Author Topic: Trojan? Or not? Help!  (Read 15505 times)

0 Members and 1 Guest are viewing this topic.

SteveO29

  • Guest
Trojan? Or not? Help!
« on: August 10, 2006, 04:41:34 AM »
Hi all,

This is a little long, so please bear with me..

I've been a Norton Anti-virus user for about two years, ever since I bought my new computer. Also, I'm very cautious when it comes to viruses. I never use my computer's e-mail program, instead I opt for web-based e-mail clients like Yahoo, Hotmail and G-mail. Even so, I never open e-mails if they look suspicious or have attachments.

I also never run programs that I get from sources I don't trust. I practice safe web-browsing and have always had a firewall and anti-virus program running.

That being said, my Norton subscription ended two days ago. So, after hearing many good things about Avast!.. I thought I'd try it. I uninstalled Norton and installed Avast!. It ran it's first scan.. and all was clean. I ran another scan a little later.. again, everything was clean.

Now.. today I decided to try a "thorough" scan rather than the "standard" scan that it did the last two times. Well, this time I got a virus warning.. and of all places on my D: drive!

It said the file that was infected was "wksv7std.sbs" located at

D:\i386\Apps\App12654\workssuite\msworks\pfiles\msworks

It said that it was a Malware type Trojan called Win32:SdBot-3324 [Trj]. Avast!'s recommended advice was to move this file to the virus chest.. which is what I did.

Now, my D: drive is just a "recovery partition" used by my computer. I never write anything to it. When I click on that drive it tells me that this area of my drive contains files used for system recovery. And that I should not delete or alter files in there. And that any change could prevent any recovery later.

Now, I'm no expert when it comes to viruses.. but I just have this feeling that Avast! was just being overly sensitive. I've used other virus programs in the past, and at times they would detect viruses in completely innocent files.

Another reason I think the file is fine is that when I open Avast!'s virus chest.. and look at the file in question.. under 'virus' it says '--no virus--". It also says the last time the file was changed was 6/4/2002.. which is before I bought the computer.

Anyhow.. that's my situtation. Now my questions..

If the file is truly a trojan, how would I know for sure? Also, if it is a trojan.. has Avast! cured the problem by locking it away in the virus chest?

But. if it is ~not~ a trojan, can I put the file back where it belongs by clicking "restore" in the virus chest menu without it messing up my recovery partition?

I'm sorry, I know this is a little long-winded. But any advice would be TRULY appreciated!

--steve
« Last Edit: August 10, 2006, 09:50:18 AM by SteveO29 »

galooma

  • Guest
Re: Trojan? Or not? Help!
« Reply #1 on: August 10, 2006, 06:32:43 AM »
Hi and welcome Steve ,
 My first suggestion would be to scan the suspect file at http://virusscan.jotti.org/ this will give you an opinion from all the other leading AV scanners.
You will have to restore / remove from chest to perform this function.
If its not recognised by anyone else then its more likely that its a false positive and can be placed in exclusion lists.
 Send a copy to virus @ Avast in a password protected ZIP using virus as the password and occasionally scan it with avast to see if its still recognised.
good luck

SteveO29

  • Guest
Re: Trojan? Or not? Help!
« Reply #2 on: August 10, 2006, 08:33:05 AM »
Thank you so much for the quick reply! I really appreciate it!

I read your suggestions, but I have a few problems.

First of all.. if I were to restore the file from the virus chest.. there would be no way to access it because it's on my D: drive. Anytime I try to access anything on my D: drive, I'm given a warning that the D: drive is just a "recovery partition". I can't read it, or write to it. It's locked.

Secondly.. the file in question is 47.1 megabytes! Which means I can't scan it at the location you mentioned because that site only accepts files up to 15 MB.

How is it possible for a 47.1 MB trojan to get on my D: drive.. a drive that is basically locked and used only for recovery? Plus.. I'm a dial-up user and I never leave my computer running unattended. I would definitely know if a 47.1 MB file was somehow uploaded to my computer.

Plus.. isn't 'wksv7std.sbs' a file that deals with clipart? It all just doesn't make sense.

