infected by Win32Adware.gen

Yesterday, one of my father’s computers got infected by malware. As I understand, it was called Win32Adware.gen according to Avast.

These files has also been affected:

An application called TRdww doesn’t shut down automaticly when restarting the pc.

Also, a popup appear every time windows starts (when not in safe mode), saying that the computer is infected and wants to start a scan. Not sure what it is, but surely fake I guess…

We are using windows xp (sp 1). Avast is up-to-date. We have a hardware firewall in our netgear router. Ad-aware (up-to-date) has been used for scanning for malware.

I read one other thread on this forum with a similar issue, and I followed the advice to turn off the System Restore feature. After many restarts, the most recents in safe mode, Avast isn’t finding as many infected files as before.

That’s about it. Any ideas of what i should try?

Now, I’ve also tried to install CBO. It immediately found a malware in the following file:
C:\windows\system32\braviax.exe DLDR-ZLOB.PK

Avast found the same files again
C:\windows\system32\univrs.exe (sometimes also called univrs32.dat Win32:Tibs-ADO)

But, since then nothing is detected! I’ve restarted several times. Now Avast is making a complete scan of c:.

Problem hopefully solved?

Hi Andervaeld,

First of all I would get SP2 on this computer ASAP. A couple of years ago I setup a computer with only SP1 (unknowningly) and it was instantly infected. Three days later I had all the computers in my office network cleaned up (the first machine nailed them all). I am sure you will get lots of advice here. I would start with the latest version of Spybot. I have good luck with that as a first step to eliminate malware. There are lots of (reputable) online scanners. Some off the top of my head are Nod32, HouseCall, McAfee. Should you run the “scan” that is offered when the computer starts up?..HELL NO! As malware is found write down the details on a piece of paper so that you can make sure it is really gone later. Once the computer is cleaned up I would recommend Comodo’s firewall 3.0 (but only AFTER it is cleaned up–the Clean PC mode in CFP 3 assumes the stuff running on your computer is already safe, best to make sure it is).
Anyway, start with Spybot, and one of the (reputable) online scanners, and look for more advice on this thread, as I am sure there will be more arriving.

Good luck (:WAV)

Thanks for your tips grayhair!

The computer seems to be clean, CBO appear to have done a great job. My father will make a complete scan with Avast, Ad-aware and Spybot, and at least one of the online scanners you suggested. We will also install SP2 as soon as we have the time.

The comodo firewall, is it much better than the firewall that comes with SP2? I’m sure it’s more secure, but when it comes to firewalls I’m allways worried that it asks permisson about every application.

Hey Andervaeld,
from my experience I can claim that CFP is not very noisy. You just have too many possibilities to configure it the way you want it: from chatty to mute - anything goes. And it’s always your best bet firewall - IMO. Just make sure to have a clean computer before you install it as it starts in “clean pc mode” by default, which means it assumes that all files that are on your computer upon installation are safe. Well, you can check the files with the built-in malware scanner but that’s certainly not your best bet. Whether it is possible to change from “clean pc mode” into another mode before it assumes any baddies that are already on your system safe - I don’t know.
So, two possibilities come to mind:

  1. Very safe and you can sleep well in the future but time-consuming:
    Wipe your HD. Reinstall Windows. Make sure to immediately update to SP2 and every other security patch. (Better download with a clean comp and install from disc.) Download CFP, avast! and other security software you like with a clean and secured computer, put on a disc or stick and install from there.

  2. Clean your comp from the baddies (if that can be achieved), do as grayhair suggested and maybe also try HijackThis, which is a great programme.
    You can download it here:
    You can automatically analyse your logfiles here:
    You can learn how to analyse your own logfiles here:
    You can post your logfile in their support forums: (I can recommend:
    You post your logfile here and wait for one of the gurus - not me :wink: - to help you identify potential baddies.

