I have seen where others also have this virus. I just found it today running avast. The computer seems to be running fine and avast found it and I moved it to the virus vault. Reading some of the other posts I have done some of what has been suggested but figured I should post my own issues unless otherwise covered. I was wondering if deleting the trojan is ok. I have rebooted and rerun avast; the trojan didn’t reappear. I tried to run the avast cleaner, but I noticed that this virus wasn’t one listed in the ones to be cleaned. I ran it anyway. I haven’t done the system restore where you disable it and then re-enable it after step three and wanted to get any advice.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:01 PM, on 3/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
It says sign of WIN 32;troj-gen{other} found in C. In the Virus vault they are in System Volume Information Restore, C:\Program Files Gem Master and C:\Program Files English Otto. Thanks for your response. I will look at the Bonjour issue that you suggested. I also did the reboot avast and scanned the archive and I got 5 messages with Installer Archive is Corrupt. I don’t know if running the reboot and archive then fixed those issues. Hope I have given you the right info.
Items detected in the System Volume Information restore points are better in the chest as you really don’t want to have the possibility that in the future if you use system restore they could be reinfecting your system. Remember that the reason they are in the System Volume Information restore points is that they were previously deleted or moved from the system folders, etc.
For the other items you haven’t given the file names either, and that helps; you have to expand the column widths to see the full information, or you could go directly to the source file, C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log, using notepad and copy and paste the alerts.
Bonjour comes with apple products, but by all accounts is unnecessary, so check out the information first before deciding.
Sorry, here it is, hope this is right. Thanks again for your time and feedback. Scott
7/24/2008 2:51:37 PM 1216925497 SYSTEM 1652 Function setifaceUpdatePackages() has failed. Return code is 0x20000006, dwRes is 20000006.
8/9/2008 7:23:57 AM 1218281037 SYSTEM 1636 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Brackett\Local Settings\Temporary Internet Files\Content.IE5\95BVO2MD\topnav[1].swf (C:\Documents and Settings\Brackett\Local Settings\Temporary Internet Files\Content.IE5\95BVO2MD\topnav[1].swf) returning error, 0000A413.
8/13/2008 11:25:51 AM 1218641151 SYSTEM 1576 Function setifaceUpdatePackages() has failed. Return code is 0x20000006, dwRes is 20000006.
8/26/2008 12:11:40 AM 1219723900 SYSTEM 1692 Function setifaceUpdatePackages() has failed. Return code is 0x00000001, dwRes is 00000001.
10/9/2008 7:00:43 AM 1223550043 SYSTEM 1528 Function setifaceUpdatePackages() has failed. Return code is 0x20000006, dwRes is 20000006.
10/10/2008 8:45:54 AM 1223642754 SYSTEM 1528 Function setifaceUpdatePackages() has failed. Return code is 0x20000006, dwRes is 20000006.
10/18/2008 9:24:13 AM 1224336253 SYSTEM 1512 Function setifaceUpdatePackages() has failed. Return code is 0x20000006, dwRes is 20000006.
11/28/2008 8:55:14 AM 1227880514 SYSTEM 1584 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
12/6/2008 8:55:07 PM 1228614907 SYSTEM 1708 Sign of “JS:Packed-L [trj]” has been found in “hXXp://j1j2j34.com/seas/spl/pdf.pdf” file.
12/6/2008 10:12:00 PM 1228619520 SYSTEM 1708 Sign of “JS:Packed-L [trj]” has been found in “hXXp://j1j2j34.com/seas/spl/pdf.pdf” file.
12/9/2008 7:29:06 PM 1228868946 SYSTEM 1520 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\SoftwareDistribution\Download\60e28f2fefe55b8867c36eb78f0d8fdc\BIT8B.tmp (C:\WINDOWS\SoftwareDistribution\Download\60e28f2fefe55b8867c36eb78f0d8fdc\BIT8B.tmp) returning error, 00000026.
12/16/2008 12:34:17 AM 1229405657 SYSTEM 1524 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
12/16/2008 4:34:23 AM 1229420063 SYSTEM 1524 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
12/16/2008 8:34:28 AM 1229434468 SYSTEM 1524 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
1/5/2009 8:25:45 PM 1231205145 SYSTEM 1712 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://www.tvguide.com/ScriptResource.axd?d=S_87Xd2HAdUfH6HxRyXa8rVdd9AxnC7cBO2sAjDBOF_QVmv6IV26ZeRI6Q38YYzPzOiE34LU6Yz3f39FqYHU94MpKTAX7BToaJcbyGZeK1o1&t=633564874556067955 (C:\WINDOWS\TEMP_avast4_\unp21235768.tmp) returning error, 0000A413.
2/23/2009 11:34:10 AM 1235406850 SYSTEM 1532 Function setifaceUpdatePackages() has failed. Return code is 0x20000006, dwRes is 20000006.
2/23/2009 3:37:21 PM 1235421441 SYSTEM 1532 Function setifaceUpdatePackages() has failed. Return code is 0x20000006, dwRes is 20000006.
3/25/2009 6:57:07 AM 1237978627 Brackett 4976 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Program Files\EnglishOtto\uninstallotto.exe” file.
3/25/2009 7:16:37 AM 1237979797 Brackett 4976 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Program Files\GemMaster\uninstallgemmaster.exe” file.
3/25/2009 7:23:05 AM 1237980185 Brackett 4976 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information_restore{163AE8C9-33BA-4185-877E-271E48F5CC80}\RP520\A0070728.exe” file.
3/25/2009 7:23:05 AM 1237980185 Brackett 4976 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information_restore{163AE8C9-33BA-4185-877E-271E48F5CC80}\RP520\A0070729.exe” file.
3/25/2009 7:47:34 AM 1237981654 Brackett 4976 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Program Files\EnglishOtto\uninstallotto.exe” file.
3/25/2009 11:11:43 AM 1237993903 Brackett 4976 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Program Files\GemMaster\uninstallgemmaster.exe” file.
3/25/2009 11:18:25 AM 1237994305 Brackett 4976 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information_restore{163AE8C9-33BA-4185-877E-271E48F5CC80}\RP520\A0070728.exe” file.
3/25/2009 11:19:59 AM 1237994399 Brackett 4976 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information_restore{163AE8C9-33BA-4185-877E-271E48F5CC80}\RP520\A0070729.exe” file.
Disable the system restore to delete the files (points) infected and enable it again.
Also it will be good to run avast at boot time (and send infected files, if any, to Chest).
There shouldn’t be any need to disable system restore if the detected files in the C:\System Volume Information_restore points were successfully moved to the chest.
I suggest that you check the following at virustotal (see below) as I believe there is a possibility they are false positive detections.
3/25/2009 6:57:07 AM 1237978627 Brackett 4976 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\EnglishOtto\uninstallotto.exe" file.
3/25/2009 7:16:37 AM 1237979797 Brackett 4976 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\GemMaster\uninstallgemmaster.exe" file.
The avast Win32:Trojan-gen is generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected. I think it may be triggering on the uninstall files, as uninstall functions are designed to delete stuff.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, i.e. the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
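As an added illustration (not code from this thread or from avast), the Python below parses the Warning.log line format pasted earlier, groups the detections by file, and flags which hits are System Restore copies and which come from a generic -gen signature that deserves a second opinion such as VirusTotal. The log lines, user name and paths in it are constructed samples, not the thread's own data.

```python
import re
from collections import OrderedDict

# Shape of a detection line in avast4's Warning.log, as pasted in this thread:
#   <date> <time> <epoch> <user> <pid> Sign of "<signature>" has been found in "<path>" file.
# Forum pastes often turn straight quotes into curly ones, so both are accepted.
DETECTION_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<epoch>\d+) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of [“"](?P<sig>[^”"]+)[”"] has been found in [“"](?P<path>[^”"]+)[”"] file\.$'
)

# Files under System Volume Information\_restore{GUID}\RPnnn\ are System Restore
# copies of files that were already deleted or moved; the backslash before
# _restore is optional because forum pastes tend to drop it.
RESTORE_POINT_RE = re.compile(
    r'\\System Volume Information\\?_restore\{[^}]*\}\\RP\d+\\', re.IGNORECASE)

# "-gen" marks a generic signature meant to catch several variants at once, the
# kind most prone to misfiring on unusual but legitimate code such as uninstallers.
GENERIC_RE = re.compile(r'-gen\b', re.IGNORECASE)


def parse_detections(log_text):
    """Return one dict per 'Sign of ... has been found in ...' line; other lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def triage(log_text):
    """Group detections by path; the restore_point and generic flags drive the follow-up."""
    summary = OrderedDict()
    for hit in parse_detections(log_text):
        entry = summary.setdefault(hit["path"], {
            "signature": hit["sig"],
            "hits": 0,
            "first_seen": hit["date"] + " " + hit["time"],
            "restore_point": bool(RESTORE_POINT_RE.search(hit["path"])),
            "generic": bool(GENERIC_RE.search(hit["sig"])),
        })
        entry["hits"] += 1
    return summary


# Constructed sample in the same format as the thread's paste (not real log data).
CONSTRUCTED_LOG = r"""
2/23/2009 11:34:10 AM 1235406850 SYSTEM 1532 Function setifaceUpdatePackages() has failed. Return code is 0x20000006, dwRes is 20000006.
3/25/2009 6:57:07 AM 1237978627 user1 4976 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\ExampleApp\uninstall.exe" file.
3/25/2009 7:23:05 AM 1237980185 user1 4976 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP520\A0070728.exe" file.
3/25/2009 7:47:34 AM 1237981654 user1 4976 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\ExampleApp\uninstall.exe" file.
"""

if __name__ == "__main__":
    for path, info in triage(CONSTRUCTED_LOG).items():
        print(path, info)
```

A path that only ever appears under a restore point was already removed from the live system, so the chest entry is all that needs attention; a live path hit by a -gen signature is the one to export to the excluded folder and check.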
When I run avast at boot time do I need to scan the archives as well? I did that once earlier today. I am sorry but you lost me about the create suspect in C drive. Not exactly sure what or how to do that. Sorry, not an expert on computers.
No, archives are by their nature inert and I don’t scan them, as they have to be opened, files extracted, and then executed, and before that the resident scanner would scan them.
All you are doing is creating a new folder (using windows explorer) in the C drive, you can call it whatever you like, but suspect isn’t something you are going to forget.
Then you are going to exclude that folder from being scanned, or when you extract the file from the chest avast would alert; it would also alert when you tried to upload the file to virustotal.
Now you have created and excluded the new folder (call it whatever you want), you can export (that copies the file) the file from the chest to the folder, then you can upload it.
I think I figured out the suspect file. When I go into the shield and then went to settings, exclusions, then hit add and pasted C:\Suspect, or is it C:\Suspect*? And how to export? I don’t see any prompt to export these so I can then send to virus total.
O4 - HKLM..\Run: [RemoteControl] “C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe”
O4 - HKLM..\Run: [ISW.exe] “C:\Program Files\AT&T\Internet Security Wizard\ISW.exe” /AUTORUN
O4 - HKLM..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O8 - Extra context menu item: AltaVista Search - file://C:\Documents and Settings\Brackett\Application Data\ALTAVISTA\SelectedContextSearch_AltaVista Search.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate - file://C:\Documents and Settings\Brackett\Application Data\ALTAVISTA\SelectedContextTranslation.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198088338484
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
–
End of file - 12877 bytes
I tried to include it all the first time but it wouldn’t let me post because I had gone over the 1000 character post limit.
I was curious and opened up this thread, and avast didn’t like the
12/6/2008 8:55:07 PM 1228614907 SYSTEM 1708 Sign of “JS:Packed-L [trj]” has been found in “hxxp://j1j2j34.com/seas/spl/pdf.pdf” file.
12/6/2008 10:12:00 PM 1228619520 SYSTEM 1708 Sign of “JS:Packed-L [trj]” has been found in “hxxp://j1j2j34.com/seas/spl/pdf.pdf” file.
Links. I got an on-access scan block.
Could you maybe modify the original post to include hxxp instead of http for the links?
We didn’t detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall.
The below entries were rated as either questionable or bad :
C:\ImageMate CompactFlash USB\SandIcon.Exe
Not needed at start-up but not bad neither. No need to worry about this one. It might slow start-up by one second or less. http://www.what-is-exe.com/filenames/sandicon-exe.html
O4 - HKLM..\Run: [ISW.exe] “C:\Program Files\AT&T\Internet Security Wizard\ISW.exe” /AUTORUN
O4 - HKLM..\Run: [ISW.exe] “C:\Program Files\AT&T\Internet Security Wizard\ISW.exe” /AUTORUN
Two entries that are the same. Only one should be needed, if at all needed. http://www.pcreview.co.uk/startup/ISW.exe.php
Do you use AT&T Internet Security Wizard and does it include an antivirus module?
We have bellsouth DSL. I thought I was using a firewall. My security shield has been active although I noticed when I rebooted that for a split second it was red and then it kicked in. I ran the reboot with avast late last night. I fell asleep and when I woke up it had run and gone to the log onto your computer page.
Below is the response I got when I exported the virus info and then sent it to virus total for analysis. Can you tell me if I did this correctly?
Well, whatever you uploaded, it wasn’t malicious. But, did you upload the actual file? If you did, it looks clean.
Again though, your original post should be changed to hxxp instead of http. I’m still getting warnings every time I open this post…
Fix this: 12/6/2008 8:55:07 PM 1228614907 SYSTEM 1708 Sign of “JS:Packed-L [trj]” has been found in “hxxp://j1j2j34.com/seas/spl/pdf.pdf” file.
12/6/2008 10:12:00 PM 1228619520 SYSTEM 1708 Sign of “JS:Packed-L [trj]” has been found in “hxxp://j1j2j34.com/seas/spl/pdf.pdf” file.