Author Topic: Win32:Trojan-gen (other).  (Read 9512 times)

arcbuilder

  • Guest
Win32:Trojan-gen (other).
« on: October 20, 2008, 09:15:04 AM »
Hi,

I am very new to this and not an expert in software (not even a novice) so forgive the possible lack of information. More can be posted as necessary.

I keep getting a notice from avast! during a thorough scan saying that a file has Win32:Trojan-gen (other). I remove to the chest as advised. Each time I re-run the scan I get the same message but for a different file. Each time I remove to the chest as advised.
I get this message consistently when the scan is at 94% completion and it only notifies me of 1 file each time.

In work now so don't have the full details with me as I am half afraid to go onto the internet at home since I've picked up this virus. Is it safe to use my laptop whilst getting this message, i.e. go online, hook up a media player (Archos 705), etc??

I only downloaded avast! 3 days ago so any advice/tips on what I should do would be much appreciated.

Thanks.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:Trojan-gen (other).
« Reply #1 on: October 20, 2008, 09:19:11 AM »
Hi arcbuilder,

What is the name and location of the file detected? (You can find this information from the avast! log.)

Try a boot time scan with avast! Right click the scanner screen, select 'schedule a boot time scan' and reboot when requested. (Or open the tab at the top left of the scanner screen and select the boot time option from there.)

Try the usual free adware/spyware scanners.

Ad-Aware Free
Spybot Search & Destroy
SUPERAntiSpyware Free
Malwarebytes' Anti-Malware

Download, install and update the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode if possible.

Always select the option to quarantine any malware found rather than delete it, then you will be able to restore files or registry entries wrongly identified as malware, a rare but not unknown event for any malware scanner.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

arcbuilder
Re: Win32:Trojan-gen (other).
« Reply #2 on: October 20, 2008, 11:33:58 AM »

Thanks for this. I will get the name/location of the file detected and post. Will also try the links you have added.

Without knowing too much about the potential/limitations of this virus, is it o.k. to continue using the laptop to transfer files to a media player? Or should all activity be stopped until the virus is removed?

Apologies if this is a stupid question.

Regards.

Offline FreewheelinFrank
Re: Win32:Trojan-gen (other).
« Reply #3 on: October 20, 2008, 11:59:40 AM »
Well it's possible that an infected computer might infect a connected media player, but without knowing the details of the infection, it's hard to know for sure. If you were to connect that media player to another computer, there would be a chance of passing the infection on.

arcbuilder
Re: Win32:Trojan-gen (other).
« Reply #4 on: October 20, 2008, 09:18:23 PM »
I've run a boot time scan and these are the results;

File C:\Documents and Settings\K\Local Settings\Temp\orz.exe\[Embedded#02270]\[Embedded#11070] is infected by Win32:Trojan-gen {Other}, Moved to chest

File C:\Documents and Settings\K\Local Settings\Temporary Internet Files\Content.IE5\U4JMXPOC\ms[2].exe\[Embedded#02270]\[Embedded#11070] is infected by Win32:Trojan-gen {Other}, Moved to chest

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP142\A0041922.exe is infected by Win32:Trojan-gen {Other}, Moved to chest

File C:\WINDOWS\svchost.exe is infected by Win32:Trojan-gen {Other}, Moved to chest

File C:\WINDOWS\system32\atlcom655_84.dll\[Embedded#11070] is infected by Win32:Trojan-gen {Other}, Moved to chest

Number of searched folders: 8332
Number of tested files: 455805
Number of infected files: 5

Since I've done this I haven't received the avast! virus warning. (When I logged on this evening I received it over a dozen times.)
Nevertheless, I'm still going to follow your recommendation and download the scanners you listed.

Any information on what these files being infected means would be appreciated.
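The five scan lines above, run through a small triage parser. This is an added example, not code from the thread or from avast!: the log lines are copied verbatim from the post as constructed input, and the location rules (the directories where a genuine svchost.exe lives on Windows XP, the restore-point and temp-folder patterns) are this example's own heuristics, not anything avast! itself reports.

```python
"""Triage of the avast! boot-time scan lines quoted above (added example)."""
import re
from collections import Counter

# Constructed input: the detection lines from the boot-time scan post, verbatim.
SCAN_LOG = r"""
File C:\Documents and Settings\K\Local Settings\Temp\orz.exe\[Embedded#02270]\[Embedded#11070] is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\Documents and Settings\K\Local Settings\Temporary Internet Files\Content.IE5\U4JMXPOC\ms[2].exe\[Embedded#02270]\[Embedded#11070] is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP142\A0041922.exe is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\WINDOWS\svchost.exe is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\WINDOWS\system32\atlcom655_84.dll\[Embedded#11070] is infected by Win32:Trojan-gen {Other}, Moved to chest
"""

LINE_RE = re.compile(r"^File (?P<path>.+?) is infected by (?P<sig>.+?), (?P<action>.+)$")

# Where a genuine svchost.exe lives on Windows XP (lower-cased for comparison);
# this list is the example's own assumption about a stock XP install.
SVCHOST_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\system32\dllcache",
    r"c:\windows\servicepackfiles\i386",
}


def parse_line(line):
    """Split one avast! log line into on-disk path, nesting depth, signature, action."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # avast! appends "\[Embedded#NNNNN]" for each archive/packer layer it
    # unpacked; the file that actually exists on disk is the prefix before them.
    parts = m.group("path").split(r"\[Embedded#")
    return {
        "disk_path": parts[0],
        "depth": len(parts) - 1,
        "signature": m.group("sig"),
        "action": m.group("action"),
    }


def classify(disk_path):
    """Heuristic label for where the detected file sits."""
    p = disk_path.lower()
    directory, _, name = p.rpartition("\\")
    if "\\system volume information\\_restore{" in p:
        # System Restore snapshot: scans keep finding these until the
        # restore points are purged, even after the live copy is cleaned.
        return "restore-point copy"
    if "\\local settings\\temp\\" in p or "\\temporary internet files\\" in p:
        return "downloaded/dropped file"
    if name == "svchost.exe" and directory not in SVCHOST_DIRS:
        # A file named like the service host but outside its real location.
        return "svchost.exe outside its legitimate location"
    if directory.startswith("c:\\windows"):
        return "file in the Windows directory"
    return "other"


def triage(log_text):
    """Parse and classify every detection line; unparseable lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            rec["category"] = classify(rec["disk_path"])
            rows.append(rec)
    return rows


def summary(rows):
    return Counter(r["category"] for r in rows)


if __name__ == "__main__":
    rows = triage(SCAN_LOG)
    for r in rows:
        print(f"{r['category']:<45} depth={r['depth']}  {r['disk_path']}")
    print(dict(summary(rows)))
```

Two things the categories make visible: the `C:\WINDOWS\svchost.exe` hit is a file named after the Windows service host but sitting one directory above where the real one lives (`C:\WINDOWS\system32`), so moving it to the chest does not touch the genuine svchost.exe; and the `A0041922.exe` hit is a System Restore snapshot of an infected file, which is why later scans of the same `RP142` folder can turn up further copies until the restore points are discarded (on XP, turning System Restore off and back on clears them).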

Offline FreewheelinFrank
Re: Win32:Trojan-gen (other).
« Reply #5 on: October 20, 2008, 09:40:42 PM »
It may be this:

http://www.symantec.com/security_response/writeup.jsp?docid=2008-052714-3021-99&tabid=2

Quote
When viewed with Flash Player, the Trojan redirects the user to the following URL, which links to a malicious SWF file:
[http://]www.play0nlnie.com/pcd/topics/ff11us/2008031[REMOVED]/[FLASH VERSION STRING][BROWSER].swf

Note: The above URL includes one of the following strings depending on the browser being used:

    * ie (in the case of Internet Explorer)
    * ff (in the case of Firefox)


When viewed with Flash Player, the above SWF file exploits the Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability (BID 28695).

Scan for out-of-date and insecure software using Secunia Software Inspector and update any vulnerable software: this will help to prevent future infections.

arcbuilder
Re: Win32:Trojan-gen (other).
« Reply #6 on: October 21, 2008, 08:36:09 AM »
I ran the boot time scan and after the infected files were moved to the chest I didn't receive any more warning threats. I also downloaded and ran the antispyware. This identified a number of threats and removed them all. Most of these threats were linked to Firefox, which is in the quote you attached from the Symantec site.

Following this, to be on the safe side, I ran the avast! thorough scan again and received another warning screen. The file and location are
A0042075.EXE
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP142 WIN32:Trojan-gen (other).

I'm not sure where to go next. Is it a case of repeating the above until everything is caught and removed?


Offline FreewheelinFrank
Re: Win32:Trojan-gen (other).
« Reply #7 on: October 21, 2008, 08:39:36 AM »

arcbuilder
Re: Win32:Trojan-gen (other).
« Reply #8 on: October 21, 2008, 09:21:28 PM »
I'm pretty sure that I only picked this virus up over the weekend. Would restoring to a date early last week be as/more effective than creating a new restore point (not 100% confident I've killed the virus) and deleting previous ones?

Offline FreewheelinFrank
Re: Win32:Trojan-gen (other).
« Reply #9 on: October 21, 2008, 09:51:28 PM »
You could try that. There never seems to be any guarantee with System Restore that it'll do exactly what you expect. Maybe someone else can advise...

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Trojan-gen (other).
« Reply #10 on: October 21, 2008, 09:57:35 PM »
I'll try to restore and then run the general cleaning procedure:

I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.
6. Immunize your system with SpywareBlaster or Windows Advanced Care.
7. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

arcbuilder
Re: Win32:Trojan-gen (other).
« Reply #11 on: October 22, 2008, 06:33:54 PM »

Following your sequence. Was unable to restore to an earlier date as 'there were no changes made'.
Scans are still picking up viruses.

At the HijackThis step. File attached.


Offline Lisandro
Re: Win32:Trojan-gen (other).
« Reply #12 on: October 23, 2008, 03:04:20 AM »
Quote
At the HijackThis step. File attached.
Hope some expert could help...
Did you follow the other steps, especially the third one?

arcbuilder
Re: Win32:Trojan-gen (other).
« Reply #13 on: October 23, 2008, 08:43:41 AM »

Yes, I've performed the 3rd step and items were removed to quarantine.

Still need to perform steps 5 and 6.

Offline FreewheelinFrank
Re: Win32:Trojan-gen (other).
« Reply #14 on: October 23, 2008, 09:04:43 AM »
C:\Documents and Settings\K\Local Settings\Temporary Internet Files\Content.IE5\FXP1W50S\aswar[1].exe
C:\WINDOWS\system32\cssdll32.dll
C:\Program Files\TuneClone\TuneClone.exe

Please disable 'Hide protected operating system files' and enable 'View Hidden Files and Folders', and upload the above files to VirusTotal for analysis. Post the results here.

You seem to have McAfee, Symantec and avast! installed, which will cause problems.

Do a clean install of avast! Uninstall avast!, run the McAfee and Symantec removal tools and reinstall avast!

http://service.mcafee.com/FAQDocument.aspx?id=107083&lc=1033
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog
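A hash-first way of doing the VirusTotal check asked for in the reply above. This is an added example, not code from the thread: the three paths are the ones listed in the reply; the workflow (record the hashes before anything is moved to the chest, look the hashes up, upload only what is unknown), the stand-in file it hashes when the real files are not present, and the report layout are this example's own. The VirusTotal report URL form used here is the present-day one and is an assumption.

```python
"""Hash the listed suspect files for a VirusTotal lookup (added example)."""
import hashlib
import os
import stat
import tempfile

# The three files named in the reply above.
SUSPECTS = [
    r"C:\Documents and Settings\K\Local Settings\Temporary Internet Files\Content.IE5\FXP1W50S\aswar[1].exe",
    r"C:\WINDOWS\system32\cssdll32.dll",
    r"C:\Program Files\TuneClone\TuneClone.exe",
]


def hash_file(path, chunk=1 << 16):
    """Stream the file once; return (size, md5, sha1, sha256) hex digests."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            size += len(block)
            for h in (md5, sha1, sha256):
                h.update(block)
    return size, md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def file_attributes(path):
    """Hidden/system flags. Only Windows exposes st_file_attributes; elsewhere None.
    Explorer's 'Hide protected operating system files' setting only affects
    Explorer, so a script reaches such files regardless of it."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return {
        "hidden": bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
        "system": bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM),
    }


def report(path):
    """One record per file: what to search for before uploading anything."""
    size, md5, sha1, sha256 = hash_file(path)
    return {
        "path": path,
        "size": size,
        "md5": md5,
        "sha1": sha1,
        "sha256": sha256,
        "attributes": file_attributes(path),
        # Assumed URL form: report lookup by hash; upload only if it is empty.
        "virustotal": f"https://www.virustotal.com/gui/file/{sha256}",
    }


def report_all(paths):
    """Report every path that exists; the rest are recorded as None (already
    moved to the chest, or the listing came from a different machine)."""
    return {p: (report(p) if os.path.isfile(p) else None) for p in paths}


def report_constructed(content=b"abc"):
    """Hash a constructed stand-in file so the example runs offline where the
    suspects do not exist."""
    fd, tmp = tempfile.mkstemp(suffix=".exe")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(content)
        return report(tmp)
    finally:
        os.unlink(tmp)


if __name__ == "__main__":
    for path, rec in report_all(SUSPECTS).items():
        print(path, "->", rec["sha256"] if rec else "not present")
    print(report_constructed())
```

Searching VirusTotal by hash first avoids uploading a file that may be a private or licensed program when a verdict already exists, and keeping the digests in the thread means the three files can still be identified after avast! has moved them to the chest and renamed them.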