Author Topic: avast itself infected?!  (Read 13302 times)


soul

  • Guest
Re: avast itself infected?!
« Reply #15 on: October 25, 2006, 09:07:51 PM »
3.) Send it to virus (at) avast (dot) net

oops - the email i sent to that address with the zipped attachment just bounced back:
"Hi. This is the qmail-send program at yahoo.com.
I'm afraid I wasn't able to deliver your message to the following
addresses.  This is a permanent error; I've given up. Sorry it didn't work out.
<virus [editing on purpose: at] avast [dot] net>:
Sorry. Although I'm listed as a best-preference MX or A for that host, it isn't in my control/locals file, so I don't treat it as local.  (#5.4.6)"

not sure what that means, but if someone can help me get this thing submitted, i would love to, if it's potentially helpful to other people.
« Last Edit: October 25, 2006, 09:37:04 PM by soul »

soul

  • Guest
Re: avast itself infected?!
« Reply #16 on: October 25, 2006, 09:12:25 PM »
thank you, DavidR - i didn't mean to ignore what you previously flagged as needing fixing!  i think maybe i thought some of them would be fixed by the various tools i tried, and/or it's just a lot to absorb at once, for a newcomer.  i am very grateful, and i shall now go try to fix those oddities by hand; and to submit a fresh log to the HijackThis site.

thanks & thanks & thanks

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: avast itself infected?!
« Reply #17 on: October 25, 2006, 09:15:30 PM »
These two entries are rather worrying:

c:\winnt\system32\microsoft\user\FireDaemon.EXE
c:\winnt\system32\microsoft\user\dll39.exe

I came across this page which suggests they may have been placed on your computer to allow somebody to control and store files on your computer from a remote location.

Do you recognise these processes and have you installed them for a reason?

C:\WINNT\system32\microsoft\user\dll39.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.25.d
C:\WINNT\system32\microsoft\user\firedaemon.exe Infected: not-a-virus:RemoteAdmin.Win32.RA.3826

http://bbs.higaitaisaku.com/cbbs.cgi?mode=one&number=85330&type=85328&space=15&no=0
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline FreewheelinFrank

Re: avast itself infected?!
« Reply #18 on: October 25, 2006, 09:17:33 PM »
a-Squared will remove this if you check 'scan for riskware.'

http://www.emsisoft.es/es/malware/?Riskware.RemoteAdmin.Win32.RA.3826

soul

  • Guest
Re: avast itself infected?!
« Reply #19 on: October 25, 2006, 09:31:39 PM »
thank you Frank - i've asked the guy who installed windows 2000 for me about the Fire Daemon files, but he hasn't replied yet.  i'll try a-squared.  thank you.

soul

  • Guest
Re: avast itself infected?!
« Reply #20 on: October 25, 2006, 11:49:12 PM »
thank you so much - a-squared got them, all right. 
i had that internat.exe checked out, and i'm told it's the legitimate one, so that's a relief; and i'll nudge my friend about whether or not he knows where the Fire Daemon files came from.
things seem to be much more under control now, and i'm hugely grateful to you all for your very gallant and wonderful help.  many blessings on you!

Offline FreewheelinFrank

Re: avast itself infected?!
« Reply #21 on: October 25, 2006, 11:52:27 PM »
Thanks very much!

Glad we could help!

mouniernetwork

  • Guest
Re: avast itself infected?!
« Reply #22 on: October 26, 2006, 03:55:52 AM »
Are you sure that internat.exe is legitimate?
Because I was almost positive that it was a virus; the registry entries match perfectly with the ones from the virus. Here is the link:
http://www.symantec.com/security_response/writeup.jsp?docid=2002-081216-0215-99

Al968

Offline FreewheelinFrank

Re: avast itself infected?!
« Reply #23 on: October 26, 2006, 09:04:24 AM »
Internat.exe seems to be associated with pretty old viruses: the one al968 mentions is from 2002, and there's another from 2004. I would hope avast! would pick these up by now!!

http://www.sophos.com/virusinfo/analyses/trojlydraf.html

The process can also be legitimate:

http://www.liutilities.com/products/wintaskspro/processlibrary/internat/

So you should follow al968's advice and check it out.

soul

  • Guest
Re: avast itself infected?!
« Reply #24 on: October 26, 2006, 10:26:32 AM »
thank you again - i submitted that internat file to both the HijackThis site and the Spykiller site, and was told it's the legitimate file.  as i noted up there somewhere, i also tried to submit it to Avast as the good Al968 suggested, but the email bounced back as undeliverable for some reason.

i've also gone ahead and turned off/disabled the FireDaemon files, and will uninstall them once i figure out how to do that.   

again, many many thanks and blessings on you all for all your great help.

mouniernetwork

  • Guest
Re: avast itself infected?!
« Reply #25 on: October 26, 2006, 12:56:41 PM »
What you might want to do to be on the safe side is run the following removal tool, which actually looks for NetSnake:

http://spywareremove.com/removeNetSnakea.html

It's better to be worried than to be sorry.  ;)

Al968

soul

  • Guest
Re: avast itself infected?!
« Reply #26 on: October 26, 2006, 04:47:27 PM »
actually i *am* a bit worried - i wouldn't want the legitimate internat.exe to get wiped out.  i don't mean to seem foolish or ungrateful, but ... are we sure this tool  will leave my real internat.exe unharmed? 

also, i've just tried again to submit the zip file i made out of it to Avast at the email address Al968 gave me, but once again it bounced back as undeliverable.  is there some other way i can try to submit it to them?

thanks so much ...

mouniernetwork

  • Guest
Re: avast itself infected?!
« Reply #27 on: October 26, 2006, 09:12:53 PM »
Do you set the password to virus each time?

If so you can send it to me and I will submit it to Avast.

Al968

soul

  • Guest
Re: avast itself infected?!
« Reply #28 on: October 26, 2006, 10:25:28 PM »
Al968, i'm just using winzip (the trial version) to make the zip file, and i don't see any option that would allow me to give it a password.   if that's what i have to do in order to submit it to Avast's email address (or to yours) i'm afraid i won't be able to do it.  i'm sorry.

mouniernetwork

  • Guest
Re: avast itself infected?!
« Reply #29 on: October 26, 2006, 10:31:16 PM »
But why don't you use Windows to make a zip file?
All you have to do is right-click on the file that you want to zip, select Send To -> and choose compressed file.

Otherwise you can just send me the file unzipped and I'll do it.

Everything for the Virus definition  ;)

Al968