Just ran A-Squared and it came up with a trojan but I don't think it is

CorCentral

Banned
Feb 11, 2001
I have Kaspersky Internet Security 6.0, Ad-Aware Plus, A-Squared, Spybot and Trend Micro Sys Clean........ and all but A-Squared missed this..........

Is it a false positive or should I delete?

A-Squared found this:
Trojan.Win32.Patched.e (2 files found)

C:\WINNT\$NTupdateRollupPackUninstall$\Winlogon.exe
C:\WINNT\ServicePackFiles\i386\Winlogon.exe


When I search on google, all I find are references to A-Squared finding the file but little info on it.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Try putting it into the multi-analyzer at VirusTotal.com. Just click "browse" at the top and then Send. Survey says...?
 

CorCentral

Banned
Feb 11, 2001
Originally posted by: mechBgon
Try putting it into the multi-analyzer at VirusTotal.com. Just click "browse" at the top and then Send. Survey says...?


DING DING DING! No virus Detected!................. I WIN!
Thanks a lot. That online program is pretty decent.

So why did A-Squared detect this as a virus?
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Maybe it's using heuristics and incorrectly deducing that it's malware, or maybe it's just a "false positive." My Kaspersky antivirus decided that a .DLL file in Adobe Premiere Elements was malware and vindictively deleted it a while back :D WRONG! Fortunately it was simple to recover it from Kaspersky's "backup" area.

It could also be that it really is malware and none of those antivirus companies detect it yet. Someone has to be first... I've been hunting the Internet for new Trojans of a certain type lately, and it's a little distressing to see how less than half of the antivirus vendors are detecting some of the variants :( Kaspersky has their game face on, however, they've ID'ed every single one I've found so far.
 

Medea

Golden Member
Dec 5, 2000
Originally posted by: mechBgon
I've been hunting the Internet for new Trojans of a certain type lately, and it's a little distressing to see how less than half of the antivirus vendors are detecting some of the variants :( Kaspersky has their game face on, however, they've ID'ed every single one I've found so far.

Which trojan, mech?

 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Originally posted by: Medea
Originally posted by: mechBgon
I've been hunting the Internet for new Trojans of a certain type lately, and it's a little distressing to see how less than half of the antivirus vendors are detecting some of the variants :( Kaspersky has their game face on, however, they've ID'ed every single one I've found so far.

Which trojan, mech?
The Zlob family, such as VCodec, eMcodec, iCodec, etc. They seem to be making lots of variants of them to evade signature detections. Kaspersky VirusWatch search for "Zlob", they nabbed 7 variants just yesterday alone :Q I have a list of about 30 antivirus vendors that I send the samples to; hopefully it does some good.
 

Medea

Golden Member
Dec 5, 2000
Yeah. The variants keep coming. :| The most recent one I've seen is one from a few days ago - Quality Codec:

O2 - BHO: (no name) - {2810fba5-55ec-4bee-8263-0e2fa5883768} - C:\Program Files\QualityCodec\isaddon.dll
O2 - BHO: (no name) - {192c5b4a-3efd-40c7-9f99-c472deb8efc0} - C:\Program Files\QualityCodec\isaddon.dll
O3 - Toolbar: Protection Bar - {bf1ced2c-4b3f-4079-a330-864eda5a4cff} - C:\Program Files\QualityCodec\iesplugin.dll
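As an added example (not code from the thread or from any of the posters), a small Python parser for HijackThis O2/O3 lines like the ones quoted above; it flags the traits these fake-codec entries show: an unnamed BHO, one DLL registered under more than one CLSID, and an install directory named after a "codec". The fourth sample line is a constructed, hypothetical benign entry.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three HijackThis entries quoted in the thread, plus a
# hypothetical benign-looking entry so the filter has something to let through.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {2810fba5-55ec-4bee-8263-0e2fa5883768} - C:\\Program Files\\QualityCodec\\isaddon.dll
O2 - BHO: (no name) - {192c5b4a-3efd-40c7-9f99-c472deb8efc0} - C:\\Program Files\\QualityCodec\\isaddon.dll
O3 - Toolbar: Protection Bar - {bf1ced2c-4b3f-4079-a330-864eda5a4cff} - C:\\Program Files\\QualityCodec\\iesplugin.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
"""

# O2 (BHO) and O3 (toolbar) lines share one shape: section - kind: name - {CLSID} - path
ENTRY_RE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.+?) - "
    r"\{(?P<clsid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\} - (?P<path>.+)$"
)


@dataclass(frozen=True)
class Entry:
    section: str
    kind: str
    name: str
    clsid: str
    path: str


def parse_hjt(text):
    """Return the O2/O3 entries in a HijackThis log; lines from other sections are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


def suspicious(entries):
    """Pair each entry with the fake-codec traits it shows; entries with none are dropped."""
    clsids_per_dll = {}
    for e in entries:
        clsids_per_dll.setdefault(e.path.lower(), set()).add(e.clsid.lower())
    flagged = []
    for e in entries:
        reasons = []
        if e.name == "(no name)":
            reasons.append("unnamed BHO/toolbar")
        if len(clsids_per_dll[e.path.lower()]) > 1:
            reasons.append("same DLL registered under more than one CLSID")
        if "codec" in e.path.lower().rsplit("\\", 1)[0]:  # directory part only
            reasons.append("installed under a 'codec' directory")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in suspicious(parse_hjt(SAMPLE_LOG)):
        print(f"{entry.section} {entry.clsid} {entry.path}: {', '.join(reasons)}")
```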
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Originally posted by: Medea
Yeah. The variants keep coming. :| The most recent one I've seen is one from a few days ago - Quality Codec:

O2 - BHO: (no name) - {2810fba5-55ec-4bee-8263-0e2fa5883768} - C:\Program Files\QualityCodec\isaddon.dll
O2 - BHO: (no name) - {192c5b4a-3efd-40c7-9f99-c472deb8efc0} - C:\Program Files\QualityCodec\isaddon.dll
O3 - Toolbar: Protection Bar - {bf1ced2c-4b3f-4079-a330-864eda5a4cff} - C:\Program Files\QualityCodec\iesplugin.dll
I'm trying to figure out what sites link to these fake-codec ones, or how traffic gets sent there, since not many people are going to go there just by themselves.

 

CorCentral

Banned
Feb 11, 2001
Now this is weird.

When I logged onto internet a few minutes ago, instead of my Homepage coming up, I get this page from my ISP
SPAM ALERT ?

Is this just a fluke? I hardly use my email. What do you guys recommend? I really don't think my computer is sending Spam.

edit-- I logged off and then back on to see if it would happen again and it doesn't. My regular homepage comes up.


 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Originally posted by: CorCentral
Now this is weird.

When I logged onto internet a few minutes ago, instead of my Homepage coming up, I get this page from my ISP
SPAM ALERT ?

Is this just a fluke? I hardly use my email. What do you guys recommend? I really don't think my computer is sending Spam.

edit-- I logged off and then back on to see if it would happen again and it doesn't. My regular homepage comes up.
If your compie is infected with a spambot, that could explain a lot. But don't take this alert page at face value yet, or click the links. More to come in a minute here...


OK, to start with, is this BLTV outfit your ISP?
 

CorCentral

Banned
Feb 11, 2001
Yes. They provide tv, telephone and internet services.
Just ran AdawarePlus, Kaspersky, A-squared and Spybot with no problems found.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
If you haven't already done so, you might want to scoot all of Kaspersky's settings to maximum. Here's a rundown of what I'd use:

1) in Settings, click Protection and mark the checkbox for Potentially dangerous software: remote access utilities, prank programs, jokes

2) in Protection > File Antivirus, move the slider to High and set the action to Block access so it takes autonomous action if it detects malware.

3) in Protection > Mail Antivirus, again set the slider to High, Block Access, and make sure both checkboxes are enabled under Connectivity.

4) in Protection > Web Antivirus, set the slider to High, Block, and enable both checkboxes in Connectivity.

5) in Protection > Proactive Defense, enable everything but Application Integrity Control. Within the Application Activity Analyzer > Settings, ensure that rootkit detection is enabled.

6) going down to Scan, scoot the slider to High, then set it to Do not prompt for action so it takes autonomous action. Now hit the APPLY button to apply these settings to the sub-tasks within Scan.

7) go into each sub-task within Scan (Critical Areas, My Computer, Startup Objects), and for each one, hit the Customize button, go to the Advanced tab on the panel, and DISABLE iChecker and iSwift for each of these three scan types. This ensures that every file gets re-scanned EVERY time.


Now do an update and fire off a Scan My Computer using these new draconian settings :evil: I'd also try F-Secure's BlackLight beta rootkit detector too.
 

CorCentral

Banned
Feb 11, 2001
Ok, scan is running. The first time I hit the reply button here, that Spam Alert page came up again.
 

CorCentral

Banned
Feb 11, 2001
Ok, I just had this popup from Kaspersky at about 31% scanned....
Proactive Defense info
Detected Registry access:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Policies\SYSTEM
Running process (PID:236):
C:\WINNT\system32\services.exe

Process is trying to gain write access to system security settings
Allow or Deny?
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Originally posted by: CorCentral
Ok, I just had this popup from Kaspersky at about 31% scanned....
Proactive Defense info
Detected Registry access:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Policies\SYSTEM
Running process (PID:236):
C:\WINNT\system32\services.exe

Process is trying to gain write access to system security settings
Allow or Deny?
Interesting! I'd do deny until I was sure what was up.

Speculation: it could be the new XML patch that Microsoft released just in the last hour, trying to auto-install itself, if you have the Automagic Updates feature turned on.

update: I just allowed my WinXP system to install the XML patch and it did not trigger KAV's Proactive Defense like that. So I'd stick with deny for now.
 

CorCentral

Banned
Feb 11, 2001
So if I deny this, nothing will screw up and I can always get it back?

Scan at 70% and all is well.

Edit: I denied it.

I don't have automatic updates on because of dial-up. When I'm on the internet, I don't want it lagging. I'm pretty good at manually updating everything though ;)
 

CorCentral

Banned
Feb 11, 2001
No Threats Detected.
Should I leave the settings you had me change the way they are? Or change them back?
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
If there's a possibility that there's malware and it just hasn't been ID'ed yet, then the maxed-out settings might help flush it out sooner and deal with it better. Especially the autonomous actions (instead of it waiting for a human decision). I use those settings all the time myself. Your new rig is pretty fast, right? so it shouldn't be too much of an impact.

 

CorCentral

Banned
Feb 11, 2001
It's plenty fast and even faster now that I got rid of Norton a few days back. I've noticed Windows now boots a little faster.

I'm going to go and download the newest F-Secure Blacklight and post back with the results. I've run this in the past (a week or so ago) but I'll run it again......

Edit: Just downloaded and ran BlackLight's rootkit eliminator and it came up clean.

So what's next? I suppose I'll call my ISP now and see what they say.
 

Medea

Golden Member
Dec 5, 2000
mech -

I just recently purchased Kaspersky's Suite, so I'm still unfamiliar with some of its settings.

Thanks for posting the suggestions. :thumbsup:
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Sure thing :thumbsup: I don't like Kaspersky's logic regarding iSwift/iChecker. If a file is malicious, but gets scanned with virus defs that don't see it as malicious, then it's home free as long as it doesn't get accessed afterwards. I want it detected ANYWAY.

Sure, the scans take a lot longer when it always scans everything, always peels open all the compressed files, etc... well heck, that's what dual-core and fast HDDs are for, right? :evil:

I don't know about you guys, but I do find the Proactive Defense a little bothersome sometimes. But I guess we can't have our cake and eat it too.
 

CorCentral

Banned
Feb 11, 2001
Good news.........


Just got a callback from tech support

Told him I ran BitDefender (the program he wanted me to run/came up clean) and he puts me on hold for a min........... And this is the conversation:
So you're on dial-up?
I say yes.
How many times have you got the message? 3-4x today
He says they've been getting a lot of spam lately and it's most likely because I connect a lot during the day after someone else logged off and it looks like I'm sending the spam.
He says just to ignore the message since I have total internet access and email with no problems.

So "mechBgon", you were right in your assumption about this!
I really thank you for your time in helping me with this situation :beer:

I may take you up on the SP cd stuff for win2000 in the Spring of next year since I may just start Win2000 on a new hard drive then. I'll even add Bonus $ for the time you spent on this problem.

Thanks again Pilgrim.