Avast is not finding this trojan. Any good way to find out if this is a false positive and, if not, the best way to remove the threat without purging Avast?
upload it to virustotal.com (VT) and post the link to the results.
if you want to move the file to avast! chest then do this: virus chest > user files > add files - browse for files > click email to avast! and do a manual update.
alternate method to upload to avast!: zip the file with a password and send the zipped file to virus@avast.com with the password for the zip in the body of the email.
first of all upload the file to VT and post the link here.
edit: didn’t avast give any warning saying “Win32:Rootkit-gen”?
The program that found these issues was sophos anti-rootkit 1.5. Avast boot scan noted cab archive corrupted which I have been told means that Avast cannot open the file and does not indicate malware. Not the spots where the problem exists anyway.
submit to virus total and post the link here, please, if you can. also, submit the archive which avast reports as corrupted and sophos reports as troj.
not sure if I can capture a screenshot while doing a boot scan but will try and get it next run.
These files seem to be designed so that they cannot be uploaded or copied.
Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 8/13/2009 at 22:43:49 PM
User “NF” on computer “PC137019336299”
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\adc552d81b1233f485ae0f1a036f\update\update.exe
Hidden: file C:\adc552d81b1233f485ae0f1a036f\update\updspapi.dll
Hidden: file C:\Documents and Settings\NF\Temporary Internet Files\Content.IE5\AUNFMXJ9\VGKWT0CA24S9I3CA2ZEJYVCA4MIVTNCAEHZE23CA5RF7IWCAUO9X0ICAPIKW4ECAR2L54ICAR22P4DCALR5HJKCA8O5NLYCAMUF6X7CAYF3H2ECAVFYUTXCAMSZ3G0CAVU4SXMCAW6W6B9CA6GIKV9CADZ7SK1CA59LS7HCAGOAOI9CAVQK4KXCAVBCMK4.txt
Stopped logging on 8/13/2009 at 23:01:27 PM
Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 8/14/2009 at 8:47:21 AM
User “NF” on computer “PC137019336299”
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Stopped logging on 8/14/2009 at 8:47:27 AM
Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 8/14/2009 at 8:51:22 AM
User “NF” on computer “PC137019336299”
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Stopped logging on 8/14/2009 at 8:51:52 AM
Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 8/14/2009 at 8:53:59 AM
User “NF” on computer “PC137019336299”
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\adc552d81b1233f485ae0f1a036f\update\update.exe
Hidden: file C:\adc552d81b1233f485ae0f1a036f\update\updspapi.dll
Hidden: file C:\Documents and Settings\NF\Temporary Internet Files\Content.IE5\AUNFMXJ9\VGKWT0CA24S9I3CA2ZEJYVCA4MIVTNCAEHZE23CA5RF7IWCAUO9X0ICAPIKW4ECAR2L54ICAR22P4DCALR5HJKCA8O5NLYCAMUF6X7CAYF3H2ECAVFYUTXCAMSZ3G0CAVU4SXMCAW6W6B9CA6GIKV9CADZ7SK1CA59LS7HCAGOAOI9CAVQK4KXCAVBCMK4.txt
Hidden: file C:\Documents and Settings\NF\Temporary Internet Files\Content.IE5\B0751NDE\M8C2LLCAWTGL1PCA2KSFD9CAAA7J5RCASEK1OQCA02DYFGCAPWP99GCAMGMB16CAWRM9CWCA6A1CEVCA5ZE84WCAZVSCE9CAC6DXM3CAY7WZMYCAT2P369CA5SEU5DCAW1XK4RCAFGF7G2CA7RDWC8CAGUTQJGCAFAR9D6CAWC08K6CASUTYB6CADXY767.txt
Hidden: file C:\Documents and Settings\NF\Temporary Internet Files\Content.IE5\AUNFMXJ9\RSERPCCAP8SZ5VCA5I23AMCAMFXQDICAEPJYJ2CAME3IY9CAFYCPRSCAFH0MAWCA2I3AYKCAOX8MVWCAJ42PQDCA30T67TCA4ZMKVACAVJS97QCAXM6PH2CAQ27DJXCAWB4RVCCA8C4CTOCAO0ZLF7CAF88E2OCA35XGM9CAGREMOQCAAHE9HBCA30QI21.txt
Hidden: file C:\Documents and Settings\NF\Temporary Internet Files\Content.IE5\B0751NDE\D546TACAABO5JBCAB5PXDTCAEPQP8CCABW9VIDCAG2WP93CAMA4U36CA2OLRXPCANL1WU8CABNIN8QCA7HHDZ0CAZVO850CAMPGXTCCAU88328CA1D006ICASR8H6QCALD2UJVCAFE305CCACDDPQCCADNW6GECAQ31WC4CAE34QEWCASSNTUTCAF41RU0.txt
Info: Starting disk scan of D: (FAT).
Info: Starting disk scan of G: (FAT).
Stopped logging on 8/14/2009 at 10:00:56 AM
according to the sophos log file, it reports windows update files, possibly, which will be copied to a temporary folder while installing any update manually.
and, i think, the temporary files are ok.
can you do a scan using hijack this (get it here) and post log here: use additional options and upload log file.
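The reply above sorts the Sophos "Hidden:" findings by where they live (hotfix staging folder, IE cache) rather than by what the scanner says about them. The script below is an added example, not code from the thread or from Sophos, that does that sorting automatically over a Sophos Anti-Rootkit log: it pulls out every "Hidden: file" line and puts each path into one of three buckets. The two "expected" patterns encode the reasoning in the reply (a hex-named folder at the drive root holding update\update.exe or updspapi.dll is what a manually run Windows XP hotfix installer unpacks into; Content.IE5 is the Internet Explorer cache); anything else lands in "review", which is the list you would hash and look up on VirusTotal. The sample log is taken from the thread, with the long cache file names shortened and one extra driver path constructed to show the "review" bucket; the bucket names and the hex-folder length range are my assumptions, not Sophos conventions.

```python
import re
from collections import defaultdict

# Sample Sophos Anti-Rootkit log. The first lines are from the thread above
# (cache file names shortened); the constructed_example.sys line is made up
# to show what a finding outside the two "expected" patterns looks like.
SAMPLE_LOG = r"""Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 8/14/2009 at 8:53:59 AM
User "NF" on computer "PC137019336299"
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\adc552d81b1233f485ae0f1a036f\update\update.exe
Hidden: file C:\adc552d81b1233f485ae0f1a036f\update\updspapi.dll
Hidden: file C:\Documents and Settings\NF\Temporary Internet Files\Content.IE5\AUNFMXJ9\VGKWT0CA24S9I3CA2ZEJYV.txt
Hidden: file C:\Documents and Settings\NF\Temporary Internet Files\Content.IE5\B0751NDE\M8C2LLCAWTGL1PCA2KSFD9.txt
Hidden: file C:\WINDOWS\system32\drivers\constructed_example.sys
Info: Starting disk scan of D: (FAT).
Stopped logging on 8/14/2009 at 10:00:56 AM
"""

# One "Hidden: file <path>" finding per line.
HIDDEN_LINE = re.compile(r"^Hidden:\s+file\s+(.+?)\s*$")

# Hotfix staging folder: <drive>:\<hex name>\update\update.exe or updspapi.dll.
# The hex name in the thread is 28 characters; the 16-40 range is an assumption
# to tolerate other installers rather than a documented Sophos rule.
WU_STAGING = re.compile(
    r"^[a-z]:\\[0-9a-f]{16,40}\\update\\(?:update\.exe|updspapi\.dll)$",
    re.IGNORECASE,
)

# Internet Explorer cache under the user profile.
IE_CACHE = re.compile(r"\\Temporary Internet Files\\Content\.IE5\\", re.IGNORECASE)


def parse_hidden(log_text):
    """Return the paths of all 'Hidden: file' findings, in log order."""
    paths = []
    for line in log_text.splitlines():
        m = HIDDEN_LINE.match(line)
        if m:
            paths.append(m.group(1))
    return paths


def classify(path):
    """Bucket a hidden-file path by location (bucket names are this example's own)."""
    if WU_STAGING.match(path):
        return "windows-update-staging"
    if IE_CACHE.search(path):
        return "ie-cache"
    return "review"


def triage(log_text):
    """Group every hidden-file finding in the log by bucket."""
    buckets = defaultdict(list)
    for path in parse_hidden(log_text):
        buckets[classify(path)].append(path)
    return dict(buckets)


def report(log_text):
    """Human-readable summary; the 'review' bucket is what still needs a hash lookup."""
    lines = []
    for bucket, paths in sorted(triage(log_text).items()):
        lines.append(f"{bucket}: {len(paths)} file(s)")
        lines.extend(f"  {p}" for p in paths)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

A path landing in an "expected" bucket says only that the location matches a known benign pattern, not that the file is clean; the hash lookup on VirusTotal that the thread asks for is still the actual check, and a hidden file in the "review" bucket is the one to prioritise for it.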
ran malwarebytes and this is the log on it:
Malwarebytes’ Anti-Malware 1.40
Database version: 2641
Windows 5.1.2600 Service Pack 3
8/17/2009 1:49:57 PM
mbam-log-2009-08-17 (13-49-57).txt
Scan type: Full Scan (C:|)
Objects scanned: 197259
Time elapsed: 59 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\NF\Desktop\DL\ubsetup.exe (Rogue.Installer) → Quarantined and deleted successfully.
C:\Documents and Settings\NF\Desktop\DL\ZonealarmBarSetup_ZN2_tbr_4.1.0.5.exe (Rogue.Installer) → Quarantined and deleted successfully.
C:\Documents and Settings\NF\Desktop\DL\DL June 2009\ubsetup.exe (Rogue.Installer) → Quarantined and deleted successfully.
C:\Documents and Settings\NF\Desktop\DL\DL May 2009\ubsetup.exe (Rogue.Installer) → Quarantined and deleted successfully.
C:\Documents and Settings\NF\Desktop\DL\July DL\Visioneer\7100.303110.EN.exe (Trojan.BHO) → Quarantined and deleted successfully.
C:\Program Files\Online Services\Aol\United States\AOL90\COMPS\ASP\ASPSETUP.EXE (Trojan.BHO) → Quarantined and deleted successfully.
i will upload a hijack this report after reboot and rescan with malwarebytes