avast itself infected?!

[soul]

3.) Send it to virus (at) avast (dot) net

oops - the email i sent to that address with the zipped attachment just bounced back:
"Hi. This is the qmail-send program at yahoo.com.
I'm afraid I wasn't able to deliver your message to the following
addresses.  This is a permanent error; I've given up. Sorry it didn't work out.
<virus [editing on purpose: at] avast [dot] net>:
Sorry. Although I'm listed as a best-preference MX or A for that host, it isn't in my control/locals file, so I don't treat it as local.  (#5.4.6)"

not sure what that means, but if someone can help me get this thing submitted, i would love to, if it's potentially helpful to other people.

[soul]

thank you, DavidR - i didn't mean to ignore what you previously flagged as needing fixing!  i think maybe i thought some of them would be fixed by the various tools i tried, and/or it's just a lot to absorb at once, for a newcomer.  i am very grateful, and i shall now go try to fix those oddities by hand; and to submit a fresh log to the Highjack This site. 

thanks & thanks & thanks

[FreewheelinFrank]

These two entries are rather worrying:

c:\winnt\system32\microsoft\user\FireDaemon.EXE
c:\winnt\system32\microsoft\user\dll39.exe

I came across this page which suggests they may have been placed on your computer to allow somebody to control and store files on your computer from a remote location.

Do you recognise these processes and have you installed them for a reason?

C:\WINNT\system32\microsoft\user\dll39.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.25.d
C:\WINNT\system32\microsoft\user\firedaemon.exe Infected: not-a-virus:RemoteAdmin.Win32.RA.3826

http://bbs.higaitaisaku.com/cbbs.cgi?mode=one&number=85330&type=85328&space=15&no=0

[FreewheelinFrank]

a-Squared will remove this if you check 'scan for riskware.'

http://www.emsisoft.es/es/malware/?Riskware.RemoteAdmin.Win32.RA.3826

[soul]

thank you Frank - i've asked the guy who installed windows 2000 for me about the Fire Daemon files, but he hasn't replied yet.  i'll try a-squared.  thank you.

[soul]

thank you so much - a-squared got them, all right. 
i had that internat.exe checked out, and i'm told it's the legitimate one, so that's a relief; and i'll nudge my friend about whether or not he knows where the Fire Daemon files came from.
things seem to be much more under control now, and i'm hugely grateful to you all for your very gallant and wonderful help.  many blessings on you!

[FreewheelinFrank]

Thanks very much!

Glad we could help!

[mouniernetwork]

Are you sure that internat.exe is legitimate ??
Because I was almost possitive that it was a virus, the registery entries are matching perfectly with the ones from the virus, here is the link:
http://www.symantec.com/security_response/writeup.jsp?docid=2002-081216-0215-99

Al968

[FreewheelinFrank]

Internat.exe seems to be associated with pretty old viruses: the one al968 mentions is from 2002, and there's another from 2004. I would hope avast! would pick these up by now!!

http://www.sophos.com/virusinfo/analyses/trojlydraf.html

The process can also be legitimate:

http://www.liutilities.com/products/wintaskspro/processlibrary/internat/

So you should follow al968's advice and check it out.

[soul]

thank you again - i submitted that internat file to both the Highack This site and the Spykiller site, and was told it's the legitimate file.  as i noted up there somewhere, i also tried to submit it to Avast as the good Al968 suggested, but the email bounced back as undeliverable for some reason.

i've also gone ahead and turned off/disabled the FireDaemon files, and will uninstall them once i figure out how to do that.   

again, many many thanks and blessings on you all for all your great help.

[mouniernetwork]

What you might want to go to be on the safge side is run the following removal tool which actually looks for Netshake :

http://spywareremove.com/removeNetSnakea.html

Its better to be worry than to be sorry. 

Al968

[soul]

actually i *am* a bit worried - i wouldn't want the legitimate internat.exe to get wiped out.  i don't mean to seem foolish or ungrateful, but ... are we sure this tool  will leave my real internat.exe unharmed? 

also, i've just tried again to submit the zip file i made out of it to Avast at the email address Al968 gave me, but once again it bounced back as undeliverable.  is there some other way i can try to submit it to them?

thanks so much ...

[mouniernetwork]

do you set the password to virus each time ??

If so you can send it to me and I will submit it to Avast.

Al968

[soul]

Al968, i'm just using winzip (the trial version) to make the zip file, and i don't see any option that would allow me to give it a password.   if that's what i have to do in order to submit it to Avast's email address (or to yours) i'm afraid i won't be able to do it.  i'm sorry.

[mouniernetwork]

But why don't you use the windows two make a zip file.
All you have to do is right click on the file that you want to zip, select send to -> And choose compressed file.

Otherwise you can just send me the file unzip and I'll do it.

Everything for the Virus definition 

Al968