Avast WEBforum

Other => Viruses and worms => Topic started by: *peter79* on June 08, 2008, 06:33:39 AM

Title: Win32:Trojan-gen {other} detected By Avast Free
Post by: *peter79* on June 08, 2008, 06:33:39 AM
Win32:Trojan-gen {Other} has just been detected in 5 files on my system by Avast Free. The 5 files have now been moved into the Avast Virus Chest. Is my system clean again now since the infected files have been moved into the Virus Chest?

By the way, CCleaner doesn't detect them and I haven't scanned with any other tools yet.

Thanks - Peter

Some system details, in case you need them:
Dell Inspiron 6000
Windows XP
A/V: Avast 4.8 Free
Firewall: Comodo Pro Free
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: DavidR on June 08, 2008, 04:23:05 PM
What are the infected file names, and where were they found, e.g. (C:\windows\system32\infected-file-name.xxx)?

Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

Leave them in the chest where they can do no harm whilst investigating.

Are these files for programs that have been on your system for some time ?
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: Lisandro on June 08, 2008, 04:39:43 PM
Quote from: peter79
By the way, CCleaner doesn't detect them

Why would it detect them? Are they temporary files to be cleaned? CCleaner is just a junk file remover, not an antivirus.

Quote from: peter79
and I haven't scanned with any other tools yet.

Why don't you try SUPERantispyware (http://www.superantispyware.com), MBAM (http://malwarebytes.org/mbam.php) or Spyware Terminator (http://www.spywareterminator.com/) to scan for spyware and trojans? If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: *peter79* on June 08, 2008, 06:00:09 PM
Hello guys, thanks very much for your replies:

The files in the Virus Chest are listed differently under 2 tabs (any idea why?):

In the Infected Files tab, the files/locations listed are:
1. Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Peter\Local Settings\Temp\VEe11.tmp" file.
2. Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe" file.
3. Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\VideoEgg\updater.exe" file.
4. Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{EA12BF49-370A-4FDD-B73B-85EB3E328EC9}\RP30\A0007683.exe" file.
5. Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{EA12BF49-370A-4FDD-B73B-85EB3E328EC9}\RP30\A0007684.exe" file. 

While in the System Files tab, the files/locations listed are:
1. Name: kernel32.dll. Original location: C:/Windows/system32
2. Name: kernel32.dll. Original location: C:/Windows/system32
3. Name: winsock.dll. Original location: C:/Windows/system32
4. Name: wsock.dll. Original location: C:/Windows/system32
5. Name: wsock.dll. Original location: C:/Windows/system32

I deleted the files in the Infected Files tab...I hope this was the right thing to do. Should I just delete the files in the System Files tab too? Will the affected programs still work ok now?

I just reinstalled my Windows O/S last week so all the programs have only been on my system for a few days.

I will go ahead and install MBAM now and scan again.

Any other advice guys? Thanks for your help.
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: DavidR on June 08, 2008, 06:54:19 PM
First:
If you use the forum search for jusched.exe you will find a similar issue: an out of date JAVA version where the jusched.exe update process is detected. Whilst this might be a false positive, it indicates you have an old version of JAVA installed, which could leave your system vulnerable.

Ensure you have the latest version of JRE (JAVA Runtime Environment) because older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.
Then get the latest update from here http://java.sun.com/javase/downloads/index.jsp
Or JRE version 6 update 6 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html

Second:
There is no rush to delete anything from the chest (so you should have left them alone or first sought advice); it is a protected area where they can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

Third:
The System Files section of the chest contains back-up copies of important system files, leave them alone. Where there is more than one copy of a file it is because there are different versions, e.g. after say windows update it might change the existing file, so another copy is taken.

Finally:
Of the files listed, I believe items 1, 4 & 5 appear to be good detections and also wouldn't have any real impact from being moved/deleted. However, items 2 & 3 would need further investigation, but that is out of the window as you no longer have the files. Item 2 I have covered in the 'First:' section and I feel that item 2 might also have been a false positive detection.

As I said in my first reply: "Leave them in the chest where they can do no harm whilst investigating." Now you know why it isn't wise to act in haste.
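The triage DavidR applies above (temp files and restore-point copies can stay in the chest with no impact; executables under Program Files need investigating before anything is deleted) can be scripted against the detection lines avast writes to the Log Viewer. The following is an added example for this thread, not avast's code and not something either poster wrote; the line format and the five paths come from the thread, and the location classes and recommendations are this example's own mapping of DavidR's reasoning.

```python
import re
from dataclasses import dataclass

# avast 4.8 writes one line per detection to the Log Viewer and to the
# chest's "Infected Files" tab in the format quoted earlier in this thread.
LINE_RE = re.compile(
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.'
)

# Constructed sample: the five detections reported in this thread.
SAMPLE_LOG = r'''
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Peter\Local Settings\Temp\VEe11.tmp" file.
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe" file.
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\VideoEgg\updater.exe" file.
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{EA12BF49-370A-4FDD-B73B-85EB3E328EC9}\RP30\A0007683.exe" file.
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{EA12BF49-370A-4FDD-B73B-85EB3E328EC9}\RP30\A0007684.exe" file.
'''


@dataclass
class Triage:
    signature: str
    path: str
    category: str  # where on disk the file lived
    advice: str    # what a cautious user should do with the chest copy


def classify_path(path: str) -> tuple:
    """Map a detection path to a location class and a recommendation.

    Order matters: restore-point copies live under System Volume Information,
    temp files under Local Settings\Temp, and only then do we look at
    Program Files (installed software, possible false positive on an updater).
    """
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return ("restore-point copy", "leave in chest; no running program depends on it")
    if "\\local settings\\temp\\" in p or p.endswith(".tmp"):
        return ("temporary file", "leave in chest; safe to lose")
    if p.startswith("c:\\program files\\"):
        return ("installed program file", "keep in chest and investigate before deleting")
    if p.startswith("c:\\windows\\"):
        return ("windows system file", "keep in chest; get a second opinion before touching")
    return ("other", "keep in chest pending investigation")


def triage(log_text: str) -> list:
    """Parse every detection line and attach a location class and advice."""
    rows = []
    for m in LINE_RE.finditer(log_text):
        category, advice = classify_path(m.group("path"))
        rows.append(Triage(m.group("sig"), m.group("path"), category, advice))
    return rows


def needs_investigation(log_text: str) -> list:
    """Detections that belong to installed software or Windows itself."""
    return [r for r in triage(log_text)
            if r.category in ("installed program file", "windows system file")]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f"{row.category:24} {row.path}\n    -> {row.advice}")
```

Run against the sample, the two Program Files executables (jucheck.exe and updater.exe) are the only rows flagged for investigation, which is exactly the pair DavidR says should have stayed in the chest.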
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: *peter79* on June 08, 2008, 08:22:32 PM
David,

Thanks again for your reply  :)

I am running JDK6 update 5, so have just installed update 6 now.

I agree, I should have waited before deleting those files...hopefully it won't have any serious impact on their associated programs.

MBAM found and removed 570 infected files. If it will help, I can post the log file here.

Also, I scanned the system files in the Virus Chest and the result says "no virus". What action should I take with these files now? Move them back into the Windows/System32 folder?

Thanks!
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: Lisandro on June 08, 2008, 08:59:06 PM
Quote from: peter79
MBAM found and removed 570 infected files.

Wow... quite a few. I suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use SUPERantispyware (http://www.superantispyware.com), MBAM (http://malwarebytes.org/mbam.php) (again) or Spyware Terminator (http://www.spywareterminator.com/) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
6. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or, better, submit the RunScanner (http://www.runscanner.net/) log to on-line analysis.
7. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html).
8. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).

Quote from: peter79
Also, I scanned the system files in the Virus Chest and the result says "no virus". What action should I take with these files now? Move them back into the Windows/System32 folder?

No, they're there for backup purposes. You can keep them there if your own files (in the System32 folder) are clean.
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: DavidR on June 08, 2008, 09:28:42 PM
Quote from: peter79
I am running JDK6 update 5, so have just installed update 6 now.
<snip>
MBAM found and removed 570 infected files. If it will help, I can post the log file here.

Also, I scanned the system files in the Virus Chest and the result says "no virus". What action should I take with these files now? Move them back into the Windows/System32 folder?

As I said in my reply, leave well alone:
Quote from: DavidR
Third:
The System Files section of the chest contains back-up copies of important system files, leave them alone. Where there is more than one copy of a file it is because there are different versions, e.g. after say windows update it might change the existing file, so another copy is taken.

You can post the MBAM log if you wish, though I'm unfamiliar with its use. The figure of 570 infected files seems excessively high; if these were truly infected files I would have expected your system to have ground to a halt.

I would also have expected comodo firewall to have been having a whinge about outbound connection attempts, etc.

So perhaps your log might reveal the true facts.

Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: *peter79* on June 09, 2008, 05:48:12 AM
Thanks again for your replies guys.

The recommended scans will take some time, so in the meantime I have attached the MBAM log (it's too big to paste directly here - exceeds the character limit). All the infected files that MBAM found are associated with Adware.VideoEgg, which is related to virus number 3 that was originally detected by Avast:
"3. Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\VideoEgg\updater.exe" file."

Will post back later with the results of the other scans.

Quote from: Lisandro
6. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or, better, submit the RunScanner (http://www.runscanner.net/) log to on-line analysis.

- should I post the hijackthis or runscanner logs on another forum then?

Thanks for your help.
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: *peter79* on June 09, 2008, 10:04:57 AM
Also guys, how do I run the avast! antirootkit? I tried Trend Micro RootkitBuster but I get an error saying "Unable to initialize API. Verify you are logged on as an admin and try again". Strange, coz my user account is set to admin level.  ???
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: DavidR on June 09, 2008, 01:48:06 PM
The avast anti-rootkit module is an integral part, not stand-alone; it runs 8 minutes after boot, so it will have run. It also runs as part of the Standard and Thorough on-demand scans. So without knowing it you will have already used it.

The link Tech gave is for the beta version of the avast stand-alone anti-rootkit, which hasn't been released as a regular version; you would have to first download it and just run it.

I had a quick look at your log and it is basically saying everything to do with videoegg is adware.videoegg. Adware is a lesser issue and within that there are degrees of seriousness; some just gather data and report on your browsing habits to marketing companies. So I suggest you do a google search on videoegg and see what is returned relating to its classification as adware.

http://www.google.co.uk/search?q=videoegg+adware
This search shows it is an Ad Network, so it is most likely gathering marketing data from your browsing habits and that is possibly why it is classed as adware.

Other than those videoegg related detections, there is only one other:
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Which has been dealt with, so I don't believe you have anything else to worry too much about.
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: *peter79* on June 09, 2008, 07:31:26 PM
Thanks again for your previous replies. I have carried out all the latest scans and here are the results:

- Avast boot time scan with archive scanning: nothing detected
- MBAM: nothing detected
- Avast Antirootkit: 4897 hidden items found (possibly harmless). I would attach the log but it exceeds the file size limit. All items are Registry items formatted as follows: [HKEY_LOCAL_MACHINE\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy[POLICY NUMBER IS HERE]]. These are all Comodo Firewall records, and most of them seem to be recording whether I have allowed or blocked a registry edit.
- Secunia Software Inspector: scanned and updated necessary files, but the following still show as old versions:
Sun Java JRE: Secunia says I should uninstall the older versions, even though I only have the latest version installed (v6.0.60.2).
Macromedia Flash Player: Again it says I should uninstall the older versions, even though I only have the latest version of Adobe Flash Player installed (v9.0.124.0)
- HijackThis log: please see attached log

Q1) 4897 hidden items found by Avast Antirootkit: are these a security threat? 
Q2) Secunia Software Inspector: any need to carry out further action on Sun Java JRE or Macromedia Flash Player?
Q3) HijackThis log: I haven't gone through HijackThis logs before, so could you please help me to check it?
Q4) Anything else I need to do to ensure my system is free of all nasties?

Thanks very much for your help! Really appreciate your time and assistance. 
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: DavidR on June 09, 2008, 08:48:59 PM
Re avast anti-rootkit results - I don't use comodo so I have little knowledge of its HIPS function, whether a) that would be hidden and b) why the number seems excessive.

Also is this with the beta build of the standalone version ?
The reason I ask is this: the same hidden items, I would have thought, would have been reported in the normal rootkit scan integrated into avast on boot.

If Secunia says you have an old version, I would say it is pretty certain you have it somewhere; expand the notification (the plus sign) and it should give the location it is in. Your HJT log shows you have that (C:\Program Files\Java\jre1.6.0_06) but doesn't show an older version, so you need to check the location given by Secunia and also check Add/Remove Programs.

Do you know what this is? I don't.
C:\ruby\bin\ruby.exe

Other than that I don't see anything obvious in your HJT log.


Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: *peter79* on June 09, 2008, 09:02:49 PM
David,

The avast anti-rootkit results are from the beta standalone version. You mentioned that the anti-rootkit also runs automatically within avast 4.8, so I wonder why the beta version is picking up all these hidden files while the main avast scan isn't. Would you recommend I take any other action for this?

I will run Secunia again and see if I can root out those old Java versions so.

C:\ruby\bin\ruby.exe is used for the Ruby programming language - it's safe.

Thanks so much for your help.


Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: DavidR on June 09, 2008, 09:24:28 PM
I guess that could be down to it being beta (but comodo may have a hand in the cookie jar, so to speak, for it to find HIPS stuff). You can check C:\Program Files\Alwil Software\Avast4\DATA\log\aswAr.log using Notepad and you will see the results of the log from the scan done 8 minutes after boot. At the bottom of the log is the scan summary.

Quote from: Mine
Scan finished: 09 June 2008 12:21
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0
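The summary block above is easy to check by hand once, but the interesting case in this thread is the standalone scan that reports thousands of hidden registry items, all under Comodo's HIPS policy storage. The example below is added here and is not avast's code nor anything DavidR or peter79 posted: it parses the summary lines in the format quoted above, lists the hidden registry keys, and separates keys under a known security product's prefix from keys that still need a look. The "Hidden registry item:" prefix on the per-item lines and the sample keys are constructed assumptions for this example; only the summary format and the Comodo key shape come from the thread.

```python
import re

# Summary lines at the end of aswAr.log, in the form quoted in the thread.
SUMMARY_RE = re.compile(r"^Hidden (?P<kind>[a-z ]+?) found: (?P<count>\d+)\s*$", re.M)

# Per-item lines. The thread shows hidden registry items written as
# "[HKEY_LOCAL_MACHINE\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy[N]]";
# the "Hidden registry item:" prefix is an assumption made for this example.
# The greedy .+ keeps the inner "[N]" brackets intact.
ITEM_RE = re.compile(r"^Hidden registry item: \[(?P<key>.+)\]\s*$", re.M)

# Registry prefixes that a known security product on this machine (Comodo
# HIPS policy storage, per the thread) legitimately keeps out of normal view.
EXPECTED_PREFIXES = (
    "HKEY_LOCAL_MACHINE\\Software\\Comodo\\Firewall Pro\\Configurations\\",
)

# Constructed sample: two Comodo HIPS policy keys and one hidden key under an
# autostart location that no known product accounts for (hypothetical name).
SAMPLE_LOG = """\
Hidden registry item: [HKEY_LOCAL_MACHINE\\Software\\Comodo\\Firewall Pro\\Configurations\\0\\HIPS\\Policy[17]]
Hidden registry item: [HKEY_LOCAL_MACHINE\\Software\\Comodo\\Firewall Pro\\Configurations\\0\\HIPS\\Policy[18]]
Hidden registry item: [HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\example-unknown]
Scan finished: 10 June 2008 02:00:58
Hidden files found: 0
Hidden registry items found: 3
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0
"""

# Constructed sample of a clean run, as in the integrated scan's output.
CLEAN_LOG = """\
Scan finished: 10 June 2008 10:48:01
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0
"""


def parse_summary(log_text: str) -> dict:
    """Return {"files": 0, "registry items": 3, ...} from the summary block."""
    return {m.group("kind"): int(m.group("count")) for m in SUMMARY_RE.finditer(log_text)}


def classify_hidden_keys(log_text: str, expected_prefixes=EXPECTED_PREFIXES) -> dict:
    """Split hidden registry keys into ones a known product explains and the rest."""
    prefixes = tuple(p.lower() for p in expected_prefixes)
    expected, review = [], []
    for m in ITEM_RE.finditer(log_text):
        key = m.group("key")
        (expected if key.lower().startswith(prefixes) else review).append(key)
    return {"expected": expected, "review": review}


def assess(log_text: str, expected_prefixes=EXPECTED_PREFIXES) -> str:
    """One-line verdict: clean, expected-only, or something to review."""
    summary = parse_summary(log_text)
    keys = classify_hidden_keys(log_text, expected_prefixes)
    listed = len(keys["expected"]) + len(keys["review"])
    if summary.get("registry items", 0) != listed:
        return "inconsistent: summary count does not match listed registry items"
    if any(count for kind, count in summary.items() if kind != "registry items"):
        return "review: hidden files, processes, services or boot sectors reported"
    if keys["review"]:
        return "review: hidden registry keys outside known security products"
    if keys["expected"]:
        return "expected: hidden registry keys belong to a known security product only"
    return "clean"


if __name__ == "__main__":
    print(assess(CLEAN_LOG))
    print(assess(SAMPLE_LOG))
    for key in classify_hidden_keys(SAMPLE_LOG)["review"]:
        print("  review:", key)
```

The allow-list is deliberately a prefix match on a product you have chosen to trust, so a hidden key under Run or Services still surfaces even when thousands of HIPS policy keys drown the list; any hidden files, processes or services short-circuit straight to "review" regardless of the registry allow-list.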
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: *peter79* on June 10, 2008, 04:49:09 AM
Hi David,

Here is the overview result from avast 4.8: 

Quote from: Mine
Scan finished: 10 June 2008 10:48:01
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0

It also lists more detailed data, which I have attached.

And here is the overview result from the standalone module:

Quote from: Mine
Scan finished: 10 June 2008 02:00:58
Hidden files found: 0
Hidden registry items found: 4897
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0

Just those hidden files showing up...so many of them!

And Secunia is still picking up those old versions of Java JRE and Macromedia Flash:

Quote from: Mine
Sun Java JRE 1.5.x / 5.x   5.0.110.3   
Sun Java JRE 1.6.x / 6.x   6.0.0.105   
Sun Java JRE 1.6.x / 6.x   6.0.20.6   
Sun Java JRE 1.6.x / 6.x   6.0.0.105   
Sun Java JRE 1.6.x / 6.x   6.0.60.2 [THIS IS NEWEST VERSION]
Sun Java JRE 1.6.x / 6.x   6.0.60.2 [THIS IS NEWEST VERSION]
Sun Java JRE 1.6.x / 6.x   6.0.60.2 [THIS IS NEWEST VERSION]
Sun Java JRE 1.6.x / 6.x   6.0.10.6   
Sun Java JRE 1.6.x / 6.x   6.0.30.5   
Sun Java JRE 1.6.x / 6.x   6.0.0.105   
Sun Java JRE 1.6.x / 6.x   6.0.60.2   
Adobe Flash Player 9.x   9.0.124.0 [THIS IS NEWEST VERSION]
Adobe Flash Player 9.x   9.0.124.0 [THIS IS NEWEST VERSION]
Adobe Flash Player 9.x   9.0.124.0 [THIS IS NEWEST VERSION]
Macromedia Flash Player 6.x   6.0.79.0   
Macromedia Flash Player 6.x   6.0.68.0   
Macromedia Flash Player 6.x   6.0.68.0   
Macromedia Flash Player 6.x   6.0.68.0   
Macromedia Flash Player 7.x   7.0.0.264   

Don't know why it's showing the new versions three times.

While in Control Panel/Add or Remove Programs, the only Java and Flash Player components showing are:
Quote from: Mine
Java DB 10.3.1.4
Java 6 Update 6
Java SE Development Kit 6
Java SE Development Kit 6 Update 6
Java SE Runtime Environment
Adobe Flash Player ActiveX
Adobe Flash Player Plugin 


I also checked in C:\Program Files\Java, and there are folders for the previous versions of Java JRE 1.5.x and 1.6.x, but that's probably quite normal.
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: DavidR on June 10, 2008, 01:46:25 PM
1. The high number of hidden registry entries is beyond me, as most of them are for comodo (I think that was in your previous post); why this should be I don't know, but I don't use comodo so have no practical experience of it. However, you can take some comfort in the fact that they are only reported as hidden and belong to a security based application and aren't reported as rootkits.

2. Secunia seems rightly to be reporting old versions of JAVA, as you have shown they exist on your system.

It isn't quite normal; uninstalling old versions should clear the old folders as well, so check Add/Remove Programs and see if there are references to the old versions and uninstall them if present. If you can find no Add/Remove entries for old java versions, delete the old folders manually.

3. The multiple entries relate to a) different locations (expand the plus sign) b) there are different entries for the different browsers, so it is entirely possible to have two or more entries, you need to check the locations and see why.

4. I somehow doubt that you're a JAVA Developer, so you don't need the developer versions?
Java SE Development Kit 6
Java SE Development Kit 6 Update 6
The Java DB 10.3.1.4 relates to java database so I don't know if this is something that you use either ?

The only JAVA entry I have in my Add/Remove Programs is:
Java 6 Update 6

I have both of the Flash entries.
Adobe Flash Player ActiveX
Adobe Flash Player Plugin 
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: *peter79* on June 11, 2008, 04:05:15 AM
Thanks again for your reply.

Quote from: DavidR
1. The high number of hidden registry entries is beyond me, as most of them are for comodo (I think that was in your previous post); why this should be I don't know, but I don't use comodo so have no practical experience of it. However, you can take some comfort in the fact that they are only reported as hidden and belong to a security based application and aren't reported as rootkits.

I agree, the Comodo files detected by Avast Anti-Rootkit are probably not a serious issue. Nevertheless, I'll do some more checking on this just to be sure.

Quote from: DavidR
2. Secunia seems rightly to be reporting old versions of JAVA, as you have shown they exist on your system.

It isn't quite normal; uninstalling old versions should clear the old folders as well, so check Add/Remove Programs and see if there are references to the old versions and uninstall them if present. If you can find no Add/Remove entries for old java versions, delete the old folders manually.

I had already uninstalled the old versions of Java before running Secunia. The problem is that even when you uninstall these versions, Java does not remove the old version files & folders from C:\Program Files\Java (these are the files I showed in my previous post).

I found a useful tool called JavaRa for removing these old Java version files & folders (http://www.softpedia.com/get/System/System-Miscellaneous/JavaRa.shtml).

JavaRa has successfully removed all 1.5.x files and most 1.6.x files, but Secunia is still picking up old versions of 1.6.x at:
C:\Program Files\Java\jdk1.6.0\jre\bin\java.exe
C:\Program Files\Java\jdk1.6.0\bin\java.exe

It's also picking up the following old Macromedia Flash 6.x and 7.x files, even though I only have the newest version of Adobe Flash installed.
C:\Program Files\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\Flash.ocx
C:\Documents and Settings\Peter\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\Flash.ocx
C:\Program Files\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\NPSWF32.dll
C:\Program Files\Macromedia\Dreamweaver MX 2004\Configuration\Plugins\NPSWF32.dll

I will go through these myself anyway and see what the problem is.

Quote from: DavidR
3. The multiple entries relate to a) different locations (expand the plus sign) b) there are different entries for the different browsers, so it is entirely possible to have two or more entries, you need to check the locations and see why.

Yes, I checked and the multiple entries do refer to files in different locations, as shown above.

Quote from: DavidR
4. I somehow doubt that you're a JAVA Developer, so you don't need the developer versions?
Java SE Development Kit 6
Java SE Development Kit 6 Update 6
The Java DB 10.3.1.4 relates to java database so I don't know if this is something that you use either ?

The only JAVA entry I have in my Add/Remove Programs is:
Java 6 Update 6

I have both of the Flash entries.
Adobe Flash Player ActiveX
Adobe Flash Player Plugin 

You somehow doubted correctly David, I'm not a Java developer. How could you tell? I actually develop using other programming languages and I need the Java Development Kit installed to run these other development tools.
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: DavidR on June 11, 2008, 01:19:47 PM
Quote from: peter79
JavaRa has successfully removed all 1.5.x files and most 1.6.x files, but Secunia is still picking up old versions of 1.6.x at:
C:\Program Files\Java\jdk1.6.0\jre\bin\java.exe
C:\Program Files\Java\jdk1.6.0\bin\java.exe

If they are reported as being there you may need to manually remove those folders/files.

It looks like DreamWeaver 2004 comes with its own version of the flash player; since the program dates from 2004, the version that is bundled with it is out of date and would account for the Secunia detection. I don't know if there is an easy way to update only the flash player element within the program without updating the program, e.g. without purchasing a program upgrade.

I don't know if it would be possible to copy current flash player copies of these files replacing the old DW copies (save a copy of the old ones just in case) without causing any integrity issues, perhaps something for the DW forums.

Quote from: peter79
You somehow doubted correctly David, I'm not a Java developer. How could you tell?

My guess was based on the idea that if you were a JAVA developer you would probably have a legitimate reason for keeping old versions of JAVA and would have mentioned it earlier. But you obviously have a need for the JAVA Developer tools for the other applications, just one more thing to keep up to date ;D
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: *peter79* on June 11, 2008, 02:46:44 PM
Hi David, having searched the web, there are many people out there having the same problems...old Java and Flash Player files staying on the system after uninstalling. Adobe provides 2 ways of removing the old files:
http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_12727

- One is an automatic uninstaller application, which does not remove any of the old files for me when I run it.
- The other is a manual install, which gives me the following error when I type the command into Start > Run: "LoadLibrary("C:/Program") failed - The specified module could not be found."

Best thing, so, might be to just manually delete these files. Perhaps even delete the whole jdk1.6.0 folder at C:\Program Files\Java\jdk1.6.0, and the DreamWeaver 2004 folders at C:\Program Files\Macromedia\Dreamweaver MX 2004 and
C:\Documents and Settings\Peter\Application Data\Macromedia\Dreamweaver MX 2004.

Thanks for your help.
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: DavidR on June 11, 2008, 04:30:59 PM
You're welcome.
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: *peter79* on June 11, 2008, 05:07:59 PM
Really appreciate the time you spent helping me with this. I just moved over from AVG to Avast last week and it's really great to know there's such a good user support forum in place with lots of useful help. Thank you  :)
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: DavidR on June 11, 2008, 05:39:36 PM
The avast forums are very good for support, avast users helping other avast users, with a reasonable amount of input from the actual developers of avast, a real breath of fresh air. One of the things often forgotten when choosing software, what is the support like ;D
Title: Re: Win32:Trojan-gen {other} detected By Avast Free
Post by: *peter79* on June 12, 2008, 05:53:33 AM
Yep, and a good support forum is even more important when it comes to beating those nasty little viruses  ;D  Thanks!