Win32: Trojan-gen {Other} - how do I get rid of it?

Hi guys,

I’m new to this and my Avast has just found the following virus:

Win32: Trojan-gen {Other}

I’ve tried downloading other programs but can’t seem to get rid of it. What can you suggest?

Thanks!

Download Superantispyware free version from www.superantispyware.com/ . Update it and run a full scan. Tell us if it quarantines any files.

Download a program called Hijackthis from Trend Micro. Here is the link: http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Run a scan and post a log of what it finds. Do not fix anything in Hijackthis unless told to do so.

Thanks very much for the response, philly12.
I have downloaded both programs now and I have several hundred items in the Quarantine for SuperAntiSpyware. They are grouped into 3 categories:

  • Adware.180solutions/ZangoSearch
  • Adware.ClickSpring/PuritySCAN
  • Adware.Tracking Cookie

I also ran HijackThis, but am unable to post the log as it exceeds 10,000 characters…
I’ve saved the Notepad document and uploaded it to RapidShare: (Sorry for the inconvenience)

http://rapidshare.com/files/91974545/hijackthis.log.html

Thanks so much for your help!!

Okay, first things first. Next time you can split your log into two posts or upload your log using the “additional options” button when posting. I don’t think the avast admins will download your log from that site (I could be wrong). I have included your log in my post for them to look at.

The following is a probable nasty, but do not fix it until an admin tells you to:
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)

This is also probably a nasty, but again wait to fix it:
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seekmo/ie/bridge-c24.cab?9d450ca2261f89af789aab38db4e10ddeb3bb451f7c233931d34f2380afe5a2a2bafdc292518e8ae6fc9e4ab0d46a6b080c1929fd407547f1cd9e9e4153daec7937382cda8:d075e8ea8f5d0dcdea43fc78836d4b32

I noticed that you are using zangocash. This is probably why you are having problems. Zango is a known installer of malware and is dangerous. I would advise you to get rid of anything you have installed from zango.

Now, please tell me if the following description is correct. I am not prying into your personal info; I am asking the following to make sure nothing was installed without your knowledge:

You take photos with a Canon camera. You use a site called MediaShare by Entriq to distribute these photos and such. You use Windows Live Messenger. You upload things to MySpace by using a MySpace uploader. You also upload things to Facebook and Windows Live. You use etrade and upload files to it.

Is this description correct? Again, I am not trying to pry; I just want to make sure none of these things are done without your knowledge.

Thanks for the info! I didn’t think of splitting it into two! :-X

I don’t know what zangocash is and I couldn’t find it in the Add/Remove Programs list, so do you know any way I can get rid of that?

Everything you described was correct - except for mediashare by entriq (I’m not sure what that is)…

Thanks again for all your help!! I appreciate it… Hopefully an admin will help me out soon!

Hmm… you have a few things installed by MediaShare Entriq. If you didn’t install them, I wonder if they are possible adware items. I guess we will wait and see.

Hi

Are you still having problems? There’s just a few entries in your HJT log, nothing serious. Perhaps SAS got whatever your problem was.

Open HJT, run a system scan only, and check-mark these lines if present:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seekmo/ie/bridge-c24.cab?9d450ca2261f89af789aab38db4e10ddeb3bb451f7c233931d34f2380afe5a2a2bafdc292518e8ae6fc9e4ab0d46a6b080c1929fd407547f1cd9e9e4153daec7937382cda8:d075e8ea8f5d0dcdea43fc78836d4b32

Close all other browsers/windows, click fix, close HJT.

Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to “Java Runtime Environment (JRE) 6 Update 4…allows end-users to run Java applications”.

Click the download button on the right.

If the Information Bar pops up, right-click on it and say it’s OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control.

Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and save the file jre-6u4-windows-i586-p.exe to your desktop; do not run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <= this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <= this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

If you are using Windows Firewall, please note that it doesn’t provide outbound protection. A third-party firewall will.

A discussion on free firewalls can be found here:

http://forum.avast.com/index.php?topic=30808.0

Thanks for the reply!
I have followed all those steps, and after rebooting again, ran Avast - but it still came up with the “Caution: Virus has been detected” message several times for Malware. I just did another SAS scan and removed items… I’m posting my HijackThis log again… Maybe you could tell me if there’s still a virus or adware on my computer?

Thanks!

Can you go to

C:\program files\alwil software\avast4\data\log

In the right-hand panel you will see a warning log. Could you please post the last part of it, going back to when you started getting these detections?

Thanks

Okay… Here is the Warning Log attached…
Thanks again

Also! Just so you know… with the avast scan, I didn’t complete it because it kept interrupting with the Warning detections… So the entries for the 17th Feb aren’t complete, I don’t think.

For some of this, see this link to clear out your Java cache:

http://www.java.com/en/download/help/5000020300.xml

For the other detection, open the avast chest, extract the following file to a temporary folder, and submit the file to

www.virustotal.com

C:\Documents and Settings\Owner\Local Settings\Temp\nsl2.tmp\Mutex.dll

Please post the results, I’d like to see what other scanners detect.

The last detection in your log was the morpheustoolbar. Was that a new addition?

Hi…
I could no longer locate that file! ???
Would it be because I ran SAS again and quarantined all infected items? I ran another avast scan today after doing SAS and it no longer comes up with any virus warning. Does that mean SAS has done the trick?

Also, Morpheus toolbar was not a new addition - I had Morpheus the program, but never installed a toolbar.

What should I do about USBs and iPods connected to the computer at the time it was infected? Should I scan them with avast or SAS?

Thanks again for all your help,

If you moved the file to the chest, it should still be there. Nothing can remove it from outside of the chest. I’m not sure why avast detected something in the Java cache; maybe it got corrupted after the Java update, because that’s the only thing you did and avast didn’t find anything there prior. Depends if SAS found anything.

Morpheus could have installed it on its own. Again, if you moved it to the chest, you can test it at VirusTotal.

It wouldn’t hurt to scan your flash drive with avast. You should also do this:

Download and Install Microsoft’s TweakUI: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

Obtain and install TweakUI (right-hand panel, 147 KB in size), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay, except your CD/DVD drive letters.

This will prevent autoruns from running on your computer.

Download this program, Flash Drive Disinfector by sUBs from

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

Plug in your USB HD.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

This utility will do a couple of things. First, it will remove any autorun.inf it finds. There shouldn’t be one on a fixed HD anyway. There is no need for such a file on any removable storage device (iPod, USB flash drive, cell phone, etc.) as you can open these drives manually.

It will create a SYSTEM-protected, read-only, and perfectly harmless Autorun.inf file on any hard drive or removable storage device it finds when run. This file will not only help prevent future autorun infections, it will also deny any current Autorun infection the ability to restart.

You can do this with all of your USB devices.

If everything is ok, I’ll put up a clean up routine after.
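For readers who want to see what the two AutoRun steps above (turning off AutoPlay per drive in TweakUI, and having the disinfector remove a found autorun.inf and leave a protected placeholder behind) amount to under the hood, here is an added PowerShell example. It is not code from the thread and not sUBs’ Flash_Disinfector; it writes the documented NoDriveTypeAutoRun policy value instead of using TweakUI, and it uses a read-only, system, hidden folder named Autorun.inf as the placeholder rather than whatever the tool actually creates. The DRIVE_* bitmask comments and the placeholder approach are the assumptions to check before relying on it.

```powershell
# Added example (not from the thread, not the Flash_Disinfector tool).
# 1. Disable AutoPlay for every drive type except CD/DVD via the
#    NoDriveTypeAutoRun policy value (same effect as the TweakUI checkboxes).
# 2. Audit every removable drive for an autorun.inf, rename any file found
#    so it can be looked at later, and drop a read-only/system/hidden
#    Autorun.inf folder in its place so a later infection cannot create its own.
# Run from an elevated PowerShell prompt; the HKCU write alone does not need it.

# NoDriveTypeAutoRun bitmask (assumed from the documented DRIVE_* constants):
#   0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD-ROM, 0x40 RAM disk,
#   0x01/0x80 unknown. 0xFF disables AutoPlay everywhere; clearing the 0x20
#   bit keeps it for CD/DVD, which matches the advice in the thread.
$policyKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$allButCdRom = 0xFF -band (-bnot 0x20)   # = 0xDF

function Disable-AutoPlayExceptCdRom {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -PropertyType DWord `
        -Value $allButCdRom -Force | Out-Null
    # Return the value actually stored so the caller can confirm it took effect
    (Get-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
}

function Protect-RemovableDrives {
    # DriveType 2 = removable disk (USB sticks, card readers, iPods in disk mode)
    $drives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $drives) {
        $root     = $d.DeviceID + '\'
        $target   = Join-Path $root 'Autorun.inf'
        # -Force so hidden/system files are found too
        $existing = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue

        if ($existing -and -not $existing.PSIsContainer) {
            # A real autorun.inf file: show it and keep it for inspection instead of deleting it
            $quarantined = "$target.quarantined-$(Get-Date -Format yyyyMMddHHmmss)"
            Write-Host "Found autorun.inf on $($d.DeviceID); contents:"
            Get-Content -LiteralPath $target | ForEach-Object { Write-Host "    $_" }
            Move-Item -LiteralPath $target -Destination $quarantined -Force
            Write-Host "Renamed to $quarantined"
        }
        elseif ($existing) {
            Write-Host "$($d.DeviceID) already has an Autorun.inf folder; leaving it."
            continue
        }

        # Create the placeholder folder and mark it read-only + system + hidden
        $dir = New-Item -ItemType Directory -Path $target -Force
        $dir.Attributes = $dir.Attributes -bor [IO.FileAttributes]::ReadOnly `
            -bor [IO.FileAttributes]::System -bor [IO.FileAttributes]::Hidden
        Write-Host "Created protective Autorun.inf folder on $($d.DeviceID)"
    }
}

Disable-AutoPlayExceptCdRom
Protect-RemovableDrives
```

Two caveats a practitioner would want. The placeholder folder only blocks malware that tries to create a plain autorun.inf file; anything running with administrator rights can strip the attributes and remove the folder, so the registry change (AutoPlay off) is the part that actually stops execution, and the folder is belt-and-braces. And later Windows updates disabled AutoRun for non-optical removable media by default, so on a patched system the script mostly confirms a setting that is already in place; on an XP-era machine like the one in this thread it does real work.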

Thank you! I’ve followed all those instructions and everything appears to be fine. Thank you so much for your help and patience!

You’re welcome. :)