Topic: Troj/Bancos-BGA

kardmania (Guest)
Troj/Bancos-BGA
« on: August 17, 2009, 04:50:13 PM »
Avast is not finding this trojan. Any good way to find out if this is a false positive and, if not, the best way to remove the threat without purging Avast?

nmb
Re: Troj/Bancos-BGA
« Reply #1 on: August 17, 2009, 05:00:04 PM »
upload it to virustotal.com (VT) and post the link to the results.

if you want to move the file to avast! chest then do this : virus chest > user files > add files - browse for files > click email to avast! and do a manual update.

alternate method to upload to avast!: zip the file with a password and send the zipped file to virus@avast.com with the password for the zip in the body of the email.

first of all upload the file to VT and post the link here.

edit: didn't avast give any warning saying "Win32:Rootkit-gen" ?
« Last Edit: August 17, 2009, 05:11:41 PM by nmb »

kardmania (Guest)
Re: Troj/Bancos-BGA
« Reply #2 on: August 17, 2009, 05:22:42 PM »
The program that found these issues was sophos anti-rootkit 1.5. Avast boot scan noted "cab archive corrupted", which I have been told means that Avast cannot open the file and does not indicate malware. Not the spots where the problem exists anyway.

nmb
Re: Troj/Bancos-BGA
« Reply #3 on: August 17, 2009, 05:25:36 PM »
Any good way to find out if this is a false positive

submit to virus total and post the link here, please, if you can. also, submit the archive which avast says is corrupted and sophos says is a troj.

kardmania (Guest)
Re: Troj/Bancos-BGA
« Reply #4 on: August 17, 2009, 06:03:55 PM »
not sure if I can capture a screenshot while doing a boot scan but will try and get it next run

These files seem to be designed so that they cannot be uploaded or copied


Sophos Anti-Rootkit Version 1.5.0  (c) 2009 Sophos Plc
Started logging on 8/13/2009 at 22:43:49 PM
User "NF" on computer "PC137019336299"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info:   Starting process scan.
Info:   Starting registry scan.
Info:   Starting disk scan of C: (NTFS).
Hidden:   file C:\adc552d81b1233f485ae0f1a036f\update\update.exe
Hidden:   file C:\adc552d81b1233f485ae0f1a036f\update\updspapi.dll
Hidden:   file C:\Documents and Settings\NF\Temporary Internet Files\Content.IE5\AUNFMXJ9\VGKWT0CA24S9I3CA2ZEJYVCA4MIVTNCAEHZE23CA5RF7IWCAUO9X0ICAPIKW4ECAR2L54ICAR22P4DCALR5HJKCA8O5NLYCAMUF6X7CAYF3H2ECAVFYUTXCAMSZ3G0CAVU4SXMCAW6W6B9CA6GIKV9CADZ7SK1CA59LS7HCAGOAOI9CAVQK4KXCAVBCMK4.txt
Stopped logging on 8/13/2009 at 23:01:27 PM


Sophos Anti-Rootkit Version 1.5.0  (c) 2009 Sophos Plc
Started logging on 8/14/2009 at 8:47:21 AM
User "NF" on computer "PC137019336299"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info:   Starting process scan.
Info:   Starting registry scan.
Stopped logging on 8/14/2009 at 8:47:27 AM


Sophos Anti-Rootkit Version 1.5.0  (c) 2009 Sophos Plc
Started logging on 8/14/2009 at 8:51:22 AM
User "NF" on computer "PC137019336299"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info:   Starting process scan.
Info:   Starting registry scan.
Stopped logging on 8/14/2009 at 8:51:52 AM


Sophos Anti-Rootkit Version 1.5.0  (c) 2009 Sophos Plc
Started logging on 8/14/2009 at 8:53:59 AM
User "NF" on computer "PC137019336299"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info:   Starting process scan.
Info:   Starting registry scan.
Info:   Starting disk scan of C: (NTFS).
Hidden:   file C:\adc552d81b1233f485ae0f1a036f\update\update.exe
Hidden:   file C:\adc552d81b1233f485ae0f1a036f\update\updspapi.dll
Hidden:   file C:\Documents and Settings\NF\Temporary Internet Files\Content.IE5\AUNFMXJ9\VGKWT0CA24S9I3CA2ZEJYVCA4MIVTNCAEHZE23CA5RF7IWCAUO9X0ICAPIKW4ECAR2L54ICAR22P4DCALR5HJKCA8O5NLYCAMUF6X7CAYF3H2ECAVFYUTXCAMSZ3G0CAVU4SXMCAW6W6B9CA6GIKV9CADZ7SK1CA59LS7HCAGOAOI9CAVQK4KXCAVBCMK4.txt
Hidden:   file C:\Documents and Settings\NF\Temporary Internet Files\Content.IE5\B0751NDE\M8C2LLCAWTGL1PCA2KSFD9CAAA7J5RCASEK1OQCA02DYFGCAPWP99GCAMGMB16CAWRM9CWCA6A1CEVCA5ZE84WCAZVSCE9CAC6DXM3CAY7WZMYCAT2P369CA5SEU5DCAW1XK4RCAFGF7G2CA7RDWC8CAGUTQJGCAFAR9D6CAWC08K6CASUTYB6CADXY767.txt
Hidden:   file C:\Documents and Settings\NF\Temporary Internet Files\Content.IE5\AUNFMXJ9\RSERPCCAP8SZ5VCA5I23AMCAMFXQDICAEPJYJ2CAME3IY9CAFYCPRSCAFH0MAWCA2I3AYKCAOX8MVWCAJ42PQDCA30T67TCA4ZMKVACAVJS97QCAXM6PH2CAQ27DJXCAWB4RVCCA8C4CTOCAO0ZLF7CAF88E2OCA35XGM9CAGREMOQCAAHE9HBCA30QI21.txt
Hidden:   file C:\Documents and Settings\NF\Temporary Internet Files\Content.IE5\B0751NDE\D546TACAABO5JBCAB5PXDTCAEPQP8CCABW9VIDCAG2WP93CAMA4U36CA2OLRXPCANL1WU8CABNIN8QCA7HHDZ0CAZVO850CAMPGXTCCAU88328CA1D006ICASR8H6QCALD2UJVCAFE305CCACDDPQCCADNW6GECAQ31WC4CAE34QEWCASSNTUTCAF41RU0.txt
Info:   Starting disk scan of D: (FAT).
Info:   Starting disk scan of G: (FAT).
Stopped logging on 8/14/2009 at 10:00:56 AM


nmb
Re: Troj/Bancos-BGA
« Reply #5 on: August 17, 2009, 06:13:07 PM »
according to the sophos log file, it possibly reports windows update files, which are copied to a temporary folder while installing any update manually.

and, i think, the temporary files are ok.

can you do a scan using hijack this (get it here) and post the log here: use additional options and upload the log file.
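
As an added example (not code from the thread, from Sophos or from avast!), a small Python triage script that reads Sophos Anti-Rootkit logs in the format pasted above, splits them into scan sessions, and sorts the "Hidden:" entries into the two groups this reply judges benign versus everything else. The grouping patterns, the sample log and the PLACEHOLDER path are my own assumptions and constructions, not anything the thread or Sophos defines.

```python
import re

# Constructed sample in the format of the thread's pasted Sophos logs; the last
# path is a placeholder for a hidden file outside the locations discussed there.
SAMPLE_LOG = """Sophos Anti-Rootkit Version 1.5.0  (c) 2009 Sophos Plc
Started logging on 8/14/2009 at 8:47:21 AM
Stopped logging on 8/14/2009 at 8:47:27 AM
Sophos Anti-Rootkit Version 1.5.0  (c) 2009 Sophos Plc
Started logging on 8/14/2009 at 8:53:59 AM
Hidden:   file C:\\adc552d81b1233f485ae0f1a036f\\update\\update.exe
Hidden:   file C:\\adc552d81b1233f485ae0f1a036f\\update\\updspapi.dll
Hidden:   file C:\\Documents and Settings\\NF\\Temporary Internet Files\\Content.IE5\\AUNFMXJ9\\CACHED.txt
Hidden:   file C:\\WINDOWS\\system32\\drivers\\PLACEHOLDER.sys
Stopped logging on 8/14/2009 at 10:00:56 AM
"""

START_RE = re.compile(r"^Started logging on (.+)$")
STOP_RE = re.compile(r"^Stopped logging on (.+)$")
HIDDEN_RE = re.compile(r"^Hidden:\s+file\s+(.+?)\s*$")

# Assumed rules encoding Reply #5: a long hex-named folder with an update\ subfolder
# is Windows Update's manual-install staging area; Content.IE5 is the IE cache.
RULES = (
    ("windows-update-staging", re.compile(r"^[A-Za-z]:\\[0-9a-f]{16,}\\update\\", re.I)),
    ("ie-cache", re.compile(r"\\Temporary Internet Files\\Content\.IE5\\", re.I)),
)

def parse_sessions(log_text):
    """Split a log into sessions: {'started', 'stopped', 'hidden': [paths]}."""
    sessions, cur = [], None
    for line in log_text.splitlines():
        if m := START_RE.match(line):
            cur = {"started": m.group(1), "stopped": None, "hidden": []}
            sessions.append(cur)
        elif (m := STOP_RE.match(line)) and cur is not None:
            cur["stopped"] = m.group(1)
        elif (m := HIDDEN_RE.match(line)) and cur is not None:
            cur["hidden"].append(m.group(1))
    return sessions

def classify(path):
    # First matching group wins; anything no rule explains is left for a human.
    return next((label for label, rx in RULES if rx.search(path)), "review")

def triage(log_text):
    """Bucket every Hidden: path across all sessions; 'review' needs a human look."""
    groups = {**{label: [] for label, _ in RULES}, "review": []}
    for session in parse_sessions(log_text):
        for path in session["hidden"]:
            groups[classify(path)].append(path)
    return groups
```

Aborted sessions like the two 30-second runs in the thread parse as sessions with an empty hidden list, so they do not disturb the counts.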

kardmania (Guest)
Re: Troj/Bancos-BGA
« Reply #6 on: August 17, 2009, 09:00:19 PM »
ran malwarebytes and this is the log on it:

Malwarebytes' Anti-Malware 1.40
Database version: 2641
Windows 5.1.2600 Service Pack 3

8/17/2009 1:49:57 PM
mbam-log-2009-08-17 (13-49-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 197259
Time elapsed: 59 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NF\Desktop\DL\ubsetup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\NF\Desktop\DL\ZonealarmBarSetup_ZN2_tbr_4.1.0.5.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\NF\Desktop\DL\DL June 2009\ubsetup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\NF\Desktop\DL\DL May 2009\ubsetup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\NF\Desktop\DL\July DL\Visioneer\7100.303110.EN.exe (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Online Services\Aol\United States\AOL90\COMPS\ASP\ASPSETUP.EXE (Trojan.BHO) -> Quarantined and deleted successfully.

i will upload a hijack this report after reboot and rescan malwarebytes