Hope you’ll succeed and do not hesitate to ask any questions about CFP (should you install it - and you should ;D ). People here are always happy to help.
Hope this helps.

Hi Anderveald :slight_smile:

IMPORTANT : You must NOT, I repeat NOT install SP2 on a pc that is infected with malware. ONLY install SP2 AFTER your pc is completely cleaned.

And follow Grampa’s advice ( hi old buddy :slight_smile: ) and post a HijackThis log :slight_smile:

Greetz, Red.

Sorry, off-topic:
Hey Red,
I’ve had so much work to do that I can hardly come here and write something. No time at all. Will hopefully change soon. Maybe next month there’ll be a big change - job wise. Maybe it’ll be another 6 months. But then I’ll be back here and spam the forums like only Ganda can do :wink: (sorry mate).
Red, I’m glad you still remember me - I sure remember you.
Hope to be able to post more soon and once again become part of the great “Comodo family” :-*

(Sorry, that there’s nothing on-topic in this post. I promise this won’t happen again. 88)

Hi again!

I will take your advice and make a log from HijackThis. I will try to check them myself, but also post a copy here for you experts to go through, if you have the time.

And, thanks for all help! Simply invaluable.

So, now I’ve made a log with hijack this. According to the analyzer Grampa linked to, I think most looks good. I highlight the ones I’m unsure of.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:22:46, on 2008-04-14
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program\Avast 4\aswUpdSv.exe
C:\Program\Avast 4\ashServ.exe
C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program\Delade filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program\Avast 4\ashWebSv.exe
C:\Program\Avast 4\ashMaiSv.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Windows Media Player\wmplayer.exe
C:\Program\Mozilla Firefox\firefox.exe
D:\Nerladdat\Hijack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKLM..\Run: [avast!] C:\Program\AVAST4~1\ashDisp.exe
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [TotalRecorderScheduler] “C:\Program\TotalRecorder\TotRecSched.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [BOC-425] C:\Program\Comodo\CBOClean\BOC425.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [StartCCC] C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe”
O4 - HKCU..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [xrt_Shell] C:\Documents and Settings\ArT\xrt_atkh.exe
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program\Avast 4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Avast 4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program\Avast 4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program\Avast 4\ashWebSv.exe
O23 - Service: BOCore - COMODO - C:\Program\Comodo\CBOClean\BOCORE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe

End of file - 4474 bytes

I don’t want to scare you - don’t be, I’m far from being an expert. I’ve just googled around a little bit - SO THESE INFORMATION MIGHT BE WRONG !!!
What I found:

O4 - HKCU..\Run: [xrt_Shell] C:\Documents and Settings\ArT\xrt_atkh.exe
Field Value
Name xrt_Shell
Command xrt_*.exe
Status X
Description Added by the Troj/Gozi-Gen TROJAN! Note: Located in %userprofile%\ Note: The * in the filename represents some random characters.
Viewed 391 times since 23 May 2005, 1825 Hours UTC-4.
“Y” - Normally leave to run at start-up
“N” - Not required - typically infrequently used tasks that can be started manually if necessary
“U” - User’s choice - depends whether a user deems it necessary
“X” - Definitely not required - typically viruses, spyware, adware and “resource hogs”
“?” - Unknown

[b] R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =[/b]
What to do:
If you recognize the URL at the end as your homepage or search engine, it’s OK. If you don’t, check it and have HijackThis fix it.

F3 - REG:win.ini: load=
F3 - REG:win.ini: run=

Sorry, I cannot comment on them. Looks ok though.

The rest of your files also look o.k.

What you should do:
Upload “xrt_atkh.exe” at Jotti and virustotal:

Hope this helps.

F3 - REG:win.ini: load=
F3 - REG:win.ini: run=

With regards to these two open Hijack This and do a scan only.You can place a check mark next to these to fix,no probs

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

As for this one well, :o If your an Arsenal Fan like Melih its ok.


Topic Locked.

Reason: Out-Dated post.