Twain.exe and hiberfil.sys infected

Greetings,

Forum newbie and not much more than computer novice here so feel free to spell stuff out for me :)

Ran AV 4.8 and received the following 2 reports:

  1. C:\Documents and Settings\HP_Owner\Application Data\Twain\Twain.exe is infected by WIN32:Trojan-gen [other]

Action: I pressed “2” to delete all and the following error came up:

  2. C:\hiberfil.sys is infected by WIN32:Lineage-197[Trj]

Action: I pressed “2” again to delete and received: Error 0xC0000043 (file cannot be opened because share access flags are incompatible) Repair attempt = error 42060 (file not repaired)

I did some research after this and found advice to NOT delete because then it’s not possible to undo any changes if the system is not working properly anymore, especially if you don’t really know what you are doing (DOH! ::))

At that point I registered for this forum to ask people who know way more than I do.

Thanks for your assistance.

How is your computer hard disk partitioned?

Um… newbie here so…

Running XP so there is at least one. ;D
Other than that I don’t know. Can you direct me to find out? Thanks.

SuperAntiSpyware should remove twain.exe. It is detected as Trojan.Agent/Gen-TwainFake.Process.

Download the Free Version.

Twain looks legit in that location.

http://en.wikipedia.org/wiki/TWAIN

In My Computer, what do you see? How many drives, and what are the names? C:, D: etc.

Hiberfil.sys is the hibernation file where memory is dumped to disk during hibernation. It is not usually scanned unless you’re scanning from a separate partition, when it frequently generates false positives.

Have C:/, D: recovery, E: is CD drive, F: thru I: are removable disks (Have USB ports, memory stick, etc. Machine is HP Pavilion a1101n)

I thought hiberfil.sys was excluded when scanning from the same partition: I don’t know why you’re seeing that detection.

As I said before it’s just a memory dump, so you should ignore it. If it’s not a false positive, the virus is not active in the hiberfil.sys file but it will be active elsewhere.

If you have deleted twain.exe, you’ll probably find your scanner doesn’t work: this is why it’s always best to send detected files to the Chest (quarantine) where they can do no harm but can be restored if they turn out to be a false positive.

I’d recommend you try a boot time scan with avast! Right click the scanner screen, select ‘schedule a boot time scan’ and reboot when requested. (Or open the tab at the top left of the scanner screen and select the boot time option from there.)

Then try the usual free adware/spyware scanners.

SUPERAntiSpyware Free
Malwarebytes’ Anti-Malware

Download, install and update the programs.
Always select the option to quarantine any malware found rather than delete it, then you will be able to restore files or registry entries wrongly identified as malware - a rare but not unknown event for any malware scanner.

Sorry, FWF. I shouldn’t know better. According to ThreatExpert, 96% of this filename was found to be a threat. About 4% of this filename was considered safe. I must be confusing a legitimate file for a malicious file.

@BowlMe900, you have to reinstall your HP scanner/printer all over again.