Today avast pointed out a virus on my mom's laptop when I was about to open MSN Messenger. I ran a full scan and it found some other files (there's one that has a different name but the same size as the MSN file: 5.41 MB). I sent the files to the VirusTotal site and here are the results.
A0022590.exe
MD5: f112957a09419ab52d28607fddc62887
First received: 03.28.2007 05:03:50 (CET)
Date: 07.04.2008 22:24:30 (CET) [<1D]
Results: 7/33
Permalink: analisis/3e69543945adf4f0ac9eae3daca3cdfc

msnmsgr.exe
MD5: f112957a09419ab52d28607fddc62887
First received: 03.28.2007 05:03:50 (CET)
Date: 07.04.2008 22:43:53 (CET) [<1D]
Results: 7/33
Permalink: analisis/7643ede977bcd7e0372f1ccf20accf49

xpos.exe
MD5: f97fe2785a4ec9ac90b3e8ba1fdbc827
First received: 08.27.2007 18:45:29 (CET)
Date: 08.28.2007 19:20:21 (CET) [>311D]
Results: 22/32
Permalink: analisis/93799b3ddf3243b6745cfaf65bc44db8
Can someone please shed some light on this? Thanks!
The first one seems infected, not a false positive.
The last, for sure, is infected.
The second, well, could be.
At the same time, avast has quite a few false positives, but it is the first to detect some kinds of infections. So, I'd run an online scan with one of these:
- Kaspersky (very good detection rates)
- ESET NOD32
- Trend Micro HouseCall
- F-Secure
- BitDefender (free removal of the malware)
Also, I suggest:
- Disable System Restore and re-enable it after step 3.
- Clean your temporary files.
- Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try Dr.Web CureIt! instead.
- Use SUPERAntiSpyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
- Test your machine with anti-rootkit applications. I suggest avast! Antirootkit or Trend Micro RootkitBuster.
- Make a HijackThis log to post here or, better, submit the RunScanner log to online analysis.
- Immunize your system with SpywareBlaster or Windows Advanced Care.
- Check if you have insecure applications with Secunia Software Inspector.
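A small hashing helper, added here as an example and not part of either post, that does what the VirusTotal records above invite you to check by hand: hash each suspect file, group identical contents that sit under different names (msnmsgr.exe and A0022590.exe report the same MD5, so they are the same bytes regardless of name or size), and match against the MD5s already flagged in the thread. The sample files it builds are constructed; the flagged-hash table is the one quoted above.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# MD5s quoted from the VirusTotal results in the thread (known-flagged set).
FLAGGED_MD5 = {
    "f112957a09419ab52d28607fddc62887": "msnmsgr.exe / A0022590.exe (7/33)",
    "f97fe2785a4ec9ac90b3e8ba1fdbc827": "xpos.exe (22/32)",
}

def file_digests(path, chunk=1 << 20):
    """Return (md5, sha256, size) for one file, read in chunks."""
    md5, sha, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
            size += len(block)
    return md5.hexdigest(), sha.hexdigest(), size

def scan(paths):
    """Hash every path; return {md5: [(path, size), ...]}."""
    by_md5 = defaultdict(list)
    for p in paths:
        md5, _sha, size = file_digests(p)
        by_md5[md5].append((p, size))
    return by_md5

def renamed_copies(by_md5):
    """MD5s seen under more than one file name: identical bytes, different
    names (as with msnmsgr.exe and A0022590.exe in the thread)."""
    return {h: sorted(p for p, _ in e) for h, e in by_md5.items()
            if len({os.path.basename(p) for p, _ in e}) > 1}

def flagged(by_md5, known=FLAGGED_MD5):
    """Map each scanned path whose MD5 is already flagged to its label."""
    return {p: known[h] for h, e in by_md5.items() if h in known for p, _ in e}

def build_sample():
    """Constructed sample: two names for the same bytes plus one other file."""
    d = tempfile.mkdtemp()
    files = {"msnmsgr.exe": b"MZ same-bytes", "A0022590.exe": b"MZ same-bytes",
             "notepad.exe": b"MZ other-bytes"}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return [os.path.join(d, n) for n in files]
```

Point `scan()` at the real files instead of `build_sample()` and any path returned by `flagged()` or `renamed_copies()` is worth quarantining rather than trusting by its name.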