Hi. Recently, I downloaded WinRAR to extract some .zip files. I use avast home edition, spybot search & destroy, a-squared free and ad-aware to make sure i dont get infected, and run scans often to make sure things are ok.

This morning, after i updated all of them, I ran full scans and a-squared detected Trojan.Win32.Chifrax.a in a file named Default.SFX - the precise location was C:\Program Files\WinRAR\Default.SFX

Avast didnt detect anything so far, so I just put it in a-squared’s quarantine. I also googled it to see what i could find: according to ‘Monthly Malware Statistics from Kaspersky Lab: April 2009’, “Trojan.Win32.Chifrax.a dropped out of our ranking last October but has now returned and gone straight in at number four. This Trojan, like RaMag.a, is a modified WinRAR archive, which in this instance is a self-extracting archive”.

I couldnt find much more info - such as removal steps and what exactly this possible virus can do.

Could someone help me find out if its a false positive? And if its not, how can I remove it properly?

Thanks in advance!

-= It was a false positive… Malwarebytes Antimalware was known to detect it falsely too…

http://www.malwarebytes.org/forums/lofiversion/index.php/"http://www.javacoolsoftware.com/t6592.html

-= But, to be sure you may consider sending it to VirusTotal

Sent to VirusTotal:

a-squared 4.5.0.18 2009.06.08 Trojan.Win32.Chifrax.a!A2*
AhnLab-V3 5.0.0.2 2009.06.08 -
AntiVir 7.9.0.180 2009.06.08 -
Antiy-AVL 2.0.3.1 2009.06.08 -
Authentium 5.1.2.4 2009.06.08 -
Avast 4.8.1335.0 2009.06.07 -
AVG 8.5.0.339 2009.06.08 -
BitDefender 7.2 2009.06.08 -
CAT-QuickHeal 10.00 2009.06.08 -
ClamAV 0.94.1 2009.06.08 -
Comodo 1285 2009.06.08 -
DrWeb 5.0.0.12182 2009.06.08 -
eSafe 7.0.17.0 2009.06.07 -
eTrust-Vet 31.6.6547 2009.06.08 -
F-Prot 4.4.4.56 2009.06.08 -
F-Secure 8.0.14470.0 2009.06.08 -
Fortinet 3.117.0.0 2009.06.08 -
GData 19 2009.06.08 -
Ikarus T3.1.1.59.0 2009.06.08 -
K7AntiVirus 7.10.757 2009.06.08 -
Kaspersky 7.0.0.125 2009.06.08 -
McAfee 5640 2009.06.08 -
McAfee+Artemis 5640 2009.06.08 -
McAfee-GW-Edition 6.7.6 2009.06.08 -
Microsoft 1.4701 2009.06.08 -
NOD32 4138 2009.06.08 -
Norman 6.01.09 2009.06.08 -
nProtect 2009.1.8.0 2009.06.08 -
Panda 10.0.0.14 2009.06.07 -
PCTools 4.4.2.0 2009.06.06 -
Prevx 3.0 2009.06.08 -
Rising 21.33.03.00 2009.06.08 -
Sophos 4.42.0 2009.06.08 -
Sunbelt 3.2.1858.2 2009.06.07 -
Symantec 1.4.4.12 2009.06.08 -
TheHacker 6.3.4.3.342 2009.06.08 -
TrendMicro 8.950.0.1092 2009.06.08 -
VBA32 3.12.10.6 2009.06.08 Trojan.Win32.Chifrax.a
ViRobot 2009.6.8.1773 2009.06.08 -

As showed in http://www.virustotal.com/pt/analisis/d65d279501b018bb8b5c5959a8696ceb7d18e3d96bd2e39997d56af652b5196a-1244477333

What should i do?

Looks like a false positive.

Well a-squared has a bit of form on false positives and this certainly looks that way. Report it to a-squared, personally I would suggest replacing it and adaware (a waste of HDD space) with another anti-spyware application.

If you haven’t already got this software (freeware), download, install, update and periodically run them.

• 1. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later. - 2. SUPERantispyware On-Demand only in free version.

Okay, thanks. I downloaded those and ran scans, nothing…

Anyways, could someone take a look at my Hijackthis logs? thanks in advance!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:56:32, on 9/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20627)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Arquivos de programas\a-squared Free\a2service.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Joao\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O17 - HKLM\System\CCS\Services\Tcpip..{0B649DDB-CF54-44BA-AA29-D91AABB84F75}: NameServer = 200.204.0.10 200.204.0.138
O17 - HKLM\System\CS1\Services\Tcpip..{0B649DDB-CF54-44BA-AA29-D91AABB84F75}: NameServer = 200.204.0.10 200.204.0.138
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

–

edit: The lines

O17 - HKLM\System\CCS\Services\Tcpip..{0B649DDB-CF54-44BA-AA29-D91AABB84F75}: NameServer = 200.204.0.10 200.204.0.138
O17 - HKLM\System\CS1\Services\Tcpip..{0B649DDB-CF54-44BA-AA29-D91AABB84F75}: NameServer = 200.204.0.10 200.204.0.138

only show up in the logs when i run Hijackthis while connected to the internet. If i disconnect, they just vanish - should i worry about them?

-= The 2 entries you just mentioned are safe…

-= Some other things to consider:

(1) XP SP3
Windows Update for Windows XP’s service pack 3…

(2) No firewall process detected…
A better firewall would probably solve the problem… Windows XP Firewall has no outbound protection…

(3) O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
Seems to be deactivated already…

@ Jao
Presumably this is your ISP, TELECOMUNICACOES DE SAO PAULO S.A. ?
That is who the IP address in the two entries you mention belong to.