Suspicious File

[Drazick]

I double clicked a file which did nothing.
I uploaded it to Virus Total and got this result:
http://www.virustotal.com/analisis/42e02ad59f3decf3d3edc5e8a27babdf

I have no doubt it's a Virus.
Yet Avast didn't find anything.
What do you think? What should I do?
The file can be downloaded for further investigation here:
http://www.sendspace.com/file/nnsrxe

[DavidR]

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic and the VT results link might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Based on the file name (Keygen.Color.Efex.Pro.v3.0.For.Nikon.Capture.NX.2.0.exe), I'm not surprised that it comes with an unwelcome gift.

[raman]

The file drops and installs a BHO dll, which will force you to download a fake AV Programm, if you open the IE

http://www.virustotal.com/analisis/68ba9e99dd43f97c2ab247a8c6929eff

[Drazick]

The file drops and installs a BHO dll, which will force you to download a fake AV Programm, if you open the IE

http://www.virustotal.com/analisis/68ba9e99dd43f97c2ab247a8c6929eff

How can I remove it?
As Avast doesn't recognize it.

[DavidR]

1. send the sample to avast
2. ad a copy to the chest as suggested
3. what is the location of the file, e.g. (C:\windows\system32\infected-file-name.xxx) ?
4. manually delete the original file. If the file is in a system folder, windows, winnt, system or system32 first disable system restore before deletion.
5. post a hijackthis log.

Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis and post the contents of the HJT log file here. - HJT Information HiJackThis Tutorial.

[polonus]

Hi Drazick,

You can download MBAM from here: http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
This anti-malware program is known to remove this for you, run a full scan with it,



polonus

[Drazick]

Hi Drazick,

You can download MBAM from here: http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
This anti-malware program is known to remove this for you, run a full scan with it,



polonus

May I trust Windows Defender for scanning?

[raman]

No, do not use Windows Defender. Please use Davids "way" of cleaning. Not that polonus sugestion is wrong, but Davids is the easier one(IMO).

[wyrmrider]

May I trust windows defender for scanning
good question
If it finds the problem answer is Yes
If it does not answer is no
Windows defender would not hurt
No one scanner including the one Polonus mentions (MBAM) could you always answer that question Yes
Now there are a lot of scam scanners out there where the answer is always NO
But windows defender is NOT a scam product
There is no scanner you can get that is going to give you a 100% result

you can attack this problem either way
HJT first or scanner first
your call
in the end you need to do both (and an on line AV scan) as neither HJT or the scanners will find everything and you might have some other issues that are not obvious

looking for your next posting

[polonus]

Hi Drazick,

Wyrmrider is right here, we are now in the phase of layered av-protection. That means that to get to all the malware that is around one resident av solution and a firewall is not sufficient anymore. We need additional programs like programs that can run next to one resident av solution (you cannot have two because of real problems of interference). But a non resident scanner (always updated to the last version and update) like DrWebCureIt, Stinger.exe, MBAM, SAS are the right cocktail to close the vulnerability gap. Other measures you can take to lessen the risk of getting reinfected is if connected to the Internet go there with normal user rights (malware can do far less harm that way to your system or registry), update all the critical software and patches for your OS (OS, browser, Java, Flash, etc. etc.). Security has not to do with being a geek, but is more about a continuous security attitude, welcome to the forums, and do what wyrmrider instructs you to do,

polonus

[Drazick]

Hi Drazick,

Wyrmrider is right here, we are now in the phase of layered av-protection. That means that to get to all the malware that is around one resident av solution and a firewall is not sufficient anymore. We need additional programs like programs that can run next to one resident av solution (you cannot have two because of real problems of interference). But a non resident scanner (always updated to the last version and update) like DrWebCureIt, Stinger.exe, MBAM, SAS are the right cocktail to close the vulnerability gap. Other measures you can take to lessen the risk of getting reinfected is if connected to the Internet go there with normal user rights (malware can do far less harm that way to your system or registry), update all the critical software and patches for your OS (OS, browser, Java, Flash, etc. etc.). Security has not to do with being a geek, but is more about a continuous security attitude, welcome to the forums, and do what wyrmrider instructs you to do,

polonus

I'm using Vista.
I was ansked by the UAC to allow any Registry change. Does it mean the Trojan has no effect?
As I'm seaching for the entries listed in the "Removal" procedure yet can't find them. Windows Defender says everything is OK.

Very Strange indeed.

[raman]

This maybe prevent you from setting the BHO entrie in the Registry, but the dll should be found in system32.

Due to the missing BHO Entrie the dll is harmless. You can wait till AVASt detects the file and delete it then, or take a look at the system32 folder and search for a dll created at the time you started the exe file. The file should have 21,504 bytes.

If you are unsure what dll to delete, test it at virustotal.com befor deleting it.

[Drazick]

Is this another false alarm?

The Report:
http://www.virustotal.com/analisis/22ff363bb8a18a7ed59efde29ca2bb70

The File Itself:
http://www.sendspace.com/file/msigo7

What do you think?

[DavidR]

When I see 10 detections (avast and gdata grouped together) I tend to think it is a good detection.

However, there are many detections that are either generic, heuristic or non-signature specific (e.g. packers) I would say you should send it to avast for further analysis.

[Lisandro]

What do you think?

That it is NOT a false positive imho.