Win32:Lineage-518 Trojan

This virus has just been detected 3 times on my machine. I sent all 3 to the chest, but only two have appeared in there.

Of the 2 that are in there, one was in the CounterSpy folder (which, when I scanned again, did report as being this trojan) and the other is in my System Volume Information restore point. Trouble is, it says the last time it was amended was 18/08/06, and I’ve done many virus scans since that time, so why detect it now?

Is this virus majorly harmful? I can’t find any info about it on the web and not sure whether to be really concerned or not. I’m just about to delete both instances from the chest.

Just found out that the one it can’t move into the chest is the same file from the CounterSpy folder but it’s also found it in the windows\downloaded installations folder. How do I remove that?

Did you try scanning with avast at boot time?
Start avast! > Right click the skin > Schedule a boot-time scanning. Select scanning of archives. Boot.

I also suggest:

  1. Enable/Disable System restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k.

  2. Clean your temporary files. You can use the Windows Advanced Care features for that.

  3. It would be good to download, install, update and run other trojan remover tools: a-squared and/or Free AVG Antispyware (trojan removers). Some users recommend SUPERantispyware or Spyware Terminator.

  4. Use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features for spyware/adware cleaning and removal.

Hi thanks for that, I haven’t done a boot time scan which I’ll do now. What’s the difference between running one in windows and doing a boot time scan?

Also would disabling system restore not be a problem in the future if I do need to restore?

What was the infected file name and full location?

There has been an occurrence of unencrypted CounterSpy signatures being detected; the file name and location will help to confirm or deny that.

Have you got the latest version of CounterSpy, as that may correct the issue?

New signatures are constantly being added to the VPS so it might simply be that it is now being detected, though the Lineage-518 was added to the VPS on 20.2.2007 - 0715-0.

Files that can’t be scanned or processed because they are in use can be scanned and processed when windows isn’t running.

Once the problem is resolved and your system is clean you can enable system restore, that gives you a clean restore point.

You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner). I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 29 different scanners.

Or Jotti (multi-engine on-line virus scanner); if any other scanners there detect it, it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest; you will need to move it out.
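The remark above about unencrypted CounterSpy signatures being detected is worth seeing in code. The following is an added example, not code from this thread or from avast or CounterSpy: a toy substring scanner with two constructed, harmless patterns, whose signature database is written to bytes two ways. Stored verbatim, the database contains the very byte patterns the scanner looks for, so scanning it produces hits on every signature; stored XOR-obfuscated (a deliberately simple encoding chosen for illustration, with a constructed key), the raw pattern bytes never appear on disk and the same scanner reports nothing. Pattern names, record format and key are all assumptions of this example.

```python
"""Why one product's plaintext signature database can trip another scanner.

Added example (not from the forum thread or any real product). Builds a toy
substring scanner, serialises its patterns to a signature file in two ways,
and scans both files with the same patterns.
"""
import struct
from typing import Callable, Dict, List

# Constructed, harmless byte patterns standing in for real detection signatures.
PATTERNS: Dict[str, bytes] = {
    "Toy.PatternA": b"\x4d\x5a\x90\x00TOY-SIG-A",
    "Toy.PatternB": b"GET /toyC2/beacon?id=",
}

OBF_KEY = 0x5A  # constructed single-byte XOR key for the obfuscated store


def xor_bytes(data: bytes, key: int = OBF_KEY) -> bytes:
    """XOR every byte with a fixed key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def identity(data: bytes) -> bytes:
    """Encoder/decoder for the plaintext store: pattern bytes written as-is."""
    return data


def serialize(patterns: Dict[str, bytes], encode: Callable[[bytes], bytes]) -> bytes:
    """Length-prefixed records: u16 name length, name, u16 body length, body.

    Length prefixes (rather than tab/newline separators) keep parsing correct
    even when an encoded pattern happens to contain a separator byte.
    """
    out = bytearray()
    for name, pat in patterns.items():
        n, p = name.encode(), encode(pat)
        out += struct.pack(">H", len(n)) + n + struct.pack(">H", len(p)) + p
    return bytes(out)


def deserialize(blob: bytes, decode: Callable[[bytes], bytes]) -> Dict[str, bytes]:
    """Inverse of serialize(); decode() undoes whatever encoding was applied."""
    patterns: Dict[str, bytes] = {}
    pos = 0
    while pos < len(blob):
        (nlen,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        name = blob[pos:pos + nlen].decode()
        pos += nlen
        (plen,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        patterns[name] = decode(blob[pos:pos + plen])
        pos += plen
    return patterns


def scan(data: bytes, patterns: Dict[str, bytes]) -> List[str]:
    """Names of every pattern found verbatim inside data (the toy scanner)."""
    return [name for name, pat in patterns.items() if pat in data]


def demo() -> Dict[str, List[str]]:
    """Scan both signature stores and a constructed sample with the same patterns."""
    plain_db = serialize(PATTERNS, identity)
    obfuscated_db = serialize(PATTERNS, xor_bytes)
    # Both stores round-trip to the identical pattern set, so the scanner
    # loaded from either one behaves the same; only the on-disk bytes differ.
    assert deserialize(plain_db, identity) == PATTERNS
    assert deserialize(obfuscated_db, xor_bytes) == PATTERNS
    sample = b"...GET /toyC2/beacon?id=42 HTTP/1.0..."  # constructed input
    return {
        "plain_db_hits": scan(plain_db, PATTERNS),            # the DB flags itself
        "obfuscated_db_hits": scan(obfuscated_db, PATTERNS),  # nothing to match
        "sample_hits": scan(sample, PATTERNS),                # real-looking input
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label}: {hits}")
```

The same effect explains why a scanner can raise a "detection" on a file like SunThreatFileName.sdb: if that file carries another product's patterns in the clear, a string match is a true match on the bytes and still a false positive on the file's behaviour, which is why submitting the file for analysis and cross-checking with other engines is the right response.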

Excellent, thanks for that.

The exact description is:

A0033446.sdb in the system volume information restore folder.
Also sunthreatfilename.sdb in 2 locations (the CounterSpy folder and the system restore folder)

I’ll try getting the new CounterSpy, although I do also have AdAware and Spy-bot installed so I probably don’t need that one as well if I’m honest.

I suggest you enable/disable System Restore (on Windows ME or Windows XP; System Restore cannot be disabled on Windows 9x and is not available in Windows 2k) and, besides this, that you clean your temporary files. You can use the Windows Advanced Care features for that.

Disabling System Restore will delete the restore points with the infected files.

The A0033446.sdb file is likely to be a back-up of one of the other two when it was moved or deleted and system restore has created a restore point.

Based on the SunThreatFileName.sdb file name I would say it is a possibility that avast is incorrectly detecting this file. So it is essential that you use the multi-engine scanners as previously mentioned.

If it is indeed a false positive, add it to the exclusion lists (Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions) and periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected, you can also remove it from the Standard Shield and Program Settings exclusions.
Also see (Mini Sticky) False Positives, how to report it to avast! and what to do to exclude them until the problem is corrected.
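The workflow in the two replies above (record the file, check it against many engines, treat a lone detection as a probable false positive, keep the file excluded only until the original engine stops flagging it) can be written down as a small triage script. This is an added example, not part of the thread or of avast; the report format (engine name mapped to a verdict string, empty meaning clean) and the engine names and verdicts in the constructed reports are assumptions, modelled on the kind of multi-engine result described later in the thread.

```python
"""Triage a quarantined file across multi-engine rescans.

Added example (not from the forum thread). Assumes reports shaped as
{engine_name: verdict}, where "" means that engine reported the file clean.
"""
import hashlib
from typing import Dict, List, Tuple

# Verdict prefixes treated as heuristic/weak rather than a firm detection.
WEAK_VERDICT_PREFIXES = ("suspicious", "heur", "generic")

# Constructed stand-in for the file under investigation (not a real sample).
SAMPLE_BYTES = b"toy signature database, constructed for this example\n" * 4


def file_identity(data: bytes) -> Dict[str, str]:
    """Hashes and size to record before a file is moved out of the chest,
    so a later rescan can be tied to exactly the same bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": str(len(data)),
    }


def split_verdicts(report: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (firm detections, weak heuristic hits), each sorted by engine."""
    firm: List[str] = []
    weak: List[str] = []
    for engine, verdict in sorted(report.items()):
        v = verdict.strip().lower()
        if not v:
            continue  # engine reported clean
        (weak if v.startswith(WEAK_VERDICT_PREFIXES) else firm).append(engine)
    return firm, weak


def assess(report: Dict[str, str], min_engines: int = 10) -> str:
    """Classify a multi-engine report.

    Thresholds are this example's assumptions: a single firm detection backed
    by at most one heuristic hit, out of a large engine set, is treated as a
    probable false positive rather than proof either way.
    """
    firm, weak = split_verdicts(report)
    if len(report) < min_engines:
        return "inconclusive"
    if not firm and not weak:
        return "clean"
    if len(firm) <= 1 and len(weak) <= 1:
        return "probable false positive"
    return "likely malicious"


def exclusion_can_be_dropped(before: Dict[str, str], after: Dict[str, str], engine: str) -> bool:
    """True once the engine that originally flagged the file reports it clean,
    i.e. the point at which a temporary exclusion is no longer needed."""
    return bool(before.get(engine, "")) and not after.get(engine, "")


def build_report(flagging: Dict[str, str], clean_engines: int) -> Dict[str, str]:
    """Constructed report: N anonymous clean engines plus the named verdicts."""
    report = {f"engine{i:02d}": "" for i in range(clean_engines)}
    report.update(flagging)
    return report


# Constructed reports: one engine detects, one calls it suspicious, 28 clean;
# then a later rescan after a signature update where both report clean.
INITIAL_REPORT = build_report({"avast": "Win32:Lineage-518", "Panda": "Suspicious file"}, 28)
RESCAN_REPORT = build_report({"avast": "", "Panda": ""}, 28)


if __name__ == "__main__":
    ident = file_identity(SAMPLE_BYTES)
    print("sha256:", ident["sha256"], "size:", ident["size"])
    print("initial:", assess(INITIAL_REPORT), split_verdicts(INITIAL_REPORT))
    print("rescan: ", assess(RESCAN_REPORT))
    print("drop exclusion:", exclusion_can_be_dropped(INITIAL_REPORT, RESCAN_REPORT, "avast"))
```

Keeping the hashes from file_identity alongside each report is what makes the later comparison meaningful: if the file in the chest and the file you resubmit differ by even a byte, the two verdicts are not about the same object.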

psw.lineage.dn is the same trojan as Lineage-518???

I’m trying to figure out why I am having these same issues - have tried all the fixes - am still infected - but expected to pay for this service. Although I’ve made many changes in the last few days - I don’t want to back up my work and possibly infect my Maxtor Hard Drive. I’m pretty sick of dealing with this and taking risks by not having back ups for work I cannot afford to lose.

So what’s the deal?

Hi kentmonkey,

Go here, and use the second cleansing method: http://www.claymania.com/removal-trojan-adware.html

polonus

I am getting the exact same problem as the original poster. I have submitted the offending file to virustotal.com. Only avast reported the file as containing any virus at all (Win32:Lineage-518), although Panda reported it as a ‘suspicious file’. 28 other antivirus products reported ‘no virus found’.

So either avast is the cleverest AV product around or it gave a false positive. Which is more likely?

If it is the same file name, sunthreatfilename.sdb, I already answered that in reply #7 above: I felt it is likely to be a false detection and it should be submitted to avast.

Unfortunately we didn’t get any further feedback from kentmonkey (but it is basically confirmed by your results), or whether he submitted it to avast; that is the only way to ensure it is analysed and hopefully the VPS corrected.

Before submission ensure you have the latest VPS and scan it again.