Author Topic: Can't upload from Suspect file without warnings  (Read 13031 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89186
  • No support PMs thanks
Re: Can't upload from Suspect file without warnings
« Reply #15 on: November 26, 2008, 06:42:42 PM »
Here is the C:\Program Files\Acer Game Zone\Backspin Billiards\Launch.exe after submission to VT. It looks deadly!

Again the majority of the detections are Generic or Suspicious (Heuristic), which are more prone to false positive detection.

So the jury is still out.
If you haven't already done so send these to avast for further analysis as possible false positives.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
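
DavidR's weighting above (generic or heuristic hits count for less, a theme shared by several engines counts for more), written out as a small Python triage helper. This is an added example, not code from the thread or from VirusTotal; the engine names and detection strings are constructed, and the marker substrings are an assumption about common vendor naming conventions.

```python
"""Weigh a multi-engine scan result as the thread does: generic/heuristic hits count for less
than named-family hits, and a theme shared by several engines counts for more. Added example;
engine names and detection strings below are constructed, not taken from the thread."""
from collections import Counter
from dataclasses import dataclass

# Assumed vendor naming conventions: these substrings mark a generic/heuristic hit.
GENERIC_MARKERS = ("generic", "suspicious", "heur", "gen.", "agent", "variant")
# Substrings that place a detection under a behavioural theme.
THEME_MARKERS = {"password stealer": ("psw", "pws", "steal"), "keylogger": ("keylog",)}

@dataclass
class Verdict:
    engines: int
    detected: int
    specific: int   # hits naming a concrete family
    generic: int    # generic/heuristic hits
    themes: dict    # theme -> number of engines agreeing on it

def is_generic(name: str) -> bool:
    return any(m in name.lower() for m in GENERIC_MARKERS)

def theme_of(name: str):
    lowered = name.lower()
    return next((t for t, ms in THEME_MARKERS.items() if any(m in lowered for m in ms)), None)

def weigh(results: dict) -> Verdict:
    # results maps engine name -> detection string, or None when the engine saw nothing.
    hits = [n for n in results.values() if n]
    generic = sum(1 for n in hits if is_generic(n))
    themes = Counter(t for n in hits if (t := theme_of(n)))
    return Verdict(len(results), len(hits), len(hits) - generic, generic, dict(themes))

def summarize(v: Verdict) -> str:
    if v.detected == 0:
        return "clean: no engine flagged the file"
    shared = [t for t, n in v.themes.items() if n >= 2]
    if shared:
        return "strong: engines agree on " + ", ".join(shared) + "; treat as infected"
    if v.specific == 0:
        return "weak: only generic/heuristic hits; submit as a possible false positive"
    return "mixed: some named-family hits; submit for analysis and stay cautious"

# Constructed sample: four of six engines flag the file, three of them only generically.
SAMPLE_RESULTS = {
    "EngineA": "Trojan-PSW.Win32.Generic", "EngineB": "Suspicious file",
    "EngineC": "Heuristic.Trojan", "EngineD": "PWS:Win32/Example.A",
    "EngineE": None, "EngineF": None,
}
```

Running `summarize(weigh(SAMPLE_RESULTS))` on the sample reports a strong verdict because two engines agree on the password-stealer theme, even though three of the four hits are generic.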

dford3772

  • Guest
Re: Can't upload from Suspect file without warnings
« Reply #16 on: November 26, 2008, 06:49:57 PM »
Thanks to both of you.  I want to clean out the Suspect files and return them to the Chest;  how do I do that?  I thought I could right click and do it but not so.

Since I've played with these so much I'm going to run another Avast scan on both machines and if I get more files I'll VT them too.  I guess just file in chest and keep scanning to see if still infected?

Offline DavidR
Re: Can't upload from Suspect file without warnings
« Reply #17 on: November 26, 2008, 06:52:39 PM »
Contrary to David, I think the file could indeed be infected.

Where did I say it 'is' a false positive?

Quote from: DavidR
Most of these are generic detections, which are more prone to false positive detection though they all follow the same theme, a password stealer
<snip>
So I would suggest that you don't use on-line banking until this is resolved and then change your passwords.
<snip>

So where in here am I suggesting it isn't infected? I'm urging caution whilst at the same time giving information to be checked about the NSsetup.exe file. Many setup files are detected by generic signatures because of what they do, and we haven't got the full information on where it was located.

Games are notorious for this kind of checking to ensure no hacking but that is speculation as we don't have the full information. So I will let you obtain that and continue with this one.

dford3772
Re: Can't upload from Suspect file without warnings
« Reply #18 on: November 26, 2008, 06:57:03 PM »
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1324\A0171333.exe

I included this path of one of them in an earlier post. Is this the name you are talking about? I guess I get too nervous to do copying and pasting when I'm into a mess like this.
Donna

Offline DavidR
Re: Can't upload from Suspect file without warnings
« Reply #19 on: November 26, 2008, 08:38:57 PM »
Well that file name doesn't match any of the files you uploaded to virustotal.

But as I have said before in another topic, there really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.

Worst case scenario: it isn't infected and you delete it, so you can't use that restore point in the future. Not much of a loss, and the older the restore point is, the less of an issue it is.

So if there is any suspicion about a restore point, then it is best removed from the system volume information folder, or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.

dford3772
Re: Can't upload from Suspect file without warnings
« Reply #20 on: November 26, 2008, 10:41:24 PM »
OK, current scans are coming up empty. All Suspect files are restored to chest. I know that if this is real it may re-infect on bootup. I have mailed all files but one to Alwil but I don't know which one I left off; when might I hear from those and how?

Is there a cleaning regimen I should follow? I'm always very careful and I can't figure where I got this unless from some site I visited. At the least I guess I need to scan on bootup. I don't do online banking but I do order things online so it is worrisome. I guess I just thought I was safe because I've gone for a long time without a problem.
Donna

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Can't upload from Suspect file without warnings
« Reply #21 on: November 26, 2008, 11:20:12 PM »
Quote from: dford3772
Is there a cleaning regimen I should follow?
I suggest:

1. Clean your temporary files.
2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.
6. Disable System Restore and then re-enable it.
7. Immunize your system with SpywareBlaster.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

dford3772
Re: Can't upload from Suspect file without warnings
« Reply #22 on: November 26, 2008, 11:49:43 PM »
I use SuperAntispyware and Ad-aware. When I'm using any of these apps what do I do with Avast--disable it or uninstall?
Thanks for the help,
Donna

Offline Bluesman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 926
  • Amiga Power!
Re: Can't upload from Suspect file without warnings
« Reply #23 on: November 27, 2008, 12:42:56 AM »
Quote from: dford3772
I use SuperAntispyware and Ad-aware. When I'm using any of these apps what do I do with Avast--disable it or uninstall?
Thanks for the help,
Donna

You can run the programs with avast active, you don't need to disable or uninstall avast.
"The blues are the roots, everything else is the fruits" -Willie Dixon

Offline DavidR
Re: Can't upload from Suspect file without warnings
« Reply #24 on: November 27, 2008, 01:25:19 AM »
You don't need to disable, and certainly not uninstall; that would be a game of ping pong I wouldn't like to play.

However, when I run another security scan (not avast) I pause the Standard Shield, not because you have to but because it would effectively cause duplication in scanning: SAS wants to open a file to scan, so avast would also scan that file before allowing SAS to open and scan it. This also reduces the small possibility of a clash, but the main reason is that it will reduce the overall scan duration.

I would get rid of Ad-Aware, it is a waste of hard disk space, and get MBAM as a second on-demand anti-malware to replace it.
MalwareBytes Anti-Malware, on-demand only in the free version: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File As (depending on your browser), and save it to a location where you can find it easily later.

What is your firewall ?

dford3772
Re: Can't upload from Suspect file without warnings
« Reply #25 on: November 28, 2008, 11:02:13 PM »
On both XP and Vista I run the Windows firewall, and then I have a wired Linksys router for boxes and printer and I run its firewall also on each machine.
Thanks for all the help.  I've been gone for a couple of days and simply shut everything down so now I'm going to see if the malware has reappeared.

I had already decided Ad-Aware was a waste of space as all it has ever found for me is cookies. I'll try the MBAM immediately.
Donna

Offline DavidR
Re: Can't upload from Suspect file without warnings
« Reply #26 on: November 28, 2008, 11:39:12 PM »
Well, the Windows firewall has its limitations: XP has no outbound protection; Vista has outbound protection disabled by default, and it is not very user friendly if enabled. Vista Firewall Control: check out this topic for some user-friendly help for the Vista Firewall outbound protection, http://forum.avast.com/index.php?topic=30234.0

Router, hardware firewall: unless it specifically says it provides outbound protection, then it doesn't.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise: user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

dford3772
Re: Can't upload from Suspect file without warnings
« Reply #27 on: November 29, 2008, 02:14:35 AM »
I thought a hardware firewall closed ports but then I'm new to that game anyway.  What firewall would you recommend?  I had and liked Comodo for a long time BUT their version not too long ago became far too complicated and that is when I got into the router as hardware firewall.

Since one of the Acer games was infected, I'd like to remove the Acer Game Zone and all the games that go with it as I have no use for those and need the space.  I've looked online but I can't really figure out if I'd get into serious trouble removing such "crap" as it is so lovingly called.

I installed MBAM and love it! A scan revealed no problems on either machine. I also ran another Avast one and neither machine is showing a problem.
Maybe I'm OK for now.
Donna

Offline DavidR
Re: Can't upload from Suspect file without warnings
« Reply #28 on: November 29, 2008, 02:30:16 AM »
The problem is that downloads initiated by you/your system will be let back into your system, which is why checking for unauthorised outbound connections is important.

- There are many freeware firewalls such as Comodo (care required now it is a suite: don't install the anti-virus element), PCTools Firewall Plus, Jetico, etc.
- Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider only goes as far as Medium protection; if you want more you have to buy the Pro version.

See a forum discussion on free firewalls: http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.

dford3772
Re: Can't upload from Suspect file without warnings
« Reply #29 on: November 29, 2008, 04:40:52 PM »
The links for a software firewall are great! However, I'm lost on this question: I have everything on an ethernet hookup, which I like very much, so can I disable the router firewall and run something like PCTools, keeping the ethernet hookup?
Donna