Hi everyone, I was just running a scan after I got some odd PHP errors from some forums (though I think this was unrelated) and Avast indicated that aaudstum.sys in the Temp folder of my Documents and Settings folder was a virus under the title of Win32:Trojan-gen {Other}. Does anyone know of a virus with such a file, and if it is a virus, is there any danger my system is compromised, or is it possibly a false positive?
I can’t think of any way in which a virus could have got there; I’m pretty thorough in scanning all emails, all downloaded files etc. Running a spyware scan using Spybot - Search & Destroy didn’t raise any issues prior to the virus scan, and Avast has never indicated anything before with the web scanner or anything (plus the memory scan at runtime seems to indicate there’s nothing malicious in memory or startup). Checking msconfig doesn’t seem to indicate anything suspicious (bar ctfmon, which seems to have turned itself back on after I turned it off, though it has been doing that for a good while, ever since I did a reformat and reinstall some weeks ago).
Thanks for your help.
Edit: Thought I should add: I’m using Windows XP Service Pack 2, almost up to date with every critical patch (though checking just now reveals 1 update for Windows Genuine Advantage and 1 update for .NET 1.1).
Spybot's quality has fallen in recent months and for quite some time has NOT been in the top "tier" of "Trustworthy" products per anti-spyware expert Eric Howes at his www.spywarewarrior.com/rogue_anti-spyware.htm#trustworthy . Much better would be to use the good & FREE "AVG Antispyware" from www.ewido.net and/or the FREE version of "SUPERantispyware" from www.superantispyware.com . At a minimum you could use these programs as a "2nd opinion"!?
I have also used Spybot in conjunction with Lavasoft’s Ad-Aware in the past, though a quick smart scan reveals nothing (though not a full proper scan). I shall look into your recommendations.
For the virustotal scan, is it possible to upload the file without having to remove it from the Chest section of Avast?
Like Frank said, it’s not possible… if it did not work this way, the file would not be encrypted and the infection could spread.
All files in the Chest are protected (encrypted) and cannot get out of there without manual instructions (restoring).
For the virustotal scan, is it possible to upload the file without having to remove it from the Chest section of Avast?
No it isn’t possible, the avast chest is a protected area.
You will need to right-click on the file in the chest and select Extract (not Restore), then choose a folder that is not the same as the original location; you should then be able to upload it.
When the uploads and checks are complete, delete the file; don’t worry, there is still a copy in the chest.
Not to worry, I just took care restoring it to its original location, so I remembered where it was and put it straight back in the chest afterwards.
After scanning it at Virustotal the results were:
Engine          Version          Date        Result
AntiVir         7.3.1.38         03.02.2007  no virus found
Authentium      4.93.8           03.02.2007  is a security risk or a “backdoor” program
Avast           4.7.936.0        03.03.2007  Win32:Trojan-gen. {Other}
AVG             7.5.0.447        03.03.2007  no virus found
BitDefender     7.2              03.03.2007  no virus found
CAT-QuickHeal   9.00             03.02.2007  no virus found
ClamAV          devel-20060426   03.03.2007  no virus found
DrWeb           4.33             03.03.2007  no virus found
eSafe           7.0.14.0         02.28.2007  no virus found
eTrust-Vet      30.6.3449        03.03.2007  no virus found
Ewido           4.0              03.03.2007  no virus found
FileAdvisor     1                03.03.2007  no virus found
Fortinet        2.85.0.0         03.03.2007  PossibleThreat!03178
F-Prot          4.3.1.45         03.03.2007  W32/Malware!1df3
F-Secure        6.70.13030.0     03.03.2007  no virus found
Ikarus          T3.1.1.3         03.03.2007  no virus found
Kaspersky       4.0.2.24         03.03.2007  no virus found
McAfee          4975             03.02.2007  no virus found
Microsoft       1.2204           03.03.2007  no virus found
NOD32v2         2093             03.03.2007  no virus found
Norman          5.80.02          03.02.2007  no virus found
Panda           9.0.0.4          03.03.2007  no virus found
Prevx1          V2               03.03.2007  no virus found
Sophos          4.14.0           03.03.2007  no virus found
Sunbelt         2.2.907.0        03.01.2007  Backdoor.Genlot.DX
Symantec        10               03.03.2007  no virus found
TheHacker       6.1.6.067        03.01.2007  no virus found
UNA             1.83             03.02.2007  no virus found
VBA32           3.11.2           03.03.2007  no virus found
VirusBuster     4.3.19:9         03.03.2007  no virus found
(Sorry about the bad formatting, wasn’t sure how to copy the results across.)
I’m not entirely sure how to interpret the results. There seem to be a few virus scanners which identify it as some kind of malware, but the majority of the ones I recognise as being respected (AntiVir, NOD32 and their ilk) seem to indicate it’s not malware.
As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left-click the blue ‘a’ icon, click on the provider icon at left and then Customize. Go to the Advanced tab and click on the Add button…
You can use wildcards like * and ?. But be careful: you shouldn’t ‘exclude’ so many files that you leave your system in danger.
After that, please periodically check it: scan it in the Chest by right-clicking the file; there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected as being infected you can also remove it from the exclusion list.
Thanks for your help everyone. It’s starting to look like it’s a false positive, so I’ll leave it in the chest for now and rescan it at a later date to check it again. At least I learnt about the useful AVG Anti-Spyware program in the process.
Sorry for the double post, but I just noticed something worrying: while it didn’t show up under msconfig, it is listed as trying to run on startup when using the Autoruns program from Sysinternals. Naturally, now that it’s not in the right location anymore it won’t work, but it made me doubt whether it really is a false positive or not, since I can’t see any reason why a file in the temp folder would need an entry in the registry.
You are correct to query why something in the Temp folder would have a startup entry.
Since there were also a few other AVs that detected this (but none of the ones I would have expected: NOD32, BitDefender, Kaspersky, etc.), allied to the startup entry, I too would be suspicious. Given that it is in a temp location, it shouldn’t be a problem to delete it anyway.
Hmm, would it be worth using the ‘Email to Avast’ feature for further examination, to see if they can determine whether it’s an actual virus or not? I’m so confused, since the majority of the major antivirus programs don’t pick it up and I can’t think of any way a virus could have got on my system, yet more than one program did detect it, and I really can’t comprehend why or how a registry entry for it exists.
Also, if I do send it in for examination, do I get feedback so I can get some peace of mind? Naturally I’d be very appreciative of this; I get rather paranoid when it comes to viruses and what they could be up to behind my back. Luckily, a full scan using various antispyware programs and Avast hasn’t revealed anything else thus far.
I too can’t understand why a file in a temp folder needs a startup entry, and to me that is suspicious, especially if I had no knowledge of what it was. What was the full path to the file? Perhaps the folder in front of the file might give an indication. Me, I regularly clear out the temp folders anyway, so it would be gone in a heartbeat, good or bad: ClearProg - Temp File Cleaner or CCleaner - Temp File Cleaner, etc.
You normally won’t get a reply or any confirmation from avast unless they require more information.
If it is in the chest you can send it from there: right-click the file and select Email to Alwil Software. In the additional information/text window give a brief explanation of the problem and the URL to this topic. http://forum.avast.com/index.php?topic=26989.0
IIRC the full path was C:\Documents and Settings\(User Name)\Local Settings\Temp, but that doesn’t really reveal much about what put it there, unfortunately. If it helps, though, the section it was listed under in the Autoruns program was actually the Services section rather than just the Startup section.
I’ve since reinstalled CCleaner (I used to use it in the past) and had a good clear-out of the temp folders, so hopefully there’s nothing else lurking about. I’ll send the file from the chest. Cheers for your help.
The path would make it even more suspicious if there wasn’t a sub-folder in Temp to indicate what installed it, as most programs sort of conform to that convention.
There were various subfolders, but alas I’ve long since cleared them out. However, I did note that under the Autoruns program it’s listed as a service on startup rather than a program as such. Whether this means much, however, I don’t know.
Very bad… if it’s running as a service you need to get clean from this virus.
It would be good if you use WinPatrol to protect you against this kind of infection…
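As an added example (not from this thread, Avast, or Sysinternals): a small Python script that does what the Autoruns Services view prompted here, namely going through a .reg export of HKLM\SYSTEM\CurrentControlSet\Services and flagging any service or driver whose ImagePath points into a Temp folder, any kernel driver loaded from outside system32\drivers, and any entry with no DisplayName. The registry text inside it is constructed for the example; the user name and full path in the aaudstum.sys entry are assumptions, and the two other services are ordinary XP entries included for contrast.

```python
# Added example (not from the thread or from Avast): flag services and drivers
# whose binary sits in a Temp folder, from a .reg export of
# HKLM\SYSTEM\CurrentControlSet\Services. SAMPLE_REG is constructed, not real.
import re
from typing import Any, Dict, List


def reg_expand_sz(value: str, width: int = 20) -> str:
    """Encode text as .reg REG_EXPAND_SZ: UTF-16LE bytes as comma-separated hex,
    long lines continued with a trailing backslash (used to build the sample)."""
    parts = [f"{b:02x}" for b in (value + "\0").encode("utf-16-le")]
    lines = [",".join(parts[i:i + width]) for i in range(0, len(parts), width)]
    return "hex(2):" + ",\\\n  ".join(lines)


# Constructed sample: two normal entries plus one modelled on the thread's
# aaudstum.sys service entry (the user name and exact path are assumptions).
SAMPLE_REG = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]",
    '"Type"=dword:00000110',
    '"ImagePath"=' + reg_expand_sz(r"%SystemRoot%\system32\spoolsv.exe"),
    '"DisplayName"="Print Spooler"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]",
    '"Type"=dword:00000001',
    '"ImagePath"=' + reg_expand_sz(r"System32\DRIVERS\disk.sys"),
    '"DisplayName"="Disk Driver"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aaudstum]",
    '"Type"=dword:00000001',
    '"ImagePath"=' + reg_expand_sz(
        r"\??\C:\Documents and Settings\User\Local Settings\Temp\aaudstum.sys"),
    "",
])

SERVICE_KEY = re.compile(
    r"HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\([^\\]+)$", re.IGNORECASE)


def decode_value(raw: str) -> Any:
    """Decode one .reg value: quoted string, dword, or hex / hex(N) byte list."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        return raw
    kind = int(m.group(1) or 3)  # bare "hex:" is REG_BINARY
    data = bytes(int(h, 16) for h in m.group(2).split(",") if h)
    if kind in (2, 7):  # REG_EXPAND_SZ / REG_MULTI_SZ hold UTF-16LE text
        text = data.decode("utf-16-le").rstrip("\0")
        return text.split("\0") if kind == 7 else text
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, Any]]:
    """Return {service name: {value name: value}} for top-level Services keys."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # rejoin backslash-continued hex
    services: Dict[str, Dict[str, Any]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            m = SERVICE_KEY.match(line[1:-1])
            current = m.group(1) if m else None  # sub-keys like ...\Security skipped
            if current:
                services.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            services[current][name.strip('"')] = decode_value(raw)
    return services


def normalize_image_path(image_path: str) -> str:
    """Drop the \\??\\ NT prefix and quotes; XP stores driver paths relative to
    %SystemRoot%, so make that explicit before matching."""
    p = image_path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = "%SystemRoot%" + p[len("\\SystemRoot"):]
    elif not re.match(r"^(?:[a-zA-Z]:\\|%)", p):
        p = "%SystemRoot%\\" + p.lstrip("\\")
    return p.lower()


def suspicious_services(services: Dict[str, Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map service name -> reasons it deserves a closer look in Autoruns."""
    flagged: Dict[str, List[str]] = {}
    for name, values in services.items():
        reasons = []
        path = normalize_image_path(str(values.get("ImagePath", "")))
        if re.search(r"\\(temp|tmp)\\", path):
            reasons.append("image path is inside a Temp directory")
        is_driver = int(values.get("Type", 0)) & 0x3  # 1 kernel / 2 file-system driver
        if is_driver and "\\system32\\drivers\\" not in path:
            reasons.append("driver loaded from outside system32\\drivers")
        if not values.get("DisplayName"):
            reasons.append("no DisplayName")
        if reasons:
            flagged[name] = reasons
    return flagged
```

On a real machine, `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` (or File > Export in regedit) produces this format; regedit writes Unicode exports, so read the file with `open("services.reg", encoding="utf-16")` before handing the text to parse_reg_export. The heuristics are deliberately loose: a legitimate installer does occasionally register a driver from a temporary extraction folder, so a hit is a reason to look at the file, not proof of infection.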
Hmm, I still can’t comprehend how it got there. I can’t really seem to find anything about it at all on Google. A brief glance at the file properties from the chest seems to indicate that it was last modified on 01/06/2004, which seems… odd. The closest thing I’ve found to discussion of it was on another spyware forum where somebody took a look at a file by the same name and said it looked like some kind of SCSI driver, but I have no idea what that relates to, plus it could be an entirely separate case. I haven’t restored the file to look at its properties yet, though (and I’d expect Avast would complain if I tried). A full scan by both AVG and Avast hasn’t revealed any more files that are suspicious, which I find surprising if this is a virus, but I am still perplexed by this file.
Edit: Hmm, interesting development. When it talked about SCSI drivers: the only storage device apart from hard drives and CD-ROM I have is my USB stick. So I tried plugging it in and, interestingly, Windows no longer automatically mounts the USB stick any more, or even tries to. Related, perhaps?