another false positive? or a hidden new trojan


Hi all friends.

My a2scanner detected a weird virus called Virus.Win32.Virut!IK in just a couple of files. The weird situation is that the files are found to be completely clean on virustotal.com. A specific malware detector for Win32.Virut is unable to find anything. But the mentioned virus is almost impossible to detect because it gets updated frequently and changes itself. I'm not sure if this is a true or false alarm.

Here are the "normal scan log file", "heuristics scan log file", and the suspicious files.

VirusTotal result:

http://www.virustotal.com/tr/analisis/bf0285ad8dcf7369d9660b59fe05f3f6b7abbf10a222ef350aa8c29c7cfb6b72-1255432057

{ZIP file with executables inside was removed} edited by Lynx

My regards.


Hi professional_1,

Welcome to the forum

I removed the archive with suspected executables attached by you.

If you suspect False Positive flaggings and want to find out how to investigate the matter, please create a new thread in the respective section of the forum (a-squared Free in your case).

Otherwise, since you posted the request into the Malware Removal Help section:

=======

Read the following instructions

START HERE, if you don't we are just going to send you back to this thread

Prepare and post the required log files into this thread

Wait for a reply from ShadowPuterDude, Katana, or JeanInMontana for assistance and further instructions.

=======

My regards


professional_1,

I edited your last post.

Neither suspected files nor links for downloading them should be provided.

You can Submit files to EMSI developers for analysis when you are suspecting False Positive flaggings.

My regards


Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

-----------------------------------------------------------

Post fresh logs for:

  • ComboFix (C:\combofix.txt)
  • a-squared Free
  • ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Only Windows Update gives an error.

The error code is 0x80240025.

Now I restored winlogon.exe with the original SP3 winlogon.exe.

Still the same 0x80240025 error, but now the system looks almost clean.

Note:

My Windows XP is 100% legal and I have its invoice. I have the original serial number sticker and the original XP CD.


I strongly advise you to clean up your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long-term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation.

Now we need to use ComboFix to remove some stuff.

  • Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected ):

KILLALL::

File::
d:\windows\logs2.zip
d:\program files\Common Files\BOONTY Shared.zip

Folder::
d:\temp\1
d:\temp\2

  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below

Note: DO NOT mouse-click ComboFix's window while it is running. That may cause it to stall.

The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

-----------------------------------------------------------

Post fresh logs for:

  • ComboFix (C:\combofix.txt)
  • a-squared Free
  • ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Those files which are in "d:\windows\logs2.zip, d:\program files\Common Files\BOONTY Shared.zip,

and folders

d:\temp\1

d:\temp\2"

were all created by me. Most of them were created before I contacted the online staff of Emsi Software. The folders d:\temp\1 and d:\temp\2 were backups of logs and cleaned malware (quarantine copies) for sending to you. ComboFix is not infected.

BOONTY Shared.zip and logs2.zip were my other various backups too. They are not infected, but I will delete them all.

boonty shared.zip: some parts of removed software and remaining junk files which were later manually deleted. BOONTY Shared.zip was the backup before the manual deletion.

logs2.zip: a backup of some log files before CCleaner's operations. I had taken those backups. They are just files with a log extension.

The files will be deleted with ComboFix.

I will post fresh logs for them soon:

* ComboFix (C:\combofix.txt)

* a-squared Free

* ISeeYouXP

And thanks for all.


My desktop just contains links and some txt files, no long-term storage. And thank you for the advice.

The delete script for ComboFix just moved those files to the ComboFix quarantine called "Qoobox".

The file regedit.exe is now approved as a false positive. Just an update for a2scanner fixed that false positive by re-scanning a2scanner's own quarantine. And the Lmhost file is zero bytes long and its content is empty. But ComboFix thought that it is infected. I think it was a false positive too.

Because of the global upload quota, I had to zip the log files you requested.

Regards


I think that only winlogon.exe was infected, but it was not a highly effective malware. I restored winlogon with the original Service Pack 3 winlogon, then re-activated Windows. I also restored regedit.exe and notepad.exe.

But yesterday I saw that the Secondary Logon service of Microsoft Windows was running, and I never needed Secondary Logon.

According to the WiTS tool set, if I am not seeing it wrong, some sort of blank-user-named session was created to connect to Windows at an unknown time. Session id: 00000000-0000f962

I don't have any guest accounts or anonymous accounts active. So what is this?

Do you know anything about this, dear brother?

WiTS can be obtained from here:

http://sourceforge.net/projects/twapi/files/Current%20Releases/Windows%20Inspection%20Tool%20Set/WiTS%202.1.11/wits-2.1.11-setup.exe/download

And thanks for all.

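One way to put the blank-user session from the post above next to its account and logon type, as an added example that is not from this thread, from WiTS or from Emsi: it uses the standard WMI classes Win32_LogonSession and Win32_LoggedOnUser, and assumes PowerShell 2.0 has been installed on the XP machine (it is not present by default) and that the prompt runs as a local administrator. The Secondary Logon service is what runas relies on, so sessions of type 9 (NewCredentials) and unexpected type 2 (Interactive) sessions are the ones worth explaining.

```powershell
# Added example, not from the thread: tie each LSA logon session (the LUID WiTS shows
# as high-low hex, e.g. 00000000-0000f962) to its account and logon type via WMI.
# Assumes PowerShell 2.0 on Windows XP and a local administrator prompt.
$logonTypes = @{
    0 = 'System'; 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials (runas /netonly, via Secondary Logon)'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

# Win32_LoggedOnUser links a Win32_Account to a Win32_LogonSession; build LogonId -> account
$owners = @{}
foreach ($assoc in Get-WmiObject Win32_LoggedOnUser) {
    # Antecedent: \\HOST\root\cimv2:Win32_Account.Domain="HOST",Name="user"
    # Dependent:  \\HOST\root\cimv2:Win32_LogonSession.LogonId="999"
    $acct = '?'
    if ($assoc.Antecedent -match 'Domain="([^"]*)",Name="([^"]*)"') { $acct = "$($Matches[1])\$($Matches[2])" }
    if ($assoc.Dependent -match 'LogonId="(\d+)"') { $owners[$Matches[1]] = $acct }
}

foreach ($s in Get-WmiObject Win32_LogonSession | Sort-Object { [int64]$_.LogonId }) {
    $id = [int64]$s.LogonId
    # Render the LUID the way WiTS does: HighPart-LowPart in zero-padded hex
    # (no -shr operator in PowerShell 2.0, so split with integer division and a mask)
    $hi = [int64][math]::Floor($id / 4294967296)
    $lo = $id -band 0xFFFFFFFF
    $luid = '{0:x8}-{1:x8}' -f $hi, $lo
    # A session with no Win32_LoggedOnUser association is a candidate for the
    # "blank user" entry WiTS displayed; the logon type and package say how it was created
    $acct = if ($owners.ContainsKey($s.LogonId)) { $owners[$s.LogonId] } else { '(no account association)' }
    $type = if ($logonTypes.ContainsKey([int]$s.LogonType)) { $logonTypes[[int]$s.LogonType] } else { "type $($s.LogonType)" }
    '{0}  {1,-40} {2,-50} {3}  {4}' -f $luid, $acct, $type, $s.AuthenticationPackage, $s.StartTime
}
```

Compare the row whose first column matches the WiTS session id with the others: system-created sessions (type 0, type 5 services) are normal, while a type 9 session created at a time nobody was using runas is what would warrant a closer look.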

Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread
