VirusTotal results for David

Heya David,

Did what you said. It turned up on 5 scanners:

Avast - - Win95:CIH-1106
AVG - - Win32/HLLP.DeTroie
ClamAV - - Sirius.Annihilator.272
GData - - Micro-128
Sophos - - W95/Whog-878b

I put the file back into the chest. Hope I did everything right. Also forgot to mention that I actually scanned it with Malwarebytes and it said it wasn’t anything malicious.

It seems a valid detection.

Your previous reporting of this was incomplete:
a) the folder info didn’t show the full path C:\users\Gus\AppData\Local; this might be because Vista has a different folder structure to XP Pro (which I’m using).
b) you didn’t give the file type after the file name.

The location helps to try and see how it might have entered your system.

So what should I do? If it keeps on showing up in that location, what would you think it means in terms of it entering my system?

If you wanna see the whole analysis, here’s the addy: http://www.virustotal.com/analisis/d81f14f908d27c4dbb939b1eb020d522

Well, I don’t know, because I don’t have what I asked for: the full location of the file or its file type. That would help; otherwise I’m just guessing.

It could be in your temporary internet files cache which means it could be coming in via your browser but that in theory would be getting intercepted by the web shield. There are just too many permutations without full information.

You could still have something on your system undetected and downloading more malware and without a firewall that provides outbound protection (we have been down that road) there is nothing to stop that happening. But, once again all this is speculation.

Almost 2a.m. here and I’m about to call it a night, so I will leave you some homework ;D
Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.

Thanks David, I’ll check them out. I did download a firewall by the way, Online Armour. When I’m not using the comp should I shut it off? When you say the full location or file type, is that info in the chest? I’m scanning with the F-Secure online scanner right now so I’ll let ya know what happens. I tried Panda n it says it doesn’t support my OS, and Micro didn’t work either.

Check the avast! Log Viewer (C:\Program Files\Alwil Software\Avast4\ashLogV.exe), Warning section, this contains information on all avast detections.

I wouldn’t touch panda on-line with a large stick (on supported OSes it dumps c*** in the system files, unencrypted signatures that will be detected later by avast or any other AV), so you are fortunate not to have used it.

The links I gave you were downloadable off-line, stand alone anti-rootkit tools not on-line services.

Heya David,

How’s your day going? I did what you said so hopefully this is right lol.

I went to the log viewer and this is everything it shows me for that problem that popped up yesterday.

System 1808 (application) Sign of “micro-128” has been found in "C:\Users\Gus\AppData\Local\Temp\00000217" file.

Gus 1456 (application) Sign of “Win95:CIH-1106” has been found in "C:\Suspect\00000217" file.

I know the second one is from when you told me to do that thing to upload the file to VirusTotal. I just thought it was weird that the sign changed from “micro-128” to Win95.

Also wanted to let you know I downloaded Gmer rootkit tool and nothing popped up unless I was misunderstanding it.

There is something strange about that location (to me), but probably just because the Vista and XP folder structures are different, and it would be something like this in XP: “C:\Documents and Settings\All Users\Application Data\TEMP”.

So it isn’t uncommon for some malware to place things in the temp folders, though I would have liked to have seen avast detect it when it was first created. However, the file doesn’t have a file type tacked on the end, so that may be why it wasn’t scanned on creation (depends on your sensitivity settings on the Standard Shield). Or were some of them detected by the on-access (not on-demand) scans when they arrived in the temp folder?

I don’t know why the detection might have changed, though it isn’t too unusual for a detection to be reclassified after analysis.

I would certainly suggest that you periodically clear out your temp folders, if for no other reason than that it frees up space.
CCleaner - Temp File Cleaner, etc.

Well, the avast anti-rootkit is based on the GMER anti-rootkit. Whilst the GMER tool is very good, it isn’t very user friendly and requires someone that knows what the results mean to analyse them. The avast anti-rootkit tries to go further in that it tries to take decisions for users, up to a point.

I think if you have moved any new detections to the chest and cleared the contents of the temp and suspect folders, you should be OK now.

I suspect that you might well get some more of these files in Temp; if so and avast alerts, try to note down what you were doing at the time of the alert and post again.

Heya David,

I downloaded the CCleaner like you suggested and used it. I’ll make sure to check out the avast anti-rootkit. I’ll pay close attention to what I’m doing on the comp if one of these pesky buggers turns up again. I’ll just make sure I scan anything I do download and anything I connect to the comp. I’ll let ya know if anything else happens.

The avast anti-rootkit is incorporated into the avast program; it runs 8 minutes after boot and also if you do a Standard or Thorough scan from the Simple User Interface.

Ahh ok. Told ya I was a noob lol. I learn something new every day. It’s funny that you directed me to F-Secure; I was just watching a documentary on hackers and the net. It had one of the founders of F-Secure talking. Very cool.

I directed you to three ‘other’ anti-rootkit tools which are relatively user friendly and competent ;D

Like most tools, some will have different signatures/detections, which is why you will see in many of the posts here options for different tools.

Coincidences are handy because just knowing the name seems to give a higher confidence ranking. Though I don’t like Panda’s on-line scanner because of the junk it dumps in your system folders, I like their stand alone anti-rootkit tool.

Heya David.

Would I be able to e-mail you or private message you on here? I need your help with something.

Sorry I can only offer help through the forums.
Any question asked and subsequent answers may benefit others viewing now or in the future.

You can only use the forums PM function when you have 20 posts anyway.

No worries, I appreciate any help I can get lol… Well, I have an interesting issue lol. I went to use one of my flash drives and today this pops up off it.

Application 1880 "Win32:Trojan-gen{other}" has been found in "K:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svchost.exe" file.

Then it found a BV:Autorun-G[wrm] in "k:\autorun.inf".

Any idea why I would get those? I’ve connected the same flash drive to the comp the other day and scanned it n nothing popped up. Nothing else has popped up on the comp except this since we last talked. Been scanning fairly regularly with all the programs you directed me towards.

Because your flash drive is infected. So where has this drive been recently?

The autorun.inf is a special file that, when found by Windows, is opened and its contents run. I bet that inside the autorun.inf file there is a command to run the svchost.exe file, which would try to infect your system.

Let avast move the files to the chest.

New signatures are constantly added so it isn’t unusual to get detections on what was previously considered OK. I can’t recall off the top of my head what your other topics were but this could have been trying to infect your system before.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. SUPERantispyware On-Demand only in free version.
  2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File As (depending on your browser), and save it to a location where you can find it easily later.

AUTORUNS - Infections
See this post, http://forum.avast.com/index.php?topic=34095.msg285331#msg285331.
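As an added example (not part of the thread, and not code from avast or GMER), here is a small Python triage check for an autorun.inf found on removable media, modelled on the K:\autorun.inf and RECYCLER\<SID>\svchost.exe case above. The sample autorun.inf content is constructed, not a capture from the drive in the thread; the directive names and the flagged folders are assumptions about what a worm launcher typically looks like.

```python
# Added example (not from the thread): defender-side triage of an autorun.inf
# found on removable media, modelled on the K:\autorun.inf case discussed above.
LAUNCH_KEYS = ("open", "shellexecute")  # directives AutoRun acted on at insertion
SUSPECT_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")
SYSTEM_NAMES = ("svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe")
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

# Constructed sample shaped like the RECYCLER\<SID>\svchost.exe launcher in the thread.
SAMPLE_AUTORUN_INF = """[autorun]
open=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\svchost.exe
shellexecute=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\svchost.exe
shell\\open\\command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\svchost.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

def parse_autorun(text):
    """Collect key=value pairs from the [autorun] section, skipping the junk
    lines worms often pad the file with to trip up naive parsers."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def assess_autorun(text):
    """Return human-readable reasons the file looks like a worm launcher;
    an empty list means no launch directive pointed at anything suspicious."""
    findings = []
    for key, value in parse_autorun(text).items():
        # shell\<verb>\command entries launch programs from the drive's context menu
        if key not in LAUNCH_KEYS and not key.startswith("shell\\"):
            continue
        target = value.lower().strip('"')
        tokens = target.rsplit("\\", 1)[-1].split()  # basename, then any arguments
        basename = tokens[0] if tokens else ""
        if any(target.startswith(d) or ("\\" + d) in target for d in SUSPECT_DIRS):
            findings.append(f"{key}: launches from a hidden system/recycle folder ({value})")
        if basename in SYSTEM_NAMES:
            findings.append(f"{key}: uses a Windows system binary name on removable media ({value})")
        elif basename.endswith(EXEC_EXT):
            findings.append(f"{key}: launches an executable ({value})")
    return findings
```

Run `assess_autorun(SAMPLE_AUTORUN_INF)` to list why each launch directive is flagged; a benign autorun.inf that only sets an icon or label returns an empty list.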

Ok. No worries, I moved them to the chest. I have those few freeware programs you mentioned, except the flash drive one. I’ll do it right now.

The only places the flash drive has been are my comp and the one at school.

Well, schools are a potential breeding ground, as others are also bringing their flash drives from home into school. Unless the school has a good network AV defence, it would be possible to infect others.

Heya David,

How’s your day been? I scanned the comp like you said in safe mode and nothing popped up on SUPERAntiSpyware or Malwarebytes. I’ve been trying to use Flash Drive Disinfector but I don’t think it’s working properly. Most likely cause Vista sucks lol.

What do you mean it isn’t working properly? Symptoms, please.