Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Win32.Trojan Gen [RESOLVED]


  • This topic is locked This topic is locked

#1
Stivo01

Stivo01

    New Member

  • Member
  • Pip
  • 3 posts
Hi there at GeeksToGo!


My virus scan software "GData Internet Security 2008" drives me mad with constant alerts about "Win32.TRojan Gen". Infected files occur randomly at my PC, but as soon as I scan them online (Kaspersky, Jotti etc) no Trojan Gen is found. I know that no software is perfect and false alerts can occur but this Trojan.Gen really freaks me out (especially after I have read some postings about its average stealth technique).

Unfortunately neither symantec nor avast nor Gdata have descriptions online wich regfiles or settings are tempered at an infected PC by Trojan Gen. This makes it impossible for me to check my system on my own (newbie alert).

I have enclosed my HijackThis logfile. perhaps somebody can check it for me. Thanks in advance to anybody who helps me!!!!!



Scan saved at 20:53:54, on 04.08.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Programme\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\G DATA InternetSecurity\Firewall\GDFirewallTray.exe
C:\Programme\G DATA InternetSecurity\AVKTray\AVKTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Sandboxie\SbieCtrl.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\G DATA InternetSecurity\AVK\AVKService.exe
C:\Programme\G DATA InternetSecurity\AVK\AVKWCtl.exe
C:\Programme\Gemeinsame Dateien\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Programme\Tobit ClipInc\Server\ClipInc-Server.exe
C:\Programme\Tobit ClipInc\Server\ClipInc-Server.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\Programme\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Programme\G DATA InternetSecurity\Firewall\GDFwSvc.exe
C:\Programme\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programme\G DATA InternetSecurity\GUI\avkis.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Programme\Spybot - Search & Destroy\SpybotSD.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lexmark.c...p...;os=5&src=1
O2 - BHO: G DATA WebFilter Class - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Programme\G DATA InternetSecurity\Webfilter\AVKWebIE.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Programme\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Programme\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programme\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: G DATA WebFilter - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Programme\G DATA InternetSecurity\Webfilter\AVKWebIE.dll
O4 - HKLM\..\Run: [UIUCU] C:\DOKUME~1\Stefan\LOKALE~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Programme\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GDFirewallTray] C:\Programme\G DATA InternetSecurity\Firewall\GDFirewallTray.exe
O4 - HKLM\..\Run: [AVKTray] "C:\Programme\G DATA InternetSecurity\AVKTray\AVKTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Programme\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: G DATA Firewall Tray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: HP Sammelmappe - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Programme\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Intelligente Auswahl - {700259D7-1666-479a-93B1-3250410481E8} - C:\Programme\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202884402265
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: G DATA AntiVirus Proxy (AVKProxy) - G DATA Software AG - C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: G DATA Scheduler (AVKService) - G DATA Software AG - C:\Programme\G DATA InternetSecurity\AVK\AVKService.exe
O23 - Service: AntiVirus Wächter (AVKWCtl) - G DATA Software AG - C:\Programme\G DATA InternetSecurity\AVK\AVKWCtl.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Programme\Gemeinsame Dateien\InterVideo\DeviceService\DevSvc.exe
O23 - Service: ClipInc 001 (ClipInc001) - Unknown owner - C:\Programme\Tobit ClipInc\Server\ClipInc-Server.exe
O23 - Service: ClipInc 002 (ClipInc002) - Unknown owner - C:\Programme\Tobit ClipInc\Server\ClipInc-Server.exe
O23 - Service: ClipInc 003 (ClipInc003) - Unknown owner - C:\Programme\Tobit ClipInc\Server\ClipInc-Server.exe
O23 - Service: G DATA Personal Firewall (GDFwSvc) - G DATA Software AG - C:\Programme\G DATA InternetSecurity\Firewall\GDFwSvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programme\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Programme\Sandboxie\SbieSvc.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9193 bytes

EDIT 08/05/208: Sorrry, this is not a "Bump", but unfortunately there was a typo in my mail adress. My Post was marked with "immediate email notfication" - a no notification was possible, I'm sorry. Now I fixed my mailadress and so I am still looking forward for help

Edited by Stivo01, 05 August 2008 - 03:04 AM.

  • 0

Advertisements


#2
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

The Win32.TRojan Gen is actually a heuristic detection (Gen > Generic), so it could be possible that this is indeed a false positive.
Can you tell me what exact files it is detecting as Win32.TRojan Gen?
I can't see anything suspicious in your log btw...
  • 0

#3
Stivo01

Stivo01

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts

Hi,

The Win32.TRojan Gen is actually a heuristic detection (Gen > Generic), so it could be possible that this is indeed a false positive.
Can you tell me what exact files it is detecting as Win32.TRojan Gen?
I can't see anything suspicious in your log btw...




According to GData the last infected file was "A0062038.exe" in "C:\System Volume Information\_restore{BFFCDFC0-4125-4AD0-A217-9950F2275EBB}\RP183}


By now I'm quite sure, that it is Not a false positive, coz another virus "HackTool.Win32.VB.yl" was detected at my PC as well. I guess it came through a backdoor somewhere at my PC. ....HOOORAY!!!!!!!

It was found in "C:\Windows\System32" at "comdlg32.ocx".

Both files are locked in quarantine by GDATA.



I hope you can help me - Even thinking of a complete :) :) reset of my PC freaks me out!
  • 0

#4
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

This one: C:\Windows\System32" at "comdlg32.ocx". is a false positive. That I am sure. Please unlock and restore this file again, because this file is required to run a lot of tools/programs.
http://windowsxp.mvps.org/comdlg32.htm

According to GData the last infected file was "A0062038.exe" in "C:\System Volume Information\_restore{BFFCDFC0-4125-4AD0-A217-9950F2275EBB}\RP183}

This one was a leftover in your system restore points. Every exe in the system restore points are always marked as a random name.exe, so there's no way to tell here if it was a legitimate file or not.
In anyway, it's deleted.
  • 0

#5
Stivo01

Stivo01

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
As suggested I restored the ocx. file. I used jotti's online scanner to test it with more than just my scanner. 19 out of 20 scanners marked the file as "OK". Only CPsecure found the "HackTool.W32.VB.yl" again.


Nevertheless I guess (....I hope......I pray) this means I'm virus free.


This thread can be closed!


Thanks a lot!!!!
  • 0

#6
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
You're most welcome :)
  • 0

#7
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP