Trojan? Or not? Help!

Hi all,

This is a little long, so please bear with me…

I’ve been a Norton Anti-virus user for about two years, ever since I bought my new computer. Also, I’m very cautious when it comes to viruses. I never use my computer’s e-mail program, instead I opt for web-based e-mail clients like Yahoo, Hotmail and G-mail. Even so, I never open e-mails if they look suspicious or have attachments.

I also never run programs that I get from sources I don’t trust. I practice safe web-browsing and have always had a firewall and anti-virus program running.

That being said, my Norton subscription ended two days ago. So, after hearing many good things about Avast!.. I thought I’d try it. I uninstalled Norton and installed Avast!. It ran its first scan… and all was clean. I ran another scan a little later… again, everything was clean.

Now… today I decided to try a “thorough” scan rather than the “standard” scan that it did the last two times. Well, this time I got a virus warning… and of all places on my D: drive!

It said the file that was infected was “wksv7std.sbs” located at

D:\i386\Apps\App12654\workssuite\msworks\pfiles\msworks

It said that it was a Malware type Trojan called Win32:SdBot-3324 [Trj]. Avast!'s recommended advice was to move this file to the virus chest… which is what I did.

Now, my D: drive is just a “recovery partition” used by my computer. I never write anything to it. When I click on that drive it tells me that this area of my drive contains files used for system recovery. And that I should not delete or alter files in there. And that any change could prevent any recovery later.

Now, I’m no expert when it comes to viruses… but I just have this feeling that Avast! was just being overly sensitive. I’ve used other virus programs in the past, and at times they would detect viruses in completely innocent files.

Another reason I think the file is fine is that when I open Avast!'s virus chest… and look at the file in question… under ‘virus’ it says ‘–no virus–’. It also says the last time the file was changed was 6/4/2002… which is before I bought the computer.

Anyhow… that’s my situation. Now my questions…

If the file is truly a trojan, how would I know for sure? Also, if it is a trojan… has Avast! cured the problem by locking it away in the virus chest?

But, if it is ~not~ a trojan, can I put the file back where it belongs by clicking “restore” in the virus chest menu without it messing up my recovery partition?

I’m sorry, I know this is a little long-winded. But any advice would be TRULY appreciated!

–steve

Hi and welcome Steve ,
My first suggestion would be to scan the suspect file at http://virusscan.jotti.org/. This will give you an opinion from all the other leading AV scanners.
You will have to restore / remove from chest to perform this function.
If it’s not recognised by anyone else then it’s more likely that it’s a false positive and can be placed in exclusion lists.
Send a copy to virus @ Avast in a password protected ZIP using virus as the password and occasionally scan it with avast to see if it’s still recognised.
Good luck

Thank you so much for the quick reply! I really appreciate it!

I read your suggestions, but I have a few problems.

First of all… if I were to restore the file from the virus chest… there would be no way to access it because it’s on my D: drive. Anytime I try to access anything on my D: drive, I’m given a warning that the D: drive is just a “recovery partition”. I can’t read it, or write to it. It’s locked.

Secondly… the file in question is 47.1 megabytes! Which means I can’t scan it at the location you mentioned because that site only accepts files up to 15 MB.

How is it possible for a 47.1 MB trojan to get on my D: drive… a drive that is basically locked and used only for recovery? Plus… I’m a dial-up user and I never leave my computer running unattended. I would definitely know if a 47.1 MB file was somehow uploaded to my computer.

Plus… isn’t ‘wksv7std.sbs’ a file that deals with clipart? It all just doesn’t make sense.

This MUST be a false virus reading, correct?

–steve

:slight_smile: Hi Steve :

Anytime a recent Norton User has switched to Avast, we are concerned as to IF Norton has been COMPLETELY REMOVED from the computer !? In addition to "uninstalling" from Add/Remove Programs, we recommend using their SymNRT "Removal Tool" ; have you done this ? I usually recommend using a computer's "Search > All files and folders", using the search "term" "Symantec" & later “Norton” and “Delete” anything it finds + using a registry cleaner to remove entries there.

Assuming Norton is COMPLETELY gone, I recommend you get a “2nd Opinion” about this “trojan” by using the good and FREE “Ewido” available from www.ewido.net/en ; this program “specializes” in detecting ( & removing ) trojans, worms, keyloggers, etc . Could either install the program and/or run its Online Scanner .

I must say we would like to check the file (wksv7std.sbs) - it sounds like a false positive indeed; but we must have it first.
If it’s possible somehow, you can upload it to our anonymous FTP: ftp://ftp.asw.cz/incoming
But I guess it might be hard to do on dial-up… :frowning:

Anyway, there is always the possibility of packing the file into an archive…
Hope the compression makes it smaller.
Do you have winzip, winrar or a free tool for it? (like 7-zip or IZArc).

Hi all,

I’d like to thank everyone for the replies!

I would like to upload the file in question for inspection, but I have a dial-up connection and a 47 MB file would take forever to transfer. I even tried to compact it (as Tech suggested) and it’s still huge.

If anyone wants to inspect the file… I’m pretty sure that if you obtain wksv7std.sbs from ~any~ source and scan it with Avast, you’ll get the same result. This file was on my D: drive, a drive that’s locked to me. I can’t write to it at all… and the files on that partition were put there when I bought the computer new from Gateway. So how could it be a trojan or virus?

Also, upon browsing the forums here… I noticed someone else encountered the same problem I did.

See here http://forum.avast.com/index.php?topic=20125.0

Also… the warning ~only~ comes up when I do a “thorough” scan… Avast ignores it when I do a “standard” scan.

It simply has to be a false positive.

Yes, I remember somebody else reported the same in the past.
Unfortunately, I didn’t find any “source” for this file… it’s an old thing.

If anybody has that file, you’re welcome to upload it, of course.
Thanks!

Hello,
I am reading this thread and it’s like a script from my office today!! I have had the exact same issue, I am running a Thorough scan, and I have had a few alerts claiming that I have a Trojan Horse, but these are on my D: drive (also a recovery disk, like the user who started this thread). I, however, am not on Dial up, and would be happy to upload this file so whomever can take a look at it. Please advise me on how to do this. Thank You!
;D

Hello,
Me again, I also had another file from my D: drive identified as a Trojan, the file name is BASE_19.inp and it comes up with the same virus name as the others (I have had this “virus” detected on 3 drives, my C: drive, my D: drive and my L: drive (an external USB connected hard drive)). In all, that’s 4 Trojan horse files found. Like the gentleman above, I do not want to delete any files from my D: drive for fear that I might mess up my system recovery drive (does that make sense). 3 of the 4 times this was detected, it was in an MSWORKS directory, and I too searched online for that file name, and found all references of it regarding MSWORKS Clipart. Thank You for the help!

Well, I also just switched from Norton and when I did my scan it came up with 6 Trojans!

4 are on my C drive and 2 are on my D

What do I do? The one on my D drive was a recovery file and it wouldn’t move it to the chest because it said the file was too big. What do I do now?

I am totally computer illiterate.

The other 5 files have all been detected in microsoft works and windows:

wsock32.dll
winsock.dll
kernel32.dll
works.exe
WKSv7std.sbs

They did not show up when I ran a standard scan only when I ran the thorough.

Norton Ghost backup file? Is it a packed archive (like a big zip file)… they won’t get out of there if you don’t restore this backup… you’ll be safe.

Are they into archive files too? Or they’re there, as all other files…
Where are you seeing the files… the three first ones seem to be on the System folder of avast Chest.
They’re NOT infected… they’re there for backup purposes… The last two ones, well, if you’re seeing them into Chest, you’re safe.

Not sure exactly what you are asking (sorry, I mentioned I’m computer illiterate)
But here is the location and exact names of where each file is. Once I did the scan, I moved all of them to the chest. Here is how the chest has divided them up.

Infected Files:
wksv7std.sbs Location: C:\Program File\Microsoft Works
works.exe Location: D:\j386\APPS\APP02771

System Files:
kernel32.dll Location: C:\Windows\System32
winsock.dll same
wsock32.dll same

The one file that was too large, I moved to the recommended AVAST folder.
It was on the D drive.

D:\systemvolume information_restore…

So which one are safe to restore to the place of origin and which should I delete, if any?

Thanks.

Seems infected… leave them there two or three weeks. Then right click them and choose scan again.
If after that time they’re still marked as infected you can delete them.

These files are CLEAN, not infected. They’re into Chest due to backup purposes.

Bad…
You should disable your system restore (Control Panel > System > System restore) and then enable it again.
It will delete all the ‘restore points’ but will clean your computer.

Do NOT restore any file… the infected because you will mess your system and the clean ones are there just as a backup.

I have the same problem with Win32:SdBot-3324 [Trj]!

There is this trojan also in the Works Security Update File from Microsoft (free update from Works 8.0 to 8.5). http://download.microsoft.com/download/c/a/8/ca8b74c0-e20e-461d-9ca1-ad136b077226/works8.exe

Renée

renee_dd, thanks for the link! The detection occurs inside there indeed. I’ll have it checked.

ktl, what virus was reported in works.exe? That same one?

Igor,

both infected files have been detected with the following virus:

Win32:SdBot.33…

Also, I’m a bit scared about doing the “system restore” thing recommended earlier. Am I going to lose things I have installed if I restore my computer to an “earlier” time, as my computer referred to it? I am attending an online course and have tons of things that I need on the computer, including software downloads. I cannot afford to lose any of this, nor do I have the time to reinstall all of it…

Renee, if I’m reading Igor’s post correctly, well, I think it’s not good to leave a live link to an infected file here…
People could inadvertently click on it :frowning:

Ktl, if the system restore is infected you will ‘bring back’ the infection when you try to restore your ‘things’ of an earlier time…
Maybe you can clean both of them (in the computer and in the system restore) at a time, but, only maybe… we can’t be sure.
System restore could fail in most times when you need a ‘deep’ restore back (programs). It’s not a tool for that. You need a backup tool. Microsoft is selling apples instead of oranges with this tool >:( :stuck_out_tongue:

Hi,

Since I started this thread, I figured I’d give an update.

My Avast program just updated its virus database. So I did another thorough scan of all my drives, and it found no infected files.

Also “wksv7std.sbs” is no longer detected as a trojan.

So, I guess all is good?

Seems ok…
Did you scan with a-squared, ewido or Spyware Terminator (trojan removers)?