Virus detected at Startup? Startup Item: Jvokiyemamer, Command: ogscota0.dll

Hello,

Avast disabled a DLL at start-up time. Anyone know if this is a false positive? What is this DLL?

OS: Windows Vista 6.0, SP: 2, 64-bit

Startup Item: Jvokiyemamer
Manufacturer: Unknown
Command: rundll32.exe "C:\Users\Bender\AppData\Local\ogscota0.dll",Startup
Location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Thanks for any info!
Bender

Upload the file to http://www.virustotal.com/ and post the result here.

I would say that it isn’t a false positive if for no other reason than it being a) in the local folder, b) its strange file name and startup item name and c) it really is unusual to have a startup item especially a dll in a local folder.

Zero hits on Google for this file name other than this topic, which is also highly suspect for a dll file. The same goes for the startup item name; both are basically randomly created names, which is again suspect.

Did avast send that file to the chest ?

You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here (the URL in the Address bar of the VT results page). You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

But I suspect it will just confirm the avast detection.
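The reasoning in the reply above (a rundll32 command, a DLL sitting in a user-writable profile folder, an unknown manufacturer, a meaningless name) can be turned into a repeatable triage check for Run-key entries. The script below is an added example and not code from the thread or from avast; the sample entries, the small allowlist of startup names and the scoring weights are constructed for illustration, and only the first entry's command line and MD5 come from the thread itself.

```python
"""Triage Windows Run-key autostart entries with the heuristics used in the thread:
what does the command actually load, where does that file live, is there a known
publisher, and is the name meaningful. Scoring weights are illustrative."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Profile folders an ordinary user can write to; a startup DLL here is unusual.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\temp\\")
# Hash reported on the VirusTotal result earlier in this thread.
KNOWN_BAD_MD5 = {"ebe73b5530581e87adc84ac923ce5025"}
# Constructed allowlist of startup item names; a real one would be site-specific.
KNOWN_STARTUP_NAMES = {"avast", "avastui", "onedrive", "securityhealth"}

# rundll32 [.exe] "path\to\file.dll",EntryPoint
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\w+)', re.I)
# Otherwise the first token (quoted or bare) is the executable.
EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


@dataclass
class StartupEntry:
    name: str
    command: str
    location: str
    manufacturer: str = "Unknown"
    md5: Optional[str] = None


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    loaded_path: str = ""


def loaded_module(command: str) -> Tuple[str, bool]:
    """Return (path of the file really executed, whether rundll32 is the loader)."""
    m = RUNDLL_RE.search(command)
    if m:
        return m.group(1), True
    m = EXE_RE.match(command)
    if m:
        return m.group(1) or m.group(2), False
    return command, False


def triage(entry: StartupEntry) -> Verdict:
    """Accumulate a score with a human-readable reason per signal."""
    v = Verdict()
    path, via_rundll = loaded_module(entry.command)
    v.loaded_path = path
    low = path.lower()
    if via_rundll and low.endswith(".dll"):
        v.score += 2
        v.reasons.append("rundll32 used to run a DLL at logon")
    if any(folder in low for folder in USER_WRITABLE):
        v.score += 3
        v.reasons.append("loaded file lives in a user-writable profile folder")
    if entry.manufacturer.lower() == "unknown":
        v.score += 1
        v.reasons.append("no manufacturer/signer information")
    if entry.name.lower() not in KNOWN_STARTUP_NAMES:
        v.score += 1
        v.reasons.append("startup item name not on the allowlist")
    if entry.md5 and entry.md5.lower() in KNOWN_BAD_MD5:
        v.score += 5
        v.reasons.append("file hash matches a known-bad sample")
    return v


def is_suspicious(entry: StartupEntry, threshold: int = 5) -> bool:
    return triage(entry).score >= threshold


# Constructed sample entries; the first mirrors the one reported in this thread.
SAMPLE_ENTRIES = [
    StartupEntry("Jvokiyemamer",
                 r'rundll32.exe "C:\Users\Bender\AppData\Local\ogscota0.dll",Startup',
                 r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    StartupEntry("avast",
                 r'"C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui',
                 r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                 manufacturer="AVAST Software"),
    # A per-user updater: lives in AppData\Local but has a publisher, so it
    # collects reasons without crossing the threshold.
    StartupEntry("ExampleUpdater",
                 r'"C:\Users\Bender\AppData\Local\ExampleUpdater\Update.exe" --startup',
                 r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                 manufacturer="Example Corp"),
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        v = triage(e)
        print(f"{e.name:15} score={v.score} suspicious={is_suspicious(e)}")
        for r in v.reasons:
            print("   -", r)
```

The third sample shows the caveat the reply hints at with "unusual": plenty of legitimate per-user installers also start from AppData\Local, so the folder alone should raise a question, not a verdict, and the hash match or a VirusTotal result is what settles it.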

Thanks guys! Yes, it was moved to the Chest. I submitted the file to VirusTotal, and here are the results…


File already submitted: The file sent has already been analysed by VirusTotal in the past. This is some basic info regarding the sample itself and its last analysis:

MD5: ebe73b5530581e87adc84ac923ce5025
Date first seen: 2011-01-13 01:21:46 (UTC)
Date last seen: 2011-01-13 01:21:46 (UTC)
Detection ratio: 12/42

http://www.virustotal.com/file-scan/report.html?id=c731a993ae14ae74689f95ed66ce37e7f03ffa887037bcb7e589b9df89293cf5-1294881706

File name:
077C10BC00BFFE7F6031015EC0CFFF002435009F.dll
Submission date:
2011-01-13 01:21:46 (UTC)
Current status:
finished
Result:
12 /42 (28.6%)

(*Partial list below)

Antivirus Version Last Update Result
AhnLab-V3 2011.01.13.00 2011.01.12 Trojan/Win32.Hiloti
Avast 4.8.1351.0 2011.01.12 -
Avast5 5.0.677.0 2011.01.12 -
AVG 10.0.0.1190 2011.01.12 -
BitDefender 7.2 2011.01.13 Gen:Variant.Kazy.3358
F-Secure 9.0.16160.0 2011.01.13 Gen:Variant.Kazy.3358
GData 21 2011.01.13 Gen:Variant.Kazy.3358
McAfee 5.400.0.1158 2011.01.13 Hiloti.gen.i
McAfee-GW-Edition 2010.1C 2011.01.12 Hiloti.gen.i

That prior post was a view of the previous report on that file. Just ran a new scan of the file…

http://www.virustotal.com/file-scan/report.html?id=c731a993ae14ae74689f95ed66ce37e7f03ffa887037bcb7e589b9df89293cf5-1295035022

AhnLab-V3 2011.01.15.00 2011.01.14 Trojan/Win32.Hiloti
AntiVir 7.11.1.144 2011.01.14 TR/Kazy.3274.197
Antiy-AVL 2.0.3.7 2011.01.14 -
Avast 4.8.1351.0 2011.01.14 Win32:Malware-gen
Avast5 5.0.677.0 2011.01.14 Win32:Malware-gen
BitDefender 7.2 2011.01.14 Gen:Variant.Kazy.3358

Yes… it is Malware/Trojan without doubt.
You can keep the file in the chest or delete it… your choice now… my recommendation is to leave the file in the avast! chest.

Both reports are fairly conclusive (even the early one) that avast was correct in detecting it.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

Though in this case after conclusive investigation it is safe to delete it from the chest, but I prefer not to act in haste and that is why there is a general rule, to which there are always exceptions.

Same situation, different file. This file is not detected by Avast. This appears to be the only other DLL located in user/local…

Results from VirusTotal:

http://www.virustotal.com/file-scan/report.html?id=84b68fd5e08236f8dc1814542c1b288e9be2067e7d9d1445c22df5d2841c20ec-1295116584

AhnLab-V3 2011.01.15.00 2011.01.14 Trojan/Win32.Hiloti
AntiVir 7.11.1.145 2011.01.15 -
Antiy-AVL 2.0.3.7 2011.01.15 -
Avast 4.8.1351.0 2011.01.15 -
Avast5 5.0.677.0 2011.01.15 -
BitDefender 7.2 2011.01.15 Gen:Variant.Kazy.3281
CAT-QuickHeal 11.00 2011.01.15 -
ClamAV 0.96.4.0 2011.01.15 -
Command 5.2.11.5 2011.01.15 -
Comodo 7399 2011.01.15 TrojWare.Win32.TrojanDownloader.Mufanom.GEN
DrWeb 5.0.2.03300 2011.01.15 -
Emsisoft 5.1.0.1 2011.01.15 Trojan.Win32.Hiloti!IK

Send the sample/s to avast as Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.

You will need to deal with the file in its original location as a manual move to the chest is a copy and paste not a removal.

It may be worthwhile running some other tools:
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them anyway. See http://en.wikipedia.org/wiki/HTTP_cookie.

Sample submitted to Avast…

Results of Malwarebytes scan:

Hmmm… is “local settings” a hidden folder, and is the detected file (calc[1]) just a shortcut to Windows Calculator in the wrong place?


Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5527

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

1/15/2011 5:05:07 PM
mbam-log-2011-01-15 (17-05-07).txt

Scan type: Quick scan
Objects scanned: 159342
Time elapsed: 2 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Bender\local settings\temporary internet files\Content.IE5\21S76IB1\calc[1].exe (Trojan.TDSS) → Quarantined and deleted successfully.

  1. Well local settings shouldn’t be hidden.

  2. I rather doubt it is just a shortcut in the wrong place, shortcuts don’t have .exe extensions. That is in the Internet temp files which is rather a strange place for it to be.

The TDSS reference in the malware name is a rootkit, designed to hide stuff, which can be hard to find. If it is in the MBAM quarantine now, I would suggest that you also do an SAS scan and rescan with avast and MBAM and see if anything else is found. The initial detection by avast of that dll, may well have been related.

Ordinarily I would suggest that you submit that calc[1].exe to avast, but that would mean restoring it from the MBAM Quarantine; it would go back to the original location. That would carry a limited risk, since it is in the original location (less if you exercise care and don’t run it), whilst you add it to the avast chest and send it to avast, before allowing MBAM to send it back to quarantine. That decision would have to be yours, but I understand if you don’t want to take any risk.

Turns out the “local settings” folder is a shortcut, and it was a “Protected Operating System file”, so I couldn’t see it in Windows Explorer, even when showing hidden files. I suppose it’s possible that the anti-virus software first detected the problem file navigating the shortcut path, so it was already dealt with before it traversed the actual path. Is this a normal situation with Windows Vista (hidden and protected shortcuts), or something the Trojan did?

Additional pass with SAS detected a couple of tracking cookies, also via a hidden shortcut path. Nothing detected at this point with any of the 3.

As far as sending the sample (calc[1].exe) to Avast, probably no need. As soon as I restored it in Malwarebytes, Avast detected it and put it in the chest.

Thanks for all the help!

You’re welcome.

In addition to the trojans that were found, I also have a problem with Google links being redirected to other websites (using Firefox). This issue still exists, even though Avast, Malwarebytes and SAS do not find any problems. After a quick search, it looks like this is a different problem? What is causing this, and is it dangerous other than redirecting Google search result links?

Thanks!

Have you checked the Firefox proxy?

For Firefox there are instructions on this page, and you want the setting to be no proxy.
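The proxy check suggested above can be done without opening the browser, since Firefox stores changed preferences in the profile's prefs.js as user_pref lines. The script below is an added example, not code from the thread or from Mozilla: it parses prefs.js, reports which proxy mode is in force and, for a manual proxy or PAC script, where traffic would be sent. The pref names (network.proxy.type, network.proxy.http, network.proxy.http_port, network.proxy.autoconfig_url, and so on) are the real Firefox preference keys; the prefs.js content and the 203.0.113.7 proxy address are constructed samples, and the assumption that a missing network.proxy.type means mode 5 ("Use system proxy settings") matches what the reinstalled browser showed later in this thread.

```python
"""Parse a Firefox prefs.js file and report the proxy configuration it encodes.
Constructed samples only; point parse_prefs() at a real prefs.js to check a profile."""
import re
from typing import Dict, Any, List

# user_pref("key", value);  value is a quoted string, true/false, or an integer
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Meaning of network.proxy.type as used by Firefox.
PROXY_TYPES = {
    0: "No proxy",
    1: "Manual proxy",
    2: "Automatic (PAC URL)",
    4: "Auto-detect (WPAD)",
    5: "Use system proxy settings",
}
# Assumption: prefs.js only stores non-default values, so an absent
# network.proxy.type is treated as 5, the default the thread later observed.
DEFAULT_PROXY_TYPE = 5


def parse_prefs(text: str) -> Dict[str, Any]:
    """Return {pref name: typed value} for every user_pref line in prefs.js text."""
    prefs: Dict[str, Any] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything malformed
        key, raw = m.groups()
        if raw.startswith('"'):
            value: Any = raw.strip('"')
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[key] = value
    return prefs


def proxy_report(prefs: Dict[str, Any]) -> Dict[str, Any]:
    """Summarise the proxy mode and every place traffic could be redirected."""
    ptype = prefs.get("network.proxy.type", DEFAULT_PROXY_TYPE)
    mode = PROXY_TYPES.get(ptype, f"unknown ({ptype})")
    findings: List[str] = []
    if ptype == 1:
        for proto in ("http", "ssl", "socks"):
            host = prefs.get(f"network.proxy.{proto}")
            if host:
                port = prefs.get(f"network.proxy.{proto}_port", "?")
                findings.append(f"{proto.upper()} traffic sent through {host}:{port}")
        if prefs.get("network.proxy.share_proxy_settings"):
            findings.append("HTTP proxy setting shared for all protocols")
    elif ptype == 2:
        pac = prefs.get("network.proxy.autoconfig_url", "?")
        findings.append(f"proxy chosen by PAC script fetched from {pac}")
    elif ptype == 0:
        # Not in use, but leftover hosts are worth knowing about after a cleanup.
        for proto in ("http", "ssl", "socks"):
            if prefs.get(f"network.proxy.{proto}"):
                findings.append(f"unused {proto} proxy host still stored: "
                                f"{prefs[f'network.proxy.{proto}']}")
    # Modes 0 and 5 are what the reply above asks for; 4 (WPAD) and PAC/manual need review.
    return {"mode": mode, "type": ptype, "clean": ptype in (0, 5), "findings": findings}


# Constructed prefs.js content: one profile with a manual proxy set, one clean.
SAMPLE_HIJACKED = '''\
// Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "203.0.113.7");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.share_proxy_settings", true);
'''
SAMPLE_CLEAN = 'user_pref("network.proxy.type", 0);\n'

if __name__ == "__main__":
    for label, text in (("hijacked", SAMPLE_HIJACKED), ("clean", SAMPLE_CLEAN)):
        rep = proxy_report(parse_prefs(text))
        print(f"{label}: {rep['mode']} (clean={rep['clean']})")
        for f in rep["findings"]:
            print("   -", f)
```

This covers only the setting the reply points at. A system-wide proxy (mode 5 delegates to Windows), a PAC script, a browser extension, the hosts file or DNS can all redirect searches while prefs.js looks fine, which is consistent with the redirects persisting in this thread after the setting was confirmed as "No Proxy".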

Lol! Too late to check what it WAS set to. I completely uninstalled Firefox, will be reinstalling shortly…

Ok, I reinstalled Firefox, and it was set to “Use system proxy settings” by default. This setting was not present in the article you cited. Is this new default the best option?

Still getting the Google results links that redirect to the wrong site (usually to a sales/marketing site). Rechecked the Firefox setting, and it is set to “No Proxy”.

Is this a virus that only affects Firefox and Google?

Are they only occurring in Firefox? Or is IE affected as well?

Have only seen it in Firefox, not in IE. A lot of people seem to recommend Hitman for this particular problem.