# Infection: win32:spyware-gen [trj]



## ellaphant5 (Aug 12, 2007)

How do I delete the trojan, win32:spyware-gen? My latest scan showed that Avast could not delete 4 trojans located at:

C:/Program Files/Common Files/Wise Installation Wizard/ WIS4574B9B383144COF88634796CC739CEF_2_0_2_1.MSI/Cabs.w1.cab/TopSearch.dll

C:/System Volume Information/_restore{44D881CC-A370-456D-AD37-B98722F97AD4}/RP892/A0197635.MSI/Cabs.w1.cab/TopSearch.dll

C:/System Volume Information/_restore{44D881CC-A370-456D-AD37-B98722F97AD4}/RP892/A0197730.MSI/Cabs.w1.cab/TopSearch.dll

C:/System Volume Information/_restore{44D881CC-A370-456D-AD37-B98722F97AD4}/RP892/A0201616.MSI/Cabs.w1.cab/TopSearch.dll

Also, I noticed Kazaa came up during the virus scan. I uninstalled that program several years ago, which has me questioning whether any of the programs I had uninstalled through control panel-add/remove programs, actually removed all traces of it. Searching for files containing that keyword came up empty. Could anyone explain?

My Hijack Log is below:

Logfile of HijackThis v1.99.1
Scan saved at 12:15:26 AM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [imekrmig] C:\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara.com/UI/proxyhtt...155.171.79_54611&=&req=1158365516748OneCC.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185514332707
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/XTools.cab
O16 - DPF: {DF88B6BB-3A73-4443-95A4-23A1568CAC80} - http://www.upiece.co.kr/piece/plugin_new/coxgrd.cab
O16 - DPF: {EACD6BE5-C0EE-4909-9B71-B2807C8A245C} (JukeOn Login Control) - http://dl.jukeon.co.kr/jukeon/jukeon2/2006050201/jukeonax.cab
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

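As an added example (not from this thread or from the HijackThis project), a small Python triage script that walks entries in the shape of the log above and flags the lines a helper looks at first: dangling "(file missing)" pointers, the missing URLSearchHook, ActiveX (O16) downloads from hosts outside an assumed allowlist, and autostarts with relative paths. The sample log excerpt and the allowlist are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few entries in the shape of the HijackThis log
# posted above (not the full log).
SAMPLE_LOG = """\
R3 - Default URLSearchHook is missing
O4 - HKCU\\..\\Run: [LDM] \\Program\\BackWeb-8876480.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall.cab
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\\Program Files\\Acesoft\\Tracks Eraser Pro\\autocomp.exe (file missing)
"""

# HijackThis entries start with a section code (R0, O2, O16, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# Assumption for this example: ActiveX downloads from these hosts are expected.
TRUSTED_DPF_SUFFIXES = (".microsoft.com",)


def parse_entries(text):
    """Split a log into (code, body) tuples; process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Return (reason, line) findings that deserve a human look."""
    findings = []
    for code, body in parse_entries(text):
        line = f"{code} - {body}"
        if "(file missing)" in body:            # autostart/service pointing at nothing
            findings.append(("dangling reference", line))
        if code == "R3" and "is missing" in body:
            findings.append(("URLSearchHook missing", line))
        if code == "O16":                        # Downloaded Program Files (ActiveX)
            url = body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or ""
            if not host.endswith(TRUSTED_DPF_SUFFIXES):
                findings.append((f"ActiveX download from {host}", line))
        if code == "O4":                         # Run-key autostarts
            path = body.split("] ", 1)[-1].strip('"')
            if not re.match(r"^[A-Za-z]:\\", path):   # no drive letter: relative path
                findings.append(("relative autostart path", line))
    return findings
```

Run `triage(SAMPLE_LOG)` to see the five flagged lines; the same function works on a full pasted log because non-entry lines are ignored.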

----------



## cybertech (Apr 16, 2002)

Please *download* the *OTMoveIt by OldTimer*.

*Save* it to your *desktop*.
Please double-click *OTMoveIt.exe* to run it.
*Copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

*C:/Program Files/Common Files/Wise Installation Wizard/ WIS4574B9B383144COF88634796CC739CEF_2_0_2_1.MSI/Cabs.w1.cab/TopSearch.dll*

Return to OTMoveIt, right click on the *"Paste List of Files/Folders to be moved"* window and choose *Paste*.
Click the red *Moveit!* button.
Close *OTMoveIt*.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

Flush your System Restore
Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405


----------



## ellaphant5 (Aug 12, 2007)

It won't let me move it.

"File/Folder C:\Program Files\Common Files\Wise Installation Wizard\WIS4574B9B383144C0F88634796CC739CEF_2_0_2_1.MSI\Cabs.w1.cab\TopSearch.dll not found."


----------



## cybertech (Apr 16, 2002)

OK, run your virus scan again.


----------



## ellaphant5 (Aug 12, 2007)

The results show that my computer is still infected with the same trojan, except this time, only in 2 locations - one in "Program Files - Common Files - ..." (as stated before) and the other in "System volume Info ..."


----------



## cybertech (Apr 16, 2002)

System Volume is System Restore.

Restart in Safe Mode.

To boot up in Safe mode, continuously tap the F8 key while starting your computer.
You should see a black screen displaying the Windows Advanced Menu Options.
Using your keyboard's arrow keys, select Safe mode, then hit Enter.

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders", then click "Apply" and "OK".

Now see if you can find the file (TopSearch.dll) and delete it.


----------



## ellaphant5 (Aug 12, 2007)

Search came up empty. Searching for it in Safe Mode came up empty as well. The virus scan is still showing it's present.


----------



## cybertech (Apr 16, 2002)

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.

In the *Processes* group click *ALL*.
In the *Win32 Services* group click *ALL*.
In the *Driver Services* group click *ALL*.
In the *Registry* group click *ALL*.
In the *Files Created Within* group click *60 days*. Make sure Non-Microsoft only is *UNCHECKED*.
In the *Files Modified Within* group select *30 days*. Make sure Non-Microsoft only is *UNCHECKED*.
In the *File String Search* group select *ALL*.
In the *Additional Scans* section, select *ALL*.
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data, so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete, Notepad will open with the report file loaded in it.
Save that Notepad file, but click on the "Format" menu and make sure that "Word Wrap" is not checked. If it is, click on it to uncheck it.
Please post the resulting log here as an attachment.


Click on the orange *Post a Reply!* button.
Scroll down to Manage Attachments.
Click in the box that says Upload File from your Computer.
Click the Browse... button and find the file, then click Open.
Click the Upload button.
Wait until you see *Current Attachment* and your file name.
Click on Close this window.
Then submit the reply.


----------



## ellaphant5 (Aug 12, 2007)

Attached


----------



## cybertech (Apr 16, 2002)

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the *Run Fix* button.


> [Kill Explorer]
> [Registry - All]
> < Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
> YN -> {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_02 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
> ...


The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the *Ok* button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3U scan.

I will review the information when it comes back in.


----------



## ellaphant5 (Aug 12, 2007)

Attached


----------



## cybertech (Apr 16, 2002)

Found this information about Topsearch. Seems you can get rid of it by uninstalling your P2P applications.

http://www.altnet.com/support/bottomright.asp?c=1&c2=40&fn=1


----------



## ellaphant5 (Aug 12, 2007)

Should I try downloading Kazaa and use "your uninstaller" to uninstall? Kazaa Be Gone did not delete all traces of Kazaa. If not, would you agree there's no harm in leaving it? 

As for deleting all things associated with OTMoveIt and WinPFind3U, how would I do that, since they cannot be uninstalled by Add/Remove Programs?


----------



## cybertech (Apr 16, 2002)

No, I would not suggest downloading Kazaa.

OTMoveit creates a folder on the c:\ drive.

Delete WinPFind3U.exe from your desktop.


----------

