Author Topic: Trojan in my ASUS folder?  (Read 8242 times)


ruinofthedeadfluffy97

  • Guest
Trojan in my ASUS folder?
« on: February 03, 2011, 05:59:08 PM »
I scan my computer every night, and I got up this morning and saw a trojan in my ASUS folders.

Avast couldn't find the file specified, so it couldn't be moved to the chest.

Boot-time scan didn't work either. (Didn't detect anything)


I'll provide OTL logs in a minute.


Will this trojan:

Steal my tax info?
My passwords?
My BANK info?

Crash my computer?


Also, could I perform a manual removal? How?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: Trojan in my ASUS folder?
« Reply #1 on: February 03, 2011, 06:43:20 PM »
What is the infected file name and the full path to where it was found, e.g. (C:\windows\system32\infected-file-name.xxx)?

You could also check the offending/suspect file (if you can physically trace it) at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the address bar of the VT results page). You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

ruinofthedeadfluffy97

  • Guest
Re: Trojan in my ASUS folder?
« Reply #2 on: February 03, 2011, 06:52:42 PM »
> What is the infected file name and the full path to where it was found, e.g. (C:\windows\system32\infected-file-name.xxx)?


Well, I should be able to locate it. But if I do, will that cause any harm to my computer?

*edit*

Well, I'm in the folder, and I don't see the .exe like in the scans, but I DO see the same file name with .exe.MANIFEST at the end.

Is that bad? :(
« Last Edit: February 03, 2011, 07:00:05 PM by ruinofthedead »

Online DavidR

Re: Trojan in my ASUS folder?
« Reply #3 on: February 03, 2011, 07:09:13 PM »
Finding the actual location won't activate it; running it would activate it. But before you even do that you should post the file name and location, as it helps us to determine the possibility of a false positive.

For detection information on on-demand scans, check C:\Documents And Settings\All Users\Application Data\Alwil Software\Avast5\Log (Windows 2000, Windows XP), or C:\ProgramData\Alwil Software\Avast5\log (Windows Vista, Windows 7).

Do you mean manifest.exe rather than exe.manifest ?
The reason I say this is that I'm not aware of any .manifest file type, but there are many hits on that file type, http://filext.com/file-extension/MANIFEST. So it could possibly be legit, which doesn't mean it is also clean.

ruinofthedeadfluffy97

  • Guest
Re: Trojan in my ASUS folder?
« Reply #4 on: February 03, 2011, 07:17:47 PM »
> Finding the actual location won't activate it; running it would activate it. But before you even do that you should post the file name and location, as it helps us to determine the possibility of a false positive.
>
> For detection information on on-demand scans, check C:\Documents And Settings\All Users\Application Data\Alwil Software\Avast5\Log (Windows 2000, Windows XP), or C:\ProgramData\Alwil Software\Avast5\log (Windows Vista, Windows 7).
>
> Do you mean manifest.exe rather than exe.manifest ?
> The reason I say this is that I'm not aware of any .manifest file type, but there are many hits on that file type, http://filext.com/file-extension/MANIFEST. So it could possibly be legit, which doesn't mean it is also clean.


Here's the location.

C:\Program Files\ASUS\Pc Probe II\Probe2.exe.manifest

In the folder itself, it comes up as MANIFEST file. This is the only file with .exe in its name.

*edit*

Now to get those logs...
« Last Edit: February 03, 2011, 07:24:53 PM by ruinofthedead »

Online DavidR

Re: Trojan in my ASUS folder?
« Reply #5 on: February 03, 2011, 07:36:07 PM »
I'm always suspicious when I see files with two file types (extensions), but that's me.

The folders are probably hidden:
- Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. see image.
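An added example, not part of the original posts: a file named `<program>.exe.manifest` beside an executable is normally a Windows side-by-side application manifest, which is an XML document rather than program code. The sketch below classifies such a file's bytes without running anything and prints a SHA-256 that can be looked up on VirusTotal; `triage_manifest`, the size cap and the sample data are hypothetical names and values constructed for illustration.

```python
import hashlib
import sys
import xml.etree.ElementTree as ET

ASM_V1 = "urn:schemas-microsoft-com:asm.v1"  # namespace of side-by-side manifests
MAX_SIZE = 1024 * 1024  # assumed cap: real manifests are a few KB at most

# Constructed sample inputs (not taken from the thread).
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="Example.App" type="win32"/>
</assembly>
"""
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60  # only the DOS-header magic matters here


def triage_manifest(data: bytes) -> dict:
    """Classify the bytes of a '.exe.manifest' file without executing it."""
    result = {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
    if not data:
        result["verdict"] = "empty"           # nothing to scan or upload
    elif data[:2] == b"MZ":
        result["verdict"] = "pe-executable"   # program code behind a data extension
    elif len(data) > MAX_SIZE or b"<!DOCTYPE" in data:
        result["verdict"] = "unknown"         # oversized or DTD-bearing: do not parse
    else:
        try:
            root = ET.fromstring(data)
        except ET.ParseError:
            result["verdict"] = "unknown"     # neither PE nor well-formed XML
        else:
            if root.tag == f"{{{ASM_V1}}}assembly":
                result["verdict"] = "sxs-manifest"
                ident = root.find(f"{{{ASM_V1}}}assemblyIdentity")
                result["identity"] = ident.get("name") if ident is not None else None
            else:
                result["verdict"] = "other-xml"
    return result


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage_manifest(fh.read(MAX_SIZE + 1)))
```

A `sxs-manifest` verdict only says the file has the expected format; the hash lookup and a rescan with current definitions remain the check for whether the detection was a false positive.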

ruinofthedeadfluffy97

  • Guest
Re: Trojan in my ASUS folder?
« Reply #6 on: February 03, 2011, 07:36:30 PM »
The logs are attached.

ruinofthedeadfluffy97

  • Guest
Re: Trojan in my ASUS folder?
« Reply #7 on: February 03, 2011, 07:40:31 PM »
> I'm always suspicious when I see files with two file types (extensions), but that's me.
>
> The folders are probably hidden:
> - Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. see image.

After I do this, should I re-scan? Maybe Avast might be able to put the files in the chest?

Online DavidR

Re: Trojan in my ASUS folder?
« Reply #8 on: February 03, 2011, 08:24:38 PM »
It rather depends on why avast couldn't send the file to the chest, e.g. file in use or file is too big, etc.

If in use then a boot-time scan should be able to get round that as it runs before Windows has fully started.

In that image that I posted (click to enlarge), if you put your settings as indicated beside the red line, that would show all file types and not just known types (that makes me mad, as "known to whom?" is my question, and that would be to Microsoft).

Now you have located it you could send it to virustotal as I outlined earlier in my first reply.

ruinofthedeadfluffy97

  • Guest
Re: Trojan in my ASUS folder?
« Reply #9 on: February 03, 2011, 08:27:12 PM »
> It rather depends on why avast couldn't send the file to the chest, e.g. file in use or file is too big, etc.
>
> If in use then a boot-time scan should be able to get round that as it runs before Windows has fully started.
>
> In that image that I posted (click to enlarge), if you put your settings as indicated beside the red line, that would show all file types and not just known types (that makes me mad, as "known to whom?" is my question, and that would be to Microsoft).
>
> Now you have located it you could send it to virustotal as I outlined earlier in my first reply.

Will do!

And also, why DIDN'T Avast pop-up on the corner displaying that it found a virus?

When I run my scans, it's around midnight when I go to bed, and I'm not active.
« Last Edit: February 03, 2011, 08:37:24 PM by ruinofthedead »

Online DavidR

Re: Trojan in my ASUS folder?
« Reply #10 on: February 03, 2011, 08:38:43 PM »
Well, when you start an on-demand scan it is going to be scanning files that would otherwise be dormant/inert, so a new/modified signature could be added and then you get the alert.

Personally, with a resident on-access antivirus scanner, on-demand scans are much depreciated, especially every day. For the most part the on-demand scan is going to be scanning files that are otherwise dormant or inert as the resident on-access scanner will scan files that present an immediate risk, or are a target of infection when they are created, modified, opened or run.

I run a weekly scheduled Quick scan on default settings and a monthly scheduled Full System Scan and I find that sufficient.

Also by not scanning so frequently if you do happen to have a new signature added which picks up a file incorrectly (false positive) it gives time for that signature to be corrected before you run your scan.

ruinofthedeadfluffy97

  • Guest
Re: Trojan in my ASUS folder?
« Reply #11 on: February 03, 2011, 08:55:46 PM »
Well, virustotal didn't find anything infected.

Should I scan again?

Online DavidR

Re: Trojan in my ASUS folder?
« Reply #12 on: February 03, 2011, 09:12:27 PM »
If VT didn't find anything, including avast, then it is likely it was a false positive which has been corrected. This is one of the reasons why the URL to the results is important (and why we ask for it) as we know what virus definitions version was used. We can also confirm that the correct file was uploaded and it wasn't 0 bytes (empty). This would be an indication that avast blocked the upload if you didn't create and exclude the suspect folder.

Ensure that you have the latest virus definitions update and find that file in the original location and right click on it and scan it again.


ruinofthedeadfluffy97

  • Guest
Re: Trojan in my ASUS folder?
« Reply #13 on: February 03, 2011, 09:16:58 PM »
> If VT didn't find anything, including avast, then it is likely it was a false positive which has been corrected. This is one of the reasons why the URL to the results is important (and why we ask for it) as we know what virus definitions version was used. We can also confirm that the correct file was uploaded and it wasn't 0 bytes (empty). This would be an indication that avast blocked the upload if you didn't create and exclude the suspect folder.
>
> Ensure that you have the latest virus definitions update and find that file in the original location and right click on it and scan it again.



Okey doke.

Thanks for the help again, David. :-)


Online DavidR

Re: Trojan in my ASUS folder?
« Reply #14 on: February 03, 2011, 09:21:41 PM »
You're welcome.