Winexec32.exe and helpw.exe infected

hi there,

i’m new and (of course) i have a problem: avast 4.1 home edition found a virus named

Win32:Trojan-gen. {UPX!}

in two files located in c:\Windows\

winexec32.exe and
helpw.exe

(hidden or system files)
of course i can't do anything with them, cause i think they're running processes…
i don't either think it's safe to delete them.
do you have any suggestions?
i’m running WinXP, SP2 NOT installed.

thank you in advance!

Both are malware. Run a boottime scan and let Avast handle it.

whoa! thanx for the FAST reply! :o
i haven’t had even the time to modify my account…

anyway i have tried the boottime scan but nothing happened – i’ll have another go, then post back the response.
thanx again!

ok, i’ve had the scan.
but when i can choose what to do (delete/move/repair/ignore), if i go for repair i get a “42060” error.
are you really sure i can delete the files? i’d tell by their names that they’re important…
and even if i delete them, how can i delete the registry key entries that have been created?

You are unlikely to be able to repair trojan files as there is nothing to repair (they have just been created). If you are in doubt move them to the avast chest. This will give time to analyse/investigate the problem.

It may be helpful to ensure that they have not gotten established using the hijackthis program.

A visit to Eddy’s HiJackThis Info and Analysis page, HiJackThis log file analyzer and follow the directions there and get back to us if you need more help…

If you want to try an online scan of your Hijackthis file try here http://hijackthis.de/index.php

Yes delete them. They are MALWARE(!) They are NOT important at all. Don’t let the location mislead you.

Not every file in x:\windows is part of windows.

If you download an application and choose to install it in \windows\ will that make it a windows file? NO

eh, hehe… you’re right, buddy ;D
anyway i deleted the files and everything’s fine.

i made a hijackthis scan and got this log:

Logfile of HijackThis v1.97.7
Scan saved at 19.17.28, on 26/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Logitech\iTouch\iTouch.exe
C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\languard.exe
C:\WINDOWS\DigitalSound.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Tin.it
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,winexec32.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKLM..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM..\Run: [COM Services] winexec32.exe
O4 - HKLM..\Run: [mediadriver{5}] winexec32.exe
O4 - HKLM..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM..\Run: [IntelliPoint] "C:\Programmi\Microsoft IntelliPoint\point32.exe"
O4 - HKLM..\Run: [helpw] "helpw.exe"
O4 - HKLM..\Run: [LanGuard] "C:\WINDOWS\languard.exe"
O4 - HKLM..\Run: [DigiD] "C:\WINDOWS\DigitalSound.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Programmi\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Programmi\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Messenger (HKLM)
O9 - Extra button: Umail (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.virgilio.it/free
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37909.2806944444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

i guess i can check and use the fix button on these lines:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,winexec32.exe,

O4 - HKLM..\Run: [COM Services] winexec32.exe

O4 - HKLM..\Run: [mediadriver{5}] winexec32.exe

O4 - HKLM..\Run: [helpw] "helpw.exe"

am i correct?
thanx again
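The four lines picked out above share one trait: each launches a bare file name (winexec32.exe, helpw.exe) with no directory, so Windows resolves it through the search path, and the F2 line shows a second program appended to the Winlogon UserInit value after the legitimate userinit.exe. The following is an added example, not code from the thread, from HijackThis or from avast, that applies exactly that reasoning to a HijackThis-style log. The function names and heuristics are this example's own, and the input is a constructed slice of the log posted above.

```python
"""Flag suspicious autostart entries in a HijackThis-style log.

Added example (not code from the thread, HijackThis or avast). Two checks:
  * O4 Run entries whose program is a bare file name with no directory,
    i.e. resolved through the search path rather than an explicit path;
  * F2 UserInit values that name anything besides userinit.exe.
Function names and heuristics are this example's own.
"""
import re

# Constructed input: a few lines copied from the log in the thread, with
# straight quotes (the forum rendered the log's quotes as curly ones).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,winexec32.exe,
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM..\Run: [COM Services] winexec32.exe
O4 - HKLM..\Run: [mediadriver{5}] winexec32.exe
O4 - HKLM..\Run: [helpw] "helpw.exe"
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

RUN_LINE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
USERINIT_LINE = re.compile(r'^F2 - REG:system\.ini: UserInit=(?P<value>.*)$', re.IGNORECASE)
QUOTES = '"\u201c\u201d'  # straight and curly double quotes, as seen in forum pastes


def launched_program(cmd: str) -> str:
    """Return the program part of a Run value: quotes and arguments removed."""
    cmd = cmd.strip()
    if not cmd:
        return ''
    if cmd[0] in QUOTES:
        # Quoted path: everything up to the closing quote is the program.
        body = cmd[1:]
        end = next((i for i, ch in enumerate(body) if ch in QUOTES), len(body))
        return body[:end].strip()
    # Unquoted: the first whitespace-delimited token (paths containing
    # spaces are normally shown quoted by HijackThis).
    return cmd.split()[0]


def is_bare_filename(program: str) -> bool:
    """True when the value names a file with no directory component at all."""
    return bool(program) and '\\' not in program and ':' not in program


def analyze_log(text: str) -> list:
    """Return (where, program, reason) triples for entries worth a closer look."""
    findings = []
    for line in text.splitlines():
        m = USERINIT_LINE.match(line)
        if m:
            programs = [p.strip() for p in m.group('value').split(',') if p.strip()]
            first = programs[0].lower() if programs else ''
            if not first.endswith('\\userinit.exe'):
                findings.append(('UserInit', first, 'first program is not userinit.exe'))
            if len(programs) > 1:
                extra = ', '.join(programs[1:])
                findings.append(('UserInit', extra,
                                 'extra program appended to the Winlogon UserInit value'))
            continue
        m = RUN_LINE.match(line)
        if m:
            program = launched_program(m.group('cmd'))
            if is_bare_filename(program):
                where = m.group('hive') + ' Run [' + m.group('name') + ']'
                findings.append((where, program,
                                 'bare file name, resolved through the search path'))
    return findings


if __name__ == '__main__':
    for where, program, reason in analyze_log(SAMPLE_LOG):
        print(f'{where}: {program} -> {reason}')
```

Run against the sample, the script reports the UserInit line plus the three Run entries, and nothing else: the same four lines the thread ends up fixing. A bare file name is not proof of malware on its own, so the output is a list of entries to look up, not a verdict.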

Here is the result of my HijackThis Log Analyzer:


CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:

You are using a old version of Hijackthis, please update.
Old version of Internet Explorer detected, please update.
Your Operating System is not up-to-date. (Latest service pack not installed)
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.


THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :

f2 - reg:system.ini: userinit=c:\windows\system32\userinit.exe,winexec32.exe,
o4 - hklm..\run: [com services] winexec32.exe
o4 - hklm..\run: [mediadriver{5}] winexec32.exe
o4 - hklm..\run: [helpw] "helpw.exe"
o16 - dpf: {166b1bca-3f9c-11cf-8075-444553540000} (shockwave activex control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
o16 - dpf: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (yinststarter class) - http://download.yahoo.com/dl/installs/yinst0309.cab
o16 - dpf: {54b52e52-8000-4413-bd67-fc7fe24b59f2} (eartpatchx class) - http://www.ea.com/downloads/rtpatch/eartpx.cab
o16 - dpf: {9f1c11aa-197b-4942-ba54-47a8489bb47f} (update class) - http://v4.windowsupdate.microsoft.com/cab/x86/unicode/iuctl.cab?37909.2806944444
o16 - dpf: {d27cdb6e-ae6d-11cf-96b8-444553540000} (shockwave flash object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


THE FOLLOWING ITEMS ARE NOT NEEDED FOR THE SYSTEM TO WORK
PROPERLY. WE RECOMMEND THEM TO BE REMOVED FROM STARTUP :

o4 - hkcu..\run: [yahoo! pager] c:\programmi\yahoo!\messenger\ypager.exe -quiet
o4 - global startup: microsoft office.lnk = c:\programmi\microsoft office\office10\osa.exe

ok thanx for your help Eddy, everything is fine now… i owe you a beer.

Ciao!

Always nice to hear a problem is solved. And about that beer, make it a large one ;D

trojan-gen indicates that it is a generic trojan horse.

avast! can automatically scan your machine before Windows XP (the GUI) boots. do this.

I have used this process to remove a similar trojan on a client’s machine, with full effectiveness. If “repair” does not work (which it didn’t in my case), select “move,” to be on the safe side.

The files you have indicated are not Windows files. Although, if your system has been malformed somehow to rely on them, you will be able to replace them using the command line interface.

Note: this is very unlikely.

Should you need to do this, use “dir helpw.exe /s” to find the location of the files, and use “mv (path)\helpw.exe c:\windows” to replace them. These commands can also be used to find other instances of the files and move them to where they won’t be run.

You should remain off the Internet whilst doing this.

Hope this helps.

Incidentally, I’m very impressed with Avast thus far. Keep up the good work.

-wily