AVG detected a Trojan horse Generic11.AVBS , advice/help needed

Status
Not open for further replies.
Santuzzo

Santuzzo

Daemon Poster
Messages
675
Location
Amsterdam, The Netherlands
Hi,

today my AVG free scheduled virus scan detected a virus infection, a trojan horse called Generic11.AVBS.

The strange thing is, it was located in a file of a software I just installed a week ago (it was a new bought software synthesizer for music), and I had run a complete scan already yesterday, and after yesterday I had not changed anything about that software. But yesterday the scane results did not detect any viruses, but today the scan detected above mentioned trojan horse.
AVG isolated and removed the file form its folder and put it into the AVG virus vault.
I searched the internet for this particular trojan (Generic11.AVBS), but did not find anything, so I thought maybe AVG just made a mistake. I resotred the file and had it put back into its folder, and scanned that folder again, but it was detected as the same trojan horse again.

Right now I am running a PANDA active online scan, to get another opinion, and the scan is not through yet (still scanning partition C, AVG detected the trojan in D), but it already stated 2 infected files which must be in C somewhere, but AVG hadn't found anything there.

Thuis is confusing. Should I get another anti-virus software?
And what can I do about the Trojan it detected? Right now it's still in its folder where I had AVG restore it.

Any advice help would be very much appreciated.

Thanks,
Lars

PS: what other online virus scanner(s) would you recommend?


Update: I tried the Trend-Micro online scanner, and it did not detect anything. I pointed it directly on the specific folder where the fiels is that ACG detects as a Trojan, but Trend-Micro House-Call says there is no threat.

I stopped the Panda active sanc, BTW< becasue it was taking very long. I will start it later when I am done working on the PC.


All of this is very confusing...one scanner says it's a virus, another says it's not...who should I trust?
 
OK, I just downloaded Trend Micro's Hijackthis and made a log file. Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:49:19, on 11.05.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programme\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Programme\Marvell\raid\svc\mvraidsvc.exe
C:\Programme\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Programme\Marvell\raid\Apache2\bin\httpd.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\PSIService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programme\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programme\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Marvell\raid\Apache2\bin\httpd.exe
C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\Programme\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\TurboV\TurboV.exe
C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Labtec\LABTEC~1\Keyboard.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programme\ASUS\EPU-6 Engine\SixEngine.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Programs\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\V0270Mon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Marvell\raid\tray\zRaidTray.exe
D:\Programs\Open Office\OpenOffice.org 3\program\soffice.exe
D:\Programs\Open Office\OpenOffice.org 3\program\soffice.bin
C:\Programme\Digital Timepiece\DigitalTimepiece.exe
C:\Dokumente und Einstellungen\Lars\Desktop\Weird Metronome.exe
c:\programme\gemeinsame dateien\installshield\updateservice\isuspm.exe
C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\agent.exe
C:\Programme\AVG\AVG8\avgcsrvx.exe
D:\Programs\bb\bbw.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programme\AVG\AVG8\avgssie.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - D:\Programs\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Programs\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programme\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [TurboV] "C:\Program Files\ASUS\TurboV\TurboV.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [KeyBoard] C:\PROGRA~1\Labtec\LABTEC~1\Keyboard.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [QFan Help] "C:\Program Files\ASUS\Ai Suite\QFan3\QFanHelp.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Six Engine] "C:\Programme\ASUS\EPU-6 Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "D:\Programs\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [V0270Mon.exe] C:\WINDOWS\V0270Mon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = D:\Programs\Open Office\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: MarvellTrayStartup.lnk = C:\Programme\Marvell\raid\tray\RaidTray.bat
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://D:\Programs\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://D:\Programs\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://D:\Programs\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://D:\Programs\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.line6.net
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15107/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ASUS System Control Service (AsSysCtrlService) - Unknown owner - C:\Programme\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programme\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Programme\Marvell\raid\svc\mvraidsvc.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Programme\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\Programme\Marvell\raid\Apache2\bin\httpd.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8765 bytes


EDIT: and, sorry, my PC has Windows XP pro in German.
 
Now can you run combofix and then malwarebytes and post their logs as well? They can be found in my guide below
 
Osiris said:
Now can you run combofix and then malwarebytes and post their logs as well? They can be found in my guide below
Click to expand...

Hi. Thanks!

I tried to run combofix, but it said I had to turn off AVG for combofix to run. The problem is, inside the AVG user interface there is nowhere the option to turn it off.
Do you know how I can turn it off for combofix to run?
Do I just have to stop the auto-run of AVG with startup?
 
You can disable it from mscongig>startup and you can also stop the services under services.msc

Then reboot and it should be disabled. Ive ran Combofix with my AV running and didnt have any issues. I'm not saying it cant happen but this is from my own experience.
 
Status
Not open for further replies.

Similar threads

P
ComboFix Replacement
Replies
5
Views
659
PC_Cone
P
B
i keep getting an alert from AVG every minute or so. super annoying!
2
Replies
18
Views
2K
alyssa.robert235
A
O
hello & mostly clueless & would appreciate mac security help after trojan attack!
Replies
0
Views
1K
once2023
O
Trotter
Files missing from drive in external enclosure
2
Replies
18
Views
2K
PP Mguire
PP Mguire
P
Python initial setup
Replies
0
Views
523
Paul Kinyanjui
P
Back
Top Bottom