win32:trojan-gen

Hello. A friend of mine is with Avast Pro (demo period). It finds the malware win32:trojan_gen; the file is deleted, but then it is found again, in the same place. What to do?

I'm sorry, but I forgot to send the results of the HijackThis scan:
Logfile of HijackThis v1.99.1
Scan saved at 8:37:38 PM, on 2/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\winsysban8.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\update32.exe
C:\WINDOWS\System32\explorer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\dasr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YServer.exe
E:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.legal18teen.com/join/index.htm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM..\Run: [ethernet] msftp.exe
O4 - HKLM..\Run: [winsysupd] C:\windows\winsysupd8.exe
O4 - HKLM..\Run: [gimmygames] C:\windows\gimmygames.exe
O4 - HKLM..\Run: [winsysban] C:\windows\winsysban8.exe
O4 - HKLM..\Run: [Logitech] Logitech.exe
O4 - HKLM..\Run: [Service] svsvhost.exe
O4 - HKLM..\Run: [aol aim] aim.exe
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [Windows update adbpro] update32.exe
O4 - HKLM..\Run: [Windows Explorer] C:\WINDOWS\System32\explorer.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Windows DLL Loader] C:\WINDOWS\RUNDLL16.EXE
O4 - HKLM..\RunServices: [ethernet] msftp.exe
O4 - HKLM..\RunServices: [Logitech] Logitech.exe
O4 - HKLM..\RunServices: [Service] svsvhost.exe
O4 - HKLM..\RunServices: [aol aim] aim.exe
O4 - HKLM..\RunServices: [Windows update adbpro] update32.exe
O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139804128218
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

Hi groti,

I can see from the log file that the computer is infected by several different items of malware.

My advice would be to try Trend Micro Sysclean:

If you are not a Trend Micro customer please download the following file.

http://uk.trendmicro-europe.com/enterprise/support/tsc.php

For the TSC package to be effective, you must download and use the latest pattern file. Place the pattern file in the same folder as the Trend Micro System Cleaner Package.

http://uk.trendmicro-europe.com/enterprise/support/pattern.php

Followed by a boot time scan with avast! (right click on the scanner screen and select 'schedule a boot time scan'; set the default action to move to chest if you have a cordless keyboard, because it won't work during the scan.)

After that, download, install, update and scan with the following programs, preferably in safe mode (tap F8 while booting.)

Ewido http://www.ewido.net/en/ (Requires Win2000/XP)

And/or a-Squared http://www.emsisoft.com/en/

Ad-Aware http://www.majorgeeks.com/download506.html

Spybot Search & Destroy http://www.safer-networking.org/

Post another HijackThis! log when you’ve finished so we can check you’re clean.

Good luck!

It keeps getting found because I believe you may have a rootkit virus that keeps getting regenerated.

In order to help fully we need more information…

  • What OS are you using? Is it up to date?
  • What avast! version and VPS file (virus database) number, e.g. 0436-4 (see "about avast!")?
  • What was the virus name, what was the filename, and where was it found,
    for example (C:\windows\system32\infected-filename.xxx)?

You need to visit Windows Update and update your OS. Once you do this you can also update IE6 to SP2; both of these actions will close a number of security vulnerabilities and make your system a little more secure.

You don't have a firewall, and you have a number of nasty entries according to an on-line analysis of your log: http://hijackthis.de/logfiles/f834c3754089ff8b51c59b0fef6a1478.html. Your system is seriously compromised.

Worst of all it would appear that you have a rootkit virus which is extremely difficult to remove.
C:\WINDOWS\System32\update32.exe Check with an antivirus scanner
Check the links in this thread http://forum.avast.com/index.php?topic=16982.0

Also other nasties:
C:\Program Files\Network Monitor\netmon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

Trend Micro Sysclean claims to be able to remove these pseudo-rootkits running as services. A practical trial would be good. Run Sysclean and see if the entries are still there.
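The entries singled out above share patterns an analyst spots by eye: autorun entries with no path at all, executables dropped straight into C:\windows, a system binary name sitting in the wrong folder, a near-miss spelling of a Windows binary, and IE start/search pages pointing at a hijacker's host. This added Python example (not from the thread, the forum or HijackThis) encodes those checks over a constructed subset of the log; the trusted-host list and the expected system folders are assumptions made for the example.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse
# Constructed sample: a subset of the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM..\Run: [ethernet] msftp.exe
O4 - HKLM..\Run: [winsysban] C:\windows\winsysban8.exe
O4 - HKLM..\Run: [Service] svsvhost.exe
O4 - HKLM..\Run: [Windows Explorer] C:\WINDOWS\System32\explorer.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\RunServices: [ethernet] msftp.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""
# Assumptions for this example: hosts the owner legitimately uses for IE pages, and the
# folder Windows XP installs each listed system binary into (paths are compared lowercase).
TRUSTED_HOSTS = {"www.yahoo.com", "us.rd.yahoo.com", "g.msn.com", "runonce.msn.com"}
SYSTEM_BINARIES = {"explorer.exe": r"c:\windows", "svchost.exe": r"c:\windows\system32",
                   "lsass.exe": r"c:\windows\system32", "services.exe": r"c:\windows\system32"}
O4_RE = re.compile(r"^O4 - HK\w+\.\.\\(?P<key>\w+): \[[^\]]*\] (?P<cmd>.+)$")
R_RE = re.compile(r"^R[01] - .+ = (?P<url>\S+)$")

def triage(log):
    """Return (log line, reason) pairs for entries that deserve a closer look."""
    findings, seen = [], set()
    for line in log.splitlines():
        r = R_RE.match(line)
        if r and urlparse(r["url"]).hostname not in TRUSTED_HOSTS:
            findings.append((line, "IE start/search page points at an unexpected host"))
        o4 = O4_RE.match(line)
        if not o4:
            continue
        exe = re.match(r'"([^"]+)"|(\S+)', o4["cmd"])     # executable, quoted or bare
        folder, _, fname = (exe[1] or exe[2]).lower().rpartition("\\")
        if not folder:
            findings.append((line, "autorun with no path: resolved via the search order"))
        elif folder == r"c:\windows":
            findings.append((line, "executable dropped in the Windows root, not a vendor folder"))
        elif fname in SYSTEM_BINARIES and folder != SYSTEM_BINARIES[fname]:
            findings.append((line, fname + " outside its normal folder " + SYSTEM_BINARIES[fname]))
        if fname not in SYSTEM_BINARIES and max(
                SequenceMatcher(None, fname, s).ratio() for s in SYSTEM_BINARIES) > 0.85:
            findings.append((line, "name mimics a Windows system binary"))
        if o4["key"] == "RunServices" and fname in seen:
            findings.append((line, "same binary also registered under Run"))
        seen.add(fname)
    return findings
def reasons_for(log, needle):
    return [why for entry, why in triage(log) if needle.lower() in entry.lower()]
```

The avast! and Messenger entries come through clean, which is the point of the heuristics: they flag the shape of a bad entry rather than a fixed list of filenames.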

Thanks everyone for the help, but my friend (a girl) just gave up and decided to reinstall the win :o women :slight_smile: sorry for bothering.

No problem. Probably the best thing with rootkits, anyway. Make sure your friend has Windows Firewall running and visits the MS update site before doing anything else. A reinstalled OS will have many vulnerabilities, even one from a new computer.


Also, tell her to stay away from certain types of sites [R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = (XXX)] if she wants that computer to stay clean. :wink:


This is probably the best option, as I said the system was seriously compromised.

Get a firewall and save it to CD so it can be installed once you do the deed, or within minutes of connection you will be infected again.

If you have someone with a broadband connection, see if they can download the complete XP SP2 update and save it to CD. Once you have reinstalled Windows, install SP2 before getting the rest of the Windows and IE updates.

Good Luck, welcome to the forums.