Author Topic: OSCust.exe win32:Trojan-gen (other)  (Read 17373 times)

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: OSCust.exe win32:Trojan-gen (other)
« Reply #15 on: August 22, 2009, 03:31:47 AM »
Hi, I couldn't get to the forum for a bit. (micky77 is very knowledgeable about malware.)
Lost at standard shield: Here's a step by step.

- Left click the system tray icon (Avast).
- From the gui that opens, select "standard shield", then click on "customize", go to the "advanced" tab.
- Select "add", type the path in to be excluded, if you follow micky's suggestion it will be C:\Suspect.
- Move the file from the chest to that folder.
- Open www.virustotal.org , select upload a file, upload the file from this folder. Once analysis is complete, (it will take a minute or 5) copy the address url, post it back here.
- You may well have to disable NIS while carrying out these actions. (I still think you should uninstall it, run the removal tool, repair Avast, and then check the Vista firewall is on. That can be done any time, but if it were me, I'd do it sooner rather than later. Prevent interference.)
Windows 10,Windows Firewall,Firefox w/Adblock.

dema

  • Guest
Re: OSCust.exe win32:Trojan-gen (other)
« Reply #16 on: August 22, 2009, 08:12:27 AM »
Ok, the step by step really helped, thank you, but how do I move the infected file from the Chest to that folder?

Offline Tarq57

Re: OSCust.exe win32:Trojan-gen (other)
« Reply #17 on: August 22, 2009, 01:22:42 PM »
Open the chest from the main Avast gui (right click tray icon, select "start avast", wait for the memory test to complete, then select the chest.)
From the chest, right-click the file concerned, and from the options, select "extract". An explorer window will open, inviting you to browse to the folder to extract the file to. Select the folder you've created for this purpose.
Should then be all good to go.
(Sorry about the delay replying, had to go to work.)
Windows 10,Windows Firewall,Firefox w/Adblock.

dema

  • Guest
Re: OSCust.exe win32:Trojan-gen (other)
« Reply #18 on: August 22, 2009, 04:14:38 PM »
Ok, here you go, no idea what results it's going to give: http://www.virustotal.com/analisis/29d7e43b5d295921b3710558c07f2384bf17e28012018d5c9a8f12f6bfb23872-1250365797
If that file's corrupted, do I delete the suspect file I created and stored it in?
« Last Edit: August 22, 2009, 04:16:43 PM by dema »

micky77

  • Guest
Re: OSCust.exe win32:Trojan-gen (other)
« Reply #19 on: August 22, 2009, 08:48:57 PM »
Funny one, this one. Did it say 'this file already analyzed'? If so, tick re-analyze. What the results mean is that 16/41 say this file is bad. So if it was on my PC, I would want rid. My personal thoughts are, this file is 'suspicious'. The only good thing I can say is, if you check the MD5 number and google it, another scanner, a year ago, found 6/36 including the well respected Avira; however, they do not now detect it, so they must have examined it and thought it was a FP and harmless. On the other hand, the number has risen.
http://virscan.org/report/39e10d4972b08ca2af4dbd897aa80a37.html
http://www.virustotal.com/analisis/29d7e43b5d295921b3710558c07f2384bf17e28012018d5c9a8f12f6bfb23872-1250365797
Try the re-analyze option.
As long as the file is gone, I would not worry too much.
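
An added example, not part of any post in this thread: a small Python check of the two things the reply above relies on, namely that the linked report is for the same file that was extracted from the chest, and whether the report is a fresh analysis or an older one that should be re-analyzed. It assumes the number after the hash in the report URL is a Unix timestamp of the analysis and treats the forum post time as UTC; the function names are illustrative.

```python
import hashlib
import re
import sys
from datetime import datetime, timezone

# Report URL exactly as posted in reply #18.
REPORT_URL = ("http://www.virustotal.com/analisis/29d7e43b5d295921b3710558"
              "c07f2384bf17e28012018d5c9a8f12f6bfb23872-1250365797")
# Forum timestamp of reply #18; treating it as UTC is an assumption.
POSTED_AT = datetime(2009, 8, 22, 16, 14, 38, tzinfo=timezone.utc)

def file_digests(path, chunk=1 << 16):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()

def parse_report_url(url):
    """Split the trailing '<sha256>-<number>' off a report URL."""
    m = re.search(r"/([0-9a-f]{64})-(\d{9,10})$", url.strip().lower())
    if not m:
        raise ValueError("not a <sha256>-<timestamp> report URL")
    # Assumption: the numeric suffix is Unix epoch seconds.
    analysed = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
    return m.group(1), analysed

def check_report(url, local_sha256, submitted_at, max_age_hours=24):
    """Compare a report URL with the local file hash and submission time."""
    sha, analysed = parse_report_url(url)
    age = submitted_at - analysed
    return {
        "same_file": sha == local_sha256.lower(),
        "analysed_utc": analysed.isoformat(),
        "age_days": age.days,
        # An old report means the detection counts are old too.
        "stale": age.total_seconds() > max_age_hours * 3600,
    }

if __name__ == "__main__":
    sha, _ = parse_report_url(REPORT_URL)
    if len(sys.argv) > 1:  # optional: path to the file extracted from the chest
        md5, sha = file_digests(sys.argv[1])
        print("md5:", md5, "sha256:", sha)
    print(check_report(REPORT_URL, sha, POSTED_AT))
```

Under that assumption the suffix in the posted URL decodes to 2009-08-15 19:49:57 UTC, about a week before the link was posted, which is the case the re-analyze advice covers.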

dema

  • Guest
Re: OSCust.exe win32:Trojan-gen (other)
« Reply #20 on: August 22, 2009, 10:13:27 PM »
It only took 5 seconds to scan the file, which was kinda weird, but it didn't say it was already analyzed. So should I go ahead and delete it from the chest? What would I do about the constant "Default Block UPnP Discovery" Stealthed (###.###.#.#, Port ssdp(####)) if they continue to show up?

YoKenny

  • Guest
Re: OSCust.exe win32:Trojan-gen (other)
« Reply #21 on: August 22, 2009, 10:35:07 PM »
Why is dema running Norton complaining about avast! discovering a Trojan-gen, he asks rhetorically.  ???

UPnP should be disabled anyway:
http://www.grc.com/unpnp/unpnp.htm

dema

  • Guest
Re: OSCust.exe win32:Trojan-gen (other)
« Reply #22 on: August 22, 2009, 11:28:29 PM »
Thanks for the Info, was waiting to see if this was a false positive before I did anything.

dema

  • Guest
Re: OSCust.exe win32:Trojan-gen (other)
« Reply #23 on: August 23, 2009, 04:52:10 AM »
Hi dema,
One of your problems is that you have two AV's installed (plus possibly one rogue program.)
You will need to uninstall one of them, either Norton or Avast, for the computer to operate satisfactorily.
The presence of two AV's usually (ironically) creates a less secure environment, rather than providing extra security, plus places an extra load on system resources as both are operating, attempting to scan each other's files at the same time etc.

My suggestion is to uninstall Norton internet security, run the Norton Removal Tool, repair Avast via the control panel "add/remove programs", and then update MalwareBytes, and run a full scan in normal mode.

If you were to choose to uninstall Avast, the removal tool for same can be found here.
Most users I know of find Avast preferable to Norton products, but to be fair, I have read of some happy user experiences with NIS2009.
Your choice.
Ok, I tried both options you listed. First I deleted the infected file in the chest and uninstalled Avast, I then updated NIS09/Malwarebytes/SUPERantispyware and scanned in both safe mode and normal mode with nothing showing up. Afterwards I redownloaded Avast Home Edition, turned on my Windows firewall and noticed that one of the exceptions in the options for Windows firewall was "Discovery" and this was checked. I then proceeded to reset the defaults, which set the only exceptions back to local network.
I then completely uninstalled my NIS09 and repaired Avast afterwards, which was successful. After uninstalling Norton I did a thorough scan with archived files checked and it came up with 16 Listed Lines - Selected Lines 1, no signs of viruses, but for these 16 lines it says the following: "Unable to Scan Archive". These lines are all under c:\users and are all random numbers/letters after my name. Are these the remnants of the infected file that was the virus? Is it possible it's still on my computer? What other steps can I take to make absolutely sure it's removed? Thank you guys for your previous replies, all of this is new to me considering I've never had this issue before.

YoKenny

  • Guest
Re: OSCust.exe win32:Trojan-gen (other)
« Reply #24 on: August 23, 2009, 06:01:10 AM »
Welcome to avast!

When you see "Unable to Scan Archive" it is files that are compressed and will be scanned when un-compressed, so it's nothing to worry about.

Read why Vincent Steckler left Symantec and joined avast!:
http://blog.avast.com/2009/07/20/welcome-and-why-i-joined-avast
« Last Edit: August 23, 2009, 06:04:23 AM by YoKenny »

dema

  • Guest
Re: OSCust.exe win32:Trojan-gen (other)
« Reply #25 on: August 23, 2009, 08:55:24 AM »
I have the following questions:
1. The 16/41 files that virustotal said were bad from my scan, aren't these the compressed files you speak of? (It's very weird that it would be the exact same number as the corrupted files found in that file), and would it be safe to move these to the chest for now?
2. What exactly is "Discovery" in the Windows firewall exceptions (Info - Rule "Default Block UPnP Discovery" Stealthed (###.###.#.#, Port ssdp (####)). Inbound UDP Packet.), is it where the worm/virus was trying to access my computer, and how did it change the options to make it an exception?
3. I found a thread regarding OSCust.exe with a post from an AW representative stating it's used during the manufacturing process, http://forums.tentonhammer.com/showthread.php?t=34992 , but this still doesn't explain why I had two text boxes pop up stating I had malicious software and "my computer" started a scan, yet all the scanners I've used show up clean but Avast finds this file that apparently isn't harmful. I have my doubts but I'd like to learn more regarding this and how I can make sure my computer's really clear of this threat.
4. What's the best way to find out I don't have any rootkits installed?
« Last Edit: August 24, 2009, 04:59:08 AM by dema »

dema

  • Guest
Re: OSCust.exe win32:Trojan-gen (other)
« Reply #26 on: August 23, 2009, 10:17:46 PM »
For some reason avast doesn't want to open in safe mode. It'll start the memory process and give me the instruction box with another tab in the taskbar named avast - simple user interface, but it won't open, even after clicking on it repetitively. I tried repairing it in safe mode w/ networking but it still won't open. It's opened before in safe mode but wouldn't allow me to access the chest. What could be causing this?
« Last Edit: August 23, 2009, 10:27:44 PM by dema »

Offline Tarq57

Re: OSCust.exe win32:Trojan-gen (other)
« Reply #27 on: August 24, 2009, 01:35:03 AM »
The fact that you have 16 "unable to be scanned" files, and there were 16 returns for the virustotal results is pure coincidence. Read nothing into that.
The 16 files unable to be scanned are not necessarily malicious, in fact they probably are not. In the scan report, the pane can be maximized, and the header tabs moved so the filename and path can be read. By looking at the names and paths, it can give a good idea as to what they are.
They should not be moved to the chest.
Go to each file, and context-scan (right click) with MBAM.
I actually think the problem you have with a rogue application probably has nothing to do with the OSCust file; it just happened to be detected at about the same time.

If I remember correctly, some Avast functions - like the chest - are not available in safe mode.
In normal mode, update MBAM, and run a full scan again.
Post the scan report.
Windows 10,Windows Firewall,Firefox w/Adblock.

dema

  • Guest
Re: OSCust.exe win32:Trojan-gen (other)
« Reply #28 on: August 24, 2009, 03:37:09 AM »
I believe you're right that this happened to just show up after the rogue application popping up. Here's my MBAM Log and a new Hijackthis Log. MBAM shows nothing as usual, can I assume my computer's clean, or is there something still residing somewhere?

The Discovery exception that was checked in my Windows firewall has the following definition: "This feature allows this computer to discover other devices and be discovered by other devices on the network. (Uses Function Discovery Host and Publication Services, UPnP, SSDP, NetBIOS and LLMNR)", so I guess this is how the program entered my computer in the first place, but the firewall that was active at the time was my NIS09 smart firewall and its settings were to block these, which it showed in the log. I'm not getting any messages so far using Windows firewall about it blocking that connection, it's not checked in the exceptions anymore. What if this could be the new vulnerability mentioned in the following thread, http://forum.avast.com/index.php?topic=47903.0? I'm using Adobe Flash Player 9 currently on my computer.
« Last Edit: August 24, 2009, 04:58:46 AM by dema »

Offline Tarq57

Re: OSCust.exe win32:Trojan-gen (other)
« Reply #29 on: August 24, 2009, 05:01:09 AM »
The log looks clean to my untrained brain.

However, there are a number of "O23" (services) entries for which the log states "file missing", a few too many for that to be normal.
I don't actually know the import of that... sometimes when software has been incorrectly removed it can leave such an entry behind, but a lot of yours seem to belong to the OS.
Might pay to wait till someone more expert can analyze that.

Windows 10,Windows Firewall,Firefox w/Adblock.