This MUST be a false virus reading, correct?

--steve
« Last Edit: August 10, 2006, 11:46:58 AM by SteveO29 »

Spiritsongs

  • Guest
Re: Trojan? Or not? Help!
« Reply #3 on: August 10, 2006, 06:03:08 PM »
 :)  Hi Steve :

     Anytime a recent Norton User has switched to Avast, we
    are concerned as to IF Norton has been COMPLETELY
    REMOVED from the computer !? In addition to "uninstalling"
    from Add/Remove Programs, we recommend using their
    SymNRT "Removal Tool" ; have you done this ? I usually
    recommend using a computer's "Search > All files and
    folders", using the search "term" "Symantec" & later
   "Norton" and "Delete" anything it finds + using a registry
    cleaner to remove entries there.
    Assuming Norton is COMPLETELY gone, I recommend you
    get a "2nd Opinion" about this "trojan" by using the good
    and FREE "Ewido" available from www.ewido.net/en ; this
    program "specializes" in detecting ( & removing ) trojans,
    worms, keyloggers, etc . Could either install the program
    and/or run its Online Scanner .

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11863
    • AVAST Software
Re: Trojan? Or not? Help!
« Reply #4 on: August 11, 2006, 12:19:47 AM »
I must say we would like to check the file (wksv7std.sbs) - it sounds like a false positive indeed; but we must have it first.
If it's possible somehow, you can upload it to our anonymous FTP: ftp://ftp.asw.cz/incoming
But I guess it might be hard to do on dial-up... :(

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Trojan? Or not? Help!
« Reply #5 on: August 11, 2006, 03:35:55 AM »
But I guess it might be hard to do on dial-up... :(
Anyway, there is always the possibility of packing the file into an archive...
Hope the compression makes it smaller.
Do you have winzip, winrar or a free tool for it? (like 7-zip or IZArc).
The best things in life are free.

SteveO29

  • Guest
Re: Trojan? Or not? Help!
« Reply #6 on: August 11, 2006, 09:59:42 AM »
Hi all,

I'd like to thank everyone for the replies!

I would like to upload the file in question for inspection, but I have a dial-up connection and a 47 MB file would take forever to transfer. I even tried to compact it (as Tech suggested) and it's still huge.

If anyone wants to inspect the file.. I'm pretty sure that if you obtain wksv7std.sbs from ~any~ source and scan it with Avast, you'll get the same result. This file was on my D: drive, a drive that's locked to me. I can't write to it at all.. and the files on that partition were put there when I bought the computer new from Gateway. So how could it be a trojan or virus?

Also, upon browsing the forums here.. I noticed someone else encountered the same problem I did.

See here http://forum.avast.com/index.php?topic=20125.0

Also.. the warning ~only~ comes up when I do a "thorough" scan.. Avast ignores it when I do a "standard" scan.

It simply has to be a false positive.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11863
    • AVAST Software
Re: Trojan? Or not? Help!
« Reply #7 on: August 11, 2006, 11:33:48 AM »
Yes, I remember somebody else reported the same in the past.
Unfortunatelly, I didn't find any "source" for this file... it's an old thing.

If anybody has that file, you're welcome to upload it, of course.
Thanks!

Photomumm

  • Guest
Re: Trojan? Or not? Help!
« Reply #8 on: August 12, 2006, 01:35:00 AM »
Hello,
    I am reading this thread and it's like a script from my office today!! I have had the exact same issue, I am running a Thorough scan, and I have had a few alerts claiming that I have a Trojan Horse, but these are on my D: drive (also a recovery disk, like the user who started this thread). I, however, am not on Dial up, and would be happy to upload this file so whomever can take a look at it. Please advise me on how to do this. Thank You!
 ;D

Photomumm

  • Guest
Re: Trojan? Or not? Help!
« Reply #9 on: August 12, 2006, 01:50:21 AM »
Hello,
  Me again, I also had another file from my D: drive identified as a Trojan, the file name is BASE_19.inp and it comes up with the same virus name as the others (I have had this "virus" detected on 3 drives, my C: drive, my D: drive and my L: drive (an external USB connected hard drive)). In all, thats 4 Trojan horse files found. Like the gentleman above, I do not want to delete any files from my D: drive for fear that I might mess up my system recovery drive (does that make sense). 3 of the 4 times this was detected, it was in an MSWORKS directory, and I too searched online for that file name, and found all references of it regarding MSWORKS Clipart. Thank You for the help!


ktl

  • Guest
Re: Trojan? Or not? Help!
« Reply #10 on: August 12, 2006, 03:02:15 AM »
Well, I also just switched from Norton and when I did my scan it came up with 6 Trojans!

