Hello. I hope this is the right forum to ask about this. I’ve tried searching for the issue but have had no luck finding anything at all on it. Anyway, let me explain what happened from the beginning:
While casually surfing the web I mistakenly typo’d goolge instead of google.ca. A pretty easy mistake I suppose, and one I’ve done but caught before pressing enter numerous times. Immediately after pressing enter I realized my mistake, but before I could close the page and reopen google, avast! gave me an infected website prompt and said it was blocked. For reference it was “Threat JS:ScriptIP-inf [Trj]”.
This was on Firefox and I also have ABP and NoScript running, so I was fairly confident nothing had infected me. Paranoia got the better of me and I decided to run a full-scan just for the sake of it.
When the scan completed it said the following trojans were found, all with “Threat: Win32:Cycbot-KI [Trj]”
C:\Windows\SysWOW64\kernel32.dll|>[Emul]
C:\Windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.16850_none_efce4eb86fe8ae92\kernel32.dll|>[Emul]
C:\Windows\SysWOW64\kernel32.dll|>[Emul] (same as the first)
The files couldn’t be repaired or moved to the chest (not that I think that would be a good idea anyway, given what they are).
Upon finding this, I scanned the files with MBAM and found nothing. I proceeded to manually scan the files with avast! and found nothing. I used the avast! online scanner and still found nothing. I rescanned the entire windows folder with both MBAM and avast! and found nothing.
I did another full scan after this and the same 3 files were detected as threats again. I’m guessing the |>[Emul] is where the problem is, but I have no idea what that even means.
If it helps, I’m on Windows 7 Home 64-bit, avast! version 6.0.1289.
I used the avast! online scanner and still found nothing.
Upload suspicious file(s) to www.virustotal.com and test with 44 malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.
MBAM checks for updates regularly when I open it to scan and should be up to date. My current version is 1.51.2.1300
I’m fairly sure I went to goolge .ca not .com but am unwilling to test it again for obvious reasons. When I look in the web shield log I see the following:
(Note I’ve added spaces to prevent it from linking).
Also I have just finished another full scan after restarting my computer and nothing was found. Maybe WebShield sandboxed the website and the threats detected were emulated versions stored in memory, and were removed upon restarting? Of course I have no idea how WebShield or sandboxing works so this is just wishful thinking.
Not too worried anymore and thank you for your help. I haven’t noticed any problems yet (and don’t expect to) but may be back if any pop up. I’m sure I was just being paranoid, but better too much than too little I suppose.
Hello!
The exact same files showed up when I scanned my computer over the night. I haven’t been to any suspicious sites that I know of…
Should I just choose “do nothing”?
I have Avast (free) version 6.0.1289 and OS is 32-bit Vista Home (SP2). With AvastUI I created a custom scan which checks computer operating memory and auto-start programs (all users), and when I run the custom scan it says win32-cycbot-ki found. I checked my computer with:
Avast Full System scan => clean
Avast boot time scan (all drives) => clean
Avast quick scan => clean
Microsoft Security Scanner => clean
F-Secure online scanner 4.2 => clean
When running custom scan (operating memory & auto-start programs) I had notepad and firefox running (screenshot). If I close all programs then custom scan says avastui.exe and svchost.exe processes are infected by win32:cycbot-ki.
I tried Avast 6.0.1289 on another computer with Vista Home 32-bit (SP2) and custom scan (operating memory & auto-start programs), and the result is that avastui.exe, svchost.exe and scheduler.exe are infected by win32:cycbot-ki. All scans made with latest definition versions (23.9.2011 and 24.9.2011).
When I adjusted the sensitivity of custom scan from normal to quick, then no alerts, all clean.
I had the exact same problem last night after I scanned.
Avast managed to delete one of the problems but left the other 2.
Well that was a mistake as it stopped all of my security programs from running.
I ended up having to do a sfc /scannow which helped. Restored to a different restore point which worked. I had to go into safe mode to run System Restore as it did not work in normal mode.
Rebooted and all was working ok again.
To be on the safe side I ran the rest of my security programs and Avast and nothing was found.
Switched off system restore then on again, creating a new restore point, cleaned out all the junk and so far everything is ok.
I will agree it looks like they are all false positives and if so caused me quite a few problems.
I was running a normal full scan when I got this (same as the thread starter):
C:\Windows\SysWOW64\kernel32.dll|>[Emul]
C:\Windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.16850_none_efce4eb86fe8ae92(Other numbers/letter here though)\kernel32.dll|>[Emul]
C:\Windows\SysWOW64\kernel32.dll|>[Emul]