win32 trojan problem

Hi all,

Newbie Avast user with a problem here.

Avast shows win32:trojan-gen (other) warning on file C:\restore\temp\A0248520.CPY

If I try to either repair this or move it to a vault I get an Access Denied warning.

File properties show 0.98MB file created 28 September 2003 and modified 07 January 2001 - so modified before it was created! I’m running an old IBM with Windows ME by the way. (Well it does me :)) Attributes has it ticked as archive file.

However, while Avast flags this file up, neither Spybot Search and Destroy nor Trojan Remover reports any problem.

So could this simply be a false positive and is there any way to get a definitive answer as to whether the file is infected or not?

I suspect it is because Avast showed no problems last week. And more worryingly, I discovered that my e-mail settings had been altered, so instead of the proper pop and smtp entries it was showing 127.0.01 for both.

Might be due to another problem, but if you’ve been getting trojan warnings it might also be worth checking your e-mail settings…

Anyway, any help or advice regarding this gratefully received. Thanks.

Can you run avast booting Windows in Safe Mode?

Also, I suggest (I know… some of the operations, like 2, for instance, won’t be available in Windows Me).

  1. Clean your temporary files.
  2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Disable System Restore and then reenable it again.
  7. Immunize your system with SpywareBlaster.
  8. Check if you have insecure applications with Secunia Software Inspector.

Thanks for the tips Tech. Been working through your list as time, computer problems and unreliable internet connection allow.

Tried both Dr Web and Superantispyware and both showed no infection. Can’t get the antiroot stuff to run on my computer.

Did run Avast (thorough scan) in safe mode though, and for some reason it now shows no infection for the problem file. It does however show a Win 32 Trojan in another C:\restore\temp file, namely A0249633.CPY/A0249633.CPYE (though only with a thorough scan). Have tried to quarantine this, but it won’t go. And again it’s only Avast that flags this up.

Wondering if it might be worth reporting it as false positive to see what that reveals.

When you say clean temporary files, exactly which files/folder do you mean - temporary internet or some other? (I don’t know much about this stuff).

Have tried to attach HiJackThis log as suggested (doesn’t show in preview) so don’t know if anybody can spot something with that because it means nothing to me. ???

Thanks.

Not familiar with ME, looks like these files are copies in system restore.
http://www.bleepingcomputer.com/tutorials/tutorial63.html
You may consider disabling SR, then re-enabling.
Use CCleaner to delete temp files (avoid the Yahoo toolbar option).
http://filehippo.com/download_ccleaner/

Also the HJT version you used is ancient


Not only was the HJT version old, it was an incomplete log.

Please download HijackThis from the link below. Do not download HJT to the desktop but instead download it into its own folder on the hard drive.

Run the program but do not make any fixes and then post the log results using the “copy & paste” method. It will probably take more than one post to be able to get the complete log posted.

OR, you can post it as an attachment to your post by clicking on “Additional Options…” below left of the posting box.

When you post the log, be sure to include the complete log … header and ending.
Someone will review your log and then offer help.

http://filehippo.com/download_hijackthis/


Hi guys,

Yes it’s an old version of HJT, but that’s about as complete a log as you will get with ME. ME doesn’t have services as we know them like they are in XP. With a newer version, the most you may get is an o20 if a program like SAS is installed and set to run when Windows starts.

Most rootkit scanners will not run on 98/ME. Not that there aren’t rootkits out there for these OS’s, most rootkits are designed to infect NT systems and, for the lack of a better word, “incompatible”.

#8 in Tech’s list will not run on ME.

Those are System Restore point detections. What the actual file is is anyone’s guess. The detection could be a FP or a new Avast detection. Since there aren’t any detections anywhere else, that file may very well be redundant. The suggestion to turn off and turn on SR is probably the best solution. I believe a reboot is needed between steps on an ME machine.

The rest of the log looks good.

Thanks for all the info/suggestions guys. :slight_smile:

I know it’s an ancient version of HJT, but it works well with my ancient version of Windows. ;D

Have now disabled and re-enabled SR, run thorough Avast scan and got clear result, so once again, thanks for all the help. :smiley:

Hi

Glad you got it sorted out and you are welcome.

BTW, mine’s older Win98se ;D

You old dog ;D I have much respect for you :slight_smile:

Hi,
I really need help with my problem.
I use Windows XP.
When Win32:Trojan-gen {other} attacks my *doc files,
every Microsoft Word (*doc) file becomes size 638 k.bit.
When I use avast, it recommends moving it to the chest. That is successful, but the original *doc file goes missing/hidden,
but the file is always right there, I just cannot find it.
Can someone help with my problem??? Pleaseeeee
P.S. Sorry, my English is poor.
Thanks.

Please do not post the same thing 4 times :stuck_out_tongue:
It just makes the effort of helping harder.
Follow http://forum.avast.com/index.php?topic=3353.0