4 are on my C drive and 2 are on my D

What do I do?  The one on my D drive was a recocovery file and it wouldn't move it to the chest because it said the file was too big.  What do I do now?

I am totally computer illiterate.

The other 5 files have all been detected in microsoft works and windows:

wsock32.dll
winsock.dll
kernel32.dll
works.exe
WKSv7std.sbs

They did not show up when I ran a standard scan only when I ran the thorough.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Trojan? Or not? Help!
« Reply #11 on: August 12, 2006, 03:33:59 AM »
The one on my D drive was a recocovery file and it wouldn't move it to the chest because it said the file was too big.  What do I do now?
Norton Ghost backup file? Is it a packed archive (like a big zip file)... they won't get out of there if you don't restore this backup... you'll be safe.

The other 5 files have all been detected in microsoft works and windows:
wsock32.dll
winsock.dll
kernel32.dll
works.exe
WKSv7std.sbs

They did not show up when I ran a standard scan only when I ran the thorough.
Are they into archive files too? Or they're there, as all other files...
Were are you seing the files... the three first ones seems to be on the System folder of avast Chest.
They're NOT infected... they're there for backup purposes... The last two ones, well, if you're seing them into Chest, you're safe.
The best things in life are free.

ktl

  • Guest
Re: Trojan? Or not? Help!
« Reply #12 on: August 12, 2006, 04:24:12 AM »
Not sure exactly what you are asking (sorry, I mentioned I'm computer illiterate)
But here is the location and exact names of where each file is.   Once I did the scan, I moved all of them to the chest.  Here is how the chest has divided them up.

Infected Files:
wksv7std.sbs    Location:  C:\Program File\Microsoft Works
works.exe         Location:   D:\j386\APPS\APP02771

System Files:
kernel32.dll      Location: C:\Windows\System32
winsock.dll                        same
wsock32.dll                       same

The one file that was too large, I moved to the recommended AVAST folder.
It was on the D drive.

D:\systemvolume information\_restore.......

So which one are safe to restore to the place of origin and which should I delete, if any?

Thanks.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Trojan? Or not? Help!
« Reply #13 on: August 12, 2006, 04:28:55 AM »
wksv7std.sbs    Location:  C:\Program File\Microsoft Works
works.exe         Location:   D:\j386\APPS\APP02771
Seems infected... let them there two or three weeks. Then right click them and choose scan again.
If after that time they're still marked as infected you can delete them.

System Files:
kernel32.dll      Location: C:\Windows\System32
winsock.dll                        same
wsock32.dll                       same
These files are CLEAN, not infected. They're into Chest due to backup purposes.

The one file that was too large, I moved to the recommended AVAST folder.
It was on the D drive.
D:\systemvolume information\_restore.......
Bad...
You should disable your system restore (Control Panel > System > System restore) and then enable it again.
It will delete all the 'restore points' but will clean your computer.

So which one are safe to restore to the place of origin and which should I delete, if any?
Do NOT restore any file... the infected because you will mess your system and the clean ones are there just as a backup.
The best things in life are free.

renee_dd

  • Guest
Re: Trojan? Or not? Help!
« Reply #14 on: August 12, 2006, 11:01:12 AM »
I have the same problem with Win32:SdBot-3324 [Trj]!

There is this trojan also in the Works Security Update File from Microsoft (free update from Works 8.0 to 8.5). http://download.microsoft.com/download/c/a/8/ca8b74c0-e20e-461d-9ca1-ad136b077226/works8.exe

Renée