Topic: Win32 Trojan found


dford3772
Re: Win32 Trojan found
« Reply #15 on: March 29, 2008, 08:47:09 PM »
OK. I cleaned up the C Suspect file, sent those copies to reside in the chest and removed them from the Avast scanning list. I will remove Panda, and I also have PC Doctor for Windows that must have come from a free virus scan also, so it needs to go. My PC is operating fine and I haven't noticed any serious behavior, so I lean toward the false positive too. Do I just leave everything in the chest for a bit and then delete, or what? There are some other .dll files in the chest connected with Win32, but they are not marked as infected and they have been there for months. Just leave all in the chest and maybe run another scan?
Thanks so much for your help,
Donna in AR
Acer Vista desktop, Svc Pack 2 and updates,Avast 6.0.1000
   FF 3.6.15,Chrome 10, Opera 11, and IE8(seldom used)Intel Pentium R
   Dual CPU 222E2180 @2GH, 95GB RAM although has a split HD with useless D.
Toshiba Vista Laptop intel pentium T3400, HP XP desktop athlon 4500(6 years old)

DavidR
Re: Win32 Trojan found
« Reply #16 on: March 29, 2008, 08:50:19 PM »
I have decided this is probably real. I did everything you said, except the : and / could not be typed, so I just called it C Suspect in both places.

The folder name should be Suspect; the : and / are part of the path. As in c:\, c: is the drive and the \ indicates the next bit is a folder, so the full path to the suspect folder is c:\suspect.

I extracted the files and the warning went mad again and I was not allowed to move in any way to the VT upload box.
I tried right clicking and sending to VT--not allowed to move.

You need to ensure that you exclude the suspect folder and its contents so avast doesn't scan them. Add "c:\suspect\*" (copy and paste the text in quotes, but not the quotes) to the avast exclusion lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions

This will stop avast going mad as you call it and allow the files to be uploaded.

I may have inadvertently let the monster loose again. I tried to copy, cut, paste, move; nothing allowed. It may be in my memory now for sure.

No, you haven't. Infected files in isolation (a different location from where they were found), without a registry key to run them, etc., are inert. That is part of the purpose of having the suspect folder: so you don't have to disable avast to be able to extract from the chest and upload to VT from the suspect folder.

I finally got both of the files into VT by opening, and the reading came back 0 bytes. This is driving me to panic, for I feel like this TH is just racing through my machine. What should I do with the useless C Suspect file?

You now know why the file size is 0 bytes: avast blocking it. Another reason for using the suspect 'folder' is that it isn't a file. You can delete the c suspect file.

Whilst this is all a moot point as you have managed to upload the files, it may be of help in the future.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.3.2459 (build 21.3.6164.561) UI 1.0.609/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
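The staging procedure DavidR describes above (a folder, not a file; excluded from on-access scanning; copy out of the chest; upload), written as an added example that is not part of the thread or of avast. The folder path, the checks and the VirusTotal hash-lookup URL form are assumptions for illustration. It catches the two things that went wrong in the thread: a destination that is a file named "c suspect" rather than a folder, and a copy that came out as 0 bytes because the resident scanner blocked the read. It also returns the SHA-256 so the file can be looked up by hash first, which avoids uploading anything at all if someone has already submitted it.

```python
# Added example (not from the thread): stage a suspect file in an excluded
# folder and verify the copy before uploading it. Paths and the lookup URL
# format are assumptions; the sample used by self_check() is constructed.
import hashlib
import shutil
import tempfile
from pathlib import Path

# Folder the reply recommends; it must be excluded in the scanner ("c:\suspect\*").
DEFAULT_SUSPECT_DIR = Path(r"c:\suspect")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks. If the scanner blocks the read outright this raises PermissionError."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_for_virustotal(sample: Path, suspect_dir: Path = DEFAULT_SUSPECT_DIR) -> dict:
    """Copy `sample` into the excluded folder and check the copy is intact."""
    sample = Path(sample)
    # Mistake 1 from the thread: "c suspect" created as a file, not a folder.
    if suspect_dir.exists() and not suspect_dir.is_dir():
        raise NotADirectoryError(
            f"{suspect_dir} is a file, not a folder; an exclusion like "
            f"{suspect_dir}\\* only applies to a folder"
        )
    suspect_dir.mkdir(parents=True, exist_ok=True)

    dest = suspect_dir / sample.name
    shutil.copy2(sample, dest)

    # Mistake 2 from the thread: the resident scanner intercepts the read and
    # what arrives at the other end is 0 bytes.
    src_size, dst_size = sample.stat().st_size, dest.stat().st_size
    if dst_size == 0 and src_size != 0:
        raise RuntimeError(
            f"{dest} is 0 bytes: the on-access scanner blocked the read. "
            f"Add {suspect_dir}\\* to the scanner exclusions and copy again."
        )
    src_hash, dst_hash = sha256_of(sample), sha256_of(dest)
    if src_hash != dst_hash:
        raise RuntimeError(f"copy of {sample.name} does not match the original")

    return {
        "path": str(dest),
        "size": dst_size,
        "sha256": dst_hash,
        # Assumed URL form: VirusTotal can be searched by hash before uploading.
        "lookup_url": f"https://www.virustotal.com/gui/file/{dst_hash}",
    }


def self_check() -> dict:
    """Run the staging flow in a temp folder with a constructed, harmless sample."""
    base = Path(tempfile.mkdtemp(prefix="suspect-demo-"))
    sample = base / "constructed_sample.bin"
    payload = b"MZ\x90\x00 constructed, harmless sample bytes"  # constructed input
    sample.write_bytes(payload)
    info = stage_for_virustotal(sample, base / "suspect")

    # Reproduce the thread's mistake: a *file* called "c suspect" as the target.
    wrong_target = base / "c suspect"
    wrong_target.write_bytes(b"")
    try:
        stage_for_virustotal(sample, wrong_target)
        rejected_file_target = False
    except NotADirectoryError:
        rejected_file_target = True

    return {
        "size_ok": info["size"] == len(payload),
        "hash_ok": info["sha256"] == hashlib.sha256(payload).hexdigest(),
        "rejected_file_target": rejected_file_target,
        "lookup_url": info["lookup_url"],
    }


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    print(stage_for_virustotal(target) if target else self_check())
```

Run it with the path of the file you extracted from the chest; with no argument it exercises the checks on a constructed sample in a temporary folder. The exclusion still has to be added in the scanner itself, as the reply says; the script only tells you when it has not taken effect.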

dford3772
Re: Win32 Trojan found
« Reply #17 on: March 29, 2008, 09:37:51 PM »
So when a problem is found the folder should be created and the files not sent to the chest? Do you agree that the VT results I sent look like a false positive? As you will see in my post to Frank, my machine is working fine, and I asked what to do about the files in the Chest. If it is wait-and-see, then I am OK. All scans are negative for anything.
Thanks a bunch,
Donna in AR

FreewheelinFrank
Re: Win32 Trojan found
« Reply #18 on: March 29, 2008, 09:44:08 PM »
There are some system files backed up in the chest, but you should see those in a separate section.
Bambleweeny 57 sub-meson brain | Don't Surf in the Nude Blog

DavidR
Re: Win32 Trojan found
« Reply #19 on: March 29, 2008, 11:01:03 PM »
I have the folder permanently created (and excluded, as I mentioned), though I have given mine a different name (it can be anything you like), and anything I don't want avast to scan lives in there (some samples/tools that would otherwise be detected by avast). Also, anything suspicious goes in there so it can easily be uploaded to VT.

The only files to be concerned with in the chest are those in the Infected Files section, those that avast detects and you choose to send to the chest. They can do no harm there, so you have done the right thing: 'first do no harm'. Don't delete; send the virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

In a way they are and they aren't false positives. The problem arises because Panda don't encrypt their virus signature files, and avast or any other resident scanner is likely to detect them because they are looking for virus signatures. So in this case it looks like you didn't have any 'monster' running round in your system, just some unencrypted Panda signature files.
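The explanation above, that a signature file which stores its patterns in the clear is itself "detected" by any other byte-pattern scanner, as an added example that is not part of the thread and not code from avast or Panda. It is a toy scanner with a two-entry database; every detection name and byte pattern is constructed for illustration, and the XOR step stands in for whatever a real vendor does to keep raw patterns out of its shipped files. XOR here is not encryption in any security sense (the key is in the program); its only job is to make sure the bytes another scanner looks for never appear verbatim on disk.

```python
# Added example (not from the thread): a toy signature scanner, a signature
# file stored in the clear, and the same file with its bytes obfuscated.
# All names, patterns and the key are constructed; none is a real signature.
import struct
from typing import Dict, List

# Constructed detection names and raw byte patterns (the kind of thing a
# "Win32:..." detection keys on). A real database is far larger and richer.
SIGNATURES: Dict[str, bytes] = {
    "Win32:Constructed-A": b"\x4d\x5a\x90\x00CONSTRUCTED-PAYLOAD-A",
    "Win32:Constructed-B": b"\xe8\x00\x00\x00\x00CONSTRUCTED-PAYLOAD-B",
}

# Not a secret and not cryptography: it only keeps the raw patterns off disk.
OBFUSCATION_KEY = b"constructed-key"


def scan_bytes(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Return the names of every signature whose raw bytes occur in `data`."""
    return [name for name, pattern in signatures.items() if pattern in data]


def build_db(signatures: Dict[str, bytes] = SIGNATURES) -> bytes:
    """Serialise the database with patterns stored verbatim (the unencrypted case).

    Record layout: name, NUL, 2-byte big-endian pattern length, pattern bytes.
    """
    out = bytearray()
    for name, pattern in signatures.items():
        out += name.encode() + b"\x00" + struct.pack(">H", len(pattern)) + pattern
    return bytes(out)


def parse_db(blob: bytes) -> Dict[str, bytes]:
    """Inverse of build_db(); length-prefixing lets patterns contain NUL bytes."""
    sigs: Dict[str, bytes] = {}
    pos = 0
    while pos < len(blob):
        end = blob.index(b"\x00", pos)
        name = blob[pos:end].decode()
        (length,) = struct.unpack_from(">H", blob, end + 1)
        start = end + 3
        sigs[name] = blob[start:start + length]
        pos = start + length
    return sigs


def xor_obfuscate(blob: bytes, key: bytes = OBFUSCATION_KEY) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def load_db(blob: bytes, obfuscated: bool) -> Dict[str, bytes]:
    """What the owning scanner does: undo the obfuscation, then parse."""
    return parse_db(xor_obfuscate(blob) if obfuscated else blob)


def demo() -> dict:
    """Scan a benign file, a constructed sample, and both forms of the database."""
    plain_db = build_db()
    hidden_db = xor_obfuscate(plain_db)
    benign = b"This is an ordinary document with nothing interesting in it."  # constructed
    sample = b"junk" + SIGNATURES["Win32:Constructed-A"] + b"junk"           # constructed
    return {
        "benign": scan_bytes(benign),
        "sample": scan_bytes(sample),
        # Another vendor's scanner walking the plaintext database "finds" every entry.
        "plain_db_scanned": sorted(scan_bytes(plain_db)),
        # The obfuscated database contains none of the raw patterns.
        "obfuscated_db_scanned": scan_bytes(hidden_db),
        # ...but its owner can still load it and scan with it.
        "obfuscated_db_still_loads": load_db(hidden_db, obfuscated=True) == SIGNATURES,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical reading for a user in Donna's position: a detection that points at another security product's data files, with a clean VirusTotal result on everything else and no symptoms, is consistent with exactly this effect. The check that settles it is the one DavidR gives in the thread: isolate the files, leave them in the chest, and rescan later rather than delete on the first alert.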

dford3772
Re: Win32 Trojan found
« Reply #20 on: March 30, 2008, 05:52:13 PM »
My special thanks to David and Frank for your patience and help through the first virus crisis I've experienced with Avast. Avast saved me even with my inexperienced hand on the throttle, and you two pulled me through. David, as far as the mess with the VirusTotal uploader, I think all that little download does is add a "Send to VT" in the pull-down menu. Their directions for its use are pretty sketchy, and actually it is not necessary. I've had a great learning experience!

I've created the folder in C and Modified Standard Shield as recommended so I will be ready if there is a next time.  Considering my previous experiences with Norton, I absolutely rave about Avast.  I would just say that new users should develop a game plan for when Avast does find a problem.  Years ago I had a machine completely disabled by a virus (with Norton) and that makes research impossible.
Thanks again for a great product and great help.
Donna in AR

DavidR
Re: Win32 Trojan found
« Reply #21 on: March 30, 2008, 06:13:26 PM »
You're welcome.

VT does get busy at times, and there is also the option to send it by email; the VTuploader is on that same email instruction page, http://www.virustotal.com/metodos.html. That must have been where you got the bit about VTuploader, which adds an entry to your context menu. Personally, for the number of times you are likely to use it, it isn't worthwhile.

avast 4.8 has a self-protection module which should make things much more difficult for viruses to disable it.