Topic: Avast reports 2 Trojans on my PC (BV:Autorun-G [Wrm] & Win32:Trojan-gen {Other})


Kalpak

  • Guest
Hi,

I have been having this strange problem for 3-4 days. All the problems started when I plugged in a pendrive given by a close friend of mine. I am getting warnings from Avast that there is some Trojan/virus on my PC whenever I boot my PC or plug in a pendrive.

I have been through many websites and forums but never got the exact remedy.

Following is the log of Avast.

2/9/2009 9:05:14 PM SYSTEM 1804 Sign of "BV:AutoRun-G [Wrm]" has been found in "E:\autorun.inf" file. 
2/9/2009 11:47:39 PM Administrator 1180 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7. 
2/9/2009 11:49:10 PM Administrator 1180 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7. 
2/10/2009 10:22:19 AM Kalpak Luniya 1716 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\6C908QHY\nadz[1].exe" file. 
2/10/2009 10:23:03 AM Kalpak Luniya 1716 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\6C908QHY\nadz[2].exe" file. 
2/10/2009 10:23:07 AM Kalpak Luniya 1716 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\sound32.exe" file. 
2/11/2009 1:36:35 PM Kalpak Luniya 1660 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\KP7Z9G1K\vss2[1].exe" file. 
2/11/2009 2:28:36 PM Kalpak Luniya 1660 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\KP7Z9G1K\vss2[2].exe" file. 
2/11/2009 2:28:44 PM Kalpak Luniya 1660 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\KP7Z9G1K\vss2[3].exe" file. 
2/11/2009 2:28:48 PM Kalpak Luniya 1660 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\cncai32.exe" file. 
2/11/2009 2:28:51 PM Kalpak Luniya 1660 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\cncai32.exe" file. 
2/11/2009 2:37:46 PM Kalpak Luniya 1660 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\ANR41U7C\nadz[1].exe" file. 
2/11/2009 2:37:52 PM Kalpak Luniya 1660 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\ANR41U7C\nadz[2].exe" file. 
2/11/2009 2:37:55 PM Kalpak Luniya 1660 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\sound32.exe" file. 
2/11/2009 7:11:25 PM SYSTEM 1632 Sign of "BV:AutoRun-G [Wrm]" has been found in "E:\autorun.inf" file. 
2/11/2009 7:13:43 PM SYSTEM 1632 Sign of "BV:AutoRun-G [Wrm]" has been found in "E:\autorun.inf" file. 
2/12/2009 12:47:25 AM SYSTEM 1656 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\O09TL1DY\nadz[1].exe" file. 
2/12/2009 12:47:44 AM SYSTEM 1656 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\O09TL1DY\nadz[2].exe" file. 
2/12/2009 12:47:52 AM SYSTEM 1656 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\sound32.exe" file. 
2/12/2009 9:59:51 AM Kalpak Luniya 1600 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\DAJZ2MPK\nadz[1].exe" file. 
2/12/2009 10:00:26 AM Kalpak Luniya 1600 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\DAJZ2MPK\nadz[2].exe" file. 
2/12/2009 10:00:30 AM Kalpak Luniya 1600 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\sound32.exe" file. 
2/12/2009 3:02:25 PM Kalpak Luniya 1680 Sign of "BV:AutoRun-G [Wrm]" has been found in "E:\autorun.inf" file. 
2/12/2009 3:02:38 PM Kalpak Luniya 1680 Sign of "BV:AutoRun-G [Wrm]" has been found in "E:\autorun.inf" file. 
2/12/2009 3:02:51 PM Kalpak Luniya 1680 Sign of "BV:AutoRun-G [Wrm]" has been found in "E:\autorun.inf" file. 

=========================================================================================================

I would be very happy to see this problem getting resolved. I request someone to help me out.

regards....

Raj

Kalpak

  • Guest
To help with the resolution, I am attaching the report of Trend Micro HijackThis v2.0.2.

Please help.

Spiritsongs

  • Guest
 :)  Hi :

 I suspect your friend's pen drive is/was "infected" !? To counter that, I
 recommend you use the FREE "Flash Disinfector" with Info available at
 http://experi3nc3.wordpress.com/2007/05/10/flash-disinfector-by-subs .

 Your HijackThis Log indicates your Java is at least 2 "Versions/Updates"
 behind ; in addition Win XP SP3 Operating System usually uses the 6.0 ( 1.6 )
 Java series, not the "older" 5.0 ( 1.5 ) series, so unless you have been having
 difficulty using the latest version of Java, I recommend you use the FREE
 "JavaRa" program, available from http://raproducts.org .

Kalpak

  • Guest
Hi,

I installed Flash_Disinfector.exe and the problem of the Autorun Trojan/virus got solved. But I am still getting the message for Win32-Trojan-gen {other}.

How do I solve it? In the meanwhile I will update the Java version to the latest one and upload the HijackThis report.

regards....

Raj

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
What is the name and location of the file detected? (You can find this information in the avast! log.)
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Kalpak

  • Guest
Hi,

The location in the log is as given below.

2/10/2009 10:22:19 AM Kalpak Luniya 1716 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\6C908QHY\nadz[1].exe" file. 
2/10/2009 10:23:03 AM Kalpak Luniya 1716 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\6C908QHY\nadz[2].exe" file. 
2/10/2009 10:23:07 AM Kalpak Luniya 1716 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\sound32.exe" file. 
2/11/2009 1:36:35 PM Kalpak Luniya 1660 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\KP7Z9G1K\vss2[1].exe" file. 
2/11/2009 2:28:36 PM Kalpak Luniya 1660 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\KP7Z9G1K\vss2[2].exe" file. 
2/11/2009 2:28:44 PM Kalpak Luniya 1660 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\Local Settings\Temporary Internet Files\Content.IE5\KP7Z9G1K\vss2[3].exe" file. 
2/11/2009 2:28:48 PM Kalpak Luniya 1660 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\cncai32.exe" file. 
2/11/2009 2:28:51 PM Kalpak Luniya 1660 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Kalpak Luniya\cncai32.exe" file. 

regards....

Raj

Offline FreewheelinFrank

Try deleting your temporary internet files:

http://support.microsoft.com/kb/260897

Or use CCleaner:

http://www.ccleaner.com/

Then try these free adware/spyware scanners. Download, install and update.

SUPERAntiSpyware Free
Malwarebytes' Anti-Malware

When you have finished, check for out-of-date and insecure software and update; this will reduce the risk of similar infections.

Secunia Online Software Inspector (OSI)
Secunia Personal Software Inspector (PSI)

Kalpak

  • Guest
Attached is the New HijackThis log


Kalpak

  • Guest
Hi,

I have already used CCleaner. But I think I will give the others a try.

Thanks for all your help.

regards....

Kalpak

Offline FreewheelinFrank

There's probably some active malware that's putting the files back in the temp directory then: you need to run the spyware scans. Nothing obvious in the HijackThis! log.
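The pattern described in the reply above, detected files coming back after cleanup, can be read directly off a log in this format. The following is an added example, not part of any post in this thread: it parses detection lines, collapses Internet Explorer cache copies (random Content.IE5 subfolder, [n] suffix) into one key, and reports files detected on more than one day. The sample log is constructed, the function names are hypothetical, and M/D/YYYY date order is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the avast! log quoted in this thread
# (user name and paths shortened; not the poster's actual log).
SAMPLE_LOG = r'''
2/9/2009 9:05:14 PM SYSTEM 1804 Sign of "BV:AutoRun-G [Wrm]" has been found in "E:\autorun.inf" file.
2/9/2009 11:47:39 PM Administrator 1180 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.
2/10/2009 10:22:19 AM Test User 1716 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Profile\Temporary Internet Files\Content.IE5\6C908QHY\nadz[1].exe" file.
2/10/2009 10:23:07 AM Test User 1716 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Profile\sound32.exe" file.
2/11/2009 2:37:46 PM Test User 1660 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Profile\Temporary Internet Files\Content.IE5\ANR41U7C\nadz[2].exe" file.
2/11/2009 2:37:55 PM Test User 1660 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Profile\sound32.exe" file.
'''

DETECTION = re.compile(
    r'^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<user>.+?) (?P<id>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.')
# IE cache copies sit in a random Content.IE5 subfolder with a [n] suffix.
IE_CACHE = re.compile(r'\\Content\.IE5\\[^\\]+\\(?P<stem>[^\\]+?)\[\d+\](?P<ext>\.[^\\.]+)$')

def normalize(path):
    """Collapse IE cache copies of one download to a single key."""
    m = IE_CACHE.search(path)
    if m:
        return "IE cache download: " + (m["stem"] + m["ext"]).lower()
    return path.lower()

def recurring_detections(log_text):
    """Return {(signature, file key): sorted dates} for files detected on 2+ days."""
    days = defaultdict(set)
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if not m:  # update errors and other non-detection lines are skipped
            continue
        day = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p").date()
        days[(m["sig"], normalize(m["path"]))].add(day)
    return {k: sorted(v) for k, v in days.items() if len(v) > 1}

if __name__ == "__main__":
    for (sig, key), seen in recurring_detections(SAMPLE_LOG).items():
        print(f"{sig}: {key} detected on {len(seen)} separate days")
```

A file that keeps turning up under a new cache folder name on later days is being fetched again, which is the sign that something still running on the machine is downloading it.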

Kalpak

  • Guest
Hi Frank (I guess this is your name),

Thanks a lot. I used Malwarebytes' Anti-Malware and the virus seems to be gone. Avast is not reporting any message now. I hope the system is clear now.

I again thank you for the time and effort you have spent.

regards...

Kalpak


Kalpak

  • Guest
Hi,

A last question

I have heard of disabling the autorun using the gpedit.msc. So I opened Computer Configuration >> Administrative Templates >> System >> Turn Off Autoplay and enabled Autoplay for all drives. But still the USB and even the CD are detected when inserted. The PC has been rebooted after the configuration change.

I know this is not the forum, but I thought that this info would help others when they plug in the pendrive and get viruses/Trojans like BV: Autorun-G [Wrm]

regards...

Kalpak

Offline FreewheelinFrank

> Hi Frank (I guess this is your name),
>
> Thanks a lot. I used Malwarebytes' Anti-Malware and the virus seems to be gone. Avast is not reporting any message now. I hope the system is clear now.
>
> I again thank you for the time and effort you have spent.
>
> regards...
>
> Kalpak

It's my "nom de malware" ;)

Glad I could help.

Don't forget the Secunia scan: this will help prevent future infections.

Offline FreewheelinFrank

> Hi,
>
> A last question
>
> I have heard of disabling the autorun using the gpedit.msc. So I opened Computer Configuration >> Administrative Templates >> System >> Turn Off Autoplay and enabled Autoplay for all drives. But still the USB and even the CD are detected when inserted. The PC has been rebooted after the configuration change.
>
> I know this is not the forum, but I thought that this info would help others when they plug in the pendrive and get viruses/Trojans like BV: Autorun-G [Wrm]
>
> regards...
>
> Kalpak

Here's the best way to disable autorun:

http://support.microsoft.com/kb/953252

YoKenny

  • Guest
Note: Gpedit.msc will not run on XP Home edition as it is not available.