Win32 trojan-gen

Help, I am using avast home, Microsoft antispy, spy sweeper. They detect the virus but they keep coming back. Running windows XP. I need some step by step instructions to clean out these viruses for good.

DBFTG

Please give some examples of what keeps coming back: virus name, infected file name and location, for example (C:\windows\system32\infected-filename.xxx)?

Things just don’t keep coming back; unpatched exploits, poor security, etc. contribute to their return.

Is your OS fully up to date?
What is your browser, is it up to date?

Advice & Tools for virus/trojan/malware Removal & Prevention

I am also having problems with this… It keeps appearing on startup and cannot be deleted or moved to the virus chest, as it says that the file cannot be found. It appears in
C:\windows\system32\l?gonui.exe

I have tried to find the file but to no avail.
I am using the latest Firefox and Xp pro with service pack 2, and have just got the latest version of avast. I have tried the avast cleanup tool but it does not find anything.

Try a boottime scan. From the avast! main interface, Click the Menu button and then select Schedule Boot-Time Scan…

I have tried that and after the scan finishes it gives me the action prompts…1 through 8 but freezes…

Post a HijackThis log: http://www.merijn.org/files/hijackthis.zip

–lee

I think I nailed the bugger, thanks for the help guys… ;D

If you would like to share, it may help others.

Hello, I’m getting this darn Win32 trojan-gen {VC} or {other} on my Aunt’s PC. I did the turn off restore thing, the boot scan thing and… it’s driving me nuts. It keeps showing up on Avast. Here’s a copy from her Avast Log Viewer.

==========================================================
Avast Report

4/20/2005 4:23:27 PM SYSTEM 1324 Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\System Volume Information_restore{A774DD25-691E-46C1-8F3D-D46BCC6755BD}\RP5\A0000659.exe” file.

4/20/2005 4:23:44 PM SYSTEM 1324 Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\System Volume Information_restore{A774DD25-691E-46C1-8F3D-D46BCC6755BD}\RP5\A0000665.exe” file.

4/20/2005 4:24:00 PM SYSTEM 1324 Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\System Volume Information_restore{A774DD25-691E-46C1-8F3D-D46BCC6755BD}\RP5\A0000666.exe” file.

4/20/2005 4:24:07 PM SYSTEM 1324 Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\System Volume Information_restore{A774DD25-691E-46C1-8F3D-D46BCC6755BD}\RP5\A0000667.exe” file.

4/26/2005 2:10:27 PM SYSTEM 1208 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\System32\explorer.exe” file.

4/26/2005 2:12:04 PM McKellar 1688 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.

4/26/2005 2:34:03 PM SYSTEM 1212 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.

4/26/2005 2:34:04 PM SYSTEM 1212 An error has occured while attempting to update. Please check the logs.

4/26/2005 2:42:44 PM SYSTEM 1608 Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\WINDOWS\System32\xevzmlu.exe” file.

4/26/2005 3:49:21 PM SYSTEM 1648 Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\WINDOWS\System32\iohvqjf.exe” file.

4/26/2005 4:48:05 PM SYSTEM 1664 Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\WINDOWS\System32\crjnhsq.exe” file.

4/26/2005 5:48:39 PM SYSTEM 1656 Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\WINDOWS\System32\xgchth.exe” file.

4/26/2005 6:46:28 PM SYSTEM 1656 Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\WINDOWS\System32\rwijfwyf.exe” file.

4/26/2005 8:17:46 PM SYSTEM 1360 Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\WINDOWS\System32\ssajdtg.exe” file.

4/26/2005 8:17:47 PM SYSTEM 1360 Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\WINDOWS\System32\ssajdtg.exe” file.

4/26/2005 8:17:52 PM SYSTEM 1360 Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\WINDOWS\system32\bfatmm.exe” file.

4/26/2005 8:31:45 PM McKellar 196 Sign of “Win32:Trojan-gen. {VC}” has been found in “c:\windows\system32\ssajdtg.exe” file.

4/26/2005 8:41:43 PM SYSTEM 1700 Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\WINDOWS\system32\ybpa.exe” file.

I just don’t understand all the odd-named exe files found in the Windows System32 folder. Thanks for any ideas on this subject.

Christopher

Chrisatrax, disable System Restore (and enable it again afterwards) to get rid of the infection in the folder [b]C:\System Volume Information[/b]

But the others, in [b]C:\WINDOWS\System32[/b], will require a boot-time scan. Can you schedule one?
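The two replies above split the detections by where they live: copies frozen inside System Restore points, and files that keep reappearing under System32. This added script (not avast’s or the thread’s own code) parses the Log Viewer lines posted above and makes that split explicit; the vowel-ratio test for machine-generated names is a heuristic of mine, not anything avast does.

```python
import ntpath
import re
from datetime import datetime
# Sample lines copied from the avast Log Viewer output posted above (raw string keeps the backslashes).
LOG = r"""
4/20/2005 4:23:27 PM SYSTEM 1324 Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\System Volume Information_restore{A774DD25-691E-46C1-8F3D-D46BCC6755BD}\RP5\A0000659.exe" file.
4/26/2005 2:10:27 PM SYSTEM 1208 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\System32\explorer.exe" file.
4/26/2005 2:12:04 PM McKellar 1688 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.
4/26/2005 2:42:44 PM SYSTEM 1608 Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\WINDOWS\System32\xevzmlu.exe" file.
4/26/2005 8:17:46 PM SYSTEM 1360 Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\WINDOWS\System32\ssajdtg.exe" file.
4/26/2005 8:17:47 PM SYSTEM 1360 Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\WINDOWS\System32\ssajdtg.exe" file.
4/26/2005 8:41:43 PM SYSTEM 1700 Sign of "Win32:Trojan-gen. {VC}" has been found in "C:\WINDOWS\system32\ybpa.exe" file.
"""
DETECTION = re.compile(
    r'^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) \S+ \d+ '
    r'Sign of [“"][^”"]+[”"] has been found in [“"](?P<path>[^”"]+)[”"] file\.$')
VOWELS = set("aeiou")

def looks_random(stem):
    """Machine-generated-looking name (xevzmlu, ssajdtg): short, letters only, few vowels."""
    # Heuristic only: check hits against a known-good baseline (lsass would trip it too).
    return stem.isalpha() and 4 <= len(stem) <= 8 and sum(c in VOWELS for c in stem) / len(stem) < 0.3

def parse(log_text):
    """Yield (timestamp, path) for each detection line; update/error lines are skipped."""
    for line in log_text.strip().splitlines():
        m = DETECTION.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"), m["path"]

def summarize(log_text):
    """Bucket detections as the replies above do: restore-point copies vs. System32 repeats."""
    restore, random_names, other, times = 0, [], [], []
    for ts, path in parse(log_text):
        lower = path.lower()
        stem, ext = ntpath.splitext(ntpath.basename(lower))
        if lower.startswith(r"c:\system volume information"):
            restore += 1
        elif (ntpath.dirname(lower).endswith(r"\windows\system32")
              and ext == ".exe" and looks_random(stem)):
            if stem not in random_names:
                random_names.append(stem)
            times.append(ts)
        else:
            other.append(path)
    # Distinct random names appearing hours apart point to a persistent dropper that
    # re-creates files; deleting the visible copies alone will not stop it.
    span = (max(times) - min(times)).total_seconds() / 60 if times else 0
    return {"restore_point": restore, "system32_random": random_names,
            "other": other, "span_minutes": span}
```

The explorer.exe hit lands in "other" on purpose: its name is not random-looking, but a file by that name under System32 is still out of place, since the genuine Explorer runs from C:\WINDOWS\Explorer.EXE (as the process list later in this thread shows).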

I used HijackThis to scan for the file… C:\windows\system32\l?gonui.exe
…because avast could not locate it. After I found it, I deleted it and ran avast once more just to make sure. However, avast found it still hiding in the same file, so I used a boot time scan and voila.

I did turn off the system restore & did a boot scan. Then I did a scan with Avast; all gone. Then later, after rebooting a few times, it’s all back.

Sorry, the restore info is from another day. That one is gone. It is all the exe files in the system32 folder that are Win32 trojan-gen {VC}, & the odd one will be {Other}.

Christopher

So, you’re clean now I suppose 8)

You may have deleted the infected files and still have a corrupted program… see advice on topic “Win32:adan-025”

Everything has been updated; what I am getting are IE windows opening on their own with ads in them. Here is a HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 6:30:17 PM, on 05/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\ms036813117-53.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SysCheckBop32.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32??anregw.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\DOCUME~1\DENNIS~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_1.dll
O4 - HKLM..\Run: [Lexmark 2200 Series] “C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe”
O4 - HKLM..\Run: [FaxCenterServer] “C:\Program Files\Lexmark Fax Solutions\fm3032.exe” /s
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM..\Run: [HP Component Manager] “C:\Program Files\HP\hpcoretech\hpcmpmgr.exe”
O4 - HKLM..\Run: [HP Software Update] “C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe”
O4 - HKLM..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM..\Run: [ms036813117-53] C:\WINDOWS\ms036813117-53.exe
O4 - HKLM..\Run: [gcasServ] “C:\Program Files\Microsoft AntiSpyware\gcasServ.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKCU..\Run: [MoneyAgent] “C:\Program Files\Microsoft Money\System\mnyexpr.exe”
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [SpySweeper] “C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe” /0
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\MSMSGS.EXE” /background
O4 - HKCU..\Run: [Ocwgmlz] C:\WINDOWS\System32??anregw.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/101ef60e7f20c376d806/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109894577718
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
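A first triage pass over the O4 (Run key) autorun lines from the log above, written as an added example rather than HijackThis’ own logic or anything posted in the thread. It flags the entries a reviewer would verify first; the three checks are my heuristics, not verdicts.

```python
import ntpath
import re

# O4 (autorun) lines copied from the HijackThis log above, embedded so this runs offline.
O4_LINES = r"""
O4 - HKLM..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM..\Run: [ms036813117-53] C:\WINDOWS\ms036813117-53.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKCU..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU..\Run: [Ocwgmlz] C:\WINDOWS\System32??anregw.exe
"""
# HijackThis writes "HKLM\..\Run"; the copy above lost one backslash, so it is optional here.
O4 = re.compile(r'^O4 - (?P<hive>HK\w+)\\?\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')

def split_command(cmd):
    """Split the text after [name] into (image path, arguments); quotes may be straight or curly."""
    m = re.match(r'^[“"](?P<p>[^”"]+)[”"]\s*(?P<a>.*)$', cmd)
    if m:
        return m["p"], m["a"]
    path, _, args = cmd.partition(" ")
    return path, args

def triage(text):
    """Return a dict per O4 autorun that deserves a closer look, with the reasons why."""
    findings = []
    for line in text.strip().splitlines():
        m = O4.match(line)
        if not m:
            continue
        path, args = split_command(m["cmd"])
        low, reasons = path.lower(), []
        if "?" in path or not path.isascii():
            # '?' is never legal in a Windows file name: the tool could not render the
            # real characters, so a plain Explorer search for the name will fail.
            reasons.append("unrenderable characters in path")
        elif ntpath.dirname(low) == r"c:\windows":
            # Vendor autoruns live under Program Files or System32; a bare image in
            # C:\WINDOWS is unusual and worth checking against a known-good install.
            reasons.append("image directly in C:\\WINDOWS")
        if not ntpath.splitext(low)[1]:
            reasons.append("no file extension")
        if reasons:
            findings.append({"hive": m["hive"], "name": m["name"], "path": path,
                             "args": args, "reasons": reasons})
    return findings
```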