Author Topic: Win32:Trojan-gen {other} detected By Avast Free  (Read 25237 times)


*peter79*

  • Guest
Win32:Trojan-gen {other} detected By Avast Free
« on: June 08, 2008, 06:33:39 AM »
Win32:Trojan-gen {Other} has just been detected in 5 files on my system by Avast Free. The 5 files have now been moved into the Avast Virus Chest. Is my system clean again now since the infected files have been moved into the Virus Chest?

By the way, CCleaner doesn't detect them and I haven't scanned with any other tools yet.

Thanks - Peter

Some system details, in case you need them:
Dell Inspiron 6000
Windows XP
A/V: Avast 4.8 Free
Firewall: Comodo Pro Free

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89064
  • No support PMs thanks
Re: Win32:Trojan-gen {other} detected By Avast Free
« Reply #1 on: June 08, 2008, 04:23:05 PM »
What are the infected file names, and where were they found, e.g. (C:\windows\system32\infected-file-name.xxx)?

Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

Leave them in the chest where they can do no harm whilst investigating.

Are these files for programs that have been on your system for some time?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Trojan-gen {other} detected By Avast Free
« Reply #2 on: June 08, 2008, 04:39:43 PM »
By the way, CCleaner doesn't detect them
Why would it detect them? Are they temporary files to be cleaned? CCleaner is just a junk file remover, not an antivirus.

and I haven't scanned with any other tools yet.
Why don't you try SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans? If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
The best things in life are free.

*peter79*

Re: Win32:Trojan-gen {other} detected By Avast Free
« Reply #3 on: June 08, 2008, 06:00:09 PM »
Hello guys, thanks very much for your replies:

The files in the Virus Chest are listed differently under 2 tabs (any idea why?):

In the Infected Files tab, the files/locations listed are:
1. Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Peter\Local Settings\Temp\VEe11.tmp" file.
2. Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe" file.
3. Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\VideoEgg\updater.exe" file.
4. Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{EA12BF49-370A-4FDD-B73B-85EB3E328EC9}\RP30\A0007683.exe" file.
5. Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{EA12BF49-370A-4FDD-B73B-85EB3E328EC9}\RP30\A0007684.exe" file. 

While in the System Files tab, the files/locations listed are:
1. Name: kernel32.dll. Original location: C:/Windows/system32
2. Name: kernel32.dll. Original location: C:/Windows/system32
3. Name: winsock.dll. Original location: C:/Windows/system32
4. Name: wsock.dll. Original location: C:/Windows/system32
5. Name: wsock.dll. Original location: C:/Windows/system32

I deleted the files in the Infected Files tab...I hope this was the right thing to do. Should I just delete the files in the System Files tab too? Will the affected programs still work ok now?

I just reinstalled my Windows O/S last week so all the programs have only been on my system for a few days.

I will go ahead and install MBAM now and scan again.

Any other advice guys? Thanks for your help.
« Last Edit: June 08, 2008, 06:27:28 PM by *peter79* »

Offline DavidR

Re: Win32:Trojan-gen {other} detected By Avast Free
« Reply #4 on: June 08, 2008, 06:54:19 PM »
First:
If you use the forum search for jusched.exe you will find a similar issue: an out-of-date JAVA version where the jusched.exe update process is detected. Whilst this might be a false positive, it indicates you have an old version of JAVA installed, which could leave your system vulnerable.

Ensure you have the latest version of the JRE (JAVA Runtime Environment), because older versions can be vulnerable to malware. First remove all older versions from Add/Remove Programs.
Then get the latest update from here http://java.sun.com/javase/downloads/index.jsp
Or JRE version 6 update 6 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html

Second:
There is no rush to delete anything from the chest, a protected area where it can do no harm (so you should have left them alone or first sought advice). Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

Third:
The System Files section of the chest contains back-up copies of important system files; leave them alone. Where there is more than one copy of a file it is because there are different versions, e.g. after, say, a Windows update it might change the existing file, so another copy is taken.

Finally:
Of the files listed, I believe items 1, 4 & 5 appear to be good detections and also wouldn't have any real impact from being moved/deleted. However, items 2 & 3 would need further investigation, but that is out of the window as you no longer have the files. Item 2 I have covered in the 'First:' section and I feel that item 2 might also have been a false positive detection.

As I said in my first reply: "Leave them in the chest where they can do no harm whilst investigating." Now you know why it isn't wise to act in haste.
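A small triage helper, added here as an example (not code from the thread or from avast), that applies the split DavidR makes above: detections in temp folders and System Restore snapshots are low-impact, while anything under Program Files must be identified before it leaves the chest. The sample lines are constructed from the paths quoted earlier in the thread; the classification rules and the reading of a "-gen" name as a generic signature are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample input in the format of the avast chest "Infected Files" tab
# quoted in the thread (paths taken from the thread).
CHEST_LINES = r'''
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Peter\Local Settings\Temp\VEe11.tmp" file.
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe" file.
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\VideoEgg\updater.exe" file.
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{EA12BF49-370A-4FDD-B73B-85EB3E328EC9}\RP30\A0007683.exe" file.
'''

LINE_RE = re.compile(r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.')

def classify_path(path: str) -> str:
    """Map a detection path to a triage class based on where the file lives (assumed rules)."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point copy"   # stale System Restore snapshot; nothing depends on it
    if "\\temp\\" in p:
        return "temp file"            # scratch file; no installed program depends on it
    if p.startswith("c:\\program files\\"):
        return "installed program"    # part of a live install; identify the vendor first
    return "unknown"

LOW_IMPACT = {"restore-point copy", "temp file"}

def triage(text: str) -> List[Dict[str, object]]:
    """Parse chest lines and attach a triage class and recommended handling."""
    results = []
    for m in LINE_RE.finditer(text):
        sig, path = m.group("sig"), m.group("path")
        kind = classify_path(path)
        generic = "-gen" in sig.lower()   # "-gen" names are generic/heuristic signatures (assumption)
        if kind in LOW_IMPACT:
            action = "leave in chest; safe to delete after a later re-scan"
        elif generic:
            action = "leave in chest; false-positive candidate, confirm file origin first"
        else:
            action = "leave in chest; investigate"
        results.append({"signature": sig, "path": path, "kind": kind,
                        "generic": generic, "action": action})
    return results

def needs_investigation(text: str) -> List[str]:
    """Paths that must not be deleted until their origin is confirmed."""
    return [r["path"] for r in triage(text) if r["kind"] not in LOW_IMPACT]

if __name__ == "__main__":
    for r in triage(CHEST_LINES):
        print(f'{r["kind"]:>20}  {r["path"]}\n{"":>22}-> {r["action"]}')
```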

*peter79*

Re: Win32:Trojan-gen {other} detected By Avast Free
« Reply #5 on: June 08, 2008, 08:22:32 PM »
David,

Thanks again for your reply  :)

I am running JDK6 update 5, so have just installed update 6 now.

I agree, I should have waited before deleting those files...hopefully it won't have any serious impact on their associated programs.

MBAM found and removed 570 infected files. If it will help, I can post the log file here.

Also, I scanned the system files in the Virus Chest and the result says "no virus". What action should I take with these files now? Move them back into the Windows/System32 folder?

Thanks!

Offline Lisandro

Re: Win32:Trojan-gen {other} detected By Avast Free
« Reply #6 on: June 08, 2008, 08:59:06 PM »
MBAM found and removed 570 infected files.
Wow... quite some. I suggest:

1. Disable System Restore and re-enable it after step 3.
2. Clean your temporary files.
3. Schedule a boot-time scan with avast with archive scanning turned on.
4. Use SUPERantispyware, MBAM (again) or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.

Also, I scanned the system files in the Virus Chest and the result says "no virus". What action should I take with these files now? Move them back into the Windows/System32 folder?
No, they're there for backup purposes. You can keep them there if your own files (into System32 folder) are clean.

Offline DavidR

Re: Win32:Trojan-gen {other} detected By Avast Free
« Reply #7 on: June 08, 2008, 09:28:42 PM »
I am running JDK6 update 5, so have just installed update 6 now.
<snip>
MBAM found and removed 570 infected files. If it will help, I can post the log file here.

Also, I scanned the system files in the Virus Chest and the result says "no virus". What action should I take with these files now? Move them back into the Windows/System32 folder?

As I said in my reply, leave well alone:
Quote from: DavidR
Third:
The System Files section of the chest contains back-up copies of important system files; leave them alone. Where there is more than one copy of a file it is because there are different versions, e.g. after, say, a Windows update it might change the existing file, so another copy is taken.

You can post the MBAM log if you wish, though I'm unfamiliar with its use. The figure of 570 infected files seems excessively high; if these were truly infected files I would have expected your system to have ground to a halt.

I would also have expected Comodo firewall to have been having a whinge about outbound connection attempts, etc.

So perhaps your log might reveal the true facts.


*peter79*

Re: Win32:Trojan-gen {other} detected By Avast Free
« Reply #8 on: June 09, 2008, 05:48:12 AM »
Thanks again for your replies guys.

The recommended scans will take some time, so in the meantime I have attached the MBAM log (it's too big to paste directly here; it exceeds the character limit). All the infected files that MBAM found are associated with Adware.VideoEgg, which is related to virus number 3 that was originally detected by Avast:
"3. Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\VideoEgg\updater.exe" file."

Will post back later with the results of the other scans.

6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.

- should I post the hijackthis or runscanner logs on another forum then?

Thanks for your help.

*peter79*

Re: Win32:Trojan-gen {other} detected By Avast Free
« Reply #9 on: June 09, 2008, 10:04:57 AM »
Also guys, how do I run the avast! antirootkit? I tried Trend Micro RootkitBuster but I get an error saying "Unable to initialize API. Verify you are logged on as an admin and try again". Strange, coz my user account is set to admin level.  ???

Offline DavidR

Re: Win32:Trojan-gen {other} detected By Avast Free
« Reply #10 on: June 09, 2008, 01:48:06 PM »
The avast anti-rootkit module is an integral part, not stand-alone; it runs 8 minutes after boot, so it will have run. It also runs as part of the Standard and Thorough on-demand scans. So without knowing it you will have already used it.

The link Tech gave is for the beta version of the avast stand-alone anti-rootkit, which hasn't been released as a regular version; you would have to first download it and just run it.

I had a quick look at your log and it is basically saying everything to do with videoegg is adware.videoegg. Adware is a lesser issue, and within that there are degrees of seriousness; some just gather data and report on your browsing habits to marketing companies. So I suggest you do a Google search on videoegg and see what is returned relating to its classification as adware.

http://www.google.co.uk/search?q=videoegg+adware
This search shows it is an Ad Network, so it is most likely gathering marketing data from your browsing habits and that is possibly why it is classed as adware.

Other than those videoegg related detections, there is only one other:
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Which has been dealt with, so I don't believe you have anything else to worry too much about.

*peter79*

Re: Win32:Trojan-gen {other} detected By Avast Free
« Reply #11 on: June 09, 2008, 07:31:26 PM »
Thanks again for your previous replies. I have carried out all the latest scans and here are the results:

- Avast boot time scan with archive scanning: nothing detected
- MBAM: nothing detected
- Avast Antirootkit: 4897 hidden items found (possibly harmless). I would attach the log but it exceeds the file size limit. All items are Registry items formatted as follows: [HKEY_LOCAL_MACHINE\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy[POLICY NUMBER IS HERE]]. These are all Comodo Firewall records, and most of them seem to be recording whether I have allowed or blocked a registry edit.
- Secunia Software Inspector: scanned and updated necessary files, but the following still show as old versions:
Sun Java JRE: Secunia says I should uninstall the older versions, even though I only have the latest version installed (v6.0.60.2).
Macromedia Flash Player: Again it says I should uninstall the older versions, even though I only have the latest version of Adobe Flash Player installed (v9.0.124.0).
- HijackThis log: please see attached log

Q1) 4897 hidden items found by Avast Antirootkit: are these a security threat? 
Q2) Secunia Software Inspector: any need to carry out further action on Sun Java JRE or Macromedia Flash Player?
Q3) HijackThis log: I haven't gone through HijackThis logs before, so could you please help me to check it?
Q4) Anything else I need to do to ensure my system is free of all nasties?

Thanks very much for your help! Really appreciate your time and assistance. 

Offline DavidR

Re: Win32:Trojan-gen {other} detected By Avast Free
« Reply #12 on: June 09, 2008, 08:48:59 PM »
Re avast anti-rootkit results: I don't use Comodo, so I have little knowledge of its HIPS function, whether that a) would be hidden and b) the number seems excessive.

Also, is this with the beta build of the standalone version?
The reason I ask is this: I would have thought the same hidden items would have been reported in the normal rootkit scan integrated into avast on boot.

If Secunia says you have an old version, I would say it is pretty certain you have it somewhere; expand the notification (the plus sign) and it should give the location it is in. Your HJT log shows you have that (C:\Program Files\Java\jre1.6.0_06) but doesn't show an older version, so you need to check the location given by Secunia and also check Add/Remove Programs.

Do you know what this is? I don't.
C:\ruby\bin\ruby.exe

Other than that I don't see anything obvious in your HJT log.



*peter79*

Re: Win32:Trojan-gen {other} detected By Avast Free
« Reply #13 on: June 09, 2008, 09:02:49 PM »
David,

The avast anti-rootkit results are from the beta standalone version. You mentioned that the anti-rootkit also runs automatically within avast 4.8, so I wonder why the beta version is picking up all these hidden files while the main avast scan isn't. Would you recommend I take any other action for this?

I will run Secunia again and see if I can root out those old Java versions so.

C:\ruby\bin\ruby.exe is used for the Ruby programming language; it's safe.

Thanks so much for your help.


« Last Edit: June 09, 2008, 09:04:35 PM by *peter79* »

Offline DavidR

Re: Win32:Trojan-gen {other} detected By Avast Free
« Reply #14 on: June 09, 2008, 09:24:28 PM »
I guess that could be down to it being beta (but Comodo may have a hand in the cookie jar, so to speak, for it to find HIPS stuff). You can check C:\Program Files\Alwil Software\Avast4\DATA\log\aswAr.log using Notepad, and you will see the results of the log from the scan done 8 minutes after boot. At the bottom of the log is the scan summary.

Quote from: Mine
Scan finished: 09 June 2008 12:21
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0
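An added example (not code from the thread or from avast) that applies the check this exchange implies: parse the anti-rootkit summary block quoted above together with the hidden-item listing, group the hidden registry keys by vendor so that one noisy product stands out, and list whatever falls outside a confirmed HIPS self-protection prefix. The one-key-per-line listing layout, the sample keys (policy numbers made up, counts adjusted to match) and the `KNOWN_SELF_PROTECT` list are assumptions.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: bracketed registry keys in the shape reported in the thread
# (policy numbers invented, one unrelated key added), then the summary block quoted
# in reply #14 with the registry count adjusted to match the listing.
ASWAR_LOG = r'''
[HKEY_LOCAL_MACHINE\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\17]
[HKEY_LOCAL_MACHINE\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\18]
[HKEY_LOCAL_MACHINE\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\19]
[HKEY_LOCAL_MACHINE\Software\ExampleVendor\Service\Hidden]
Scan finished: 09 June 2008 12:21
Hidden files found: 0
Hidden registry items found: 4
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0
'''

ITEM_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\[^\]]+)\]$", re.M)
SUMMARY_RE = re.compile(r"^(Hidden [a-z ]+) found: (\d+)$", re.M)

# Key prefixes you have confirmed belong to a self-protecting HIPS product on the box.
# The Comodo path is the one named in the thread; for any other setup this is an assumption.
KNOWN_SELF_PROTECT = [r"HKEY_LOCAL_MACHINE\Software\Comodo\Firewall Pro"]

def summary(log: str) -> Dict[str, int]:
    """Turn the 'Hidden ... found: N' block into a name -> count mapping."""
    return {name: int(count) for name, count in SUMMARY_RE.findall(log)}

def by_vendor(log: str) -> Counter:
    """Count hidden registry keys by hive\Software\<vendor>."""
    counts: Counter = Counter()
    for key in ITEM_RE.findall(log):
        counts["\\".join(key.split("\\")[:3])] += 1
    return counts

def unexplained(log: str) -> List[str]:
    """Hidden keys outside every confirmed self-protection prefix: these need a closer look."""
    return [k for k in ITEM_RE.findall(log)
            if not any(k.lower().startswith(p.lower()) for p in KNOWN_SELF_PROTECT)]

def consistent(log: str) -> bool:
    """The listing should match the summary count; a mismatch suggests a truncated or edited log."""
    return summary(log).get("Hidden registry items", -1) == len(ITEM_RE.findall(log))

if __name__ == "__main__":
    print(summary(ASWAR_LOG), by_vendor(ASWAR_LOG).most_common(3), unexplained(ASWAR_LOG))
```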