Author Topic: OSCust.exe win32:Trojan-gen (other) (Read 17371 times)

dema · « **on:** August 22, 2009, 12:19:39 AM »

Im sorry guys for some reason it said I double posted and cut all my content.
  My OS - Vista Home x64

   I recently noticed upon following a trusted link in an email to a site Ive visited before two text boxes appeared saying I have Malicious Software / Infections present, after the boxes appeared it opened "My Computer" and started a scan, I proceeded to X out the two text boxes and the scan.. Afterwards I checked my NIS09 History log to see if it caught any activity of the event, the following happens every couple of minutes with 4-5 showing up. Heres what my log says constantly; Info - Rule "Default Block UPnP Discovery" Stealthed (###.###.#.#, Port ssdp (####)). Inbound UDP Packet.
   I proceeded to download updates for my Norton Internet Security 2009, Malwarebytes, SuperAntispyware, Windows Defender and Avast programs. I proceeded to safemode and scanned with the following programs with nothing appearing but cookies on Malwarebytes. I then ran a thorough scan with archived files checked on Avast and it found the following; OSCust.exe , C:\Windows\SysWOW64\OEM\OSCust.exe, win32:Trojan-gen (other). It also showed atleast 13 other files that it said could not be scanned and they all had random #'s.
  Im not sure how to get rid of this threat, I've never run into something thats actually been able to get by Norton before. Also what I noticed is when I go into safemode and open the virus chest it gives me this error, "Initialization of Chest files Action was completed with errors! Program cannot use Chest client:(null). Description: virus chest server is not running. RPC communication failed. Im not really familiar with avast considering I just started using it today

but I guess that means virus chest isnt enabled in safemode? Why wouldnt it be?

mathboyx215 · « **Reply #1 on:** August 22, 2009, 12:21:35 AM »

So what exactly is your problem?

Tarq57 · « **Reply #2 on:** August 22, 2009, 12:29:17 AM »

Hi dema,
One of your problems is that you have two AV's installed (plus possibly one rogue program.)
You will need to uninstall one of them, either Norton or Avast, for the computer to operate satisfactorily.
The presence of two AV's usually (ironically) creates a less secure environment, rather than providing extra security, plus places an extra load on system resources as both are operating, attempting to scan each others files at the same time etc.

My suggestion is to uninstall Norton internet security, run the Norton Removal Tool, repair Avast via the control panel "add/remove programs", and then update MalwareBytes, and run a full scan in normal mode.

If you were to choose to uninstall Avast, the removal tool for same can be found here.
Most users I know of find Avast preferable to Norton products, but to be fair, I have read of some happy user experiences with NIS2009.
Your choice.

dema · « **Reply #3 on:** August 22, 2009, 12:43:28 AM »

Heres my Hijackthis Log;

Tarq57 · « **Reply #4 on:** August 22, 2009, 12:50:04 AM »

You need to install HijackThis on an admin account, and post the complete file in two parts (two separate posts) or use the "additional options" button at the left of the reply window when posting to attach it.
Maybe someone else will have a look at that. (I'm not trained in the use of them).
The log you've posted confirms the use of two AV's.
Uninstall one of them.

dema · « **Reply #5 on:** August 22, 2009, 12:52:43 AM »

Quote from: Tarq57 on August 22, 2009, 12:50:04 AM

You need to install HijackThis on an admin account, and post the complete file in two parts (two separate posts) or use the "additional options" button at the left of the reply window when posting to attach it.
Maybe someone else will have a look at that. (I'm not trained in the use of them).
The log you've posted confirms the use of two AV's.
Uninstall one of them.

Im scared to uninstall NIS09 with all the activity regarding the stealthed connections the firewalls blocking but I would rather use Avast, Im not sure whatever is trying to get into my comp will once I uninstall..Also that is my entire Hijackthis log, my comps fairly new and I ran it as administrator.

Tarq57 · « **Reply #6 on:** August 22, 2009, 01:12:55 AM »

OK, give us a tick. I'll have a look at your log. Someone else might, too. Be 10-15 minutes.

Mr.Agent · « **Reply #7 on:** August 22, 2009, 01:18:41 AM »

Vista Firewall is 2 ways so u dont have to worry to uninstall Norton. I did it 10-15 mins on my customer and its worked so well after uninstall it lol. But Tarq will help you more than me in forum. Because i cant really help very well in a forum but i can still suggest some thing

Mr.Agent

micky77 · « **Reply #8 on:** August 22, 2009, 01:25:44 AM »

Go to virus total, http://www.virustotal.com/ upload OSCust.exe from C:\Windows\SysWOW64\OEM\OSCust.exe ( could be part of aliensoftware )
Copy/paste the log here

dema · « **Reply #9 on:** August 22, 2009, 01:29:44 AM »

Quote from: micky77 on August 22, 2009, 01:25:44 AM

Go to virus total, http://www.virustotal.com/ upload OSCust.exe from C:\Windows\SysWOW64\OEM\OSCust.exe ( could be part of aliensoftware )

Im not sure if it has to do with the alienware software, it's appeared in the History Logs today which it hasnt before. If it was the aliensoftware it would have a install date similiar to the other software, wouldnt it? This just appeared today. Also Mr Agent Im used to using windows firewall with norton antivirus systemworks but this is the first time Ive installed NIS09 on one of my computers because I heard the firewall is better than windows but this is the first time Ive ever had malware on either of my computers for three years.

micky77 · « **Reply #10 on:** August 22, 2009, 01:31:30 AM »

Well upload it anyway, and lets see whats there

dema · « **Reply #11 on:** August 22, 2009, 01:34:59 AM »

Give me one sec.

Mr.Agent · « **Reply #12 on:** August 22, 2009, 01:43:17 AM »

Yeah Norton Firewall is better but its can cause slow down. For sure.

micky77 · « **Reply #13 on:** August 22, 2009, 01:46:12 AM »

I was asking you to navigate to C:\Windows\SysWOW64\OEM\OSCust.exe and load the file from there. If Avast has removed the file,then it will not be there anymore.I have read several threads on this file, that relate to alienware, the file is usually flagged as suspicious, not necessarily malware.

You can export the file from the chest by this method >

Re Uploading to VirusTotal without an alert.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Sorry im off to bed now

dema · « **Reply #14 on:** August 22, 2009, 01:52:26 AM »

Quote from: micky77 on August 22, 2009, 01:46:12 AM

I was asking you to navigate to C:\Windows\SysWOW64\OEM\OSCust.exe and load the file from there. If Avast has removed the file,then it will not be there anymore.I have read several threads on this file, that relate to alienware, the file is usually flagged as suspicious, not necessarily malware.

You can export the file from the chest by this method >

Re Uploading to VirusTotal without an alert.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Sorry im off to bed now

Appreciate the help but you lost me at Standard Shield ;L.