TechSpot

Trojan.gen is bringing me down :-/

By Fuank
Feb 6, 2006
  1. Hi, I'm new here - don't really speak tech, but here goes

    My Avast antivirus keeps popping up with a message about a file called 'rofl.sys', even though I locate it and delete it. It also calls it Trojan.gen. I tried Trend Micro's HouseCall, but it froze. What can I do? Here is my HijackThis log:

    Hope someone can ease my pain............ :(

    Fuank

    Logfile of HijackThis v1.99.1
    Scan saved at 20:55:24, on 06-02-2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
    C:\Programmer\Alwil Software\Avast4\ashServ.exe
    C:\Programmer\Network Monitor\netmon.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Programmer\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\Mixer.exe
    C:\Programmer\Winamp\winampa.exe
    C:\Programmer\Logitech\MouseWare\system\em_exec.exe
    C:\Programmer\QuickTime\qttask.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\windows\winsysban5.exe
    C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
    C:\Programmer\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\system\MMAUSBCM.exe
    C:\WUTemp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://omega-search.com/go/panel_search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.scourweb.net/nph-search.cgi?partner=wesrch1&look=stmpl1&kw=
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
    O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Programmer\TheSearchAccelerator\UCMTSAIE.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [WindowEnhancer] "C:\Programmer\winex\v9\winex.EXE" /H
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [FX] C:\WINDOWS\Downloaded Program Files\ieloader.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [Services] C:\in.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd5.exe
    O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban5.exe
    O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [rundll32] C:\Documents and Settings\Frank Steffensen\Skrivebord\Q\Feng\Ny mappe\rol\Ny mappe\rundll32.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
    O4 - HKCU\..\Run: [Sy21dsgate Personal Firewall] playboy1.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: GStartup.lnk = ?
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmer\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmer\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: MMAUSBCM.LNK = C:\WINDOWS\system\MMAUSBCM.exe
    O8 - Extra context menu item: &Google Search - res://C:\Programmer\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Programmer\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Programmer\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Programmer\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Programmer\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Programmer\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmer\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmer\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
    O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://80-site.ebrary.com.www.baser.dk/support/plugins/ebraryRdr.cab
    O16 - DPF: {1A8790BD-AEBD-11BD-A2BD-00619BD00001} (Sydbanks NetBank) - https://netbank.sydbank.dk/ssydbankibp1900ib100.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by4fd.bay4.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1116524364001
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C1D4190C-DB38-4763-B45F-5E5894923610}: NameServer = 212.10.30.252,212.10.10.4
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
    O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\ir82l5lo1.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Network Monitor - Unknown owner - C:\Programmer\Network Monitor\netmon.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - C:\WINDOWS\System32\perfont.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  2. Tedster

    Tedster Techspot old timer..... Posts: 6,000   +15

    w32:trojan.gen removal

    1. Download these programs in their own folders (i.e. on your Desktop or a permanent drive), but do not run them till I ask you to:

    Mwav
    DelDomains
    Ewido (if you have uninstalled it already)
    CCleaner (if you have uninstalled it already)

    2. Boot PC in Safe Mode (tap the F8 key repeatedly at bootup - or click here). Turn off system restore.

    3. Run HijackThis (HJT) again and place a check mark in the box next to the entries listed below if present:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pfmbb.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pfmbb.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pfmbb.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pfmbb.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pfmbb.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pfmbb.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pfmbb.dll/sp.html#28129
    R3 - Default URLSearchHook is missing

    F2 - REG:system.ini: UserInit=userinit.exe <<<< Only if your PC is NOT running as a server! If so, then do NOT fix it!

    O4 - HKLM\..\Run: [166.tmp] C:\DOCUME~1\User\LOCALS~1\Temp\166.tmp.exe 1 28129
    O4 - HKLM\..\Run: [178.tmp] C:\DOCUME~1\User\LOCALS~1\Temp\178.tmp.exe 0 28129
    O4 - HKLM\..\Run: [178.tmp.exe] C:\DOCUME~1\User\LOCALS~1\Temp\178.tmp.exe 0 28129
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.05p.com (HKLM)
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.blazefind.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.scoobidoo.com (HKLM)
    O15 - Trusted Zone: *.searchbarcash.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.124.130 (HKLM)

    O16 - DPF: {8D39C44E-F6AC-11D3-8D1E-00104B6DBF8D} -

    Close all browser and explorer windows, and click "Fix checked".

    4. Enable “show all files” (if you don’t know how, click here).

    5. Search & delete the files/folders marked in red if still present:

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe <<<< delete file

    6. Run DelDomains (right-click on DelDomains.inf and choose Install)

    7. Run CCleaner

    8. Run a full scan with:

    Ewido (I know you have run it already, but please run it again)
    Click on scanner. Click on Complete System Scan and the scan will begin.
    While the scan is in progress, you will be prompted to clean files, click OK

    When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    Click Save report. Save the report .txt file to your desktop. Close ewido security

    Mwav.
    Place a check mark in: Memory, Startup folders, drive, Registry, System folders and Services.
    - and a dot in: All local drives and Scan all files. Click on Scan.
    The scanning might take a couple of hours - depending on how much you have installed on your PC.

    Once scanned and items deleted: Click OK. Click Exit - and Exit again if you don’t want to buy the programme.
    NOTE! Do NOT click "Add to Start-up folders"!

    9. Reboot PC in Normal mode.

    10. Run HJT again and check for any unusual entries. Once virus (rootkit) free, turn on system restore.
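Step 10 asks the poster to re-read the HijackThis log for "unusual entries", and the first post's log is exactly the kind of thing that is hard to read by eye. The script below is an added example, not code from TechSpot, HijackThis, Avast or any of the posters: it parses the R0/R1, O4, O15, O18 and O20 line shapes seen in this thread and flags the entries a defender would review first (search pages pointing at unexpected hosts, Run-key programs living in the drive root, the Windows folder, a user profile or Temp, programs named like Windows binaries but running from elsewhere, components whose file is missing, and Trusted Zone additions). The allowlist of search hosts, the system-folder list and the location heuristics are assumptions chosen for illustration, not a vendor database; the sample lines are excerpted from the log and fix list posted above.

```python
"""Triage helper for HijackThis-style logs.

Added example: not TechSpot's, HijackThis's or Avast's code. It flags log
entries an analyst would review first; the allowlist and the location
heuristics below are assumptions for illustration, not a signature database.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
RUN_LINE = re.compile(r"^HK[A-Z]+\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# A quoted path, else an unquoted path up to its extension (spaces allowed), else one token.
TOKEN = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|scr|bat))(?=\s|$)|^(\S+)', re.I)

KNOWN_SEARCH_HOSTS = {"www.google.dk", "www.google.com"}   # assumed: the owner's chosen pages
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\system")  # assumed XP layout
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


def split_command(cmd: str) -> Tuple[str, str]:
    """Return (executable, remaining arguments) for a Run-key command line."""
    cmd = cmd.strip()
    m = TOKEN.match(cmd)
    if not m:
        return "", ""
    exe = next(g for g in m.groups() if g is not None)
    return exe, cmd[m.end():].strip()


def run_reason(cmd: str) -> Optional[str]:
    """Why a Run-key command deserves a look, or None if its location is unremarkable."""
    exe, rest = split_command(cmd)
    path = exe.lower()
    folder, _, base = path.rpartition("\\")
    # rundll32 only hosts a DLL: judge the DLL it loads, but only when rundll32 itself is the real one.
    if base == "rundll32.exe" and (not folder or folder in SYSTEM_DIRS):
        dll, _ = split_command(rest)
        path = dll.split(",", 1)[0].lower()
        folder, _, base = path.rpartition("\\")
    if not folder:
        return "bare file name: resolved through PATH, so its location is unknown"
    if base in SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
        return f"{base} named like a Windows binary but running from {folder}"
    if folder in (r"c:", r"c:\windows", r"c:\winnt"):
        return "executable sits directly in the drive root or Windows folder"
    if "\\temp\\" in path or folder.startswith(("c:\\documents and settings\\", "c:\\docume~1\\")):
        return "executable runs from a user profile or Temp folder"
    return None


def classify(line: str) -> Optional[Finding]:
    """Map one HijackThis line to a Finding, or None if nothing stands out."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    reason = None
    if kind in ("R0", "R1") and " = " in body:
        parsed = urlparse(body.rsplit(" = ", 1)[1].strip())
        if parsed.scheme == "res":
            reason = "browser search/start page served from a local DLL resource"
        elif parsed.hostname and parsed.hostname not in KNOWN_SEARCH_HOSTS:
            reason = f"browser search/start page points at unexpected host {parsed.hostname}"
    elif kind == "O4":
        run = RUN_LINE.match(body)
        if run:
            reason = run_reason(run.group("cmd"))
    elif kind == "O15":
        reason = "site or IP range added to Internet Explorer's Trusted Zone"
    elif kind in ("O18", "O20", "O23") and "(file missing)" in body:
        reason = "registered component whose file was not found: verify or remove"
    elif kind == "O20":
        reason = "Winlogon Notify DLL loads in every logon session: verify its publisher"
    return Finding(kind, reason, line.strip()) if reason else None


def triage(log_text: str) -> List[Finding]:
    """Return every flagged entry of a log, in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f]


# Lines excerpted from the log and the fix list posted in this thread (O15 line from the fix list).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Services] C:\in.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban5.exe
O4 - HKCU\..\Run: [rundll32] C:\Documents and Settings\Frank Steffensen\Skrivebord\Q\Feng\Ny mappe\rol\Ny mappe\rundll32.exe
O4 - HKCU\..\Run: [Sy21dsgate Personal Firewall] playboy1.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\ir82l5lo1.dll
O15 - Trusted Zone: *.blazefind.com (HKLM)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. The heuristics are deliberately location-based rather than name-based: the entries Avast kept re-detecting on this machine share a pattern (programs started from C:\, C:\WINDOWS or a desktop folder, and one calling itself rundll32.exe from a user profile), and that pattern survives a rename, whereas a list of known bad file names does not. Expect some legitimate bare-name entries (Mixer.exe, nwiz.exe) to be flagged for review too; the script ranks what to look at, it does not decide what to delete.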
     
  3. Fuank

    Fuank TS Rookie Topic Starter

    Reply to Tedster

    Hi

    Thanks a bunch for your help, I think the Trojan.gen or whatever it was, has left my computer. There was a s**t load of unwelcome stuff, most of which I have no idea what was, but my computer seems to be running at a better speed. Plus, there is no longer a message with rofl.sys.

    Gratefully out of the woods

    Fuank
     
Topic Status:
Not open for further replies.
