Author Topic: Win32.mIRC.62 need help :(  (Read 56549 times)


bug_master

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #15 on: April 08, 2007, 04:47:22 PM »
I have had a computer for 9 months now, so I'm a bit uneducated about PC stuff  ;)
So thanks for all the help  :D

Btw avast sometimes after scan tells me that some files are damaged and cannot be scanned.
Can they be infected?

Quote
That could be an indication of an AWF infection. 

Download FindAWF, save it and run it.

Then post the log it creates.

I reinstalled avast since then, so do I still have to check it?

bug_master

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #16 on: April 08, 2007, 04:53:01 PM »
 Find AWF report by noahdfear ©2006


  bak folders found
  ~~~~~~~~~~~


 Directory of C:\PROGRA~1\DAEMON~1\BAK

09.11.2005 г.  01:00           128 920 daemon.exe
               1 File(s)        128 920 bytes

 Directory of C:\WINDOWS\SYSTEM32\BAK

04.08.2004 г.  03:56            15 360 ctfmon.exe
               1 File(s)         15 360 bytes

 Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

16.02.2005 г.  17:15            81 920 issch.exe
16.06.2004 г.  07:03           221 184 isuspm.exe
               2 File(s)        303 104 bytes

 Directory of D:\CLONECD\BAK

28.09.2006 г.  22:21            57 344 CloneCDTray.exe
               1 File(s)         57 344 bytes


  Duplicate files of bak directory contents
  ~~~~~~~~~~~~~~~~~~~~~~~

    128920 Nov  9 2005 "C:\Program Files\DAEMON Tools\bak\daemon.exe"
    157592 Sep 14 2006 "D:\DAEMON Tools\daemon.exe"
     15360 Aug  4 2004 "C:\WINDOWS\system32\ctfmon.exe"
     15360 Aug  4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
     81920 Feb 16 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
    221184 Jun 16 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
     57344 Sep 28 2006 "D:\CloneCD\bak\CloneCDTray.exe"


  end of report

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Win32.mIRC.62 need help :(
« Reply #17 on: April 08, 2007, 05:05:47 PM »
Quote
Btw avast sometimes after scan tells me that some files are damaged and cannot be scanned.
Can they be infected?

Generally not. These files that can't be scanned could have some packing trouble (or are packed in a different way), or are being used, or are password protected by their program themselves, etc.

Quote
I reinstalled avast since then, so do I still have to check it?

What do you mean by 'check it'?
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Win32.mIRC.62 need help :(
« Reply #18 on: April 08, 2007, 05:06:33 PM »
I suggest you send all bak folders and files to avast Chest during avast scanning...

bug_master

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #19 on: April 08, 2007, 05:08:05 PM »
Quote
I suggest you send all bak folders and files to avast Chest during avast scanning...

Why  ???
I think they are clean.

mauserme

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #20 on: April 08, 2007, 05:08:39 PM »
I don't think I see any indication of a current infection in your FindAWF log, but just to play it safe upload these two files to Virus Total for analysis and post the results.

D:\DAEMON Tools\daemon.exe

C:\WINDOWS\system32\ctfmon.exe

mauserme

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #21 on: April 08, 2007, 05:10:22 PM »
Quote
I suggest you send all bak folders and files to avast Chest during avast scanning...

Tech - If there was AWF the bak folders would have the uninfected copies  :)
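
The bak-folder check discussed in replies #16 to #21, as an added example that is not part of the thread and not FindAWF's own code: it parses the "Duplicate files" listing from the log above and pairs each bak copy with any same-named file outside a bak folder, comparing sizes. Pairing by file name and the helper names `parse`, `in_bak` and `triage` are assumptions made for illustration.

```python
import ntpath
import re

# The "Duplicate files of bak directory contents" section, copied from the log in reply #16.
SAMPLE = r'''
    128920 Nov  9 2005 "C:\Program Files\DAEMON Tools\bak\daemon.exe"
    157592 Sep 14 2006 "D:\DAEMON Tools\daemon.exe"
     15360 Aug  4 2004 "C:\WINDOWS\system32\ctfmon.exe"
     15360 Aug  4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
     81920 Feb 16 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
    221184 Jun 16 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
     57344 Sep 28 2006 "D:\CloneCD\bak\CloneCDTray.exe"
'''

# One listing line: size, month, day, year, quoted Windows path.
LINE = re.compile(r'^\s*(\d+)\s+\w{3}\s+\d{1,2}\s+\d{4}\s+"(.+)"\s*$')

def parse(text):
    """Return [(size, path)] for every listing line that matches LINE."""
    return [(int(m.group(1)), m.group(2))
            for m in map(LINE.match, text.splitlines()) if m]

def in_bak(path):
    """True when the file sits directly inside a folder named bak."""
    return ntpath.basename(ntpath.dirname(path)).lower() == "bak"

def triage(text):
    """Map each bak copy to [(status, live_path)]; an empty list means no live copy is listed."""
    entries = parse(text)
    live = {}
    for size, path in entries:
        if not in_bak(path):
            live.setdefault(ntpath.basename(path).lower(), []).append((size, path))
    result = {}
    for size, path in entries:
        if in_bak(path):
            matches = live.get(ntpath.basename(path).lower(), [])
            result[path] = [("same size" if s == size else "size differs", p)
                            for s, p in matches]
    return result

if __name__ == "__main__":
    for bak_path, pairs in triage(SAMPLE).items():
        print(bak_path, "->", pairs or "no live copy listed")
```

The only two live copies the listing contains are the two files named in reply #20. Equal size does not prove two files are identical, so a hash comparison or a multi-engine scan is still needed before trusting either copy.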

bug_master

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #22 on: April 08, 2007, 05:12:51 PM »
Quote
I don't think I see any indication of a current infection in your FindAWF log, but just to play it safe upload these two files to Virus Total for analysis and post the results.

D:\DAEMON Tools\daemon.exe

C:\WINDOWS\system32\ctfmon.exe

What about the other files  ???

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Win32.mIRC.62 need help :(
« Reply #23 on: April 08, 2007, 05:18:04 PM »
Quote
Why  ??? I think they are clean.

To know if a file is a false positive, please submit it to JOTTI or VirusTotal (like mauserme said) and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838

I said to send the files to Chest because they all seem suspect to me (for the path and name):
C:\PROGRA~1\DAEMON~1\BAK folder
C:\WINDOWS\SYSTEM32\BAK folder
Even a file called ctfmon.exe in this folder is suspect...
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK folder

This file *could* be clean and legit: "C:\WINDOWS\system32\ctfmon.exe"

mauserme

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #24 on: April 08, 2007, 05:23:09 PM »
Well, there are only 7 files.  Go ahead and scan them all and post results for any that show infection.

bug_master

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #25 on: April 08, 2007, 05:35:23 PM »
All clean  :D

When I was infected I restored some of the files that had bak folders, because I read in this forum that the files in the bak are the clean ones.
So I restored some of the files in the baks.

mauserme

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #26 on: April 08, 2007, 05:39:39 PM »
One more scan if you don't mind:

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

mauserme

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #27 on: April 08, 2007, 05:49:03 PM »
Quote
ashavast was infected and a bak folder appeared in the avast directory 
Just out of curiosity, do you know for sure ashavast was infected or did you presume it was?  What made the detection?
« Last Edit: April 09, 2007, 04:16:27 AM by mauserme »

bug_master

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #28 on: April 08, 2007, 05:54:16 PM »
I detected it with kaspersky online scanner, and also found a copy of it in the bak folder.

Btw I got these results after scanning ComboFix  :-\

AhnLab-V3 2007.4.7.0 04.06.2007  no virus found
AntiVir 7.3.1.48 04.08.2007  no virus found
Authentium 4.93.8 04.06.2007  no virus found
Avast 4.7.936.0 04.08.2007  no virus found
AVG 7.5.0.447 04.08.2007  no virus found
BitDefender 7.2 04.08.2007  no virus found
CAT-QuickHeal 9.00 04.06.2007  no virus found
ClamAV devel-20070312 04.08.2007  no virus found
DrWeb 4.33 04.08.2007  no virus found
eSafe 7.0.15.0 04.08.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3549 04.06.2007  no virus found
Ewido 4.0 04.08.2007  no virus found
FileAdvisor 1 04.08.2007  no virus found
Fortinet 2.85.0.0 04.08.2007  no virus found
F-Prot 4.3.1.45 04.04.2007  no virus found
F-Secure 6.70.13030.0 04.08.2007  no virus found
Ikarus T3.1.1.3 04.08.2007 Trojan-Dropper.Win32.Delf.FZ
Kaspersky 4.0.2.24 04.08.2007  no virus found
McAfee 5003 04.06.2007  no virus found
Microsoft 1.2405 04.08.2007  no virus found
NOD32v2 2173 04.07.2007  no virus found
Norman 5.80.02 04.05.2007  no virus found
Panda 9.0.0.4 04.08.2007 Suspicious file
Prevx1 V2 04.08.2007  no virus found
Sophos 4.16.0 04.06.2007  no virus found
Sunbelt 2.2.907.0 04.07.2007  no virus found
Symantec 10 04.08.2007  no virus found
TheHacker 6.1.6.085 04.04.2007  no virus found
VBA32 3.11.3 04.07.2007  no virus found
VirusBuster 4.3.7:9 04.07.2007  no virus found
Webwasher-Gateway 6.0.1 04.08.2007 Win32.ModifiedUPX.gen!84 (suspicious)

mauserme

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #29 on: April 08, 2007, 05:59:05 PM »
ComboFix is safe to run as long as you downloaded it from one of the links I posted.  It will just scan and produce a log which you can post here.