AVAST 5 detects "AGAIN" possible outbreak !!?

Hello,

Again Avast suspects several “RunXX.exe” files in the Roaming/Microsoft/ dir of being infected with the so-called “Win32:EggDrop-CG” !!

AppData\Roaming\Microsoft\Run83.exe [L] Win32:EggDrop-CG [Trj] (0)

I noticed a few RunXX.exe files where the XX stands for digits like Run83, Run34 and so on !!!

Now, Avast doesn't suspect all those RunXX.exe files as possible threats, only a few!! Which is why I am baffled !?

Baffled, because to me those RunXX.exe files look like they don't belong there and should all be removed!! But since I don't find any information at all on the net about what those files actually are and what they do, I guess I can't ditch them without compromising the stability of my system !? But then again, if those files had anything to do with Microsoft I should have found some info :-\ !!

I am more and more convinced it would be wise to delete them, or they might be False Positives AGAIN >:(!!

So, is there anyone out there with similar RunXX.exe files on a Windows 7 x64 system ?

Thanks in advance,
michel,

Well, in this case Malwarebytes would not help you at the moment because it missed detecting this sample of Zbot (or the same Trojan EggDrop), so try to scan your computer using Hitman Pro and let it remove everything it finds (during removal you can enable the 30-day trial key).

http://www.surfright.nl/en/downloads/

Avast team! Please improve your detection…

Hope the false alarm will improve.

Update to my previous post:

It's dangerous enough from the looks of these scan reports :

https://www.virustotal.com/analisis/d75eb1911f3024796a686788ac8f34f089b2eecb19f19c4fc61262e656bb9396-1266446983

http://virusscan.jotti.org/en-gb/scanresult/039c676aa2293bcb72eef22b9fab9b64179698da

But then again nothing from highly praised AV programs like Kaspersky or Bitdefender ???

I know of Hitman Pro. I have used it in the past, but it wasn't very helpful back then and I don't like it… because of the cumbersome installs of many “Shareware” programs it isn't very thorough or helpful until you buy the shitware >:(

sorry

@Omid Farhang

Well, against better judgement I have followed your advice and downloaded Hitman Pro (64-bit) since my OS is 64-bit initially

And like I thought, it detected the very same 2 RunXX.exe files that Avast 5 detected previously, nothing more nothing less ???

The thing is, it's not the first time Avast suspects a “RunXX.exe” file from that same location :-\ !!

Which means 2 things: either it's a False Positive or the other RunXX.exe files slip through the security of Avast and several other anti-whatever programs I have installed as well now !!!

thanks though for your insight,

michel

You should not have any exe files in that location - I believe Avast is right, the others may be as yet undetected variants

@EssexBoy,

I am more and more convinced of that too mate!!!

I have decided to make a backup of my system, and start with operation WipeOut ;D

Those Run.exe's don't belong there for 2 reasons.

  1. I know exactly which processes should run and are to be trusted in the background from day one that I installed Win7

  2. I find NOTHING, NADA, ZIP about those Run.exe files on Microsoft's site as well ::) !!

my regards,
michel,

@kabster:

Please try to scan the undetected Runxx.exe files at www.virustotal.com too and post the link to the result here, I’m curious about them! ;)
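Two checks that follow from the advice in this thread (an exe under %AppData%\Roaming\Microsoft is out of place, and each undetected RunXX.exe should be looked up by hash on VirusTotal) can be done in one PowerShell script. This is an added example, not code posted by anyone in the thread; it assumes Windows PowerShell 4.0 or later (for `Get-FileHash` and `-File`) and the function names `Get-AppDataExecutables` and `Get-ProcessesRunningFromProfile` are my own.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 4.0 or later
# on a Windows 7 x64 (or newer) system.

function Get-AppDataExecutables {
    # Folder the thread's detections point at: %APPDATA% resolves to ...\AppData\Roaming
    param([string]$Root = (Join-Path $env:APPDATA 'Microsoft'))

    Get-ChildItem -Path $Root -Recurse -File -Include *.exe,*.dll,*.scr -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [PSCustomObject]@{
                Path    = $_.FullName
                SizeKB  = [math]::Round($_.Length / 1KB, 1)
                Created = $_.CreationTime
                # 'Valid' only for a correctly embedded-signed file, 'NotSigned' for the rest
                Signed  = $sig.Status
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                # Paste this into VirusTotal's search box: it indexes submitted files by SHA-256,
                # so an existing report can be found without uploading the file again
                SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Get-ProcessesRunningFromProfile {
    # Running processes whose image sits anywhere under the user's AppData folders;
    # legitimate software rarely executes from there, so each hit deserves a look
    $roots = @($env:APPDATA, $env:LOCALAPPDATA)
    Get-Process | Where-Object { $_.Path } | Where-Object {
        $imagePath = $_.Path
        ($roots | Where-Object { $imagePath -like "$_\*" }).Count -gt 0
    } | Select-Object Id, ProcessName, Path
}

Get-AppDataExecutables        | Format-Table -AutoSize
Get-ProcessesRunningFromProfile | Format-Table -AutoSize
```

Run it from an elevated prompt so `Get-Process` can read the image path of every process. A file that is both unsigned and freshly created is the usual candidate for a VirusTotal lookup, but `Signed = NotSigned` on its own is not proof of anything: plenty of legitimate installers drop unsigned helpers, and older PowerShell versions do not check catalog signatures.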

Hi Kabster,

Also take this information into account in your decisions on this:
http://www.tallemu.com/oasis2/file/dritek_system_inc_/x64commander/runxx_exe/838067
and part of the Acer laptop driver:
http://www.torrentz.com/66a99e929d2d209c15c19499f46a9dd276132335
If malware, it can be an svchost-related rootkit; ask our friend essexboy to investigate,
so if it is not vital for your OS, remove it,

greetings,

polonus

Hi polonus

According to what Tallemu says, it must be under %ProgramFiles%\Launch Manager\ but kabster says he found the files in %AppData%\Roaming\Microsoft,
so in my eyes those files are very suspicious (because today I’ve discovered some undetected variants of EggDrop and reported them).

@Omid Farhang,

Yes, the malcreants probably tried to have that driver go “under the detection radar” so to speak, as runXX is also part of Windows Hardware Quality Labs (WHQL), a Microsoft procedure for certifying that a driver works as expected with the MS Windows operating system, so they go to great lengths (30-day validation and e-mail of the results by MS) to validate their miscreation, and who then would flag it when it is MS-accredited driver software :D
Searching further on this makes your neck hairs stand up quite a bit; it sure is rather suspicious and, as you rightly say, the location where it was found as well,

pol

Done that, just forgot to mention them in my last posts… And the reports on the files aren't consistent, to say the least !!

This is what I got for Run31.exe, a world of difference compared to the Run83.exe I showed a log file from in my previous posts earlier:

https://www.virustotal.com/analisis/efc128cb2e076bab6b153edb5cc9146c04d2b807b42655cd292601ab0d850a43-1266449924

“only 1”

and

http://virusscan.jotti.org/en-gb/scanresult/06779c907f88a7ae8e10e46bdd05f50641f5627a

None found through Jotti! But then again, “Symantec” isn't included in Jotti's list of scanners!!

And again, Run41.exe now:

https://www.virustotal.com/analisis/f4e669c8186736de79c6ff0b8d3741c3637d5d07e07b39a37234f2fd566719ca-1266450632

And again detected by “Symantec” and as result = suspicious-insight

Needless to say, Jotti didn't find anything !!

And the same here :

https://www.virustotal.com/analisis/efc128cb2e076bab6b153edb5cc9146c04d2b807b42655cd292601ab0d850a43-1266450877

One important note about this file !!! Even though VirusTotal found only 1 possible hit on that file, a while ago I saw this file running as a process in the background on my system :o

The only way to end and stop that Run64.exe process was to shut down = restart my system. After the restart it was gone from the list of running processes !!??

I don't have any of those products installed nor the locations where the files could be !

As for the second link !! Don't know what to think of it lol… But since I don't work on a laptop I think that doesn't apply to my situation !>?

But you mentioned the SVCHOST.EXE process :o !! Is it possible one or more SVCHOST files shouldn't be running in the background and are therefore the cause of those other RunXX.exe files slipping through into my system right onto my hard drive ???

An OS does run several trusted SVCHOST.exe processes. Now, how on earth could such a well-protected process be tampered with from outside !?

I mean, Windows Defender 64-bit is continuously updated on top of the UAC protection and so on ???

Man, I am glad they finally made a freeware Sandboxie for 64-bit OS systems !!

smell of sprouts,

michel

Hi there kabster,

Download this here: http://www.microsoft.com/technet/sysinternals/utilities/psservice.mspx

A simple batch file that I created uses the SysInternals PSSERVICE program to get a list of the services and open it in Notepad. Nothing fancy, but it saves time when diagnosing.

This file can be found here: http://www.bleepingcomputer.com/files/getservices.php

How to do this, all the info and the above, is here: http://www.bleepingcomputer.com/tutorials/tutorial83.html

This is to get at the malware that is started as HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost
under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename\Parameters\ServiceDll

Just explore this, “just a matter of grabbing the malware by the tail”,

polonus
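The two registry locations polonus points at (the svchost group list under Software\Microsoft\Windows NT\CurrentVersion\Svchost, the key name is "Windows NT" with a space, and each service's Parameters\ServiceDll) can be walked directly with PowerShell, which shows the same thing the PSSERVICE batch file does but also resolves every hosted DLL to a file on disk. This is an added example, not code from the thread or from BleepingComputer; it assumes Windows PowerShell 3.0 or later and the function name `Get-SvchostServiceDll` is my own.

```powershell
# Added example, not from the thread. Walks every svchost.exe service group and resolves
# the DLL each hosted service loads, flagging DLLs outside %SystemRoot% or missing on disk.
# Assumes Windows PowerShell 3.0 or later; run elevated for full registry access.

$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# properties Get-ItemProperty adds to every result that are not registry values
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SvchostServiceDll {
    $groups = Get-ItemProperty -Path $svchostKey
    foreach ($prop in $groups.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        # each group value is a REG_MULTI_SZ list of service names hosted by one svchost.exe
        foreach ($svc in @($prop.Value)) {
            $dll = $null
            $paramsKey = Join-Path $servicesKey "$svc\Parameters"
            if (Test-Path $paramsKey) {
                $dll = (Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue).ServiceDll
            }
            if (-not $dll) {
                # a few services keep ServiceDll directly on the service key instead
                $dll = (Get-ItemProperty -Path (Join-Path $servicesKey $svc) -ErrorAction SilentlyContinue).ServiceDll
            }
            $expanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { '' }
            $exists   = ($expanded -ne '') -and (Test-Path -LiteralPath $expanded)
            $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $expanded).Status } else { 'n/a' }
            $inSystemRoot = $expanded -like "$env:SystemRoot\*"

            [PSCustomObject]@{
                Group      = $prop.Name
                Service    = $svc
                ServiceDll = $expanded
                Exists     = $exists
                Signature  = $sigStatus
                # a DLL that svchost would load from outside the Windows folder, or that is
                # registered but not on disk, is what to look at first
                Suspicious = ($expanded -ne '') -and ((-not $inSystemRoot) -or (-not $exists))
            }
        }
    }
}

Get-SvchostServiceDll | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Services listed in a group but with no key under Services simply are not installed and show an empty ServiceDll. The Signature column is supplementary only: most Microsoft system DLLs are catalog-signed rather than embedded-signed, so `Get-AuthenticodeSignature` reports `NotSigned` for them on older PowerShell versions, which is why the Suspicious flag is based on location and existence rather than on the signature.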

This is getting better ???

Avast 5 doesn't suspect anything wrong while doing an on-demand scan on the remaining RunXX.exe files.

But while Sandboxie is running on my system it suddenly detects the RunXX.exe files as :

DefaultBox\user\current\AppData\Local\Temp\CCryp122.exe [L] Win32:Malware-gen (0)
File was successfully deleted…

and

DefaultBox\user\current\AppData\Local\Temp\Crypted.exe [L] Win32:IRCBot-BSX [Wrm] (0)

How does this fit into anything !??? Either it's a possible threat or it isn't, wtf ??? ??? ???

Oh well, here goes then ::) …!

I’ll keep you posted about my progress… Later :P

smell of sprouts,

michel

@pol,

Ermmm… I have generated the required list using the batch file and the included SWSC application !

Now, the weird part is I could only retrieve any system info through Notepad by running the batch NOT as administrator !??

So, I don't know if you will get everything listed !?

Running as administrator gives me a “SWSC application not recognized as internal or external command” error message :o !!

What about that!! Maybe it's because I am already working in an environment as administrator automatically because of my user profile !?

Now, what am I supposed to do with the utility from the first link ?

michel,

@pol

Here you are, either a portion of my system or the entire mumbo jumbo (dunno) listed in a txt file !

(The txt file with that little bit of info is all I can provide you so far :P)

Greetings

michel

That having been said ! I want to point out, I was running Avast 5 outside Sandboxie folks.

And AVAST 5 ONLY detected threats while using the suspicious remaining RunXX.exe files through Sandboxie !!

Have DELETED EVERY RUN.EXE app in the meantime !

michel;

Try to use a boot-time scan on your PC using Avast.

Good luck and God bless…