While installing Alzip (ESTsoft), I received an avast notification that it found W32:Trojan-gen{other} in C:\Windows\is-LJ1CI.exe. I tried to send it to Virus Total both through SSL and normal. It returns a screen saying “0 bytes size received.” Yet the file is 55,808 bytes.
What now? I did send the file to avast through the avast function to do that.
Try copying it to a temporary location, the original in that location might be protected.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
You can go into one of the posts and modify it, leaving <deleted - duplicate> or words to that effect. Doing a modify shouldn’t create a duplicate post; I don’t know what went wrong there. There is also a little icon in the posts, like a piece of paper and a stubby pencil; click that, it is an in-line editor.
I know why avast didn’t alert; usually you didn’t add it to the resident exclusions in the standard shield as in my original post. If you did that, then exactly what did you enter?
I notice that there is a typo in what you have posted here, with a Pipe | and not a colon :
If you right click on the file and select properties, security perhaps you can try taking ownership of it, it may also be a read only file, etc.
I did it exactly as previously described, and I just went back and did a check look again…C:\Suspect_files IS THERE in the list at the bottom.
Yes, that was a typo… it is C:\Suspect_files
Done that already…
Owner is Administrators
On that file, Administrators have all permissions checked except ‘special.’
Users have ‘read & execute’ and ‘read’ checked. (Kind of strange how read is OK’ed there twice)
I gave Users ‘full control’ thinking that might be why the send-it-to-virustotal was failing, but there was no change; exactly the same rejection appears as shown previously.
This is a highly unusual situation and I would appreciate continued help to resolve it.
Is this some highly advanced virus/trojan that has implemented a way to prevent being sent to scanners? Or what. It is totally unbelievable that a file can prevent itself from being transferred to another site.
So your exclusion entry is like this C:\Suspect_files* (you didn’t show it in your reply), the asterisk is important, it is a wild card for all files and/or sub folders in the C:\Suspect_files folder?
The strange thing is a google search for the file name you gave only returns one hit, this topic, and to me that is also suspicious, certainly for a file in the windows folder. I wouldn’t have thought it would be generating random executable file names.
You could try to upload the complete installer file, alzip.exe (6.5MB) to virustotal. I would have downloaded it and tried to upload it, but I’m on dial-up and that would have taken a long time.
Other than that I’m at a loss as to what else to suggest, as I would have thought what had been suggested would get round the problem. I’m just an avast user like yourself.
Arghhh…the window where you put that says to put in the LOCATION! A location is a folder, not a folder + an asterisk.
Cannot correct that right now as I am into a thorough full scan…will be awhile before that finishes. Then I will correct it and try to send the file again.
Whilst it mentions Location you should have seen examples of the use of wild cards (the *) and that is why it was in the original explanation on what to do because the interface isn’t too clear.
That was what was preventing the upload (not having the asterisk), but there were sure no clues during the attempts as to avast being the cause.
Nevertheless the results are below…7 of 32 show a hit; generally Hupigon. No clue where I got this virus from–I am very careful.
Anyone know what the vector is for this?
Strange thing…Virustotal shows no hit by avast, but avast was what alerted me.
Other than getting rid of this file, what else to do?
1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spywares and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
I use Spyware Blaster and Secunia all the time. I will do the other steps.
LATER:
DONE: 1. Disable System Restore and reenable it after step 3.
DONE USING CCLEANER: 2. Clean your temporary files.
===Now running DrWeb CureIT =======
As for 3, next step, I did that earlier (did not discuss it here then). It started; the text-only screen was showing the scan in progress. I left the machine with boot scan running, but when I returned much later, machine was on, screen was black, everything unresponsive to mouse, touchpad, any key. I had to hard kill power (hold button). Coming back up I had the failure to start situation and had to run the ‘do you want to try to repair start up.’ I don’t like severe failures like that.
3. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spywares and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector. (DONE REGULARLY, WILL REPEAT)
This isn’t unusual with VirusTotal as it doesn’t update its avast signatures in real time so the user is likely to have a more up to date version. The main reason for checking with VT is to see what other scanners find, basically to confirm or deny a detection.
The entire contents were:
07/22/2008 12:46
Scan of C:
DrWeb scan is still running…bar is only at about 30% across. Been running well over an hour. Wow is this ever a slow one.
It did find something in a Windows boot CD in the download folder where I stored it, but I’ve never done anything with it. Unfortunately, DrWeb seems to stop and ask whenever it finds something, so I’ll leave it running, but will get up tomorrow and find it has stopped itself at the next thing it finds. I gotta go beddie bye now.
DrWeb completed overnight…8 hours plus!! It found one other thing,
strun_setup.exe; C:\Documents and Settings\useraccount\Downloads\Startup;Archive contains infected objects;Moved.;
I cannot get Superantispyware to complete. After about 8 minutes, it hangs up and just freezes at “C:\Users\useraccount\AppData\Local\Yahoo\Widget Engine\Unzipped\Weather Underground.widget\Weather Underground _ dir.widget\Contents\Weather Underground.js”
The clock keeps running, but it never moves on to another file to scan. Guess I will have to DL MBAM or Spyware Terminator and try them. Never heard of those before.
Have to go to a weekly meeting now. It’s rough having ‘life’ interrupt my save-my-computer effort.
Are you using a laptop? Are the fans working on it?
Your boot log, and consequently the boot scanning, is not working… seems that could have been an overheat.
About SuperAntispyware, the behavior is strange… Can you run it booting in Safe Mode?