Win32:Spyware-gen

I am using Avast Pro Edition on Dell desktop with Win XP. Avast is set to update dat files automatically, so I believe I have the latest editions 090926. On 092709 PC was infected with Win32:Spyware-gen (trj) in the A0198811.dll file. I know this because when I attempted an Avast virus check a warning came up and said to reboot PC and run boot-time scan. I ran the boot scan, however at the end of the scan the PC froze on the instructions to press a key to delete/move this virus etc.

So I had to turn off the PC and then I started it in safe mode. I also started another Avast thorough virus scan in safe mode that has been running for 18 hrs…very slowly. Should I stop this slow scan? Start it again in normal mode? Try another boot scan? How can I best remove this virus?
Thanks,

Was that file into the System Volume Information folder (the System Restore folder)?
If so, disable System Restore on Windows ME, XP or Vista. After disabling you can enable it again.

You don’t give the full path to the A0198811.dll file, but I would guess it is a _restore point?

Where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

  • Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

If it was found on a boot-time scan then there might also be information in the C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt file, check this file using notepad and copy and paste the info on the detection.

I’m not sure what type of scan you were doing ?

The suggestion to run a boot-time scan, is normally associated with an infection found in memory. If so my assumption about it being located in a _restore point is incorrect.

Thanks for your quick response. I’m sorry that I didn’t get the full path of the boot scan results. The PC froze and I couldn’t get keyboard or mouse to respond. So I couldn’t select a key to delete or move infected file…nor copy the message.

I’m at work, so I’ll check the log this evening. But before I can do that, I need to deal with the very slow Avast virus scan that I started in safe mode. Should I kill it or let it run? At 6% complete after 18 hrs, it may take 48 hrs to complete. I ran an updated Malwarebyes scan before the Avast scan and Malwarebytes came up clean.

thanks,

Well, the thorough scan is running in safe mode, so it should be slower than normal, but not that long.

You said malwarebytes came up clean and it was up-to-date.
Was it a full scan?
Have you tried superantispyware?
Make sure to manually update and use free version.
Run full scan.
www.superantispyware.com/

Personally I would stop it.

If a normal scan found it (you didn’t say what type of scan) then that same scan should find it. When you get home, before running another scan check the logs I suggested and report what was found first.

Thanks, I think I will stop the thorough scan running in safe mode when I get home. Originally I started a thorough scan in normal mode but when it ran a check (prior to scan) that’s when the virus warning came up and stated that I needed to restart so Avast could run a boot scan. PC froze at the end of the boot scan when results were displayed.

I ran the Malwarebytes as a full scan on C:, and it came back clean. I have not tried superantispyware. I’ll download and run it…before I try to run Avast again, do you think? Maybe order doesn’t matter?

I will check the logs this evening and post the info before running further scans.
Thanks,

The order of the scans isn’t too important and a Quick scan in MBAM should be enough for a first shot. Since that is clean, I would move on to SAS next, again a Quick scan first; before you start click the Preferences, Scanning Control and tick all the boxes.

Don’t worry about reported tracking cookies they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.

Cautiously optimistic. When I checked the Avast scan last night it was stopped & displayed warning - Win32:Spyware-Gen virus found in C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1281\A0198811.dll. Warning asked if file s/b deleted or moved to chest; I deleted it. Then canceled scan; restarted PC in normal mode. Before restarting I disabled System Restore.

Given previous advice, I saved Avast logs - error and warning reports, see attached files. I also ran quick scans using Malwarebytes, Superantispyware, Spybot, and Avast…just to be sure. All scans came up clean. See MWB log attached. I haven’t enabled System Restore as I want to make sure virus is a goner.

I’m hoping I’ve killed this critter but am not sure. Is there a way to check? Perhaps do a search on Win32:Spyware-gen file name? Thanks for all the good advice.
melody

All the stuff in the warning log are old detections dating back from January 2009 and earlier, so nothing relevant there to your current situation. Cancelling the scan would also cancel the update of the warning log.

MBAM log is clear and the error log is unrelated to detections, but that too is relatively old, with the last entry being 9/27/2009.

So things for the moment are looking better. Run SAS now and post/attach its log.

Thanks, David, for your response. I will run SAS again tonight, after work, and post log tomorrow. I ran it last night and it came up clean…but another time wouldn’t hurt and I didn’t capture the log.

Please note the last half dozen lines at bottom of warning.txt… are warnings related to current time frame 09/2009.

9/16/2009 8:07:45 PM SYSTEM 1520 Sign of “JS:Downloader-EH [Trj]” has been found in “hxxp://car7unit.info/oper/show.php?s=607bc1ce71{gzip}” file.
9/25/2009 5:23:58 PM SYSTEM 1540 Sign of “Win32:Spyware-gen [Trj]” has been found in “C:\program files\common files\akamai\rswin_3586.dll” file.
9/26/2009 1:13:33 AM SYSTEM 1528 Sign of “Win32:Spyware-gen [Trj]” has been found in “C:\program files\common files\akamai\rswin_3586.dll” file.
9/26/2009 8:12:15 AM SYSTEM 1540 Sign of “Win32:Spyware-gen [Trj]” has been found in “C:\program files\common files\akamai\rswin_3586.dll” file.
9/27/2009 9:00:07 AM SYSTEM 1536 Sign of “Win32:Spyware-gen [Trj]” has been found in “C:\program files\common files\akamai\rswin_3586.dll” file.
9/27/2009 12:54:51 PM SYSTEM 1536 Sign of “JS:FakeAV-BI [Trj]” has been found in “hxxp://mycomputerfastscan11.com/scan1/?pid=283&engine=%3D3Q05TDuNDYuMTk0Ljg4JnRpbWU9MTI1NjA4Mc0OaA%3DM” file.
9/27/2009 1:33:19 PM SYSTEM 1544 Sign of “Win32:Spyware-gen [Trj]” has been found in “C:\program files\common files\akamai\rswin_3586.dll” file.
9/27/2009 4:28:59 PM Pat Jamison 1352 Sign of “Win32:Spyware-gen [Trj]” has been found in “c:\program files\common files\akamai\rswin_3586.dll” file.
9/27/2009 5:35:17 PM Pat Jamison 1144 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
9/28/2009 10:03:57 AM Pat Jamison 1144 Sign of “Win32:Spyware-gen [Trj]” has been found in “C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1281\A0198811.dll” file.

It’s not clear to me if the earlier warnings for JS:Downloader-EH [Trj], JS:FakeAV-BI [Trj], or Win32:Spyware-gen [Trj] on 9/26 mean that these trojans are still resident.

Only Win32:Spyware-Gen virus found in C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1281\A0198811.dll came up during the Avast thorough scan run in safe mode yesterday.

thanks, melody
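The Warning.log lines quoted above all follow one fixed shape, which makes it easy to sort detections by where they happened: blocked in transit by the Web Shield, a System Restore copy, or a file actually on disk. As an added example that is not part of the original thread, here is a small Python parser for that format, run over constructed sample lines with placeholder paths and a placeholder domain:

```python
import re
from collections import Counter

# Shape of an avast! 4 Warning.log detection line, as quoted in the thread:
#   <date> <time> <user> <pid> Sign of "<name>" has been found in "<location>" file.
# Other lines (e.g. "Function ... has failed.") share only the prefix.
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<user>.+?) (?P<pid>\d+) (?P<message>.*)$'
)
# Accept both straight and curly quotes, since copied log text often carries either.
DETECTION_RE = re.compile(
    r'Sign of [“"](?P<name>[^”"]+)[”"] has been found in [“"](?P<where>[^”"]+)[”"] file\.'
)

def classify(where):
    """Where the detection happened, which decides what it means."""
    w = where.lower()
    if w.startswith(('http://', 'https://', 'hxxp://', 'hxxps://')):
        return 'web-shield'     # stopped by the Web Shield, never written to disk
    if '\\system volume information\\_restore' in w or 'system volume information_restore' in w:
        return 'restore-point'  # a System Restore copy, cleared by disabling System Restore
    return 'on-disk'            # a real file on the filesystem, worth checking further

def parse_warning_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        d = DETECTION_RE.search(m['message']) if m else None
        if not d:
            continue            # skips the "Function ... has failed" style lines
        events.append({'date': m['date'], 'user': m['user'], 'name': d['name'],
                       'where': d['where'], 'kind': classify(d['where'])})
    return events

def summarize(events):
    """Counts per kind plus the distinct on-disk paths still worth investigating."""
    counts = Counter(e['kind'] for e in events)
    on_disk = sorted({e['where'].lower() for e in events if e['kind'] == 'on-disk'})
    return counts, on_disk

# Constructed sample log (not the poster's real log); domain, user and paths are placeholders.
SAMPLE_LOG = """\
9/16/2009 8:07:45 PM SYSTEM 1520 Sign of "JS:Downloader-EH [Trj]" has been found in "hxxp://bad.example.invalid/show.php?s=1{gzip}" file.
9/25/2009 5:23:58 PM SYSTEM 1540 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\\program files\\common files\\vendor\\sample_1.dll" file.
9/27/2009 4:28:59 PM Some User 1352 Sign of "Win32:Spyware-gen [Trj]" has been found in "c:\\program files\\common files\\vendor\\sample_1.dll" file.
9/27/2009 5:35:17 PM Some User 1144 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
9/28/2009 10:03:57 AM Some User 1144 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP1\\A0000001.dll" file.
"""

if __name__ == '__main__':
    counts, on_disk = summarize(parse_warning_log(SAMPLE_LOG))
    print(dict(counts))
    for path in on_disk:
        print('check:', path)
```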

I don’t know why when I looked at the log I didn’t see any of those.

  1. Now seeing the rswin_3586.dll belonging to akamai the file could be legit but what it is doing might be considered suspicious, but it isn’t totally certain it is malicious so should be checked. I hope you sent it to the chest, the recommended action?

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

  2. The other two you mention, given that they are web URLs and not located on your system, they will have been stopped by the Web Shield and the only option given on detection would be Abort Connection. This drops the connection for the infected item and stops it getting on to your system, so they aren’t active.
9/16/2009 8:07:45 PM SYSTEM 1520 Sign of "JS:Downloader-EH [Trj]" has been found in "hXXp://car7unit.info/oper/show.php?s=607bc1ce71{gzip}" file.

9/27/2009 12:54:51 PM SYSTEM 1536 Sign of “JS:FakeAV-BI [Trj]” has been found in “hXXp://mycomputerfastscan11.com/scan1/?pid=283&engine=%3D3Q05TDuNDYuMTk0Ljg4JnRpbWU9MTI1NjA4Mc0OaA%3DM” file.

Please ‘modify’ your post change the URL from http to hXXp or www to wXw (as I have done in the Quoted text), to break the link and avoid accidental exposure to suspect sites, thanks.

  3. The last one in the _restore point I believe is probably a copy of the original rswin_3586.dll. Having disabled system restore and rebooted that will clear ALL _restore points, infected or otherwise.

Hi melodyjamova,

What is the present status of mycomputerfastscan11 dot com?
This site is suspicious- visiting the site can seriously damage your computer.

Part of the site has been suspected of suspicious activities taking place there.

The last time this has been found was on 2009-09-27.
This site was hosted on 4 networks including AS20495 (WEDARE), AS39758 (SIMPLIQ), AS36351 (SOFTLAYER).

Did the site host malware?
Yes, this malicious software has infested 267 domains e.g. marchex.com/, butorba.hu/, ivhp.org.tr/.

How did this take place?
By adding malicious code to trusted, reputable sites, after which we give these sites as suspicious.

polonus

David

Sorry about the live links. I’ve neutered them in the post.

Regarding rswin_3586.dll in the akamai file, I believe I may have deleted it from the chest. I’ll check tonight. It is my habit to delete files moved to the chest after 24 hrs. I don’t trust leaving nasty stuff on my PC even in a secured chest. Generally speaking, I follow the recommended action to move suspicious files to the chest whenever there is a warning. Likewise I immediately disconnect when a warning pops up about a site.

In the event that I didn’t delete rswin_3586.dll, I’ll search for it in C:\program files\common files\ and follow your advice to move it to a new folder C:\Suspect. What is the benefit of posting this suspicious file to Virustotal.com? Why not just delete it?

If I find this file, can I move it to the Avast chest? I wonder that it didn’t show up on any of the scans I performed last night (SAS, MWB, Spybot, Avast) albeit they were all quick scans.

Assuming that the infected files (rswin_3586.dll, A0198811.dll) are permanently banished, I should enable the System Restore function, yes?

thanks,

Polonius,

Thanks for your response. I’m afraid I cannot speak to the present status of mycomputerfastscan11 dot com. Or was that a rhetorical question?

I know that lately I experience more bogus sites popping up to ‘scan’ my PC when I click on a URL link from a Google search. It even happens in my very secure work environment. I certainly don’t choose these sites.

I do a lot of online research for the school district and my writing assignments. Surprisingly, I’ve experienced web warnings on the first 5 URL links in a Google results list. I wish there was a good way to filter infected sites.

thanks,

OK, there is little point in sending something to the chest only to delete it so soon afterwards, it should only be done ‘after’ investigation rather than before.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

The purpose is to ‘check the offending/suspect file’; you are confirming or denying whether the file is in fact infected. If only avast and GData see it as infected then there is a possibility it could be a false positive detection (a fact of life with security applications), and that is why you shouldn’t delete, as you would have no options left.

The avast Win32:Spyware-gen is a generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.

Since the Chest is a protected area and the contents are encrypted no other scanners can decrypt the files to scan them.

Yes you can re-enable system restore.

Hi melodyjamova,

According to what we see here and the dll you reported initially, you have an Outerinfo aka PurityScan adware infection:
http://www.spywareinfoforum.com/index.php?showtopic=96512

Removal instructions can be found here:
http://www.geekstogo.com/forum/How-to-remove-Outerinfo-pop-ups-aka-PurityScan-OIN-t134763.html

Uninstallers can be found here: http://forums.majorgeeks.com/showthread.php?t=95465

polonus

Polonus, the A0198811.dll is/was in a _restore point and since this is a randomly generated file name I hardly think it is the same based only on the file name, unless the MD5 is the same.

I would have thought that avast and or MBAM would have noticed that, plus there are none of the symptoms present (or certainly not mentioned).

So I don’t think we can base an action on the file name alone.

Hi DavidR,

As he has/had symptoms of an adware infection

I know that lately I experience more bogus sites popping up to ‘scan’ my PC when I click on a URL link from a Google search. It even happens in my very secure work environment. I certainly don’t choose these sites.
(webbrowser pages redirected) and had been active in removal before reporting, we have to include the possibility of such an infection. Just curious if we have a lead here, just explore it, why not? If not, we have at least covered this ground,

pol

Which is why I also suggested uploading the suspect file to VT.

But since this is happening on another system at work

I know that lately I experience more bogus sites popping up to 'scan' my PC when I click on a URL link from a Google search. It even happens in my very secure work environment.

There are more and more google sponsored ads and the proverbial Google – new malware hosting issue on the avast blog; it could be that too. So the permutations are endless, especially if the scans that have been done didn’t turn up anything.

But that is the users choice.

David

OK, good to know. Thanks. I viewed the chest as merely a holding cell until the offender could be permanently removed. I did not know that I could run a scan on the chest. I’ll have to check Avast help files for info on how to do this.

I ran another SAS quick scan and the logs (9/28 & 9/29) are attached. The SAS quick scan this evening resulted in no findings.

I also ran a search for C:\program files\common files\akamai\rswin_3586.dll file. Nothing comes up. I did, on a whim, run a check on rswinui.exe at Virustotal.com. See attached results. I’m not sure this is useful or pertinent information.

So far, I’m not aware of SW problems due to removing the rswin_3586.dll file. Apparently some SW uses an Akamai Client, also referred to as the Akamai Download Manager or Akamai NetSession Interface. I will check out wXw.akamai.com to see if I need the .dll file.

I’m thinking my PC is clean, and I’ll enable System Restore tonight.

Polonus

Thanks for your input. I may not have expressed myself clearly in my last post. I did not mean to imply that I have unwanted web sites popping up randomly…at home or at work.

My point was that when I click on many URLs in a Google results list, often these links misdirect me to either online ‘fast’ scans or unexpected, suspicious sites. Avast usually gives me a warning when these misdirected sites open on my home PC. It’s just annoying that I can’t trust top entries on a Google results list.

Many thanks to all who responded. This was a great help.
ta,
melody