Suspicious file comes up clean ????

Is there a way of putting a file I suspect of being a virus or trojan into the Avast Virus Chest ?

I have checked this file with Avast 4.8 but it comes up clean and nothing is found.

I have sent a copy of this file to virus @ Avast.com. for checking.

Hope I have done the right thing.

Yes, open the avast chest, click on the User Files section, from the File menu select Add. Navigate to the suspect file and select it. You would need to remove it from the original location as you are adding to the user files section and not deleting the file.

What is the suspect file name, where was it found e.g. (C:\windows\system32\suspect-file-name.xxx) ?
Have you googled the file name to see if there is anything associated with it ?

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently over 30 different scanners.

Ikarus - - BehavesLikeWin32.ProcessHijack

Thank you David

Your welcome.

From this with only 1 detection and that one is not by signature but by some sort of heuristic detection, which could be prone to false positives.

You didn’t say what the file name and location was, what makes you suspicious of it ?

You could also google the file name and see if there are any associated hits.

I rescanned using virustotal again and during this scan AVG identified Dropper.Delf.AIQ

Wasn’t found by AVG on the first scan ??

Yes, that is 2 out of 32 with one of those slightly suspect.

But, you still don’t say the file name or its location or why you thought it suspicious.

Do you get an acknowledgment or finding from “virus @ Avast.com” for files submitted ??

Sorry to butt in, but I don’t think the forum works that way.
The folk who help/answer questions are usually not Avast employees. I don’t believe any of them would have access to anything emailed to avast, except for VLK. And he’s a developer.

Generally you will only be contacted if they need further information.

Still waiting for an acknowledgement to the questions asked previously. In the meantime here is another question to add to the collection. You mentioned you scanned your system with AVG, which one, AVG anti-virus or AVG anti-spyware ?

Having two resident ‘anti-virus’ scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.

The one you recommended Dave “VirusTotal - Multi engine on-line virus scanner”

After much work this file was identified as “Windupdater.exe” located in the system32 folder \Windowsupdates\Windupdate­ .exe

This problem file does not become active until after a system reboot due to an entry being inserted into the start up sequence to activate it.

After googling and reading several sites it would appear this is not an easy problem to get rid of.

I was lucky I did a System restore to a point before I downloaded this file which allowed me to delete the Windupdater.exe from the system32.

And any startup sequence entry to trigger this file was left behind in the previous system restore point.

Well had you mentioned the file name earlier and its location, I would have suggested HiJackThis so we could see what was running and to remove the run entry from the registry so it wouldn’t run on the next boot, that would also have allowed you to add it i=to the chest, remove/rename it, etc.

System Restore whilst it can help, it isn’t infallible and you can often get unexpected consequences when using it to step back as what other good work you did in the period could be lost.

Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis - HJT Information HiJackThis Tutorial.

Did you try the general cleaning procedure?
I suggest:

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast with archive scanning turned on.
  4. Use SUPERantispyware and/or Spyware Terminator to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.
  5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:07 PM, on 12/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\PROGRA~1\INTERN~2\mum.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Capture-A-ScreenShot\Capture-A-ScreenShot.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredimail.com/english/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [WinampAgent] “C:\Program Files\Winamp\winampa.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe”
O4 - HKLM..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM..\Run: [mxomssmenu] “C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe”
O4 - HKLM..\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe”
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe”
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKLM..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM..\Run: [trojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU..\Run: [InternodeUsage] C:\PROGRA~1\INTERN~2\mum.exe
O4 - HKCU..\Run: [Orb] “C:\Program Files\Winamp Remote\bin\OrbTray.exe” /background
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU..\Run: [SandboxieControl] “C:\Program Files\Sandboxie\SbieCtrl.exe”
O4 - HKCU..\Run: [Vistapack Reloader] C:\Program Files\Vistapack XP\vistapack.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra ‘Tools’ menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip..{DF21912F-3DE8-4CB9-B67F-77F1E0975BFF}: NameServer = 192.231.203.132,192.231.203.3
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe


End of file - 7826 bytes

I suspect that there is some bad things inside your system which is
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra ‘Tools’ menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (there is also others infected files if im not wrong)

This is very bad(for me). Why I said this two is bad ? I said this two is bad because it is killing my system yesterday with popping up thousands of internet explorer without stopping and some others bad thing. What i did is run a Hijackthis and fix check this two and some others suspicious files like Joybeep.exe , Binary arms and others. Than I run a scan with Avast,Adaware,Spyware Doctor and it found almost about 70 files infected with trojan horse and worms.

Infected with what ?

I have used Spybot Search and destroy, Boot time scan with Avast V4.8 , SUPERantispyware , Runscanner and AVG Anti-Spyware with nothing found.

So what did you use to find your problem ?

The above 2 items you mention as a problem also came up clean.

Well if you have said that to me than do you recognize this two files? Or do you know this program?

It’s Party Poker that I have been playing for quite sometime (over 70 million play chips won and in my account) without any problems being experienced.

Not sure which program you used to identify these two files as being infected ?

Ops than sorry for what i have said wrongly. I think that i was hacked yesterday but nvm.