Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: greenhatch on February 22, 2009, 03:56:09 PM

Title: Win32:Trojan-gen{Other}
Post by: greenhatch on February 22, 2009, 03:56:09 PM
On scanning my laptop today the above apparent malware was detected which I duly transferred to the virus chest. The event viewer shows the entry:
Sign of ''Win32:Trojan-gen{Other}'' has been found in ''C:\Windows\MOTA113.exe\[tElock]'' file.
Has anyone else reported this please? If you want to review my detection, please tell me precisely how to locate the chest entry and where to send it. Thanks.
Title: Re: Win32:Trojan-gen{Other}
Post by: Lisandro on February 22, 2009, 04:00:31 PM
You can open the avast Chest and see the Infected files folder in it.
You do not have to deal with the files in the Chest; leave them there for a while to confirm whether it is an infected file.
Title: Re: Win32:Trojan-gen{Other}
Post by: greenhatch on February 22, 2009, 04:24:31 PM
I've found out now how to access the virus chest and uploaded the file to virustotal.com which returned the result 0/39. Presumably that means a false positive?
Title: Re: Win32:Trojan-gen{Other}
Post by: Lisandro on February 22, 2009, 04:29:41 PM
I suppose you did not upload the file from the Chest, but the original one. The file from the Chest is encrypted and won't be detected as infected (it is in avast's Chest folder).
Indeed, if you sent the original file, it seems a false positive. Do you know which program it belongs to?
Title: Re: Win32:Trojan-gen{Other}
Post by: greenhatch on February 22, 2009, 04:41:47 PM
I uploaded the file from the Chest in my ignorance :-X Of course it is encrypted, so my uploading to virustotal.com was crap... sorry. The only information I know of the detection is what the event log entry showed, as quoted in my first post.
Title: Re: Win32:Trojan-gen{Other}
Post by: Lisandro on February 22, 2009, 04:52:51 PM
You can extract the file to a safe folder (do not execute the file), add it to the avast exclusion list and then upload it to VirusTotal.
Title: Re: Win32:Trojan-gen{Other}
Post by: greenhatch on February 22, 2009, 06:09:40 PM
Can you tell me how to actually extract a copy of the file safely from the chest to a new 'suspect' folder please? I don't see any right-click option in the chest folder. You might have gathered that I'm a bit thick in certain areas :)
Title: Re: Win32:Trojan-gen{Other}
Post by: Confused Computer User on February 22, 2009, 07:26:34 PM
Hi Greenhatch,

I had a similar problem.

Quote
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

taken from: http://forum.avast.com/index.php?topic=37451.0

Hope this helps.
Title: Re: Win32:Trojan-gen{Other}
Post by: greenhatch on February 22, 2009, 07:37:22 PM

Hi. Do you have the Pro version of Avast? I have the Free version, and the simple option of right-clicking on the systray 'a' icon does not reveal an export line in the dropdown to me. So hopefully there is a simple step-by-step procedure Tech (or a mod) can advise me on to export a copy of the quarantined file from the chest to a suspect folder.
Title: Re: Win32:Trojan-gen{Other}
Post by: Confused Computer User on February 22, 2009, 07:47:51 PM
Hi,

I have the free version as well. I should put my specs on the signature part. That should speed up things.
Now back to you.
First off, right clicking on the A icon will not help in this case.
Here's what you do. Start avast. Look for the icon/button that says Virus chest. Click on it. Once there, look for the problem file. Select it, then right-click and choose extract. After this, select (browse if you will) the file that has been excluded from the scanner. Did this help?
Title: Re: Win32:Trojan-gen{Other}
Post by: greenhatch on February 22, 2009, 08:29:50 PM
Simple when you know how, right, lol? Very helpful! :D
Title: Re: Win32:Trojan-gen{Other}
Post by: Confused Computer User on February 22, 2009, 08:39:05 PM
Great,

Glad to be of service. Keep us posted on what you find.
Title: Re: Win32:Trojan-gen{Other}
Post by: greenhatch on February 22, 2009, 08:42:56 PM
Tech and Avast staff:
I uploaded an unencrypted copy of the file to virustotal.com and got a result returned of 5/39. So I've set up the user/email facility to send Alwil the file on the next update for investigation just in case. Regards
Title: Re: Win32:Trojan-gen{Other}
Post by: Lisandro on February 22, 2009, 10:37:59 PM
greenhatch, can you post the link to the file on VirusTotal, I mean, the VirusTotal results link?
We can analyze it.
Title: Re: Win32:Trojan-gen{Other}
Post by: greenhatch on February 22, 2009, 10:56:04 PM

https://www.virustotal.com/analisis/08816bf11f8403c244d934310c96465f
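An added check for the extract-and-upload procedure described in the posts above (Lisandro's note that the Chest copy is encrypted, and the exclusion-folder steps quoted by Confused Computer User). This is example code written for this page, not avast's or VirusTotal's own tooling. It assumes the file has already been extracted into the excluded folder and is only ever read, never run; the MD5 is the one in the VirusTotal report link above, and the two byte samples are constructed stand-ins rather than the real MOTA113.exe. Two things are worth knowing before submitting: a copy taken straight out of the Chest folder is stored encrypted, so it no longer has a PE header and hashes to something VirusTotal has never seen (hence 0/39), and the `\[tElock]` suffix in the event-log line is avast's notation for the unpacking layer in which the detection fired, so the hash you compare is that of the outer, packed file as it sits on disk.

```python
"""Pre-submission checks for a file extracted from the avast Chest.

Added example, not from the forum thread. Assumptions: the caller has
already extracted the file into an excluded folder (the thread uses
C:\\Suspect) and will only read it, never run it. The expected MD5 is the
one in the VirusTotal link posted in the thread; the byte samples are
constructed stand-ins, not the real MOTA113.exe.
"""
import hashlib
import struct

# MD5 taken from the VirusTotal report URL posted in the thread.
VT_REPORT_MD5 = "08816bf11f8403c244d934310c96465f"


def file_hashes(data):
    """MD5, SHA-1 and SHA-256; VirusTotal keys its reports on any of them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def looks_like_pe(data):
    """True if data carries an MZ stub whose e_lfanew points at 'PE\\0\\0'.
    The Chest stores files encrypted, so a copy taken from the Chest folder
    fails this check even though it is 'the same file'; uploading such a copy
    is what produced the 0/39 result earlier in the thread."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def check_sample(data, expected_md5=None):
    """What to know before submitting: is it a real PE (the original, not the
    encrypted Chest copy), its hashes, and whether its MD5 matches the report
    you intend to compare against (None when no MD5 was supplied)."""
    hashes = file_hashes(data)
    matches = None
    if expected_md5 is not None:
        matches = hashes["md5"] == expected_md5.lower()
    return {"is_pe": looks_like_pe(data), "hashes": hashes, "md5_matches": matches}


def check_file(path, expected_md5=None):
    """Same check on a file on disk; read-only, the sample is never executed."""
    with open(path, "rb") as fh:
        return check_sample(fh.read(), expected_md5)


def _build_minimal_pe():
    """Constructed stand-in for an extracted executable: MZ header with
    e_lfanew = 0x40 and a 'PE\\0\\0' signature there. Not a runnable program."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


SAMPLE_PE = _build_minimal_pe()
# Constructed stand-in for an encrypted Chest copy: no MZ stub, no PE header.
CHEST_BLOB = bytes((i * 37 + 11) & 0xFF for i in range(256))


if __name__ == "__main__":
    for label, blob in (("extracted copy", SAMPLE_PE), ("chest copy", CHEST_BLOB)):
        r = check_sample(blob, VT_REPORT_MD5)
        print(f"{label}: pe={r['is_pe']} md5={r['hashes']['md5']} "
              f"matches_report={r['md5_matches']}")
```

Run `check_file(r"C:\Suspect\MOTA113.exe", VT_REPORT_MD5)` on the extracted copy: `is_pe` false means you exported the Chest's encrypted copy rather than the original, and `md5_matches` false means the report you are reading is for a different file than the one on your disk.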
Title: Re: Win32:Trojan-gen{Other}
Post by: Avastfan1 on February 22, 2009, 11:03:07 PM
Hello All,

I too registered exactly the same item at exactly the same time. This smells like a false positive.

However I shall wait for the clearance from the experts and gurus.

Hope there's a quick Avast response!

Avastfan1

PS: @Tech: I found this related thread by chance and it didn't show up in the search function? :S
Title: Re: Win32:Trojan-gen{Other}
Post by: polonus on February 22, 2009, 11:18:45 PM
Hi Avastfan1,

Reassuring info here: http://spywarefiles.prevx.com/RRHJEF9220657/MOTA113.EXE.html
But also this: Super(R) is SPYWARE and MALWARE. Check c:\Windows directory, you will find files like meta4.exe, mota113.exe, x2.64.exe, system32\x.264.exe and others. Google those file-names, and pray you did not enter credit card info on your computer....owned:
Or upload the file in question to virustotal.com and give us the results,

polonus
Title: Re: Win32:Trojan-gen{Other}
Post by: Avastfan1 on February 22, 2009, 11:36:23 PM
Hi Polonus,

Thanks for the information. I was initially reassured with your first link. Then I read the second part about Super(R) and now feel very worried and scared :(

I did indeed find those files in my windows directory. Should I delete them?

I uninstalled Super(R) immediately following your advice.

However it didn't uninstall those files. I have scanned my computer with the following programs and none of them recognised any of those files except Avast. I have had Super(R) installed for a long time and Avast NEVER once alerted me to spyware or adware.

Even the other anti-spyware/anti-malware programs (please see below) have never raised an issue with it.

Please help me Polonus!! :O

Thanks!!

Avastfan1

------------------------

Malwarebytes - No infections
Kaspersky online scan - no infections
SuperantiSpyware - no infections
ZA Anti-spyware - no infections
Hijackthis Log - no red cross items (sent to http://www.hijackthis.de/)
Avast - refer to previous post
Rootalyzer - no infections
Blacklight anti-rootkit - no infections


Title: Re: Win32:Trojan-gen{Other}
Post by: Avastfan1 on February 22, 2009, 11:48:48 PM
Hi Polonus,

Here are the results for those files:

meta4.exe
jotti.org - found nothing
virustotal - only 2/39:
1) CAT-QuickHeal found (Suspicious) - DNAScan
2) eSafe found Suspicious File

x2.64.exe
jotti.org - found nothing
virustotal - only 3/39:
1) CAT-QuickHeal found (Suspicious) - DNAScan
2) eSafe found Suspicious File
3) Sunbelt found Trojan.Win32.Packed.gen (v)

system32\x.264.exe
jotti.org - found nothing
virustotal - only 1/39:
1) eSafe found Suspicious File

Please note: I can't upload MOTA113.exe because when the Avast alert sounded - I ticked 'no action' and this seems to be preventing me from uploading the file.

PLEASE, PLEASE, PLEASE help me Polonus! I am not an expert at all, but I've always tried to keep my anti-virus, anti-spyware and anti-malware up to date.

Thanks!!
Title: Re: Win32:Trojan-gen{Other}
Post by: Lisandro on February 22, 2009, 11:55:01 PM
Quote
https://www.virustotal.com/analisis/08816bf11f8403c244d934310c96465f

It's not easy to say... maybe a false positive, maybe on the contrary avast is one of the first to detect it...
Title: Re: Win32:Trojan-gen{Other}
Post by: Avastfan1 on February 22, 2009, 11:56:55 PM
Hi Tech,

Thanks for the information. I am really beginning to get worried now.

Two Avast Gurus (yourself and Polonus) have both expressed concerns with this.

What should I do? :O

Please help!

Avastfan1
Title: Re: Win32:Trojan-gen{Other}
Post by: Lisandro on February 22, 2009, 11:59:54 PM
Quote
What should I do? :O

Send file to avast Chest and let it there for further analyzes.

Besides, I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! (http://www.freedrweb.com/cureit/) instead.
3. Use SUPERantispyware (http://www.superantispyware.com), MBAM (http://malwarebytes.org/mbam.php) or Spyware Terminator (http://www.spywareterminator.com/) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
5. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or to this analysis site (http://www.hijackthis.de/#anl). Or even submit the RunScanner (http://www.runscanner.net/) log to on-line analysis.
6. Disable System Restore and then reenable it again.
7. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html).
8. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).
Title: Re: Win32:Trojan-gen{Other}
Post by: Avastfan1 on February 23, 2009, 12:11:24 AM
Hi Tech,

Thanks again for the support. Should I send all the files mentioned to the Chest? (ie. just MOTA113.exe or all the others which Polonus flagged?)


1. Done - used CCleaner
2. Done - Avast detected it. Dr. Web didn't.
3. Done - SAS and MBAM found no infections at all.
4. Done - Rootalyzer and Blacklight didn't find anything.
5. HJT log below.
6. I am scared to do this. I am not that familiar with system restore. Do you REALLY recommend this?
7. Do I really need Spywareblaster when I have SAS and MBAM and Spybot?
8. Done - None noted. I use the online version of Secunia once a week.

Thank you so much for your help!

Avastfan1

---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:10:58 AM, on 23/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HiJackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerIEPlugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerIEPlugin.dll

CONTINUED IN NEXT POST
Title: Re: Win32:Trojan-gen{Other}
Post by: Avastfan1 on February 23, 2009, 12:13:05 AM
Continuation - sorry for the long post.

Thanks Tech and Polonus!

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /start_mode="auto"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228391919093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228391899437
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 10457 bytes
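An added triage helper for the HijackThis log posted above; example code written for this page, not HijackThis' own. It parses the O2, O4 and O23 line formats used in the log and flags the entries a reviewer would look at first: a service whose file is missing, a registration with no publisher string, an autostart given as a bare filename (resolved through the search path at logon) and a startup shortcut HJT could not resolve. A flag is a prioritisation hint, not a verdict; on this log every flagged line is a ThinkPad/IBM component or an unresolved shortcut, which is consistent with polonus's reading that the log is fine. The sample lines are copied from the posted log.

```python
"""Triage helper for HijackThis (HJT) v2 log lines.

Added example, not part of the thread. It handles the O2 (BHO), O4
(autostart) and O23 (service) line formats seen in the posted log and
returns the entries worth a second look together with the reason.
"""
import re

# Sample input: lines copied from the log posted in the thread (not new data).
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: VPN Client.lnk = ?
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""

_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
_O4_RUN = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<path>.+)$")
_O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<path>.+)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Absolute Windows path, optionally quoted: C:\..., "C:\Program Files\..."
_ABS_PATH = re.compile(r'^"?[A-Za-z]:\\')


def parse_line(line):
    """Return a record dict for the O2/O4/O23 lines handled here, else None."""
    line = line.rstrip()
    for kind, rx in (("O2", _O2), ("O4", _O4_RUN), ("O4", _O4_STARTUP), ("O23", _O23)):
        m = rx.match(line)
        if m:
            rec = {"kind": kind, "raw": line}
            rec.update({k: v.strip() for k, v in m.groupdict().items()})
            return rec
    return None


def flags_for(rec):
    """Reasons a reviewer would look at this entry first (empty = nothing)."""
    reasons = []
    path = rec["path"]
    if "(file missing)" in path:
        reasons.append("file missing: registration points at a path that no longer exists")
    if rec.get("owner") == "Unknown owner":
        reasons.append("no publisher in version info; confirm the binary with a hash lookup")
    if rec["kind"] == "O4":
        if path == "?":
            reasons.append("HJT could not resolve the shortcut target")
        elif not _ABS_PATH.match(path):
            reasons.append("bare filename; resolved through the search path at logon")
    return reasons


def triage_log(log_text):
    """Parse every line; return [(record, reasons)] for lines with a flag,
    in log order. Lines of other HJT sections are ignored."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            reasons = flags_for(rec)
            if reasons:
                flagged.append((rec, reasons))
    return flagged


if __name__ == "__main__":
    for rec, reasons in triage_log(SAMPLE_LOG):
        print(f"{rec['kind']} {rec['name']!r}: " + "; ".join(reasons))
```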
Title: Re: Win32:Trojan-gen{Other}
Post by: Confused Computer User on February 23, 2009, 12:17:54 AM
Hi tech,

Two quick questions concerning your post.
Quote
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.

Doesn't avast have the antirootkit part integrated in it, or do you have to download it (and if so, is it free for home users)?
Same goes for Trend Micro RootkitBuster: is it free or is there a fee?

Thanks.
Title: Re: Win32:Trojan-gen{Other}
Post by: Avastfan1 on February 23, 2009, 12:22:07 AM
Hello Confused Computer User,

Are you also caught up in the same problem which I have?

Would be keen to hear the views of all people affected.

Thanks!

Avastfan1
Title: Re: Win32:Trojan-gen{Other}
Post by: Confused Computer User on February 23, 2009, 12:34:46 AM
Hi Avastfan1,

Quote
Are you also caught up in the same problem which I have?
No, not really.
I am interested in knowing what is the best way to approach such issues because of a past experience with a false positive (which ended well)
See: http://forum.avast.com/index.php?topic=37451.0

In my case DavidR helped me through the whole process and it was OK. If I can give any advice, it's not to worry; with time and patience all is fixed.
I hope it is the same case for you.
Title: Re: Win32:Trojan-gen{Other}
Post by: polonus on February 23, 2009, 12:38:02 AM
Hi Confused Computer User,

The HJT logfile seems OK, one thing: MSIE: Unable to get Internet Explorer version!
I do not know what that is?

polonus
Title: Re: Win32:Trojan-gen{Other}
Post by: Avastfan1 on February 23, 2009, 12:44:26 AM
Hi Polonus,

Thanks for the reply. The 'Unable to get Internet Explorer Version' is due to me having a brain wave one day.

I tried to remove and delete Internet Explorer from my Windows XP system. I was unsuccessful as Windows constantly regenerates the file. Tried to delete it because Firefox is so much more secure.

Do you think I should delete those other files Polonus (meta4.exe) etc.? Or just MOTA113.exe?

Is my system now compromised?

I researched Super(R) on Google but I couldn't find any critical links accusing it of being spyware or malware.

However I believe you if you say it is - you are afterall an Avast Guru and a lot wiser than I am.

Please tell me your thoughts and let me know what you would do if you were me! :O

Thanks!!

Avastfan1
Title: Re: Win32:Trojan-gen{Other}
Post by: greenhatch on February 23, 2009, 09:41:07 AM
As the thread starter, I thought I would just confirm for everyone that I had scanned with SAS and MBAM last night also, but no other detections were indicated (I had already quarantined MOTA113.exe detected by Avast).
Title: Re: Win32:Trojan-gen{Other}
Post by: alanrf on February 23, 2009, 09:48:11 AM
avast said this was a false positive less than a year ago.  I find it hard to believe this has changed in the intervening time.  If it is indeed a false positive then, sadly, it will not be the first time (or second ... ) that avast has flagged previously corrected false positives again.
Title: Re: Win32:Trojan-gen{Other}
Post by: DavidR on February 23, 2009, 04:44:21 PM
Yes, a problem with generic signatures, tweaking them could bring back a detection previously corrected.
Title: Re: Win32:Trojan-gen{Other}
Post by: Avastfan1 on February 24, 2009, 05:07:58 PM
False positive has now been confirmed.

Fixed with the latest VPS update - 090224-0.

Thanks Avast!!!!
Title: Re: Win32:Trojan-gen{Other}
Post by: greenhatch on February 24, 2009, 09:56:12 PM
Tech and Avast staff:
Okay grand so it was a false positive. Referring to my original post at the start of this thread, do I therefore now restore the file that I quarantined?
''Win32:Trojan-gen{Other}'' has been found in ''C:\Windows\MOTA113.exe\[tElock]'' is my Event log entry of the 'detection'. And is C:\Windows\MOTA113.exe anything in particular (other than the false positive)?
Thanks for any further advice.
Title: Re: Win32:Trojan-gen{Other}
Post by: DavidR on February 24, 2009, 11:01:50 PM
Yes you can: open the chest, Infected files section, right-click on the file and select Restore. Check that the file is in its original location, then delete the copy from the chest.