Win32:Trojan-gen. {VC}

This is the automated report email that I sent to Avast! after a virus alarm:

:CHEST_ANALYZE:<<

Virus name: Win32:Trojan-gen. {VC}
Original file location: D:\System Volume Information_restore{AD71EC8C-0640-4AE4-9FA9-B58760B5AB2C}\RP80\A0038467.EXE
Computer name: HARUN
Transfer time: 25.03.2005 15:53:16
Modification time: 20.08.2003 23:45:08
Total size: 45056
Comment: This virus was found a few seconds after the installation of “Burn4Free” freeware software. Microsoft AntiSpyware Beta also found a spyware toolbar.

File ID: 6
Category: 1

OS:
Microsoft Windows XP Professional (Build 2600) Service Pack 2
This virus was found a few seconds after installation of “Burn4Free” freeware software. Microsoft AntiSpyware Beta also found a spyware toolbar.

MY COMMENT: now I see many people had this problem today… I think it’s very strange 'cause this malware is an “ancient” kind of virus… if I remember well, the origin was back in 2001-2.

Can someone tell me more?

Thanks to all.

Marco :wink:

Marco, do you have any problem with it? I mean, removing, cleaning your system?
If you disable System Restore and enable it again it should be deleted.

Dear Technician, I don’t know what’s happening… I try and try, but it’s impossible to deactivate System Restore on drive D:; the other drive, C:, doesn’t have problems.


What do you mean? Is there an error message you get, or something?


Avast gives Spyware/Adware the name Win32:Trojan.gen as it’s a virus scanner rather than a Spyware/Adware remover; it does add some Spyware/Adware to its detections, though.

Anyway, to sort out your problem schedule a boot time scan with avast, set to scan within archives (Open avast > Menu (top left hand corner) > Boot time scan).

If that doesn’t help, post a hijackthis log here: http://members.home.nl/edeijl/download/hijackthis.exe

–lee

Dear Friends who wrote to me for help,
after the good instructions that I received from you and from some Avast! Forum-Friends, I launched the deep boot scan.

AVAST RESULTS:

FIRST RESULT - found a new folder in the Programs directory, named “EbatesMoeMoneyMaker” (this is the entry in the Registry Viewer of Alarms: 25/03/2005 12.10.41 SYSTEM 1660 Sign of “Win32:Trojan-gen. [VC]” has been found in “D:\Programmi\EbatesMoeMoneyMaker\EbatesMoeMoneyMaker.exe” file.)

SECOND RESULT - 25/03/2005 15.32.05 SYSTEM 1660 Sign of “Win32:Trojan-gen. [VC]” has been found in "D:\System Volume Information_restore…(here a long string of numbers and letters)…

MICROSOFT ANTISPYWARE BETA 1 RESULTS:

Total Time: 14 mins 24 secs

Detected Threats

TopMoxie Adware more information…
Details: TopMoxie displays pop-up advertisements when you visit particular Web sites.
Status: Removed
High threat - High risk threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction. May open up communication ports, use polymorphic tactics, stealth installations, and/or anti-spy counter measures. May use a security flaw in the operating system to gain access to your computer.

eBates Moe MoneyMaker Adware more information…
Details: ebates Moe MoneyMaker displays pop-up advertisements and disables programs, including pop-up blockers that might interfere with its operation.
Status: Removed
Elevated threat - Elevated threats are usually threats that fall into the range of adware in which data about a user’s habits are tracked and sent back to a server for analysis without your consent or knowledge.

Detected Spyware Cookies
No spyware cookies were found during this scan.

Both malwares were placed in the same folder as the first result of Avast!'s scan.

The strange thing is this: I was online but not browsing; my activity at the moment was installing the BURN4FREE software from a CD-ROM that came with the Computer Week magazine.

Thank you all!!! Long Live Avast! Forum Community.

Marco. :slight_smile:

This could be the problem… the ‘free’ of the software could be the ‘spyware’ inside of it. I’m not sure.
It would be good if you run a full avast scan, and also if you download and run HijackThis and then post the log output here (http://www.merijn.org).

Post Scriptum: scanning with the HijackThis software doesn’t give me results: I tried it. :slight_smile:


I’m not sure what you mean by this???

-lee

Dear Lee,
my post was in response to Technical’s suggestion :slight_smile:

Hi,

I found this post using Google, so I hope I’m in the right spot :slight_smile:

I got the following warning from Avast 4.6 today from the resident scanner, when an Ad-Aware scan apparently accessed an infected file:
29-03-2005 22:53:06 1112129586 SYSTEM 204 Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\WINDOWS\system32\killapps.exe” file.

I deleted the file (actually by accident; I meant to click elsewhere, but hit avast’s delete button :wink:). After that I ran a full scan with avast, which so far has turned up nothing.

What I want to know is what kind of trojan it was. Usually when I see any virus/trojan warnings I hurry up and change my bank codes, but that’s a real pain, and I would like to know what the trojan actually did. Is it a keylogger / bank keyfile stealer or something similar? If not, then I can stop worrying.

Thanks a lot for any feedback.

This may well be a false positive, RejZor has posted a thread on the same thing I believe.

Although avast isn’t alone in detecting this, killapps.exe is a part of SoundBlaster. A google search for killapps.exe returns many hits, this is just one of them - Wilders - KillApps exe - Thread

If after investigation you believe it to be a false positive, you may need to get it from your SoundBlaster CD and put it back in the correct folder (check the avast log to see the info on the location killapps.exe was in when detected).

Thanks for replying. I do have a SoundBlaster Live! Value card, so that could be the issue, but it is pretty old, not the Audigy card mentioned in the thread. However, elsewhere on the wildersecurity forum I also saw a reference to the SB Live driver having this file. So I guess there might be no reason to panic then (though it is apparently still a risky file to have lying around, as it can be used to shut other programs down). I’ll put it back if the SB card starts having problems.

Thanks again.

Yes, if it isn’t required and things work fine without it, just leave it.

There has been a VPS update today which may (or not) overcome the false positive, avast are quick to investigate and fix FPs.

Excellent forum…but for the newbie… can I simply have one resolution to getting rid of Win32:Trojan-gen? It appears to be lodged in c:\windows\system32\instsrv.exe, which I have tried for 3 hours to locate.

My computer came to a screeching halt this morning and I really need to get my resume out today. Please help, Deb.

If you follow the instructions on ‘Cleaning’ in my signature, will it help?
If you run a full scan with avast (archive option checked), will it help?
Are you using Windows XP? If you schedule a boot time scanning, will it solve your problem?

I will try the cleaning process again. Yes, I ran a full scan with archives open and I do a boot time scan at 2 AM daily. I am using Windows XP.

Thanks,
Deb

Okay…I cleaned the system, did another full scan, rebooted and threw some holy water on the hard drive (just kidding). And now the Trojan is in the chest. And it is NOW in a Temporary Folder!!! Did I do that??? Of course there are numerous options on what to do next. I believe I should delete it? Yet perhaps it is attached to another program that it is relying on, since it is system32/instsrv.exe.

On a side note: kernel32.dll and winsock.dll and wsock32.dll were also in the chest. Where have I been? They have also been moved to a temporary folder.

Yep…I am still HELPDEB and very grateful. I can restart a person’s heart but this computer stuff is whipping my butt >:(

Have you tried to delete the temporary Internet files?
To do this go to Internet explorer >Tools > Internet options > Delete files > Click delete all offline content (just to be sure) > click ok.
It might take some time to delete them.

After that, disable system restore, reboot, scan and if clean enable system restore again.

Start > Control Panel > System > System restore > Disable > Click Apply
Schedule a boot time scanning
Boot
Enable System Restore again

They’re there for backup purposes… They’re not infected.
Click on the button ‘Infected files’ at left side of the Chest… They’re not there.
They’re on the ‘System files’ … 8)

Is there something new and malicious going around??? A lot of people are getting this warning.

I have the same problem. Avast! Home edition Anti-Virus found:
Win32:Trojan-gen. {VB} (what’s with the different letters VB, VC, etc???) Path: C:\Windows\System32\sysdebug32.exe
When Avast gave alert, I chose to Delete the file. Apparently, from what others have said online, they were unable to delete this file (maybe designated as a System file?). Well if an antivirus program gives an alert with delete as an option, it is possible to be deleted in Avast’s case. Otherwise, safemode is how the file is manually deleted.

After research online, Symantec said sysdebug32.exe was from “Trojan-Adwarehelper” & said to delete the registry key: “Allow” = “[URL]” in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows
(BTW I don’t use IE, I use Mozilla)

When I did a search of the registry, I found two occurrences of sysdebug32.exe, one being in this key: HKEY_LOCAL_MACHINE\Software\Classes\dtdp (I deleted both).

I use and scanned with Ad-Aware SE, Spybot Search & Destroy, Microsoft AntiSpyware - all found nothing wrong. Ran another scan with Avast - nothing came up. Ran a boot scan with Avast on both drives and each partition - nothing. WinPatrol is VERY protective and never said anything was wrong. Windows Firewall (always enabled) not a word (what’s new). Did six different online free scans from big anti-virus companies such as Symantec and McAfee, nothing found.

The craziest part about this “infection” is I have a PIII 500MHz with maxed-out memory, and although it is well taken care of (reg. defrag, scandisk, Disk Cleanup often, keep the browser caches empty and to a minimum) the poor old thing still bogs down if way too many apps are open; otherwise, it runs like a top! Now if I had a trojan, wouldn’t it typically bog me down? I work on friends’ PCs all the time doing installs along with cleaning out malware and I’ve seen how a PC acts when it’s infected (choke choke). Mine is acting fine - it’s the warnings I’m now getting all of a sudden that are worrisome.

This trojan was found by Avast monitoring while the PC was idle. Every single scan along with monitoring for two years up until now has been clean. I’ve never had a virus since using Avast and have always been protected. This system has been well-maintained and I also run ZoneAlarm Home Firewall. Everything is updated as available and scans are run often. Also installed SP2 as soon as it was available. Absolutely no problems until this sysdebug32.exe came up out of the blue. This was on 3-27-05. I’ve researched online to find a lot of people asking what this trojan is, but haven’t found a solid answer. If you search for “Win32:Trojan-gen. {VB}”, a lot of different hits come up, but none point exactly to this variation AND match sysdebug32.exe. Plus, the anti-virus companies cause so much confusion because every company wants to give its own unique name to a virus or worm. Why this has not been made universal, sticking with only one name, is astounding. It is very difficult to pinpoint the origin and solution for a problem when the same worm or virus has a different name on each company’s site. It’s like looking for “Bob” in Chicago!

Today I ran an Avast Anti-Virus scan, and now it finds a new variation - yippee. “Win32:Trojan-gen {Other}” Path: C:\Program Files\Common Files\mscombtl32.exe

This one gets put into the Avast Chest for isolation and it got reported to Avast (waiting to hear back).

I’ve searched online for mscombtl32.exe and there isn’t one hit anywhere (Microsoft, google, yahoo, askjeeves…).

Also, I’ve been keeping an eye on Task Manager and there isn’t one new service running (BTW, thanks to blackviper.com the XP services are to a minimum). Even checked in msconfig and checked files running in WinPatrol - nothing new running.

So is this a new trojan that is just being discovered by users, or are these both “false alarms”? It would be comforting just to be able to get a straight answer online, especially if there is no malicious program on the computer. But we’re all looking for needles in haystacks because anti-virus companies want to name the same virus differently from other companies. This problem seriously needs to be addressed. Do you know how many different ways you can search for “Win32:Trojan-gen. {VB}”??? You can take out the “in”, you can replace the colons with periods, it goes on and on, but it should only have ONE SIMPLE NAME that people can reasonably find.

So if these warnings are true, then it either came from the “Arcade! Classic Arcade” game or from themeworld.com for the Dale Earnhardt “Pass in the Grass” Theme or from my slow dialup connection to the Internet :). Yes, those were scanned and showed “clean” BEFORE they were installed. And Yes, I’ve looked online for the Theme problems possibly being infected, too - nothing. I rarely install anything new and keep my system locked down and settings as high as they go.

Good Luck everybody and hopefully somebody, soon, will be able to let people know what’s going on.
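Several posts above quote avast alert lines of the same shape (the EbatesMoeMoneyMaker.exe and System Volume Information hits, the killapps.exe line, the mscombtl32.exe hit), and the replies differ by where the flagged file lives. As an added example, not part of this thread or of Avast's software, the following Python script parses such lines and sorts each hit into a location bucket with the advice the replies gave for it: a restore-point copy is cleared by disabling and re-enabling System Restore, a file in system32 deserves a vendor check before deletion (the killapps.exe false-positive case), and a file in a program folder points at bundled adware. The sample lines are quoted from the posts; the restore-point path is reconstructed with a backslash that the forum dropped, and the mscombtl32.exe line carries a made-up timestamp. The bucket names and advice strings are my own summary of the replies, not an Avast classification.

```python
"""Triage avast alert lines of the kind quoted in this thread.

Added example for the thread; not part of Avast's software.
The location buckets and advice strings summarise the replies above.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Shape of an alert line as the posters quoted it:
#   <date> <time> [<epoch>] <user> <pid> Sign of "<signature>" has been found in "<path>" file.
# The epoch field is optional (only the 29-03-2005 line carries it) and both
# curly and straight quotes are accepted because the forum rewrote them.
ALERT_RE = re.compile(
    r'^(?P<date>\d{2}[/.-]\d{2}[/.-]\d{4})\s+'
    r'(?P<time>\d{2}[.:]\d{2}[.:]\d{2})\s+'
    r'(?:\d{9,10}\s+)?'
    r'(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of\s+[“"](?P<sig>[^”"]+)[”"]\s+'
    r'has been found in\s+[“"](?P<path>[^”"]+)[”"]\s+file\.?$'
)

# "Win32:Trojan-gen. {VC}", "Win32:Trojan-gen. [VB]" and "Win32:Trojan-gen {Other}"
# share one family name; only the bracketed variant tag differs.
SIG_RE = re.compile(r'^(?P<family>.+?)\.?\s*[{\[](?P<variant>[^}\]]+)[}\]]$')


@dataclass
class Alert:
    when: datetime
    user: str
    pid: int
    family: str
    variant: str
    path: str
    location: str  # triage bucket derived from the path
    advice: str    # what the thread's replies suggest for that bucket


def classify(path: str) -> Tuple[str, str]:
    """Map a detection path to a triage bucket and the matching advice."""
    p = path.lower().replace('/', '\\')
    if '\\system volume information\\' in p:
        return ('restore point',
                'Restore-point copy: disable System Restore, reboot, rescan, then re-enable it.')
    if '\\temporary internet files\\' in p or '\\temp\\' in p:
        return ('temporary file', 'Delete temporary files and rescan.')
    if '\\windows\\system32\\' in p or '\\winnt\\system32\\' in p:
        return ('system directory',
                'Check the vendor of the file before deleting; this may be a false positive.')
    if '\\program files\\' in p or '\\programmi\\' in p:
        return ('program folder',
                'Likely bundled adware: boot-time scan plus an anti-spyware scan.')
    return ('other', 'Move the file to the chest and submit it for analysis.')


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a matching line, or None for anything else."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = [int(x) for x in re.split(r'[/.-]', m['date'])]  # day, month, year
    t = [int(x) for x in re.split(r'[.:]', m['time'])]   # hour, minute, second
    when = datetime(d[2], d[1], d[0], t[0], t[1], t[2])
    s = SIG_RE.match(m['sig'])
    family, variant = (s['family'], s['variant']) if s else (m['sig'], '')
    location, advice = classify(m['path'])
    return Alert(when, m['user'], int(m['pid']), family, variant, m['path'], location, advice)


def triage(lines: List[str]) -> List[Alert]:
    """Parse every alert line, silently skipping non-alert lines."""
    return [a for a in (parse_alert(line) for line in lines) if a is not None]


def summary(alerts: List[Alert]) -> Dict[str, int]:
    """Count hits per triage bucket."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.location] = counts.get(a.location, 0) + 1
    return counts


SAMPLE_LINES = [
    # Lines 1-3 are quoted from the thread; the restore-point path in line 2 is
    # reconstructed with the backslash the forum dropped.
    r'25/03/2005 12.10.41 SYSTEM 1660 Sign of “Win32:Trojan-gen. [VC]” has been found in “D:\Programmi\EbatesMoeMoneyMaker\EbatesMoeMoneyMaker.exe” file.',
    r'25/03/2005 15.32.05 SYSTEM 1660 Sign of “Win32:Trojan-gen. [VC]” has been found in “D:\System Volume Information\_restore{AD71EC8C-0640-4AE4-9FA9-B58760B5AB2C}\RP80\A0038467.EXE” file.',
    r'29-03-2005 22:53:06 1112129586 SYSTEM 204 Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\WINDOWS\system32\killapps.exe” file.',
    # Constructed line: the mscombtl32.exe hit from the thread with a made-up timestamp.
    r'30/03/2005 10.00.00 SYSTEM 1660 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Program Files\Common Files\mscombtl32.exe” file.',
    'Boot time scan started',  # not an alert line; the parser ignores it
]

if __name__ == '__main__':
    found = triage(SAMPLE_LINES)
    for a in found:
        print(f'{a.when:%Y-%m-%d %H:%M:%S}  {a.family} [{a.variant}]  {a.location:16}  {a.path}')
        print(f'    -> {a.advice}')
    print(summary(found))
```

Run it as-is to see the four quoted hits sorted into their buckets; feeding it the lines of a real avast log instead of SAMPLE_LINES needs no other change. The family/variant split is what lets hits tagged {VB}, {VC} and {Other} be counted together, which is the question raised about the different letters.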

Hi, aglennon.
I’m thinking about your words and the words of all who posted on this forum corner… In my first help-request here, I said “It’s strange the new resuscitation of this kind of Trojan 'cause it was detected for the first time some years ago”… then, 2 days ago, there was the new Avast! iAVS for it… and I’ve seen so many people who write here after this. I ask “Why?” the same as you do. But I see how today we all are very paranoid 'cause surfing on the web represents a high hazard. I think, at last, maybe various software are so protective that too many types of files are viewed as malware.
Obviously, this is necessary for our protection… but (nonsensically!) we are not at peace of mind all the same. And I see how some of us don’t find ANY visible danger after deep and repeated scans. It’s a mystery!!! Conclusion: the antivirus software databases and the “heuristic” methods work in the infinite world of probabilities, and it is very difficult to find a name or definition for an unknown object. It’s the same as if (as you say) I’m searching for “Bob” in Chicago and I ask people “Have you seen Bob? He’s almost like Jack” :-). Some people tell me “Yes”, others “No” or “Maybe” or “I don’t know”. But Avast! and the other protective software MUST say only YES or NO… and the best thing in these cases is NO. Isn’t it? I think so.

Please excuse my bad English: I hope you can understand my ideas. :wink:

See you.