Win32: Trojan-gen {Other} - What to do?

I was doing a manual scan in Avast and it detected Win32: Trojan-gen {Other} in two files. One of the files is in D:\System Volume Information.… and the other is D:\Program Files\Bridge Building Game\Uninstall.exe

Upon detection I sent both of the files to the Virus Chest. But I am not sure what to do now?

Also I think I might know where this came from. A couple of weeks ago Avast detected viruses in 6 separate incoming emails. I told Avast to delete the emails (it gave a few options) but for some reason they were still delivered into my inbox. Shouldn’t Avast have deleted them permanently as I told it to do? I use Thunderbird as my email client. So basically I have two questions.

  1. What do I do now to get rid of this trojan?
  2. Why didn’t Avast delete the emails as I told it to and do I need to change some configuration in Avast to make it do this?

Here are the lines from avast’s log with the original email detections:

Sign of “Win32:Spyware-gen [trj]” has been found in "Incoming email
Sign of “Win32:Rootkit-gen [Rtk]” has been found in "Incoming email
Sign of “Win32:Rootkit-gen [Rtk]” has been found in "Incoming email
Sign of “Win32:Trojan-gen {Other}” has been found in "Incoming email
Sign of “Win32:Trojan-gen {Other}” has been found in "Incoming email
Sign of “Win32:Spyware-gen [trj]” has been found in "Incoming email

And then the manual scan detection:

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\Program Files\Bridge Building Game\uninstall.exe” file.
Sign of “Win32:Trojan-gen {Other}” has been found in "D:\System Volume Information_restore{…

Any help would be appreciated

I don’t believe the two detections you mention have any relationship with those found in incoming email.

The Internet Mail (avast email scanner) scans messages before they get into your system (inbox) so they couldn’t get established to infect other files.

The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so it is trying to catch multiple variants of the same type of malware, and that is a fine balance between detecting a new variant and detecting something valid as infected.

I suspect that the uninstall.exe might be a false positive (see below on actions), but I have no idea about the one in the _restore point. Personally I wouldn’t be too concerned about that one, as it is a copy of a file that would have been removed or deleted from the system folders (for some reason), so it isn’t critical (IMHO), and I would rather not have a suspect _restore point waiting to byte ;D me in the rear at some time in the future when I used system restore (so the chest is a fine location for it).

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

Send them to Alwil for analysis. They seem to be false positives of the generic signatures (-gen).
Maybe you can post a link to this thread in the comment area while sending to them.
You’ve done the right thing. If the correction is done, you can restore the uninstall.exe file. The other is from System Restore and when you moved it to the Chest the restore point was corrupted. I suggest you run a boot-time scan with avast and then generate a new, clean restore point.

You can have the attached file deleted so that only the email body passes through.

General cleaning procedure:

  1. Clean your temporary files.
  2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or on this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Disable System Restore and then reenable it again.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

Difficult to say as you’ve tried a lot of different actions at that time…
They could also be due to false positive detections…

Thanks for your help. Here are the reports from Virus Total

http://www.virustotal.com/analisis/c828b1e6f3e12a848d7bf9cba56f7335
http://www.virustotal.com/analisis/a3df7dffa5efc3206b3f48d3d30ad330

the first is Trojan.Win32.KillWin.mi
as you can see, both BitDefender and F-Secure target it specifically, if you want a second opinion from an on-line scanner
keep in chest
export to avast
work through Tech’s list

the second is also detected as
Trojan.Win32.KillWin.mi
and
Dropped:Trojan.Generic.761448 by BitDefender

so
instead of dr web try one of those for your on-line scan

with MBAM update, scan, put a check mark next to any baddies and click REMOVE SELECTED - a backup will be made
with
SAS update Clean and Quarantine

if you have Spybot installed update, re-immunize and scan

Post the logs but edit out cookies from SAS and Spybot Search and Destroy
post any additional hits from Avast boot scan
your boot scan will run the avast rootkit tool so run the Trend Micro one

Re VT results 1 A0019255.exe from the _restore point, whilst it is a relatively conclusive set of results there is still an element of doubt (though there is no way I would change my initial comments about it) as the detections are ‘Possible’ this, generic that, and many concentrating on Trojan.Win32.KillWin.mi.

Since this is pretty much the same as the uninstall.exe I suspect that this restore point relates to that file. In fact the MD5s in the VT results are identical, so the file other than the file name (which doesn’t change the content) is one and the same.

To me I would have to wonder how the uninstall.exe ended up as a _restore point when it wasn’t originally in a system folder (unless this covers all .exe files regardless of location and I don’t know that [I have system restore disabled permanently]).

So on to the Bridge Building Game (Uninstall.exe): is this a game that you installed and have had for some time, and was it downloaded from a reputable site/company?

It isn’t uncommon for uninstall files to be detected by avast because of what they do (kill files, etc.) and that would neatly bring us on to the Trojan.Win32.KillWin.mi bit; it may be that an uninstall routine might need/want to kill a process, etc., but not a Windows NT file, which this seems to get its name from.

Mind you the PE (packed executable) info from the VT results don’t look too malevolent to me but I’m no expert when it comes to that.

The detections certainly seem valid, but sending them to avast for further analysis is certainly advisable, keeping the copies in the chest and periodically scanning them within the chest to see if avast changes the signatures and they are no longer detected.
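As an added example (not code from the thread or from avast), here is a short Python script for the "export to C:\Suspect, then upload" step above: it hashes every file in the folder and groups files by content, which is exactly how the identical-MD5 observation would be made before uploading anything. One distinct digest means one upload, and the verdict applies to every copy. The file names uninstall.exe and A0019255.exe are taken from the thread; their contents below are constructed stand-ins, not the real detections.

```python
"""
Hash suspect files before submitting them to a multi-engine scanner.

Added example, not from the original thread. Run it from the excluded
Suspect folder so the resident shield does not grab the files. File names
come from the thread; their bytes are constructed stand-ins.
"""
import hashlib
import os
import tempfile
from collections import defaultdict


def digests(chunks):
    """Return (md5, sha256) hex digests over an iterable of byte chunks.
    MD5 is what the 2008 VirusTotal report URLs were keyed on; SHA-256 is
    what current engines and sandboxes key on, so record both."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for chunk in chunks:
        md5.update(chunk)
        sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def file_hashes(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large executable is never read in one piece."""
    with open(path, "rb") as fh:
        return digests(iter(lambda: fh.read(chunk_size), b""))


def group_by_content(paths):
    """Map each SHA-256 digest to the paths that share it. Two files with
    different names but one digest are the same sample: submit it once."""
    groups = defaultdict(list)
    for path in paths:
        _, sha = file_hashes(path)
        groups[sha].append(path)
    return dict(groups)


def submission_list(paths):
    """One (md5, sha256, representative_path, copies) tuple per distinct
    file: what to upload, and what to quote in a forum post."""
    out = []
    for sha, members in group_by_content(paths).items():
        md5, _ = file_hashes(members[0])
        out.append((md5, sha, members[0], len(members)))
    return sorted(out, key=lambda t: t[2])


def demo():
    """Build a constructed Suspect folder: an uninstaller, a byte-identical
    copy under the _restore style name from the thread, and one unrelated
    file. Returns the submission list for that folder."""
    root = tempfile.mkdtemp(prefix="Suspect_")
    payload = b"MZ" + b"constructed stand-in, not a real executable\n" * 128
    samples = [("uninstall.exe", payload),
               ("A0019255.exe", payload),        # same bytes, different name
               ("other.exe", payload + b"\x00")]  # differs by one byte
    paths = []
    for name, data in samples:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return submission_list(paths)


if __name__ == "__main__":
    for md5, sha, path, copies in demo():
        print(f"copies={copies} md5={md5} sha256={sha} {path}")
```

The point of grouping first is that the second VirusTotal report in the thread was redundant: the same bytes under a different name produce the same digest, and a scanner verdict is a verdict on the bytes, not on the file name.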

Okay I have sent the files to avast. I also followed all your steps Tech and basically nothing was found. So there is nothing left to do then? Is there any problems with keeping SUPERantispyware running now permanently alongside Avast?

  1. Avast boot scan found nothing.
  2. Superantispyware only found adware tracking cookies
  3. Trend Micro RootkitBuster found nothing
  4. the analysis site showed everything as safe in HijackThis log
  5. A couple of old versions of things like flash and java but nothing much

Anyway here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:26 PM, on 10/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
d:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Documents and Settings\Sloth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\PROGRA~1\INTERN~1\mum.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\Program Files\Notepad++\notepad++.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\downloads\RootkitBuster2.2.1014\RootkitBuster.exe
D:\downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Sloth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [InternodeUsage] D:\PROGRA~1\INTERN~1\mum.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220713242046
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe


End of file - 6170 bytes
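An added example, not part of the thread and not HijackThis's own code: a small Python triage script over the O2/O4/O20/O23 line formats shown in the log above. It flags entries for manual review only (a BHO whose DLL is missing, an AppInit_DLLs entry, a service with "Unknown owner", an autorun that is not an absolute path or that runs from the user profile); a flag is "look at this", not "this is malware". The sample lines are copied from the log, and as the replies in the thread note, the (no file) BHO is Windows Messenger and harmless.

```python
"""
Triage helper for HijackThis v2 logs.

Added example, not from the original thread and not HijackThis's own code.
The regexes follow the line formats visible in the log; SAMPLE_LOG is a
constructed subset of that log.
"""
import re

# Line formats as they appear in a HijackThis 2.0 log.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<file>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<file>.*)$")

# Constructed sample: lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Sloth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Comodo\Firewall\cmdagent.exe
"""


def exe_path(cmd):
    """Pull the executable out of an O4 command line: honour a leading
    quoted path, otherwise take the first whitespace-separated token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_absolute_windows(path):
    """True for a drive-letter path such as C:\\WINDOWS\\x.exe."""
    return len(path) > 2 and path[1] == ":" and path[2] == "\\"


def in_user_profile(path):
    """True when the path sits under a per-user, user-writable location
    (XP 'Documents and Settings' or Vista+ 'Users' profile folders)."""
    p = path.lower()
    under_profile = "\\documents and settings\\" in p or "\\users\\" in p
    writable = ("\\local settings\\" in p or "\\application data\\" in p
                or "\\appdata\\" in p)
    return under_profile and writable


def triage(log_text):
    """Return a list of (section, reason, line) for entries worth a manual look."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.rstrip()
        m = O2_RE.match(line)
        if m:
            if m.group("file").strip() == "(no file)":
                findings.append(("O2", "BHO registered but its DLL is missing", line))
            continue
        m = O4_RE.match(line)
        if m:
            path = exe_path(m.group("cmd"))
            if not is_absolute_windows(path):
                findings.append(("O4", "command is not an absolute path; "
                                 "check which file actually resolves", line))
            elif in_user_profile(path):
                findings.append(("O4", "autorun from a user-writable profile directory", line))
            continue
        m = O20_RE.match(line)
        if m:
            if m.group("kind") == "AppInit_DLLs":
                findings.append(("O20", "AppInit_DLLs entry is loaded into every process "
                                 "that loads user32.dll; confirm the vendor", line))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").strip() == "Unknown owner":
            findings.append(("O23", "service binary has no recognised company name", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

On the sample above this yields five review items: the orphaned BHO, the bare RTHDCPL.EXE entry (no directory, so it is resolved through the search path), GoogleUpdate.exe running from the user's profile, the guard32.dll AppInit_DLLs entry, and the cmdAgent service with no owner string. Each of these is explained as benign elsewhere in the thread; the script's job is to shortlist what a human should confirm, not to decide.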

No.

Update them :wink:
Oh, remove the old versions…

sloth
I wish all were as thorough as you

do you really need Google Updater running all the time: file and O4 entry
remove the regular way is preferred

SAS, unless you have the paid version, does nothing except check for updates (which is not bad as SAS updates constantly). It will be ready if you need it
keep MBAM, SPybot etc up to date

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Google this CLSID and you will find it is Windows Messenger; leave it alone if you use Windows Messenger

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

this process runs normally in c:\programme\msn messenger! Check if you know this process
(this is operating system dependent) is this IM or Windows messenger and do you use it?

D:\downloads\HiJackThis.exe
do not “open” hjt or run from temp or desktop
download to a named file and run for there to get backups etc

do not FIX anything with hjt without it being in its own folder

I do not see anything that really needs FIXing anyway

run ccleaner or atf cleaner
defrag
new restore point

are you running any load at start up real time anti spyware/ anti malware?

as tech says
remove all old java - very vulnerable

The SAS update process isn’t the best; unlike avast it doesn’t do incremental (small) updates which are great to have set to auto. They download the complete signatures file, a couple of megabytes, which is an absolute waste, especially if you’re on dial-up like me. I had a whinge at their support about poor update speed (dial-up) and not offering incremental updates like avast ;D

So personally even though I have the Pro version which has resident on-access I still don’t allow it to auto update, but do a manual update a couple of times a week and at least once, before I do a weekly on-demand scan.

So I would say adopt the same principal, do a manual update just before you do a weekly scan.

Interesting DavidR
My SAS I update manually by starting from the desktop
It puts a little gray bug in Systray
I click on the bug- (looks like a tick) and it incrementally updates
If I have not updated in awhile it updates lots of little updates

Are you sure it incrementally updates, as they confirmed on my support ticket it doesn’t?

I don’t know if a) you check the file size of the download a couple of MBs (or time for download) against b) what it shows, the newly added signatures and for the limited signatures the download size/duration wouldn’t warrant that small number of new signatures.

So all they are actually doing is displaying the new signatures, but it downloads the complete signature file.

I just did it- interesting
it said checking for updates- then it downloaded
then is said checking for updates again and downloaded some more
so I’m thinking that I got 3494 and 3495
so are they downloading the whole file TWICE?

Okay I updated all software in accordance with Secunia Software Inspector. I also uninstalled old versions. I have also defragged and manually created a new restore point. So I am just waiting for avast to reply about the trojan detected, the two infected files are safely sitting in the vault for now.

I think it’s probably for the Chrome web browser.

I don’t have these. When Tech wrote “3. Use SUPERantispyware, MBAM or Spyware Terminator” I took that to mean only one of them is needed so I used SUPERantispyware. With this I have disabled it from the system tray and will manually update before I scan. Should I install MBAM as well or will SUPERantispyware suffice?

I think this is because it’s Windows Live Messenger as opposed to Windows Messenger. Yes I use it.

I am running Avast and Comodo Firewall permanently in the system tray, nothing else for viruses/spyware etc. I will run SuperAntiSpyware on a weekly basis. Do you recommend having anti-spyware/anti-malware software running at startup?

Thanks everyone you have been a great help.

got to run but here is a quick response
nice work

I do recommend both the MBAM and SAS (or Spybot or A-Squared) scans
MBAM being first choice

I DO recommend a run at startup anti malware
some run spyware terminator free but DO NOT install the CLAM AV or BHO toolbar
I run Spybot T-Timer and Win Patrol
other free choices are Spyware Doctor from google pack ( do not install other google crap along with it)
Microsoft Windows Defender
others swear by BO CLEAN but I do not know if it does the same things
I have NOT seen a comparison in years
others use the paid versions of MBAM or SAS