Hi there, just wondering if anyone could kindly help out:
Avast found the following in C:\WINNT\system\32\i
Win32:Downloader-BKN [trj]
It was initially found when I first installed Avast in May of this year, after coming from AVG and Avira. Moved it to the chest for a while, restored it later, neither had any effect as far as I could tell. Could not identify any damage to data. I have therefore not yet attempted to remove this “malware”, but would need to know what to do with it in the long run. (Never had any viruses in the past).
Virustotal-result below.
Uncertain how to proceed. Is this malware or a FP ?? Any further advice would be greatly appreciated.
Many thanks, Syndey
I think the VT results are pretty clear: the avast detection was good and it is malware. It should have remained in the chest for a few weeks prior to being scanned ‘inside’ the chest and, if still detected, deleted. One thing is for sure: it is no FP.
Is this path correct, C:\WINNT\system\32\i ?
The C:\WINNT\system\32\i seems strange to start with; C:\WINNT\system32\ is more likely, and if the path is correct it would imply that it is designed to confuse so a user doesn’t remove it.
Hi David, thanks for getting back to me.
Win 2000.
This path is correct (had mistakenly added a backslash before - sorry !!!):
C:\WINNT\system32\i
The file properties show it has been in place pretty much ever since I had the computer.
I had the file in the chest for nearly 2 months, but it still is identified as being infected.
I sent it to the Avast support two times, never received a reply.
Also sent the file to the Avira support (including the VT results), but they insist it is clean.
So really don’t know who and what to believe and what to do ???
Thanks again,
Sydney.
I won’t judge that this file is clean… really, too many ‘important’ antivirus are detecting it as being infected. Do you need that file, I mean, why did you restore it?
Hi Tech, no I personally do not “need” that file at all. But I thought Windows did - otherwise: why should it have been there ever since Windows had been installed ??
So you think it’s o.k. to just delete the whole file ?? (i.e. move it to the chest again & delete it from there) rather than trying to fix it ?
Also, how come various antiviral programs detect different “bugs” (a worm/a trojan/etc) ?
Thanks,
Syd.
That is better, though single-character folder names are also unusual (or is that the file name, with no file type, which is also suspect)? Is there anything else in that folder?
File properties aren’t entirely reliable, as it depends on whether this value is the creation date or the last-modified date. Signatures are constantly added and updated, so it isn’t unusual to see a file that wasn’t previously detected now detected. This is why it is important to send it to the chest (rather than delete) and confirm the detection at VT, and in this case VT confirms a good detection.
You will not normally receive a reply unless they need more information; they will analyse the submitted sample and, if it was an FP, would correct the VPS so it would no longer be detected. Obviously, if it is still considered infected then there would be no change to the VPS.
They would obviously still say it is clean, as they still don’t detect it, but in the face of the VT results I’m afraid I couldn’t accept that assurance.
I still don’t know the file name that was detected: you gave a folder location and a malware name but no file name, so there is no way to know what the file is associated with using Google, etc., and give any advice/assurance.
Wow, Frank, David, thanks a lot for the infos, it all makes more sense now. You guys are great !
@ Dave: that’s all I’ve got: “Original location: C:\WINNT\system32”. “Name: i”.
I think Frank’s duck is a duck (Please see links in his 2 posts).
So: where to from here ? Move to chest & delete from there or deal with it some other way ??
Thanks so much again !
Syd.
Essentially since you have had it in the chest previously for some time and repeat scans still show infected, you should be able to safely delete it without sending to the chest.
Have you got any anti-spyware tools installed, if so what ?
If not those that Spiritsongs posted would be a good addition to your overall security.
Hi, I wish posts would not just disappear from this thread…
I have been using Ad-Aware and Spybot on a regular basis, but nothing was ever found, apart from a few tracking cookies.
I have read Spiritsong’s reply (which has now disappeared) and have in the meantime downloaded & run both: SuperAntiSpyware & Malwarebytes.
SAS just detected more tracking cookies (which I have deleted). Malwareb. did not find anything.
I cannot remember exactly what else Spiritsongs said, other than getting expert help…
So, David, you think it would be o.k. to just go into Windows Explorer and send the “i-file” to the rubbish-bin (rather than to the chest again) ?
Frank, yeah, I entirely agree and you have proven beyond doubt that it is malware. In his post (now not showing any more), “Spiritsong” suggested running both applications (SAS & Malwarebytes), implying that they might get rid of the problem altogether - so that’s just what I did. Except neither fixed the problem…
“Spiritsong” also suggested using another forum for “expert help” (? which), whereas DavidR seems to be saying to simply delete the i-File…
Spiritsongs turns up occasionally, recommends SUPERAntiSpyware, recommends that the poster seeks “expert advice” on another forum, and then goes away again for a week or two.
Personally I feel this might be a remnant of a previous infection and the idea of running the other programs (which are specialist anti-spyware/trojan programs) is a belt and braces approach to confirm there is nothing else lurking.
They also look in the registry for malicious entries (which avast doesn’t do in its scans); for something to run there will normally be an associated registry entry.
I see no point in sending the i file to the chest when that has been done before, so since we are all agreed that, after investigation, this is malware, delete it.
Same sentiment on Spiritsongs’ ‘seek expert advice’: as FWF you should be fine where you are.
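The two checks David describes above (file properties and timestamps are not to be trusted on their own, and anything that runs normally has an autorun registry entry pointing at it) can be done in one pass from an elevated PowerShell prompt. The script below is an added example, not something posted in this thread and not an avast tool. It assumes a modern Windows with PowerShell 4 or later (Get-FileHash does not exist on the Windows 2000 machine in the thread), takes the path from the thread as its default, and checks only a short, illustrative list of autorun keys, not every location malware can use.

```powershell
# Added example (not from the thread): triage one suspicious file.
# Records timestamps, hashes it for a VirusTotal search, flags the oddities
# raised in the thread (one-letter name, no extension, sitting in system32,
# unsigned) and looks for autorun registry values that reference it.
param(
    [string]$Path = 'C:\WINNT\system32\i'   # path from the thread; assumption
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "Not found: $Path (already deleted or in the chest?)"
    return
}

$item = Get-Item -LiteralPath $Path

# Creation/last-write times are easy to forge or to inherit from an installer,
# so they only say when the file was written, not when it first appeared.
[pscustomobject]@{
    Name         = $item.Name
    SizeBytes    = $item.Length
    Created      = $item.CreationTime
    LastWritten  = $item.LastWriteTime
    LastAccessed = $item.LastAccessTime
    Attributes   = $item.Attributes
}

# SHA256 lets you search VirusTotal by hash without uploading the file.
$hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
Write-Output "SHA256: $($hash.Hash)"

# Heuristics raised in the thread.
$flags = @()
if ($item.BaseName.Length -eq 1) { $flags += 'single-character file name' }
if ($item.Extension -eq '')      { $flags += 'no file extension' }
if ($item.DirectoryName -ieq "$env:SystemRoot\system32") { $flags += 'lives in system32' }
# OS binaries shipped in system32 normally carry a valid Authenticode signature.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
if ($sig.Status -ne 'Valid') { $flags += "unsigned or bad signature ($($sig.Status))" }
Write-Output ('Flags: ' + ($flags -join '; '))

# Autorun locations that commonly reference a dropped file. Illustrative list,
# not exhaustive (assumption). Reading HKLM needs an elevated prompt.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell, Userinit
)
# Match the full path, or the bare name preceded by a backslash and followed by
# a delimiter, so a one-letter name like "i" does not match every value.
$fullPattern = [regex]::Escape($Path)
$namePattern = '\\' + [regex]::Escape($item.Name) + '(\s|"|$)'

foreach ($key in $AutorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # PowerShell provider metadata
        $value = "$($p.Value)"
        if ($value -imatch $fullPattern -or $value -imatch $namePattern) {
            Write-Output "Autorun reference: $key\$($p.Name) = $value"
        }
    }
}
```

If the last section prints nothing, the file is not being started from those keys; that is consistent with David's "remnant of a previous infection" reading, but it does not prove the file is inert (services, scheduled tasks and other launch points are not covered here). Take the SHA256 to VirusTotal before deleting so the detection can be re-checked later without the file.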
Some malware is very “complex” and the “regular” antivirus and antispyware programs MAY ONLY “detect” a “portion” of the malware. Best to get Volunteer Expert help in a “HijackThis” forum which will run several analytical tools/programs and, since you now mention you have Spybot, I recommend the one at http://forums.spybot.info, particularly THEIR “Malware Removal” sub-forum.
Why do you only come here to put us down by recommending that people go to another forum? It’s doubly insulting when replies to the post have clearly identified the problem, and it undermines the poster’s confidence in answers given. I don’t know about other forum members, but this behaviour really pisses me off.
And why do you recommend SUPERAntiSpyware every time you see the word ‘Trojan’ or ‘worm’ in a post? Have you got some special interest in that product?
Hi, just briefly wanting to thank you SO MUCH for the time, patience & energy you sacrificed by helping me sort this out !!
I’ve deleted the file & everything is sweet. At the same time I feel very lucky to have had your support !
And I am grateful for your explanations +++
Frank, you were spot-on, and your early links have been a real eye-opener.
David, I love the way you communicate and bring your point across.
Hopefully, this won’t happen again (yes, David, heaven knows how long this “thing” or its remnants have been sitting there…), but if it does I’ll know where to turn “without having to panic” (@Frank!)…
Cheers. Syd.
I “put you down” because you are frequently recommending simplistic “Solutions” to a possibly “complex” Situation. Some experienced, trained, certified, Volunteer “Malware-Fighters” recommend a reformat & reinstallation of a computer that has a Backdoor trojan because that is the “safe” way to “treat” that. Seems wise to exercise caution by going the “Extra Step” of having someone with more knowledge than you use “tools” such as ComboFix and others to determine IF there is something still hidden on the computer. Of course, most Novices prefer the simplistic Approach, either through ignorance or unwillingness to take the “Extra Step” to ensure the Integrity of their computers. I agree with the “Approach” of CERTIFIED “Malware-Fighter” “Mr Charlie” in WHAT he recommends at http://forums.maddoktor2.com/index.php?showtopic=9590 .