Win32:Trojan-gen {Other}

While viewing a video on YouTube, Avast detected this Trojan and then shut my computer down and rebooted. Here is the information that I have via Avast:

Name: mxwcaonesr.tmp
Location: C:\Documents and Settings\user\Local Settings\Temp
Virus: Win32:Trojan-gen {Other}

As it was detected by Avast, I immediately moved the infection to the chest. Problem is I have no clue what to do next. Should I just leave it there in the chest, delete it, or what? I really don’t have any knowledge of what should be done next. I don’t want to delete something and then find out later that it was needed. Since the trojan was detected, nothing else has been detected. I did a full scan and that was the only thing detected in the scan.

So, what should I do??

Hello davisjr75,

Welcome to the forums.

Upload it to Avast by clicking the "email to Avast" icon and then doing a manual update of Avast.

Upload the file to virustotal.com and post the log here.

If you are afraid that you are infected, then do a full system scan using Malwarebytes Anti-Malware. Get it from here: malwarebytes.org

YouTube and other social networking sites can be at higher risk as they are big targets for malware due to their massive user base.

If it did come from YouTube I would have expected the Web Shield to have detected it before it got to the Temp folder.

A Google search for the file name returns only this topic, so it appears to be randomly generated, which can be an indication of malware activity. Considering it is in a Temp location and a .tmp file, I personally wouldn’t spend too much time investigating this file, but possibly try to find what created it.

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them anyway. See http://en.wikipedia.org/wiki/HTTP_cookie.

Ok uploaded the file to Virus Total. This is what came up:

File mcxwsneroa.tmp received on 2009.07.25 14:30:51 (UTC)

Result: 6/41 (14.64%)

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.07.25 -
AhnLab-V3 5.0.0.2 2009.07.25 -
AntiVir 7.9.0.228 2009.07.24 -
Antiy-AVL 2.0.3.7 2009.07.24 -
Authentium 5.1.2.4 2009.07.24 -
Avast 4.8.1335.0 2009.07.24 -
AVG 8.5.0.387 2009.07.25 -
BitDefender 7.2 2009.07.25 Gen:Trojan.Heur.FakeAV.5000FFDFDF
CAT-QuickHeal 10.00 2009.07.25 -
ClamAV 0.94.1 2009.07.25 -
Comodo 1761 2009.07.25 -
DrWeb 5.0.0.12182 2009.07.25 -
eSafe 7.0.17.0 2009.07.23 -
eTrust-Vet 31.6.6640 2009.07.25 -
F-Prot 4.4.4.56 2009.07.24 -
F-Secure 8.0.14470.0 2009.07.24 -
Fortinet 3.120.0.0 2009.07.25 -
GData 19 2009.07.25 Gen:Trojan.Heur.FakeAV.5000FFDFDF
Ikarus T3.1.1.64.0 2009.07.25 -
Jiangmin 11.0.800 2009.07.25 -
K7AntiVirus 7.10.802 2009.07.25 -
Kaspersky 7.0.0.125 2009.07.25 -
McAfee 5687 2009.07.24 FakeAlert-EL
McAfee+Artemis 5687 2009.07.24 FakeAlert-EL
McAfee-GW-Edition 6.8.5 2009.07.25 -
Microsoft 1.4903 2009.07.25 TrojanDownloader:Win32/Renos.JA
NOD32 4277 2009.07.25 -
Norman 6.01.09 2009.07.24 -
nProtect 2009.1.8.0 2009.07.25 -
Panda 10.0.0.14 2009.07.25 -
PCTools 4.4.2.0 2009.07.25 -
Prevx 3.0 2009.07.25 -
Rising 21.39.52.00 2009.07.25 -
Sophos 4.44.0 2009.07.25 Mal/FakeAV-AY
Sunbelt 3.2.1858.2 2009.07.23 -
Symantec 1.4.4.12 2009.07.25 -
TheHacker 6.3.4.3.373 2009.07.24 -
TrendMicro 8.950.0.1094 2009.07.25 -
VBA32 3.12.10.9 2009.07.24 -
ViRobot 2009.7.25.1853 2009.07.25 -
VirusBuster 4.6.5.0 2009.07.24 -
Additional information
File size: 86016 bytes
MD5…: 7ce5541fabe32a72e72231f27a24a24e
SHA1…: d53ff959d0d7a53b5e2263c9388168f2c9e6e882
SHA256: 15a0011a1acc58503e2c5e806ba13684ed1a062e75280d6766b87beb41fd4927
ssdeep: 1536:Tx0T17sEt48q4Zcz3gAdbZ8zdDAhePwFO:TxOpJ4OZkgQZ8qe40

PEiD…: -
TrID…: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1108
timedatestamp…: 0x48046bfe (Tue Apr 15 08:49:02 2008)
machinetype…: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.tedt 0x1000 0x5c5e 0x5e00 5.10 e4d8b8bfacdae17c571dd85d32b1eb59
.rdaaa 0x7000 0x91e5 0x9200 6.34 c322bf4a0e1067b29a0357bb9d63e5cd
.eddta 0x11000 0xecf8 0x2e00 0.00 09619cad959a5c220c87f12082613988
.idata 0x20000 0x1dee 0x1e00 0.00 9b7aed5b7acd844124ead0e6d35e9fbb
.rsrc 0x22000 0x1000 0x400 3.88 3f8573cf0e33e600a6c7634cf61f8ef0

( 4 imports )

user32.dll: CreateIcon, DialogBoxParamA, GetDlgItem, DrawTextW, IsMenu, LoadMenuA, CopyImage, GetCursor, DrawIconEx, GetDC, AppendMenuW, AlignRects, DrawIcon, CalcMenuBar, CloseWindow, InsertMenuA, DialogBoxParamW, GetWindowTextA, EndDialog, LoadCursorA, GetFocus, AppendMenuA, GetWindowTextLengthA, CopyRect, CopyIcon, GetMenu, DrawTextA, IsWindow, BlockInput
advapi32.dll: RegCreateKeyExA, RegEnumKeyA, RegReplaceKeyA, RegQueryValueExA, RegDeleteValueA, RegOpenKeyExA, RegGetKeySecurity, RegDeleteKeyW, RegQueryValueW, RegCreateKeyExW, RegEnumKeyW, RegOpenKeyA, RegOpenKeyW, RegQueryValueExW, RegQueryValueA, RegReplaceKeyW, RegDeleteValueW, RegLoadKeyA, RegEnumKeyExW, RegEnumKeyExA, RegCreateKeyW, RegEnumValueA, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryInfoKeyA, RegEnumValueW, RegFlushKey, RegDeleteKeyA, RegLoadKeyW
kernel32.dll: GetLastError, GetCPInfo, GetLastError, DeleteFileA, GetLastError, GetLastError, GetLastError, HeapAlloc, GetLastError, GetFileAttributesA, GetLastError, lstrcpynA, GetLastError, lstrlenA, GetLastError, GetModuleHandleA, GetLastError, GetCommandLineA
advapi32.dll: RegFlushKey, RegOpenKeyA, RegCreateKeyExW, RegEnumKeyExW, RegQueryValueExA, RegEnumKeyExA, RegEnumKeyW, RegOpenKeyExW, RegDeleteKeyA, RegOpenKeyExA, RegReplaceKeyA, RegReplaceKeyW, RegCreateKeyW, RegQueryValueA, RegDeleteValueW, RegEnumKeyA, RegOpenKeyW, RegEnumValueW, RegLoadKeyW, RegQueryValueW, RegEnumValueA, RegQueryValueExW, RegDeleteValueA, RegGetKeySecurity, RegCreateKeyExA, RegLoadKeyA, RegQueryInfoKeyA, RegDeleteKeyW, RegQueryInfoKeyW

( 0 exports )

PDFiD.: -
RDS…: NSRL Reference Data Set
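Added here as an example, not code from any poster in this thread: a small offline Python triage pass over the report quoted above. It parses the section table (the misspelled names .tedt, .rdaaa and .eddta sitting next to the genuine .idata and .rsrc), lists the imports that sit on a small watch list (BlockInput, DeleteFileA and the registry create/delete calls), and tallies which family names the detecting engines agree on. The five section rows and the ten engine lines are copied from the post (the engine lines are a subset, the six detections plus four clean verdicts, so the rate it prints is 6/10 rather than 6/41); the list of standard section names, the entropy threshold, the name-similarity cutoff and the watch-list reasons are my own assumptions.

```python
"""Offline triage of the VirusTotal report quoted above (added example)."""
import difflib
from collections import Counter

# Constructed input: the five section rows exactly as they appear in the post.
SECTION_TABLE = """\
.tedt 0x1000 0x5c5e 0x5e00 5.10 e4d8b8bfacdae17c571dd85d32b1eb59
.rdaaa 0x7000 0x91e5 0x9200 6.34 c322bf4a0e1067b29a0357bb9d63e5cd
.eddta 0x11000 0xecf8 0x2e00 0.00 09619cad959a5c220c87f12082613988
.idata 0x20000 0x1dee 0x1e00 0.00 9b7aed5b7acd844124ead0e6d35e9fbb
.rsrc 0x22000 0x1000 0x400 3.88 3f8573cf0e33e600a6c7634cf61f8ef0
"""

# Constructed input: a subset of the engine lines from the post
# (the six detections plus four of the clean "-" verdicts).
VT_RESULTS = """\
Avast 4.8.1335.0 2009.07.24 -
BitDefender 7.2 2009.07.25 Gen:Trojan.Heur.FakeAV.5000FFDFDF
GData 19 2009.07.25 Gen:Trojan.Heur.FakeAV.5000FFDFDF
Kaspersky 7.0.0.125 2009.07.25 -
McAfee 5687 2009.07.24 FakeAlert-EL
McAfee+Artemis 5687 2009.07.24 FakeAlert-EL
Microsoft 1.4903 2009.07.25 TrojanDownloader:Win32/Renos.JA
NOD32 4277 2009.07.25 -
Sophos 4.44.0 2009.07.25 Mal/FakeAV-AY
Symantec 1.4.4.12 2009.07.25 -
"""

# A subset of the imports listed in the post, keyed by DLL.
IMPORTS = {
    "user32.dll": ["CreateIcon", "DialogBoxParamA", "BlockInput", "CloseWindow"],
    "advapi32.dll": ["RegCreateKeyExA", "RegDeleteValueA", "RegDeleteKeyW", "RegQueryValueExA"],
    "kernel32.dll": ["GetLastError", "DeleteFileA", "GetCommandLineA"],
}

# Assumption: section names a common Windows linker emits by default.
STANDARD_SECTIONS = sorted({".text", ".rdata", ".data", ".idata", ".edata",
                            ".rsrc", ".reloc", ".bss", ".tls", ".pdata"})

# Assumption: imports worth a second look in a small unknown binary.
NOTABLE_IMPORTS = {
    "BlockInput": "can block keyboard and mouse input",
    "DeleteFileA": "deletes files",
    "RegCreateKeyExA": "creates registry keys (settings or persistence)",
    "RegDeleteValueA": "removes registry values",
    "RegDeleteKeyW": "removes registry keys",
}

# Verdict tokens that name a category rather than a family.
GENERIC_TOKENS = {"gen", "trojan", "heur", "mal", "trojandownloader", "generic", "malware", "virus"}


def parse_sections(table):
    """Parse 'name viradd virsiz rawdsiz ntrpy md5' rows into dicts."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip header or blank lines
        name, vaddr, vsize, rawsize, entropy, md5 = parts
        rows.append({"name": name, "vaddr": int(vaddr, 16), "vsize": int(vsize, 16),
                     "rawsize": int(rawsize, 16), "entropy": float(entropy), "md5": md5})
    return rows


def section_findings(rows, packed_entropy=7.0):
    """Flag misspelled lookalikes of standard section names and packed-looking sections."""
    findings = []
    for r in rows:
        if r["name"] not in STANDARD_SECTIONS:
            near = difflib.get_close_matches(r["name"], STANDARD_SECTIONS, n=1, cutoff=0.6)
            findings.append((r["name"], ("lookalike of " + near[0]) if near else "non-standard name"))
        if r["entropy"] >= packed_entropy:
            findings.append((r["name"], "high entropy, possibly packed"))
    return findings


def notable_imports(imports):
    """Return (dll, function, reason) for every import on the watch list."""
    return sorted((dll, fn, NOTABLE_IMPORTS[fn])
                  for dll, fns in imports.items() for fn in fns if fn in NOTABLE_IMPORTS)


def summarize_results(results):
    """Count detections and tally the family names the detecting engines use."""
    total = detections = 0
    families = Counter()
    for line in results.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        total += 1
        verdict = parts[-1]
        if verdict == "-":
            continue
        detections += 1
        # Split the vendor naming scheme on its separators and keep only
        # alphabetic tokens that are not generic category words.
        for token in verdict.replace(":", ".").replace("/", ".").replace("-", ".").split("."):
            if token.isalpha() and len(token) >= 4 and token.lower() not in GENERIC_TOKENS:
                families[token] += 1
    return {"total": total, "detections": detections, "families": families}


if __name__ == "__main__":
    for name, note in section_findings(parse_sections(SECTION_TABLE)):
        print(f"section {name}: {note}")
    for dll, fn, why in notable_imports(IMPORTS):
        print(f"import {dll}!{fn}: {why}")
    s = summarize_results(VT_RESULTS)
    print(f"{s['detections']}/{s['total']} engines; families: {dict(s['families'])}")
```

The point of the three checks together: a low raw detection count matters less when the engines that do fire agree on a family (here FakeAV / FakeAlert / Renos all point at rogue security software), and a binary whose section names are one-letter misspellings of the standard ones and which imports BlockInput plus registry delete calls is worth treating as hostile regardless of how many engines have a signature for it yet.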

Try downloading Malwarebytes as Davidr suggested. Run a full scan with it and post back a log.

Whilst 6/41 isn’t a large detection, I believe it to be good enough in this case, and the fake alert malware names tend to indicate rogue security applications which display fake security alerts.

MBAM is very good in finding associated elements of fake alert/rogue security applications.