ircbot-cjk?

I did a standard scan today and it detected ircbot-cjk in the recycling folder, so I sent it to the chest. But how would I verify if it is the genuine thing or just a false positive? I was going to run it through VirusTotal, but how would I do that without triggering its effects by moving it outside the chest area?

Its file name has dc52.zip and it has photobucket in its file name.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect.

Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder.

You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

VirusTotal so far has it to be confirmed by all scanners, what should I do?

It seems to be a very dangerous file, yet the scan only found that one file. Could it be that the file was on my system but wasn’t run?

It also appears it was only found in my old Symantec s-protect folder.

My firewall has not displayed that the file is trying to access the internet or is asking for permission, which it would need to in order to transmit data. Is this right?

Does the file need to be run for it to begin infecting things?

VirusTotal so far has it to be confirmed by all scanners, what should I do?

What do you mean by this, none of the scanners detect it, it hasn’t finished scanning it, what?

That was why I asked for the location. It could be something previously detected and put in the s-protect folder (I know nothing of the workings of Symantec products), then it is unlikely to pose a great risk. Files have to be run to present a problem; otherwise it is dormant on your system, as in its original location or the C:\Suspect folder you exported it from the chest to upload.

If you haven’t got any Symantec product then you should investigate the clearing and deletion of the s-protect folder.

I meant that most of the scanners on VirusTotal have detected it as being malware, sorry, I should have been clearer.

I think the s-protect folder is where it stores deleted files in case you want to recover them at a later date, so when I deleted the original file Norton SystemWorks remembered it for restoring should I find I deleted it by accident etc. So it would appear I haven’t run it, as it was in a hidden folder made by Symantec, and all checks of the registry don’t appear to show any traces of the malware had it run (I’m not 100% sure though).

Some names it was picked up as are:

mal/hckpk-A
backdoorIrc.irc.tiny
w32.ircbot

Which confirms avast’s detection as good.

Whilst the s-protect might be a protected recycle bin, it may well be as you say that this was previously detected and deleted and ended up in the s-protect folder. What probably surprises me is that avast was able to scan inside what should effectively be a protected area, which doesn’t speak well of Symantec.

If those malware names relate to registry entries, check that the actual file name doesn’t exist on your system. It is best not to simply mention a malware name in isolation, it should go with any file name and location. In combination it is more useful when you are searching for information.
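One way to carry out the check suggested above, as an added example that is not part of the original thread: hash the exported copy by reading its bytes (reading a file does not run it), then look for other copies on disk by content or by name. The function names, the name hints (taken from the file name mentioned earlier in the thread) and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk_size=1 << 20):
    """Hash a file by reading its bytes; reading never executes the file."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_copies(root, known_sha256, name_hints):
    """Return sorted (path, reason) pairs for files matching the hash or a name hint."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                same_bytes = sha256_of(path) == known_sha256
            except OSError:
                # Locked or unreadable file: cannot hash it, fall back to the name check.
                same_bytes = False
            if same_bytes:
                hits.append((path, "hash"))
            elif any(hint in name.lower() for hint in name_hints):
                hits.append((path, "name"))
    return sorted(hits)

def demo():
    """Constructed sample tree: harmless byte strings stand in for the real sample."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Suspect"))
        os.makedirs(os.path.join(root, "old", "backup"))
        sample = os.path.join(root, "Suspect", "exported_sample.zip")
        with open(sample, "wb") as handle:
            handle.write(b"constructed stand-in bytes, not malware")
        # Same bytes under another name, plus a different file with a hinted name.
        with open(os.path.join(root, "old", "backup", "renamed.dat"), "wb") as handle:
            handle.write(b"constructed stand-in bytes, not malware")
        with open(os.path.join(root, "old", "photobucket_dc52.zip"), "wb") as handle:
            handle.write(b"different constructed bytes")
        known = sha256_of(sample)
        hits = find_copies(os.path.join(root, "old"), known, ["dc52", "photobucket"])
        return [(os.path.relpath(p, root).replace(os.sep, "/"), why) for p, why in hits]

if __name__ == "__main__":
    print(demo())
```

The SHA-256 value can also be pasted into the VirusTotal search box to look up an existing report without uploading the file.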

I have just installed SUPERAntiSpyware and ran a scan. Nothing came up (I had quarantined the malware file with Avast before scanning) and no traces were found either, so hopefully that means the file hadn’t been run and that it was just sitting there inactive.

Any tips on using SUPERAntiSpyware? As it runs in the background even on the free version, is there any way of closing it after you are finished with it?

I was surprised how quick it runs as well. So far no conflicts between Avast, Comodo and SUPERAntiSpyware. How frequent are updates for it, and is the software one of the best for finding malware and trace elements?

What slightly worried me was that the definition for this malware was only released earlier this month and the others had it registered a few months back. Is Alwil trying to improve on their detections for these particular cases?

The free version of SAS is an on-demand scanner only (and manual updates) so it doesn’t run in the background, I do a weekly SAS scan (pausing standard shield during the SAS scan), before running the scan go on-line and update the signatures.

The only free resident anti-spyware is Spyware Terminator.

No, what I meant is it is still listed in task manager as a process after I close the program. Is there a way of freeing that memory back up for other programs?

How have you found the product and its compatibility with other security software?

PS: does SUPERAntiSpyware have a catalog of malware that details what they do and their risk, or does it have something that tells you what is covered in the signature updates (like Avast)?

Closing only closes the GUI; the tray icon remains, but there is no background or on-access scanning going on.

I right-click the SAS tray icon and select exit, and that closes everything, no task manager entry.

I don’t know if they have a signature update history, I have never gone looking, I’ll leave that up to you ;D

Thanks for your help. Would you consider my computer clean after running SAS, adaware and Avast full scans?

If I have any further problems, can I ask for further help regarding any issues?

SUPERAntiSpyware> preferences> uncheck “Show SUPERAntiSpyware icon in system tray”

After you restart SUPERAntiSpyware nothing will be running in the background when you close SUPERAntiSpyware. 8)