Win32.mIRC.62 need help :(

I don’t think I see any indication of a current infection in your FindAWF log but just to play it safe upload these two files to Virus Total for analysis and post the results.

D:\DAEMON Tools\daemon.exe

C:\WINDOWS\system32\ctfmon.exe

Tech - If there was AWF the bak folders would have the uninfected copies :slight_smile:

What about the other files ???

To know if a file is a false positive, please submit it to JOTTI or VirusTotal (like mauserme said) and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838

I said to send the files to Chest because they all seem suspect to me (for the path and name):
C:\PROGRA~1\DAEMON~1\BAK folder
C:\WINDOWS\SYSTEM32\BAK folder
Even a file called ctfmon.exe in this folder is suspect…
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK folder

This file could be clean and legit: “C:\WINDOWS\system32\ctfmon.exe”

Well, there are only 7 files. Go ahead and scan them all and post results for any that show infection.

All clean :smiley:

When I was infected I restored some of the files that had bak folders, because I read in this forum that the files in the bak are the clean ones.
So I restored some of the files in the baks.

One more scan if you don’t mind:

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.

ashavast was infected and a bak folder appeared in the avast directory
Just out of curiosity, do you know for sure ashavast was infected or did you presume it was? What made the detection?

I detected it with the Kaspersky online scanner, and also found a copy of it in the bak folder.

Btw I got this results after scanning ComboFix :-\

AhnLab-V3 2007.4.7.0 04.06.2007 no virus found
AntiVir 7.3.1.48 04.08.2007 no virus found
Authentium 4.93.8 04.06.2007 no virus found
Avast 4.7.936.0 04.08.2007 no virus found
AVG 7.5.0.447 04.08.2007 no virus found
BitDefender 7.2 04.08.2007 no virus found
CAT-QuickHeal 9.00 04.06.2007 no virus found
ClamAV devel-20070312 04.08.2007 no virus found
DrWeb 4.33 04.08.2007 no virus found
eSafe 7.0.15.0 04.08.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3549 04.06.2007 no virus found
Ewido 4.0 04.08.2007 no virus found
FileAdvisor 1 04.08.2007 no virus found
Fortinet 2.85.0.0 04.08.2007 no virus found
F-Prot 4.3.1.45 04.04.2007 no virus found
F-Secure 6.70.13030.0 04.08.2007 no virus found
Ikarus T3.1.1.3 04.08.2007 Trojan-Dropper.Win32.Delf.FZ
Kaspersky 4.0.2.24 04.08.2007 no virus found
McAfee 5003 04.06.2007 no virus found
Microsoft 1.2405 04.08.2007 no virus found
NOD32v2 2173 04.07.2007 no virus found
Norman 5.80.02 04.05.2007 no virus found
Panda 9.0.0.4 04.08.2007 Suspicious file
Prevx1 V2 04.08.2007 no virus found
Sophos 4.16.0 04.06.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 no virus found
Symantec 10 04.08.2007 no virus found
TheHacker 6.1.6.085 04.04.2007 no virus found
VBA32 3.11.3 04.07.2007 no virus found
VirusBuster 4.3.7:9 04.07.2007 no virus found
Webwasher-Gateway 6.0.1 04.08.2007 Win32.ModifiedUPX.gen!84 (suspicious)

ComboFix is safe to run as long as you downloaded it from one of the links I posted. It will just scan and produce a log which you can post here.

Yeah, if you say so, but still why do some antivirus programs say it is infected ???

Well, you have 27 scanners saying it’s not infected.

2 scanners say they detect suspicious capability - it’s the same idea as the “risk ware” discussed earlier. This tool will report a lot of information about your computer.

And 1 scanner, Kaspersky, calls it delf. I won’t call Kaspersky bad but you’ve already expressed your opinion of it. I’ll just say all scanners are capable of false positives.

But if you’re not comfortable with it and you don’t see suspicious activity any longer then don’t worry about it. I’m not trying to force you into anything.

EDIT: Not Kaspersky but Ikarus. Still, a false positive nonetheless.
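The reasoning in the reply above is a per-engine count over the multi-scanner report pasted earlier in the thread. The script below is an added example written for this page (it is not VirusTotal’s or the forum’s own code): it parses lines in the `engine version dd.mm.yyyy result` layout shown in the report, buckets each verdict as clean, heuristic “suspicious”, or a named detection, and returns the tally with the engines behind each bucket. The embedded report is copied from the ComboFix upload above; the bucket names are this example’s own choice.

```python
"""Tally a multi-engine scan report in the layout pasted in the thread."""
import re
from typing import Dict, List

# Signature-date token that anchors each line: everything after it is the free-text result.
DATE_RE = re.compile(r"^\d{2}\.\d{2}\.\d{4}$")

# Report copied from the thread (the ComboFix upload). The verdict strings are the
# posters' data; only the parsing and bucketing below are this example's.
SAMPLE_REPORT = """\
AhnLab-V3 2007.4.7.0 04.06.2007 no virus found
AntiVir 7.3.1.48 04.08.2007 no virus found
Authentium 4.93.8 04.06.2007 no virus found
Avast 4.7.936.0 04.08.2007 no virus found
AVG 7.5.0.447 04.08.2007 no virus found
BitDefender 7.2 04.08.2007 no virus found
CAT-QuickHeal 9.00 04.06.2007 no virus found
ClamAV devel-20070312 04.08.2007 no virus found
DrWeb 4.33 04.08.2007 no virus found
eSafe 7.0.15.0 04.08.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3549 04.06.2007 no virus found
Ewido 4.0 04.08.2007 no virus found
FileAdvisor 1 04.08.2007 no virus found
Fortinet 2.85.0.0 04.08.2007 no virus found
F-Prot 4.3.1.45 04.04.2007 no virus found
F-Secure 6.70.13030.0 04.08.2007 no virus found
Ikarus T3.1.1.3 04.08.2007 Trojan-Dropper.Win32.Delf.FZ
Kaspersky 4.0.2.24 04.08.2007 no virus found
McAfee 5003 04.06.2007 no virus found
Microsoft 1.2405 04.08.2007 no virus found
NOD32v2 2173 04.07.2007 no virus found
Norman 5.80.02 04.05.2007 no virus found
Panda 9.0.0.4 04.08.2007 Suspicious file
Prevx1 V2 04.08.2007 no virus found
Sophos 4.16.0 04.06.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 no virus found
Symantec 10 04.08.2007 no virus found
TheHacker 6.1.6.085 04.04.2007 no virus found
VBA32 3.11.3 04.07.2007 no virus found
VirusBuster 4.3.7:9 04.07.2007 no virus found
Webwasher-Gateway 6.0.1 04.08.2007 Win32.ModifiedUPX.gen!84 (suspicious)
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one report line into engine, version, signature date and result.

    The date token is the anchor: tokens between the engine name and the date form the
    version (which may contain characters like ':' or '-'), and everything after the date
    is the result, which may contain spaces.
    """
    tokens = line.split()
    for idx, tok in enumerate(tokens):
        if DATE_RE.match(tok):
            return {
                "engine": tokens[0],
                "version": " ".join(tokens[1:idx]),
                "date": tok,
                "result": " ".join(tokens[idx + 1:]),
            }
    raise ValueError(f"no dd.mm.yyyy date token in line: {line!r}")


def classify(result: str) -> str:
    """Bucket a result: 'clean', a heuristic 'suspicious' flag, or a named 'detection'."""
    lowered = result.lower()
    if lowered == "no virus found":
        return "clean"
    if "suspicious" in lowered:
        return "suspicious"
    return "detection"


def tally(report: str) -> Dict[str, object]:
    """Parse every non-empty line and return totals, per-bucket counts and the engines."""
    buckets: Dict[str, List[str]] = {"clean": [], "suspicious": [], "detection": []}
    for line in report.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        buckets[classify(rec["result"])].append(f'{rec["engine"]}: {rec["result"]}')
    return {
        "total": sum(len(v) for v in buckets.values()),
        "counts": {name: len(v) for name, v in buckets.items()},
        "engines": buckets,
    }


if __name__ == "__main__":
    summary = tally(SAMPLE_REPORT)
    print(summary["total"], "engines:", summary["counts"])
    for name in ("suspicious", "detection"):
        for entry in summary["engines"][name]:
            print(f"  [{name}] {entry}")
```

Run over the thread’s report this gives 27 clean engines, 3 heuristic “suspicious” flags (eSafe, Panda, Webwasher-Gateway) and one named detection (Ikarus), which is the split the reply above is reasoning from; a generic “suspicious” or packer-related flag from a couple of engines against a clean verdict from the large majority is the usual shape of a false positive on a packed tool.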

Well I’m still a bit freaked out from the last infestation so I’ll probably skip the check with ComboFix for now, I don’t see any suspicious activity for now (except that my folders in my documents keep changing from tiles to icons, but that’s probably Bill Gates’ fault ;))

Btw I got this from FindAWF which I already used :o :

AhnLab-V3 2007.4.7.0 04.06.2007 no virus found
AntiVir 7.3.1.48 04.08.2007 no virus found
Authentium 4.93.8 04.06.2007 no virus found
Avast 4.7.936.0 04.08.2007 no virus found
AVG 7.5.0.447 04.08.2007 no virus found
BitDefender 7.2 04.08.2007 no virus found
CAT-QuickHeal 9.00 04.06.2007 TrojanDropper.QuickBatch.e
ClamAV devel-20070312 04.08.2007 no virus found
DrWeb 4.33 04.08.2007 no virus found
eSafe 7.0.15.0 04.08.2007 no virus found
eTrust-Vet 30.7.3549 04.06.2007 no virus found
Ewido 4.0 04.08.2007 no virus found
FileAdvisor 1 04.08.2007 no virus found
Fortinet 2.85.0.0 04.08.2007 no virus found
F-Prot 4.3.1.45 04.04.2007 no virus found
F-Secure 6.70.13030.0 04.08.2007 no virus found
Ikarus T3.1.1.3 04.08.2007 Trojan.BAT.Small.f
Kaspersky 4.0.2.24 04.08.2007 no virus found
McAfee 5003 04.06.2007 no virus found
Microsoft 1.2405 04.08.2007 no virus found
NOD32v2 2173 04.07.2007 no virus found
Norman 5.80.02 04.05.2007 no virus found
Panda 9.0.0.4 04.08.2007 Suspicious file
Prevx1 V2 04.08.2007 no virus found
Sophos 4.16.0 04.06.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 no virus found
Symantec 10 04.08.2007 no virus found
TheHacker 6.1.6.085 04.04.2007 no virus found
VBA32 3.11.3 04.07.2007 no virus found
VirusBuster 4.3.7:9 04.07.2007 no virus found
Webwasher-Gateway 6.0.1 04.08.2007 no virus found

I’m not being paranoid, as I said I’m not very into computer knowledge so I just can’t open a file that is said to have a virus, I’ll have nightmares :wink:

I understand bug_master. It’s good to be cautious.

But please, no nightmares - I promise you FindAWF did nothing to infect your computer :slight_smile:

No worries 8)
What should the suspicious activities be if I’m infected?

It could be any number of symptoms but generally unusual system slow downs, your firewall alerting to programs you don’t recognize trying to establish an internet connection, additional malware suddenly appearing …

And how do the log files help ???

There are several different tools you might be asked to use if you’re fighting an infection. The most common is probably HijackThis. It produces a log enumerating the running processes and also atypical registry entries that can show where the malware loads, how a browser hijack was effected, etc. A tool called Deckard’s System Scanner does this same thing (installing and running HijackThis for you) but also shows files recently created and some other useful system information.

FindAWF, as you can see in your log, shows files that have matching backups and their locations. This can be used to find infections that create backups as part of the infection process (it actually does sound like you had an agent.awf infection, or similar, that you cleaned by yourself).

ComboFix looks for other types of malware that have rootkit ability and some of the more difficult adware. If you look at this thread

http://forum.avast.com/index.php?topic=27121.msg222054#msg222054

you’ll see a HijackThis log and a Combofix log that Matty attached in relation to an agent.awf infection (you need to be logged in to see the attachments). There is also a FindAWF log somewhere in that thread too. Keep in mind that the fixes in that thread are specific to Matty’s computer and should not be taken as a general fix.
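The post above describes what FindAWF reports: files that have a same-named copy in a `bak` folder, which is the footprint the thread attributes to the agent.awf-style infection (the original executable is moved into `bak` and replaced). The script below is an added example written for this page and is not FindAWF’s own code: it walks a directory tree, pairs every file inside a folder named `bak` with the file of the same name in the parent folder, and reports whether the two copies are byte-identical, so a live file that no longer matches its backup stands out. It only reads and hashes files; it never deletes or restores anything. The sample tree it builds is constructed in a temporary directory with dummy contents echoing the paths named in the thread, and `orphan.exe` is a hypothetical name for a backup with no live counterpart.

```python
"""FindAWF-style check: pair files in 'bak' folders with the live copy beside them."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_bak_pairs(root: Path) -> List[Dict[str, str]]:
    """Return one record per file inside any directory literally named 'bak'.

    Verdicts:
      'identical'    - live file and backup hash the same (restored, or never replaced)
      'differs'      - the live file is not the backed-up original; treat it as suspect
      'missing_live' - a backup with no live counterpart; also worth a look
    """
    records = []
    for dirpath, _dirnames, filenames in os.walk(root):
        bak_dir = Path(dirpath)
        if bak_dir.name.lower() != "bak":
            continue
        for name in filenames:
            backup = bak_dir / name
            live = bak_dir.parent / name
            if not live.is_file():
                verdict = "missing_live"
            elif sha256_of(backup) == sha256_of(live):
                verdict = "identical"
            else:
                verdict = "differs"
            records.append({"backup": str(backup), "live": str(live), "verdict": verdict})
    # os.walk order varies by platform; sort so the report is stable
    records.sort(key=lambda rec: rec["backup"])
    return records


def summarize(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count verdicts so the number of suspect live files is visible at a glance."""
    counts = {"identical": 0, "differs": 0, "missing_live": 0}
    for rec in records:
        counts[rec["verdict"]] += 1
    return counts


def build_sample_tree(base: Path) -> None:
    """Constructed layout echoing the thread's paths; every file is a dummy text blob."""
    files = {
        # live copy was restored from bak, so the two are identical
        "DAEMON Tools/daemon.exe": b"original daemon bytes",
        "DAEMON Tools/bak/daemon.exe": b"original daemon bytes",
        # live copy still differs from its backup: the replacement is still in place
        "WINDOWS/system32/ctfmon.exe": b"replacement bytes",
        "WINDOWS/system32/bak/ctfmon.exe": b"original ctfmon bytes",
        # backup with no live counterpart (hypothetical file name)
        "Program Files/Common Files/bak/orphan.exe": b"leftover",
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def run_demo() -> Tuple[List[Dict[str, str]], Dict[str, int]]:
    """Build the sample tree in a temp directory, scan it, return records and summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        records = find_bak_pairs(root)
        # strip the temp prefix so the paths read like the thread's
        for rec in records:
            rec["backup"] = os.path.relpath(rec["backup"], root)
            rec["live"] = os.path.relpath(rec["live"], root)
        return records, summarize(records)


if __name__ == "__main__":
    found, counts = run_demo()
    for rec in found:
        print(f"{rec['verdict']:13} {rec['live']}  (backup: {rec['backup']})")
    print(counts)
```

Pointed at a real drive root instead of the sample tree, `find_bak_pairs` produces the same kind of listing as the FindAWF log discussed above; a `differs` verdict is the case worth submitting to a multi-engine scanner, while `identical` is what you expect after the original has been put back, as the poster did by hand.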

Ok thanx very much for the info :smiley:

Tomorrow I’ll run a check with HijackThis and post it :slight_smile:

No problem.