Help!! Viruses I've never heard of in Windows 2000 are infecting my system!!

trmiv

Lifer
Oct 10, 1999
Today I've been getting a bunch of InoculateIT real-time alerts saying that various files are infected with trojans. The first one I had said that Winnt\system32\dllcache\smss.exe was found to be the Win32.BTC.B Trojan, then it said that winnt\system\dllcache\pinball.exe was found to be the Win32.Hackdream trojan, then there was a third alert, but I didn't write down the file; it was from the dllcache directory as well, though. I can't find any mention of these two viruses on the Internet, and I have no clue what is going on. The virus scanner does not indicate that it cleaned these files, yet repeated scans will not find the viruses again. Could there be some other type of virus that is causing bogus virus reports? Anyone heard of these viruses?
 

TRUMPHENT

Golden Member
Jan 20, 2001
The first place I would check is the anti-virus software manufacturer's website. DOH! Maybe they already have new updates. :D
 

trmiv

Lifer
Oct 10, 1999
DOH! My InoculateIT virus files are up to date; I update them at least once a week, and running the update again says I have the latest files. Not only that, I also tried the online scan at antivirus.com.
 

jaywallen

Golden Member
Sep 24, 2000
Hi, trmiv.

I took a look around, and the closest match I've found is Kaspersky AVP's reference to Trojan.Win32.AntiBTC.B (Notice the "anti" part.), but there are a lot of close-but-no-cigar entries to be found in various sources. Trojan.Win32.Hackdream is also in the Kaspersky database with close matches in other databases. Did you give the exact output for these viruses from InoculateIT? (Are you using the commercial version or the PE / Personal Edition?)

Anyway, you might wish to take a look here at the VGREP resources at the Virus Bulletin site. They have a downloadable, searchable database of current viruses included in the various anti-virus databases, but the info in many online databases is more useful because it gives more than just the names. But, since you may be looking for an alias, the VGREP tool might be the place to start. Unfortunately the tool doesn't have the exact name listings for InoculateIT's database, but I think you can safely assume that these are the same two malicious files referred to above -- or at least close relatives.

I don't understand why you're getting messages about files in the dll cache from the real-time anti-virus module. Are you certain that it's the real-time module that's giving the warning, or is it the so-called "progressive scan" that's giving the warnings? I can see why it would be examining the cache, but not the real-time module. And that would explain the sudden appearance of the warnings. It wouldn't warn you until it happened upon infected files when it finally got to them in the course of scanning through your entire file complement a few files at a time at each boot. Of course that doesn't really explain why files in the cache would be infected. Is WFP turned off on your system?

Sorry if I'm misunderstanding your situation. I'm just trying to figure out what the exact sequence of events and warnings might be because I think that might be important in this case.

I hope you'll let us know what you learn and what happens with your system. This seems like a pretty strange scenario to me.

Regards,
Jim
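One way to sanity-check an alert on a dllcache file, as an added example that is not part of the thread: Windows File Protection keeps the dllcache copy and the live System32 copy byte-identical, so comparing hashes and Authenticode status of each pair separates a scanner false positive (identical, validly signed) from a genuinely modified file. This assumes a Windows build with PowerShell 3 or later (Get-FileHash); the original Windows 2000 box would need a different tool.

```powershell
# Added example, not from the thread. Compare each file in the WFP dllcache with its
# live copy under System32 and report hash mismatches or signature problems.
# Assumes PowerShell 3+ for Get-FileHash; run from an elevated prompt.
param(
    [string]$SystemDir = "$env:SystemRoot\System32",
    [string]$CacheDir  = "$env:SystemRoot\System32\dllcache"
)

function Test-DllCacheIntegrity {
    param([string]$SystemDir, [string]$CacheDir)

    foreach ($cached in Get-ChildItem -Path $CacheDir -File -ErrorAction Stop) {
        $live      = Join-Path $SystemDir $cached.Name
        $cacheHash = (Get-FileHash -Path $cached.FullName -Algorithm SHA256).Hash
        # Catalog-signed OS files only report 'Valid' on PowerShell 5.1+; older
        # versions show them as NotSigned, so treat NotSigned as "check manually".
        $sig = Get-AuthenticodeSignature -FilePath $cached.FullName

        if (Test-Path $live) {
            $liveHash = (Get-FileHash -Path $live -Algorithm SHA256).Hash
            $state = if ($liveHash -eq $cacheHash) { 'match' } else { 'MISMATCH' }
        } else {
            $state = 'cache-only'   # no live copy for WFP to have synced against
        }

        [pscustomobject]@{
            File        = $cached.Name
            State       = $state
            Signature   = $sig.Status          # Valid / NotSigned / HashMismatch ...
            Signer      = $sig.SignerCertificate.Subject
            CacheSHA256 = $cacheHash
        }
    }
}

# A signed, byte-identical pair is far more consistent with a false positive than
# with an infection; anything else deserves a closer look (or a known-good hash lookup).
Test-DllCacheIntegrity -SystemDir $SystemDir -CacheDir $CacheDir |
    Where-Object { $_.State -ne 'match' -or $_.Signature -ne 'Valid' } |
    Format-Table File, State, Signature, Signer -AutoSize
```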
 

trmiv

Lifer
Oct 10, 1999
jaywallen: Thanks a lot for your help; let me go into a bit more detail. I am actually using the Personal Edition of Inoculate, and it was the real-time protection, not the progressive scan, that was giving the alert. The progressive scan was on my F: drive scanning a game directory at bootup yesterday, so it was nowhere near the Winnt folder on my D: drive. Two of the three errors I got while playing Starcraft. I was just sitting there playing, when all of a sudden the game minimizes and there is the Inoculate real-time protection alert. The third alert happened while I was looking for information on the other viruses on the web. So, you can see all the errors happened quite a while after the system had completely booted and the progressive scan was done. Windows File Protection is enabled on the system.

I've since removed InoculateIT from my system, and I'm trying out Panda Antivirus to see if it will find any problems. So far it hasn't found anything scanning the same directory, but I'm going to allow it to do a full system scan while I'm out and about today, and see if it can track anything down.

EDIT: I just uninstalled Panda Antivirus, because the real-time Internet scan it does was really slowing down my browsing. I would click on a link, and it would take a few seconds before anything would happen. Then I shut down Panda and clicked on links, and it would move immediately. Maybe I'll try the new Norton 2002.
 

jaywallen

Golden Member
Sep 24, 2000
Wow! That's really weird! Thank you for posting that data. I've never seen InoculateIT do anything weird like that. It seems like this must have something to do with an interaction between two or more software packages, doesn't it? I've seen NAV and McAfee both do strange stuff like this, but never InoculateIT. Not even with heuristic scanning enabled, the way I always used it.

Please post back to let us know what Panda finds. I really like Panda and use it on client sites, but I use InoculateIT PE on personal stuff. (So far, it's the only anti-virus I've used that's even partially usable under WinXP. And, even then, you can't use the real-time protection. Makes me feel a little exposed, to tell you the truth.)

I'll keep the old fingers crossed!

Regards,
Jim