 Thread : Trojan-gen
 
Archived from groups: microsoft.public.win98.gen_discussion

Hi, according to Avast, I've been infected with "Win32: Trojan-gen (Other)".
Can someone please tell me where to post the HiJack This log? And feel free
to throw in any advice as well. Thanks.


http://forum.aumha.org/viewforum.php?f=30
http://forums.spywareinfo.com/,
http://castlecops.com/forum67.html


--
Regards


Ron Badour, MS MVP for W98
Tips: http://home.satx.rr.com/badour
Knowledge Base Info:
http://support.microsoft.com/default.aspx?pr=kbinfo



"Roger Fink" <fink@*****.net> wrote in message
news:%23NgR1kHqFHA.1024@TK2MSFTNGP09.phx.gbl...
> Hi, according to Avast, I've been infected with "Win32: Trojan-gen
> (Other)".
> Can someone please tell me where to post the HiJack This log? And feel
> free
> to throw in any advice as well. Thanks.
>
>


Thank you Ron.

Ron Badour wrote:
> http://forum.aumha.org/viewforum.php?f=30
> http://forums.spywareinfo.com/,
> http://castlecops.com/forum67.html
>
>
>
> "Roger Fink" <fink@*****.net> wrote in message
> news:%23NgR1kHqFHA.1024@TK2MSFTNGP09.phx.gbl...
>> Hi, according to Avast, I've been infected with "Win32: Trojan-gen
>> (Other)".
>> Can someone please tell me where to post the HiJack This log? And
>> feel free
>> to throw in any advice as well. Thanks.


From: "Roger Fink" <fink@*****.net>

| Hi, according to Avast, I've been infected with "Win32: Trojan-gen (Other)".
| Can someone please tell me where to post the HiJack This log? And feel free
| to throw in any advice as well. Thanks.
|

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

That sounds like a Generic Trojan detection.

Did it flag a particular file ?
If so what is the fully qualified name and path to that file ?

In the meantime, you can do the following which has modules for; McAfee, Sophos and Trend
Micro scanners...


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


Thank you David. Before Avast caught it (not on the fly, I'm sorry to say) I
ran scans with Spybot and AdAware, which were negative. I then downloaded
and ran T-M SysClean, which I'm familiar with. I then ran HJT and posted the
log to AUMHA forum, and of course I'm hoping they'll respond shortly. So I'd
like to see how that plays out for starters.

Thanks for the newsgroup recommendations. I'll use them for future problems,
and possibly this one as well, depending on how it goes from here.

In answer to your question (I think), the write up in Quarantine says:
Original File Name: Shellexp.exe
Original Folder: C:\WINDOWS\System\
Size of file: 303616


David H. Lipman wrote:
> From: "Roger Fink" <fink@*****.net>
>
>> Hi, according to Avast, I've been infected with "Win32: Trojan-gen
>> (Other)".
>> Can someone please tell me where to post the HiJack This log? And
>> feel free
>> to throw in any advice as well. Thanks.
>>
>
> There are anti virus News Groups specifically for this type of
> discussion.
>
> microsoft.public.security.virus
> alt.comp.virus
> alt.comp.anti-virus
>
> That sounds like a Generic Trojan detection.
>
> Did it flag a particular file ?
> If so what is the fully qualified name and path to that file ?
>
> In the meantime, you can do the following which has modules for;
> McAfee, Sophos and Trend Micro scanners...
>
>
> Download MULTI_AV.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> It is a self-extracting ZIP file that contains the Kixtart Script
> Interpreter { http://kixtart.org Kixtart is CareWare } three batch
> files, five Kixtart scripts, one Link (.LNK) file, a PDF instruction
> file and two utilities; UNZIP.EXE and WGET.EXE. It will simplify the
> process of using; Sophos, Trend and McAfee Anti Virus Command Line
> Scanners to remove viruses, Trojans and various other malware.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in
> C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed
> in Normal Mode. This way all the components can be downloaded from
> each AV vendor’s web site.
> The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the
> PC.
>
> You can choose to go to each menu item and just download the needed
> files or you can download the files and perform a scan in Normal
> Mode. Once you have downloaded the files needed for each scanner you
> want to use, you should reboot the PC into Safe Mode [F8 key during
> boot] and re-run the menu again and choose which scanner you want to
> run in Safe Mode. It is suggested to run the scanners in both Safe
> Mode and Normal Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more
> comprehensive PDF help file.
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder
> C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow
> WGET.EXE to go through your FireWall to allow it to download the
> needed AV vendor related files.
>
> * * * Please report back your results * * *


From: "Roger Fink" <fink@*****.net>

| Thank you David. Before Avast caught it (not on the fly, I'm sorry to say) I
| ran scans with Spybot and AdAware, which were negative. I then downloaded
| and ran T-M SysClean, which I'm familiar with. I then ran HJT and posted the
| log to AUMHA forum, and of course I'm hoping they'll respond shortly. So I'd
| like to see how that plays out for starters.
|
| Thanks for the newsgroup recommendations. I'll use them for future problems,
| and possibly this one as well, depending on how it goes from here.
|
| In answer to your question (I think), the write up in Quarantine says:
| Original File Name: Shellexp.exe
| Original Folder: C:\WINDOWS\System\
| Size of file: 303616
|

SpyBot and Ad-aware are for malware but for the non-viral malware category. The anti virus
software covers Trojans better than the non-viral malware applications (even though Trojans
are not true viruses, they are in a cross-over category).

Like I said, it was a generic detection based upon the Avast name. To get more information,
please submit a sample of "Shellexp.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

When you get the report, please post back the exact results.

From those results other vendors' virus encyclopedias can be examined for more information
on this infector. Avast does not keep a good encyclopedia. You will also find there is no
standardization in the naming convention of infectors between AV vendors. For example, the
following infector names are for the same infector.

W32/Chode-F -- Sophos
W32/Kelvir.worm.ev -- McAfee
Win32:VBbot -- Avast
Backdoor.Tixanbot -- Symantec

I am glad you are familiar with Trend Micro's Sysclean utility. It is a good Broad-spectrum
removal tool. It is also incorporated in my Multi AV Scanning tool I posted about and it
automates the process of downloading the needed files and running the utility. The utility
does likewise for the Sophos and McAfee Command Line scanners. It makes using these "On
Demand" scanners easy to use and it is an excellent verification/removal tool.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
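
The naming mismatch described in the post above, worked through as an added example (not part of the original thread or of any vendor's tooling). The label patterns are assumptions inferred only from the names quoted in the post, and `parse` and `summarise` are hypothetical helper names.

```python
import re
from typing import NamedTuple, Optional


class Detection(NamedTuple):
    vendor: str
    platform: Optional[str]  # None when the vendor's label carries no platform
    family: str              # lower-cased family (or category) token
    generic: bool            # True for a catch-all "-gen" label


# Label shapes inferred ONLY from the names quoted in the thread (assumption:
# each vendor's real naming scheme has more forms than the one shown here).
PATTERNS = {
    "Sophos": re.compile(r"(?P<platform>\w+)/(?P<family>[A-Za-z0-9]+)(?:-\w+)?"),
    "McAfee": re.compile(r"(?P<platform>\w+)/(?P<family>[A-Za-z0-9]+)(?:\.[\w.]+)?"),
    "Avast": re.compile(r"(?P<platform>\w+):\s*(?P<family>[A-Za-z0-9]+)"
                        r"(?P<gen>-gen)?(?:\s*\([^)]*\))?"),
    "Symantec": re.compile(r"[A-Za-z]+\.(?P<family>[A-Za-z0-9]+)"),
}
PLATFORM_ALIASES = {"w32": "win32"}  # "W32" and "Win32" mean the same platform


def parse(vendor: str, label: str) -> Detection:
    """Split one vendor's detection label into comparable fields."""
    if vendor not in PATTERNS:
        raise ValueError(f"no pattern for vendor {vendor!r}")
    m = PATTERNS[vendor].fullmatch(label.strip())
    if m is None:
        raise ValueError(f"unrecognised {vendor} label: {label!r}")
    g = m.groupdict()
    platform = g.get("platform")
    if platform:
        platform = PLATFORM_ALIASES.get(platform.lower(), platform.lower())
    return Detection(vendor, platform, g["family"].lower(), bool(g.get("gen")))


def summarise(reports: dict) -> dict:
    """reports maps vendor -> label for ONE file scanned by several engines."""
    parsed = [parse(vendor, label) for vendor, label in reports.items()]
    families = sorted({d.family for d in parsed if not d.generic})
    generic = sorted(d.vendor for d in parsed if d.generic)
    return {
        "families": families,        # distinct specific names reported
        "generic_vendors": generic,  # engines that gave only a catch-all label
        "names_agree": len(families) == 1 and not generic,
    }


# The four names the post gives for a single infector.
SAME_INFECTOR = {
    "Sophos": "W32/Chode-F",
    "McAfee": "W32/Kelvir.worm.ev",
    "Avast": "Win32:VBbot",
    "Symantec": "Backdoor.Tixanbot",
}
# The alert from the opening post of the thread.
ORIGINAL_ALERT = {"Avast": "Win32: Trojan-gen (Other)"}

if __name__ == "__main__":
    print(summarise(SAME_INFECTOR))
    print(summarise(ORIGINAL_ALERT))
```

Four engines yield four unrelated family strings for one file, so a name from one vendor cannot be looked up in another vendor's encyclopedia, and the `-gen` label yields no family at all, which is why the post asks for a multi-engine report on the file itself.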


David H. Lipman wrote:
> From: "Roger Fink" <fink@*****.net>
>
>> Thank you David. Before Avast caught it (not on the fly, I'm sorry
>> to say) I
>> ran scans with Spybot and AdAware, which were negative. I then
>> downloaded
>> and ran T-M SysClean, which I'm familiar with. I then ran HJT and
>> posted the
>> log to AUMHA forum, and of course I'm hoping they'll respond
>> shortly. So I'd
>> like to see how that plays out for starters.
>>
>> Thanks for the newsgroup recommendations. I'll use them for future
>> problems,
>> and possibly this one as well, depending on how it goes from here.
>>
>> In answer to your question (I think), the write up in Quarantine
>> says:
>> Original File Name: Shellexp.exe
>> Original Folder: C:\WINDOWS\System\
>> Size of file: 303616
>>
>
> SpyBot and Ad-aware are for malware but for the non-viral malware
> category. The anti virus software covers Trojans better than the
> non-viral malware applications (even though Trojans are not true
> viruses, they are in a cross-over category).
>
> Like I said, it was a generic detection based upon the Avast name.
> To get more information, please submit a sample of "Shellexp.exe" to
> Virus Total -- http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendors'
> scanners.
> That will give you an idea what it is and who recognizes it. In
> addition, unless told otherwise, Virus Total will provide the sample
> to all participating vendors.
>
> When you get the report, please post back the exact results.
>
> From those results other vendors' virus encyclopedias can be examined
> for more information on this infector. Avast does not keep a good
> encyclopedia. You will also find there is no standardization in the
> naming convention of infectors between AV vendors. For example, the
> following infector names are for the same infector.
>
> W32/Chode-F -- Sophos
> W32/Kelvir.worm.ev -- McAfee
> Win32:VBbot -- Avast
> Backdoor.Tixanbot -- Symantec
>
> I am glad you are familiar with Trend Micro's Sysclean utility. It is
> a good Broad-spectrum removal tool. It is also incorporated in my
> Multi AV Scanning tool I posted about and it automates the process of
> downloading the needed files and running the utility. The utility
> does likewise for the Sophos and McAfee Command Line scanners. It
> makes using these "On Demand" scanners easy to use and it is an
> excellent verification/removal tool.

David - Avast makes it easy to email a file from quarantine - but only to
them (which I just did). As I read their info, the only way I can send the
file to an outside party, like Virus Total, would be to restore it to its
original location in Windows\System (to create an email attachment). To the
uninitiated that doesn't seem like a smart thing to do, but if you don't
think it creates any additional hazard I'll do it. I assume that if I were
to do this, I just send it back into quarantine after I'm done.


From: "Roger Fink" <fink@*****.net>


|
| David - Avast makes it easy to email a file from quarantine - but only to
| them (which I just did). As I read their info, the only way I can send the
| file to an outside party, like Virus Total, would be to restore it to its
| original location in Windows\System (to create an email attachment). To the
| uninitiated that doesn't seem like a smart thing to do, but if you don't
| think it creates any additional hazard I'll do it. I assume that if I were
| to do this, I just send it back into quarantine after I'm done.
|

It might be best to leave it as-is.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Dak

On Wed, 24 Aug 2005 02:58:40 -0400, "Roger Fink" <fink@*****.net>
wrote:

>Hi, according to Avast, I've been infected with "Win32: Trojan-gen (Other)".
>Can someone please tell me where to post the HiJack This log? And feel free
>to throw in any advice as well. Thanks.
>
TUTORIALS/HELP FILES:
<http://www.bleepingcomputer.com/forums/index.php?showtutorial=42>
<http://www.aumha.org/a/hjttutor.htm>

DO IT YOURSELF:
<http://www.help2go.com/modules.php?name=HJTDetective>
<http://www.hijackthis.de/en>
<http://hjt.iamnotageek.com/>

GET EXPERT HELP:
*NOTE: Registration is REQUIRED before posting a log*
*NOTE: Web sites NOT listed in any particular order*
<http://aumha.net/viewforum.php?f=30>
<http://www.bleepingcomputer.com/forums/forum22.html>
<http://www.dslreports.com/forum/security>
<http://castlecops.com/forum67.html>
<http://www.wilderssecurity.com/forumdisplay.php?f=24>
<http://www.cybertechhelp.com/forums/forumdisplay.php?f=25>
<http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html>
<http://gladiator-antivirus.com/forum/index.php?showforum=170>
<http://forum.iamnotageek.com/f-130.html>
<http://forums.maddoktor2.com/index.php?showforum=17>
<http://www.spywarewarrior.com/viewforum.php?f=5>
<http://forums.spywareinfo.com/index.php?showforum=18>
<http://forums.techguy.org/f54-s.html>
<http://forums.tomcoyote.org/index.php?showforum=27>
<http://forums.subratam.org/index.php?showforum=7>
<http://boards.cexx.org/viewforum.php?f=1>
<http://www.malwarebytes.biz/forums/index.php?showforum=5>

--
dak
My SpywareBlaster Custom Blocking List:
<http://customblockinglist.cjb.net/>


From: "dak" <postmaster@[127.0.0.1]>

| On Wed, 24 Aug 2005 02:58:40 -0400, "Roger Fink" <fink@*****.net>
| wrote:
|
>> Hi, according to Avast, I've been infected with "Win32: Trojan-gen (Other)".
>> Can someone please tell me where to post the HiJack This log? And feel free
>> to throw in any advice as well. Thanks.
>>
| TUTORIALS/HELP FILES:
| <http://www.bleepingcomputer.com/forums/index.php?showtutorial=42>
| <http://www.aumha.org/a/hjttutor.htm>
|
| DO IT YOURSELF:
| <http://www.help2go.com/modules.php?name=HJTDetective>
| <http://www.hijackthis.de/en>
| <http://hjt.iamnotageek.com/>
|
| GET EXPERT HELP:
| *NOTE: Registration is REQUIRED before posting a log*
| *NOTE: Web sites NOT listed in any particular order*
| <http://aumha.net/viewforum.php?f=30>
| <http://www.bleepingcomputer.com/forums/forum22.html>
| <http://www.dslreports.com/forum/security>
| <http://castlecops.com/forum67.html>
| <http://www.wilderssecurity.com/forumdisplay.php?f=24>
| <http://www.cybertechhelp.com/forums/forumdisplay.php?f=25>
| <http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html>
| <http://gladiator-antivirus.com/forum/index.php?showforum=170>
| <http://forum.iamnotageek.com/f-130.html>
| <http://forums.maddoktor2.com/index.php?showforum=17>
| <http://www.spywarewarrior.com/viewforum.php?f=5>
| <http://forums.spywareinfo.com/index.php?showforum=18>
| <http://forums.techguy.org/f54-s.html>
| <http://forums.tomcoyote.org/index.php?showforum=27>
| <http://forums.subratam.org/index.php?showforum=7>
| <http://boards.cexx.org/viewforum.php?f=1>
| <http://www.malwarebytes.biz/forums/index.php?showforum=5>
|
| --
| dak
| My SpywareBlaster Custom Blocking List:
| <http://customblockinglist.cjb.net/>


Hmmm.... Looks like that was taken directly from the; alt.privacy.spyware FAQ.

However, I see no reference to that. It should !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Dak

On Thu, 25 Aug 2005 09:35:40 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>Hmmm.... Looks like that was taken directly from the; alt.privacy.spyware FAQ.
>
>However, I see no reference to that. It should !

No, it shouldn't.
It wasn't taken from the alt.privacy.spyware FAQ. It's in the
alt.privacy.spyware FAQ because I submitted it to "shplink" for
inclusion in the alt.privacy.spyware FAQ. Try this message ID:

<sregd1p5qf15pub9bm0go2qhaqp6c19bi5@4ax.com>

The actual information was compiled from Siljaline's contributions
and my own.
But thanks for asking... Oh, that's right, you didn't... You just
made your assumptions and allegations.... :o)

--
dak
My SpywareBlaster Custom Blocking List:
<http://customblockinglist.cjb.net/>


From: "dak" <postmaster@[127.0.0.1]>

| On Thu, 25 Aug 2005 09:35:40 -0400, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:
|
>> Hmmm.... Looks like that was taken directly from the; alt.privacy.spyware FAQ.
>>
>> However, I see no reference to that. It should !
|
| No, it shouldn't.
| It wasn't taken from the alt.privacy.spyware FAQ. It's in the
| alt.privacy.spyware FAQ because I submitted it to "shplink" for
| inclusion in the alt.privacy.spyware FAQ. Try this message ID:
|
| <sregd1p5qf15pub9bm0go2qhaqp6c19bi5@4ax.com>
|
| The actual information was compiled from Siljaline's contributions
| and my own.
| But thanks for asking... Oh, that's right, you didn't... You just
| made your assumptions and allegations.... :o)
|
| --
| dak
| My SpywareBlaster Custom Blocking List:
| <http://customblockinglist.cjb.net/>

"Looks like that was taken directly from the..." is not an allegation, at best it's an
assumption.

It's the "which came first, the chicken or the egg..." type deal. It is the exact text from
the FAQ so I am right in my assumption. The fact that you submitted it to shplink is more than
fantastic !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Dak

On Fri, 26 Aug 2005 09:56:10 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>>> Hmmm.... Looks like that was taken directly from the; alt.privacy.spyware FAQ.
>>>
>>> However, I see no reference to that. It should !
>>
>> No, it shouldn't.
>> It wasn't taken from the alt.privacy.spyware FAQ. It's in the
>> alt.privacy.spyware FAQ because I submitted it to "shplink" for
>> inclusion in the alt.privacy.spyware FAQ. Try this message ID:
>>
>> <sregd1p5qf15pub9bm0go2qhaqp6c19bi5@4ax.com>
>>
>> The actual information was compiled from Siljaline's contributions
>> and my own.
>> But thanks for asking... Oh, that's right, you didn't... You just
>> made your assumptions and allegations.... :o)
>
>"Looks like that was taken directly from the..." is not an allegation, at best it's an
>assumption.
>
You assumed it was taken directly from the alt.privacy.spyware FAQ
and alleged it should have a reference to it.

>It's the "which came first, the chicken or the egg..." type deal.
>
That was solved (for *some*) a long time ago. :o)

>It is the exact text from the FAQ so I am right in my assumption. The fact that you
>submitted it to shplink is more than fantastic !
>
Your assumption is wrong because it is not the exact text from the
FAQ, it's the other way around - the FAQ is the exact text from my
posts and submission. I took nothing from the FAQ, I gave to it.
And now that is solved - everyone knows that I didn't plagiarize the
alt.privacy.spyware FAQ, the FAQ didn't plagiarize me, nor did I
plagiarize myself (much like John Fogerty) and the timeline/record of
events has been set straight. :o)
Thank you for the kind words about my FAQ submissions, as a
reciprocal your contributions and involvement in several newsgroups
have not gone unnoticed. I, for one, appreciate the voluntary
assistance you have rendered others.

--
dak
My SpywareBlaster Custom Blocking List:
<http://customblockinglist.cjb.net/>