly but surely I'm getting it back.
Any ideas on the trojan?
Why is it that if you have a trojan on your computer and it has its own POP3, we can't use it to discover the owner's e-mail addy?
Thanx, y'all!

Go to the top of the Viruses and Worms forum, where you saw this thread. At the top of the list of threads (opposite the page numbering) is a button, 'New Topic'; that is the one you want.

I ran and purchased PC Doctor. The trojan is still there. How do you do an avast blue screen reboot? Does anyone have any more suggestions? Please help. Thanks

Hi Mustang Man,

Apologies for confusion. Here are instructions for a boot time scan:

Right click the avast! globe and select Start avast! Antivirus.

avast! will do a memory scan: if it finds the worm in memory, it will prompt you to do a boot time scan: accept this and reboot.

If avast! doesn’t find anything in memory, schedule a boot time scan. (Click the button at the top left of the avast! silver console and select Schedule boot time scan from the drop-down menu.)

The boot time scan happens at an early stage of Windows loading and has a simple blue screen. (Cordless mice don't work at this stage, so you might need to find an old corded keyboard if this applies.) The safest option is always 'move', because you can recover the file if it is a false positive.

Be sure to download and run the anti-Trojan programs I mentioned before, too.

Here is the result of my HJT log analyzer:
General data

You are using the latest version of HijackThis.
You are using the latest version of Internet Explorer.
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.

=========================================================================
L Legitimate items. Do not fix/remove these.
X Definitely bad ones. Fix/remove them.
? Unknown things. If you have information about them, let us know.
U User's choice. These items are not needed for a system to work properly.
We suggest you fix/remove them. But the choice is yours.
M Check this item manually in strings.dat.
This can be caused by a known issue.
(See readme.txt > known issues > nr.1)

L c:\windows\system32\smss.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L c:\windows\system32\winlogon.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L c:\windows\system32\services.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L c:\windows\system32\lsass.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L c:\windows\system32\svchost.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L c:\windows\system32\svchost.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L c:\windows\explorer.exe
Windows Program Manager or Windows Explorer which handles the Windows Graphical Shell

L c:\windows\system32\spoolsv.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L c:\program files\alwil software\avast4\aswupdsv.exe
Avast’s anti-virus update service

L c:\program files\alwil software\avast4\ashserv.exe
Avast’s anti-virus main module

L c:\windows\system32\drivers\cdantsrv.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L c:\windows\system32\dvdramsv.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L c:\program files\analog devices\soundmax\smagent.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L c:\program files\alwil software\avast4\ashmaisv.exe
Avast’s anti-virus mail protection service

L c:\program files\alwil software\avast4\ashwebsv.exe
Avast’s anti-virus webshield

L c:\windows\system32\ezsp_px.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L c:\windows\system32\tpwrtray.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L c:\program files\apoint2k\apoint.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L c:\progra~1\alwils~1\avast4\ashdisp.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L c:\program files\microsoft antispyware\gcasserv.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L c:\program files\apoint2k\apntex.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L c:\program files\microsoft antispyware\gcasdtserv.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L c:\program files\yahoo!\messenger\ymsgr_tray.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L c:\program files\internet explorer\iexplore.exe
Microsoft Internet Explorer - browser

L c:\program files\internet explorer\iexplore.exe
Microsoft Internet Explorer - browser

L c:\program files\common files\real\update_ob\realsched.exe
Real Player update checker

L o2 - bho: (no name) - {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - (no file)
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L o3 - toolbar: yahoo! toolbar - {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L o4 - hklm\..\run: [ezshieldprotector for px] c:\windows\system32\ezsp_px.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L o4 - hklm\..\run: [avast!] c:\progra~1\alwils~1\avast4\ashdisp.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

U o4 - hklm\..\run: [tkbellexe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
Unknown. If you have information → mail it to hjtbeta@yahoo.com

U o4 - hklm\..\run: [gcasserv] "c:\program files\microsoft antispyware\gcasserv.exe"
Unknown. If you have information → mail it to hjtbeta@yahoo.com

X o4 - hkcu\..\run: [weather] c:\progra~1\aws\weathe~1\weather.exe 1
Part of AWS Weather application (malware)

U o4 - hkcu\..\run: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
Loads MSN messenger in the background when Windows starts

L o4 - hkcu\..\run: [yahoo! pager] c:\program files\yahoo!\messenger\ypager.exe -quiet
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L o9 - extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - c:\windows\system32\msjava.dll
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L o9 - extra 'tools' menuitem: sun java console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - c:\windows\system32\msjava.dll
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L o9 - extra button: messenger - {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L o9 - extra 'tools' menuitem: yahoo! messenger - {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
Unknown. If you have information → mail it to hjtbeta@yahoo.com
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L o12 - plugin for .mpeg: c:\program files\internet explorer\plugins\npqtplugin3.dll
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L o16 - dpf: {17492023-c23a-453e-a040-c7c580bbf700} (windows genuine advantage validation tool) - http://go.microsoft.com/fwlink/?linkid=39204&clcid=0x409
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L o23 - service: avast! iavs4 control service (aswupdsv) - unknown owner - c:\program files\alwil software\avast4\aswupdsv.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L o23 - service: avast! antivirus - unknown owner - c:\program files\alwil software\avast4\ashserv.exe
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L o23 - service: avast! mail scanner - unknown owner - c:\program files\alwil software\avast4\ashmaisv.exe" /service (file missing)
Unknown. If you have information → mail it to hjtbeta@yahoo.com

L o23 - service: avast! web scanner - unknown owner - c:\program files\alwil software\avast4\ashwebsv.exe" /service (file missing)
Unknown. If you have information → mail it to hjtbeta@yahoo.com


HARMFUL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S):

Nothing found.

Well, I think it's gone! I performed an AVAST blue screen boot scan and removed the trojan that was in the files. Re-ran avast and moved the remainder to the chest. Now it doesn't see any trojans. Thanks for all the help! :slight_smile:

Well, now I'm confused. Avast doesn't see the trojan any more, but when I run Ewido it sees C:\Windows\temp\~961208.tmp and ~961804.tmp. What does this mean?

Are you using Windows XP?
Can you schedule a boot-time scan?
Start avast! > Right click the skin > Schedule a boot-time scan
Select scanning of archives.
Reboot.

It would be good if you delete your temporary files and Internet cache, and disable System Restore.
Scan, and then enable System Restore again.