I did a virus check with Avast last night and it came up saying I had ‘Win32: Spyware-gen [TRJ]’ and ‘Win32: Inservice-DH [TRJ]’ on some files. I’ve now moved these to the chest. However, I’m not entirely sure if I need to do anything else to these? Are they safe where they are? I googled the ‘Win32: Spyware-gen [TRJ]’ and got some results saying that the trojan re-appears on different files once it’s been moved to the chest. Further to this there are several other trojans in the chest - ones that I put there some time ago. Can I do anything with these? Is it safe to leave them there?
Also, the scan picked up a few files it says it is “Unable to Scan: Archive is Password Protected” and “Unable to Scan: CHM Archive is Corrupted”. I am unable to move or delete or repair these files, even in safe mode. Are they likely to be harmful?
I’ve carried out spyware checks using Lavasoft, SUPERAntiSpyware, AVG Anti-Spyware, SpywareBlaster, and Spyware Doctor. I’ve either deleted or quarantined everything that was flagged up. I’ve also run CCleaner and Spybot Search and Destroy (although I didn’t remove anything from S&D as I don’t know what I’m doing).
I’ve pasted my HijackThis results below and would be grateful if you could give me some advice on what you think I should do next. I’m currently updating Avast’s VRDB but it’s taking hours… I’m not even sure it will tell me when it’s finished or what I should do when it’s finished.
Any help would be greatly appreciated.
Matt
Logfile of HijackThis v1.99.1
Scan saved at 11:55:24, on 16/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Problem is I’m still not sure what to delete/remove or whatnot. The first two ‘possibly nasty’s it flags up are both in the avast program files… I’m a bit wary of playing around with these without knowing what I’m doing. I think the third ‘possibly nasty’ is avast too. Any ideas?
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.
These give us a little more scope for finding information on the file name and possibly other removal information on associated registry entries, files, etc. The malware name isn’t so helpful on its own.
Those ‘possibly nasty’ entries mean you need to do some research, and in the case of the avast files there is no problem with those, as you have installed avast into the D:\ partition?
It is basically pointing out that it differs from the default location, C:\Program Files\Alwil Software\Avast4, and as such could be something trying to pass itself off as avast and ‘possibly nasty.’
Ah yeah, that makes sense about the avast ‘possibly’ ones. Thanks.
Here is my log file, along with dates (latest ones first):
16/04/2007 12:17:55 Matt Wilko 3100 Sign of “Win32:Inservice-DH [Trj]” has been found in “C:\Documents and Settings\Matt Wilko\Local Settings\Application Data\Mozilla\Firefox\Profiles\hgga03l0.default\Cache_CACHE_003_” file.
15/04/2007 23:11:42 Matt Wilko 244 Sign of “Win32:Inservice-DH [Trj]” has been found in “C:\DOCUME~1\MATTWI~1\LOCALS~1\Temp\65tb6yb8.zip” file.
15/04/2007 22:12:43 Matt Wilko 384 Sign of “Win32:Spyware-gen. [Trj]” has been found in “D:\System Volume Information_restore{56BBF39E-459B-4B83-B589-D3EEA342F947}\RP484\A0098123.EXE\TSINST.EXE” file.
15/04/2007 21:52:46 Matt Wilko 384 Sign of “Win32:Spyware-gen. [Trj]” has been found in “D:\System Volume Information_restore{56BBF39E-459B-4B83-B589-D3EEA342F947}\RP484\A0098123.EXE\TSUNINST.EXE” file.
15/04/2007 21:14:10 Matt Wilko 384 Sign of “Win32:Spyware-gen. [Trj]” has been found in “D:\Applications\PKZip V2.7\PK270WSP.EXE\TSINST.EXE” file.
15/04/2007 21:13:26 Matt Wilko 384 Sign of “Win32:Spyware-gen. [Trj]” has been found in “D:\Applications\PKZip V2.7\PK270WSP.EXE\TSUNINST.EXE” file.
25/10/2006 23:33:10 SYSTEM 720 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\KsUser.dll (C:\WINDOWS\system32\KsUser.dll) returning error, 0000A474.
23/10/2006 23:59:16 SYSTEM 256 Function setifaceUpdatePackages() has failed. Return code is 0x00000001, dwRes is 00000001.
02/09/2006 22:57:16 SYSTEM 252 aswServ::AavmStart ERROR…
11/08/2006 10:17:20 Matt Wilko 2380 Function setifaceUpdateFiles() has failed. Return code is 0x20000011, dwRes is 20000011.
15/07/2006 14:48:35 Matt Wilko 1792 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.
28/04/2006 01:54:29 SYSTEM 1756 An error has occured while attempting to update. Please check the logs.
28/04/2006 01:54:27 SYSTEM 1756 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
26/03/2006 16:40:02 Matt Wilko 1224 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.
26/03/2006 15:03:08 Matt Wilko 2396 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.
05/03/2006 21:36:57 Matt Wilko 1752 Sign of “Win32:Trojan-gen. {Other}” has been found in “D:\System Volume Information_restore{56BBF39E-459B-4B83-B589-D3EEA342F947}\RP239\A0034239.exe” file.
05/03/2006 18:39:43 Matt Wilko 1752 Sign of “Win32:Trojano-3295 [Trj]” has been found in “C:\DOCUME~1\MATTWI~1\LOCALS~1\Temp\b24yvwhj.exe[Yoda]” file.
03/03/2006 17:36:56 SYSTEM 1760 Sign of “Win32:Trojan-gen. {Other}” has been found in “D:\System Volume Information_restore{56BBF39E-459B-4B83-B589-D3EEA342F947}\RP239\A0034238.exe” file.
03/03/2006 12:05:58 SYSTEM 1756 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
03/03/2006 12:05:58 SYSTEM 1756 An error has occured while attempting to update. Please check the logs.
03/03/2006 06:28:48 SYSTEM 1756 Sign of “Win32:Trojan-gen. {Other}” has been found in “D:\System Volume Information_restore{56BBF39E-459B-4B83-B589-D3EEA342F947}\RP239\A0034238.exe” file.
03/03/2006 00:19:41 Matt Wilko 676 Sign of “Win32:Trojan-gen. {Other}” has been found in “D:\Program Files\DivX Codec 3.11\DivX Codec\uninstall.exe” file.
03/03/2006 00:09:55 Matt Wilko 676 Sign of “Win32:Trojan-gen. {Other}” has been found in “D:\Applications\Div X\DivX-3.11-Installer.exe” file.
02/03/2006 22:17:40 Matt Wilko 408 Sign of “Win32:Trojan-gen. {Other}” has been found in “D:\Applications\Div X\DivX-3.11-Installer.exe” file.
23/02/2006 00:16:06 Matt Wilko 1752 Sign of “MS06-001 WMF Exploit” has been found in “C:\DOCUME~1\MATTWI~1\LOCALS~1\Temp\k6v07c6o.wmf” file.
16/02/2006 22:28:54 Matt Wilko 3232 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.
The x:\System Volume Information folder (x being the drive letter) is a part of the system restore function and as such is protected by Windows; the only way to clean infected _restore points is to disable system restore and reboot. This will clear ALL _restore points. Once you have disabled system restore, reboot, scan your PC again and if clear enable system restore.
The ones relating to codecs are one of the common areas for trojan infection, especially if you did a search for free codecs; however, there have been some strange detections of uninstall files so I would check these out. You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest, you will need to move it out.
The others appear to be good detections based on their location and file names, but you can check them out if you wish.
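The triage described in this reply (Windows-protected restore points, temporary files, and installed applications each get different handling) can be applied mechanically to the avast! Log Viewer lines quoted above. The following is an added example written for this thread; it is not avast's own tooling and not code from anyone posting here. It parses the “Sign of … has been found in …” warning lines, skips the update-failure and AAVM entries, and buckets each detection by where the file lives. The path rules and the advice strings are my own summary of the posts above, and the sample lines are a constructed subset of the log quoted earlier in the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# avast! 4 Log Viewer "Warning" lines, as pasted in the thread:
#   <dd/mm/yyyy> <hh:mm:ss> <user> <pid> Sign of "<name>" has been found in "<path>" file.
# Both straight and curly quotes are accepted because forum software rewrites them.
DETECTION_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) .*?'
    r'Sign of [“"](?P<name>[^”"]+)[”"] has been found in [“"](?P<path>[^”"]+)[”"] file\.$'
)

# Advice strings summarise the replies in this thread (my wording, not avast documentation).
ADVICE = {
    "system-restore": "Windows-protected restore point: disable System Restore, reboot, "
                      "rescan, then re-enable it (this discards ALL restore points).",
    "temporary": "Temporary file (Temp folder or browser cache): just delete it; "
                 "nothing to restore or verify.",
    "application": "Installed software: confirm the detection with a multi-engine scanner "
                   "before deleting; a hit from one engine only may be a false positive.",
}


@dataclass
class Detection:
    date: str
    name: str   # signature name, e.g. "Win32:Spyware-gen. [Trj]"
    path: str   # file the signature was found in
    kind: str   # one of the ADVICE keys


def classify_path(path: str) -> str:
    """Bucket a detection by where the file lives, following the thread's advice."""
    p = path.lower()
    if "\\system volume information" in p:
        return "system-restore"
    if "\\temp\\" in p or "\\cache" in p:
        return "temporary"
    return "application"


def parse_log(text: str) -> list[Detection]:
    """Extract detections; update failures and AAVM warnings are not detections and are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["date"], m["name"], m["path"], classify_path(m["path"])))
    return found


def triage(text: str) -> dict[str, list[Detection]]:
    """Group detections by handling bucket, preserving log order within each bucket."""
    groups: dict[str, list[Detection]] = {k: [] for k in ADVICE}
    for d in parse_log(text):
        groups[d.kind].append(d)
    return groups


# Constructed sample: a subset of the Log Viewer lines quoted in the thread.
SAMPLE_LOG = r"""
16/04/2007 12:17:55 Matt Wilko 3100 Sign of “Win32:Inservice-DH [Trj]” has been found in “C:\Documents and Settings\Matt Wilko\Local Settings\Application Data\Mozilla\Firefox\Profiles\hgga03l0.default\Cache_CACHE_003_” file.
15/04/2007 23:11:42 Matt Wilko 244 Sign of “Win32:Inservice-DH [Trj]” has been found in “C:\DOCUME~1\MATTWI~1\LOCALS~1\Temp\65tb6yb8.zip” file.
15/04/2007 22:12:43 Matt Wilko 384 Sign of “Win32:Spyware-gen. [Trj]” has been found in “D:\System Volume Information_restore{56BBF39E-459B-4B83-B589-D3EEA342F947}\RP484\A0098123.EXE\TSINST.EXE” file.
15/04/2007 21:14:10 Matt Wilko 384 Sign of “Win32:Spyware-gen. [Trj]” has been found in “D:\Applications\PKZip V2.7\PK270WSP.EXE\TSINST.EXE” file.
25/10/2006 23:33:10 SYSTEM 720 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\KsUser.dll (C:\WINDOWS\system32\KsUser.dll) returning error, 0000A474.
23/10/2006 23:59:16 SYSTEM 256 Function setifaceUpdatePackages() has failed. Return code is 0x00000001, dwRes is 00000001.
03/03/2006 00:19:41 Matt Wilko 676 Sign of “Win32:Trojan-gen. {Other}” has been found in “D:\Program Files\DivX Codec 3.11\DivX Codec\uninstall.exe” file.
"""

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"== {kind}: {ADVICE[kind]}")
        for d in items:
            print(f"   {d.date}  {d.name:28}  {d.path}")
```

Paste the Warning section of the Log Viewer into SAMPLE_LOG (or read it from a file) and the output lists the restore-point hits you cannot touch directly, the temporary files you can simply delete, and the application files that are worth a second opinion before removal.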
Well, all the avast entries in the HJT logfile are fine; this is one of the undocumented HJT hiccups. I also checked up on fdcatch.dll and wltrysvc.exe; no problems there either. As far as I can see the log is clean, just get the latest version of Sun Java, if you haven’t that already. Just curious what the others will recommend or if something was overlooked…
polonus
PS Wilko here is a boy’s name from the Groningen province. Where does yours stem from?
Many thanks for that help. Can I just ask though, what do you mean by ‘check these out’? Do you mean restore the files? Or delete them or something?
I did an online scan of the first infected file to see what happened. Firstly I restored the file - C:\Documents and Settings\Matt Wilko\Local Settings\Application Data\Mozilla\Firefox\Profiles\hgga03l0.default\Cache_CACHE_003_ - and then I entered it into Jotti to be scanned (VirusTotal didn’t seem to work…it just took me to a blank screen). The results in Jotti were that one scanner (Avast) found it to be infected with the Inservice trojan. All the other scanners found no error. I’m still not really sure whether that means I should delete it, keep it in the chest or restore it though?! Same goes for the other codecs/uninstall files.
If you could let me know what you think it’d be brilliant.
Cheers Polonus, Wilko here is derived from Wilkinson which is my surname! I think it may be Irish…but don’t quote me on that! Thanks for checking the log.
By check them out you did exactly what I intended: use VirusTotal and/or Jotti (my preference would be VirusTotal as that has more different scanning engines). Personally there is no need to check detections in temporary locations, as by their nature they are temporary and temporary files can simply be deleted; I usually recommend clearing temporary files before running an on-demand scan for the same reason, they are temporary.
Basically you are checking that the detection is good, if only avast detects it then it may be a false positive detection. So I don’t want you to delete them but confirm/check the detection is good.
These were the ones I think should be checked:
15/04/2007 21:13:26 Matt Wilko 384 Sign of “Win32:Spyware-gen. [Trj]” has been found in “D:\Applications\PKZip V2.7\PK270WSP.EXE\TSUNINST.EXE” file.
Detections relating to codec files:
03/03/2006 00:19:41 Matt Wilko 676 Sign of “Win32:Trojan-gen. {Other}” has been found in “D:\Program Files\DivX Codec 3.11\DivX Codec\uninstall.exe” file.
03/03/2006 00:09:55 Matt Wilko 676 Sign of “Win32:Trojan-gen. {Other}” has been found in “D:\Applications\Div X\DivX-3.11-Installer.exe” file.
02/03/2006 22:17:40 Matt Wilko 408 Sign of “Win32:Trojan-gen. {Other}” has been found in “D:\Applications\Div X\DivX-3.11-Installer.exe” file.
If any prove to be false positives, add it/them to the exclusions lists (Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions) and periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
Also see (Mini Sticky) False Positives, how to report it to avast! and what to do to exclude them until the problem is corrected.
I did a scan on all the items in the chest in Avast, and all of the ones you mentioned in your last post - apart from one (below) - came up as ‘no virus’ which I guess means they’ve been cleaned up?
The one that is still not clean is:
15/04/2007 21:13:26 Matt Wilko 384 Sign of “Win32:Spyware-gen. [Trj]” has been found in “D:\Applications\PKZip V2.7\PK270WSP.EXE\TSUNINST.EXE” file.
Now, unfortunately I can’t restore this file for some reason (I can’t restore any of the tsuninst.exe or tsinst.exe ones).
What I can - and did - do was scan the PK270WSP.EXE file (where the log says those two Tsuninst and Tsinst files are located) in VirusTotal. It came up with the following results (Sunbelt and Webwasher Gateway found it suspicious):
AhnLab-V3 2007.4.14.0 04.16.2007 no virus found
AntiVir 7.3.1.52 04.16.2007 no virus found
Authentium 4.93.8 04.16.2007 no virus found
Avast 4.7.936.0 04.13.2007 no virus found
AVG 7.5.0.447 04.16.2007 no virus found
BitDefender 7.2 04.17.2007 no virus found
CAT-QuickHeal 9.00 04.16.2007 no virus found
ClamAV devel-20070312 04.16.2007 no virus found
DrWeb 4.33 04.17.2007 no virus found
eSafe 7.0.15.0 04.16.2007 no virus found
eTrust-Vet 30.7.3572 04.16.2007 no virus found
Ewido 4.0 04.16.2007 no virus found
FileAdvisor 1 04.17.2007 no virus found
Fortinet 2.85.0.0 04.16.2007 no virus found
F-Prot 4.3.2.48 04.16.2007 no virus found
F-Secure 6.70.13030.0 04.16.2007 no virus found
Ikarus T3.1.1.5 04.16.2007 no virus found
Kaspersky 4.0.2.24 04.17.2007 no virus found
McAfee 5010 04.16.2007 no virus found
Microsoft 1.2405 04.16.2007 no virus found
NOD32v2 2195 04.16.2007 no virus found
Norman 5.80.02 04.12.2007 no virus found
Panda 9.0.0.4 04.17.2007 no virus found
Prevx1 V2 04.17.2007 no virus found
Sophos 4.16.0 04.16.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 VIPRE.Suspicious
Symantec 10 04.17.2007 no virus found
TheHacker 6.1.6.088 04.09.2007 no virus found
VBA32 3.11.3 04.16.2007 no virus found
VirusBuster 4.3.7:9 04.16.2007 no virus found
Webwasher-Gateway 6.0.1 04.16.2007 Virus.Win32.FileInfector.gen (suspicious)
Aditional Information
File size: 750794 bytes
MD5: 254a68d2ee2fd86f0ac070ae63a47dfc
SHA1: bcfdc355eccb7023f31d4cf34557dff6e70d6792
packers: PKLITE32
packers: PKLite32
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
What should I do with this in mind?
Moving on, I think that if I ignore the temp files - which I will delete at some point - and the system restore ones (which I’ll get rid of after turning system restore off hopefully) - that just leaves the two PK270WSP files (Tsinst.exe and Tsuninst.exe) and the _Cache_003 file.
With the _Cache_003 file, I think this has been replaced by Mozilla as there is a smaller file of the same name in the same folder. I scanned this in Avast and on VirusTotal and it is fine. However, if I scan the file of the same name (but different size) in the Chest, it is still infected.
OK, I’ve just put the restored _cache_003 through Jotti.
Here’s the results:
Scan taken on 16 Apr 2007 23:18:32 (GMT)
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found Win32:Inservice-DH
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
One thing I have noticed a couple of times now (each time I’ve restored the _Cache_003 file) is that the graphics on this forum go all weird - it’s just a white background and just text, no graphics whatsoever really.
Also on Firefox, if I open the VirusTotal page it has ‘AMATEUR’ written cross the screen - in a massive font size, with a website of www.amateurallure.com written above it. I haven’t and won’t be seeing what that site is, although I googled it and it looked really dodgy.
Anyway, I can’t use Firefox to scan the _Cache_003 file in VirusTotal - nothing happens when I click Send. I can’t click on a few buttons on the VirusTotal homepage actually. They just won’t work. I’m currently trying to scan it in VirusTotal using Internet Explorer but it’s taking ages to load and has crashed every time so far… I’ll keep trying though.
I did a scan on all the items in the chest in Avast, and all of the ones you mentioned in your last post - apart from one (below) - came up as 'no virus' which I guess means they've been cleaned up?
No, it is more likely that the detection wasn’t good, a false positive, so you should send samples to avast as outlined in the False Positive link I gave above.
I also believe the PKZIP one may also be a false positive detection.
Now, unfortunately I can't restore this file for some reason (I can't restore any of the tsuninst.exe or tsinst.exe ones).
Checking back in your posts these were in:
15/04/2007 22:12:43 Matt Wilko 384 Sign of “Win32:Spyware-gen. [Trj]” has been found in “D:\System Volume Information_restore{56BBF39E-459B-4B83-B589-D3EEA342F947}\RP484\A0098123.EXE\TSINST.EXE” file.
15/04/2007 21:52:46 Matt Wilko 384 Sign of “Win32:Spyware-gen. [Trj]” has been found in “D:\System Volume Information_restore{56BBF39E-459B-4B83-B589-D3EEA342F947}\RP484\A0098123.EXE\TSUNINST.EXE” file.
So you have no need to restore these and windows will stop you placing (even restoring) files in this windows protected area.
So I would simply suggest re-installing PKZIP 2.7 again.
As I said, it really is a waste of time worrying too much about stuff in temp locations like the browser cache; there is little point in trying to restore it, it is temporary. Not to mention Cache_003 is a special file containing multiple files collected into one cache, so there is little point in recovering this.
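The rule of thumb used throughout this thread (if only avast detects a file it may be a false positive, and heuristic “suspicious” flags from gateway scanners carry less weight than corroborating named signatures) can be written down as a small consensus check over multi-engine results. The following is an added example; it is not VirusTotal's, Jotti's or avast's code and not from anyone in the thread. It parses the two report formats pasted above (the 2007-era VirusTotal table and Jotti's two-line-per-engine list) and returns a verdict of clean, heuristic-only, single-engine or corroborated. The heuristic-name pattern and the “two named signatures” threshold are my own assumptions, and the sample rows are constructed by trimming the reports quoted in the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Names that signal a heuristic/generic verdict rather than a specific signature.
# This pattern is my own assumption about vendor naming, not a VirusTotal or Jotti rule.
HEURISTIC_RE = re.compile(r"(suspicious|heur|[.\-_]gen\b)", re.IGNORECASE)
VT_DATE_RE = re.compile(r"\d{2}\.\d{2}\.\d{4}")


def parse_virustotal(text: str) -> dict[str, str | None]:
    """Parse 2007-era VirusTotal rows: '<engine> <version> <date> <result>'.

    Returns engine -> detection name, or None for 'no virus found'. Footer lines
    such as 'File size: ...' lack a date in the third column and are skipped."""
    results: dict[str, str | None] = {}
    for line in text.strip().splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4 or not VT_DATE_RE.fullmatch(parts[2]):
            continue
        engine, _version, _date, result = parts
        result = result.strip()
        results[engine] = None if result.lower() == "no virus found" else result
    return results


def parse_jotti(text: str) -> dict[str, str | None]:
    """Parse Jotti rows: engine name on one line, 'Found nothing' / 'Found <name>' on the next.

    Any line that is not followed by a 'Found ...' line (the scan header, the trailing
    classification note) is ignored."""
    results: dict[str, str | None] = {}
    prev = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Found ") and prev is not None:
            name = line[len("Found "):]
            results[prev] = None if name.lower() == "nothing" else name
            prev = None
        else:
            prev = line
    return results


@dataclass
class Verdict:
    engines: int            # how many engines scanned the file
    hits: dict[str, str]    # engines that flagged it, with the name each gave
    verdict: str            # clean | heuristic-only | single-engine | corroborated


def assess(results: dict[str, str | None]) -> Verdict:
    """Weigh corroboration; discount lone or purely heuristic hits (thresholds are mine)."""
    hits = {e: r for e, r in results.items() if r}
    named = {e: r for e, r in hits.items() if not HEURISTIC_RE.search(r)}
    if not hits:
        verdict = "clean"
    elif not named:
        verdict = "heuristic-only"   # only generic/suspicious flags: probable false positive
    elif len(named) == 1:
        verdict = "single-engine"    # one named signature, nobody corroborates: send the vendor a sample
    else:
        verdict = "corroborated"     # two or more named signatures: treat as a real detection
    return Verdict(len(results), hits, verdict)


# Constructed samples trimmed from the reports pasted in this thread.
VT_SAMPLE = """
AhnLab-V3 2007.4.14.0 04.16.2007 no virus found
Avast 4.7.936.0 04.13.2007 no virus found
BitDefender 7.2 04.17.2007 no virus found
Kaspersky 4.0.2.24 04.17.2007 no virus found
McAfee 5010 04.16.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 VIPRE.Suspicious
Symantec 10 04.17.2007 no virus found
Webwasher-Gateway 6.0.1 04.16.2007 Virus.Win32.FileInfector.gen (suspicious)
File size: 750794 bytes
packers: PKLITE32
"""

JOTTI_SAMPLE = """
Scan taken on 16 Apr 2007 23:18:32 (GMT)
AntiVir
Found nothing
Avast
Found Win32:Inservice-DH
AVG Antivirus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
"""

if __name__ == "__main__":
    for label, res in (("VirusTotal", parse_virustotal(VT_SAMPLE)), ("Jotti", parse_jotti(JOTTI_SAMPLE))):
        v = assess(res)
        print(f"{label}: {len(v.hits)}/{v.engines} engines flagged -> {v.verdict} {v.hits}")
```

On the thread's own data this gives “heuristic-only” for the PK270WSP.EXE report (two heuristic flags, no named signature) and “single-engine” for the _CACHE_003_ report (avast alone), which is the same reading the reply above arrives at: neither result justifies deleting, both justify sending a sample to the vendor that flagged it.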