Author Topic: Subsari Trojan found  (Read 7274 times)


kakapo

Subsari Trojan found
« on: November 12, 2007, 07:35:18 PM »
Hello again,
 
For the first time avast! has found a trojan in my Asus A2 laptop running XP Home.

File name:  C:\Program files\Asus\WLAN Card utilities\ St Monitor.exe

Malware name: Win32 Subsari

Also found it in Restore:

File name:  System volume Information\_restore {A82FE-8FB-8C08-4C1E-A43}

Win 32 Subsari [trj]

I placed the files in the chest and before I do more harm than good, thought I'd check here to see if my plan will work:

I would turn off system restore.

Delete temporary files - I THINK this means the temporary directory thru' Explorer, or is it just temporary net files?

Schedule a bootscan (archive scanning ON)

See if it's gone. Change all passwords/ private data and main password.

Have I missed anything? Is there something else I should do? I will wait for your words of wisdom before I proceed as I am a little nervous.... I have no idea how I became infected as I'm very careful and use only Opera browser for websurfing, don't open attachments from unknown sources, scan everything before opening and don't click on links in emails..... but it's there! YUK!

I really appreciate your advice. TIA
k

FreewheelinFrank
Re: Subsari Trojan found
« Reply #1 on: November 12, 2007, 07:56:31 PM »
Hi kakapo,

From the location, I suspect it might be a false positive. Can you extract the file from the chest to, say, your desktop, disable the avast! scanner (otherwise avast! will simply stop you doing anything with the file) and send it to VirusTotal.

http://www.virustotal.com/

Please post the results here.

kakapo

Re: Subsari Trojan found
« Reply #2 on: November 12, 2007, 08:06:52 PM »
Hi FreewheelinFrank!

Thank you very much for your rapid reply. SO appreciated.

I suspected it may be a fp too. I am on my uninfected PC right now but will get to the laptop and do as you suggest this afternoon. I will definitely post Virustotal's results here. Thank you.

Happy days to all
k.

Lisandro
Re: Subsari Trojan found
« Reply #3 on: November 12, 2007, 08:36:32 PM »
You did the right thing sending the file to the Chest. First, do no harm: delete is not the first option.
After submitting the file to VirusTotal, just to be cool, you can use AVG Antispyware, SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
The best things in life are free.

brush

Re: Subsari Trojan found
« Reply #4 on: November 13, 2007, 06:17:40 AM »
I am getting a similar result in a 4-year-old program - VeoCreativeStudio.exe
I moved it to quarantine, uninstalled the program, re-installed from the original vendor CD, and Avast caught it again on install.

Submitted to VirusTotal and avast was the only scanner out of 32 to catch what I assume must be a false positive.

Next step??

oldman
Re: Subsari Trojan found
« Reply #5 on: November 13, 2007, 07:20:13 AM »
Submit the file to avast. (virus@avast.com). Email a password protected zip, or submit from the chest, no need to password protect it in a zip.  In either case, include in the message body a brief note explaining why you think it is a false positive and the vps that detected it. If using a zip, also include the password.

Until the detection is corrected you can add it to the exclusion list.

For on demand

right click the "a" icon, select program settings, exclusions, use the add and browse features here.

For on access

Left click the "a" icon, select standard shield, customize button, advanced tab.


Lisandro
Re: Subsari Trojan found
« Reply #6 on: November 13, 2007, 11:59:19 AM »
> Next step??
You can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button...
You can use wildcards like * and ?. But be careful: you should not 'exclude' so many files that you leave your system in danger.
After that, please, periodically check it - scan it in the Chest, right-clicking the file - there should still be a copy in the Chest even though you restored it to the original location. When it is no longer detected as being infected then you can also remove it from the Exclusion list.
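Lisandro's wildcard caution above, as an added example that is not part of this thread or of avast!: a small checker that grades how much of the disk an exclusion pattern takes out of scanning, so a reviewer can spot a pattern that is far wider than the one false positive it was meant to cover. The `*`/`?` semantics (any run of characters including path separators, exactly one character, case-insensitive) are assumptions made for this example, not avast!'s documented rules.

```python
import re

# Assumed wildcard semantics for this example: '*' matches any run of
# characters (including path separators), '?' matches one character, and
# matching is case-insensitive, as Windows paths are.
def wildcard_to_regex(pattern: str) -> re.Pattern:
    parts = []
    for ch in pattern.replace("/", "\\"):
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def matches(pattern: str, path: str) -> bool:
    """True if the exclusion pattern would cover this file path."""
    return wildcard_to_regex(pattern).match(path.replace("/", "\\")) is not None

def exclusion_risk(pattern: str) -> str:
    """Classify how much an exclusion pattern removes from scanning.

    'narrow'    - one specific file, no wildcards (all a false positive needs)
    'broad'     - wildcards inside the path, e.g. every .exe under one folder
    'dangerous' - no directory anchor at all, or every file under a directory
    """
    directory, sep, filename = pattern.replace("/", "\\").rpartition("\\")
    if not sep or filename in ("", "*", "*.*"):
        return "dangerous"
    if any(c in directory or c in filename for c in "*?"):
        return "broad"
    return "narrow"

def audit_exclusions(patterns):
    """Return [(pattern, risk)] so the list can be reviewed before saving it."""
    return [(p, exclusion_risk(p)) for p in patterns]

if __name__ == "__main__":
    # Constructed sample list; the first entry is the file named in this thread.
    sample = [
        r"C:\Program Files\Asus\WLAN Card Utilities\St Monitor.exe",
        r"C:\Program Files\Asus\*.exe",
        r"C:\*",
        "*.exe",
    ]
    for pattern, risk in audit_exclusions(sample):
        print(f"{risk:9s} {pattern}")
```

Only the first entry is what a single false positive calls for; the others would also hide any future malware that lands in the same places.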

kakapo

Re: Subsari Trojan found
« Reply #7 on: November 13, 2007, 09:26:57 PM »
Thank you all. It does seem like a false positive. Many thanks for your input on what to do. Saved me a few grey hairs.
I'm afraid I was unsuccessful at attempting to email the file to avast! from the chest as the file was too big and exceeded the limit. The message said "Sent with errors", which probably isn't much use to them. I couldn't figure out how to do as you suggested oldman, but I'm still trying to work it out. If there's another way and you think they should be informed, please post instructions; otherwise I'll do as you suggest Tech and add it to the exclusions.

Your help is much appreciated.

brush

Re: Subsari Trojan found
« Reply #8 on: November 13, 2007, 10:25:09 PM »
Thanks for the help folks!

I have added to Exclude list in appropriate places.

Avast would not let me email directly either, as it was too large (Freeware avast, maybe). I zipped and sent to avast via Eudora instead. Had to disable (temporarily) avast email scanner to let it get out though (the quick and dirty method).

Sit back and wait now I guess.

DavidR
Re: Subsari Trojan found
« Reply #9 on: November 13, 2007, 11:34:08 PM »
If you had to disable the email scanner then it is unlikely that you zipped and password protected the attachment as avast can't unpack password protected zip files. If it isn't zipped and password protected it might not even get to avast, it could be intercepted by an email server along the route.

There are size limitations for the chest, both in the max size of the chest and of a file that you can send. You can adjust these at Program Settings, Chest.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

kakapo

Re: Subsari Trojan found
« Reply #10 on: November 13, 2007, 11:50:03 PM »
Hmmm......

Thought I had it all figured out......Maybe I do.... I zipped the files and sent them un-passworded to avast by disabling the Outlook scanner. Do you think avast! will get them? Do they acknowledge receipt?  Must be HUGE files as they're taking forever to send but maybe dial-up's slow today. Thank you all for your help. :-*

oldman
Re: Subsari Trojan found
« Reply #11 on: November 14, 2007, 12:06:50 AM »
I don't think they will get through unpassworded. To make a password-protected zip (in WinZip), after you create a new archive and before you add any files to it, click the password button and make a password. Then you can add the files. DavidR explained why the passwording worked.

DavidR
Re: Subsari Trojan found
« Reply #12 on: November 14, 2007, 01:23:28 AM »
I too doubt it will have got through as many email servers also have AV running to kill infected emails, so it could well have the attachment stripped or the email deleted.

avast! don't normally respond unless they need more information, so you wouldn't know if it got through, this I feel is wrong and an auto responder email at the very least should go out.

brush

Re: Subsari Trojan found
« Reply #13 on: November 14, 2007, 01:47:43 AM »
> I too doubt it will have got through as many email servers also have AV running to kill infected emails, so it could well have the attachment stripped or the email deleted.
>
> avast! don't normally respond unless they need more information, so you wouldn't know if it got through, this I feel is wrong and an auto responder email at the very least should go out.

1. True - I did NOT password protect - I did not understand that it was necessary.
2. Disabling the scanner seemed logical (at the time) as I understood that avast looked inside zipped files.
3. As 31 out of 32 scanners did NOT have an issue with the file, I figured it had a reasonable chance of getting through.
4. Related to 3 above - avast is expecting real viruses to be sent to this address, so surely they are going to let it through.
5. If the avast program (Chest) more easily allowed a quarantined file to be emailed directly, this would not be such a convoluted process.

oldman
Re: Subsari Trojan found
« Reply #14 on: November 14, 2007, 01:55:38 AM »
> <snip> I couldn't figure out how to do as you suggested oldman, but I'm still trying to work it out. <snip>


I'd be happy to clarify, just ask.   ;D I try to post things in a way that it makes sense to the person reading it, but I know that doesn't always happen.   ;D  ;D