XP Home with Avast 4.8 Home; Windows Defender in Real-Time protection; updated Microsoft Windows and Spyware Blaster.
Recently I had a couple of intrusions which I thought I had got rid of.
But I have a possible problem that I do not understand. Because I had a virus that opened Internet Explorer in the Windows Firewall, I have been watching it and disallowed just about everything. But in a very short time TWO entries appear which I had not approved. They are identical: Windows Media Format SDK (iexplorer.exe)
Is this normal? If so, what causes the entries to appear?
Sorry… I’m not on XP now to see if I have those entries by default.
Anyway, to be sure you’re clean, I suggest:
Clean your temporary files.
Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
I did the Avast Boot scan and it found a virus in
c:\Recycler\ s-1-5-21- etc (any numbers)\Dc129.exe\Files\initrd.img\imitrd\opt\pavc\usr\lib\libpskavs.so.1.4.3.24
The file is infected with Annihilator-272
However, I was unable to Delete/Move/Chest with Error 42111 - operation not supported for this kind of archive
Same problem with Repair: Error 42060 (file was not repaired)
As I have no idea where this file is (I have no C:\ Recycler, by that name anyway, unless it is the Recycle bin) I don’t know what to do.
I decided to turn off System Restore but have not emptied the Recycle Bin, awaiting your instructions.
Meanwhile, I have been googling for this virus and it appears that it may be connected to Panda. I did use Panda recently. I also used the Online Housecall antivirus and I have discovered that in c:\Docs& Settings\Me\housecall6.6\Quarantine there are 2 entries for Pskavs.dll.bac a00436 (and the second ending in a01056)
I have also analysed online, as you suggested, the HijackThis report and strangely it tells me that Avast is not on (it is!) and that I don’t have a Firewall (I do: Windows’ own).
It seems that you don’t use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses. You can look here for a good anti-virus scanner.
We didn’t detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall. Download and install one or activate windows xp´s own one. In case you got questions or you want us to add the firewall you use to our database, contact us at our forum.
I’m confused now…
The file is inside an archive (.zip, .cab, .img…). It can’t do harm from there. Don’t worry. avast can’t deal with the whole archive and the file is left inside it, harmless.
I don’t think so… it’s in the Recycle Bin, maybe of another user on this computer… how many login names are there on this computer? The administrator and other users or just one, your login? Are you logged in as an administrator?
First it found the same virus again (libpskavs.so.1.4.3.2.4.vir) but this time in the Avast4\data\moved folder.
So: a) it did move the file earlier even if it said that the operation was not supported
and b) this time the virus is no longer Annihilator - 272 but Micro -128
What is going on?
Anyway, I moved it to the Chest, and now need to know what I should do.
10/23/2008 07:01
Scan of all local drives
Scanning aborted
Number of searched folders: 2271
Number of tested files: 46826
Number of infected files: 0
10/23/2008 09:05
Scan of all local drives
File C:\RECYCLER\S-1-5-21-857417043-2124973893-2320036816-1005\Dc129.exe\Files\initrd.img\initrd\opt\pavcl\usr\lib\libPskavs.so.1.4.3.24 is infected by Annihilator-272, Move to chest: Error 42111 {The operation is not supported for this type of archive.}, Delete: Error 42111 {The operation is not supported for this type of archive.}, Delete: Error 42111 {The operation is not supported for this type of archive.}, Move: Error 42111 {The operation is not supported for this type of archive.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
Scanning aborted
Number of searched folders: 5000
Number of tested files: 408553
Number of infected files: 1
10/23/2008 15:14
Scan of all local drives
File C:\Program Files\Alwil Software\Avast4\DATA\moved\libPskavs.so.1.4.3.24.vir is infected by Micro-128, Moved to chest
Number of searched folders: 7776
Number of tested files: 813829
Number of infected files: 1
What option did you select on detection?
If you chose Move/Rename, it does what it says on the tin: it moves the file and tags .vir at the end of the file name.
This shows to me that you didn’t move it to the chest, but used Move/Rename not Move to chest:
The moved folder is a) outside the chest, b) only used if you selected Move/Rename, see image.
Where are you looking (folder and file name) for this change?
If you are using Explorer to look at the chest you won’t see the original file name; this is part of the protection of the chest (file names to the outside world are different and files are encrypted). This effectively stops files being accessed and run from outside the chest.