Win32 trojan gen (other)

Hi
I have the Win32 trojan gen (other) virus and I can’t remove it from my PC.
If anyone could help me I would appreciate that.
Thanks

In the attachment you can find my HijackThis logfile.

What is the name and location of the infected file please

I see nothing in the log, except: no firewall (are you using Windows?), your Java is out of date, and you’re using SP2, when you should have updated to SP3.

Could you advise the full file name and path of the file being detected, please, and the program that detects it. (I assume it’s Avast.)

My Windows firewall is on and I have scanned again with avast, and these are the files where the virus was found:

→ C:\Installs\hlsw_1_0_0_43_setup.exe\{app}\update.exe

→ C:\System Volume Information\_restore{91722856-1EE5-4CF5-9506-1BE04AA827F5}\RP9\A0005644.exe\{app}\update.exe

In the attachment you can find my new HijackThis log.

Thanks!

look above please

thx

Hi Nico-Sid,

The HJT logfile did not show much out of the ordinary, but one entry to fix:
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
You might have disabled this before, and those are remnants. It is an adware trojan downloader…
Then you apparently have no active software firewall running there, or just the Windows one, which is only one-sided by default. I would like you to do a full scan with MBAM from here:
http://www.malwarebytes.org/mbam-download.php
and after the full scan give us a logfile txt of the results.

polonus
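The O2 line polonus quotes has a fixed shape (`O2 - BHO: <name> - {<CLSID>} - <path>`), and the thing that makes it safe to fix is the `(no file)` at the end: the registry key is left over but the DLL it pointed at is gone. The small parser below, an added example and not code from the thread or from HijackThis, applies that reading to every O2 line in a log; the first sample line is the one from the post, the other two are constructed for illustration.

```python
import re

# Constructed sample of HijackThis "O2 - BHO" lines. The first is the entry
# quoted in the thread; the second and third are made up for illustration.
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O2 - BHO: (no name) - {66666666-7777-8888-9999-000000000000} - C:\\WINDOWS\\system32\\unknown.dll
"""

# O2 lines have the form: O2 - BHO: <name> - {<CLSID>} - <path or "(no file)">
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$"
)

def parse_o2_entries(log_text):
    """Return a list of dicts, one per O2 (BHO) line, with name, clsid, path."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def classify_bho(entry):
    """Classify a BHO entry from a defender's point of view.

    'orphan'  : registry key remains but the DLL is gone ("(no file)"); the
                entry does nothing and is safe to let HijackThis remove.
    'unnamed' : a DLL is present but the BHO has no friendly name; worth
                checking the DLL (e.g. on VirusTotal) before deciding.
    'named'   : a named BHO with a DLL on disk; review like any add-on.
    """
    if entry["path"].strip().lower() == "(no file)":
        return "orphan"
    if entry["name"].strip().lower() == "(no name)":
        return "unnamed"
    return "named"

def triage_hjt_log(log_text):
    """Map each CLSID (upper-cased) to its classification."""
    return {e["clsid"].upper(): classify_bho(e) for e in parse_o2_entries(log_text)}
```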

Do I also have to fix O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) with HijackThis or not?

thx

The first looks like a good detection; a Google search finds this, http://virscan.org/report/4b863ab27de76c4424c2c4e985e27d1c.html, old scan results from a multi-engine virus scanner from 6 March 2009. Whilst at that time avast didn’t detect it, new signatures are continually added.

You could also check the offending/suspect file (to get a more recent set of results) at VirusTotal - Multi engine on-line virus scanner, and report the findings here: the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

The one in the C:\System Volume Information restore point is no doubt the same file, which, when you tried to delete it, a restore point was created for.

  • There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.

  • Worst case scenario: it isn’t infected and you delete it; you can’t use that restore point in the future, not much of a loss, and the older the restore point is the less of an issue it is.

  • So if there is any suspicion about a restore point then it is best removed from the system volume information folder, or it could bite you in the rear at some point in the future when you use system restore, if it included that restore point.

So allow avast to send it to the chest; deletion isn’t really a good first option (you have none left). ‘First do no harm’: don’t delete, send the virus to the chest and investigate.

I suggest that you enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php.

This is the MBAM logfile (attached).

Hi Nico-Sid,

Well, I think you had a lucky escape there; the infection has been cleansed now. The source of this has been a game cheater download, and these often come with additional malcode; nothing is completely free, and especially on the Internet this is true. Your dubious file was hlsw_1_0_0_43_setup.exe, and it managed through the registry to disable the Microsoft Security Center (AV & FW); that is why we corrected this with MBAM.
Stay safe and secure,

polonus

Is the virus gone?
And what do I have to do with the infected files?

thx

We don’t know if it is gone as we don’t have access to your system and you haven’t given any information to confirm that.

Did you run a boot-time scan as I suggested?
Did you do as I suggested, allow avast to send it to the chest?
If so then it will be in the Infected Files section of the Chest, where it can do no harm.

Have you looked for it in the locations it was found?

I ran a boot-time scan.
I sent the virus to the chest.

What kind of information do you need to know whether I’m still infected or not?

thx

Having sent the files to the chest, you should find that a) the detected files are no longer in the original location and b) if you run another scan nothing should be found.

So did you check the original locations and the chest Infected Files section for the detected files? They should only be in the chest.

I can’t find the files in the original location, and with another scan my computer is clean.
But now my computer is very slow, so I think the virus is still there.

That particular virus ‘can’t’ be there, as you have confirmed it yourself. That doesn’t mean there couldn’t be something else either hidden or undetected (but not that particular one).

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them, though. - See http://en.wikipedia.org/wiki/HTTP_cookie.

Thanks for the programs, they only found tracking cookies.
I will send my latest new log files.

So, it seems you’re clean. Cookies are not a thing to be worried about.

These are my latest log files (attached).

Thx

I haven’t had a look at the Ad-Aware log, as personally I feel that program is a waste of hard disk space, not to mention it is a way old 2007 version. Both of the programs I mentioned are much better, and you should replace Ad-Aware with both of them.

MBAM indicates clean.

From your HJT log:
Ensure you have the latest version of JRE (Java Runtime Environment), because older versions can be vulnerable to malware. First remove all older versions from Add/Remove Programs.

Then get the latest update from here http://java.sun.com/javase/downloads/index.jsp

Or JRE version 6 update 14 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html

So it looks like you have some form of out-of-date applications - I would also suggest a visit to this site, which scans your system for out-of-date programs that have patches to close vulnerabilities: http://secunia.com/software_inspector/.

You don’t appear to have an active firewall - it should be capable of blocking unauthorised outbound Internet connections. - What is your firewall?

Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection, and you should consider a third-party firewall.

Any malware that manages to get past your defences will have free rein to connect to the Internet to either download more of the same, pass your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Other than that I don’t see anything obvious in your HJT log.

You either didn’t run SAS or haven’t posted its log; if it only found cookies, there is no need to post it.