Author Topic: Win32:Spyware-gen [TRJ]...Win32:Inservice-DH [Trj]...Unable to Scan: CHM Archive  (Read 17137 times)


w1lko

  • Guest
Hi,

I did a virus check with Avast last night and it came up saying I had 'Win32: Spyware-gen [TRJ]' and 'Win32: Inservice-DH [TRJ]' on some files. I've now moved these to the chest. However, I'm not entirely sure if I need to do anything else to these? Are they safe where they are? I googled the 'Win32: Spyware-gen [TRJ]' and got some results saying that the trojan re-appears on different files once it's been moved to the chest. Further to this there are several other trojans in the chest - ones that I put there some time ago. Can I do anything with these? Is it safe to leave them there?
Also, the scan picked up a few files it says it is "Unable to Scan: Archive is Password Protected" and "'Unable to Scan: CHM Archive is Corrupted". I am unable to move or delete or repair these files, even in safe mode. Are they likely to be harmful?

I've carried out spyware checks using lava soft, superantispyware, avg anti spyware, spyware blaster, and spyware doctor. I've either deleted or quarantined everything that was flagged up. I've also run CCleaner and Spybot Search and Destroy (although I didn't remove anything from S&D as I don't know what I'm doing).

I've pasted my hijack this results below and would be grateful if you could give me some advice on what you think I should do next. I'm currently updating Avast's VRDB but it's taking hours...I'm not even sure it will tell me when it's finished or what I should do when it's finished.

Any help would be greatly appreciated.

Matt

Logfile of HijackThis v1.99.1
Scan saved at 11:55:24, on 16/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avast AntiVirus\aswUpdSv.exe
D:\Program Files\Avast AntiVirus\ashServ.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Java\Updates\25.02.07\bin\jusched.exe
C:\WINDOWS\system32\ezSP_Px.exe
D:\PROGRA~1\AVASTA~1\ashDisp.exe
D:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Avast AntiVirus\ashMaiSv.exe
D:\Program Files\Avast AntiVirus\ashWebSv.exe
C:\WINDOWS\system32\WgaTray.exe
D:\Program Files\AVG Anti Spyware\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Applications\Hijack This\alternativ.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - D:\PROGRA~1\Fresh\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\Updates\25.02.07\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\Updates\25.02.07\bin\jusched.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\AVASTA~1\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\AVG Anti Spyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\Updates\25.02.07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\Updates\25.02.07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108567203532
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\Super Anti Spyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Avast AntiVirus\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Avast AntiVirus\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Avast AntiVirus\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Avast AntiVirus\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\AVG Anti Spyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33938
  • malware fighter
Hi w1lko,

The analysis of your HJT log can be found here for 3 consecutive days:
http://www.hijackthis.de/logfiles/9040b214d04b28d634928a6abd754913.html

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

w1lko

  • Guest
Quote
Hi w1lko,

The analysis of your HJT log can be found here for 3 consecutive days:
http://www.hijackthis.de/logfiles/9040b214d04b28d634928a6abd754913.html

polonus


hey polonus,


is that from http://www.hijackthis.de/en? i checked it out too :)

problem is i'm still not sure what to delete/remove or whatnot. the first two 'possibly nasty's it flags up are both in the avast program files...i'm a bit wary of playing around with these without knowing what i'm doing. i think the third 'possibly nasty' is avast too. any ideas?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89368
  • No support PMs thanks
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?  Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.

These give us a little more scope with finding information on the file name and possibly other removal information on associated registry entries, files, etc. The malware name isn't so helpful on its own.

Those 'possibly nasty' entries mean you need to do some research, and in the case of the avast files there is no problem with those, as you have installed avast into the D:\ partition?
It is basically pointing out that it differs from the default location, which is C:\Program Files\Alwil Software\Avast4, and as such could be something trying to pass itself off as avast and 'possibly nasty.'
« Last Edit: April 16, 2007, 06:11:15 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

w1lko

  • Guest
ah yeah that makes sense about the avast 'possibly' ones. thanks.


here is my log file, along with dates (latest ones first):

16/04/2007 12:17:55   Matt Wilko   3100   Sign of "Win32:Inservice-DH [Trj]" has been found in "C:\Documents and Settings\Matt Wilko\Local Settings\Application Data\Mozilla\Firefox\Profiles\hgga03l0.default\Cache\_CACHE_003_" file. 
15/04/2007 23:11:42   Matt Wilko   244   Sign of "Win32:Inservice-DH [Trj]" has been found in "C:\DOCUME~1\MATTWI~1\LOCALS~1\Temp\65tb6yb8.zip" file. 
15/04/2007 22:12:43   Matt Wilko   384   Sign of "Win32:Spyware-gen. [Trj]" has been found in "D:\System Volume Information\_restore{56BBF39E-459B-4B83-B589-D3EEA342F947}\RP484\A0098123.EXE\TSINST.EXE" file. 
15/04/2007 21:52:46   Matt Wilko   384   Sign of "Win32:Spyware-gen. [Trj]" has been found in "D:\System Volume Information\_restore{56BBF39E-459B-4B83-B589-D3EEA342F947}\RP484\A0098123.EXE\TSUNINST.EXE" file. 
15/04/2007 21:14:10   Matt Wilko   384   Sign of "Win32:Spyware-gen. [Trj]" has been found in "D:\Applications\PKZip V2.7\PK270WSP.EXE\TSINST.EXE" file. 
15/04/2007 21:13:26   Matt Wilko   384   Sign of "Win32:Spyware-gen. [Trj]" has been found in "D:\Applications\PKZip V2.7\PK270WSP.EXE\TSUNINST.EXE" file. 
25/10/2006 23:33:10   SYSTEM   720   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\KsUser.dll (C:\WINDOWS\system32\KsUser.dll) returning error, 0000A474. 
23/10/2006 23:59:16   SYSTEM   256   Function setifaceUpdatePackages() has failed. Return code is 0x00000001, dwRes is 00000001. 
02/09/2006 22:57:16   SYSTEM   252   aswServ::AavmStart ERROR... 
11/08/2006 10:17:20   Matt Wilko   2380   Function setifaceUpdateFiles() has failed. Return code is 0x20000011, dwRes is 20000011. 
15/07/2006 14:48:35   Matt Wilko   1792   Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7. 
28/04/2006 01:54:29   SYSTEM   1756   An error has occured while attempting to update. Please check the logs. 
28/04/2006 01:54:27   SYSTEM   1756   Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142. 
26/03/2006 16:40:02   Matt Wilko   1224   Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7. 
26/03/2006 15:03:08   Matt Wilko   2396   Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7. 
05/03/2006 21:36:57   Matt Wilko   1752   Sign of "Win32:Trojan-gen. {Other}" has been found in "D:\System Volume Information\_restore{56BBF39E-459B-4B83-B589-D3EEA342F947}\RP239\A0034239.exe" file. 
05/03/2006 18:39:43   Matt Wilko   1752   Sign of "Win32:Trojano-3295 [Trj]" has been found in "C:\DOCUME~1\MATTWI~1\LOCALS~1\Temp\b24yvwhj.exe\[Yoda]" file. 
03/03/2006 17:36:56   SYSTEM   1760   Sign of "Win32:Trojan-gen. {Other}" has been found in "D:\System Volume Information\_restore{56BBF39E-459B-4B83-B589-D3EEA342F947}\RP239\A0034238.exe" file. 
03/03/2006 12:05:58   SYSTEM   1756   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004. 
03/03/2006 12:05:58   SYSTEM   1756   An error has occured while attempting to update. Please check the logs. 
03/03/2006 06:28:48   SYSTEM   1756   Sign of "Win32:Trojan-gen. {Other}" has been found in "D:\System Volume Information\_restore{56BBF39E-459B-4B83-B589-D3EEA342F947}\RP239\A0034238.exe" file. 
03/03/2006 00:19:41   Matt Wilko   676   Sign of "Win32:Trojan-gen. {Other}" has been found in "D:\Program Files\DivX Codec 3.11\DivX Codec\uninstall.exe" file. 
03/03/2006 00:09:55   Matt Wilko   676   Sign of "Win32:Trojan-gen. {Other}" has been found in "D:\Applications\Div X\DivX-3.11-Installer.exe" file. 
02/03/2006 22:17:40   Matt Wilko   408   Sign of "Win32:Trojan-gen. {Other}" has been found in "D:\Applications\Div X\DivX-3.11-Installer.exe" file. 
23/02/2006 00:16:06   Matt Wilko   1752   Sign of "MS06-001 WMF Exploit" has been found in "C:\DOCUME~1\MATTWI~1\LOCALS~1\Temp\k6v07c6o.wmf" file. 
16/02/2006 22:28:54   Matt Wilko   3232   Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7. 

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89368
  • No support PMs thanks
The x:\System Volume Information folder (x being the drive letter) is a part of the system restore function and as such is protected by windows; the only way to clean infected _restore points is to disable system restore and reboot. This will clear ALL _restore points. Once you have disabled system restore, reboot, scan your PC again and if clear enable system restore.

Win XP-ME - How to disable System Restore

I would recommend you periodically clear out your temporary files including the browser cache, ClearProg - Temp File Cleaner or CCleaner - Temp File Cleaner, etc.

The ones relating to codecs are one of the common areas for trojan infection, especially if you did a search for free codecs; however, there have been some strange detections of uninstall files so I would check these out. You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner; if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest, you will need to move it out.


The others appear to be good detections based on their location and file names, but you can check them out if you wish.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33938
  • malware fighter
Hi w1lko,

Well, all the avast entries in the HJT logfile are fine, this is one of the undocumented HJT hiccups. I also checked up on fdcatch.dll and wltrysvc.exe; no problems there either. As far as I can see the log is clean, just get the latest version of Sun Java, if you haven't that already. Just curious what the others will recommend or if something was overlooked...

polonus

PS Wilko here is a boy's name from the Groningen province? Where does yours stem from?
« Last Edit: April 16, 2007, 08:55:08 PM by polonus »

w1lko

  • Guest
Quote
The x:\System Volume Information folder (x being the drive letter) is a part of the system restore function and as such is protected by windows; the only way to clean infected _restore points is to disable system restore and reboot. This will clear ALL _restore points. Once you have disabled system restore, reboot, scan your PC again and if clear enable system restore.

Win XP-ME - How to disable System Restore

I would recommend you periodically clear out your temporary files including the browser cache, ClearProg - Temp File Cleaner or CCleaner - Temp File Cleaner, etc.

The ones relating to codecs are one of the common areas for trojan infection, especially if you did a search for free codecs; however, there have been some strange detections of uninstall files so I would check these out. You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner; if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest, you will need to move it out.

The others appear to be good detections based on their location and file names, but you can check them out if you wish.

Hi David,

Many thanks for that help. Can I just ask though, what do you mean by 'check these out'? Do you mean restore the files? Or delete them or something?

I did an online scan of the first infected file to see what happened. Firstly I restored the file - C:\Documents and Settings\Matt Wilko\Local Settings\Application Data\Mozilla\Firefox\Profiles\hgga03l0.default\Cache\_CACHE_003_ - and then I entered it into Jotti to be scanned (VirusTotal didn't seem to work...it just took me to a blank screen). The results in Jotti were that one scanner (Avast) found it to be infected with the Inservice trojan. All the other scanners found no error. I'm still not really sure whether that means I should delete it, keep it in the chest or restore it though?! Same goes for the other codecs/uninstall files.

If you could let me know what you think it'd be brilliant.

Matt

w1lko

  • Guest
Quote
Hi w1lko,

Well, all the avast entries in the HJT logfile are fine, this is one of the undocumented HJT hiccups. I also checked up on fdcatch.dll and wltrysvc.exe; no problems there either. As far as I can see the log is clean, just get the latest version of Sun Java, if you haven't that already. Just curious what the others will recommend or if something was overlooked...

polonus

PS Wilko here is a boy's name from the Groningen province? Where does yours stem from?

Cheers Polonus, Wilko here is derived from Wilkinson which is my surname! I think it may be Irish...but don't quote me on that! Thanks for checking the log.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89368
  • No support PMs thanks
Quote
Hi David,

Many thanks for that help. Can I just ask though, what do you mean by 'check these out'? Do you mean restore the files? Or delete them or something?

I did an online scan of the first infected file to see what happened. Firstly I restored the file - C:\Documents and Settings\Matt Wilko\Local Settings\Application Data\Mozilla\Firefox\Profiles\hgga03l0.default\Cache\_CACHE_003_ - and then I entered it into Jotti to be scanned (VirusTotal didn't seem to work...it just took me to a blank screen). The results in Jotti were that one scanner (Avast) found it to be infected with the Inservice trojan. All the other scanners found no error. I'm still not really sure whether that means I should delete it, keep it in the chest or restore it though?! Same goes for the other codecs/uninstall files.

If you could let me know what you think it'd be brilliant.

Matt

By 'check them out' you did exactly what I intended: use VirusTotal and/or Jotti (my preference would be VirusTotal as that has more different scanning engines). Personally, there is no need to check detections in temporary locations, as by their nature they are temporary and temporary files can simply be deleted; I usually recommend clearing temporary files before running an on-demand scan for the same reason, they are temporary.

Basically you are checking that the detection is good, if only avast detects it then it may be a false positive detection. So I don't want you to delete them but confirm/check the detection is good.

These were the ones I think should be checked:
15/04/2007 21:13:26   Matt Wilko   384   Sign of "Win32:Spyware-gen. [Trj]" has been found in "D:\Applications\PKZip V2.7\PK270WSP.EXE\TSUNINST.EXE" file.

Detections relating to codec files:
03/03/2006 00:19:41   Matt Wilko   676   Sign of "Win32:Trojan-gen. {Other}" has been found in "D:\Program Files\DivX Codec 3.11\DivX Codec\uninstall.exe" file.
03/03/2006 00:09:55   Matt Wilko   676   Sign of "Win32:Trojan-gen. {Other}" has been found in "D:\Applications\Div X\DivX-3.11-Installer.exe" file.
02/03/2006 22:17:40   Matt Wilko   408   Sign of "Win32:Trojan-gen. {Other}" has been found in "D:\Applications\Div X\DivX-3.11-Installer.exe" file.

If any prove to be false positives, add it/them to the exclusions lists (Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions) and periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Also see (Mini Sticky) False Positives, how to report it to avast! and what to do to exclude them until the problem is corrected.
« Last Edit: April 16, 2007, 11:45:57 PM by DavidR »
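The advice in the two posts above (restore-point hits need System Restore disabled, temp and cache hits are simply deleted, anything else is checked with a multi-engine scanner, and a detection only one engine or only heuristic engines agree with is treated as a probable false positive to report and exclude) can be turned into a small triage script. This is an added example, not code from the thread or from avast; the Log Viewer line format and the scan-report dictionaries are taken from the lines quoted in this thread, and the category names are my own.

```python
"""Triage helper for avast Log Viewer warnings and multi-engine scan results.

Added example (not from the thread or from avast). It encodes the handling
advice given in the thread for each kind of detection location and applies
the "only one engine flagged it" false-positive heuristic to a scan report.
"""
import re
from collections import namedtuple

# Format of an avast 4 Log Viewer "Warning" detection line as pasted in the thread:
#   dd/mm/yyyy hh:mm:ss   <user>   <pid>   Sign of "<name>" has been found in "<path>" file.
LOG_LINE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+'
    r'(?P<user>.+?)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<name>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)

Detection = namedtuple("Detection", "date name path action")

# Category names are assumptions of this example, not avast terminology.
RESTORE_POINT = "restore-point"   # inside x:\System Volume Information\_restore...: disable System Restore, reboot, rescan
TEMPORARY = "temporary"           # Temp folder or browser cache: just clear the temp files
VERIFY = "verify"                 # a real installed file: check with a multi-engine scanner before deleting


def classify_path(path):
    """Map a detected file path to the handling category from the thread's advice."""
    p = path.lower().replace("/", "\\")
    if "\\system volume information\\_restore" in p:
        return RESTORE_POINT
    if "\\temp\\" in p or "\\cache\\" in p:
        return TEMPORARY
    return VERIFY


def parse_warnings(log_text):
    """Extract detection lines; update-failure and engine-error lines are skipped."""
    found = []
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if m:
            found.append(Detection(m["date"], m["name"], m["path"], classify_path(m["path"])))
    return found


CLEAN_VERDICTS = ("no virus found", "found nothing", "ok", "clean")
HEURISTIC_HINTS = ("suspicious", "heur", "generic")


def consensus(results):
    """results: {engine: verdict} copied from a VirusTotal or Jotti report.

    Returns (status, hits): 'clean' when no engine flags the file,
    'probable-false-positive' when only one engine flags it or every flag is a
    heuristic/suspicious verdict, and 'confirmed' when several engines name it.
    """
    hits = {e: v for e, v in results.items() if v.strip().lower() not in CLEAN_VERDICTS}
    if not hits:
        return "clean", hits
    named = [v for v in hits.values() if not any(h in v.lower() for h in HEURISTIC_HINTS)]
    if len(hits) == 1 or not named:
        return "probable-false-positive", hits
    return "confirmed", hits


# Sample input: Log Viewer lines quoted from this thread (constructed excerpt,
# including one update-failure line that must be ignored).
SAMPLE_LOG = r"""
16/04/2007 12:17:55   Matt Wilko   3100   Sign of "Win32:Inservice-DH [Trj]" has been found in "C:\Documents and Settings\Matt Wilko\Local Settings\Application Data\Mozilla\Firefox\Profiles\hgga03l0.default\Cache\_CACHE_003_" file.
15/04/2007 23:11:42   Matt Wilko   244   Sign of "Win32:Inservice-DH [Trj]" has been found in "C:\DOCUME~1\MATTWI~1\LOCALS~1\Temp\65tb6yb8.zip" file.
15/04/2007 22:12:43   Matt Wilko   384   Sign of "Win32:Spyware-gen. [Trj]" has been found in "D:\System Volume Information\_restore{56BBF39E-459B-4B83-B589-D3EEA342F947}\RP484\A0098123.EXE\TSINST.EXE" file.
15/04/2007 21:13:26   Matt Wilko   384   Sign of "Win32:Spyware-gen. [Trj]" has been found in "D:\Applications\PKZip V2.7\PK270WSP.EXE\TSUNINST.EXE" file.
23/10/2006 23:59:16   SYSTEM   256   Function setifaceUpdatePackages() has failed. Return code is 0x00000001, dwRes is 00000001.
"""

# VirusTotal report for PK270WSP.EXE as posted in the thread, abridged to a few
# clean engines plus the two heuristic flags (constructed excerpt).
PKZIP_VT = {
    "Avast": "no virus found", "Kaspersky": "no virus found", "McAfee": "no virus found",
    "Symantec": "no virus found", "Sunbelt": "VIPRE.Suspicious",
    "Webwasher-Gateway": "Virus.Win32.FileInfector.gen (suspicious)",
}
# Jotti report for _CACHE_003_ as posted in the thread, abridged (constructed excerpt).
CACHE_JOTTI = {
    "AntiVir": "Found nothing", "Avast": "Found Win32:Inservice-DH",
    "Kaspersky Anti-Virus": "Found nothing", "NOD32": "Found nothing",
}

if __name__ == "__main__":
    for d in parse_warnings(SAMPLE_LOG):
        print(f"{d.date}  {d.action:14}  {d.name}  {d.path}")
    print("PK270WSP.EXE:", consensus(PKZIP_VT)[0])
    print("_CACHE_003_:", consensus(CACHE_JOTTI)[0])
```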

w1lko

  • Guest
Quote
By 'check them out' you did exactly what I intended: use VirusTotal and/or Jotti (my preference would be VirusTotal as that has more different scanning engines). Personally, there is no need to check detections in temporary locations, as by their nature they are temporary and temporary files can simply be deleted; I usually recommend clearing temporary files before running an on-demand scan for the same reason, they are temporary.

Basically you are checking that the detection is good, if only avast detects it then it may be a false positive detection. So I don't want you to delete them but confirm/check the detection is good.

These were the ones I think should be checked:
15/04/2007 21:13:26   Matt Wilko   384   Sign of "Win32:Spyware-gen. [Trj]" has been found in "D:\Applications\PKZip V2.7\PK270WSP.EXE\TSUNINST.EXE" file.

Detections relating to codec files:
03/03/2006 00:19:41   Matt Wilko   676   Sign of "Win32:Trojan-gen. {Other}" has been found in "D:\Program Files\DivX Codec 3.11\DivX Codec\uninstall.exe" file.
03/03/2006 00:09:55   Matt Wilko   676   Sign of "Win32:Trojan-gen. {Other}" has been found in "D:\Applications\Div X\DivX-3.11-Installer.exe" file.
02/03/2006 22:17:40   Matt Wilko   408   Sign of "Win32:Trojan-gen. {Other}" has been found in "D:\Applications\Div X\DivX-3.11-Installer.exe" file.

If any prove to be false positives, add it/them to the exclusions lists (Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions) and periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Also see (Mini Sticky) False Positives, how to report it to avast! and what to do to exclude them until the problem is corrected.


Hi David,

I did a scan on all the items in the chest in Avast, and all of the ones you mentioned in your last post - apart from one (below) - came up as 'no virus' which I guess means they've been cleaned up?

The one that is still not clean is:

15/04/2007 21:13:26   Matt Wilko   384   Sign of "Win32:Spyware-gen. [Trj]" has been found in "D:\Applications\PKZip V2.7\PK270WSP.EXE\TSUNINST.EXE" file.

Now, unfortunately I can't restore this file for some reason (I can't restore any of the tsuninst.exe or tsinst.exe ones).

What I can - and did - do was scan the PK270WSP.EXE file, where the log says those two Tsuninst and Tsinst files are located, in Virus Total. It came up with the following results (sunbelt and webwasher gateway found it suspicious):

AhnLab-V3   2007.4.14.0   04.16.2007   no virus found
AntiVir   7.3.1.52   04.16.2007   no virus found
Authentium   4.93.8   04.16.2007   no virus found
Avast   4.7.936.0   04.13.2007   no virus found
AVG   7.5.0.447   04.16.2007   no virus found
BitDefender   7.2   04.17.2007   no virus found
CAT-QuickHeal   9.00   04.16.2007   no virus found
ClamAV   devel-20070312   04.16.2007   no virus found
DrWeb   4.33   04.17.2007   no virus found
eSafe   7.0.15.0   04.16.2007   no virus found
eTrust-Vet   30.7.3572   04.16.2007   no virus found
Ewido   4.0   04.16.2007   no virus found
FileAdvisor   1   04.17.2007   no virus found
Fortinet   2.85.0.0   04.16.2007   no virus found
F-Prot   4.3.2.48   04.16.2007   no virus found
F-Secure   6.70.13030.0   04.16.2007   no virus found
Ikarus   T3.1.1.5   04.16.2007   no virus found
Kaspersky   4.0.2.24   04.17.2007   no virus found
McAfee   5010   04.16.2007   no virus found
Microsoft   1.2405   04.16.2007   no virus found
NOD32v2   2195   04.16.2007   no virus found
Norman   5.80.02   04.12.2007   no virus found
Panda   9.0.0.4   04.17.2007   no virus found
Prevx1   V2   04.17.2007   no virus found
Sophos   4.16.0   04.16.2007   no virus found
Sunbelt   2.2.907.0   04.07.2007   VIPRE.Suspicious
Symantec   10   04.17.2007   no virus found
TheHacker   6.1.6.088   04.09.2007   no virus found
VBA32   3.11.3   04.16.2007   no virus found
VirusBuster   4.3.7:9   04.16.2007   no virus found
Webwasher-Gateway   6.0.1   04.16.2007   Virus.Win32.FileInfector.gen (suspicious)

Aditional Information
File size: 750794 bytes
MD5: 254a68d2ee2fd86f0ac070ae63a47dfc
SHA1: bcfdc355eccb7023f31d4cf34557dff6e70d6792
packers: PKLITE32
packers: PKLite32
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.


What should I do with this in mind?


Moving on, I think that if I ignore the temp files - which I will delete at some point - and the system restore ones (which I'll get rid of after turning system restore off hopefully) - that just leaves the two PK270WSP files (Tsinst.exe and Tsuninst.exe) and the _Cache_003 file.

With the _Cache_003 file, I think this has been replaced by Mozilla as there is a smaller file of the same name in the same folder. I scanned this in Avast and on VirusTotal and it is fine. However, if I scan the file of the same name (but different size) in the Chest, it is still infected.

Any ideas on what I should do?


Many thanks,

Matt

w1lko

  • Guest
OK, I've just put the restored _cache_003 through Jotti.

Here's the results:

 Scan taken on 16 Apr 2007 23:18:32 (GMT)
AntiVir    
Found nothing
ArcaVir    
Found nothing
Avast    
Found Win32:Inservice-DH
AVG Antivirus    
Found nothing
BitDefender    
Found nothing
ClamAV    
Found nothing
Dr.Web    
Found nothing
F-Prot Antivirus    
Found nothing
F-Secure Anti-Virus    
Found nothing
Fortinet    
Found nothing
Kaspersky Anti-Virus    
Found nothing
NOD32    
Found nothing
Norman Virus Control    
Found nothing
Panda Antivirus    
Found nothing
Rising Antivirus    
Found nothing
VirusBuster    
Found nothing
VBA32    
Found nothing

POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)

---

One thing I have noticed a couple of times now (each time I've restored the _Cache_003 file) is that the graphics on this forum go all weird - it's just a white background and just text, no graphics whatsoever really.
Also on Firefox, if I open the VirusTotal page it has 'AMATEUR' written across the screen - in a massive font size, with a website of www.amateurallure.com written above it. I haven't and won't be seeing what that site is, although I googled it and it looked really dodgy.
Anyway, I can't use Firefox to scan the _Cache_003 file in VirusTotal - nothing happens when I click Send. I can't click on a few buttons on the VirusTotal homepage actually. They just won't work. I'm currently trying to scan it in VirusTotal using Internet Explorer but it's taking ages to load and has crashed every time so far... I'll keep trying though.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89368
  • No support PMs thanks
Quote
I did a scan on all the items in the chest in Avast, and all of the ones you mentioned in your last post - apart from one (below) - came up as 'no virus' which i guess means theyve been cleaned up?

No it is more likely that the detection wasn't good, a false positive, so you should send samples to avast as outlined in the False Positive link I gave above.

I also believe the PKZIP one may also be a false positive detection.

Quote
Now, unfortunately i can't restore this file for some reason (i can't restore any of the tsuninst.exe or tsinst.exe ones).

Checking back in your posts these were in:
15/04/2007 22:12:43   Matt Wilko   384   Sign of "Win32:Spyware-gen. [Trj]" has been found in "D:\System Volume Information\_restore{56BBF39E-459B-4B83-B589-D3EEA342F947}\RP484\A0098123.EXE\TSINST.EXE" file.
15/04/2007 21:52:46   Matt Wilko   384   Sign of "Win32:Spyware-gen. [Trj]" has been found in "D:\System Volume Information\_restore{56BBF39E-459B-4B83-B589-D3EEA342F947}\RP484\A0098123.EXE\TSUNINST.EXE" file.
So you have no need to restore these and windows will stop you placing (even restoring) files in this windows protected area.

So I would simply suggest re-installing PKZIP 2.7 again.

As I said, it really is a waste of time worrying too much about stuff in temp locations like the browser cache; there is little point in trying to restore it, it is temporary. Not to mention _Cache_003_ is a special file containing multiple files collected into one cache, so there is little point in recovering this.

authorsimms

  • Guest
Quote
OK, I've just put the restored _cache_003 through Jotti.

Here's the results:

 Scan taken on 16 Apr 2007 23:18:32 (GMT)
AntiVir    
Found nothing
ArcaVir    
Found nothing
Avast    
Found Win32:Inservice-DH
AVG Antivirus    
Found nothing
BitDefender    
Found nothing
ClamAV    
Found nothing
Dr.Web    
Found nothing
F-Prot Antivirus    
Found nothing
F-Secure Anti-Virus    
Found nothing
Fortinet    
Found nothing
Kaspersky Anti-Virus    
Found nothing
NOD32    
Found nothing
Norman Virus Control    
Found nothing
Panda Antivirus    
Found nothing
Rising Antivirus    
Found nothing
VirusBuster    
Found nothing
VBA32    
Found nothing

POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)

---

One thing I have noticed a couple of times now (each time I've restored the _Cache_003 file) is that the graphics on this forum go all weird - it's just a white background and just text, no graphics whatsoever really.
Also on Firefox, if I open the VirusTotal page it has 'AMATEUR' written across the screen - in a massive font size, with a website of www.amateurallure.com written above it. I haven't and won't be seeing what that site is, although I googled it and it looked really dodgy.
Anyway, I can't use Firefox to scan the _Cache_003 file in VirusTotal - nothing happens when I click Send. I can't click on a few buttons on the VirusTotal homepage actually. They just won't work. I'm currently trying to scan it in VirusTotal using Internet Explorer but it's taking ages to load and has crashed every time so far... I'll keep trying though.

I had the same issues with the site www.bondara.co.uk that I have been working on. Thanks to the comments in this forum I could get it fixed. Thank you. Thanks guys.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33938
  • malware fighter
Hi W1lko,

These are the results from the DrWeb online URL scan for the link you gave:

Anti-virus engine version: 4.44.0.9170
File size: 44017 bytes, with inside scripts and frames: 87811 bytes

www.bondara.co.uk - archive HTML
>www.bondara.co.uk/Script.0 - OK
>www.bondara.co.uk/Script.1 - OK
>www.bondara.co.uk/Script.2 - OK
>www.bondara.co.uk/javascript.3 - OK
>www.bondara.co.uk/javascript.4 - OK
www.bondara.co.uk - OK

This page also includes scripts/frames. All of them were also checked:

    * http://www.bondara.co.uk/script/swfobject.js
    * http://www.bondara.co.uk/script/functions.js
    * http://www.bondara.co.uk/script/feedback.js
    * http://s7.addthis.com/js/addthis_widget.php?v=12
    * http://server.iad.liveperson.net/hc/31370021/x.js?cmd=file&file=chatScript3&site=31370021&&imageUrl=http://images.liveperson.com/lp/31370021

polonus