Author Topic: Possible trojan, possible false positive?


ekd

  • Guest
Possible trojan, possible false positive?
« on: September 23, 2011, 09:18:26 PM »
Hello. I hope this is the right forum to ask about this. I've tried searching for the issue but have had no luck finding anything at all on it. Anyway, let me explain what happened from the beginning:

While casually surfing the web I mistakenly typo'd goolge instead of google.ca. A pretty easy mistake I suppose, and one I've made but caught before pressing enter numerous times. Immediately after pressing enter I realized my mistake, but before I could close the page and reopen google avast! gave me an infected-website prompt and said it was blocked. For reference it was "Threat: JS:ScriptIP-inf [Trj]".

This was on Firefox and I also have ABP and NoScript running, so I was fairly confident nothing had infected me. Paranoia got the better of me and I decided to run a full-scan just for the sake of it.

When the scan completed it said the following trojans were found, all with "Threat: Win32:Cycbot-KI [Trj]":

C:\Windows\SysWOW64\kernel32.dll|>[Emul]
C:\Windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.16850_none_efce4eb86fe8ae92\kernel32.dll|>[Emul]
C:\Windows\SysWOW64\kernel32.dll|>[Emul] (same as the first)

The files couldn't be repaired or moved to the chest (not that I think that would be a good idea anyway, given what they are).

Upon finding this, I scanned the files with MBAM and found nothing. I proceeded to manually scan the files with avast! and found nothing. I used the avast! online scanner and still found nothing. I rescanned the entire windows folder with both MBAM and avast! and found nothing.

I did another full scan after this and the same 3 files were detected as threats again. I'm guessing the |>[Emul] is where the problem is, but I have no idea what that even means.

If it helps, I'm on Windows 7 Home 64-bit, avast! version 6.0.1289.

Any help would be appreciated.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37548
  • Not a avast user
Re: Possible trojan, possible false positive?
« Reply #1 on: September 23, 2011, 09:40:40 PM »
Quote
I used the avast! online scanner and still found nothing.
upload the suspicious file(s) to www.virustotal.com and test with 44 malware scanners
when you have the result, copy the url in the address bar and post it here for us to see


alternative
Jotti     http://virusscan.jotti.org/en
VirSCAN   http://virscan.org/
Metascan  http://www.metascan-online.com/
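Before uploading anything, the two flagged kernel32.dll copies can be checked locally. This is an added PowerShell example, not part of Pondus's reply; it uses the exact paths from ekd's scan result and assumes PowerShell 4 or later (for Get-FileHash; Windows 7 shipped with 2.0).

```powershell
# Added example (not from the thread): sanity-check the files avast flagged.
# Paths are the ones reported in the original post.
$flagged = @(
    'C:\Windows\SysWOW64\kernel32.dll',
    'C:\Windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.16850_none_efce4eb86fe8ae92\kernel32.dll'
)

foreach ($path in $flagged) {
    if (-not (Test-Path -Path $path)) {
        Write-Warning "not found: $path"
        continue
    }

    # Get-FileHash needs PowerShell 4+. The SHA256 can be searched on VirusTotal
    # directly, which avoids uploading a system DLL at all.
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash

    # Caveat: many Windows system DLLs are signed through catalog files rather than
    # an embedded signature. On Windows 7 this cmdlet reports those as 'NotSigned',
    # so treat 'NotSigned' as "verify with sfc /scannow", not as proof of tampering.
    # 'HashMismatch' is the status that actually indicates a modified binary.
    $sig = Get-AuthenticodeSignature -FilePath $path

    [pscustomobject]@{
        Path   = $path
        SHA256 = $hash
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
    }
}
```

The 32-bit SysWOW64 copy and the amd64 winsxs copy are different binaries, so their hashes are expected to differ; compare each against VirusTotal rather than against each other.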

Offline Pondus

Re: Possible trojan, possible false positive?
« Reply #2 on: September 23, 2011, 09:57:13 PM »
tried doing the same as you....writing goolge.com, i then get redirected to the real google

testing that wrong google URL with some online scanners i get no detection...

OBS...did you update MBAM before you scanned?
« Last Edit: September 23, 2011, 10:03:32 PM by Pondus »

ekd

  • Guest
Re: Possible trojan, possible false positive?
« Reply #3 on: September 23, 2011, 10:07:22 PM »
Both files have been submitted previously (not by me). Both previous reports had nothing. In both cases I reanalyzed just in case.

https://www.virustotal.com/file-scan/report.html?id=979b96262620ceb59621b3007678af35faafdba34e9dc5c48f5da2cc08ba1d25-1316806761

and

http://www.virustotal.com/file-scan/report.html?id=dac1f31009c755e38dc8f86bfcfb70d06fdf21ff0ff24701520e26988100ff30-1316807508

Looks like they're okay according to this.

ekd

  • Guest
Re: Possible trojan, possible false positive?
« Reply #4 on: September 23, 2011, 10:16:09 PM »
MBAM checks for updates regularly when I open it to scan and should be up to date. My current version is 1.51.2.1300

I'm fairly sure I went to goolge .ca not .com but am unwilling to test it again for obvious reasons. When I look in the web shield log I see the following:

http:// secredir .com/?sov=goolge.ca
http:// www. secredir .com/?sov=goolge.ca

(Note I've added spaces to prevent it from linking).


Also I have just finished another full scan after restarting my computer and nothing was found. Maybe WebShield sandboxed the website and the threats detected were emulated versions stored in memory, and were removed upon restarting? Of course I have no idea how WebShield or sandboxing works so this is just wishful thinking.
« Last Edit: September 23, 2011, 10:19:40 PM by ekd »

Offline Pondus

Re: Possible trojan, possible false positive?
« Reply #5 on: September 23, 2011, 10:21:36 PM »
Quote
MBAM checks for updates regularly when I open it to scan and should be up to date. My current version is 1.51.2.1300
default setting is to alarm if signatures are older than 7 days....you may set it to 1
anyway i always hit the update button before i scan


you can report a False Positive here
http://www.avast.com/en-us/contact-form.php?loadStyles

you may add a link to this topic

if you are still suspicious that you have something?
you can follow this guide and attach the OTL log so essexboy can have a look...
http://forum.avast.com/index.php?topic=53253.0

« Last Edit: September 23, 2011, 10:29:43 PM by Pondus »

ekd

  • Guest
Re: Possible trojan, possible false positive?
« Reply #6 on: September 23, 2011, 10:30:43 PM »
Not too worried anymore and thank you for your help. I haven't noticed any problems yet (and don't expect to) but may be back if any pop up. I'm sure I was just being paranoid, but better too much than too little I suppose.

Thanks for the tips about MBAM, too.

creyl

  • Guest
Re: Possible trojan, possible false positive?
« Reply #7 on: September 24, 2011, 07:47:45 AM »
Hello!
The exact same files showed up when I scanned my computer over the night. I haven't been to any suspicious sites that I know of..
Should I just choose "do nothing"?

johnon

  • Guest
Re: Possible trojan, possible false positive?
« Reply #8 on: September 24, 2011, 10:40:29 AM »
Hi,

Exactly the same here.  Looks like a false positive.

urbanpanda

  • Guest
Re: Possible trojan, possible false positive?
« Reply #9 on: September 24, 2011, 10:44:48 AM »
I recently stumbled upon this problem myself, yesterday.

I've done pretty much everything the topic creator did.

Is anyone able to elaborate more on this subject?

Offline Pondus

Re: Possible trojan, possible false positive?
« Reply #10 on: September 24, 2011, 11:22:56 AM »
follow essexboy's guide here and attach the logs  http://forum.avast.com/index.php?topic=53253.0

lower left corner > additional options > attach
if the logs are too big, upload to http://www.mediafire.com/ and post the download link here


@creyl
@johnon
@urbanpanda

create your own topic and attach the logs in, as helping multiple users in the same topic will be chaotic


trilog3

  • Guest
Re: Possible trojan, possible false positive?
« Reply #11 on: September 24, 2011, 01:08:08 PM »
I have Avast (free) version 6.0.1289 and the OS is 32-bit Vista Home (SP2). With AvastUI I created a custom scan which checks computer operating memory and auto-start programs (all users), and
when I run the custom scan it says win32-cycbot-ki found. I checked my computer with
Avast Full System scan => clean
Avast boot time scan (all drives) => clean
Avast quick scan => clean
Microsoft Security Scanner => clean
F-Secure online scanner 4.2 => clean
When running the custom scan (operating memory & auto-start programs) I had notepad and firefox running (screenshot). If I close all programs then the custom scan says the avastui.exe and svchost.exe processes are infected by win32:cycbot-ki.
I tried Avast 6.0.1289 on another computer with Vista Home 32-bit (SP2) and the custom scan (operating memory & auto-start programs), and the result is that avastui.exe, svchost.exe and scheduler.exe are infected by win32:cycbot-ki. All scans were made with the latest definition versions (23.9.2011 and 24.9.2011).
When I adjusted the sensitivity of the custom scan from normal to quick, there were no alerts, all clean.

Screenshot of scan results
http://postimage.org/image/13yaxpz2c/
« Last Edit: September 24, 2011, 01:12:55 PM by trilog3 »

jock1e

  • Guest
Re: Possible trojan, possible false positive?
« Reply #12 on: September 24, 2011, 01:12:30 PM »
I had the exact same problem last night after I scanned.
Avast managed to delete one of the problems but left the other 2.
Well, that was a mistake as it stopped all of my security programs from running.
I ended up having to do an sfc /scannow, which helped. I restored to a different restore point, which worked. I had to go into safe mode to run System Restore as it did not work in normal mode.
Rebooted and all was working ok again.
To be on the safe side I ran the rest of my security programs and Avast and nothing was found.
Switched off System Restore, then on again, creating a new restore point; this cleaned out all the junk and so far everything is ok.
I will agree it looks like they are all false positives, and if so they caused me quite a few problems.

Offline Pondus

Re: Possible trojan, possible false positive?
« Reply #13 on: September 24, 2011, 02:07:34 PM »
Quote
I have Avast (free) version 6.0.1289 and the OS is 32-bit Vista Home (SP2). With AvastUI I created a custom scan which checks computer operating memory and auto-start programs (all users), and
when I run the custom scan it says win32-cycbot-ki found. I checked my computer with
Avast Full System scan => clean
Avast boot time scan (all drives) => clean
Avast quick scan => clean
Microsoft Security Scanner => clean
F-Secure online scanner 4.2 => clean
When running the custom scan (operating memory & auto-start programs) I had notepad and firefox running (screenshot). If I close all programs then the custom scan says the avastui.exe and svchost.exe processes are infected by win32:cycbot-ki.
I tried Avast 6.0.1289 on another computer with Vista Home 32-bit (SP2) and the custom scan (operating memory & auto-start programs), and the result is that avastui.exe, svchost.exe and scheduler.exe are infected by win32:cycbot-ki. All scans were made with the latest definition versions (23.9.2011 and 24.9.2011).
When I adjusted the sensitivity of the custom scan from normal to quick, there were no alerts, all clean.

Screenshot of scan results
http://postimage.org/image/13yaxpz2c/

DO NOT select scan memory in custom scan settings, as this gives some strange scan results
the forum is full of these cases if you search

use the default quick/full scan with default settings


IMO this setting must be removed from the next avast version, or alternatively have a BIG red warning label. DO NOT use before christmas 2050   ;D

« Last Edit: September 24, 2011, 02:13:10 PM by Pondus »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Possible trojan, possible false positive?
« Reply #14 on: September 24, 2011, 02:14:07 PM »
Quote
C:\Windows\SysWOW64\kernel32.dll|>[Emul]
The emul at the end means emulation, so you are probably running a memory scan